# Blue-Team-Tools

This contains a list of Blue Team tools that I use daily, and have stored here for reference.

## Malware Analysis

Malware analysis is a broad scope. My aim is to extract IOCs to use for further threat hunting and detection through both static and dynamic analysis.

### What I use

I use a suite of VMs for my analysis that mirrors the environments I work with. The main testing ground is a Windows 7 VM with no AV installed, followed by another Windows 7 VM with all the corporate security tools installed. Additionally, I will also use the Ubuntu VM mentioned in the Network Traffic Analysis section below.

Alternatives to these machines include FireEye's "Flare VM", which comes pre-installed with many useful tools that I have not listed here. I am still in the process of testing the VM, though it does allow for easier network forensics without the use of a second VM running iNetSim.

#### Static Analysis

- Notepad++:
  - Advanced text editor, used to view any JavaScript files.
- IDA Pro Free:
  - x86 disassembler.
- OllyDbg:
  - x86 disassembler.
- WinDbg:
  - x86, x64, or ARM debugger.
- ILSpy:
  - .NET decompiler.
- CFF Explorer:
  - PE editor.
- PEview:
  - PE file viewer.
- PEiD:
  - Used to determine if a file is packed, and other basic info.
- Resource Hacker:
  - Allows us to view the resources that an executable file calls.
- CRITS:
  - Malware analysis and IOC storage platform. Handy for quick analysis of malware.
  - Can extract macros and JavaScript embedded in documents.
- Malzilla:
  - Malware hunting tool.
- Streams:
  - Sysinternals tool for viewing Alternate Data Streams attached to files.

#### Dynamic Analysis

- Malwr.com:
  - Website where you can upload your sample and detonate it in a virtual sandbox.
- Hybrid-analysis.com:
  - Website where you can upload your sample and detonate it in a virtual sandbox.
- Wireshark:
  - Network traffic analysis tool.
- Fiddler:
  - Web debugging tool.
- Process Explorer:
  - Shows a live process tree.
- Process Monitor:
  - Shows real-time file system modifications and registry edits.
- Regshot:
  - Can take a before and after snapshot of your registry.
- Network Traffic Analysis VM:
  - See the related section.
- Volatility:
  - Memory forensics.
- HijackThis:
  - Browser Helper Object tool.
- iNetSim:
  - Internet simulator.

## Network Traffic Analysis

Traffic analysis can cover both PCAP data and flow data. Here I am focusing on analyzing PCAP data, as my use of flow data is concerned mostly with hunting and monitoring.

### What I use

All of the traffic analysis that I perform is done on an Ubuntu VM running the tools below. Most often when analyzing a PCAP I use Wireshark and NetworkMiner side by side.

- Wireshark:
  - Graphical PCAP analysis tool.
- TCPDump:
  - Command-line based PCAP analysis tool.
- NetworkMiner:
  - PCAP parser and analyzer.
- Snort:
  - Intrusion detection system.
- Bro:
  - Intrusion detection system.
- Whois Lookup:
  - IP address lookup tool.