
procdot_sandbox's Introduction

ProcDOT Sandbox - AutoAnalysis

Quick Malware Analysis Toolkit. This repository contains quick setup notes for building a malware analysis sandbox from a variety of tools and using ProcDOT to perform the analysis.

These instructions are very high-level. You will need to adjust them to work in your lab.

ProcDot

Requirements

OPTIONAL: Python to run CSV_parser

The CSV_parser directory contains a Python script that can help filter noise out of the Procmon CSV logs.


Installation

  • Download/extract tools to a common directory
    • This example uses C:\Users\IEUser\Desktop\autoanalysis\tools\
  • Install WinPcap

Configuration

ProcDOT

Open ProcDOT and configure the following options:

Note: more detailed installation information is available from the ProcDOT project.

Path to windump/tcpdump

C:\Users\IEUser\Desktop\autoanalysis\tools\windump\WinDump.exe

Path to dot (Graphviz)

C:\Users\IEUser\Desktop\autoanalysis\tools\graphviz-2.38\release\bin\dot.exe

ProcMon

You need to adjust Procmon's configuration to be compatible with ProcDOT.

In Procmon

  • disable (uncheck) "Show Resolved Network Addresses" (Options menu)
  • disable (uncheck) "Enable Advanced Output" (Filter menu)
  • adjust the displayed columns (Options > Select Columns ...)
    • hide the "Sequence" column
    • show the "Thread ID" column

Quick Start

  1. Run AutoAnalysis.bat as Administrator
  2. Execute Malware
  3. Stop AutoAnalysis
  4. Analyze Results

Analyze with ProcDOT

  1. Open procdot.exe

  2. Under "Monitoring Logs", point ProcDOT at the captures:
    • Procmon: browse to the Procmon capture.csv
    • Windump: browse to the pcap capture.pcap

  3. Click the ... (Launcher) button to analyze the logs

  4. Select the first relevant process

  5. Click Refresh to build the graph

  6. Proceed to analyze the results


Analyst Tips

Tune logs

  • Consider filtering out unnecessary data from the PCAP
  • Consider removing unnecessary Procmon events from the report
    • CSV_parser contains a Python script that can help filter the Procmon CSV logs
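As an added example (not the repository's own CSV_parser script), the filter below first checks a Procmon CSV header for the ProcDOT requirements described above (Thread ID present, Sequence hidden) and then drops noisy rows before the file is handed to ProcDOT. The column names follow Procmon's CSV export as assumed here ("TID" for Thread ID), the default noise sets are assumptions to tune for your lab, and the sample CSV is constructed.

```python
import csv
import io

# Assumed Procmon CSV column names; ProcDOT needs TID present and
# the Sequence column hidden (see the Procmon configuration notes).
REQUIRED_COLUMNS = ("Time of Day", "Process Name", "PID", "Operation", "Path", "TID")
FORBIDDEN_COLUMNS = ("Sequence",)
# Constructed default noise sets; tune them for your lab.
NOISY_PROCESSES = {"procmon.exe", "procmon64.exe"}
NOISY_OPERATIONS = {"Thread Exit", "Process Profiling"}

# Constructed sample of a Procmon CSV export (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","TID"
"12:00:01.0000000 PM","Procmon64.exe","1100","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows","SUCCESS","Type: REG_SZ","1101"
"12:00:02.0000000 PM","sample.exe","2200","CreateFile","C:\Users\IEUser\AppData\Local\Temp\drop.tmp","SUCCESS","Desired Access: Generic Write","2201"
"12:00:03.0000000 PM","sample.exe","2200","RegOpenKey","HKCU\Software\Classes","NAME NOT FOUND","Desired Access: Read","2201"
"12:00:04.0000000 PM","sample.exe","2200","Thread Exit","","SUCCESS","Thread ID: 2202","2202"
"12:00:05.0000000 PM","cmd.exe","2300","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2400","2301"
'''

def check_procdot_columns(header):
    """Return (missing, forbidden) column lists for a Procmon CSV header."""
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    forbidden = [c for c in header if c in FORBIDDEN_COLUMNS]
    return missing, forbidden

def filter_procmon_csv(text, noisy_processes=NOISY_PROCESSES,
                       noisy_operations=NOISY_OPERATIONS):
    """Validate the header for ProcDOT, then drop noisy rows. Returns (header, rows)."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing, forbidden = check_procdot_columns(header)
    if missing or forbidden:
        raise ValueError(f"CSV not ProcDOT-compatible: missing={missing} forbidden={forbidden}")
    rows = [row for row in reader
            if row["Process Name"].lower() not in noisy_processes
            and row["Operation"] not in noisy_operations]
    return header, rows

def write_filtered_csv(header, rows):
    """Serialise the kept rows back into a CSV string that ProcDOT can load."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    header, rows = filter_procmon_csv(SAMPLE_CSV)
    print(write_filtered_csv(header, rows))
```

On the sample, the Procmon64.exe row and the Thread Exit row are dropped and three events remain; a header that still carries Sequence or lacks TID is rejected before any filtering.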

procdot_sandbox's People

Contributors

vestjoe
