# Quick malware analysis
sha256sum suspicious_file && strings suspicious_file | grep -iE "password|cmd|powershell|http" | head -20
Pattern matching tool for malware analysis
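rule RuleName {
    meta:
        author = "Analyst"
        description = "Detect suspicious file"
        date = "2024-01-01"
    strings:
        $string1 = "malicious string"
        $string2 = { 4D 5A 90 00 } // Hex pattern
        // Regex pattern. Note: ten consecutive lowercase letters occur in almost
        // any file, so on its own this string is extremely noisy; it is here as syntax.
        $regex1 = /[a-z]{10,}/
    condition:
        // Every declared string must appear in the condition: yara refuses to
        // compile a rule with an unreferenced string, and $regex1 was unused.
        $string1 or $string2 or $regex1
}
rule StringPatterns {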
strings:
    // ASCII text, matched regardless of letter case
    $text1 = "password" nocase
    // UTF-16LE ("wide") form only
    $text2 = "admin" wide
    // Either the ASCII or the UTF-16LE form
    $text3 = "secret" ascii wide
    // Raw bytes: the "MZ" signature at the start of a PE file
    $mz_header = { 4D 5A }
    // Hex with ?? wildcards for bytes that may vary
    $pattern = { 4D 5A ?? ?? 00 00 }
    // Regular expression for an http(s) host
    $regex = /https?:\/\/[a-z0-9.]+/
condition:
    // Fires as soon as one of the declared strings matches
    1 of them
}
rule ConditionExamples {
strings:
$a = "string1"
$b = "string2"
$c = "string3"
condition:
// NOTE: the lines below are a menu of alternative condition expressions, not
// one rule body. A compilable rule takes a single boolean expression here, so
// keep one line (or join several with and/or) and drop the rest.
// Logical operators
$a and $b
$a or $b
not $a
// Count
#a > 5 // #a is the number of occurrences of $a; more than 5 of them
2 of ($a, $b, $c) // At least 2 of the listed strings match
all of them // Every declared string matches
any of them // At least one declared string matches
// File properties (KB and MB suffixes are accepted)
filesize < 1MB
filesize > 100KB
// Position
$a at 0 // $a matches exactly at offset 0
$a in (0..100) // $a starts at some offset between 0 and 100
}
rule DetectPE {
meta:
    description = "Detect Windows PE executable"
strings:
    $mz = { 4D 5A }
    // Most toolchains emit this DOS-stub text, but it is not mandatory, so a
    // PE built with a custom stub will not be caught by this rule.
    $dos_stub = "!This program cannot be run in DOS mode"
condition:
    // "MZ" must sit at offset 0; the stub text may appear anywhere
    $dos_stub and $mz at 0
}
# Scan file with rule
yara rule.yar target_file
# Walk a directory tree
yara --recursive rule.yar /path/to/directory
# Load several rule files in one run
yara --recursive /rules/*.yar /path/to/scan
# Discard stderr. This also hides rule compile errors, so an empty result can
# mean "the rule never loaded" rather than "nothing matched".
yara rule.yar /path 2>/dev/null
# Print each matched string (offset, identifier, data)
yara --print-strings rule.yar target_file
# Print the rule's meta fields next to each match
yara --print-meta rule.yar target_file
# MD5
md5sum file.exe
# SHA-1
sha1sum file.exe
# SHA-256 — the identifier to prefer; MD5 and SHA-1 are collision-prone, so
# use them for looking a sample up in feeds, not as proof of integrity
sha256sum file.exe
# All three at once (stops at the first command that fails)
sha256sum file.exe && sha1sum file.exe && md5sum file.exe
# Find file by SHA256 hash
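# Prints only the path. /proc and /sys are pruned because they hold pseudo-files
# such as /proc/kcore that hash forever; "{} +" hands each batch of paths to one
# shell instead of spawning one per file; grep -i tolerates an upper-case hash and
# ^ anchors on the hash column so a path that happens to contain the digits
# cannot match.
find / \( -path /proc -o -path /sys \) -prune -o -type f -exec sh -c 'for f; do sha256sum "$f" 2>/dev/null | grep -qi "^HASH_HERE" && printf "%s\n" "$f"; done' _ {} +
# Faster with a specific directory (prints "hash  path" lines)
find /var -type f -exec sha256sum {} + 2>/dev/null | grep -i "^HASH_HERE"
# Find by MD5
find / \( -path /proc -o -path /sys \) -prune -o -type f -exec md5sum {} + 2>/dev/null | grep -i "^MD5_HASH"
# Extract ASCII strings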
strings file.exe
# 16-bit little-endian (UTF-16LE) runs, the form Windows binaries use
strings --encoding=l file.exe
# Raise the minimum run length to cut noise
strings --bytes=10 file.exe
# Hunt for indicators in the output
strings file.exe | grep -i "password"
strings file.exe | grep -E "https?://"
strings file.exe | grep -E "[A-Za-z0-9+/]{20,}=" # Base64 (padded blobs only; unpadded data will not match)
# Encode
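# Encode a string. printf '%s' (unlike echo) adds no trailing newline, so the
# output is exactly the "cGxhaW4gdGV4dA==" that the decode example expects.
printf '%s' "plain text" | base64
# Encode a file
base64 file.txt
# Decode a string
echo "cGxhaW4gdGV4dA==" | base64 -d
# Decode a file
base64 -d encoded.txt
# Decode a file to a binary artifact; base64 reads the file itself, no cat pipe needed
base64 -d file.txt > decoded.bin
# Binary string to ASCII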
echo "01101000 01100101 01101100 01101100 01101111" | perl -pe 's/(\d{8})/pack("B8", $1)/ge'
# Alternative with Python
python3 -c "print(''.join(chr(int(b, 2)) for b in '01101000 01100101 01101100 01101100 01101111'.split()))"# Hex to ASCII
echo "48656c6c6f" | xxd -p -r
# From a file holding a plain hex string (no offsets)
xxd -p -r hex_file.txt > output.bin
# From a full xxd-style dump (offsets and ASCII column present)
xxd -r input.hex > output.bin
# Python
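# Decodes every %XX escape (use unquote_plus if '+' should become a space)
python3 -c "import urllib.parse; print(urllib.parse.unquote('%48%65%6c%6c%6f'))"
# Using sed: turn %XX into \xXX escapes, then let printf expand them. The escapes
# are passed as the %b ARGUMENT rather than as printf's format string, so a
# stray % or other directive in the decoded data cannot be interpreted as a
# conversion.
echo "%48%65%6c%6c%6f" | sed 's/%/\\x/g' | xargs -0 printf '%b'
# Failed login attempts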
grep -iE "failed|failure|invalid" /var/log/auth.log
# Successful logins
grep "Accepted" /var/log/auth.log
# Everything logged by the SSH daemon
grep "sshd" /var/log/auth.log
# Web server requests
grep -E "GET|POST" /var/log/apache2/access.log
# Requests that look like command-injection attempts
grep -E "cmd=|exec=|system\(" /var/log/apache2/access.log
# Count occurrences
grep -c "Failed" auth.log
# Top talkers: the client IP is the first field of a combined access log
awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -n 20
# Failed logins by source IP. $(NF-3) assumes the usual "... from <ip> port <n> ssh2"
# line ending — check one sample line before trusting the counts.
grep "Failed" auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
# Narrow to a single day
grep "Jan 15" /var/log/auth.log
awk '/15\/Jan\/2024/' access.log
# Pick out fields: client IP, request path, status code
awk '{print $1, $7, $9}' access.log
# Filter by HTTP status
awk '$9 == 404' access.log # 404 errors
awk '$9 >= 400 {print}' access.log # All errors
| Platform | URL | Description |
|---|---|---|
| VirusTotal | https://virustotal.com | File/URL/IP analysis |
| AbuseIPDB | https://abuseipdb.com | IP reputation |
| Shodan | https://shodan.io | Internet device search |
| Censys | https://censys.io | Internet asset discovery |
| URLScan | https://urlscan.io | Website analysis |
| Hybrid Analysis | https://hybrid-analysis.com | Malware sandbox |
| AlienVault OTX | https://otx.alienvault.com | Threat intelligence sharing |
| MISP | https://misp-project.org | Threat sharing platform |
# Check IP reputation (use $rhost for the target IP). Supply the key from an
# environment variable rather than typing it inline: a literal key lands in
# shell history.
curl --silent "https://api.abuseipdb.com/api/v2/check?ipAddress=$rhost" \
    --header "Key: YOUR_API_KEY" --header "Accept: application/json" | jq .
# VirusTotal file hash lookup (a GET by hash; nothing is uploaded)
curl --silent "https://www.virustotal.com/api/v3/files/$hash" \
    --header "x-apikey: YOUR_API_KEY" | jq .
# Shodan host lookup (the key travels in the URL query string, so it is also
# visible to any proxy or access log on the path)
curl -s "https://api.shodan.io/shodan/host/$rhost?key=YOUR_API_KEY" | jq
- Network Forensics - tshark, PCAP analysis
- Linux Commands - grep, awk, sed