- PowerMemory: https://github.com/giMini/PowerMemory
- ReflectiveDLLInjection: https://github.com/stephenfewer/ReflectiveDLLInjection
Reflective DLL injection is a library injection technique used to load a library from memory into a host process. The library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader, with minimal interaction with the host system and the host process.
- ThrowbackLP: https://github.com/silentbreaksec/ThrowbackLP
Listening post (server side) for the Throwback beacon.
- Throwback: https://github.com/silentbreaksec/Throwback
- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
- nishang: https://github.com/samratashok/nishang
Nishang is a PowerShell-based penetration testing framework that bundles scripts and payloads. Its author wrote the scripts during real penetration tests, so they have practical value; they include download-and-execute, keylogging, DNS, delayed-command and other scripts.
- UnmanagedPowerShell: https://github.com/leechristensen/UnmanagedPowerShell
Executes PowerShell from an unmanaged process. With a few modifications, these same techniques can be used when injecting into different processes (i.e. you can cause any process to execute PowerShell if you want).
- Empire: https://github.com/powershellempire/empire
Empire is a PowerShell and Python post-exploitation agent. http://www.powershellempire.com/
- Unicorn: https://github.com/trustedsec/unicorn
Unicorn is a simple tool for PowerShell downgrade attacks and direct injection of shellcode into memory.
- PowerShell: https://github.com/clymb3r/PowerShell
The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy, but any bug fixes should be checked in to PowerSploit.
- PSRecon: https://github.com/gfoss/PSRecon
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
- PowerShell: https://github.com/MikeFal/PowerShell
- PowerTools: https://github.com/PowerShellEmpire/PowerTools
- PowerShellArsenal: https://github.com/mattifestation/PowerShellArsenal
A PowerShell module for reverse engineering: it can disassemble managed and unmanaged code, analyze .NET malware, analyze memory, parse file formats and in-memory structures, and access internal system information.
- PowerShell API Manual: http://www.pinvoke.net/
PInvoke.net is primarily a wiki that allows developers to find, edit and add PInvoke signatures, user-defined types, and any other information associated with calling Win32 and other unmanaged APIs from managed code.
- PowerShell-AD-Recon: https://github.com/PyroTek3/PowerShell-AD-Recon
A useful PowerShell script
- PowerCat: https://github.com/secabstraction/PowerCat
A PowerShell TCP/IP Swiss Army knife in the spirit of Netcat and Ncat.
- Honeyport: https://github.com/Pwdrkeg/honeyport
A PowerShell script for creating a Windows honeyport.
- PowerShellMafia: https://github.com/PowerShellMafia/PowerSploit
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
- Posh-SecMod: https://github.com/darkoperator/Posh-SecMod
- Harness: https://github.com/Rich5/Harness
How to build a SOC / How to run a SOC
In this resource I’ll collect some great resources for SOCs: how to build a SOC, how to set up a SOC, and how to run and maintain your SOC once it is set up. I will also keep the links and tools up to date as I find new and better resources.
Let me know if you have comments or additions please.
1. Starting point – some theoretical content:
What is a SOC? A SOC is a Security Operations Centre, where people are dedicated to the company’s ongoing information security, watching and responding. They need the tools to prevent what they can and to detect and remediate what they cannot, and they need the skills to do this.
IR process template via Frode Hommedal: http://frodehommedal.no/presentations/first-tc-oslo-2015/#/slide-start
CSIRT process, new one by Frode Hommedal: http://frodehommedal.no/presentations/cert-ee-symposium-2016/#/
Report Template for Threat Intelligence and Incident Response by Lenny Zeltser
An HP SOC white paper: Building-Maturing-and-Rocking-a-Security-Operations-Center-Brandie-Anderson.pdf
The Grand List of Incident Management Frameworks via Gabor Szathmari
A slidedeck on building a SOC via Slideshare:
Lessons learned from working in a SOC by Jen Andre of Komand
How to build and run a Security Operations Center by Renato Basante Borbolla
Designing and Building Security Operations Center 1st Edition by David Nathans
Security Operations Center: Building, Operating, and Maintaining your SOC from October 2015 by Joseph Muniz, Gary McIntyre, Nadhem AlFardan
“Crafting the InfoSec Playbook. Security Monitoring and Incident Response Master Plan” by Jeff Bollinger, Brandon Enright, Matthew Valites. Thanks Sashank Dara for mentioning this.
2. Some practical resources for incident response and SOC
Most of OpenSecurityTraining: http://opensecuritytraining.info/Training.html
GIAC Certified incident Handler (GCIH) https://www.giac.org/certification/certified-incident-handler-gcih
Incident response and network forensics on Infosecinstitute
SANS master’s degree in incident response: https://www.sans.edu/academics/certificates/incident-response
3. Tools of the trade:
The list of tools here on postmodernsecurity.com:
IP TO ASN via Teamcymru. IP To ASN allows one to map IP numbers to BGP prefixes and ASNs. These services come in various flavors, including whois (TCP 43), dns (UDP 53), HTTP (TCP 80) and HTTPS (TCP 443).
TOTALHASH: totalhash provides static and dynamic analysis of malware samples. The data available on this site is free for non-commercial use. If you have samples that you would like analyzed you may upload them to our anonymous FTP server.
- URL Abuse to check and review security of URLs
- cve-search Common Vulnerabilities and Exposures (CVE) web interface and API
- IP address to ASN mapping whois service including 4 years of historical data
- Passive DNS, historical dns records database (access on request, contact us)
- Passive SSL services, historical database of SSL certificates per IP address (access on request, contact us)
- Dynamic malware analysis platform (access on request, contact us)
- Threat indicators sharing platform for private sector – MISP (access on request, contact us)
DA_667 on an IR toolset on a shoestring budget, using World of Warcraft analogies:
SIEM: elk stack
NSM: Snort + Bro (with fullcap/flow later on when/if I had money)
Client-Side: GRR + El-Jefe + whatever crap A/V solution
Heroic Mode Extra credit: Packet Fence for shunting infected machines into a “GTFO” VLAN for re-imaging/IR purposes
25-man RAID mode: Moloch for FPC.
List all named pipes via PowerShell:
PS C:\> [System.IO.Directory]::GetFiles("\\.\\pipe\\")
Securityonion and Sysmon (slides)
Security onion Conference – 2015 from DefensiveDepth
LAIKA BOSS open sourced by lockheed martin https://github.com/lmco/laikaboss/blob/master/README.md
Incident response hunting tools: https://sroberts.github.io/2015/04/21/hunting-tools/
MozDef: The Mozilla Defense Platform – automates the security incident handling process and facilitates the real-time activities of incident handlers. Also via Jeff Bryner (suggested by @sastrytumuluri)
Maltrail: Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists
FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. Fido’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today’s security stack and the large number of alerts generated by them. As an orchestration platform fido can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
Fast IR Collector by Sekoialab
The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response management system and knowledge base. Designed by cyber security incident responders, SCOT provides a new approach to manage security alerts, analyze data for deeper patterns, coordinate team efforts, and capture team knowledge. SCOT integrates with existing security applications to provide a consistent, easy to use interface that enhances analyst effectiveness.
Loki – Simple IOC and Incident Response scanner https://www.bsk-consulting.de/loki-free-ioc-scanner/
Volatility autoruns plugin: Finding persistence points (also called “Auto-Start Extensibility Points”, or ASEPs) is a recurring task of any investigation potentially involving malware. To make an analyst’s life a bit easier, I came up with the autoruns plugin. autoruns basically automates most of the tasks you would need to run when trying to find out where malware is persisting from. Once all the autostart locations are found, they are matched with running processes in memory.
Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.
YARA – The pattern matching swiss knife
Mandiant Redline (free and open source) https://www.fireeye.com/services/freeware/redline.html
Good tool collection by category on dfir.training blog: http://www.dfir.training/index.php/tools/new
IRMA (Incident Response Malware Analysis). Today’s defense is not only about learning about a file, but also about getting a fine overview of the incident you dealt with: where and when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it. IRMA intends to be an open-source platform designed to help identify and analyze malicious files.
New (Nov, 2016): Introducing TheHive: a Scalable, Open Source and Free Incident Response Platform blog.thehive-project.org/2016/11/07/int…
Syncurity IR – Implement a repeatable, scalable, auditable process across your entire security operations and incident response lifecycle.
4. Relevant Blogs/Slides:
(In time this will be completed: https://www.peerlyst.com/blog-post/resource-incident-response-guide)
Incident response must improve! https://www.peerlyst.com/blog-post/security-incident-response-must-improve
Preparing for Incident Response https://www.peerlyst.com/blog-post/incident-response-preparation
Getting Management Buy-in for IR https://blog.peerlyst.com/blog-post/incident-response-management-buyin
Dealing with analyst fatigue https://www.peerlyst.com/blog-post/incident-response-how-do-you-deal-with-analyst-fatigue
The importance of process https://www.peerlyst.com/blog-post/incident-response-the-importance-of-process
Infosecinstitute on SOC: http://resources.infosecinstitute.com/security-operations-center/
How to Manage a Large Volume of Cyber Alerts via securityweek
Extracting a PCAP from memory https://isc.sans.edu/forums/diary/Extracting+pcap+from+memory/20639
From RSAC 2016 by Mark Russinovich:
crowdstrike blog: Recon detection by the blue team: http://www.crowdstrike.com/blog/reconnaissance-detection-blue-team/
Improving Incident Response Investigations by JP Bourget https://www.peerlyst.com/posts/improving-incident-response-investigations-jp-bourget-1
WMI persistence blog and how to detect this persistence: http://windowsir.blogspot.lu/2016/04/cool-stuff-re-wmi-persistence.html, which includes links to Matt Graeber’s Black Hat USA 2015 presentation and paper on this topic, and the Dell SecureWorks blog about their discovery.
SubTee SCT persistence module: https://github.com/subTee/SCTPersistence -> useful to know and be able to detect
ELF Shared Library Injection Forensics via backtrace.io
Proxy server logs for incident response https://www.vanimpe.eu/2016/10/21/proxy-server-logs-incident-response/ via Koen Van
- Raffy’s Blog – specifically Internal Threat Intelligence What Hunters Do and Hunting – The Visual Analytics Addition To Your SIEM To Find Real Attacks
- Security Visualization and Analytics – how visualization can help with data analytics – something each SOC needs to think about.
- SIEM Use-Cases – A great guide on what a SOC should implement
- Data Analytics – Security Intelligence and Big Data presentation: Raffael Marty – Slideshare
- Security Data Lake (free download) – How to use Big Data in your SOC
Several organizations offer free online tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real time to identify threats:
- AVG Website Safety Reports: Provides historical reputation data about the site
- BrightCloud URL/IP Lookup: Presents historical reputation data about the website
- Comodo Web Inspector: Examines the URL in real-time
- Cisco SenderBase: Presents historical reputation data about the website
- Cymon: Presents data from various threat intel feeds
- Deepviz: Offers historical threat intel data about IPs, domains, etc.
- Desenmascara.me: Flags websites suspected of selling counterfeit products
- FortiGuard lookup: Displays the URL’s history and category
- IBM X-Force Exchange: Provides historical data about IPs, URLs, etc.
- Joe Sandbox URL Analyzer: Examines the URL in real time
- Is It Hacked: Performs several checks in real time and consults some blacklists
- IsItPhishing: Assesses the specified URL in real-time
- KnownSec: Presents historical reputation data about the website; Chinese language only
- Norton Safe Web: Presents historical reputation data about the website
- PhishTank: Looks up the URL in its database of known phishing websites
- Malware Domain List: Looks up recently-reported malicious websites
- MalwareURL: Looks up the URL in its historical list of malicious websites
- McAfee Site Advisor: Presents historical reputation data about the website
- McAfee TrustedSource: Presents historical reputation data about the website
- MxToolbox: Queries multiple reputational sources for information about the IP or domain
- Open Threat Exchange: Presents diverse threat intelligence data from AlienVault
- PassiveTotal: Presents passive DNS and other threat intelligence data
- Quttera ThreatSign: Scans the specified URL for the presence of malware
- Reputation Authority: Shows reputational data on specified domain or IP address
- Sucuri SiteCheck: Scans the URL for malware in real time and looks it up in several blacklists
- Trend Micro Web Reputation: Presents historical reputation data about the website
- Unmask Parasites: Looks up the URL in the Google Safe Browsing database
- URL Blacklist: Looks up the URL in its database of suspicious sites
- URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content
- urlscan.io: Examines the URL in real time and displays the requests it issues to render the page
- URLVoid and IPVoid: Looks up the URL or IP in several blacklisting services
- VirusTotal: Looks up the URL in several databases of malicious sites
- vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists
- ThreatMiner: Presents diverse threat intelligence data
- WebPulse Site Review: Looks up the website in BlueCoat’s database
- Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques
Any on-line tools that should be on this list, but are missing? Let me know. My other lists of on-line security resources outline Automated Malware Analysis Services and Blocklists of Suspected Malicious IPs and URLs.
- Ahmia.fi – Clearnet search engine for Tor Hidden Services
- EasyONIONs – EasyONIONS is the easiest way to access a hidden service
- The Tor Dark Wiki – Latest links from Tor Dark Wiki
- The Uncensored Hidden Wiki – This wiki is a community project aimed at collecting and cataloging anything and everything
- Light Hidden Wiki – Light version of original Hidden Wiki
- All Your Wiki – Mostly just a mirror of the directories without linking to CP.
- Tor Directory – 50 000+ Sources.
- The Hidden Wiki – Wiki style link list of TOR, most links there are SCAMS!
- OnionList Onion Link List and Vendor Reviews.
- DuckDuckGo – A Hidden Service that searches the clearnet.
- Bitcoin Fog – Bitcoin anonymization taken seriously.
- Torch – Tor Search Engine. Claims to index around 1.1 Million pages.
- Torlinks – Directory for .onion sites, moderated.
- Grams – Search Darknet Markets and more.
- Hidden Wiki – The Hidden Wiki more orderly and updated!
- The Uncensored Hidden Wiki – A censorship-free mirror of The Hidden Wiki!
- The Hidden Wiki – A mirror of the Hidden Wiki. 2 days old users can edit the main page.
- The Liberty Wiki – A 100% community editable wiki that welcomes all users. Allows a variety of uses. Now recruiting Admins. [Back up]
- Hidden Links – Directory for hidden services, daily verified for availability. Anybody can add new links. [Down 2015/5]
- Hidden Answers – a site for asking questions and receiving answers on TOR.
- The Matrix – Very nice to read.
- How to Exit the Matrix – Learn how to Protect yourself and your rights, online and off.
- Verifying PGP signatures – A short and simple how-to guide.
- In Praise Of Hawala – Anonymous informal value transfer system
- MatrixDirectory – New and Fresh Onion Links Everyday! Nov. 2016. Matrix Directory
- Torads – TorAds is an advertising network for both advertisers and publishers dedicated for use on hidden services behind Tor.
- EasyCoin – Bitcoin Wallet with free Bitcoin Mixer.
- WeBuyBitcoins – Sell your Bitcoins for Cash (USD), ACH, WU/MG, LR, PayPal and more.
- OnionWallet – Anonymous Bitcoin Wallet and Bitcoin Laundry.
- ccPal – CCs, CVV2s, Ebay, Paypals and more.
- HQER – High quality euro bills replicas / counterfeits
- USD Counterfeits – High quality USD counterfeits.
- The Green Machine! – Forum type marketplace with some of the oldest and most experienced vendors around. Get your paypals, CCs, etc, here!
- The PaypalCenter – Live Paypal accounts with good balances – buy some, and fix your financial situation for awhile.
- Premium Cards – Oldest cc vendor, Top quality Us & Eu credit cards!
- Hack Masters Trust – Risk Free Pre-Paid cards for sale.
- Unique Opportunities Offering a couple of high quality products for a great deal!
- Hidden Wallet – Tor Anonymous Hidden Bitcoin Wallet
- Paypal Baazar – paypal accounts for sale
- Cash Machine – Phished PayPal, Neteller, Skrill, BoA, Wells fargo bank Accounts, Paysafecard’s, US & EU Credit cards are available here.
- Shadow Wallet – An Anonymous user Friendly Bitcoin Wallet/Mixer – Highly Regarded Service
- Card Store – Bank card store, сс, paypal, dump+pin. Free shipping
- BitBlender – Bitcoin mixer.
- Shared Coin – Free, fast and privacy-oriented Darknet Bitcoin Mixer, any amount from 0.0001 to 50 BTC.
- SOL’s USD Counterfeits – High Quality 20 USD Counterfeit Notes – Trusted Service.
- The Queen of Cards – #1 Female Carding Forum for CCs, Pre-Paid, WU, MG, Bank & PayPal Transfers, Since 2011!
- Wall Street – Paypal accounts, credit cards, we have everything!!
- Cheap Euros – 20€ Counterfeit bills. Unbeatable prices!!
- Paypal-Coins – Buy a paypal account and receive the balance in your bitcoin wallet.
- Bitiply! Multiply Your Bitcoins Through Bitcoin Malleability Exploit!
- Clone CC Crew – No.1 Trusted onion site for Cloned Credit Card. $2000/$5000 balance available
- SOL’s Euro Counterfeits – 50€ Counterfeit notes. Quality + Best Prices
- Double your Bitcoins – Service that doubles your Bitcoins.
- Credit Cards – Credit Cards, from the most Trusted Vendor in the union. Fast shipping.
- Your C.Card Shop – Physical credit cards with High balance available to order. Paypal or bitcoins as payment methods
- Skimmed Cards Oldest seller on old HW. Fresh stock. 99.9% safe. Worldwide cashout! Express shipping.
- BtcLowen Sell your Bitcoins for 10% more than the market value!
- 7YearsinTibet Fully automated PayPal & Credit card market site. Fresh stock every 2 days. Best deals.
- USJUD Counterfeits – EUR || USD Counterfeit money, any trusted escrow accepted, the most trusted seller.
- Dexters Bank – One-Stop shop for Western Union and Bank Transfers on the Deep Web. Amazing Service. Bitcoins/Litecoins only –
- AnonCoin – Clean your coins 100% anonymously! For a 0.1% fixed fee.
- Fake Bills – Fake bills in Euro/dollar. Cheap price, shipping worldwide.
- Instabit – Get bitcoins instantly
- Buy and sell Bitcoin Anonymous and safe purchase and sale of bitcoins.
- TOR Wallet – Bitcoin Wallet with integrated Bitcoin Mixer.
- ServNet – *.onion server hosting & cryptography services.
- TorShops – Create your own .onion store with full bitcoin integration
- French Freedom Zone – French-native Marketplace – with international section.
- Hitman Network – Group of contract killers from the US/Canada and EU.
- Apples4Bitcoin – Cheap Apple products for Bitcoin.
- CStore – The original CardedStore – Electronics purchased with carded giftcards. Everything Brand new. Full escrow accepted.
- Armory – Selling Brand new Guns and equipments. (Bitcoin)
- Apple Palace low priced Apple Products!
- AppleTor Very good Apple wholesale seller. Good prices and fast shipping!
- Football Money – Fixed football games info.
- Q Apple Store – Carded Gadgets with best price – Building a good reputation is one of our core values.
- BlackMarket Team – Reliable supplier with assured service quality!
- Mobile Store – Factory unlocked iphones and other smartphones.
- Fake Passport ID sale – Good website selling qualitative EU/US/AUS/CAN fake passports, ID cards, driver’s licenses.
- Deep Market – many gadgets. Free Shipping.
- Contract Killer – Permanent Solutions to Common Problems!
- TelAvivService – Professional anonymous global goods partners.
- Apple iPhones 5S for Sell – Selling a few new iPhone 5S phone.
- Rent-A-Hacker – Hacking, DDOS, Social Engineering, Espionage, Ruining people.
- Executive Outcomes – The largest website selling weapons in TOR network.
- USA/EU Fake Documents store – The best place for buy UK,US,EU,JP,AU passports online. FREE express delivery.
- Tor web developer – Anonymous web developer for hire.
- EuroGuns – Your #1 european arms dealer.
- UK Passports – Original UK Passports.
- USfakeIDs – High quality USA Fake Drivers Licenses.
- Samsungstore Samsung tablets, smartphones, notebooks.
- Kamagra for Bitcoin – Same as Viagra but cheaper!
- New Identity – Fake documents service online. 3-5 days FREE express delivery worldwide.
- USA Citizenship – Become a citizen of the USA, real USA passport.
- UK Guns and Ammo – Selling Guns and Ammo from the UK for Bitcoins.
- /IBusiness | Offshore, Offline Managed Investment Account
- Onion Identity Services – Selling Passports and ID-Cards for Bitcoins.
- IPhone Discount Store – Free shipping. Discount. All Iphones
- IPhone Shop Market – New.Unlocked.Warranty.
- Amazon GC 4 Bitcoins – Bring Your dreams to life with these amazing Amazon gift cards half of the price.
- Deepweb Guns Store – Verified marketplace for Guns and other weapons, worldwide shipping.
- SOL’s United States Citizenship Become a True US Citizen – Selling Citizenship.
- Cards – Credit cards with high balance
- Hidden BetCoin – Play Bitcoin proven fair Same or Diff Game.
- Professional HACK GROUP – provides high-end hacking services in deepweb.
- DEEPTECH Electronics – Electronics Supplier with Good Prices and Fast Shipping! Large variety of goods (Bitcoin) tinyurl.com/deeptech-electronics
- Only.Cigs – Contraband with cigarettes, no bullshit, only original blends for Bitcoin!
- Electronion – Brand new carded Apple, Samsung, Sony and other electronics for good prices.
- UnderGround – New market place.
- Hidden Platinum DUMPs Shop – Hidden Platinum DUMPs Shop
- Readable Domains Selling readable onion domain names, use this link to search readable onion domains and share your best finds on readable onions
Hosting / Web / File / Image
- Fuck You Hosting Completely free hosting service for onion websites
- Prometheus_Hidden_Services – Payed hosting, provides Virtual Private Server (VPS) with Linux
- Image Hosting – Free image hosting site, anything goes
- Freedom Hosting II – Anonymous Freehosting with PHP/MySQL Support
- Free imageboard – apply here for free board on this forum, with basic janitor privileges
- Web Hosting — Web Hosting PHP5, MySQL, SFTP Access, .onion Domain. 24 hours free hosting.
- TorShops – Get your own .onion store with full bitcoin integration.
- Bittit – Host and sell your original pictures for Bitcoins.
- Liberty’s Hackers – Service and Hosting Provider in onionland php5/mysql support request considered on a case by case.
- CYRUSERV – Hosting service with an emphasis on security, open for business again.
- TorVPS Shells — Free torified shell accounts, can be used for .onion hosting, IRC, etc.
Blogs / Essays
- Beneath VT – Information on the steam tunnels at Virginia Tech.
- Jiskopedia – A multilingual wikipedia for Tor and I2P networks.
- Teczkohen – Polish imageboard
- BlackBook – Social media site (The facebook of TOR)
- Galaxy 2 – A revival of the old Galaxy community.
- Facebook – The real Facebook’s Onion domain. Claim not to keep logs. Trust them at your peril.
- MultiVerse Social Network – Social Network with anonymous IRC chat services as well as other features.
- Friendica The friend network
Forums / Boards / Chans
- Torchan – /b/, /i/, programming, revolution, tons of other boards
- Torduckin0 #1st – Citadel BBS with chat and IM to support Torduckin.
- InserTor – Tor pastebin clone. Create new paste, share code, share news. Public and Private pastes. Create encrypted paste (encrypted button only with java on) or paste with time limit (also burn on reading!)
- Dark Nexus – Deep chat
Email / Messaging
- Sigaint – Darknet email service that allows you to send and receive email without revealing your location or identity.
- Mail2Tor – New Tor Mail Server to clear web. (Not working properly, delayed emails)
- AnonMail – Anonymous premium email service like lavabit. (Not free).
- TorBox – TOR only secure and private email service.
- Lelantos Free @lelantos.org account.
- MailTor – Free @mailtor.net account (webmail, smtp, pop3 and imap access).
- PURE EUROPE – Cleanse Europe of the dirt!
- CODE:GREEN – Ethical hacktivism for a better world
- paraZite #1st, clearnet 301 redirector – Illicit activities advocacy and censored information archive.
- paraZite #2nd, clearnet 301 redirector – Illicit activities advocacy and censored information archive.
- FREEFOR – USA-based FREEdom FORces developing a turnkey distributed Temporary Autonomous Zone. FAQ
- Hack Canada – America is a joke.
- Cat Facts – A site that distributes cat facts.
- Tor Against CP! – Free and clean Tor – Tor users against CP!
- Safer Anonymous OS Guide – A Comprehensive Guide to Installing and employing a Safer Anonymous Operating System.
Audio – Music / Streams
- Lossless Audio Files – Mostly WavPack, some FLAC, Ape, ogg, etc. Has index generating links.
- Traum library mirror – 60GB of Russian and English books. A mirror of the latest Traum ISO. Covers, search and downloads in FB2, HTML and plain TXT
- ParaZite – Collection of forbidden files and howto’s (pdf, txt, etc.).
- Imperial Library of Trantor – A library that offers over 50,000 free ebooks.
- Jotunbane’s Reading Club “All your ebooks are belong to us!”
- Liberated Books and Papers A small collection of hard to find books.
- Clockwise Library A collection of art and science books.
- Libraries A more complete list.
- TorDrugResource – Drug Chemistry and Pharmacology including limited Rhodium/Hive/Synthetikal mirrors.
- Agora – Marketplace with escrow. Drugs, guns and more… Need a special link for registration. Working registration link: Agora Registration. tinyurl.com/agora-market-onion
- Dream Market – Drugs Marketplace with Escrow. tinyurl.com/dream-market-onion
- Abraxas – Marketplace with escrow. Drugs, weapons and others… tinyurl.com/abraxas-market-onion
- AlphaBay Market – Drugs and Weapons Marketplace, with Escrow.
- Green Road – Biggest marketplace with full working escrow (similar to the old SR) tinyurl.com/green-road-market
- Silkroad 3.0 – The newer Silkroad.
- ONION PHARMA – Pharmacy Marketplace. PSY, Stimulants, Opioids, Ecstasy and more… tinyurl.com/onion-pharma
- Weed’A’Shop – Weed / Cigarettes … Prix Bas / Low Price … weed cigarette / EUROPE !!
- MOM4Europe Mail Order Marijuana – Order organic weed from Netherlands directly from the source
- Drug Market Anonymous marketplace for all kinds of drugs.
- Green Dragon UK – Cannabis tincture, prompt delivery, low prices.
- EuCanna – ‘First Class Cannabis Healthcare’ – Medical Grade Cannabis Buds, Rick Simpson Oil, Ointments and Creams.
- Peoples Drug Store – The Darkweb’s Best Online Drug Supplier!
- Smokeables – Finest Organic Cannabis shipped from the USA.
- CannabisUK – UK Wholesale Cannabis Supplier.
- DeDope – German Weed and Hash shop. (Bitcoin)
- BitPharma – EU vendor for cocaine, speed, mdma, psychedelics and subscriptions.
- Brainmagic – Best psychedelics on the darknet.
- NLGrowers – Coffee Shop grade Cannabis from the netherlands.
- Drugs Mr.Lim – Cheap Drugs. Free Shipping.
- DrugsMarket – DrugsMarket. Free shipping. Low price
- DRUGSTORE – Marketplace with a wide range of drugs. (escrow) tinyurl.com/DRUGST0RE
- The Pot Shop – Weed and Pot Shop Trading for longer than a year now! (Bitcoin) -UPGRADED-
- EU Cocaine – selling Cocaine, Meth and Heroin. (Bitcoin)
- Weed Store – well-known deepweb store selling high quality weed.
- Nucleus market – Anonymous market similar to Evolution. Vendors from evo and agora with escrow and multi-sig. (Bitcoin, Litecoin, Darkcoin)
- Mobile Store – Factory unlocked iphones and other smartphones
- UK Guns and Ammo – Selling Guns and Ammo from the UK for Bitcoins
- Apples4Bitcoin – Cheap Apple Products for Bitcoin
- EuroGuns – Your #1 european arms dealer
Digital Goods / Commercial Links
- ccPal – CCs, CVV2s, Ebay, Paypals and more
Original Post: https://n0where.net/best-onion-links-deep-web/
The art of virus creation seems to be lost. Let’s not confuse a virus for malware, trojan horses, worms, etc. You can make that garbage in any kiddie scripting language and pat yourself on th…
Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. Process injection improves stealth, and some techniques also achieve persistence. Although there are numerous process injection techniques, in this blog I present ten techniques seen in the wild that run malware code on behalf of another process. I additionally provide screenshots for many of these techniques to facilitate reverse engineering and malware analysis, assisting detection and defense against these common techniques.
1. CLASSIC DLL INJECTION VIA CREATEREMOTETHREAD AND LOADLIBRARY
This technique is one of the most common techniques used to inject malware into another process. The malware writes the path to its malicious dynamic-link library (DLL) in the virtual address space of another process, and ensures the remote process loads it by creating a remote thread in the target process.
The malware first needs to target a process for injection (e.g. svchost.exe). This is usually done by searching through processes by calling a trio of Application Program Interfaces (APIs): CreateToolhelp32Snapshot, Process32First, and Process32Next. CreateToolhelp32Snapshot is an API used for enumerating heap or module states of a specified process or all processes, and it returns a snapshot. Process32First retrieves information about the first process in the snapshot, and then Process32Next is used in a loop to iterate through them. After finding the target process, the malware gets the handle of the target process by calling OpenProcess.
As shown in Figure 1, the malware calls VirtualAllocEx to have a space to write the path to its DLL. The malware then calls WriteProcessMemory to write the path in the allocated memory. Finally, to have the code executed in another process, the malware calls APIs such as CreateRemoteThread, NtCreateThreadEx, or RtlCreateUserThread. The latter two are undocumented. However, the general idea is to pass the address of LoadLibrary to one of these APIs so that a remote process has to execute the DLL on behalf of the malware.
CreateRemoteThread is tracked and flagged by many security products. Further, it requires a malicious DLL on disk which could be detected. Considering that attackers are most commonly injecting code to evade defenses, sophisticated attackers probably will not use this approach. The screenshot below displays a malware named Rebhip performing this technique.
Figure 1: Rebhip worm performing a typical DLL injection
2. PORTABLE EXECUTABLE INJECTION (PE INJECTION)
Instead of passing the address of LoadLibrary, malware can copy its malicious code into an existing open process and cause it to execute (either via a small shellcode, or by calling CreateRemoteThread). One advantage of PE injection over the LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. Similar to the first technique, the malware allocates memory in a host process (e.g. VirtualAllocEx), and instead of writing a “DLL path” it writes its malicious code by calling WriteProcessMemory. However, the obstacle with this approach is the change of the base address of the copied image. When malware injects its PE into another process, the image gets a new, unpredictable base address, requiring the malware to dynamically recompute the fixed addresses of its PE. To overcome this, the malware needs to find its relocation table address in the host process, and resolve the absolute addresses of the copied image by looping through its relocation descriptors.
This technique is similar to other techniques, such as reflective DLL injection and memory module, since they do not drop any files to the disk. However, memory module and reflective DLL injection approaches are even stealthier. They do not rely on any extra Windows APIs (e.g., CreateRemoteThread or LoadLibrary), because they load and execute themselves in memory. Reflective DLL injection works by creating a DLL that maps itself into memory when executed, instead of relying on the Windows loader. Memory Module is similar to reflective DLL injection except that the injector or loader is responsible for mapping the target DLL into memory instead of the DLL mapping itself. In a previous blog post, these two in-memory approaches were discussed extensively.
When analyzing PE injection, it is very common to see loops (usually two “for” loops, one nested in the other) before a call to CreateRemoteThread. This technique is quite popular among crypters (software that encrypts and obfuscates malware). In Figure 2, the sample unit test is taking advantage of this technique. The code has two nested loops to adjust its relocation table that can be seen before the calls to WriteProcessMemory and CreateRemoteThread. The “and 0x0fff” instruction is another good indicator, showing that the low 12 bits of each relocation entry are used as the offset into the virtual address of the containing relocation block. Now that the malware has recomputed all the necessary addresses, all it needs to do is pass its starting address to CreateRemoteThread and have it executed.
Figure 2: Example structure of the loops for PE injection prior to calls to CreateRemoteThread
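The relocation walk that produces the nested loops and the “and 0x0fff” mask in Figure 2, as an added Python example (not code from the post): it parses IMAGE_BASE_RELOCATION blocks and applies a base delta to a constructed in-memory image, so an analyst can see exactly what the loops compute.

```python
"""Walk a PE relocation directory the way the nested loops in Figure 2 do.

Added example, not code from the blog post. The relocation block and the
image buffer below are constructed for the demonstration.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by loaders
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address to fix up
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address to fix up


def read_u32(buf, offset):
    return struct.unpack_from("<I", buf, offset)[0]


def parse_reloc_blocks(reloc):
    """Return [(rva, reloc_type)] for every fix-up in a relocation directory.

    Outer loop: IMAGE_BASE_RELOCATION headers (VirtualAddress, SizeOfBlock).
    Inner loop: 16-bit entries, 4-bit type in the high bits and a 12-bit
    page offset in the low bits, hence the '& 0x0fff' seen in injector code.
    """
    out, pos = [], 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8:                      # malformed block: stop, do not spin
            break
        for i in range((size - 8) // 2):
            entry = struct.unpack_from("<H", reloc, pos + 8 + 2 * i)[0]
            rtype, offset = entry >> 12, entry & 0x0FFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                out.append((page_rva + offset, rtype))
        pos += size
    return out


def apply_relocations(image, reloc, old_base, new_base):
    """Return a copy of image with each fix-up adjusted by new_base - old_base."""
    delta = new_base - old_base
    patched = bytearray(image)
    for rva, rtype in parse_reloc_blocks(reloc):
        if rtype == IMAGE_REL_BASED_HIGHLOW:
            val = read_u32(patched, rva)
            struct.pack_into("<I", patched, rva, (val + delta) & 0xFFFFFFFF)
        elif rtype == IMAGE_REL_BASED_DIR64:
            val = struct.unpack_from("<Q", patched, rva)[0]
            struct.pack_into("<Q", patched, rva, (val + delta) & (2 ** 64 - 1))
    return bytes(patched)


# Constructed sample: one block for page RVA 0x1000 holding two HIGHLOW
# fix-ups (offsets 0x010 and 0x024) plus one ABSOLUTE padding entry.
SAMPLE_RELOC = struct.pack("<II", 0x1000, 8 + 3 * 2) + struct.pack(
    "<HHH",
    (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
    (IMAGE_REL_BASED_HIGHLOW << 12) | 0x024,
    (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,
)

# Constructed image: 0x2000 zero bytes with two absolute pointers that assume
# the preferred base 0x400000.
_img = bytearray(0x2000)
struct.pack_into("<I", _img, 0x1010, 0x401234)
struct.pack_into("<I", _img, 0x1024, 0x405678)
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    for rva, rtype in parse_reloc_blocks(SAMPLE_RELOC):
        print(f"fix-up at RVA 0x{rva:05x}, type {rtype}")
    fixed = apply_relocations(SAMPLE_IMAGE, SAMPLE_RELOC, 0x400000, 0x10000000)
    print(hex(read_u32(fixed, 0x1010)))   # 0x10001234
```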
3. PROCESS HOLLOWING (A.K.A PROCESS REPLACEMENT AND RUNPE)
Instead of injecting code into a host program (e.g., DLL injection), malware can perform a technique known as process hollowing. Process hollowing occurs when malware unmaps (hollows out) the legitimate code from the memory of the target process, and overwrites the memory space of the target process (e.g., svchost.exe) with a malicious executable.
The malware first creates a new process to host the malicious code in suspended mode. As shown in Figure 3, this is done by calling CreateProcess and setting the Process Creation Flag to CREATE_SUSPENDED (0x00000004). The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called. Next, the malware needs to swap out the contents of the legitimate file with its malicious payload. This is done by unmapping the memory of the target process by calling either ZwUnmapViewOfSection or NtUnmapViewOfSection. These two APIs basically release all memory pointed to by a section. Now that the memory is unmapped, the loader performs VirtualAllocEx to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware’s sections to the target process space. The malware calls SetThreadContext to point the entry point to a new code section that it has written. At the end, the malware resumes the suspended thread by calling ResumeThread to take the process out of the suspended state.
Figure 3: Ransom.Cryak performing process hollowing
4. THREAD EXECUTION HIJACKING (A.K.A SUSPEND, INJECT, AND RESUME (SIR))
This technique has some similarities to the process hollowing technique previously discussed. In thread execution hijacking, malware targets an existing thread of a process and avoids any noisy process or thread creation operations. Therefore, during analysis you will probably see calls to CreateToolhelp32Snapshot and Thread32First followed by OpenThread.
After getting a handle to the target thread, the malware puts the thread into suspended mode by calling SuspendThread to perform its injection. The malware calls VirtualAllocEx and WriteProcessMemory to allocate memory and perform the code injection. The code can contain shellcode, the path to the malicious DLL, and the address of LoadLibrary.
Figure 4 illustrates a generic trojan using this technique. In order to hijack the execution of the thread, the malware modifies the EIP register (a register that contains the address of the next instruction) of the targeted thread by calling SetThreadContext. Afterwards, the malware resumes the thread to execute the shellcode that it has written to the host process. From the attacker’s perspective, the SIR approach can be problematic because suspending and resuming a thread in the middle of a system call can cause the system to crash. To avoid this, more sophisticated malware resumes the thread and retries later if the EIP register is within the range of NTDLL.dll.
Figure 4: A generic trojan is performing thread execution hijacking
5. HOOK INJECTION VIA SETWINDOWSHOOKEX
Hooking is a technique used to intercept function calls. Malware can leverage hooking functionality to have its malicious DLL loaded upon an event getting triggered in a specific thread. This is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain. The SetWindowsHookEx function takes four arguments. The first argument is the type of event. The events reflect the range of hook types, and vary from pressing keys on the keyboard (WH_KEYBOARD) to mouse input (WH_MOUSE), CBT, etc. The second argument is a pointer to the function the malware wants to invoke upon the event execution. The third argument is a module that contains the function. Thus, it is very common to see calls to LoadLibrary and GetProcAddress before calling SetWindowsHookEx. The last argument to this function is the thread with which the hook procedure is to be associated. If this value is set to zero, all threads perform the action when the event is triggered. However, malware usually targets one thread for less noise, thus it is also possible to see calls to CreateToolhelp32Snapshot and Thread32Next before SetWindowsHookEx to find and target a single thread. Once the DLL is injected, the malware executes its malicious code on behalf of the process whose thread ID was passed to the SetWindowsHookEx function. In Figure 5, Locky Ransomware implements this technique.
Figure 5: Locky Ransomware using hook injection
6. INJECTION AND PERSISTENCE VIA REGISTRY MODIFICATION (E.G. APPINIT_DLLS, APPCERTDLLS, IFEO)
AppInit_DLLs, AppCertDlls, and IFEO (Image File Execution Options) are all registry keys that malware uses for both injection and persistence. The entries are located at the following locations:
HKLM\Software\Microsoft\Windows NT\currentversion\image file execution options
Malware can insert the location of its malicious library under the AppInit_DLLs registry key to have another process load the library. Every library under this registry key is loaded into every process that loads User32.dll. User32.dll is a very common library used for storing graphical elements such as dialog boxes. Thus, when malware modifies this subkey, the majority of processes will load the malicious library. Figure 6 demonstrates the trojan Ginwui relying on this approach for injection and persistence. It simply opens the AppInit_DLLs registry key by calling RegCreateKeyEx, and modifies its values by calling RegSetValueEx.
Figure 6: Ginwui modifying the AppInit_DLLs registry key
AppCertDlls
This approach is very similar to the AppInit_DLLs approach, except that DLLs under this registry key are loaded into every process that calls the Win32 API functions CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, and WinExec.
Image File Execution Options (IFEO)
IFEO is typically used for debugging purposes. Developers can set the “Debugger Value” under this registry key to attach a program to another executable for debugging. Therefore, whenever the executable is launched the program that is attached to it will be launched. To use this feature you can simply give the path to the debugger, and attach it to the executable that you want to analyze. Malware can modify this registry key to inject itself into the target executable. In Figure 7, Diztakun trojan implements this technique by modifying the debugger value of Task Manager.
Figure 7: Diztakun trojan modifying IFEO registry key
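A check for the three registry locations in this section, as an added Python example (not Endgame's code): it parses a registry export (.reg text) and flags IFEO Debugger values, a non-empty AppInit_DLLs value and any AppCertDlls entry. The AppInit_DLLs and AppCertDlls key paths are the standard Windows locations, which the page does not quote; the export text and the file names in it are constructed placeholders.

```python
"""Audit a .reg export for the injection/persistence locations in section 6.
Added example, not Endgame's code. The AppInit_DLLs and AppCertDlls key paths
are the standard Windows locations, not quoted on the page; the export text
below is constructed, and the DLL/EXE names in it are placeholders."""
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
APPINIT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPCERT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return {key path: {value name: data}}; string data is unescaped,
    other types (dword:, hex:) are kept as their raw text."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        m = VALUE_RE.match(line) if cur is not None else None
        if not m:
            continue                       # header, blank, or hex continuation line
        name, data = m.groups()
        name = "(Default)" if name == "@" else name[1:-1].replace('\\"', '"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[cur][name] = data
    return keys


def audit(text):
    """Return [(category, key path, data)] for each finding, in export order."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.startswith(IFEO.lower() + "\\") and "Debugger" in values:
            findings.append(("IFEO Debugger", key, values["Debugger"]))
        elif k == APPINIT.lower() and values.get("AppInit_DLLs", "").strip():
            findings.append(("AppInit_DLLs", key, values["AppInit_DLLs"]))
        elif k == APPCERT.lower():
            for name, data in values.items():
                findings.append(("AppCertDlls", key + "\\" + name, data))
    return findings


# Constructed export: one IFEO Debugger on taskmgr.exe (the Diztakun pattern),
# a benign IFEO subkey, an AppInit_DLLs entry and one AppCertDlls entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Public\\PLACEHOLDER_debugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\Users\\Public\\PLACEHOLDER_appinit.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"PLACEHOLDER_cert"="C:\\Users\\Public\\PLACEHOLDER_appcert.dll"
'''

if __name__ == "__main__":
    for category, key, data in audit(SAMPLE_REG):
        print(f"{category}: {key} -> {data}")
```

Every IFEO Debugger value is reported, including ones set by legitimate tooling, so the output is a triage list rather than a verdict.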
7. APC INJECTION AND ATOMBOMBING
Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute its custom code by attaching it to the APC queue of the target thread. Each thread has a queue of APCs which are waiting for execution until the target thread enters an alertable state. A thread enters an alertable state if it calls the SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, or WaitForSingleObjectEx functions. The malware usually looks for any thread that is in an alertable state, and then calls OpenThread and QueueUserAPC to queue an APC to that thread. QueueUserAPC takes three arguments: 1) a handle to the target thread; 2) a pointer to the function that the malware wants to run; and 3) the parameter that is passed to the function pointer. In Figure 8, Amanahe malware first calls OpenThread to acquire a handle of another thread, and then calls QueueUserAPC with LoadLibraryA as the function pointer to inject its malicious DLL into another thread.
AtomBombing is a technique that was first introduced by enSilo research, and then used in Dridex V4. As we discussed in detail in a previous post, the technique also relies on APC injection. However, it uses atom tables for writing into memory of another process.
Figure 8: Almanahe performing APC injection
8. EXTRA WINDOW MEMORY INJECTION (EWMI) VIA SETWINDOWLONG
EWMI relies on injecting into Explorer tray window’s extra window memory, and has been used a few times among malware families such as Gapz and PowerLoader. When registering a window class, an application can specify a number of additional bytes of memory, called extra window memory (EWM). However, there is not much room in EWM. To circumvent this limitation, the malware writes code into a shared section of explorer.exe, and uses SetWindowLong and SendNotifyMessage to have a function pointer to point to the shellcode, and then execute it.
The malware has two options when it comes to writing into a shared section. It can either create a shared section and have it mapped both to itself and to another process (e.g., explorer.exe), or it can simply open a shared section that already exists. The former has the overhead of allocating heap space and calling NtMapViewOfSection in addition to a few other API calls, so the latter approach is used more often. After the malware writes its shellcode in a shared section, it uses GetWindowLong and SetWindowLong to access and modify the extra window memory of “Shell_TrayWnd”. GetWindowLong is an API used to retrieve the 32-bit value at the specified offset into the extra window memory of a window class object, and SetWindowLong is used to change values at the specified offset. By doing this, the malware can simply change the offset of a function pointer in the window class, and point it to the shellcode written to the shared section.
Like most other techniques mentioned above, the malware needs to trigger the code that it has written. In previously discussed techniques, malware achieved this by calling APIs such as CreateRemoteThread, QueueUserAPC, or SetThreadContext. With this approach, the malware instead triggers the injected code by calling SendNotifyMessage. Upon execution of SendNotifyMessage, Shell_TrayWnd receives and transfers control to the address pointed to by the value previously set by SetWindowLong. In Figure 9, a malware named PowerLoader uses this technique.
Figure 9: PowerLoader injecting into extra window memory of shell tray window
9. INJECTION USING SHIMS
Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without needing to rewrite code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an executable for both persistence and injection. Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes.
There are many fixes that can be applied, but malware’s favorites are the ones that are somewhat security related (e.g., DisableNX, DisableSEH, InjectDLL, etc). To install a shimming database, malware can deploy various approaches. For example, one common approach is to simply execute sdbinst.exe, and point it to the malicious sdb file. In Figure 10, an adware, “Search Protect by Conduit”, uses a shim for persistence and injection. It performs an “InjectDLL” shim into Google Chrome to load vc32loader.dll. There are a few existing tools for analyzing sdb files, but for the analysis of the sdb listed below, I used python-sdb.
Figure 10: SDB used by Search Protect for injection purposes
10. IAT HOOKING AND INLINE HOOKING (A.K.A USERLAND ROOTKITS)
IAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, with inline hooking, malware modifies the API function itself. In Figure 11, the malware FinFisher performs IAT hooking by modifying where CreateWindowEx points.
Figure 11: FinFisher performing IAT hooking by changing where CreateWindowEx points to
In this post, I covered ten different techniques that malware uses to hide its activity in another process. In general, malware either directly injects its shellcode into another process or it forces another process to load its malicious library. In Table 1, I have classified the various techniques and provided samples to serve as a reference for observing each injection technique covered in this post. The figures included throughout the post will help the researcher recognize the various techniques when reversing malware.
Table 1: Process injection can be done by directly injecting code into another process, or by forcing a DLL to be loaded into another process
Attackers and researchers regularly discover new techniques to achieve injection and provide stealth. This post detailed ten common and emerging techniques, but there are others, such as COM hijacking. Defenders will never be “done” in their mission to detect and prevent stealthy process injection because adversaries will never stop innovating.
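Detection logic for the API sequences described above, as an added Python example (not Endgame's tooling): it matches a per-process, sandbox-style API trace against ordered call signatures for seven of the techniques and reports which trace lines matched. The 'pid=N api(args)' line format and the trace lines are constructed for the demonstration.

```python
"""Match a sandbox-style API trace against the injection sequences in this
post. Added example, not Endgame's tooling; line format and trace are constructed."""
import re

LINE_RE = re.compile(r"^\s*pid=(\d+)\s+(\w+)\((.*)\)\s*$")
REMOTE_THREAD = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"}
UNMAP = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}

# A signature is an ordered list of (allowed API names, optional regex on the
# argument text). Steps must occur in this order inside one process; other
# calls in between are ignored. Trailing A/W suffixes are stripped on parse.
SIGNATURES = {
    "DLL injection": [({"OpenProcess"}, None), ({"VirtualAllocEx"}, None),
                      ({"WriteProcessMemory"}, r"\.dll"), (REMOTE_THREAD, None)],
    "PE injection": [({"OpenProcess"}, None), ({"VirtualAllocEx"}, None),
                     ({"WriteProcessMemory"}, r"^(?!.*\.dll)"), (REMOTE_THREAD, None)],
    "Process hollowing": [({"CreateProcess"}, r"CREATE_SUSPENDED|\b0x0*4\b"),
                          (UNMAP, None), ({"VirtualAllocEx"}, None),
                          ({"WriteProcessMemory"}, None), ({"SetThreadContext"}, None),
                          ({"ResumeThread"}, None)],
    "Thread execution hijacking": [({"OpenThread"}, None), ({"SuspendThread"}, None),
                                   ({"VirtualAllocEx"}, None), ({"WriteProcessMemory"}, None),
                                   ({"SetThreadContext"}, None), ({"ResumeThread"}, None)],
    "Hook injection": [({"LoadLibrary", "LoadLibraryEx"}, None),
                       ({"GetProcAddress"}, None), ({"SetWindowsHookEx"}, None)],
    "APC injection": [({"OpenThread"}, None), ({"QueueUserAPC"}, None)],
    "Extra window memory injection": [({"SetWindowLong", "SetWindowLongPtr"}, None),
                                      ({"SendNotifyMessage"}, None)],
}

def parse_trace(text):                      # -> [(line_no, pid, api, args)]
    calls = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            pid, api, args = m.groups()
            if len(api) > 1 and api[-1] in "AW":   # CreateProcessW -> CreateProcess
                api = api[:-1]
            calls.append((n, int(pid), api, args))
    return calls

def match_sequence(calls, steps):           # ordered subsequence match
    hit, i = [], 0
    for n, _pid, api, args in calls:
        names, arg_re = steps[i]
        if api in names and (arg_re is None or re.search(arg_re, args, re.I)):
            hit.append(n)
            i += 1
            if i == len(steps):
                return hit                  # line numbers of the matched steps
    return None

def classify(text):                         # -> {pid: [(technique, [lines])]}
    by_pid = {}
    for call in parse_trace(text):
        by_pid.setdefault(call[1], []).append(call)
    findings = {}
    for pid, calls in sorted(by_pid.items()):
        for name, steps in SIGNATURES.items():
            lines = match_sequence(calls, steps)
            if lines:
                findings.setdefault(pid, []).append((name, lines))
    return findings

SAMPLE_TRACE = """\
pid=100 OpenProcess(PROCESS_ALL_ACCESS, FALSE, 4120)
pid=100 VirtualAllocEx(hProcess, NULL, 32, MEM_COMMIT, PAGE_READWRITE)
pid=100 WriteProcessMemory(hProcess, addr, "C:\\Users\\Public\\sample.dll", 27, NULL)
pid=100 CreateRemoteThread(hProcess, NULL, 0, LoadLibraryA, addr, 0, NULL)
pid=200 CreateProcessW("C:\\Windows\\System32\\svchost.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, si, pi)
pid=200 NtUnmapViewOfSection(hProcess, 0x400000)
pid=200 VirtualAllocEx(hProcess, 0x400000, 0x6000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
pid=200 WriteProcessMemory(hProcess, 0x400000, buf, 0x6000, NULL)
pid=200 SetThreadContext(hThread, ctx)
pid=200 ResumeThread(hThread)
pid=400 OpenThread(THREAD_SET_CONTEXT, FALSE, 2044)
pid=400 QueueUserAPC(LoadLibraryA, hThread, addr)
"""
```

Calling classify(SAMPLE_TRACE) attributes pid 100 to DLL injection, pid 200 to process hollowing and pid 400 to APC injection; the DLL and PE signatures differ only in whether the written buffer looks like a DLL path, which is the same distinction the post draws between techniques 1 and 2.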
At Endgame, we constantly research advanced stealth techniques and bring protections into our product. We layer capabilities which detect malicious DLLs that load on some persistence (like AppInit DLLs, COM Hijacks, and more), prevent many forms of code injection in real-time via our patented shellcode injection protection, and detect malicious injected payloads running in memory delivered through any of the above techniques through our patent-pending fileless attack detection techniques. This approach allows our platform to be more effective than any other product on the market in protecting against code injection, while also maximizing resiliency against bypass due to emerging code injection techniques.
Apk Downloader from CNET
The publisher as below:
After you download, unzip and execute the Apk Downloader, apkserver.exe will be created in c:\windows\
Payload Security result:
Reported to CNET just now, waiting for their reply. Will keep you guys updated.
In the upcoming 6 hacking tutorials we will be talking about basic malware analysis, and we will start with discussing the many different Basic Malware Analysis Tools which are available. A Malware Analyst is someone highly skilled in reverse engineering malware to get a deep understanding of what a certain piece of malware does and how it does it. To become a malware analyst it is important to have a good understanding of operating systems, software, networking, programming in general, malware in general and assembly language. Assembly language is the low level programming code between the high level programming code and the machine instructions. In other words: it translates the high level language into machine instructions which will be processed by your computer's hardware.
In this tutorial we will be looking at simple but popular tools for basic static malware analysis like: PEiD to detect packers, Dependency Walker to view dynamically linked functions, Resource Hacker to view the malware’s resources, and PEview and FileAlyzer to examine the PE file headers and sections. These tools are used for basic static malware analysis to try to determine the kind of malware and its function without actually running the malware. Running and analysing the malware will be covered in later tutorials. After this we will be looking at the malware analysis advanced tools available for advanced static analysis and advanced dynamic malware analysis in the next article: Dynamic Malware Analysis Tools. Note that we will be discussing the tools in general first and get into detailed tutorials later. In the upcoming tutorials we will be using them on sample malware in detailed step-by-step hacking tutorials.
For now the Malware Analysis Tutorials will be divided into 6 subjects and will be released over the upcoming few weeks:
- Basic Malware Analysis Tools
- Dynamic Malware Analysis Tools
- Malware Types Explained
- Basic Malware Analysis
- Advanced Static Malware Analysis
- Advanced Dynamic Malware Analysis
Basic Malware Analysis Tools
As promised we’ll be looking at the following basic malware analysis tool: PEiD, Dependency Walker, Resource Hacker, PEview and FileAlyzer. For your convenience we will supply a download link for the tools as well so you can get your malware analysis toolbox ready for the upcoming tutorials. Be sure to subscribe to our newsletter as we will be updating this list and our toolbox along the upcoming tutorials.
PEiD is a small application which is used to detect common packers, cryptors and compilers. Malware writers often attempt to pack or obfuscate their malware to make it harder to detect and to analyse. The current version of PEiD can detect over 470 different signatures in PE files, which are loaded from a txt file called userdb. The official PEiD website is not active anymore but you can download PEiD-0.95-20081103 from Hacking Tutorials using the following download link: PEiD-0.95-20081103.zip
You need to replace the userdb.txt file with the following file to add the signatures: PEiD Userdb
Another great basic malware analysis tool is Dependency Walker. Dependency Walker is a free application which can be used to scan 32 and 64 bit Windows modules (.exe, .dll, .ocx, etc.) and is used to list all the imported and exported functions of a module. Dependency Walker also displays the dependencies of the file, which will result in a minimum set of required files. Dependency Walker also displays detailed information about those files including the file path, version number, machine type, debug information etc.
Dependency Walker can be downloaded here.
Resource Hacker, sometimes called ResHacker, is a free application used to extract resources from Windows binaries. Resource Hacker can extract, add and modify most resources like strings, images, menus, dialogs, VersionInfo, Manifest resources etc. The latest version of Resource Hacker, which is version 4.2.4, was released in July 2015.
Resource Hacker can be downloaded using the following link: Resource Hacker
PEview is a free and easy to use application to browse through the information stored in Portable Executable (PE) file headers and the different sections of the file. In the following tutorials we will be learning how to read those headers when we’re examining real malware.
PEview can be downloaded using the following link: PEview.
FileAlyzer is also a free tool to read information stored in PE file headers and sections but offers slightly more features and functionality than PEview. Nice features are the VirusTotal tab which can be used to submit malware to VirusTotal for analysis and the functionality to unpack UPX and PECompact packed files. And yes, Filealyzer is a typo but the developer decided to stick with the name which is kinda cool in our opinion.
FileAlyzer can be downloaded using the following link: FileAlyzer.
More Basic Malware Analysis Tools
Needless to say, we’ve covered only a very small portion of the Basic Malware Analysis Tools available. In the upcoming few days we will be adding more tools for you to download and explore, so be sure to subscribe to Hacking Tutorials to stay informed about updates. If you have any questions regarding the tools we encourage you to ask them here. Also let us know when you have suggestions for other tools. You can do so by replying to this post.
Thanks for reading and see you in the next chapter: Dynamic Malware Analysis Tools
Gartner Identifies the Top Technologies for Security in 2017