Showing posts with label malware. Show all posts

Tuesday, August 14, 2018

Free Indicators of Compromise (IOC) Tools - FireEye

IOC Finder

FireEye Indicators of Compromise (IOC) Finder is a free tool for collecting host system data and reporting the presence of IOCs. IOCs are open-standard XML documents that help incident responders capture diverse information about threats.

The IOC Finder features:
  • Collection of full data, sufficient for general IOC matching requirements
  • Usage of a portable storage device for collection from multiple hosts
  • IOC hit reporting in simple text, full HTML and full MS Word XML formats
  • Generation of reports for specific hosts or all hosts

Download Link :

IOC Editor

FireEye Indicators of Compromise (IOC) Editor is a free tool that provides an interface for managing data and manipulating the logical structures of IOCs. IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes and artifacts in memory.

The IOC Editor includes:
  • Manipulation of the logical structures that define the IOC
  • Application of meta-information to IOCs, including detailed descriptions or arbitrary labels
  • Conversion of IOCs into XPath filters
  • Management of lists of “terms” used within IOCs
 Download Link :

IOC Writer

IOC Writer provides a Python library for basic creation and editing of OpenIOC objects. It supports basic CRUD (Create, Read, Update, Delete) operations for the various items that make up an IOC.
Items do not have built-in Read operations, since all items can be accessed with built-in ElementTree syntax or with XPath to select portions of the IOC.

Download Link :
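As an added illustration (not code from IOC Finder, IOC Editor or IOC Writer), the following Python script shows what the three tools above work on: an OpenIOC document is walked with ElementTree and XPath-style selection, the "terms" it uses are listed, and its nested AND/OR criteria are evaluated against collected host data, which is the matching an IOC Finder hit report is built on. Both the IOC document and the host inventory are constructed for this example; the element names assume the OpenIOC 1.1 layout, and the ids, hash and strings are placeholders.

```python
"""Parse an OpenIOC 1.1 document with ElementTree/XPath and evaluate it against
host data.  Added illustration, not code from IOC Finder, IOC Editor or IOC Writer."""
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}

# Constructed sample IOC: element names follow the OpenIOC 1.1 layout; the ids,
# hash and strings are made up for this example.
SAMPLE_IOC = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="ioc-0001">
  <metadata><short_description>Example dropper</short_description></metadata>
  <criteria>
    <Indicator operator="OR" id="ind-root">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-and">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is" negate="true">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">C:\\Windows\\System32</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
  <parameters/>
</OpenIOC>
"""

# Constructed host inventory, shaped like the FileItem data a collector gathers.
HOST_FILES = [
    {"FileName": "svchost.exe", "FilePath": "C:\\Windows\\System32",
     "Md5sum": "0000000000000000000000000000aaaa"},
    {"FileName": "svchost.exe", "FilePath": "C:\\Users\\Public",
     "Md5sum": "0000000000000000000000000000bbbb"},
    {"FileName": "notes.txt", "FilePath": "C:\\Users\\bob",
     "Md5sum": "D41D8CD98F00B204E9800998ECF8427E"},
]


def search_terms(ioc_xml):
    """Every distinct search term the IOC uses (the 'terms' IOC Editor manages)."""
    root = ET.fromstring(ioc_xml)
    return sorted({c.get("search") for c in root.iterfind(".//ioc:Context", NS)})


def item_matches(item, host_obj):
    """Evaluate one IndicatorItem against a dict describing one host object."""
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS).text or ""
    field = search.split("/", 1)[1]          # "FileItem/Md5sum" -> "Md5sum"
    value = host_obj.get(field)
    cond = item.get("condition", "is")
    if value is None:
        hit = False                          # term absent on this object
    elif cond == "is":
        hit = value.lower() == content.lower()
    elif cond == "contains":
        hit = content.lower() in value.lower()
    elif cond == "matches":
        hit = re.search(content, value, re.IGNORECASE) is not None
    else:
        raise ValueError(f"unsupported condition {cond!r} in {item.get('id')}")
    if item.get("negate", "false").lower() == "true":
        hit = not hit
    return hit


def indicator_matches(indicator, host_obj):
    """Recursively combine child results with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        tag = child.tag.split("}", 1)[1]     # strip the namespace
        if tag == "IndicatorItem":
            results.append(item_matches(child, host_obj))
        elif tag == "Indicator":
            results.append(indicator_matches(child, host_obj))
    if indicator.get("operator", "OR").upper() == "AND":
        return all(results)
    return any(results)


def scan(ioc_xml, host_objs):
    """Return (name, path) for each host object that satisfies the IOC's criteria."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:criteria/ioc:Indicator", NS)
    return [(h["FileName"], h["FilePath"]) for h in host_objs if indicator_matches(top, h)]


if __name__ == "__main__":
    print("terms:", search_terms(SAMPLE_IOC))
    for name, path in scan(SAMPLE_IOC, HOST_FILES):
        print(f"HIT {path}\\{name}")
```

The evaluation runs per file object, which is correct while every term belongs to the same document type (FileItem here); an IOC that ANDs terms from different documents (a FileItem with a RegistryItem, say) needs host-level grouping instead, and a real collector feeds in the full inventory IOC Finder gathers rather than three dicts. Note that the `negate` item treats a missing FilePath as "not in System32", so objects with incomplete data can hit; whether that is wanted depends on the IOC.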

Monday, December 2, 2013

Malware Forensics Tools

Windows Prefetch Files:

WinPrefetchView :

WinPrefetchView is a small utility that reads the Prefetch files stored in your system and displays the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.

WinPrefetchView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - WinPrefetchView.exe

The main window of WinPrefetchView contains 2 panes: the upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.

There is also a special Prefetch file, with '' filename, which shows you the list of files that are loaded during the Windows boot process.

WinPrefetchView also allows you to delete the selected Prefetch files. However, be aware that even when you delete a Prefetch file, it'll be created again by the operating system when you run the same program again.

Download Link :

Windows Registry Hives:

RegRipper :

RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of its activity in the same directory as the output file, using the same file name but with the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed at a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of its activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.

Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts now have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

Download Link :


auto_rip :

auto_rip is a wrapper script for RegRipper. The script automates the execution of the RegRipper plug-ins according to the categories below:

all              gets information from all categories
os               gets General Operating System Information
users            gets User Account Information
software         gets Installed Software Information
network          gets Networking Configuration Information
storage          gets Storage Information
execution        gets Program Execution Information
autoruns         gets Autostart Locations Information
log              gets Logging Information
web              gets Web Browsing Information
user_config      gets User Account Configuration Information
user_act         gets User Account General Activity
user_network     gets User Account Network Activity
user_file        gets User Account File/Folder Access Activity
user_virtual     gets User Account Virtualization Access Activity
comm             gets Communication Software Information
SHA1 Checksum: 
Download Link : 

NTFS Artifacts


This tool is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple formats.
Documentation : 

Download Link :

Windows Journal Parser (jp) :

jp is a command line tool that targets NTFS change log journals. The change journal is a component of NTFS that will, when enabled, record changes made to files. The change journal is located in the $UsnJrnl MFT entry, and the journal entries are located in the alternate data stream $J. Each entry is of variable size and its internal structure is documented in the MSDN.

The change journal will record, amongst other things: (a) time of the change, (b) affected file/directory, (c) change type - delete, rename, size extend, etc., and therefore makes it a useful tool when looking at a computer forensically.


Download Links :
  • 32-bit Version
  • 64-bit Version
  • Mac OS X: jp.v.1.07.osx.tar.gz
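To make the entry layout concrete, here is an added Python example (not jp's code) that parses USN_RECORD_V2 entries of the kind stored in the $J stream: it steps over the zero fill of the sparse stream, decodes the FILETIME timestamp, splits the MFT file reference into entry and sequence number, and names the reason flags. The byte stream it parses is constructed inside the script with a small packer; the field order follows Microsoft's USN_RECORD_V2 documentation and the reason values are the USN_REASON_* constants from winioctl.h.

```python
"""Parse USN_RECORD_V2 entries as stored in the $UsnJrnl:$J stream.  Added
illustration, not jp's code; the field layout follows the USN_RECORD_V2 structure
documented by Microsoft, and the sample stream below is constructed."""
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags from winioctl.h (subset).
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# 60-byte fixed part of USN_RECORD_V2 preceding the UTF-16LE name: RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn,
# TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQQQIIIIHH")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - EPOCH            # integer arithmetic keeps the tick count exact
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def decode_reason(flags):
    names = [n for bit, n in sorted(REASONS.items()) if flags & bit]
    return "|".join(names) or hex(flags)


def parse_records(data):
    """Return one dict per record, skipping the zero runs that pad the sparse $J stream."""
    records, off = [], 0
    while off + HEADER.size <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:                     # zero fill: step to the next 8-byte boundary
            off += 8
            continue
        if rec_len < HEADER.size or off + rec_len > len(data):
            raise ValueError(f"corrupt record length {rec_len} at offset {off}")
        (_, major, minor, file_ref, parent_ref, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = HEADER.unpack_from(data, off)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor} at {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "name": name,
            "mft_entry": file_ref & 0xFFFFFFFFFFFF,   # low 48 bits: MFT entry number
            "mft_seq": file_ref >> 48,                # high 16 bits: sequence number
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
            "reason": decode_reason(reason),
            "attributes": attrs,
        })
        off += (rec_len + 7) & ~7                     # records are 8-byte aligned
    return records


def build_record(usn, name, reason, when, file_ref=0x0001000000000042,
                 parent_ref=0x0001000000000005):
    """Pack a constructed USN_RECORD_V2; used here only to fabricate sample input."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (HEADER.size + len(name_bytes) + 7) & ~7
    hdr = HEADER.pack(rec_len, 2, 0, file_ref, parent_ref, usn,
                      datetime_to_filetime(when), reason, 0, 0, 0x20,
                      len(name_bytes), HEADER.size)
    return (hdr + name_bytes).ljust(rec_len, b"\x00")


T0 = datetime(2013, 12, 2, 9, 30, 0, tzinfo=timezone.utc)
# Constructed $J fragment: leading zero fill, then a create/rename/delete sequence.
# The Usn of each record is its byte offset in the journal, hence the 0x58 steps.
SAMPLE_J = (b"\x00" * 16
            + build_record(0x1000, "dropper.tmp", 0x100 | 0x80000000, T0)
            + build_record(0x1058, "dropper.tmp", 0x1000, T0 + timedelta(seconds=2))
            + build_record(0x10B0, "svchost.exe", 0x2000 | 0x80000000, T0 + timedelta(seconds=2))
            + build_record(0x1108, "svchost.exe", 0x200 | 0x80000000, T0 + timedelta(minutes=5)))


if __name__ == "__main__":
    for r in parse_records(SAMPLE_J):
        print(f"{r['timestamp']:%Y-%m-%d %H:%M:%S} usn={r['usn']:#x} "
              f"entry={r['mft_entry']} {r['reason']:<24} {r['name']}")
```

Run as-is, the output reads as a timeline: a file created, renamed to svchost.exe and deleted a few minutes later, which is the kind of sequence items (a) to (c) above let an examiner reconstruct. On a real $J carved from an image, records older than the journal's retention are gone, and a record for a deleted file gives only the name and the parent MFT entry, so the parent reference has to be resolved against the MFT to recover the full path.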

Saturday, October 5, 2013

Anti-Malware Tool

Malwarebytes Anti-Exploit :

Malwarebytes Anti-Exploit BETA protects you from zero-day exploits targeting browser and application vulnerabilities. Its proprietary technology protects you in that critical period between the release of a new exploit and its subsequent security patch. And, unlike antivirus products, Malwarebytes Anti-Exploit BETA proactively prevents the exploit from installing its payload, before it can do damage.

Malwarebytes Anti-Exploit is a new application made by the makers of the freeware anti-virus, Malwarebytes.
  • Protects Internet Explorer, Firefox, Chrome, and Opera browsers
  • Protects browser components, including Java and Flash
  • Defends against drive-by download attacks
  • Shields vulnerable applications
  • Blocks unknown and known exploit kits
 Download Link :

Malwarebytes Anti-Malware :


One of the top free Anti-Malware programs on the market today is Malwarebytes. It is recommended by many professionals and our team.

How do I operate Malwarebytes?
  1. You will need to download Malwarebytes from the Download Link below.
  2. Once downloaded, double click the installer (Windows 7 & 8 users: run as admin)
  3. When the installer is finished, you will be able to run Malwarebytes (Windows 7 & 8: again run as admin)
  4. Go to the update tab and click “Check for Updates” (You can view where it’s located in the picture below)
  5. Once Malwarebytes is finished updating you are now ready to scan
  6. Click the “Scanner” tab and check “Perform quick scan”
  7. Hit the “Scan” button below.

Malwarebytes should start scanning. Once it’s finished, if anything is detected you are able to click the “Remove selected” button, which will remove all infections. Depending on your infection you may have to restart your computer; make sure you do so to complete the cleaning.

Your system should now be virus free!

Download Link :

OTL (OldTimer’s List-It) :

OTL by OldTimer is a flexible, multipurpose, diagnostic, and malware removal tool. It's useful for identifying changes made to a system by spyware, malware and other unwanted programs. It creates detailed reports of registry and file settings, and also includes advanced tools and scripting ability for manually removing malware.

OTL does not make any determination whether an entry is good or bad. For help diagnosing the logs generated, view the tutorial, or ask for free assistance.

Sometimes malware will block OTL.exe by name, or all executables. In that case try one of these alternatives.

Download Link :

AdwCleaner :

AdwCleaner is a program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer. By using AdwCleaner you can easily remove many of these types of programs for a better user experience on your computer and while browsing the web.

The types of programs that AdwCleaner targets are typically bundled with free programs that you download from the web. In many cases when you download and install a program, the install will state that these programs will be installed along with the program you downloaded. Unless you perform a Custom install, these unwanted programs will automatically be installed on your computer, leaving you with extra browser toolbars, adware, and other unwanted programs. AdwCleaner is designed to search for and remove these types of programs.

To see the latest changes to this program, you can visit its changelog at:

Download Link :

FortiCleanup :

FortiCleanup is a tool developed to identify and cleanse systems of malicious rootkit files and their associated malware.

Download Link :

Junkware :

Junkware is a powerful utility which will remove any piece of malware within Internet Explorer, Firefox or Google Chrome on your computer.

When it has finished, this utility will display a log with the malicious files and registry keys that were removed from your computer.

Download Link :

RogueKiller :

Malware will often add its malicious registry keys to your Windows installation; to remove them we will need to perform a scan with RogueKiller.

Download Link :

HitmanPro :

HitmanPro is a cloud-based on-demand scanner, which scans your computer with 5 antivirus engines for any type of malware.

Download Link :

RKill :

RKill is a program that will attempt to terminate all malicious processes that are running on your machine, so that we will be able to perform the next step without being interrupted by this malicious software.

Because this utility only stops the running processes and does not delete any files, you should not reboot your computer after running it, as any malware processes that are configured to start automatically will just be started again.

Download Link :

Kaspersky TDSSKiller :

As part of its self defense mechanism, some types of malware will install a rootkit on the infected computer, which will compromise the Windows loading process. In this first step, we will run a system scan with Kaspersky TDSSKiller to remove this rootkit.

Download Link :

SOPHOS Virus Removal Tool :


Using cutting edge technology found in our enterprise-grade software, this powerful tool detects all types of malicious software on your computer—including viruses, spyware, rootkits and Conficker—and returns it to a working state.

The tool has direct access to virus data from SophosLabs, our global network of threat researchers, ensuring that even the very latest viruses are detected and removed. And it works alongside your existing antivirus.

Download Link :

Eset Malware Removal Tools Link :

Symantec Malware Removal Tools Link :


RRN Technologies