This contains a list of Open Source / Free Blue Team Tools that I use daily, and have stored here for reference.

Malware Analysis

Malware Analysis is a broad scope. My aim is to extract IOCs to use for further threat hunting and detection through both static and dynamic analysis. The extracted IOCs should also be incorporated into any and all threat intelligence systems and distributed appropriately.

What I use

I use a suite of VMs for my analysis that mirrors the environments I work with. The main testing ground is a Windows 7 VM with no AV installed, alongside another Windows 7 VM with all the corporate security tools installed.

Alternatives to these machines include using FireEye’s “Flare VM”, which comes pre-installed with many useful tools that I have not listed here. I am still in the process of testing the VM, though it does allow for easier network forensics without the use of a second VM running iNetSim.

Additionally, I recommend tracking all investigations (incident response or otherwise) in a tool such as ‘TheHive Project’, which essentially acts as an analyst notebook.

Static Analysis

  • Notepad++:
    • Advanced text editor, used to view any JavaScript files.
  • IDA Pro Free:
    • x86 Disassembler.
  • OllyDbg:
    • x86 Disassembler.
  • WinDbg:
    • x86-based, x64-based, or ARM debugger.
  • ILSpy:
    • .NET decompiler.
  • CFF Explorer:
    • PE Editor.
  • PEview:
    • PE File Viewer.
  • PEiD:
    • Used to determine if a file is packed, and other basic info.
  • Resource Hacker:
    • Allows us to view the resources that an executable file calls.
  • power_dump.py:
    • https://github.com/chrisjd20/power_dump
  • olevba:
    • Part of the Python oletools suite. Can extract macros from documents and display auto-run settings.
    • Install from an elevated console:
      • pip install oletools (Linux)
      • py -2 -m pip install oletools (Windows)
  • CRITs:
    • Malware analysis and IOC storage platform. Handy for quick analysis of malware.
    • Can extract macros and JavaScript embedded in documents.
  • Malzilla:
    • Malware hunting tool.
  • Streams:
    • Sysinternals tool for viewing Alternate Data Streams attached to files.

Dynamic Analysis

  • https://app.any.run/
    • Website where you can upload your sample and detonate it in a virtual sandbox.
  • Hybrid-analysis.com
    • Website where you can upload your sample and detonate it in a virtual sandbox.
  • Wireshark:
    • Network Traffic Analysis Tool.
  • Fiddler:
    • Web debugging tool.
  • Process Explorer:
    • Shows a live process tree.
  • Process Monitor:
    • Shows real-time file system modifications and registry edits.
  • Regshot:
    • Can take a before and after snapshot of your registry.
  • Volatility:
    • Memory forensics.
  • HijackThis:
    • Browser Helper Object Tool.
  • iNetSim:
    • Internet Simulator.
  • VirusTotal:
    • Website that houses and analyzes malware samples across AV vendors.
  • NetworkMiner:
    • PCAP Parser and Analyzer.