Cheat Sheets

General Indicators

Category	Detail
Files	Unexpected `.php` `.asp` `.aspx` `.jsp` in web-accessible dirs · Short/randomised names (`x.php`, `a1b2.php`, `cmd.jsp`)
Timestamps	File modification times out of line with legitimate deployments
Obfuscation	Tiny files <10KB containing `eval`, `base64_decode`, `system`, `exec`, `passthru`
Logs	POST to non-upload files · Long encoded params · Unusual source IPs
Classic PHP	`<?php eval($_POST['x']); ?>`

Suspicious Log Signals

Query parameters to flag:

?cmd=?exec=?eval= ?pass=?shell=?c= ?run=?payload=

POST requests to static/media paths (e.g. /uploads/)
Long base64-encoded request bodies or query strings
Unexpected IPs accessing admin or auth paths
200 responses to newly appeared script files
w3wp.exe or httpd spawning cmd.exe / sh

Where Web Shells Hide — Quick Reference

Platform	Common Paths
Apache / Nginx	`/var/www/html/` · `/var/www/html/uploads/` · `/usr/share/nginx/html/`
IIS / Exchange	`C:\inetpub\wwwroot\` · `FrontEnd\HttpProxy\owa\auth\` · `FrontEnd\HttpProxy\ecp\auth\` · App Pool dirs
Tomcat	`webapps/ROOT/` · `webapps/[app]/`
WordPress	`wp-content/uploads/` · theme & plugin dirs

Server-Specific Notes

Tomcat / Java

Config

$CATALINA_HOME/conf/server.xml

Logs

$CATALINA_HOME/logs/
localhost_access_log.*.txt
catalina.out

Dirs

$CATALINA_HOME/webapps/ROOT/
$CATALINA_HOME/webapps/*/

WAR Deploy: Malicious .war dropped to webapps/ auto-deploys a shell. Monitor for unexpected .war/.jar additions.

Suspicious Extensions

.jsp.jspx.war.jar

Nginx

Log Paths

/var/log/nginx/access.log
/var/log/nginx/error.log

Suspicious Dirs

/usr/share/nginx/html/uploads/
/var/www/html/

Key check: .php execution in upload paths should never occur

Suspicious Extensions

.php.phtml

Apache

Logs — Linux

Debian/Ubuntu: /var/log/apache2/access.log
RHEL/CentOS: /var/log/httpd/access_log

Logs — Windows

C:\*\apache\logs\access.log
C:\Program Files\Apache Group\Apache2\logs\

Dirs

/var/www/html/
C:\*\cgi-bin\ · C:\*\apache\htdocs\

Suspicious Extensions

.php.phtml.phar.php5

IIS / Exchange

Config

C:\Windows\System32\inetsrv\config\applicationHost.config— App Pools ↔ dirs

Logs

C:\inetpub\logs\LogFiles\W3SVC* — sort by modified

Dirs

C:\inetpub\wwwroot\
FrontEnd\HttpProxy\owa\auth\
FrontEnd\HttpProxy\ecp\auth\

App Pool Perms: Shells inherit the service account of their App Pool — check applicationHost.config to scope lateral movement risk.

Suspicious Extensions

.asp.aspx.ashx.asa.config.cshtml

WordPress (PHP CMS)

Suspicious Dirs

wp-content/uploads/ — media only, no .php files should exist here
wp-content/themes/[theme]/
wp-content/plugins/[plugin]/
wp-includes/
wp-admin/

File & Log Indicators

.php files in uploads/ (should be media only)
Modified core: index.php, wp-config.php, functions.php
Small obfuscated PHP: <?php eval($_POST['x']); ?>
POST to media paths: /uploads/shell.php
Params: cmd=, exec=, pass=

Suspicious Extensions

.php.phtml.phar

Security.evtx

Path: C:\Windows\System32\winevt\Logs\Security.evtx

Event ID	Description
4624	Account successfully logged on — watch types 2, 3, 10, 11→
4625	Account failed to log on — watch error codes and logon type
4634	Account successfully logged off
4648	Logon attempt using explicit credentials — pass-the-hash indicator
4672	Special privileges assigned to new logon (admin logon)
4688	New process created — monitor parent-child chains
4697	Service installation detected
4698	Scheduled task creation
4699	Scheduled task deletion
4700	Scheduled task enabled
4701	Scheduled task disabled
4702	Scheduled task updated/modified
4720	User account was created
4722	User account was enabled
4724	A user reset another user's password
4732	Account added to a group
4733	Account removed from a group
4740	User account was locked out
4767	User account was unlocked
4768	Kerberos TGT requested
4769	Kerberos TGS requested
4771	Kerberos pre-auth failed — watch for 0x18, 0x10, 0x17
4776	DC attempted to validate credentials
4778	RDP session reconnected
4779	RDP session disconnected
1102	Audit log cleared — potential anti-forensic

Sysmon.evtx

Event ID	Description
1	Process creation — command-line, parent, hashes. Must-have.
3	Network connection — IP, port, process. Beaconing / C2.
7	Image loaded — DLLs, LOLBins. Lateral movement / abuse.
10	Process access — injection, token theft.
11	File created — sensitive paths. Payload delivery.
12	Registry object created/deleted — persistence, tampering.
13	Registry value set — auto-run keys, config mods.
22	DNS query — process + domain. Domain-based IOCs.
25	Process tampering — hollowing, manipulation. Evasive malware.

Logon Type Breakdown (4624 / 4625)

Type	Description
2	Interactive — user at keyboard
3	Network — SMB, RDP with NLA
4	Batch — Scheduled Task
5	Service — Service account logon
7	Unlock — user unlocked workstation
8	NetworkCleartext — credentials sent in cleartext
9	NewCredentials — RunAs /netonly
10	RemoteInteractive — Terminal Services / RDP
11	CachedInteractive — domain unreachable, cached creds

System.evtx

Path: C:\Windows\System32\winevt\Logs\System.evtx

Event ID	Description
6005	Event log service started — system boot
6006	Event log service stopped — clean shutdown
6008	Unexpected shutdown
7036	Service state change
7040	Service start type change
7045	New service installed

Application.evtx

Event ID	Description
1000	Application error — useful for malware crashes
1026	.NET Runtime error — malicious .NET payloads may trigger this

PowerShell Operational

Path: Microsoft-Windows-PowerShell%4Operational.evtx

Event ID	Description
4103	Module logging — internal commands and pipelines
4104	Script block logging — critical for threat hunting
4105	Script block rejected by policy

Windows Defender Operational

Event ID	Description
1116	Malware detected
1117	Malware action taken (removed/quarantined)
1118	Malware remediation failed
5001	Real-time protection disabled
5007	Configuration change — may indicate tampering

Chainsaw Usage

Basic Hunt

chainsaw hunt --directory ./evtx --rules ./sigma

Search by Event ID

# v2
chainsaw search log.evtx -t "Event.System.EventID: =4104"

Search by String

# v2
chainsaw search log.evtx -e "IEX"

Timestamp Filtering

chainsaw search ./ \
  --timestamp Event.System.TimeCreated_attributes.SystemTime \
  --from 2022-06-21T00:00:00 \
  --to 2025-06-29T00:00:00

4624 — Logons

# Count IPs for a user
chainsaw search log.evtx -e 4624 -i -s "JoeBloggs" \
  | grep -i "ipaddress" | sort | uniq -c | sort -nr

# Show logon time and type
chainsaw search log.evtx -e 4624 -i -s "username_or_ip" \
  | grep -iE "ipaddress|targetusername|logontype|systemtime"

4625 — Failed Logons

# Count per user (brute force)
chainsaw search log.evtx -e 4625 \
  | grep -i targetusername | sort | uniq -c | sort -nr

4104 — Script Blocks

# Show all script blocks
chainsaw search log.evtx -e 4104 | grep -i "scriptblocktext"

# Filter for IEX
chainsaw search log.evtx -e 4104 \
  | grep -i "IEX" | sort | uniq -c

Tools

Tool	Use
Chainsaw	Fast hunting with Sigma rules
EvtxECmd	Convert .evtx to CSV
EventLog Explorer	GUI log viewer
KAPE	Forensic triage
Hayabusa	Log parser and timeline generator

Key Hive Overview

Hive	Abbreviation	Description	File Location
HKEY_LOCAL_MACHINE	`HKLM`	System-wide settings	`%SystemRoot%\System32\Config`
HKEY_CURRENT_USER	`HKCU`	Current user settings	`C:\Users\[user]\NTUSER.DAT`
HKEY_USERS	`HKU`	All loaded user hives	Mirrors NTUSER.DAT

Static HKCU Analysis: For forensics, HKCU must be accessed via HKU using the user's SID. Look up SIDs at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Then replace HKCU\<Key> → HKU\<SID>\<Key>

Persistence & Autostart Locations

Purpose	Registry Path	Misuse
Startup Run key	`HKLM\Software\Microsoft\Windows\CurrentVersion\Run`	Startup persistence
RunOnce key	`HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`	One-time execution
Services	`HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>`	Malicious service creation
Scheduled Tasks	`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\`	Task abuse
Winlogon Shell	`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell`	Shell hijacking
IFEO	`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<App>\Debugger`	Binary hijacking / debugger abuse

User Activity

Purpose	Registry Path
Last logged-in user	`HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
Recent documents	`HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
Typed folder paths	`HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
Run dialog history	`HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
Mapped drives	`HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU`
RDP history	`HKU\<SID>\Software\Microsoft\Terminal Server Client\Default`

System Information

Description	Registry Path
RDP Enabled	`HKLM\System\CurrentControlSet\Control\Terminal Server\`
System Timezone	`HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
USB Device History	`HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR`
Mounted Drives	`HKLM\SYSTEM\MountedDevices`

Sysmon Registry Event IDs

Event ID	Description
12	Registry key object created or deleted
13	Registry value set
14	Registry object renamed

Threat Hunting Tips

Auto-start entries in suspicious paths (temp dirs, user profile dirs)
IFEO hijacks without legitimate debugging reason
Services with suspicious image paths or arguments
Encoded/obfuscated payloads in registry values
Unusual keys in Run, RunOnce, Shell

Tools

Tool	Use
RegRipper	Plugin-based hive parser (automated)
Registry Explorer	GUI-based visual inspection
RECmd	CLI registry exploration
YARP	Python-based hive parser
RegShot	Compare registry snapshots (before/after)

File & Directory Operations

pwd                     # Print current directory
ls                      # List directory contents
ls -la                  # Long listing incl. hidden files
cd /path/to/dir         # Change directory
cd ~                    # Home directory
cd -                    # Previous directory
mkdir newfolder         # Create folder
touch file.txt          # Create empty file
cp source dest          # Copy files/dirs
mv old new              # Move/rename
rm file.txt             # Delete file
rm -rf folder/          # Recursively delete (dangerous)

Search, Filters & Viewing

cat file.txt            # View file contents
less file.txt           # Scrollable viewer
head -n 10 file.txt     # First 10 lines
tail -n 10 file.txt     # Last 10 lines
grep "text" file.txt    # Search text in file
find . -name "*.log"    # Find all .log files

Sorting & Counting

sort file.txt | uniq
sort file.txt | uniq -c
sort file.txt | uniq -c | sort -nr
cat file.txt | grep -i "Search" | sort | uniq

Gatekeeper, SIP & Security

Note: These weaken system security — use with care.

# Remove quarantine attribute (safer)
xattr -d com.apple.quarantine /path/to/script

# Gatekeeper
sudo spctl --master-disable
sudo spctl --status
sudo spctl --master-enable

SIP: Must be done from Recovery Mode.

csrutil disable
csrutil enable

Hidden Files

# Show hidden files
defaults write com.apple.finder AppleShowAllFiles -bool true
killall Finder

# Hide hidden files
defaults write com.apple.finder AppleShowAllFiles -bool false
killall Finder

System Info & Processes

top                     # Real-time system monitor
ps aux                  # List all running processes
ps -ef | grep name      # Search process list
uptime
whoami
hostname
sw_vers                 # macOS version

Network

ifconfig                # Network interfaces
netstat -an             # Network connections
lsof -i :port           # Processes using a port
ping 8.8.8.8
curl http://example.com
dig domain.com

Permissions & Ownership

chmod +x script.sh      # Make executable
chmod 755 file          # rwxr-xr-x
chown user:group file   # Change owner
sudo -s                 # Root shell

Homebrew

brew install packagename
brew update && brew upgrade
brew list
brew uninstall packagename

Disk & Mounting

diskutil list
diskutil mount /dev/disk2s1
diskutil unmount /dev/disk2s1

App Management

open .                  # Open Finder at current path
open file.pdf           # Open with default app
open -a "App Name"
killall Safari
pkill -f processname

Suggested Tools

Tool	Purpose
Homebrew	Package manager
Little Snitch	Network monitor
KnockKnock	Persistency inspector
BlockBlock	Detects auto-run locations
osquery	Query OS like a database

File & Directory Operations

pwd                     # Get-Location — Print current directory
ls                      # Get-ChildItem — List contents
ls -Force               # Include hidden files
cd C:\Path\To\Dir       # Set-Location
cd ~                    # Go to home/profile dir
cd ..                   # Go up one directory
mkdir NewFolder         # New-Item -ItemType Directory
ni file.txt             # New-Item file.txt — Create empty file
cp source.txt dest.txt  # Copy-Item
mv old.txt new.txt      # Move-Item / rename
rm file.txt             # Remove-Item
rm -r -fo folder        # Remove-Item -Recurse -Force (dangerous)

Search, Filters & Viewing

cat file.txt               # Get-Content — view file
cat file.txt | select -f 10  # First 10 lines
cat file.txt | select -l 10  # Last 10 lines
sls "text" file.txt         # Select-String — search in file
ls -r -fi *.log             # Find .log files recursively

Sorting & Counting

cat filename.txt | sort -u
cat filename.txt | group | sort Count -desc
sls "Search" filename.txt | sort -u

File Hashing

Get-FileHash file.txt                # SHA256 (default)
Get-FileHash file.txt -a SHA1
(Get-FileHash file.txt).Hash         # Just the hash string

# Compare two files
if ((Get-FileHash file1.txt).Hash -eq (Get-FileHash file2.txt).Hash) {
    "Files are identical"
} else { "Files differ" }

App & Service Management

ii .                         # Open folder in Explorer
Start notepad.exe
kill -n notepad              # Stop-Process -Name
ps | ? {$_.MainWindowTitle -like "*text*"} | kill

System Info & Processes

systeminfo
ps                                         # Get-Process
ps | ? {$_.Name -like "*app*"}             # Filter by name
While(1) {ps | sort -des cpu | select -f 15 | ft -a; sleep 1; cls}
whoami
hostname
gcim Win32_OperatingSystem | select Version

Network

ipconfig
netstat -an
netstat -anb             # Add -b for process names
Get-NetTCPConnection
ping 8.8.8.8
iwr http://example.com   # Invoke-WebRequest
nslookup domain.com

Permissions & Ownership

icacls file.txt
icacls file.txt /grant User:F
takeown /f file.txt
Start-Process powershell -v runAs  # Run as Admin

Winget Package Manager

winget install name
winget upgrade
winget list
winget uninstall name

Scripting

Set-ExecutionPolicy Unrestricted
Unblock-File .\script.ps1
.\script.ps1

Disk & Volumes

Get-Volume
mountvol
Get-Disk

Suggested Tools

Tool	Purpose
PowerToys	Productivity & window manager
Windows Terminal	Modern tabbed terminal
Winget	Official package manager
Sysinternals Suite	Advanced diagnostics
Autoruns	Show auto-start programs
Process Explorer	Visual process manager

Common attack chain: sqlservr.exe → cmd.exe → powershell.exe
Watch for: PowerShell with -enc / -encodedcommand, download cradles (IEX, Invoke-WebRequest), unusual child processes from SQL Server.

Key Processes

sqlservr.exe — Main SQL Server engine
sqlagent.exe — SQL Agent (job execution)
sqlbrowser.exe — Instance enumeration
launchpad.exe — R/Python script execution

Key Registry Paths

HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL{XX}.{INSTANCE}\MSSQLServer\

Key File Paths

...\MSSQL\Log\ERRORLOG
...\MSSQL\Data\
...\MSSQL\Backup\

Database File Extensions

Ext	Description
.mdf	Primary data file
.ndf	Secondary data file
.ldf	Transaction log file
.bak	Backup file
.trn	Transaction log backup

Quick Reference

What to Look For

cmd.exe or powershell.exe spawned by sqlservr.exe
PowerShell with encoded commands (-enc, -encodedcommand)
Download cradles: IEX, Invoke-WebRequest, wget
Unusual child processes from SQL Server

Detection

# Find suspicious child processes of sqlservr.exe
Get-WmiObject Win32_Process | Where-Object {
  $_.ParentProcessId -eq (Get-Process sqlservr).Id
}

Default Ports

TCP 1433 — default instance
UDP 1434 — SQL Browser service
Dynamic ports — named instances

Instance Investigation

Identifying the Exploited Instance

# Process command line reveals instance name via -s flag
Get-WmiObject Win32_Process -Filter "name='sqlservr.exe'" |
  Select-Object CommandLine

Instance Name Mapping

HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL

Maps friendly name → internal version identifier
Example: PRODUCTION → MSSQL15.PRODUCTION
Use to translate between names and registry paths

Registry Key Locations

Base: HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL{XX}.{INSTANCE}\MSSQLServer\

Subkey	Description
Parameters	Startup parameters (`SQLArg0`, `SQLArg1`…)
SuperSocketNetLib	Network config, protocols, ports
ExtendedProcedures	Extended stored procedures — `xp_cmdshell`
CurrentVersion	Installed version (may be spoofed)
Audit	Audit settings
CPE	Customer feedback settings

Startup Parameters

Key: HKLM\...\MSSQLServer\Parameters — values: SQLArg0, SQLArg1, SQLArg2…

-d    # Master database file location (check for unusual paths)
-e    # Error log location (redirected logs = suspicious)
-l    # Master log file location
-T    # Trace flags (can be used as persistence mechanism)

Authentication Mode

Key: HKLM\...\MSSQLServer — value: LoginMode (DWORD)

Value	Mode	Risk
1	Windows Authentication only	More secure
2	Mixed Mode (Windows + SQL)	Allows SQL auth — often targeted

Network Configuration

Key: HKLM\...\MSSQLServer\SuperSocketNetLib\Tcp

Value	Description
`TcpPort`	Port number (default: 1433)
`Enabled`	Whether TCP/IP is enabled
`ListenOnAllIPs`	0 = specific IPs only, 1 = all IPs

# Pull current port config
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\
  *\MSSQLServer\SuperSocketNetLib\Tcp" -Name TcpPort

File System Locations

C:\Program Files\Microsoft SQL Server\MSSQL15.{INSTANCE}\
  ├─ MSSQL\
  │   ├─ Binn\       # Executables: sqlservr.exe, sqlcmd.exe
  │   ├─ Data\       # Database files: .mdf, .ldf, .ndf
  │   ├─ Log\        # ERRORLOG, SQLAGENT.OUT, *.sqlaudit
  │   ├─ Backup\     # Default backup location
  │   └─ Jobs\       # SQL Agent job scripts (rare)

Tip: If folders are missing, check startup params: -e = log path, -d = master DB path.

Log File Analysis

C:\Program Files\Microsoft SQL Server\MSSQL{XX}.{INSTANCE}\MSSQL\Log\

ERRORLOG Files

ERRORLOG        # Current — first lines show version
ERRORLOG.1      # Most recent archived
ERRORLOG.2-6    # Older archives

What to Look For in ERRORLOG

Failed login attempts — rapid bursts = brute force
New logins created — unauthorized account creation
Configuration changes — sp_configure calls
xp_cmdshell enable/disable events
Database attach/detach operations
Backup/restore — unusual locations or timing
Startup parameter changes — persistence mechanism
Service restarts — potential crash or forced restart

SQL Agent & Audit Logs

SQLAGENT.OUT    # Agent job history, suspicious tasks
*.sqlaudit      # Audit log (requires SQL Server Audit config)

Windows Event Log (SQL Audit)

Event ID	Description
33205	SQL Audit event (Application or Security log)
4625	Failed logon — filter by process: sqlservr.exe
4624	Successful logon — filter by process: sqlservr.exe
24001	Login succeeded (SQL Audit to Security log)

Investigation Checklist

Initial Triage

Identify all SQL Server instances on the system
Check authentication mode (Windows vs Mixed)
Review network configuration and exposed ports
Verify SQL Server version and patch level
Check for recent service restarts

Log Analysis

Review ERRORLOG for failed login attempts
Search for xp_cmdshell enable/disable events
Check for suspicious sp_configure changes
Review SQL Agent job history
Correlate with Windows Event Logs (4624, 4625, 33205)

Configuration Review

Check startup parameters for unusual paths
Review extended stored procedures configuration
Verify linked server configurations
Check for suspicious database attach operations
Inspect database names for SQL injection patterns
Check for malicious CLR assemblies

Network & Dependencies

Identify applications using this SQL Server
Review connection strings in application configs
Analyze network connections to/from SQL Server
Review service dependencies

Common Attack Indicators

xp_cmdshell — Registry Evidence

HKLM\...\MSSQL{XX}.{INSTANCE}\MSSQLServer\ExtendedProcedures

xp_cmdshell — ERRORLOG Patterns

Configuration option 'show advanced options' changed from 0 to 1
Configuration option 'xp_cmdshell' changed from 0 to 1

xp_cmdshell — Attack SQL

-- Enable
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Execute
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'powershell -enc <base64>';
-- Cover tracks
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;

Failed Login Patterns

Login failed for user 'sa'. Reason: Password did not match
Login failed for user 'admin'. Reason: Could not find login
Login succeeded for user 'NT AUTHORITY\SYSTEM'

Suspicious sp_configure Changes

sp_configure 'show advanced options'    # Precedes malicious config
sp_configure 'Ole Automation Procedures' # Code execution
sp_configure 'Agent XPs'                # SQL Agent extended procs
sp_configure 'clr enabled'              # CLR assembly execution

Version Verification

Format: XX.X.XXXX.X — check first lines of ERRORLOG (authoritative) and sqlservr.exe file version in \Binn\

Version	Product
16.0.x	SQL Server 2022
15.0.x	SQL Server 2019
14.0.x	SQL Server 2017
13.0.x	SQL Server 2016
12.0.x	SQL Server 2014
11.0.x	SQL Server 2012
10.50.x	SQL Server 2008 R2
10.0.x	SQL Server 2008

Identifying Services Using SQL Server

Network Connections

Get-NetTCPConnection | Where-Object {$_.LocalPort -eq 1433} | Format-Table

Service Dependencies

HKLM\SYSTEM\CurrentControlSet\Services\{ServiceName}\DependOnService — look for MSSQL${INSTANCE}

SCCM / MECM
SharePoint
Veeam Backup & Replication
WSUS
Microsoft Dynamics

Application Config Files

File	Application Type
web.config	ASP.NET applications
app.config	.NET applications
appsettings.json	.NET Core applications

Search for: Data Source=, Server=, Initial Catalog=

Linked Servers

HKLM\...\MSSQL{XX}.{INSTANCE}\Providers\ — OLE DB providers for linked servers. Can be abused for lateral movement.

Tools

Tool	Use
sqlcmd	Command-line query tool
PowerUpSQL	PowerShell toolkit for SQL Server auditing
Process Monitor	Monitor SQL Server process activity
Wireshark	Network traffic analysis

Immediate Questions to Ask

Is this a public IP or private/reserved?
Is the domain newly registered, sinkholed, or typosquatted?
Is the IP on threat feeds or blacklists?
Does it belong to a known cloud/VPN/proxy provider?
What are the historical DNS resolutions and WHOIS records?

Suggested Workflow

Step 1 — Initial Triage

URLs: URLScan.io — review screenshot, network tab, resource files and redirects
IPs: AbuseIPDB — check report history and abuse categories

Step 2 — Reputation Checks

Spur.us, IPVoid, GreyNoise, Hunting.abuse.ch
Known blacklists · Cloud hosting services · Scanning reports

Step 3 — WHOIS

Domain creation/expiry dates · Registrar details
Registrant email — useful for pivoting to other domains

Step 4 — Certificate & Passive DNS

Censys, crt.sh, SecurityTrails
SSL cert reuse across domains · Historical IP associations · Subdomain enum

Step 5 — VirusTotal

Detection engine results · Behavioural graph
Related malicious files or domains

Step 6 — Retrieve Payloads

Browserling or curl in a VM with VPN
Safely interact with and collect potential payloads

Behavioural Indicators

Type	Suspicious Traits
Domain	New registration, strange TLDs, WHOIS privacy, typosquatting, homoglyphs
IP	Blacklisted, TOR exit node, cloud host, reverse DNS mismatch
URL	Shortened, base64-encoded params, IP-based URLs, excessive redirects
DNS	Fast-flux, wildcard abuse, TXT query abuse, NXDOMAIN spikes

Tools

Tool	Use Case
AbuseIPDB	Check if IP is reported for malicious activity
VirusTotal	IP/domain reputation, passive DNS, related IOCs
URLScan.io	Scan web pages, extract scripts, HTML, redirect chains
Shodan	Open ports, services, banners on public IPs
Censys	Asset discovery, certificates, services, open ports
GreyNoise	Identify noisy scanners vs targeted threats
Browserling	Safe website browsing and JS/redirect testing
Spur.us	Identify proxies, VPNs, hosting info
SecurityTrails	Historical DNS, WHOIS, subdomains
Hunting.abuse.ch	IOC feeds — URLhaus, MalwareBazaar
IPVoid	Quick IP/domain blacklist check, ASN info
WHOIS	Ownership and registration information

Tip: When sharing IOCs with colleagues, defang URLs: hxxp://malicious[.]site to prevent accidental clicks.

IP Classes & Ranges

Class	Range	Type	CIDR	Notes
A	10.0.0.0 – 10.255.255.255	Private	10.0.0.0/8	Private use
A	127.0.0.0 – 127.255.255.255	Special	127.0.0.0/8	Loopback
B	172.16.0.0 – 172.31.255.255	Private	172.16.0.0/12	Private use
C	192.168.0.0 – 192.168.255.255	Private	192.168.0.0/16	Private use
D	224.0.0.0 – 239.255.255.255	Multicast	224.0.0.0/4	Not for general use
E	240.0.0.0 – 255.255.255.255	Reserved	240.0.0.0/4	Research / experimental

CLI Commands

# WHOIS lookup
whois example.com

# DNS records
dig example.com ANY +short
dig +trace example.com

# Alternative resolver
nslookup example.com 8.8.8.8

# IP geolocation / ASN
curl ipinfo.io/8.8.8.8
curl https://ipapi.co/8.8.8.8/json/

# Certificate history
curl "https://crt.sh/?q=%.example.com&output=json"

curl Payload Retrieval

Warning: Always perform payload retrieval in a VM with VPN enabled.

curl -I https://example.com          # View headers
curl -v -L https://short.url         # Follow redirects
curl -s https://example.com | html2text

# Custom headers (some C2s "authenticate" via headers)
curl https://example.com -A "CustomAgent"
curl https://example.com -H "Header: value"
curl https://example.com -b "cookie=value"
curl https://example.com --referer "https://source.com"

Rule Structure

title: Suspicious Process Spawned by SQL Server
id: a1b2c3d4-...           # Generate at uuidgenerator.net
status: experimental
description: Detects cmd/powershell spawned by sqlservr.exe
author: Darkrym
date: 2025/07/02
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\sqlservr.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
level: high
falsepositives:
  - Legitimate DBA tooling may trigger this

Examples

RDP with filter

detection:
  rdp_outbound:
    DestinationPort: 3389
    Initiated: true
  filter:
    Image: "known-good.exe"
  condition: rdp_outbound and not filter

Suspicious tooling in commandline

detection:
  selection:
    CommandLine|contains:
      - "mimikatz"
      - "procdump"
  condition: selection

Regex match on hostname

detection:
  selection:
    Hostname|re: '^[A-Za-z0-9]{16}$'
  condition: selection

Multi-arg order-independent

detection:
  selection:
    CommandLine|contains|all:
      - "-nop"
      - "-enc"
      - "powershell"
  condition: selection

Helpful Links

Name	Description
SIGMA-Resources	Curated examples, templates, and threat hunting tools
Rule Creation Guide	Official guide — standards and best practices
pySigma	Python framework for compiling and converting Sigma rules
Sigconverter.io	Online tool for converting rules to SIEM-specific queries

Metadata Fields

Field	Description
title	Rule name / alert title — keep short and alert-friendly
id	UUID — generate at uuidgenerator.net
status	`stable`, `test`, or `experimental`
description	Brief summary of what the rule detects
tags	Lowercase MITRE ATT&CK tags: `attack.execution`, `attack.t1003.002`, `cve.2021-34527`
logsource	product + service + category (e.g. windows → sysmon → process_creation)
level	`informational`, `low`, `medium`, `high`, `critical`
falsepositives	Describe possible benign triggers — don't skip this

Value Modifiers

Modifier	Function
`contains`	Match value anywhere in string
`startswith`	Match value at start
`endswith`	Match value at end
`all`	Match all values in list (instead of default OR)
`re`	Use regex
`base64` / `base64offset`	For encoded strings
`windash`	Match both `-` and `/` cmdline switches
`cidr`	Match IP ranges

Condition Logic

Syntax	Meaning
`and`, `or`	Logical operators
`not`	Negate condition
`1 of`, `all of`	Match one/all of multiple identifiers
`()`	Group logic for precedence
`near`	Search items near each other in logs

Best Practices & Pitfalls

Keep logic clear and modular — use descriptive identifier names
Use contains|all to match multiple args regardless of order
Match on behaviour, not just indicators
Use filter sections to reduce noise
Test rules with sample logs before deploying
Backslashes: Use plain C:\Path\File.exe where possible — \\ = single \
Tags: Don't use MITRE links — use attack.execution format
Title: Avoid long explanations — keep it short and alert-friendly
False Positives: Be specific — e.g. "Backup software may trigger this"

Workflow

Clone the SigmaHQ repo: https://github.com/SigmaHQ/sigma
Edit in VSCode — use existing rule as template, update title/description/status/logsource/detection
Test with sigmac or pySigma (Python 3) — compile to splunk, es-qs, kibana, logpoint
Validate with a known-bad + known-good dataset before deploying

The Basics

.       # Any character except newline
*       # 0 or more of the previous
+       # 1 or more of the previous
?       # 0 or 1 of the previous
|       # OR operator
()      # Group expressions
[]      # Character class
[^]     # Negated character class
{n,m}   # Repeat n to m times
\d      # Digit (0-9)
\w      # Word character (a-zA-Z0-9_)
\s      # Whitespace
\.      # Escape literal dot

Common IOC Patterns

https?:\/\/[\w.-]+(?:\/[\w\/._%-]*)?     # URL
[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+  # Email
\b(?:\d{1,3}\.){3}\d{1,3}\b              # IPv4
([a-fA-F0-9]{1,4}:){7}[a-fA-F0-9]{1,4}  # IPv6
[A-Z]:\\(?:[\w\s.-]+\\)*[\w\s.-]+        # Windows path
\/(?:[\w.-]+\/)*[\w.-]+                  # Unix path
(?:[A-Za-z0-9+/]{4}){2,}(?:==|=)?       # Base64

Assertions (Lookaround)

(?=...)     # Lookahead assertion
(?!...)     # Negative lookahead
(?<=...)    # Lookbehind assertion
(?<!...)    # Negative lookbehind
(?#...)     # Comment

Groups & Ranges

(a|b)       # a or b
(...)       # Capturing group
(?:...)     # Non-capturing group
[abc]       # a or b or c
[^abc]      # Not a, b or c
[a-q]       # Lowercase a to q
\1, \2      # Backreference to group 1, 2

Anchors

^       # Start of string / line (multi-line)
$       # End of string / line (multi-line)
\A      # Start of string
\Z      # End of string
\b      # Word boundary
\B      # Not word boundary

Character Classes

\s / \S   # Whitespace / Not whitespace
\d / \D   # Digit / Not digit
\w / \W   # Word char / Not word char
\x        # Hexadecimal digit

Quantifiers

*         # 0 or more
+         # 1 or more
?         # 0 or 1
{3}       # Exactly 3
{3,}      # 3 or more
{3,5}     # 3, 4 or 5
*? +? ??  # Ungreedy (lazy) variants

Pattern Modifiers (Flags)

g    # Global match
i    # Case-insensitive
m    # Multi-line mode
s    # Dot matches newline
x    # Allow comments and whitespace
U    # Make quantifiers ungreedy by default

String Replacement

$1 / \1    # First captured group
$2 / \2    # Second captured group
$&         # Entire matched string
$`         # Text before the match
$'         # Text after the match

Special Characters

\n    # New line
\r    # Carriage return
\t    # Tab
\xhh  # Hex character hh

Tools

Tool	Use
Regex101	Online regex tester with detailed explanation
Regexper	Regex visualiser — railroad diagrams
CyberChef	Decode, deobfuscate, extract strings
YARA	Combine regex with memory/file scanning
Sigma	Detection rules with regex support

Tips: Double-escape backslashes (\\) when pasting into JSON/Sigma rules. Use SIEM-specific syntax for anchors. Be cautious with overly greedy expressions in detection logic.

Basic Syntax

# Heading 1
## Heading 2
### Heading 3

**bold text**
*italicized text*
~~strikethrough~~

> blockquote

`inline code`

---  (horizontal rule)

[Link Text](https://url.com)
![Alt Text](image.png)

Lists

# Ordered
1. First item
2. Second item

# Unordered
- First item
- Second item

# Task list
- [x] Completed
- [ ] Incomplete

Extended Syntax

# Table
| Header | Description |
|--------|-------------|
| Row 1  | Value       |

# Fenced code block
```json
{ "key": "value" }
```

# Footnote
Text with footnote[^1]
[^1]: Footnote text here.

# Heading with custom ID
## My Heading {#custom-id}

# Highlight (renderer-dependent)
==important text==

# Subscript / Superscript
H~2~O    X^2^

Tools

Tool	Purpose
Obsidian	Note-taking with powerful Markdown linking
VS Code + Markdown Preview Enhanced	Editor with advanced rendering
Grip	GitHub Readme instant preview
Pandoc	Convert Markdown to/from PDF, DOCX, HTML, LaTeX
MarkdownLint	Linter for style and formatting rules
mdBook	Create books/docs from Markdown files
Docsify	Generate docs websites from Markdown

Attribution: Partly developed from Lenny Zeltser work · Creative Commons v3 "Attribution"

Analysis Process

Overview

Use automated sandbox tools for initial assessment
Set up a controlled, isolated laboratory
Examine static properties and metadata for triage
Emulate code execution to identify capabilities
Perform behavioural analysis — interactions with environment
Statically analyze code with disassembler / decompiler
Dynamic code analysis for difficult aspects
Unpack the specimen if needed
Repeat steps 4–8 until objectives are met
Augment with memory forensics and threat intel
Document findings, save artifacts, clean up lab

Quick Triage Checks

Check	Detail
File Hashes	MD5, SHA1, SHA256 — VirusTotal · MalwareBazaar · Hybrid Analysis
PE Metadata	Compile time, imports, exports, sections, resources, digital signatures
Entropy	High entropy (>7.0) often indicates packing / encryption
Strings	IPs, URLs, registry keys, file paths, crypto artifacts
YARA Rules	Run against known malware family signatures
PEiD / DIE	Identify packers, compilers, protectors

Static & Behavioural Analysis

Static Analysis

Extract strings: strings, FLOSS, pestr
Analyze PE headers: pefile, pestudio, CFF Explorer
Check imports/exports: dumpbin /imports, objdump -x
Calculate hashes: md5sum, sha256sum, ssdeep (fuzzy)
Examine resources: Resource Hacker, 7-zip
Check digital signatures: sigcheck, osslsigncode
Disassemble: IDA Pro · Ghidra · Binary Ninja · Radare2
Decompile: Ghidra · IDA Hex-Rays · RetDec
Identify capabilities: capa (MITRE ATT&CK mapping)
Detect packer/compiler: Detect-It-Easy · PEiD · Exeinfo PE

Behavioural Analysis

Category	Tools
Snapshots	`Clonezilla` · `PXE` · `FOG` · `dd`
Debugging	x64dbg · WinDbg · `OllyDbg` · IDA Pro
Local monitoring	Process Hacker · Process Monitor · ProcDOT · Noriben
System changes	RegShot · Autoruns
Network traffic	Wireshark · Fiddler
Traffic redirect	`fakedns` · `accept-all-ips`
Simulate services	INetSim

Unpacking & Anti-Analysis Bypass

Unpacking Malicious Code

Detect packing: Detect-It-Easy · Exeinfo PE · Bytehist · peframe
Quick unpack: infect VM and dump memory with Scylla
Find OEP (Original Entry Point) via debugger, use OllyDumpEx
Set breakpoints on: LoadLibrary, VirtualAlloc, etc.
Use memory breakpoints at stack entry
Rebuild dumped file with Scylla, pe_unmapper
If dumping fails, use dynamic analysis live

Bypassing Analysis Defences

Decode obfuscated strings — static: FLOSS · xorsearch · Balbuzard
Decode at runtime: set breakpoints and inspect memory
Hide analysis tools: ScyllaHide plugin for x64dbg
Patch out anti-analysis code manually
Watch for tricky control flows: TLS · SEH · RET · CALL
Use scdbg and runsc for shellcode
Disable ASLR: setdllcharacteristics · CFF Explorer

Tools — Windows Executables

Static Analysis Tools

pe manalyze · peframe · pefile · exiftool · clamscan · portex · bearcommander
strings pestr · bbcrack · base64dump · xorsearch · floss · cyberchef
emulation binee · capa · vivbin
disasm ghidra · cutter · objdump · r2
unpack bytehist · de4dot · upx

Linux Binaries, Network & Intel

linux static trid · exiftool · pyew · readelf.py
linux runtime edb · gdb · strace · ltrace · frida · sysdig · unhide
network mon burpsuite · networkminer · polarproxy · mitmproxy · wireshark · tshark
network svc inetsim · fakenet · fakedns · fakemail · accept-all-ips
intel/hashes malwoverview · nsrllookup · vt · shodan
memory vol3 · aeskeyfind · rsakeyfind · bulk_extractor

Tools — Other Malicious Code Formats

Format	Tools
Android	apktool · droidlysis · androguard · baksmali · dex2jar
Java	cfr · procyon · jad · jd-gui · idx_parser.py
Python	pyinstxtractor · pycdc
JavaScript	SpiderMonkey · `js-file` · box-js
Shellcode	shellcode2exe · scdbg · `xorsearch`
PowerShell	pwsh · `base64dump`
Flash	swfdump · flare · flasm · `swf_mastah.py` · xxxswf

Analysis VMs & Docker

Useful VMs for Malware Analysis

VM	Notes
REMnux	Linux distro for RE malware · docs.remnux.org · login: `remnux/malware`
FLARE VM	Windows malware analysis distro by Mandiant — PE tools, debuggers, disassemblers
Commando VM	Mandiant offensive VM for penetration testing and red teaming
Tsurugi Linux	DFIR-focused Linux distribution with malware analysis tools
Cuckoo Sandbox	Automated analysis — Windows, macOS, Linux, and Android

Docker Containers (REMnux)

remnux/thug remnux/jsdetox remnux/retdec remnux/viper remnux/radare2

docker images                          # List images
docker pull <image>                    # Update image
docker rmi <image_id>                  # Remove image
docker system prune                    # Clean up
docker run --rm -it image bash         # Run container shell
docker run -p 80:80 image bash         # Map port
docker run -v .:/data image bash       # Mount directory

Author: Lenny Zeltser · License: Creative Commons v3 "Attribution"

Document Analysis Process

General Approach

Examine document for anomalies — risky tags, scripts, embedded artifacts
Locate embedded code — shellcode, macros, JavaScript, suspicious objects
Extract suspicious code or objects from the file
If relevant, deobfuscate and examine macros, JavaScript, or other embedded code
If relevant, emulate, disassemble and/or debug extracted shellcode
Understand the next steps in the infection chain

Microsoft Office Format Notes

Format	Notes
.doc .xls	OLE2 binary — can store older macro versions in SRP streams
.docx .xlsm	OOXML — ZIP-compressed; VBA inside OLE2 binary within ZIP
XLM Macros	Excel formulas, even without binary OLE2 stream
RTF	No macros, but supports embedded malicious objects

Analysis Commands

MS Office File Analysis

zipdump.py file.pptx                  # Examine OOXML contents
zipdump.py file.pptx -s 3 -d          # Extract file index 3
olevba file.xlsm                      # Extract macros
oledump.py file.xls -i                # List OLE2 streams
oledump.py file.xls -s 3 -v           # Extract VBA code
xmldump.py pretty                     # Format XML for analysis
oledump.py file.xls -p plugin_http_heuristics   # Find obfuscated URLs
vmonkey file.doc                      # Emulate macro execution
evilclippy -uu file.ppt               # Remove macro password
msoffcrypto-tool infile.docm outfile.docm -p    # Decrypt file
pcodedmp file.doc                     # Disassemble stomped VBA
pcode2code file.doc                   # Decompile stomped VBA

PDF Analysis

pdfid.py file.pdf -n                  # Show risky keywords
pdf-parser.py file.pdf -a             # Show stats
pdf-parser.py file.pdf -o ID          # Display object ID
pdf-parser.py file.pdf -r ID          # Objects referencing ID
qpdf --password=pass --decrypt infile.pdf outfile.pdf

Risky PDF Keywords
/OpenAction /AA — Auto-run scripts
/JavaScript /JS /AcroForm /XFA — Embedded scripts
/URI /SubmitForm /GoToR — URL redirection
/ObjStm /XObject — Hidden objects / images
Watch for hex obfuscation: /J#61vaScript

Shellcode & Other Commands

xorsearch -W -d 3 file.bin           # Locate shellcode
scdbgc /f file.bin                   # Emulate shellcode
runsc32 -f file.bin -n               # Execute shellcode
base64dump.py file.txt               # Detect base64 strings
numbers-to-string.py file            # Convert encoded numbers

Document Analysis Tools

Office Documents

olevba — Extract and analyse VBA macros
oledump.py — Inspect OLE2 streams
vmonkey — Emulate VBA macro execution
pcodedmp — Disassemble stomped VBA p-code
xlmdeobfuscator — XLM macro deobfuscation
msoffice-crypt — Decrypt encrypted Office files
ssview — Structured storage viewer

RTF, Email & PDF

rtfobj — Extract objects from RTF files
rtfdump — Dump and analyse RTF structure
emldump — Analyse .eml email files
msgconvert — Convert .msg to .eml
pdfid / pdf-parser / pdfdecrypt — Didier Stevens PDF toolkit
peepdf — Interactive PDF analyser
qpdf — Decrypt / transform PDFs
pdftk · pdfresurrect · pdfobjflow

Additional Tools

JS deobfuscation SpiderMonkey · cscript · box-js
macro debugging Built-in Office debugger in isolation
macro monitoring AMSIScriptContentRetrieval.ps1
general base64dump · tesseract · exiftool
distributions REMnux includes many free tools

Attribution: Partly developed from Lenny Zeltser work · Creative Commons v3 "Attribution"

Code Analysis Process

Examine static properties of the executable
Identify strings and API calls for suspicious indicators
Use behavioural analysis — manual and automated
Emulate to find characteristics
Static disassembly and decompilation
Dynamic debugging of API usage
Unpack code if needed
Annotate functions, rename variables
Expand analysis based on known code
Repeat steps 5–9 until objectives are met

Analysis Tips

Use dynamic analysis when static stalls
Map control flow via jumps and calls first
Work from known to unknown — prefer simplicity
Research native API names: Nt*, Zw*, Rtl*
Look for anti-debugging checks early in execution
Identify crypto constants (MD5, SHA, AES key schedules)
Track cross-references (xrefs) to understand function usage
Rename functions and variables as you understand them
Use scripting (IDAPython, r2pipe) for repetitive tasks

Registers & Assembly

Common 32-Bit Registers

Register	Purpose
`EAX`	General purpose — math, return values
`ECX`	Loop counter
`EBP`	Stack frame base
`ESP`	Stack top pointer
`EIP`	Instruction pointer
`EFLAGS`	Flags from arithmetic logic
`FS`	Thread environment block — `FS:[0]`

64-Bit Registers & Calling Conventions

32-bit → 64-bit: EAX → RAX, ECX → RCX, etc. · Registers R8–R15 added
64-bit args RCX, RDX, R8, R9
32-bit args [EBP+8], [EBP+0xC]...
stdcall Args right-to-left · callee cleans stack
cdecl Args right-to-left · caller cleans stack
fastcall First 2 args in ECX/EDX · rest on stack
Stack layout: ESP → top · EBP → base · locals at [EBP-X] · args at [EBP+X]

Conditional Jumps

Mnemonic	Meaning
`JA / JG`	Jump if above / greater
`JB / JL`	Jump if below / less
`JE / JZ`	Jump if equal (zero)
`JNE / JNZ`	Jump if not equal (not zero)
`JGE / JNL`	Jump if greater or equal

x86 Assembly Reference

Common Instructions

mov EAX, 0xB8       ; Load value into register
push EAX            ; Push onto stack
pop EAX             ; Pop from stack
lea EAX, [EBP-4]    ; Load effective address
call EAX            ; Call function by address
ret                 ; Return from function
add ESP, 8          ; Adjust stack (cleanup)
sub ESP, 0x20       ; Allocate stack space
xor EAX, EAX        ; Zero a register
test EAX, EAX       ; Check if zero
cmp EAX, 0xB8       ; Compare values
jmp 0x401000        ; Unconditional jump
nop                 ; No operation (0x90)
int 3               ; Breakpoint (0xCC)

Common Stack & Assembly Patterns

prologue push ebp; mov ebp, esp; sub esp, X
epilogue mov esp, ebp; pop ebp; ret
string refs push offset aStr; call printf — look for offsets to data section
API call call dword ptr [iat_entry] — indirect via IAT
obfuscated call push eax; ret — return-based obfuscation
XOR decode xor byte ptr [esi], 0x42; inc esi; loop
stack strings Built on stack to avoid static detection
API hashing call hash_fn; cmp eax, 0xDEADBEEF

Important Data Structures

PEB / TEB

Structure	Location	Contains
PEB	`FS:[0x30]` (32) · `GS:[0x60]` (64)	Process info, loaded modules, command line
TEB	`FS:[0]` (32) · `GS:[0]` (64)	Thread data, exception handlers, stack info

PE Header Structures

DOS header → NT headers → section headers
IAT (Import Address Table) — populated at runtime with function addresses
EAT (Export Address Table) — exported function names and addresses
Resources section — icons, strings, embedded payloads
TLS callbacks — execute before main(), used for anti-debug

Risky Windows API Calls

Injection & Memory

CreateRemoteThread
NtCreateThreadEx
WriteProcessMemory
ReadProcessMemory
VirtualAlloc / VirtualProtect
NtAllocateVirtualMemory

Execution & Loading

LoadLibrary / LdrLoadDll
GetProcAddress
CreateProcess / WinExec
ShellExecute / system
InternetOpen / WinHttpOpen
URLDownloadToFile
HttpSendRequest

Theft, Persistence & Anti-Analysis

GetClipboardData / GetWindowText
GetAsyncKeyState / GetForegroundWindow
SetWindowsHookEx
RegSetValue / CreateService
CreateFile / WriteFile / DeleteFile / MoveFile
IsDebuggerPresent
CheckRemoteDebuggerPresent
OutputDebugString

Disassemblers, Decompilers & Debuggers

Core Tools

Ghidra — Free NSA tool, powerful decompiler, multi-arch
IDA Pro — Industry standard, Hex-Rays decompiler (commercial)
Binary Ninja — Modern disassembler with BNIL and scripting
Radare2 — Open-source RE framework with r2pipe scripting
x64dbg — Modern open-source Windows debugger (32/64-bit)
WinDbg — Microsoft's powerful Windows debugger
OllyDbg — Classic 32-bit Windows debugger

Additional Analysis Tools

Malcat — Hex editor + malware analysis platform
PEStudio — Malware initial assessment for PE files
CFF Explorer — PE editor with many features
PE-bear — Portable executable viewer and analyser
Detect-It-Easy — Packer / compiler / obfuscator detector
CAPA — Identify capabilities (MITRE ATT&CK mapping)
Dependencies — Modern Dependency Walker replacement
API Monitor — Monitor and control API calls
FLOSS — Obfuscated string solver
binwalk — Firmware analysis and extraction
Scylla — Import reconstruction and dump fixing
OllyDumpEx — Process dumping plugin for OllyDbg
de4dot — .NET deobfuscator and unpacker
dnSpy — .NET debugger and assembly editor

Essential IDA Pro Plugins & MCP Servers

Essential IDA Pro Plugins

Plugin	Purpose
HexRaysCodeXplorer	Automatic type reconstruction for C++ objects and vtables
LazyIDA	Productivity shortcuts and quality-of-life improvements
ret-sync	Sync IDA / Ghidra with debuggers (WinDbg, GDB, x64dbg, OllyDbg)
Lighthouse	Code coverage explorer and visualisation
FLARE IDA	Shellcode hashes, string decoding, StackStrings by Mandiant
findcrypt-yara	Find crypto constants using YARA rules
Diaphora	Advanced binary diffing, vulnerability research, patch analysis
BinDiff	Google/Zynamics binary comparison tool
BinSync	Real-time collaboration via Git, sync across decompilers
Gepetto	GPT integration for explaining functions and renaming variables
D810	Deobfuscation plugin for complex control flow
keypatch	Multi-architecture assembler keystone plugin
IDA Plugins Interactive List	Searchable database of 500+ plugins

MCP Servers for Malware Analysis

Note: MCP (Model Context Protocol) servers enable AI assistants to access specialised tools and data sources during analysis.

Server	Notes
IDA Pro MCP (mrexodia)	AI-powered IDA Pro assistant by x64dbg creator — simple @jsonrpc decorator system
IDA Pro MCP (fdrechsler)	HTTP server plugin for IDA Pro with remote control capabilities
IDA MCP Server (MxIris)	Alternative IDA Pro MCP implementation
x64dbg MCP (Wasdubya)	40+ SDK tools for x64dbg / x32dbg debugging automation
x64dbg MCP Server (AgentSmithers)	C# HTTP MCP server plugin for x64dbg
Ghidra MCP	Ghidra integration via MCP

Online Sandboxes & Learning

Online Sandboxes & Analysis Services

Service	Purpose
VirusTotal	Multi-engine scanner and URL checker
Hybrid Analysis	Free automated malware analysis service
ANY.RUN	Interactive online malware analysis sandbox
Joe Sandbox	Deep malware analysis sandbox
Intezer Analyze	Genetic malware analysis
MalwareBazaar	Malware sample sharing platform
URLhaus	Malware URL sharing platform
ThreatFox	IOC sharing platform

Learning Resources

Malware Unicorn RE101/RE102 — Excellent RE workshops
Practical Malware Analysis — Classic malware analysis textbook
OpenSecurityTraining2 — Free security training including RE courses
Reverse Engineering for Beginners — Free book by Dennis Yurichev
FLARE-On Challenge — Annual RE CTF by Mandiant
Malware Analysis Bootcamp — Comprehensive video course
OALabs YouTube — Malware analysis tutorials and research
Exploit-DB — Exploit database and vulnerable software repo

↑