Anthropic-Cybersecurity-Skills/skills/performing-malware-ioc-extraction/references/workflows.md
# Malware IOC Extraction Workflows
## Workflow 1: Static Analysis Pipeline
```
[Malware Sample] --> [Hash Generation] --> [PE Parsing] --> [String Extraction] --> [IOC Filtering]
                                                                                           |
                                                                                           v
                                                                                    [YARA Scanning]
                                                                                           |
                                                                                           v
                                                                                     [STIX Bundle]
```
### Steps:
1. **Sample Acquisition**: Obtain sample from MalwareBazaar, VirusTotal, or incident response
2. **Hash Calculation**: Generate MD5, SHA-1, SHA-256, imphash, ssdeep hashes
3. **PE Analysis**: Parse headers, sections, imports, exports, resources, timestamps
4. **String Extraction**: Extract ASCII/Unicode strings, apply IOC regex patterns
5. **IOC Filtering**: Remove false positives (private IPs, common DLLs, benign domains)
6. **YARA Classification**: Scan with community and custom YARA rules
7. **Output**: Generate STIX 2.1 bundle with extracted indicators
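The static pipeline above (steps 2, 4, 5 and 7), as an added Python example that is not part of the skill's own code: it hashes a sample, pulls printable strings, classifies them with IOC regexes, drops the false positives named in step 5, and emits a STIX 2.1 bundle. The sample bytes, the regexes, the allowlists and the 198.51.100.23 address (an RFC 5737 documentation range) are all constructed for the illustration; PE parsing and YARA scanning are outside this block.

```python
import hashlib, ipaddress, re, uuid
from datetime import datetime, timezone
# Constructed stand-in for a sample: MZ header plus the kinds of strings a real binary carries.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"kernel32.dll\x00http://198.51.100.23/update.php\x00"
          b"10.0.0.5\x00bad-c2.example\x00microsoft.com\x00GET /a.txt\x00")
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")               # printable ASCII runs, min length 6
PATTERNS = (("url", re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/\S*)?")),
            ("ipv4-addr", re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")),
            ("domain-name", re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)))
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                                  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
BENIGN_DOMAINS = {"microsoft.com", "windows.com"}          # allowlist, extend per environment
COMMON_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}  # import names that look like domains

def classify(s):
    """Map one string to a (STIX object type, value) pair, or None if it is not IOC-shaped."""
    for kind, rx in PATTERNS:
        if rx.fullmatch(s):                   # whole-string match, so 'GET /a.txt' stays out
            return (kind, s.lower() if kind == "domain-name" else s)
    return None

def is_false_positive(kind, value):
    if kind == "ipv4-addr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:                    # the loose regex also matches e.g. 999.1.1.1
            return True
        return any(ip in net for net in NON_ROUTABLE)
    if kind == "domain-name":
        return value in BENIGN_DOMAINS or value in COMMON_DLLS or value.endswith(".dll")
    return False

def extract_iocs(data):
    # strings -> regex classification -> false-positive filter -> deduplicated (type, value) list
    iocs = []
    for m in STRING_RE.finditer(data):
        hit = classify(m.group().decode("ascii"))
        if hit and hit not in iocs and not is_false_positive(*hit):
            iocs.append(hit)
    return iocs

def stix_bundle(data):
    # STIX 2.1 bundle: a file SCO carrying the hashes plus one indicator per surviving IOC
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    hashes = {n: hashlib.new(a, data).hexdigest()
              for n, a in (("MD5", "md5"), ("SHA-1", "sha1"), ("SHA-256", "sha256"))}
    objects = [{"type": "file", "spec_version": "2.1", "id": f"file--{uuid.uuid4()}", "hashes": hashes}]
    for kind, value in extract_iocs(data):
        objects.append({"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
                        "created": ts, "modified": ts, "valid_from": ts, "pattern_type": "stix",
                        "pattern": f"[{kind}:value = '{value}']"})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

On the constructed sample the private 10.0.0.5, the kernel32.dll import and microsoft.com are dropped, leaving the URL and bad-c2.example as indicators. Values containing a single quote must be escaped before being placed in a STIX pattern, and the regexes are deliberately loose, so tune them to the sample set.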
## Workflow 2: Dynamic Analysis Pipeline
```
[Malware Sample] --> [Sandbox Submission] --> [Detonation] --> [Artifact Collection]
                                                                         |
                                                     +-------------------+-------------------+
                                                     |                   |                   |
                                                     v                   v                   v
                                                 [Network]           [File Sys]          [Registry]
                                                  [PCAPs]            [Changes]           [Changes]
                                                     |                   |                   |
                                                     +-------------------+-------------------+
                                                                         |
                                                                         v
                                                                [IOC Consolidation]
```
### Steps:
1. **Sandbox Setup**: Configure isolated VM with network monitoring
2. **Sample Submission**: Submit to CAPE/Cuckoo sandbox with execution parameters
3. **Execution Monitoring**: Monitor for 3-5 minutes of runtime behavior
4. **Network Capture**: Extract DNS queries, HTTP/HTTPS traffic, raw connections
5. **File System Analysis**: Identify created, modified, and deleted files
6. **Registry Analysis**: Capture registry key changes for persistence indicators
7. **Process Analysis**: Document spawned processes, injections, privilege escalation
8. **Consolidation**: Merge static and dynamic IOCs into unified report
## Workflow 3: Automated IOC Pipeline
```
[Feed/Alert] --> [Auto-Download] --> [Static Analysis] --> [Sandbox] --> [Enrichment] --> [Share]
                                                                              |
                                                                              v
                                                                     [VirusTotal Check]
                                                                              |
                                                                              v
                                                                    [MISP/OpenCTI Upload]
```
### Steps:
1. **Trigger**: New sample from malware feed, email gateway, or EDR alert
2. **Download**: Retrieve sample securely to analysis infrastructure
3. **Static Scan**: Automated PE parsing, string extraction, YARA scanning
4. **Dynamic Analysis**: Submit to sandbox for behavioral analysis
5. **Enrichment**: Check hashes against VirusTotal, cross-reference with TI platforms
6. **Deduplication**: Remove already-known IOCs from output
7. **Sharing**: Upload new IOCs to MISP/OpenCTI for team consumption