Behavioral Analysis

ProcMon (Process Monitor)

Tool ProcMon (Process Monitor)
URL https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Cost Free
Target Windows
Description - an advanced monitoring tool for Windows that shows real-time activity for
- file system
- Registry
- process/thread activity
- adds an extensive list of enhancements, including:
- rich and non-destructive filtering
- comprehensive event properties such as session IDs and user names
- reliable process information
- full thread stacks with integrated symbol support for each operation
- simultaneous logging to a file
- and much more
useful for - analyzing which processes are running
- file access
- registry access
similar Tools

Wireshark

Tool Wireshark
URL https://www.wireshark.org/
Cost Free
Target no specific OS - general network analyzer
Description - Analyze and display network capture files
- adaptive filtering possibilities
- understands a lot of network protocols (HTTP, SMB, Modbus, ...)
- huge community that keeps improving the software
useful for
- analyze network traffic
- generate statistics (top talkers, conversations, used protocols, ...)
- detailed analysis of TCP/UDP streams and packets
similar Tools NetworkMiner

NetworkMiner

Tool NetworkMiner
URL NetworkMiner - The NSM and Network Forensics Analysis Tool ⛏
Cost Free, commercial Pro version available
Target no specific OS - general network analyzer
Description - Analyze and display network capture files
- Extract data
- hosts, OS fingerprinting
- files (images, html files, ...)
- DNS queries and responses
- SSL Certificate information (Subject, Issuer, Serial, ...)
useful for - analyze network traffic
- extract data from streams (files, images, video streams, ...)
similar Tools Wireshark

ProcessHacker

Tool ProcessHacker
URL GitHub - winsiderss/systeminformer: A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
Cost Free
Target Windows
Description - A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
useful for - monitor system resources, debug software and detect malware
- Access memory regions of fileless malware
similar Tools ProcMon

FakeNet

Tool FakeNet
URL GitHub - mandiant/flare-fakenet-ng: [Suspended] FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Cost Free
Target Windows and Linux
Description - A next generation dynamic network analysis tool for malware analysts and penetration testers
useful for - simulating an Internet connection so that malware attempting outbound connections can continue executing
similar Tools InetSim

Process Explorer

Tool Process Explorer
URL Process Explorer - Windows Sysinternals | Microsoft Docs
Cost Free
Target Windows
Description - show details about currently running processes
- accessed files or directories
- which handles or DLLs are opened or loaded
useful for - analyzing which processes are running
- which DLLs are loaded
- which files are accessed by a running process
similar Tools

RegShot

Tool RegShot
URL regshot download | SourceForge.net
Cost Free
Target Windows
Description - create snapshots of the registry
- compare them to previous snapshots
useful for - analyzing changes in the registry between two different points in time
similar Tools

FakeDNS

Tool FakeDNS
URL GitHub - pathes/fakedns: Fake DNS server written in python 3
Cost Free
Target
Description - Python daemon that fakes a DNS server
useful for - fake a DNS server to analyze which DNS requests a running malware is sending
similar Tools

API Monitor

Tool API Monitor
URL API Monitor: Spy on API Calls and COM Interfaces (Freeware 32-bit and 64-bit Versions!) | rohitab.com
Cost Free
Target Windows
Description - monitor and control API calls made by applications and services
useful for - monitoring API calls made by applications and services
similar Tools

Capture BAT

Tool Capture BAT
URL Capture BAT – The Honeynet Project
Cost Free
Target Windows
Description - monitor the state of a system during the execution of applications and processing of documents
- monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations
- provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application
useful for - analyzing what happens on a system when applications are running
similar Tools

SSDEEP

Tool SSDEEP
URL https://ssdeep-project.github.io/ssdeep/index.html
Cost Free
Target Windows
Description ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
useful for - fuzzy hashing
similar Tools