Malware detection
Malware analysis platforms
- Triage Analyze malware samples for free. A state-of-the-art malware analysis sandbox, with all the features you need. This is an example analysis of a cryptominer for Linux (see Automated Malware Analysis for an introduction to the Triage platform).
- Any.run Interactive malware analysis.
- VirusTotal Analyse suspicious files, domains, IPs and URLs.
- MobSF Specialized for mobile apps. Still in beta (GitHub repo).
- A Beginner’s Guide to Tracking Malware Infrastructure A blog post describing how to use Censys for that purpose. Censys is not a malware analysis platform; it is an "exposure search engine" similar to Shodan. The post illustrates very basic Censys queries that can be useful for tracking malware infrastructure; I think similar techniques can be applied to Shodan as well.
- Malpulse A simple platform that keeps track of IP addresses associated with command-and-control (C&C) infrastructures.
Threat Intelligence
Indicators of Compromise (IoC)
- Indicators of Compromise (IoCs) and Their Role in Attack Defence (RFC 9424) An excellent description of what IoCs are and how they can be used.
- Importing External Custom Intelligence Feeds in SmartConsole An example of how to automatically import IoC URL feeds into a specific firewall product.
- Indicatori di compromissione per la protezione della Pubblica Amministrazione (Indicators of compromise for the protection of the Public Administration) Italian agencies can subscribe to a free service for automatically receiving a feed of IoCs from the Italian Computer Emergency Response Team (CERT) of Agenzia per l'Italia Digitale (AGID). This page contains links to several firewall guides like the one in the previous item.
- Cybersecurity Alerts & Advisories (CISA) Those of type "Analysis Report" contain IoCs associated with specific malware or attack campaigns, as well as YARA rules.
Public repositories and feeds
- MalwareBazaar A project for sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
- AlienVault The World’s First Truly Open Threat Intelligence Community (IoCs, malware families and more).
- GreyNoise We collect, analyze, and label data on IPs that scan the internet and saturate security tools with noise. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats.
- VirusTotal Intelligence VirusTotal Intelligence allows you to search through our dataset in order to identify files that match certain criteria (hash, antivirus detections, metadata, submission file names, file format structural properties, file size, etc.). We could say that it is pretty much like the "Google" of malware.
- Shadowserver Two free services are of interest here: the Dashboard and the daily reports.
- Shadowserver Dashboard: you can use the Dashboard to explore up to two years of aggregated country-level data about many different types of cyber threat intelligence, including some data sets from Shadowserver’s unique vantage points. You can then visualize the data in various ways, which can be easily shared as URLs.
- Shadowserver reports: a free daily potential attack surface report relevant to your organization’s network or constituency, as well as potential malware or other malicious activity seen originating from your network/constituency.
Programmatic tools
- YARA documentation
- Awesome YARA A curated list of awesome YARA rules, tools, and resources.
- Examples of YARA rules can also be found in the Cybersecurity Alerts and Advisories (CISA) mentioned in a section above.
- STIX and TAXII Sharing threat intelligence
- A conversation with ChatGPT that may be useful as a broad overview.
Analyses
Scientific papers that assess usage and effectiveness of threat intelligence services (with videos of the conference presentations):
- Reading the Tea Leaves: A Comparative Analysis of Threat Intelligence
- A different cup of TI? The added value of commercial threat intelligence USENIX Security 2020
AV / EDR (Antivirus / Endpoint Detection and Response)
- AntiViruses under the microscope: A hands-on perspective Computers & Security, January 2022. Everything you wanted to know about antiviruses. An excellent analysis of commercial antiviruses (68 pages: quite complex). Available only from UniTS internal network.
- All You Always Wanted To Know About AntiViruses A 35-minute video by one of the authors of the above paper (slides). Very useful and interesting.
- A conversation with ChatGPT that provides a general overview of the two behaviorally detected techniques mentioned in the slides (reflective DLL injection and process hollowing).
Appendix: Evasion
This is out of scope (not discussed in the course) but may be interesting.
- Avoiding Detection with Shellcode Mutator A tool that mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
- Killer: A Tool Created To Evade AVs And EDRs Or Security Tools
- List of techniques for bypassing AV and EDR, with a nice graphic.
- Let's create an EDR and bypass it.
- Meterpreter vs Modern EDR(s) describes experiments for injecting payloads with Meterpreter while bypassing EDR (Endpoint Detection and Response: the modern term for what used to be called an "antivirus"). The section "Meterpreter Reference Dropper" contains an example of the usage of msfvenom.