Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Security Analyst Workshop - 20190314

12.351 visualizaciones

Publicado el

Security analyst workshop slides, with useful tools and services

Publicado en: Educación
  • You can ask here for a help. They helped me a lot an i`m highly satisfied with quality of work done. I can promise you 100% un-plagiarized text and good experts there. Use with pleasure! ⇒ www.WritePaper.info ⇐
       Responder 
    ¿Estás seguro?    No
    Tu mensaje aparecerá aquí
  • Hi there! I just wanted to share a list of sites that helped me a lot during my studies: .................................................................................................................................... www.EssayWrite.best - Write an essay .................................................................................................................................... www.LitReview.xyz - Summary of books .................................................................................................................................... www.Coursework.best - Online coursework .................................................................................................................................... www.Dissertations.me - proquest dissertations .................................................................................................................................... www.ReMovie.club - Movies reviews .................................................................................................................................... www.WebSlides.vip - Best powerpoint presentations .................................................................................................................................... www.WritePaper.info - Write a research paper .................................................................................................................................... www.EddyHelp.com - Homework help online .................................................................................................................................... www.MyResumeHelp.net - Professional resume writing service .................................................................................................................................. www.HelpWriting.net - Help with writing any papers ......................................................................................................................................... Save so as not to lose
       Responder 
    ¿Estás seguro?    No
    Tu mensaje aparecerá aquí
  • Eat THIS "prickly flower" to crush food cravings. Ugly plant kills sugar & carb cravings instantly ➤➤ https://t.cn/A6wnCpvk
       Responder 
    ¿Estás seguro?    No
    Tu mensaje aparecerá aquí
  • Got a new Iphone 6 in just 7 days completing surveys and offers! Now I'm just a few days away from completing and receiving my samsung tablet! Highly recommended! Definitely the best survey site out there! ➤➤ http://t.cn/AieX2Loq
       Responder 
    ¿Estás seguro?    No
    Tu mensaje aparecerá aquí
  • How to use "The Scrambler" ot get a girl obsessed with BANGING you... ♥♥♥ http://scamcb.com/unlockher/pdf
       Responder 
    ¿Estás seguro?    No
    Tu mensaje aparecerá aquí

Security Analyst Workshop - 20190314

  1. 1. Security Analyst Toolset - Workshop Florian Roth, March 2019
  2. 2. This Workshop - Sets of tools and services for analysis tasks - Don’t expect a story line - Summaries, links, examples, screenshots
  3. 3. Starting Points § File Sample § Hash § FQDN § IP
  4. 4. URLs / Links Resources - URL Scan https://urlscan.io - URL Query https://www.urlquery.net - Virustotal https://www.virustotal.com/#/ho me/search Example: https://www.virustotal.com/#/domain/ schoolaredu.com
  5. 5. PassiveTotal / RiskIQ § DNS Infos § Alerting on Changes https://community.riskiq.com/
  6. 6. Censys.io § IP address information § Website information § SSL Certificates (!) https://censys.io/ Example https://censys.io/certificates?q=%22pent est%22 Real World https://censys.io/ipv4?q=+443.https.tls.c ertificate.parsed.names%3A%2Fo%5B10- 9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro %7Csk)%2F
  7. 7. ShodanHQ § Host Info § Open Ports § Banner § Services § Meta Data Examples https://www.shodan.io/explore/popular
  8. 8. String Extraction Linux (strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort -n macOS (gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n https://gist.github.com/Neo23x0/cd4934a06a616ecf6c f44e36f323e551
  9. 9. 010 Editor § Hex Editor § Great usability § Relevant Features § String Extraction § Binary Comparison https://www.sweetscape.com/010e ditor/
  10. 10. FireEye FLOSS § String extraction § Obfuscated string extraction § Stack string extraction https://github.com/fireeye/flare-floss Documentation https://github.com/fireeye/flare- floss/blob/master/doc/usage.md
  11. 11. CyberChef § Swiss Army Knife for all encoding / extraction / text based analysis § Many Functions § All types of encodings (UTF16, Base64, hex, charcode …) § Compression (zlib, raw) § Extraction (Regex, IOC parsing, embedded files) § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON) § Recipes § Work like the “|” in the Linux command line § Can be saved as Bookmark or shared with ohers https://gchq.github.io/CyberChef/ Recipes https://github.com/mattnotmax/cyber-chef- recipes
  12. 12. User Agent Analysis § Analyze User-Agent strings (from Sandbox reports, proxy logs etc.) § Get info on the string components and their meanings § Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. BRONZE Butler UA Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1) https://developers.whatismybrowser.c om/useragents/parse/
  13. 13. Virustotal 50 Shades of Virustotal § Sample Uploads (the obvious) § Sample Info (the obvious) § Info on Domains / Hosts § Info on IP Addresses
  14. 14. Virustotal – Domain Info Domain / Host Info - Passive DNS Replication - Related samples - URLs - Domain Siblings Example https://www.virustotal.com/#/domain/cdnveri fy.net
  15. 15. Virustotal – Sample Analysis Examples https://www.virustotal.com/en/file/ 59869db34853933b239f1e2219cf7 d431da006aa919635478511fabbfc 8849d2/analysis/ https://www.virustotal.com/en/file/e7 ba0e7123aaf3a3176b0224f0e374fac3 ecde370eedf3c18ea7d68812eba112/a nalysis/ Fun - hash in many IOC lists: https://otx.alienvault.com/indicator/fil e/620f0b67a91f7f74151bc5be745b71 10 https://www.virustotal.com/en/file/f8 babc70915006740c600e1af5adaaa70 e6ba3d75b16dc4088c569a85b93d519 /analysis/ https://www.virustotal.com/#/file/5a8 8b8d682d63e3319d113a8a573580b88 81e4b7b41e913e8af8358ac4927fb1/c ommunity
  16. 16. Virustotal – Browser Shortcuts Use the browser’s search engine integration for quick access
  17. 17. Virustotal – IP Info IP Info - Passive DNS Replication - Related samples - URLs Example https://www.virustotal.com/#/ip- address/209.99.40.222 Warning: § IP address mapping changes § Multiple domains can be registered to a single provider IP
  18. 18. Virustotal – Enterprise § Search § YARA Rule Sets § Retro Hunts § Graph https://www.virustotal .com/gui/
  19. 19. Virustotal – VTI Dorks Repo with interesting VTI search queries https://github.com/Ne o23x0/vti-dorks
  20. 20. Virustotal – Content Search Search for content in sample base § Strings content:”string” § Byte Chains content:{b1 1e 5f 11 35} https://www.virustotal.com/ gui/
  21. 21. Virustotal – Graph § Graph based analysis § Pivoting to related samples / domains Example https://www.virustotal.com/ graph/g1d606f8f877f92c844 7e2a775d8666a99cd8725d6 43fffc8419ac8196b7b3457/ drawer/node- summary/node/nwinoxior.tk /1552468646010 Demo https://www.youtube.com/w atch?v=17yRtGFq9xc
  22. 22. Malware.one § Free / Registration required § String / Bytes search on big (12 TB) but unknown malware corpus § Search visible to all other users § Result download as TXT § Sample download on request https://malware.one
  23. 23. Hybrid-Analysis § Public Sandbox § Commercial: CrowdStrike’s Falcon Sandbox § Extra Features: § String Search § YARA Search https://www.hybrid-analysis.com/ Example https://www.hybrid- analysis.com/sample/c8f27a014db8fa34 fed08f6d7d50b728a8d49084dc20becdb2 3fff2851bae9cb?environmentId=100
  24. 24. Hybrid-Analysis – String Search Examples: § certutil.exe § 706f7765727368656c6c (hex encoded “powershell”) CyberChef will help https://gchq.github.io/CyberChef/#recip e=Encode_text('UTF16LE%20(1200)'/disa bled)To_Hex('None')&input=cG93ZXJzaG VsbA
  25. 25. Any.Run § Public Sandbox § Special Feature: User Interaction § Pros: § Intuitive layout, uncluttered views § Sample and dropped files download § Sample previews (hex, raw) https://app.any.run/ Example: https://app.any.run/tasks/7c83e4ca -7569-4c8b-8b2d-56bf24f30494
  26. 26. IRIS-H - Static Analysis of Office Docs and the like - Fast results - Denis is working on a dockerized version https://iris-h.services/ Example: https://iris- h.services/#/pages/report/5971707 a8190abea8399a3ff93460b4bea403 252
  27. 27. Antivirus Event Analysis Cheat Sheet § Helps Security Analysts to process Antivirus Events in a purposeful way § Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected § It is much better to evaluate an Antivirus event based on: § Virus Type § Location § User § System § Form § Time https://www.nextron- systems.com/2019/02/06/antivir us-event-analysis-cheat-sheet-v1- 7/
  28. 28. Intezer § Static Analysis Platform § Comparisons based on so called “Genes” § “Strings” are also very interesting https://analyze.intezer.com Example https://analyze.intezer.com/#/analyses/af471fdf- 4b91-405b-aa68-c5221aa3f2d2
  29. 29. APT Groups and Operations Overview § Threat Groups § Campaigns § Malware Mapping https://docs.google.com/spreadsheets/d/1H 9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF X68EKU/
  30. 30. APT Search Engine § Custom Google Search Engine § Includes § Blogs of companies with frequent threat research publications § Sandboxes § APT Notes § IOC Sharing Websites https://cse.google.com/cse?cx=0032484457 20253387346:turlh5vi4xc Sources of the Search https://gist.github.com/Neo23x0/c4f4062934 2769ad0a8f3980942e21d3
  31. 31. Twitter / Tweetdeck § Search Based Panels § #DFIR OR #ThreatHunting OR #SIEM § virustotal.com OR app.any.run OR hybrid- analysis.com OR reverseit.com OR virusbay.io § New Threats / Interesting Detection Methods https://tweetdeck.twitter.com/
  32. 32. Pastebin § Keyword Alerting § Email Addresses § MD5, SHA1, LM, NTLM Hash of company’s default passwords § Internal AD Domain Names § Names of internal projects / systems that should never appear in public locations (you personal project “Sauron”) https://pastebin.com/
  33. 33. Munin § Process a list of Hash IOCs § Get many infos § AV detection rate § Imphah, filenames, type § First / Last submission § User comments (--intense) § Output § Command line output – colorized § CSV Export § Cached infos (JSON) § Lookups § Virustotal § Hybrid-Analysis § Virusbay § Malshare https://github.com/Neo23x0/munin
  34. 34. Questions? Twitter: @cyb3rops

×