SlideShare una empresa de Scribd logo

Security Analyst Workshop - 20200212

F
Florian Roth

This document summarizes a security analyst toolset workshop. It lists various online tools and services for security analysis tasks like investigating file samples, hashes, domains, IPs, and extracting strings. Tools covered include URL scanners, passive DNS tools, Shodan, Virustotal, hybrid analysis, Any.Run, Cybereason Iris, Antivirus event analysis, and more. Twitter, pastebin, and other open sources are also mentioned for threat hunting and monitoring.

Educación
1 de 38
Descargar para leer sin conexión
Security Analyst Toolset - Workshop Florian Roth, February 2020
This Workshop - Sets of tools and services for analysis tasks - Don’t expect a story line - Slides contain: key features, links, examples, screenshots
Starting Points of Investigations § File Sample § Hash § FQDN § IP
URLs / Links Resources - URL Scan https://urlscan.io - URL Query https://www.urlquery.net - Virustotal https://www.virustotal.com/#/ho me/search Example: https://www.virustotal.com/#/domain/ schoolaredu.com
PassiveTotal / RiskIQ § DNS Infos § Alerting on Changes https://community.riskiq.com/
Censys.io § IP address information § Website information § SSL Certificates (!) https://censys.io/ Example https://censys.io/certificates?q=%22pent est%22 Real World https://censys.io/ipv4?q=+443.https.tls.c ertificate.parsed.names%3A%2Fo%5B10- 9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro %7Csk)%2F
ShodanHQ § Host Info § Open Ports § Banner § Services § Meta Data Examples https://www.shodan.io/explore/popular
String Extraction Linux (strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort -n macOS (gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n https://gist.github.com/Neo23x0/cd4934a06a616ecf6c f44e36f323e551
010 Editor § Hex Editor § Great usability § Relevant Features § String Extraction § Binary Comparison https://www.sweetscape.com/010e ditor/
FireEye FLOSS § String extraction § Obfuscated string extraction § Stack string extraction https://github.com/fireeye/flare-floss Documentation https://github.com/fireeye/flare- floss/blob/master/doc/usage.md
FireEye Stringsifter § String evaluation § ranks strings based on their relevance for malware analysis https://github.com/fireeye/stringsifter Can be combined with 010 Editor (script by my co-worker Tobias Michalski) https://www.sweetscape.com/010editor/r epository/scripts/file_info.php?file=RateStr ings.1sc&type=1&sort= Technical Blog Post https://www.fireeye.com/blog/threat- research/2019/05/learning-to-rank-strings- output-for-speedier-malware-analysis.html
CyberChef § Swiss Army Knife for all encoding / extraction / text based analysis § Many Functions § All types of encodings (UTF16, Base64, hex, charcode …) § Compression (zlib, raw) § Extraction (Regex, IOC parsing, embedded files) § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON) § Recipes § Work like the “|” in the Linux command line § Can be saved as Bookmark or shared with ohers https://gchq.github.io/CyberChef/ Recipes https://github.com/mattnotmax/cyber-chef- recipes
Top Base64 Encoding Learning Aid § Helps you learn the most common Base64 patterns found in malware § Features a mnemonic aid and emoticon (dual coding – learning style) https://gist.github.com/N eo23x0/6af876ee72b5167 6c82a2db8d2cd3639
User Agent Analysis § Analyze User-Agent strings (from Sandbox reports, proxy logs etc.) § Get info on the string components and their meanings § Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. BRONZE Butler UA Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1) https://developers.whatismybrowser.c om/useragents/parse/
Virustotal 50 Shades of Virustotal § Sample Uploads (the obvious) § Sample Info (the obvious) § Info on Domains / Hosts § Info on IP Addresses
Virustotal – Domain Info Domain / Host Info - Passive DNS Replication - Related samples - URLs - Domain Siblings Example https://www.virustotal.com/#/domain/cdnveri fy.net
Virustotal – Sample Analysis Examples https://www.virustotal.com/en/file/ 59869db34853933b239f1e2219cf7 d431da006aa919635478511fabbfc 8849d2/analysis/ https://www.virustotal.com/en/file/e7 ba0e7123aaf3a3176b0224f0e374fac3 ecde370eedf3c18ea7d68812eba112/a nalysis/ Fun - hash in many IOC lists: https://otx.alienvault.com/indicator/fil e/620f0b67a91f7f74151bc5be745b71 10 https://www.virustotal.com/en/file/f8 babc70915006740c600e1af5adaaa70 e6ba3d75b16dc4088c569a85b93d519 /analysis/ https://www.virustotal.com/#/file/5a8 8b8d682d63e3319d113a8a573580b88 81e4b7b41e913e8af8358ac4927fb1/c ommunity
Virustotal – Browser Shortcuts Use the browser’s search engine integration for quick access
Virustotal – IP Info IP Info - Passive DNS Replication - Related samples - URLs Example https://www.virustotal.com/#/ip- address/209.99.40.222 Warning: § IP address mapping changes § Multiple domains can be registered to a single provider IP
Virustotal – Enterprise § Search § YARA Rule Sets § Retro Hunts § Graph https://www.virustotal .com/gui/
Virustotal – VTI Dorks Repo with interesting VTI search queries https://github.com/Ne o23x0/vti-dorks
Virustotal – Content Search Search for content in sample base § Strings content:”string” § Byte Chains content:{b1 1e 5f 11 35} https://www.virustotal.com/ gui/
Virustotal – Graph § Graph based analysis § Pivoting to related samples / domains Example https://www.virustotal.com/ graph/g1d606f8f877f92c844 7e2a775d8666a99cd8725d6 43fffc8419ac8196b7b3457/ drawer/node- summary/node/nwinoxior.tk /1552468646010 Demo https://www.youtube.com/w atch?v=17yRtGFq9xc
Malware.one § Free / Registration required § String / Bytes search on big (12 TB) but unknown malware corpus § Search visible to all other users § Result download as TXT § Sample download on request https://malware.one
Hybrid-Analysis § Public Sandbox § Commercial: CrowdStrike’s Falcon Sandbox § Extra Features: § String Search § YARA Search § Imphash Search > Report Serach > Advanced > More Options https://www.hybrid-analysis.com/ Example https://www.hybrid- analysis.com/sample/c8f27a014db8fa34 fed08f6d7d50b728a8d49084dc20becdb2 3fff2851bae9cb?environmentId=100
Hybrid-Analysis – String Search Examples: § certutil.exe § 706f7765727368656c6c (hex encoded “powershell”) CyberChef will help https://gchq.github.io/CyberChef/#recip e=Encode_text('UTF16LE%20(1200)'/disa bled)To_Hex('None')&input=cG93ZXJzaG VsbA
Any.Run § Public Sandbox § Special Feature: User Interaction § Pros: § Intuitive layout, uncluttered views § Sample and dropped files download § Sample previews (hex, raw) https://app.any.run/ Example: https://app.any.run/tasks/7c83e4ca -7569-4c8b-8b2d-56bf24f30494
IRIS-H - Static Analysis of Office Docs and the like - Fast results - Denis is working on a dockerized version https://iris-h.services/ Example: https://iris- h.services/#/pages/report/5971707 a8190abea8399a3ff93460b4bea403 252
Antivirus Event Analysis Cheat Sheet § Helps Security Analysts to process Antivirus Events in a purposeful way § Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected § It is much better to evaluate an Antivirus event based on: § Virus Type § Location § User § System § Form § Time https://www.nextron- systems.com/2019/10/04/antivir us-event-analysis-cheat-sheet-v1- 7-2/
Intezer § Static Analysis Platform § Comparisons based on so called “Genes” § “Strings” are also very interesting https://analyze.intezer.com Example https://analyze.intezer.com/#/analyses/af471fdf- 4b91-405b-aa68-c5221aa3f2d2
APT Groups and Operations Overview § Threat Groups § Campaigns § Malware Mapping https://docs.google.com/spreadsheets/d/1H 9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF X68EKU/
APT Search Engine § Custom Google Search Engine § Includes § Blogs of companies with frequent threat research publications § Sandboxes § APT Notes § IOC Sharing Websites https://cse.google.com/cse?cx=0032484457 20253387346:turlh5vi4xc Sources of the Search https://gist.github.com/Neo23x0/c4f4062934 2769ad0a8f3980942e21d3
Twitter / Tweetdeck § Search Based Panels § #DFIR OR #ThreatHunting OR #SIEM § virustotal.com OR app.any.run OR hybrid- analysis.com OR reverseit.com OR virusbay.io § New Threats / Interesting Detection Methods https://tweetdeck.twitter.com/
Pastebin § Keyword Alerting § Email Addresses § MD5, SHA1, LM, NTLM Hash of company’s default passwords § Internal AD Domain Names § Names of internal projects / systems that should never appear in public locations (you personal project “Sauron”) https://pastebin.com/
Munin § Process a list of Hash IOCs § Get many infos § AV detection rate § Imphah, filenames, type § First / Last submission § User comments (--intense) § Output § Command line output – colorized § CSV Export § Cached infos (JSON) § Lookups § Virustotal § Hybrid-Analysis § Virusbay § Malshare https://github.com/Neo23x0/munin
Unfurl § takes a URL and expands it into a directed graph https://dfir.blog/unfurl/ Blog https://dfir.blog/introducing-unfurl/
InQuest Labs § Different online tools, e.g. § Base64 regular expressions generator § Mixed ex case generator https://labs.inquest.net/
Questions? Twitter: @cyb3rops

Recomendados

Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Ransomware Resistance
Ransomware ResistanceRansomware Resistance
Ransomware ResistanceFlorian Roth
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment ReportHarshit Singh Bhatia
 

Recomendados

Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Ransomware Resistance
Ransomware ResistanceRansomware Resistance
Ransomware ResistanceFlorian Roth
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment ReportHarshit Singh Bhatia
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
DDoS Protection
DDoS ProtectionDDoS Protection
DDoS ProtectionAmazon Web Services
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS ProtectionMarketingArrowECS_CZ
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response RolesFlorian Roth
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASPGrupo Gesfor I+D+i
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014Amazon Web Services
 

Más contenido relacionado

La actualidad más candente

Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response RolesFlorian Roth
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 

La actualidad más candente (20)

Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
DDoS Protection
DDoS ProtectionDDoS Protection
DDoS Protection
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS Protection
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response Roles
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 

Similar a Security Analyst Workshop - 20200212

(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014Amazon Web Services
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kievuisgslide
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?Sumedt Jitpukdebodin
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 

Similar a Security Analyst Workshop - 20200212 (20)

Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 

Último

ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 

Último (20)

ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 

Security Analyst Workshop - 20200212

  • 1. Security Analyst Toolset - Workshop Florian Roth, February 2020
  • 2. This Workshop - Sets of tools and services for analysis tasks - Don’t expect a story line - Slides contain: key features, links, examples, screenshots
  • 3. Starting Points of Investigations § File Sample § Hash § FQDN § IP
  • 4. URLs / Links Resources - URL Scan https://urlscan.io - URL Query https://www.urlquery.net - Virustotal https://www.virustotal.com/#/ho me/search Example: https://www.virustotal.com/#/domain/ schoolaredu.com
  • 5. PassiveTotal / RiskIQ § DNS Infos § Alerting on Changes https://community.riskiq.com/
  • 6. Censys.io § IP address information § Website information § SSL Certificates (!) https://censys.io/ Example https://censys.io/certificates?q=%22pent est%22 Real World https://censys.io/ipv4?q=+443.https.tls.c ertificate.parsed.names%3A%2Fo%5B10- 9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro %7Csk)%2F
  • 7. ShodanHQ § Host Info § Open Ports § Banner § Services § Meta Data Examples https://www.shodan.io/explore/popular
  • 8. String Extraction Linux (strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort -n macOS (gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n https://gist.github.com/Neo23x0/cd4934a06a616ecf6c f44e36f323e551
  • 9. 010 Editor § Hex Editor § Great usability § Relevant Features § String Extraction § Binary Comparison https://www.sweetscape.com/010e ditor/
  • 10. FireEye FLOSS § String extraction § Obfuscated string extraction § Stack string extraction https://github.com/fireeye/flare-floss Documentation https://github.com/fireeye/flare- floss/blob/master/doc/usage.md
  • 11. FireEye Stringsifter § String evaluation § ranks strings based on their relevance for malware analysis https://github.com/fireeye/stringsifter Can be combined with 010 Editor (script by my co-worker Tobias Michalski) https://www.sweetscape.com/010editor/r epository/scripts/file_info.php?file=RateStr ings.1sc&type=1&sort= Technical Blog Post https://www.fireeye.com/blog/threat- research/2019/05/learning-to-rank-strings- output-for-speedier-malware-analysis.html
  • 12. CyberChef § Swiss Army Knife for all encoding / extraction / text based analysis § Many Functions § All types of encodings (UTF16, Base64, hex, charcode …) § Compression (zlib, raw) § Extraction (Regex, IOC parsing, embedded files) § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON) § Recipes § Work like the “|” in the Linux command line § Can be saved as Bookmark or shared with ohers https://gchq.github.io/CyberChef/ Recipes https://github.com/mattnotmax/cyber-chef- recipes
  • 13. Top Base64 Encoding Learning Aid § Helps you learn the most common Base64 patterns found in malware § Features a mnemonic aid and emoticon (dual coding – learning style) https://gist.github.com/N eo23x0/6af876ee72b5167 6c82a2db8d2cd3639
  • 14. User Agent Analysis § Analyze User-Agent strings (from Sandbox reports, proxy logs etc.) § Get info on the string components and their meanings § Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. BRONZE Butler UA Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1) https://developers.whatismybrowser.c om/useragents/parse/
  • 15. Virustotal 50 Shades of Virustotal § Sample Uploads (the obvious) § Sample Info (the obvious) § Info on Domains / Hosts § Info on IP Addresses
  • 16. Virustotal – Domain Info Domain / Host Info - Passive DNS Replication - Related samples - URLs - Domain Siblings Example https://www.virustotal.com/#/domain/cdnveri fy.net
  • 17. Virustotal – Sample Analysis Examples https://www.virustotal.com/en/file/ 59869db34853933b239f1e2219cf7 d431da006aa919635478511fabbfc 8849d2/analysis/ https://www.virustotal.com/en/file/e7 ba0e7123aaf3a3176b0224f0e374fac3 ecde370eedf3c18ea7d68812eba112/a nalysis/ Fun - hash in many IOC lists: https://otx.alienvault.com/indicator/fil e/620f0b67a91f7f74151bc5be745b71 10 https://www.virustotal.com/en/file/f8 babc70915006740c600e1af5adaaa70 e6ba3d75b16dc4088c569a85b93d519 /analysis/ https://www.virustotal.com/#/file/5a8 8b8d682d63e3319d113a8a573580b88 81e4b7b41e913e8af8358ac4927fb1/c ommunity
  • 18. Virustotal – Browser Shortcuts Use the browser’s search engine integration for quick access
  • 19. Virustotal – IP Info IP Info - Passive DNS Replication - Related samples - URLs Example https://www.virustotal.com/#/ip- address/209.99.40.222 Warning: § IP address mapping changes § Multiple domains can be registered to a single provider IP
  • 20. Virustotal – Enterprise § Search § YARA Rule Sets § Retro Hunts § Graph https://www.virustotal .com/gui/
  • 21. Virustotal – VTI Dorks Repo with interesting VTI search queries https://github.com/Ne o23x0/vti-dorks
  • 22. Virustotal – Content Search Search for content in sample base § Strings content:”string” § Byte Chains content:{b1 1e 5f 11 35} https://www.virustotal.com/ gui/
  • 23. Virustotal – Graph § Graph based analysis § Pivoting to related samples / domains Example https://www.virustotal.com/ graph/g1d606f8f877f92c844 7e2a775d8666a99cd8725d6 43fffc8419ac8196b7b3457/ drawer/node- summary/node/nwinoxior.tk /1552468646010 Demo https://www.youtube.com/w atch?v=17yRtGFq9xc
  • 24. Malware.one § Free / Registration required § String / Bytes search on big (12 TB) but unknown malware corpus § Search visible to all other users § Result download as TXT § Sample download on request https://malware.one
  • 25. Hybrid-Analysis § Public Sandbox § Commercial: CrowdStrike’s Falcon Sandbox § Extra Features: § String Search § YARA Search § Imphash Search > Report Serach > Advanced > More Options https://www.hybrid-analysis.com/ Example https://www.hybrid- analysis.com/sample/c8f27a014db8fa34 fed08f6d7d50b728a8d49084dc20becdb2 3fff2851bae9cb?environmentId=100
  • 26. Hybrid-Analysis – String Search Examples: § certutil.exe § 706f7765727368656c6c (hex encoded “powershell”) CyberChef will help https://gchq.github.io/CyberChef/#recip e=Encode_text('UTF16LE%20(1200)'/disa bled)To_Hex('None')&input=cG93ZXJzaG VsbA
  • 27. Any.Run § Public Sandbox § Special Feature: User Interaction § Pros: § Intuitive layout, uncluttered views § Sample and dropped files download § Sample previews (hex, raw) https://app.any.run/ Example: https://app.any.run/tasks/7c83e4ca -7569-4c8b-8b2d-56bf24f30494
  • 28. IRIS-H - Static Analysis of Office Docs and the like - Fast results - Denis is working on a dockerized version https://iris-h.services/ Example: https://iris- h.services/#/pages/report/5971707 a8190abea8399a3ff93460b4bea403 252
  • 29. Antivirus Event Analysis Cheat Sheet § Helps Security Analysts to process Antivirus Events in a purposeful way § Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected § It is much better to evaluate an Antivirus event based on: § Virus Type § Location § User § System § Form § Time https://www.nextron- systems.com/2019/10/04/antivir us-event-analysis-cheat-sheet-v1- 7-2/
  • 30. Intezer § Static Analysis Platform § Comparisons based on so called “Genes” § “Strings” are also very interesting https://analyze.intezer.com Example https://analyze.intezer.com/#/analyses/af471fdf- 4b91-405b-aa68-c5221aa3f2d2
  • 31. APT Groups and Operations Overview § Threat Groups § Campaigns § Malware Mapping https://docs.google.com/spreadsheets/d/1H 9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF X68EKU/
  • 32. APT Search Engine § Custom Google Search Engine § Includes § Blogs of companies with frequent threat research publications § Sandboxes § APT Notes § IOC Sharing Websites https://cse.google.com/cse?cx=0032484457 20253387346:turlh5vi4xc Sources of the Search https://gist.github.com/Neo23x0/c4f4062934 2769ad0a8f3980942e21d3
  • 33. Twitter / Tweetdeck § Search Based Panels § #DFIR OR #ThreatHunting OR #SIEM § virustotal.com OR app.any.run OR hybrid- analysis.com OR reverseit.com OR virusbay.io § New Threats / Interesting Detection Methods https://tweetdeck.twitter.com/
  • 34. Pastebin § Keyword Alerting § Email Addresses § MD5, SHA1, LM, NTLM Hash of company’s default passwords § Internal AD Domain Names § Names of internal projects / systems that should never appear in public locations (you personal project “Sauron”) https://pastebin.com/
  • 35. Munin § Process a list of Hash IOCs § Get many infos § AV detection rate § Imphah, filenames, type § First / Last submission § User comments (--intense) § Output § Command line output – colorized § CSV Export § Cached infos (JSON) § Lookups § Virustotal § Hybrid-Analysis § Virusbay § Malshare https://github.com/Neo23x0/munin
  • 36. Unfurl § takes a URL and expands it into a directed graph https://dfir.blog/unfurl/ Blog https://dfir.blog/introducing-unfurl/
  • 37. InQuest Labs § Different online tools, e.g. § Base64 regular expressions generator § Mixed ex case generator https://labs.inquest.net/