This document summarizes a security analyst toolset workshop. It lists various online tools and services for security analysis tasks like investigating file samples, hashes, domains, IPs, and extracting strings. Tools covered include URL scanners, passive DNS tools, Shodan, Virustotal, hybrid analysis, Any.Run, Cybereason Iris, Antivirus event analysis, and more. Twitter, pastebin, and other open sources are also mentioned for threat hunting and monitoring.
2. This Workshop
- Sets of tools and services for analysis tasks
- Don’t expect a story line
- Slides contain: key features, links, examples, screenshots
6. Censys.io
§ IP address information
§ Website information
§ SSL Certificates (!)
https://censys.io/
Example
https://censys.io/certificates?q=%22pent
est%22
Real World
https://censys.io/ipv4?q=+443.https.tls.c
ertificate.parsed.names%3A%2Fo%5B10-
9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro
%7Csk)%2F
7. ShodanHQ
§ Host Info
§ Open Ports
§ Banner
§ Services
§ Meta Data
Examples
https://www.shodan.io/explore/popular
8. String Extraction
Linux
(strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1
A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*)
(.*)$/1 W 2/') | sort -n
macOS
(gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*)
(.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed
's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n
https://gist.github.com/Neo23x0/cd4934a06a616ecf6c
f44e36f323e551
9. 010 Editor
§ Hex Editor
§ Great usability
§ Relevant Features
§ String Extraction
§ Binary Comparison
https://www.sweetscape.com/010e
ditor/
11. FireEye Stringsifter
§ String evaluation
§ ranks strings based on their relevance
for malware analysis
https://github.com/fireeye/stringsifter
Can be combined with 010 Editor
(script by my co-worker Tobias Michalski)
https://www.sweetscape.com/010editor/r
epository/scripts/file_info.php?file=RateStr
ings.1sc&type=1&sort=
Technical Blog Post
https://www.fireeye.com/blog/threat-
research/2019/05/learning-to-rank-strings-
output-for-speedier-malware-analysis.html
12. CyberChef
§ Swiss Army Knife for all encoding /
extraction / text based analysis
§ Many Functions
§ All types of encodings
(UTF16, Base64, hex, charcode …)
§ Compression (zlib, raw)
§ Extraction
(Regex, IOC parsing, embedded files)
§ Other cool stuff
(defang URLs, XOR Brute Force, CSV to JSON)
§ Recipes
§ Work like the “|” in the Linux command line
§ Can be saved as Bookmark or shared with ohers
https://gchq.github.io/CyberChef/
Recipes
https://github.com/mattnotmax/cyber-chef-
recipes
13. Top Base64 Encoding Learning Aid
§ Helps you learn the
most common Base64
patterns found in
malware
§ Features a mnemonic
aid and emoticon
(dual coding – learning
style)
https://gist.github.com/N
eo23x0/6af876ee72b5167
6c82a2db8d2cd3639
14. User Agent Analysis
§ Analyze User-Agent strings
(from Sandbox reports, proxy logs
etc.)
§ Get info on the string components
and their meanings
§ Evaluate how prevalent a certain
User-Agent is
(is it usable for detection?
E.g. BRONZE Butler UA
Mozilla/4.0 (compatible; MSIE 11.0; Windows
NT 6.1; SV1)
https://developers.whatismybrowser.c
om/useragents/parse/
15. Virustotal
50 Shades of Virustotal
§ Sample Uploads (the
obvious)
§ Sample Info (the obvious)
§ Info on Domains / Hosts
§ Info on IP Addresses
16. Virustotal – Domain Info
Domain / Host Info
- Passive DNS
Replication
- Related samples
- URLs
- Domain Siblings
Example
https://www.virustotal.com/#/domain/cdnveri
fy.net
17. Virustotal – Sample Analysis
Examples
https://www.virustotal.com/en/file/
59869db34853933b239f1e2219cf7
d431da006aa919635478511fabbfc
8849d2/analysis/
https://www.virustotal.com/en/file/e7
ba0e7123aaf3a3176b0224f0e374fac3
ecde370eedf3c18ea7d68812eba112/a
nalysis/
Fun - hash in many IOC lists:
https://otx.alienvault.com/indicator/fil
e/620f0b67a91f7f74151bc5be745b71
10
https://www.virustotal.com/en/file/f8
babc70915006740c600e1af5adaaa70
e6ba3d75b16dc4088c569a85b93d519
/analysis/
https://www.virustotal.com/#/file/5a8
8b8d682d63e3319d113a8a573580b88
81e4b7b41e913e8af8358ac4927fb1/c
ommunity
18. Virustotal – Browser Shortcuts
Use the browser’s
search engine
integration for quick
access
19. Virustotal – IP Info
IP Info
- Passive DNS Replication
- Related samples
- URLs
Example
https://www.virustotal.com/#/ip-
address/209.99.40.222
Warning:
§ IP address mapping changes
§ Multiple domains can be registered to a single
provider IP
22. Virustotal – Content Search
Search for content in sample
base
§ Strings
content:”string”
§ Byte Chains
content:{b1 1e 5f 11 35}
https://www.virustotal.com/
gui/
23. Virustotal – Graph
§ Graph based analysis
§ Pivoting to related
samples / domains
Example
https://www.virustotal.com/
graph/g1d606f8f877f92c844
7e2a775d8666a99cd8725d6
43fffc8419ac8196b7b3457/
drawer/node-
summary/node/nwinoxior.tk
/1552468646010
Demo
https://www.youtube.com/w
atch?v=17yRtGFq9xc
24. Malware.one
§ Free / Registration required
§ String / Bytes search on big (12 TB)
but unknown malware corpus
§ Search visible to all other users
§ Result download as TXT
§ Sample download on request
https://malware.one
25. Hybrid-Analysis
§ Public Sandbox
§ Commercial: CrowdStrike’s Falcon
Sandbox
§ Extra Features:
§ String Search
§ YARA Search
§ Imphash Search > Report Serach >
Advanced > More Options
https://www.hybrid-analysis.com/
Example
https://www.hybrid-
analysis.com/sample/c8f27a014db8fa34
fed08f6d7d50b728a8d49084dc20becdb2
3fff2851bae9cb?environmentId=100
26. Hybrid-Analysis – String Search
Examples:
§ certutil.exe
§ 706f7765727368656c6c
(hex encoded “powershell”)
CyberChef will help
https://gchq.github.io/CyberChef/#recip
e=Encode_text('UTF16LE%20(1200)'/disa
bled)To_Hex('None')&input=cG93ZXJzaG
VsbA
27. Any.Run
§ Public Sandbox
§ Special Feature: User Interaction
§ Pros:
§ Intuitive layout, uncluttered views
§ Sample and dropped files download
§ Sample previews (hex, raw)
https://app.any.run/
Example:
https://app.any.run/tasks/7c83e4ca
-7569-4c8b-8b2d-56bf24f30494
28. IRIS-H
- Static Analysis of Office Docs
and the like
- Fast results
- Denis is working on a dockerized
version
https://iris-h.services/
Example:
https://iris-
h.services/#/pages/report/5971707
a8190abea8399a3ff93460b4bea403
252
29. Antivirus Event Analysis Cheat Sheet
§ Helps Security Analysts to
process Antivirus Events in a
purposeful way
§ Because: It is wrong to handle
Antivirus events based on
their status: Deleted, Deletion
Failed, Detected
§ It is much better to evaluate
an Antivirus event based on:
§ Virus Type
§ Location
§ User
§ System
§ Form
§ Time
https://www.nextron-
systems.com/2019/10/04/antivir
us-event-analysis-cheat-sheet-v1-
7-2/
30. Intezer
§ Static Analysis Platform
§ Comparisons based on so called “Genes”
§ “Strings” are also very interesting
https://analyze.intezer.com
Example
https://analyze.intezer.com/#/analyses/af471fdf-
4b91-405b-aa68-c5221aa3f2d2
31. APT Groups and Operations Overview
§ Threat Groups
§ Campaigns
§ Malware Mapping
https://docs.google.com/spreadsheets/d/1H
9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF
X68EKU/
32. APT Search Engine
§ Custom Google Search Engine
§ Includes
§ Blogs of companies with frequent threat
research publications
§ Sandboxes
§ APT Notes
§ IOC Sharing Websites
https://cse.google.com/cse?cx=0032484457
20253387346:turlh5vi4xc
Sources of the Search
https://gist.github.com/Neo23x0/c4f4062934
2769ad0a8f3980942e21d3
33. Twitter / Tweetdeck
§ Search Based Panels
§ #DFIR OR #ThreatHunting OR #SIEM
§ virustotal.com OR app.any.run OR hybrid-
analysis.com OR reverseit.com OR virusbay.io
§ New Threats / Interesting Detection
Methods
https://tweetdeck.twitter.com/
34. Pastebin
§ Keyword Alerting
§ Email Addresses
§ MD5, SHA1, LM, NTLM Hash of
company’s default passwords
§ Internal AD Domain Names
§ Names of internal projects /
systems that should never appear
in public locations
(you personal project “Sauron”)
https://pastebin.com/
35. Munin
§ Process a list of Hash IOCs
§ Get many infos
§ AV detection rate
§ Imphah, filenames, type
§ First / Last submission
§ User comments (--intense)
§ Output
§ Command line output – colorized
§ CSV Export
§ Cached infos (JSON)
§ Lookups
§ Virustotal
§ Hybrid-Analysis
§ Virusbay
§ Malshare
https://github.com/Neo23x0/munin
36. Unfurl
§ takes a URL and expands it into a
directed graph
https://dfir.blog/unfurl/
Blog
https://dfir.blog/introducing-unfurl/
37. InQuest Labs
§ Different online tools, e.g.
§ Base64 regular expressions generator
§ Mixed ex case generator
https://labs.inquest.net/