SlideShare a Scribd company logo

Automatic MIME Attachments Triage

Xavier Mertens
Xavier Mertens

Presentation of mime2vy.py @ BotConfi 2015 (lightning talk)

Internet
1 of 12
Download to read offline
Automatic MIME Attachments Triage Botconf 2015 - Lightning Talk
TrueSec $ cat ~/whoami.xml 2 <profile> <real_name>Xavier Mertens</real_name> <day_job>Freelance Security Consultant</day_job> <night_job>Hacker, Blogger</night_job> <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]> </profile>
TrueSec $ cat ~/.profile • I like (your) data • Playing “Active Defense” • I prefer t-shirts than ties • I like to play with gadgets! 3
TrueSec Problem • Computers are compromised to join botnets • Main infection vectors remains: • HTTP • SMTP • Huge amount of data to process • Infosec people needs knowledge • Infosec people are lazy / don’t have time 4
TrueSec Solution 5
TrueSec Mime2VT 6 • Extracts MIME attachments from emails • Checks / submits interesting ones toVT • AnalysesVBA macros using olevba.py API(*) • Support zip files • Archive them • Extract URLs from emails • Export data to ELK (*) http://www.decalage.info/python/olevba
TrueSec Example 7 Nov 30 21:49:09 marge postfix/qmgr[22867]: 00F547C016C: from=<SaundersThelma17@telepac.pt>, size=188819, nrcpt=1 (queue active) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: message/rfc822 (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: application/vnd.ms-excel (invoice_details_32247759.xls) Nov 30 21:49:10 marge mime2vt.py[20225]: Found interesting file: invoice_details_32247759.xls (application/vnd.ms-excel) Nov 30 21:49:12 marge mime2vt.py[20225]: File: invoice_details_32247759.xls (0026d60cf0838a943793ce61fa0366a1) Score: 8/56 Scanned: 2015-11-30 20:45:07 (1:04:05) Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: dbAddMD5: 0026d60cf0838a943793ce61fa0366a1 Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Analyzing with oletools Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Detected file type: OLE Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: VBA Macros found Nov 30 21:49:19 marge mime2vt.py[20225]: DEBUG: Analysis dumped to /var/tmp/mime/ 2015/11/30/invoice_details_32247759.xls.analysis
TrueSec Example 8 $ cat /var/tmp/mime/2015/11/30/invoice_details_32247759.xls.analysis AutoExec | Workbook_Open | Runs when the Excel Workbook is opened Suspicious | Kill | May delete a file Suspicious | Open | May open a file Suspicious | Shell | May run an executable file or a system command Suspicious | Run | May run an executable file or a system command Suspicious | CreateObject | May create an OLE object Suspicious | WriteText | May create a text file Suspicious | SaveToFile | May create a text file Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | VBA obfuscated Strings | VBA string expressions were detected, may be used to obfuscate strings (option --decode to see all) IOC | UpdateWinrar.js | Executable file name IOC | UpdOffice.exe | Executable file name VBA string | Total | "To" & "tal" VBA string | Code | ("Co" & "de") VBA string | B3 | ("B" & "3") VBA string | Total | ("To" & "tal") VBA string | Warning | ("War" & "ning")
TrueSec Setup 9 $ cat /etc/mime2vt.conf [virustotal] apikey: <redacted> exclude: image/png,image/gif,image/jpeg,image/bmp,text/plain,text/html,text/ english,application/pgp-signature [elasticsearch] server: 192.168.254.65:9200 index: virustotal [database] dbpath: /var/tmp/mime2vt.db $ cat $HOME/.procmailrc :0 { :0c | /usr/local/bin/mime2vt.py -d /var/tmp/mime/%y/%m/%d -c /etc/mime2vt.conf -l /var/ tmp/messages.dump :0 incoming }
TrueSec Bonus 10
TrueSec Wanna Play? 11 https://github.com/xme/mime2vt
TrueSec @xme xavier@truesec.be https://blog.rootshell.be https://www.truesec.be 12 Thank you!

Recommended

Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web Coding
Xavier Mertens
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free Software
Xavier Mertens
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOME
Xavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015
Xavier Mertens
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from Venus
Xavier Mertens
 
What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)
Xavier Mertens
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
Madhu Akula
 

Recommended

Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web Coding
Xavier Mertens
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free Software
Xavier Mertens
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOME
Xavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015
Xavier Mertens
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from Venus
Xavier Mertens
 
What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)
Xavier Mertens
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
Madhu Akula
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
Micah Hoffman
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014
Micah Hoffman
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
Joe Desimone
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit Kits
Joe Desimone
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
SecuRing
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
OWASP
 
Pa or die
Pa or diePa or die
Pa or die
Setia Juli Irzal Ismail
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
NotSoSecure Global Services
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
n|u - The Open Security Community
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Vasile
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
Micah Hoffman
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container Security
Jie Liau
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
Xavier Mertens
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
Xavier Mertens
 

More Related Content

What's hot

20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 

What's hot (20)

Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit Kits
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Pa or die
Pa or diePa or die
Pa or die
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container Security
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
 

Viewers also liked

What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?
Xavier Mertens
 

Viewers also liked (13)

InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" Network
 
What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail Scanner
 
Because we are just humans
Because we are just humansBecause we are just humans
Because we are just humans
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
Unity makes strength
Unity makes strengthUnity makes strength
Unity makes strength
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Social Networks - The Good and the Bad
Social Networks - The Good and the BadSocial Networks - The Good and the Bad
Social Networks - The Good and the Bad
 

Similar to Automatic MIME Attachments Triage

Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Jeremy Brown
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
SecuRing
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
EC-Council
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
guest215c4e
 

Similar to Automatic MIME Attachments Triage (20)

PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
 
L27
L27L27
L27
 
Useful Shareware for Technical Communicators - STC New England Interchange co...
Useful Shareware for Technical Communicators - STC New England Interchange co...Useful Shareware for Technical Communicators - STC New England Interchange co...
Useful Shareware for Technical Communicators - STC New England Interchange co...
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi 6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plug
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
Reproducibility and automation of machine learning process
Reproducibility and automation of machine learning processReproducibility and automation of machine learning process
Reproducibility and automation of machine learning process
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
 

More from Xavier Mertens

BruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkBruCON 2010 Lightning Talk
BruCON 2010 Lightning Talk
Xavier Mertens
 
Belnet events management
Belnet events managementBelnet events management
Belnet events management
Xavier Mertens
 

More from Xavier Mertens (9)

FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
 
Unity Makes Strength
Unity Makes StrengthUnity Makes Strength
Unity Makes Strength
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?
 
Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013
 
BruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkBruCON 2010 Lightning Talk
BruCON 2010 Lightning Talk
 
Belnet events management
Belnet events managementBelnet events management
Belnet events management
 

Recently uploaded

call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 

Recently uploaded (20)

call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 

Automatic MIME Attachments Triage

  • 2. TrueSec $ cat ~/whoami.xml 2 <profile> <real_name>Xavier Mertens</real_name> <day_job>Freelance Security Consultant</day_job> <night_job>Hacker, Blogger</night_job> <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]> </profile>
  • 3. TrueSec $ cat ~/.profile • I like (your) data • Playing “Active Defense” • I prefer t-shirts than ties • I like to play with gadgets! 3
  • 4. TrueSec Problem • Computers are compromised to join botnets • Main infection vectors remains: • HTTP • SMTP • Huge amount of data to process • Infosec people needs knowledge • Infosec people are lazy / don’t have time 4
  • 6. TrueSec Mime2VT 6 • Extracts MIME attachments from emails • Checks / submits interesting ones toVT • AnalysesVBA macros using olevba.py API(*) • Support zip files • Archive them • Extract URLs from emails • Export data to ELK (*) http://www.decalage.info/python/olevba
  • 7. TrueSec Example 7 Nov 30 21:49:09 marge postfix/qmgr[22867]: 00F547C016C: from=<SaundersThelma17@telepac.pt>, size=188819, nrcpt=1 (queue active) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: message/rfc822 (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: application/vnd.ms-excel (invoice_details_32247759.xls) Nov 30 21:49:10 marge mime2vt.py[20225]: Found interesting file: invoice_details_32247759.xls (application/vnd.ms-excel) Nov 30 21:49:12 marge mime2vt.py[20225]: File: invoice_details_32247759.xls (0026d60cf0838a943793ce61fa0366a1) Score: 8/56 Scanned: 2015-11-30 20:45:07 (1:04:05) Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: dbAddMD5: 0026d60cf0838a943793ce61fa0366a1 Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Analyzing with oletools Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Detected file type: OLE Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: VBA Macros found Nov 30 21:49:19 marge mime2vt.py[20225]: DEBUG: Analysis dumped to /var/tmp/mime/ 2015/11/30/invoice_details_32247759.xls.analysis
  • 8. TrueSec Example 8 $ cat /var/tmp/mime/2015/11/30/invoice_details_32247759.xls.analysis AutoExec | Workbook_Open | Runs when the Excel Workbook is opened Suspicious | Kill | May delete a file Suspicious | Open | May open a file Suspicious | Shell | May run an executable file or a system command Suspicious | Run | May run an executable file or a system command Suspicious | CreateObject | May create an OLE object Suspicious | WriteText | May create a text file Suspicious | SaveToFile | May create a text file Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | VBA obfuscated Strings | VBA string expressions were detected, may be used to obfuscate strings (option --decode to see all) IOC | UpdateWinrar.js | Executable file name IOC | UpdOffice.exe | Executable file name VBA string | Total | "To" & "tal" VBA string | Code | ("Co" & "de") VBA string | B3 | ("B" & "3") VBA string | Total | ("To" & "tal") VBA string | Warning | ("War" & "ning")
  • 9. TrueSec Setup 9 $ cat /etc/mime2vt.conf [virustotal] apikey: <redacted> exclude: image/png,image/gif,image/jpeg,image/bmp,text/plain,text/html,text/ english,application/pgp-signature [elasticsearch] server: 192.168.254.65:9200 index: virustotal [database] dbpath: /var/tmp/mime2vt.db $ cat $HOME/.procmailrc :0 { :0c | /usr/local/bin/mime2vt.py -d /var/tmp/mime/%y/%m/%d -c /etc/mime2vt.conf -l /var/ tmp/messages.dump :0 incoming }