1. Security Analyst Toolset - Workshop
Florian Roth, March 2019

2. This Workshop
- Sets of tools and services for analysis tasks
- Don’t expect a story line
- Summaries, links, examples, screenshots

3. Starting Points
§ File Sample
§ Hash
§ FQDN
§ IP

4. URLs / Links
Resources
- URL Scan
https://urlscan.io
- URL Query
https://www.urlquery.net
- Virustotal
https://www.virustotal.com/#/ho
me/search
Example:
https://www.virustotal.com/#/domain/
schoolaredu.com

5. PassiveTotal / RiskIQ
§ DNS Infos
§ Alerting on Changes
https://community.riskiq.com/

6. Censys.io
§ IP address information
§ Website information
§ SSL Certificates (!)
https://censys.io/
Example
https://censys.io/certificates?q=%22pent
est%22
Real World
https://censys.io/ipv4?q=+443.https.tls.c
ertificate.parsed.names%3A%2Fo%5B10-
9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro
%7Csk)%2F

7. ShodanHQ
§ Host Info
§ Open Ports
§ Banner
§ Services
§ Meta Data
Examples
https://www.shodan.io/explore/popular

8. String Extraction
Linux
(strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1
A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*)
(.*)$/1 W 2/') | sort -n
macOS
(gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*)
(.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed
's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n
https://gist.github.com/Neo23x0/cd4934a06a616ecf6c
f44e36f323e551

9. 010 Editor
§ Hex Editor
§ Great usability
§ Relevant Features
§ String Extraction
§ Binary Comparison
https://www.sweetscape.com/010e
ditor/

10. FireEye FLOSS
§ String extraction
§ Obfuscated string extraction
§ Stack string extraction
https://github.com/fireeye/flare-floss
Documentation
https://github.com/fireeye/flare-
floss/blob/master/doc/usage.md

11. CyberChef
§ Swiss Army Knife for all encoding /
extraction / text based analysis
§ Many Functions
§ All types of encodings
(UTF16, Base64, hex, charcode …)
§ Compression (zlib, raw)
§ Extraction
(Regex, IOC parsing, embedded files)
§ Other cool stuff
(defang URLs, XOR Brute Force, CSV to JSON)
§ Recipes
§ Work like the “|” in the Linux command line
§ Can be saved as Bookmark or shared with ohers
https://gchq.github.io/CyberChef/
Recipes
https://github.com/mattnotmax/cyber-chef-
recipes

12. User Agent Analysis
§ Analyze User-Agent strings
(from Sandbox reports, proxy logs
etc.)
§ Get info on the string components
and their meanings
§ Evaluate how prevalent a certain
User-Agent is
(is it usable for detection?
E.g. BRONZE Butler UA
Mozilla/4.0 (compatible; MSIE 11.0; Windows
NT 6.1; SV1)
https://developers.whatismybrowser.c
om/useragents/parse/

13. Virustotal
50 Shades of Virustotal
§ Sample Uploads (the
obvious)
§ Sample Info (the obvious)
§ Info on Domains / Hosts
§ Info on IP Addresses

14. Virustotal – Domain Info
Domain / Host Info
- Passive DNS
Replication
- Related samples
- URLs
- Domain Siblings
Example
https://www.virustotal.com/#/domain/cdnveri
fy.net

15. Virustotal – Sample Analysis
Examples
https://www.virustotal.com/en/file/
59869db34853933b239f1e2219cf7
d431da006aa919635478511fabbfc
8849d2/analysis/
https://www.virustotal.com/en/file/e7
ba0e7123aaf3a3176b0224f0e374fac3
ecde370eedf3c18ea7d68812eba112/a
nalysis/
Fun - hash in many IOC lists:
https://otx.alienvault.com/indicator/fil
e/620f0b67a91f7f74151bc5be745b71
10
https://www.virustotal.com/en/file/f8
babc70915006740c600e1af5adaaa70
e6ba3d75b16dc4088c569a85b93d519
/analysis/
https://www.virustotal.com/#/file/5a8
8b8d682d63e3319d113a8a573580b88
81e4b7b41e913e8af8358ac4927fb1/c
ommunity

16. Virustotal – Browser Shortcuts
Use the browser’s
search engine
integration for quick
access

17. Virustotal – IP Info
IP Info
- Passive DNS Replication
- Related samples
- URLs
Example
https://www.virustotal.com/#/ip-
address/209.99.40.222
Warning:
§ IP address mapping changes
§ Multiple domains can be registered to a single
provider IP

18. Virustotal – Enterprise
§ Search
§ YARA Rule Sets
§ Retro Hunts
§ Graph
https://www.virustotal
.com/gui/

19. Virustotal – VTI Dorks
Repo with interesting
VTI search queries
https://github.com/Ne
o23x0/vti-dorks

20. Virustotal – Content Search
Search for content in sample
base
§ Strings
content:”string”
§ Byte Chains
content:{b1 1e 5f 11 35}
https://www.virustotal.com/
gui/

21. Virustotal – Graph
§ Graph based analysis
§ Pivoting to related
samples / domains
Example
https://www.virustotal.com/
graph/g1d606f8f877f92c844
7e2a775d8666a99cd8725d6
43fffc8419ac8196b7b3457/
drawer/node-
summary/node/nwinoxior.tk
/1552468646010
Demo
https://www.youtube.com/w
atch?v=17yRtGFq9xc

22. Malware.one
§ Free / Registration required
§ String / Bytes search on big (12 TB)
but unknown malware corpus
§ Search visible to all other users
§ Result download as TXT
§ Sample download on request
https://malware.one

23. Hybrid-Analysis
§ Public Sandbox
§ Commercial: CrowdStrike’s Falcon
Sandbox
§ Extra Features:
§ String Search
§ YARA Search
https://www.hybrid-analysis.com/
Example
https://www.hybrid-
analysis.com/sample/c8f27a014db8fa34
fed08f6d7d50b728a8d49084dc20becdb2
3fff2851bae9cb?environmentId=100

24. Hybrid-Analysis – String Search
Examples:
§ certutil.exe
§ 706f7765727368656c6c
(hex encoded “powershell”)
CyberChef will help
https://gchq.github.io/CyberChef/#recip
e=Encode_text('UTF16LE%20(1200)'/disa
bled)To_Hex('None')&input=cG93ZXJzaG
VsbA

25. Any.Run
§ Public Sandbox
§ Special Feature: User Interaction
§ Pros:
§ Intuitive layout, uncluttered views
§ Sample and dropped files download
§ Sample previews (hex, raw)
https://app.any.run/
Example:
https://app.any.run/tasks/7c83e4ca
-7569-4c8b-8b2d-56bf24f30494

26. IRIS-H
- Static Analysis of Office Docs
and the like
- Fast results
- Denis is working on a dockerized
version
https://iris-h.services/
Example:
https://iris-
h.services/#/pages/report/5971707
a8190abea8399a3ff93460b4bea403
252

27. Antivirus Event Analysis Cheat Sheet
§ Helps Security Analysts to
process Antivirus Events in a
purposeful way
§ Because: It is wrong to handle
Antivirus events based on
their status: Deleted, Deletion
Failed, Detected
§ It is much better to evaluate
an Antivirus event based on:
§ Virus Type
§ Location
§ User
§ System
§ Form
§ Time
https://www.nextron-
systems.com/2019/02/06/antivir
us-event-analysis-cheat-sheet-v1-
7/

28. Intezer
§ Static Analysis Platform
§ Comparisons based on so called “Genes”
§ “Strings” are also very interesting
https://analyze.intezer.com
Example
https://analyze.intezer.com/#/analyses/af471fdf-
4b91-405b-aa68-c5221aa3f2d2

29. APT Groups and Operations Overview
§ Threat Groups
§ Campaigns
§ Malware Mapping
https://docs.google.com/spreadsheets/d/1H
9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF
X68EKU/

30. APT Search Engine
§ Custom Google Search Engine
§ Includes
§ Blogs of companies with frequent threat
research publications
§ Sandboxes
§ APT Notes
§ IOC Sharing Websites
https://cse.google.com/cse?cx=0032484457
20253387346:turlh5vi4xc
Sources of the Search
https://gist.github.com/Neo23x0/c4f4062934
2769ad0a8f3980942e21d3

31. Twitter / Tweetdeck
§ Search Based Panels
§ #DFIR OR #ThreatHunting OR #SIEM
§ virustotal.com OR app.any.run OR hybrid-
analysis.com OR reverseit.com OR virusbay.io
§ New Threats / Interesting Detection
Methods
https://tweetdeck.twitter.com/

32. Pastebin
§ Keyword Alerting
§ Email Addresses
§ MD5, SHA1, LM, NTLM Hash of
company’s default passwords
§ Internal AD Domain Names
§ Names of internal projects /
systems that should never appear
in public locations
(you personal project “Sauron”)
https://pastebin.com/

33. Munin
§ Process a list of Hash IOCs
§ Get many infos
§ AV detection rate
§ Imphah, filenames, type
§ First / Last submission
§ User comments (--intense)
§ Output
§ Command line output – colorized
§ CSV Export
§ Cached infos (JSON)
§ Lookups
§ Virustotal
§ Hybrid-Analysis
§ Virusbay
§ Malshare
https://github.com/Neo23x0/munin

34. Questions?
Twitter: @cyb3rops