Security Analyst Workshop - 20190314

Security analyst workshop slides, with useful tools and services

Security Analyst Toolset - Workshop
Florian Roth, March 2019

This Workshop
- Sets of tools and services for analysis tasks
- Don’t expect a story line
- Summaries, links, examples, screenshots

Starting Points
§ File Sample
§ Hash
§ FQDN
§ IP

URLs / Links
Resources
- URL Scan: https://urlscan.io
- URL Query: https://www.urlquery.net
- Virustotal: https://www.virustotal.com/#/home/search
Example: https://www.virustotal.com/#/domain/schoolaredu.com

PassiveTotal / RiskIQ
§ DNS Infos
§ Alerting on Changes
https://community.riskiq.com/

Censys.io
§ IP address information
§ Website information
§ SSL Certificates (!)
https://censys.io/
Example: https://censys.io/certificates?q=%22pentest%22
Real World: https://censys.io/ipv4?q=+443.https.tls.certificate.parsed.names%3A%2Fo%5B10-9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro%7Csk)%2F

ShodanHQ
§ Host Info
§ Open Ports
§ Banner
§ Services
§ Meta Data
Examples: https://www.shodan.io/explore/popular

String Extraction
Linux
  (strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
macOS
  (gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
https://gist.github.com/Neo23x0/cd4934a06a616ecf6cf44e36f323e551
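The pipeline above tags every hit with its decimal offset and an A (ASCII) or W (UTF-16LE wide) marker and merges both lists by offset. The following is an added example, not code from the slides or the linked gist: a Python equivalent for hosts without GNU strings, producing the same (offset, kind, text) layout. The minimum length of 4 matches the strings(1) default; the byte buffer is constructed for the demo.

```python
r"""Offset-tagged ASCII and UTF-16LE string extraction.

Added example, not part of the workshop slides or the linked gist: a Python
equivalent of the strings/sed pipeline, for hosts without GNU strings. Each
hit is (decimal offset, "A" or "W", text), sorted by offset, the layout the
sed tags \1 A \2 and \1 W \2 produce. The sample buffer is constructed.
"""
import re
from typing import List, Tuple

MIN_LEN = 4  # strings(1) default minimum length


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, text) for ASCII ('A') and UTF-16LE ('W') runs."""
    # Printable ASCII 0x20-0x7E plus TAB, the characters strings(1) counts
    ascii_re = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    # UTF-16LE as `strings -el` sees it: printable ASCII byte followed by NUL
    wide_re = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    hits = [(m.start(), "A", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "W", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    hits.sort(key=lambda h: h[0])  # the `| sort -n` of the shell version
    return hits


def format_hits(hits: List[Tuple[int, str, str]]) -> List[str]:
    """One line per hit: '<offset> <A|W> <text>', like the sed output."""
    return ["%d %s %s" % h for h in hits]


SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                      # constructed PE-like header bytes
    + b"This program cannot be run in DOS mode.\r\n"  # ASCII string at offset 8
    + b"\x00" * 8
    + "powershell -enc".encode("utf-16le")            # wide string at offset 57
    + b"\x00\x00\x01\x02\xff"
    + b"cmd.exe /c"                                     # ASCII string at offset 92
    + b"\x00\x00\x00\x00ab\x00"                         # "ab" is below the minimum length
)

if __name__ == "__main__":
    print("\n".join(format_hits(extract_strings(SAMPLE))))
```

Wide strings are the ones the plain `strings` call misses, which is why the slide runs a second pass with `-el`; the regex above mirrors that by requiring every printable byte to be followed by a NUL.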
010 Editor
§ Hex Editor
§ Great usability
§ Relevant Features
  § String Extraction
  § Binary Comparison
https://www.sweetscape.com/010editor/

FireEye FLOSS
§ String extraction
§ Obfuscated string extraction
§ Stack string extraction
https://github.com/fireeye/flare-floss
Documentation: https://github.com/fireeye/flare-floss/blob/master/doc/usage.md

CyberChef
§ Swiss Army Knife for all encoding / extraction / text based analysis
§ Many Functions
  § All types of encodings (UTF16, Base64, hex, charcode …)
  § Compression (zlib, raw)
  § Extraction (Regex, IOC parsing, embedded files)
  § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON)
§ Recipes
  § Work like the “|” in the Linux command line
  § Can be saved as Bookmark or shared with others
https://gchq.github.io/CyberChef/
Recipes: https://github.com/mattnotmax/cyber-chef-recipes

User Agent Analysis
§ Analyze User-Agent strings (from Sandbox reports, proxy logs etc.)
§ Get info on the string components and their meanings
§ Evaluate how prevalent a certain User-Agent is (is it usable for detection?), e.g. the BRONZE Butler UA:
  Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)
https://developers.whatismybrowser.com/useragents/parse/
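The slide asks two questions of a User-Agent string: how prevalent it is in your own telemetry, and whether its components are consistent with each other. The following is an added example, not code from the workshop: it answers both over a few constructed proxy log lines. The tab-separated field layout (client, URL, UA) is an assumption for the demo; the plausibility checks rest on how Internet Explorer actually identifies itself (IE 9 and later begin with Mozilla/5.0 and carry a Trident/ token, IE 11 drops the MSIE token altogether, and SV1 is the IE 6 on XP SP2 marker), so the slide's BRONZE Butler string fails all of them.

```python
"""User-Agent prevalence and plausibility checks over proxy logs.

Added example, not from the slides. The log format (client<TAB>url<TAB>ua)
and the sample lines are constructed for the demo.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# The BRONZE Butler User-Agent quoted on the slide
BRONZE_BUTLER_UA = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"

_MSIE_RE = re.compile(r"MSIE (\d+)\.")


def ua_inconsistencies(ua: str) -> List[str]:
    """Reasons why a UA does not look like a genuine Internet Explorer string."""
    reasons = []
    m = _MSIE_RE.search(ua)
    if m:
        ver = int(m.group(1))
        if ver >= 9 and ua.startswith("Mozilla/4.0"):
            reasons.append("Mozilla/4.0 prefix with MSIE %d: IE 9 and later send Mozilla/5.0" % ver)
        if ver >= 9 and "Trident/" not in ua:
            reasons.append("MSIE %d without the Trident/ token IE 9 and later always carry" % ver)
        if ver >= 11:
            reasons.append("MSIE 11 token: real IE 11 identifies as Trident/7.0; rv:11.0 without MSIE")
    if "SV1" in ua and "Windows NT 6." in ua:
        reasons.append("SV1 (IE 6 on XP SP2 marker) together with Windows NT 6.x")
    return reasons


def ua_prevalence(log_lines: List[str]) -> Dict[str, Set[str]]:
    """Map each UA string to the set of client addresses that sent it."""
    clients = defaultdict(set)
    for line in log_lines:
        client, _url, ua = line.rstrip("\n").split("\t", 2)
        clients[ua].add(client)
    return clients


def triage(log_lines: List[str], max_clients: int = 1) -> List[Dict[str, object]]:
    """UAs that are rare (<= max_clients hosts) or internally inconsistent."""
    findings = []
    for ua, hosts in ua_prevalence(log_lines).items():
        reasons = ua_inconsistencies(ua)
        if len(hosts) <= max_clients:
            reasons.append("seen from only %d client(s)" % len(hosts))
        if reasons:
            findings.append({"ua": ua, "clients": sorted(hosts), "reasons": reasons})
    return findings


IE11_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

SAMPLE_PROXY_LOG = [  # constructed: client <TAB> url <TAB> user-agent
    "10.1.2.11\thttp://intranet.example.local/\t" + IE11_UA,
    "10.1.2.12\thttp://www.example.com/\t" + IE11_UA,
    "10.1.2.13\thttp://www.example.com/\t" + IE11_UA,
    "10.1.2.12\thttp://203.0.113.7/index.php\t" + BRONZE_BUTLER_UA,
    "10.1.2.11\thttp://update.example.com/\t" + IE10_UA,
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROXY_LOG):
        print(f["ua"], f["clients"], *f["reasons"], sep="\n  ")
```

Prevalence is the part that decides whether a string is "usable for detection": the IE 10 string is rare in this sample too, but it is internally consistent, so it is a candidate for a baseline review rather than an alert, while the BRONZE Butler string is both rare and malformed.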
Virustotal
50 Shades of Virustotal
§ Sample Uploads (the obvious)
§ Sample Info (the obvious)
§ Info on Domains / Hosts
§ Info on IP Addresses

Virustotal – Domain Info
Domain / Host Info
- Passive DNS Replication
- Related samples
- URLs
- Domain Siblings
Example: https://www.virustotal.com/#/domain/cdnverify.net

Virustotal – Sample Analysis
Examples
https://www.virustotal.com/en/file/59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2/analysis/
https://www.virustotal.com/en/file/e7ba0e7123aaf3a3176b0224f0e374fac3ecde370eedf3c18ea7d68812eba112/analysis/
Fun - hash in many IOC lists:
https://otx.alienvault.com/indicator/file/620f0b67a91f7f74151bc5be745b7110
https://www.virustotal.com/en/file/f8babc70915006740c600e1af5adaaa70e6ba3d75b16dc4088c569a85b93d519/analysis/
https://www.virustotal.com/#/file/5a88b8d682d63e3319d113a8a573580b8881e4b7b41e913e8af8358ac4927fb1/community

Virustotal – Browser Shortcuts
Use the browser’s search engine integration for quick access

Virustotal – IP Info
IP Info
- Passive DNS Replication
- Related samples
- URLs
Example: https://www.virustotal.com/#/ip-address/209.99.40.222
Warning:
§ IP address mapping changes
§ Multiple domains can be registered to a single provider IP

Virustotal – Enterprise
§ Search
§ YARA Rule Sets
§ Retro Hunts
§ Graph
https://www.virustotal.com/gui/

Virustotal – VTI Dorks
Repo with interesting VTI search queries
https://github.com/Neo23x0/vti-dorks

Virustotal – Content Search
Search for content in sample base
§ Strings: content:"string"
§ Byte Chains: content:{b1 1e 5f 11 35}
https://www.virustotal.com/gui/

Virustotal – Graph
§ Graph based analysis
§ Pivoting to related samples / domains
Example: https://www.virustotal.com/graph/g1d606f8f877f92c8447e2a775d8666a99cd8725d643fffc8419ac8196b7b3457/drawer/node-summary/node/nwinoxior.tk/1552468646010
Demo: https://www.youtube.com/watch?v=17yRtGFq9xc

Malware.one
§ Free / Registration required
§ String / Bytes search on big (12 TB) but unknown malware corpus
§ Search visible to all other users
§ Result download as TXT
§ Sample download on request
https://malware.one

Hybrid-Analysis
§ Public Sandbox
§ Commercial: CrowdStrike’s Falcon Sandbox
§ Extra Features:
  § String Search
  § YARA Search
https://www.hybrid-analysis.com/
Example: https://www.hybrid-analysis.com/sample/c8f27a014db8fa34fed08f6d7d50b728a8d49084dc20becdb23fff2851bae9cb?environmentId=100

Hybrid-Analysis – String Search
Examples:
§ certutil.exe
§ 706f7765727368656c6c (hex encoded “powershell”)
CyberChef will help: https://gchq.github.io/CyberChef/#recipe=Encode_text('UTF16LE%20(1200)'/disabled)To_Hex('None')&input=cG93ZXJzaGVsbA
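The following is an added example for this slide and for the Virustotal content-search slide above; it is not code from the workshop. It turns one keyword into the forms the two searches accept: content:"…" and content:{hex bytes} for Virustotal, hex-encoded ASCII for Hybrid-Analysis (706f7765727368656c6c for "powershell"), plus the UTF-16LE variants for wide strings in Windows binaries, which is what the disabled Encode_text step in the CyberChef recipe is there for.

```python
"""Search-term variants for corpus string searches (added example, not from the slides)."""
from typing import Dict


def hex_ascii(term: str) -> str:
    """Hybrid-Analysis style: hex of the ASCII bytes, e.g. powershell -> 706f7765727368656c6c."""
    return term.encode("ascii").hex()


def hex_utf16le(term: str) -> str:
    """Same keyword as a wide string, as it appears in most Windows PE files."""
    return term.encode("utf-16le").hex()


def vt_content_bytes(raw: bytes) -> str:
    """Virustotal byte-chain syntax, e.g. content:{b1 1e 5f 11 35}."""
    return "content:{%s}" % " ".join("%02x" % b for b in raw)


def search_terms(term: str) -> Dict[str, str]:
    """All variants of one keyword for Virustotal content search and Hybrid-Analysis string search."""
    return {
        "vt_string": 'content:"%s"' % term,
        "vt_bytes_ascii": vt_content_bytes(term.encode("ascii")),
        "vt_bytes_utf16le": vt_content_bytes(term.encode("utf-16le")),
        "ha_hex_ascii": hex_ascii(term),
        "ha_hex_utf16le": hex_utf16le(term),
    }


if __name__ == "__main__":
    for name, value in search_terms("powershell").items():
        print("%-18s %s" % (name, value))
```

The byte-chain forms are worth having next to the string form: a string match depends on what the platform extracted, while content:{…} matches the raw bytes, so the UTF-16LE chain finds "powershell" in a PE whose extracted ASCII strings never show it.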
Any.Run
§ Public Sandbox
§ Special Feature: User Interaction
§ Pros:
  § Intuitive layout, uncluttered views
  § Sample and dropped files download
  § Sample previews (hex, raw)
https://app.any.run/
Example: https://app.any.run/tasks/7c83e4ca-7569-4c8b-8b2d-56bf24f30494

IRIS-H
- Static Analysis of Office Docs and the like
- Fast results
- Denis is working on a dockerized version
https://iris-h.services/
Example: https://iris-h.services/#/pages/report/5971707a8190abea8399a3ff93460b4bea403252

Antivirus Event Analysis Cheat Sheet
§ Helps Security Analysts to process Antivirus Events in a purposeful way
§ Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected
§ It is much better to evaluate an Antivirus event based on:
  § Virus Type
  § Location
  § User
  § System
  § Form
  § Time
https://www.nextron-systems.com/2019/02/06/antivirus-event-analysis-cheat-sheet-v1-7/
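The following is an added example, not code from the workshop or from the cheat sheet: it scores AV events on the six dimensions the slide lists and never reads the status field, so a "Deleted" webshell on a web server still outranks a "Deletion Failed" adware hit on a workstation. The weights and the detection-name, path and hostname patterns are this example's own assumptions, not the cheat sheet's rules; the events are constructed.

```python
r"""Antivirus event prioritisation by context rather than status.

Added example, not from the slides or the cheat sheet. The weights, the
name/path/hostname patterns and the sample events are assumptions made for
the demo; ev["status"] is deliberately never read.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Detection-name fragments (assumed): tooling that is rarely benign on a corporate host
HACKTOOL_RE = re.compile(r"hacktool|mimikatz|meterpreter|cobalt|webshell|psexec", re.I)
TROJAN_RE = re.compile(r"trojan|backdoor|ransom|dropper", re.I)
NUISANCE_RE = re.compile(r"adware|\bpup\b|riskware|eicar|test-file", re.I)
# Locations (assumed): privileged, persistence or web-server paths vs. pure delivery paths
PRIVILEGED_PATH_RE = re.compile(
    r"\\windows\\(temp|system32|syswow64)\\|\\programdata\\|\\inetpub\\wwwroot\\", re.I)
DELIVERY_PATH_RE = re.compile(
    r"\\downloads\\|\\outlook\\|\\inetcache\\|\\temporary internet files\\", re.I)
SERVER_HOST_RE = re.compile(r"^(DC|SRV|SQL|EXCH)", re.I)              # hostname convention assumed
PRIVILEGED_USER_RE = re.compile(r"\\system$|\\administrator$|svc_", re.I)


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) from virus type, location, user, system, form and time."""
    score, why = 0, []
    vt = ev["virus_type"]
    if NUISANCE_RE.search(vt):
        score -= 5
        why.append("nuisance or test-file detection")
    elif HACKTOOL_RE.search(vt):
        score += 4
        why.append("post-exploitation tooling")
    elif TROJAN_RE.search(vt):
        score += 2
        why.append("trojan/backdoor class")
    if PRIVILEGED_PATH_RE.search(ev["location"]):
        score += 3
        why.append("privileged, persistence or web-server path")
    elif DELIVERY_PATH_RE.search(ev["location"]):
        why.append("delivery path, probably blocked before execution")
    if PRIVILEGED_USER_RE.search(ev["user"]):
        score += 2
        why.append("written by a privileged or service account")
    if SERVER_HOST_RE.search(ev["system"]):
        score += 3
        why.append("server or domain controller")
    if ev["form"] in ("memory", "process"):
        score += 4
        why.append("found in a running process: already executed")
    hour = datetime.fromisoformat(ev["time"]).hour
    if hour < 7 or hour >= 19:
        score += 1
        why.append("outside business hours")
    return score, why


def prioritise(events: List[Dict[str, str]]) -> List[Tuple[str, int, List[str]]]:
    """Rank events highest score first as (system, score, reasons)."""
    scored = [(ev["system"],) + score_event(ev) for ev in events]
    return sorted(scored, key=lambda s: s[1], reverse=True)


AV_EVENTS = [  # constructed sample events
    {"status": "Deleted", "virus_type": "Trojan.Generic", "form": "file",
     "location": r"C:\Users\jdoe\Downloads\invoice.exe", "user": r"CORP\jdoe",
     "system": "WS-0412", "time": "2019-03-12T10:14:00"},
    {"status": "Deletion Failed", "virus_type": "HackTool.Mimikatz", "form": "memory",
     "location": r"C:\Windows\Temp\m.exe", "user": r"NT AUTHORITY\SYSTEM",
     "system": "DC01", "time": "2019-03-12T02:41:00"},
    {"status": "Deleted", "virus_type": "EICAR-Test-File", "form": "file",
     "location": r"C:\Users\tester\Desktop\eicar.com", "user": r"CORP\tester",
     "system": "WS-0077", "time": "2019-03-12T11:00:00"},
    {"status": "Deleted", "virus_type": "Backdoor.PHP.WebShell", "form": "file",
     "location": r"C:\inetpub\wwwroot\uploads\img.aspx", "user": r"IIS APPPOOL\DefaultAppPool",
     "system": "SRV-WEB01", "time": "2019-03-11T22:13:00"},
]

if __name__ == "__main__":
    for system, score, why in prioritise(AV_EVENTS):
        print("%-10s %3d  %s" % (system, score, "; ".join(why)))
```

Both top-ranked events carry a status ("Deletion Failed" and "Deleted") that a status-driven queue would treat very differently, which is the slide's point: the Mimikatz detection in memory on a domain controller and the webshell in wwwroot need an incident handler regardless of what the AV engine says it did with the file.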
Intezer
§ Static Analysis Platform
§ Comparisons based on so called “Genes”
§ “Strings” are also very interesting
https://analyze.intezer.com
Example: https://analyze.intezer.com/#/analyses/af471fdf-4b91-405b-aa68-c5221aa3f2d2

APT Groups and Operations Overview
§ Threat Groups
§ Campaigns
§ Malware Mapping
https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/

APT Search Engine
§ Custom Google Search Engine
§ Includes
  § Blogs of companies with frequent threat research publications
  § Sandboxes
  § APT Notes
  § IOC Sharing Websites
https://cse.google.com/cse?cx=003248445720253387346:turlh5vi4xc
Sources of the Search: https://gist.github.com/Neo23x0/c4f40629342769ad0a8f3980942e21d3

Twitter / Tweetdeck
§ Search Based Panels
  § #DFIR OR #ThreatHunting OR #SIEM
  § virustotal.com OR app.any.run OR hybrid-analysis.com OR reverseit.com OR virusbay.io
§ New Threats / Interesting Detection Methods
https://tweetdeck.twitter.com/

Pastebin
§ Keyword Alerting
  § Email Addresses
  § MD5, SHA1, LM, NTLM Hash of company’s default passwords
  § Internal AD Domain Names
  § Names of internal projects / systems that should never appear in public locations (your personal project “Sauron”)
https://pastebin.com/
Munin
§ Process a list of Hash IOCs
§ Get many infos
  § AV detection rate
  § Imphash, filenames, type
  § First / Last submission
  § User comments (--intense)
§ Output
  § Command line output – colorized
  § CSV Export
  § Cached infos (JSON)
§ Lookups
  § Virustotal
  § Hybrid-Analysis
  § Virusbay
  § Malshare
https://github.com/Neo23x0/munin

Questions?
Twitter: @cyb3rops
