Security Analyst Toolset - Workshop
Florian Roth, February 2020
This Workshop
-
Sets of tools and services for analysis tasks
Don’t expect a story line
Slides contain: key features, links, examples, screenshots
Starting Points of Investigations
§
§
§
§
File Sample
Hash
FQDN
IP
URLs / Links
Resources
-
URL Scan
https://urlscan.io
-
URL Query
https://www.urlquery.net
-
Virustotal
https://www.virustotal.com/#/ho
me/search
Example:
https://www.virustotal.com/#/domain/
schoolaredu.com
PassiveTotal / RiskIQ
§
DNS Infos
§
Alerting on Changes
https://community.riskiq.com/
Censys.io
§ IP address information
§ Website information
§ SSL Certificates (!)
https://censys.io/
Example
https://censys.io/certificates?q=%22pent
est%22
Real World
https://censys.io/ipv4?q=+443.https.tls.c
ertificate.parsed.names%3A%2Fo%5B109%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro
%7Csk)%2F
ShodanHQ
§ Host Info
§
Open Ports
§
§
§
Banner
Services
Meta Data
Examples
https://www.shodan.io/explore/popular
String Extraction
Linux
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1
A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\)
\(.*\)$/\1 W \2/') | sort -n
macOS
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\)
\(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed
's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort –n
https://gist.github.com/Neo23x0/cd4934a06a616ecf6c
f44e36f323e551
010 Editor
§ Hex Editor
§ Great usability
§ Relevant Features
§
§
String Extraction
Binary Comparison
https://www.sweetscape.com/010e
ditor/
FireEye FLOSS
§ String extraction
§ Obfuscated string extraction
§ Stack string extraction
https://github.com/fireeye/flare-floss
Documentation
https://github.com/fireeye/flarefloss/blob/master/doc/usage.md
FireEye Stringsifter
§ String evaluation
§ ranks strings based on their relevance
for malware analysis
https://github.com/fireeye/stringsifter
Can be combined with 010 Editor
(script by my co-worker Tobias Michalski)
https://www.sweetscape.com/010editor/r
epository/scripts/file_info.php?file=RateStr
ings.1sc&type=1&sort=
Technical Blog Post
https://www.fireeye.com/blog/threatresearch/2019/05/learning-to-rank-stringsoutput-for-speedier-malware-analysis.html
CyberChef
§
§
Swiss Army Knife for all encoding /
extraction / text based analysis
Many Functions
§
§
§
§
§
All types of encodings
(UTF16, Base64, hex, charcode …)
Compression (zlib, raw)
Extraction
(Regex, IOC parsing, embedded files)
Other cool stuff
(defang URLs, XOR Brute Force, CSV to JSON)
Recipes
§
§
Work like the “|” in the Linux command line
Can be saved as Bookmark or shared with ohers
https://gchq.github.io/CyberChef/
Recipes
https://github.com/mattnotmax/cyber-chefrecipes
Top Base64 Encoding Learning Aid
§ Helps you learn the
most common Base64
patterns found in
malware
§ Features a mnemonic
aid and emoticon
(dual coding – learning
style)
https://gist.github.com/N
eo23x0/6af876ee72b5167
6c82a2db8d2cd3639
User Agent Analysis
§
Analyze User-Agent strings
(from Sandbox reports, proxy logs
etc.)
§
Get info on the string components
and their meanings
§
Evaluate how prevalent a certain
User-Agent is
(is it usable for detection?
E.g. BRONZE Butler UA
Mozilla/4.0 (compatible; MSIE 11.0; Windows
NT 6.1; SV1)
https://developers.whatismybrowser.c
om/useragents/parse/
Virustotal
50 Shades of Virustotal
§ Sample Uploads (the
obvious)
§ Sample Info (the obvious)
§ Info on Domains / Hosts
§ Info on IP Addresses
Virustotal – Domain Info
Domain / Host Info
- Passive DNS
Replication
- Related samples
- URLs
- Domain Siblings
Example
https://www.virustotal.com/#/domain/cdnveri
fy.net
Virustotal – Sample Analysis
Examples
https://www.virustotal.com/en/file/
59869db34853933b239f1e2219cf7
d431da006aa919635478511fabbfc
8849d2/analysis/
https://www.virustotal.com/en/file/e7
ba0e7123aaf3a3176b0224f0e374fac3
ecde370eedf3c18ea7d68812eba112/a
nalysis/
Fun - hash in many IOC lists:
https://otx.alienvault.com/indicator/fil
e/620f0b67a91f7f74151bc5be745b71
10
https://www.virustotal.com/en/file/f8
babc70915006740c600e1af5adaaa70
e6ba3d75b16dc4088c569a85b93d519
/analysis/
https://www.virustotal.com/#/file/5a8
8b8d682d63e3319d113a8a573580b88
81e4b7b41e913e8af8358ac4927fb1/c
ommunity
Virustotal – Browser Shortcuts
Use the browser’s
search engine
integration for quick
access
Virustotal – IP Info
IP Info
- Passive DNS Replication
- Related samples
- URLs
Example
https://www.virustotal.com/#/ipaddress/209.99.40.222
Warning:
§
IP address mapping changes
§
Multiple domains can be registered to a single
provider IP
Virustotal – Enterprise
§
§
§
§
Search
YARA Rule Sets
Retro Hunts
Graph
https://www.virustotal
.com/gui/
Virustotal – VTI Dorks
Repo with interesting
VTI search queries
https://github.com/Ne
o23x0/vti-dorks
Virustotal – Content Search
Search for content in sample
base
§
Strings
content:”string”
§
Byte Chains
content:{b1 1e 5f 11 35}
https://www.virustotal.com/
gui/
Virustotal – Graph
§
Graph based analysis
§
Pivoting to related
samples / domains
Example
https://www.virustotal.com/
graph/g1d606f8f877f92c844
7e2a775d8666a99cd8725d6
43fffc8419ac8196b7b3457/
drawer/nodesummary/node/nwinoxior.tk
/1552468646010
Demo
https://www.youtube.com/w
atch?v=17yRtGFq9xc
Malware.one
§ Free / Registration required
§ String / Bytes search on big (12 TB)
but unknown malware corpus
§ Search visible to all other users
§ Result download as TXT
§ Sample download on request
https://malware.one
Hybrid-Analysis
§ Public Sandbox
§ Commercial: CrowdStrike’s Falcon
Sandbox
§ Extra Features:
§
§
§
String Search
YARA Search
Imphash Search > Report Serach >
Advanced > More Options
https://www.hybrid-analysis.com/
Example
https://www.hybridanalysis.com/sample/c8f27a014db8fa34
fed08f6d7d50b728a8d49084dc20becdb2
3fff2851bae9cb?environmentId=100
Hybrid-Analysis – String Search
Examples:
§ certutil.exe
§ 706f7765727368656c6c
(hex encoded “powershell”)
CyberChef will help
https://gchq.github.io/CyberChef/#recip
e=Encode_text('UTF16LE%20(1200)'/disa
bled)To_Hex('None')&input=cG93ZXJzaG
VsbA
Any.Run
§ Public Sandbox
§ Special Feature: User Interaction
§ Pros:
§
§
§
Intuitive layout, uncluttered views
Sample and dropped files download
Sample previews (hex, raw)
https://app.any.run/
Example:
https://app.any.run/tasks/7c83e4ca
-7569-4c8b-8b2d-56bf24f30494
IRIS-H
- Static Analysis of Office Docs
and the like
- Fast results
- Denis is working on a dockerized
version
https://iris-h.services/
Example:
https://irish.services/#/pages/report/5971707
a8190abea8399a3ff93460b4bea403
252
Antivirus Event Analysis Cheat Sheet
§ Helps Security Analysts to
process Antivirus Events in a
purposeful way
§ Because: It is wrong to handle
Antivirus events based on
their status: Deleted, Deletion
Failed, Detected
§ It is much better to evaluate
an Antivirus event based on:
§
§
§
§
§
§
Virus Type
Location
User
System
Form
Time
https://www.nextronsystems.com/2019/10/04/antivir
us-event-analysis-cheat-sheet-v17-2/
Intezer
§ Static Analysis Platform
§ Comparisons based on so called “Genes”
§ “Strings” are also very interesting
https://analyze.intezer.com
Example
https://analyze.intezer.com/#/analyses/af471fdf4b91-405b-aa68-c5221aa3f2d2
APT Groups and Operations Overview
§ Threat Groups
§ Campaigns
§ Malware Mapping
https://docs.google.com/spreadsheets/d/1H
9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF
X68EKU/
APT Search Engine
§ Custom Google Search Engine
§ Includes
§
Blogs of companies with frequent threat
research publications
§
§
§
Sandboxes
APT Notes
IOC Sharing Websites
https://cse.google.com/cse?cx=0032484457
20253387346:turlh5vi4xc
Sources of the Search
https://gist.github.com/Neo23x0/c4f4062934
2769ad0a8f3980942e21d3
Twitter / Tweetdeck
§
§
Search Based Panels
§
#DFIR OR #ThreatHunting OR #SIEM
§
virustotal.com OR app.any.run OR hybridanalysis.com OR reverseit.com OR virusbay.io
New Threats / Interesting Detection
Methods
https://tweetdeck.twitter.com/
Pastebin
§
Keyword Alerting
§
Email Addresses
§
MD5, SHA1, LM, NTLM Hash of
company’s default passwords
Internal AD Domain Names
Names of internal projects /
systems that should never appear
in public locations
(you personal project “Sauron”)
§
§
https://pastebin.com/
Munin
§
Process a list of Hash IOCs
§
Get many infos
§
§
§
§
§
Output
§
§
§
§
AV detection rate
Imphah, filenames, type
First / Last submission
User comments (--intense)
Command line output – colorized
CSV Export
Cached infos (JSON)
Lookups
§
§
§
§
Virustotal
Hybrid-Analysis
Virusbay
Malshare
https://github.com/Neo23x0/munin
Unfurl
§
takes a URL and expands it into a
directed graph
https://dfir.blog/unfurl/
Blog
https://dfir.blog/introducing-unfurl/
InQuest Labs
§
Different online tools, e.g.
§
Base64 regular expressions generator
§
Mixed ex case generator
https://labs.inquest.net/
Questions?
Twitter: @cyb3rops