Security Analyst Toolset - Workshop
Florian Roth, February 2020

This Workshop
- Sets of tools and services for analysis tasks
- Don't expect a story line
- Slides contain: key features, links, examples, screenshots

Starting Points of Investigations
§ File Sample
§ Hash
§ FQDN
§ IP
§ URLs / Links

Resources
- URL Scan: https://urlscan.io
- URL Query: https://www.urlquery.net
- Virustotal: https://www.virustotal.com/#/home/search
Example: https://www.virustotal.com/#/domain/schoolaredu.com

PassiveTotal / RiskIQ
§ DNS Infos
§ Alerting on Changes
https://community.riskiq.com/

Censys.io
§ IP address information
§ Website information
§ SSL Certificates (!)
https://censys.io/
Example: https://censys.io/certificates?q=%22pentest%22
Real World: https://censys.io/ipv4?q=+443.https.tls.certificate.parsed.names%3A%2Fo%5B109%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro%7Csk)%2F

ShodanHQ
§ Host Info
§ Open Ports
§ Banner
§ Services
§ Meta Data
Examples: https://www.shodan.io/explore/popular

String Extraction
Extract ASCII (tagged A) and 16-bit little-endian (tagged W) strings with their decimal offsets, then merge both lists sorted by offset.
Linux
  (strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
macOS (GNU binutils / sed from Homebrew)
  (gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n
https://gist.github.com/Neo23x0/cd4934a06a616ecf6cf44e36f323e551

010 Editor
§ Hex Editor
§ Great usability
§ Relevant Features
  § String Extraction
  § Binary Comparison
https://www.sweetscape.com/010editor/

FireEye FLOSS
§ String extraction
§ Obfuscated string extraction
§ Stack string extraction
https://github.com/fireeye/flare-floss
Documentation: https://github.com/fireeye/flare-floss/blob/master/doc/usage.md

FireEye Stringsifter
§ String evaluation
§ Ranks strings based on their relevance for malware analysis
https://github.com/fireeye/stringsifter
Can be combined with 010 Editor (script by my co-worker Tobias Michalski):
https://www.sweetscape.com/010editor/repository/scripts/file_info.php?file=RateStrings.1sc&type=1&sort=
Technical Blog Post: https://www.fireeye.com/blog/threat-research/2019/05/learning-to-rank-strings-output-for-speedier-malware-analysis.html

CyberChef
§ Swiss Army Knife for all encoding / extraction / text based analysis
§ Many Functions
  § All types of encodings (UTF16, Base64, hex, charcode ...)
  § Compression (zlib, raw)
  § Extraction (Regex, IOC parsing, embedded files)
  § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON)
§ Recipes
  § Work like the "|" in the Linux command line
  § Can be saved as Bookmark or shared with others
https://gchq.github.io/CyberChef/
Recipes: https://github.com/mattnotmax/cyberchef-recipes

Top Base64 Encoding Learning Aid
§ Helps you learn the most common Base64 patterns found in malware
§ Features a mnemonic aid and emoticon (dual coding – learning style)
https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639

User Agent Analysis
§ Analyze User-Agent strings (from Sandbox reports, proxy logs etc.)
§ Get info on the string components and their meanings
§ Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. the BRONZE Butler UA)
  Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)
https://developers.whatismybrowser.com/useragents/parse/

Virustotal
50 Shades of Virustotal
§ Sample Uploads (the obvious)
§ Sample Info (the obvious)
§ Info on Domains / Hosts
§ Info on IP Addresses

Virustotal – Domain Info
Domain / Host Info
- Passive DNS Replication
- Related samples
- URLs
- Domain Siblings
Example: https://www.virustotal.com/#/domain/cdnverify.net

Virustotal – Sample Analysis
Examples:
https://www.virustotal.com/en/file/59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2/analysis/
https://www.virustotal.com/en/file/e7ba0e7123aaf3a3176b0224f0e374fac3ecde370eedf3c18ea7d68812eba112/analysis/
Fun - a hash that shows up in many IOC lists:
https://otx.alienvault.com/indicator/file/620f0b67a91f7f74151bc5be745b7110
https://www.virustotal.com/en/file/f8babc70915006740c600e1af5adaaa70e6ba3d75b16dc4088c569a85b93d519/analysis/
https://www.virustotal.com/#/file/5a88b8d682d63e3319d113a8a573580b8881e4b7b41e913e8af8358ac4927fb1/community

Virustotal – Browser Shortcuts
Use the browser's search engine integration for quick access.

Virustotal – IP Info
IP Info
- Passive DNS Replication
- Related samples
- URLs
Example: https://www.virustotal.com/#/ip-address/209.99.40.222
Warning:
§ IP address mapping changes over time
§ Multiple domains can be registered to a single provider IP

Virustotal – Enterprise
§ Search
§ YARA Rule Sets
§ Retro Hunts
§ Graph
https://www.virustotal.com/gui/

Virustotal – VTI Dorks
Repo with interesting VTI search queries
https://github.com/Neo23x0/vti-dorks

Virustotal – Content Search
Search for content in the sample base
§ Strings: content:"string"
§ Byte Chains: content:{b1 1e 5f 11 35}
https://www.virustotal.com/gui/

Virustotal – Graph
§ Graph based analysis
§ Pivoting to related samples / domains
Example: https://www.virustotal.com/graph/g1d606f8f877f92c8447e2a775d8666a99cd8725d643fffc8419ac8196b7b3457/drawer/nodesummary/node/nwinoxior.tk/1552468646010
Demo: https://www.youtube.com/watch?v=17yRtGFq9xc

Malware.one
§ Free / Registration required
§ String / Bytes search on a big (12 TB) but unknown malware corpus
§ Searches are visible to all other users
§ Result download as TXT
§ Sample download on request
https://malware.one

Hybrid-Analysis
§ Public Sandbox
§ Commercial: CrowdStrike's Falcon Sandbox
§ Extra Features:
  § String Search
  § YARA Search
  § Imphash Search
  > Report Search > Advanced > More Options
https://www.hybrid-analysis.com/
Example: https://www.hybrid-analysis.com/sample/c8f27a014db8fa34fed08f6d7d50b728a8d49084dc20becdb23fff2851bae9cb?environmentId=100

Hybrid-Analysis – String Search
Examples:
§ certutil.exe
§ 706f7765727368656c6c (hex encoded "powershell")
CyberChef will help:
https://gchq.github.io/CyberChef/#recipe=Encode_text('UTF16LE%20(1200)'/disabled)To_Hex('None')&input=cG93ZXJzaGVsbA

Any.Run
§ Public Sandbox
§ Special Feature: User Interaction
§ Pros:
  § Intuitive layout, uncluttered views
  § Sample and dropped files download
  § Sample previews (hex, raw)
https://app.any.run/
Example: https://app.any.run/tasks/7c83e4ca-7569-4c8b-8b2d-56bf24f30494

IRIS-H
- Static Analysis of Office Docs and the like
- Fast results
- Denis is working on a dockerized version
https://iris-h.services/
Example: https://iris-h.services/#/pages/report/5971707a8190abea8399a3ff93460b4bea403252

Antivirus Event Analysis Cheat Sheet
§ Helps Security Analysts to process Antivirus Events in a purposeful way
§ Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected
§ It is much better to evaluate an Antivirus event based on:
  § Virus Type
  § Location
  § User
  § System
  § Form
  § Time
https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v17-2/

Intezer
§ Static Analysis Platform
§ Comparisons based on so called "Genes"
§ "Strings" are also very interesting
https://analyze.intezer.com
Example: https://analyze.intezer.com/#/analyses/af471fdf-4b91-405b-aa68-c5221aa3f2d2

APT Groups and Operations Overview
§ Threat Groups
§ Campaigns
§ Malware Mapping
https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/

APT Search Engine
§ Custom Google Search Engine
§ Includes
  § Blogs of companies with frequent threat research publications
  § Sandboxes
  § APT Notes
  § IOC Sharing Websites
https://cse.google.com/cse?cx=003248445720253387346:turlh5vi4xc
Sources of the Search: https://gist.github.com/Neo23x0/c4f40629342769ad0a8f3980942e21d3

Twitter / Tweetdeck
§ Search Based Panels
  § #DFIR OR #ThreatHunting OR #SIEM
  § virustotal.com OR app.any.run OR hybrid-analysis.com OR reverseit.com OR virusbay.io
§ New Threats / Interesting Detection Methods
https://tweetdeck.twitter.com/

Pastebin
§ Keyword Alerting
  § Email Addresses
  § MD5, SHA1, LM, NTLM Hash of the company's default passwords
  § Internal AD Domain Names
  § Names of internal projects / systems that should never appear in public locations (your personal project "Sauron")
https://pastebin.com/

Munin
§ Process a list of Hash IOCs
§ Get many infos
  § AV detection rate
  § Imphash, filenames, type
  § First / Last submission
  § User comments (--intense)
§ Output
  § Command line output – colorized
  § CSV Export
  § Cached infos (JSON)
§ Lookups
  § Virustotal
  § Hybrid-Analysis
  § Virusbay
  § Malshare
https://github.com/Neo23x0/munin

Unfurl
§ Takes a URL and expands it into a directed graph
https://dfir.blog/unfurl/
Blog: https://dfir.blog/introducing-unfurl/

InQuest Labs
§ Different online tools, e.g.
  § Base64 regular expressions generator
  § Mixed hex case generator
https://labs.inquest.net/

Questions?
Twitter: @cyb3rops
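Added example for the String Extraction slide (my own code, not the workshop's gist): the same A/W offset listing that the strings/sed/sort pipeline produces, reimplemented as a portable Python script so it runs on Windows too. The sample bytes are constructed inline; the minimum length of 4 mirrors the strings default.

```python
import re
import sys

# Constructed sample (not a real file): PE-like magic, an ASCII string, then a
# UTF-16LE string, separated by NUL padding.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 4
    + b"This program cannot be run in DOS mode" + b"\x00" * 3
    + "powershell".encode("utf-16-le") + b"\x00\x00" + b"x\x01y"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str, str]]:
    """Return (decimal offset, 'A' or 'W', text) for every printable run.

    'A' mirrors `strings -a -td` (ASCII), 'W' mirrors `strings -a -td -el`
    (16-bit little-endian); the merged list is sorted by offset like the
    trailing `| sort -n` in the workshop pipeline.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "A", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "W", m.group().decode("utf-16-le")))
    # Sort by offset so ASCII and wide hits interleave in file order.
    found.sort(key=lambda hit: hit[0])
    return found


def format_hits(hits: list[tuple[int, str, str]]) -> list[str]:
    # Same three-column layout the sed rewrite produces: "<offset> <A|W> <text>"
    return [f"{off:7d} {kind} {text}" for off, kind, text in hits]


if __name__ == "__main__":
    # Usage: python strings_aw.py <file>   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(format_hits(extract_strings(blob))))
```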
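Added example, my own code rather than anything from the workshop, serving three slides at once: the Hybrid-Analysis string search (hex of "powershell"), the Virustotal content search syntax, and the Base64 learning aid. It derives every search form of one keyword, and the three-alignment stripping is the general technique behind such "top Base64 patterns" lists, which the slide itself does not spell out.

```python
import base64

# Constructed input: the keyword used on the Hybrid-Analysis slide.
KEYWORD = "powershell"


def hex_ascii(text: str) -> str:
    # Hybrid-Analysis string search form: "powershell" -> 706f7765727368656c6c
    return text.encode("ascii").hex()


def hex_utf16le(text: str) -> str:
    # The same keyword as it appears in wide strings (each char followed by 00).
    return text.encode("utf-16-le").hex()


def vt_string_query(text: str) -> str:
    # Virustotal string syntax: content:"powershell"
    return f'content:"{text}"'


def vt_byte_query(data: bytes) -> str:
    # Virustotal byte-chain syntax: content:{70 6f 77 ...}
    return "content:{" + " ".join(f"{b:02x}" for b in data) + "}"


def base64_alignments(data: bytes) -> list[str]:
    """The three Base64 substrings that are stable for `data` at any offset.

    Base64 encodes 3-byte groups, so the same bytes look different depending
    on (offset mod 3). For k = 0, 1, 2 we prepend k NUL bytes and then drop
    every output character that also depends on unknown neighbouring bytes:
    the first 0/2/3 characters, and the last one whenever the total length
    is not a multiple of 3.
    """
    patterns = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + data).decode("ascii").rstrip("=")
        enc = enc[(0, 2, 3)[k]:]
        if (k + len(data)) % 3:
            enc = enc[:-1]
        patterns.append(enc)
    return patterns


if __name__ == "__main__":
    print("hex (ascii)   :", hex_ascii(KEYWORD))
    print("hex (utf16le) :", hex_utf16le(KEYWORD))
    print("VT string     :", vt_string_query(KEYWORD))
    print("VT bytes      :", vt_byte_query(KEYWORD.encode()))
    for k, pat in enumerate(base64_alignments(KEYWORD.encode())):
        print(f"base64 mod {k}  :", pat)
```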
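Added example for the Antivirus Event Analysis Cheat Sheet slide: a triage scorer that weighs virus type, location, user, system, form and time and deliberately ignores the Deleted / Deletion Failed / Detected status. The weights and keyword lists are my own illustrative assumptions for the demo, not the cheat sheet's rules, and the two events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Illustrative weights and keywords: an assumption for this demo, not the cheat sheet's rules.
HIGH_RISK_TYPES = ("hacktool", "webshell", "dumper", "backdoor", "ransom")
LOW_RISK_TYPES = ("adware", "pup", "riskware")
SENSITIVE_SYSTEMS = ("server", "domain-controller")
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\inetpub\\", "/tmp/", "/var/www/")

@dataclass
class AvEvent:
    status: str       # Deleted / Deletion Failed / Detected: ignored on purpose
    virus_type: str   # AV classification string
    location: str     # path of the detected object
    user: str
    system: str       # workstation / server / domain-controller
    form: str         # file / memory / script
    time: str         # ISO-8601 timestamp

def score_event(e: AvEvent) -> tuple[int, list[str]]:
    """Weigh type, location, user, system, form and time; never the status."""
    score, reasons = 0, []
    vt, user = e.virus_type.lower(), e.user.lower()
    checks = [
        (3, "high-risk virus type", any(t in vt for t in HIGH_RISK_TYPES)),
        (-1, "low-risk virus type", any(t in vt for t in LOW_RISK_TYPES)),
        (2, "suspicious location", any(d in e.location.lower() for d in SUSPICIOUS_DIRS)),
        (1, "privileged or service account", user in ("system", "administrator") or user.startswith("svc")),
        (2, "sensitive system", e.system in SENSITIVE_SYSTEMS),
        (1, "memory or script form", e.form in ("memory", "script")),
        (1, "outside working hours", not 6 <= datetime.fromisoformat(e.time).hour < 20),
    ]
    for points, reason, hit in checks:
        if hit:
            score += points
            reasons.append(reason)
    return score, reasons

def priority(e: AvEvent) -> str:
    score, _ = score_event(e)
    return "high" if score >= 5 else "medium" if score >= 2 else "low"

# Constructed events: both carry status "Deleted", yet they deserve opposite handling.
EVENTS = [
    AvEvent("Deleted", "Adware.Generic", r"C:\Users\alice\Downloads\setup.exe", "alice", "workstation", "file", "2020-02-10T14:05:00"),
    AvEvent("Deleted", "HackTool.Generic", r"C:\Windows\Temp\x.exe", "SYSTEM", "domain-controller", "file", "2020-02-10T02:40:00"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.status, priority(ev), score_event(ev))
```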