Threat Hunting for Non-Hunters

Threat hunting is a proactive task with an assumption that your organization has already been breached and you wanted to beat the average “dwell time” of 256 days; at least for me as a DFIR practitioner. And this is usually done with the help of different tools that we call “arsenals”; SIEM (security information and event management) and EDR (endpoint detection and response) mostly.

However, security is not just for the IT security folks who are paid mainly to do this kind of “Blue Teaming” work (aka Incident Responders) but it is everyone’s responsibility.

Human is the weakest link among the security chain so as an end-user, anyone should have the basic understanding of how tofind malicious activities and files within their workstations.

The malware or malicious software includes but not limited to Keylogger, credential stealerscrypto minerreverse shellransomwarebotnet, and more.

This article aims to empower non-security folks to gain a portion of technical knowledge on hunting threats from their Windowssystems and able to share to their families and friends as well using freely available and downloadable tools from the Internet.

Hunting Persistent Threat with Autorun Programs

There are so huge places in the system that an adversary can plant their malicious programs and run automatically during boottime without an end-user’s awareness.

Tools from Sysinternals Suite by Microsoft Windows; “autorunsc.exe” (command-line) and “Autoruns.exe” (graphical user interface) can help to see all Autorun programs in your machine which can be downloaded on the link below.

Download URL:

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Adding the parameter “hyphen h” (-h) to the command autorunsc.exe will give you the MD5 or SHA-256 hashes of the file to check from the Open Source Intelligence (OSInt) websites for Malicious file and URL called VirusTotal(https://www.virustotal.com)

Syntax:

autorunsc.exe –h

The output can also be redirected to a text file for reference and easy recording.

Syntax:

autorunsc.exe -h > autoruns.txt

“autorunsc.exe –help” will give you more choices to play around with the command-line tool on Windows.

More often, the graphical version of the Autoruns would be preferable to others as a simple right-click on the mouse will give you an option to check the program in VirusTotal on the spot.

Threat Hunting Hidden Processes

Anti-Virus (AV) whether traditional or call themselves as “Next-Gen AV” misses more than 70% of malware according to research and it is because they are still signature-based. And sophisticated malicious programs runs as hidden processes to evade AV detections.

The most common of this kind of malware is “rootkit”, a malicious program that runs on the system’s kernel or memory.

Below are the useful tools that can be utilized against this persistent threat on anyone’s PC.

HIDDEN PROCESS FINDER from NoVirusThanks.

GMER is an awesome tool in detecting rogue processes that can be downloaded here: http://www.gmer.net/

This is a PE (portable executable) tool similar to SysInternal Suites and other tools that are mentioned here.

With the aid of the tool from SysInternal Suite – procexp64.exe (for 64bit Windows system), the tool was found spawning different DLL’s and processes which was also identified as malicious based from the Indicators of Compromised or IOC found from VirusTotal –

https://www.virustotal.com/en/file/395b666e80388433951b764ee61b80bc5149a94507f134265f4372fba7d951b4/analysis/

Threat Hunting Command & Control

Command & Control or C2 or C&C is a computer server that gives directives to digital devices commonly computers and smartphones that have been infected with rootkit or malware such as Ransomware and other variants. These infected devicesare called “bots” or “botnet” for Robot. Botnets are also used for sending Spam and Distributed Denial of Service (DDOS) attack against the target.

Known C2 servers will be most likely detected by Firewall if it is enabled in a PC or company provided workstation. Except for “zero day” attack when the C2 server is not yet identified by the EDR and Firewall companies.

This may sound a little technical but good to know when needed since the tool of example will be used here is already included in Windows systems.

By opening the command prompt or CMD as administrator, you will be able to run the tool called NETSTAT.

In the command prompt, just type the tool command below with a hyphen “ano” (-ano), parameters to display all networkconnections, with port numbers, and process ID’s. The parameter “f” is useful to see the fully qualified domain name or simply as the website address of the established connections over the internet for quick identification.

Syntax:

netstat –ano

netstat –af

The tool will be prompted with few lines depending on how many tabs open in the browsers when connected to the internet and it will also include the connection in C&C if the host machine is infected with malware or botnet.

This network threat hunting process may take a few minutes as it needs to go through the public IP addresses which are LISTENING and ESTABLISHED for checking from OSInt like VirusTotal, OTX, and other websites that provide IOC’s based from IP’s.

If there is no IOC found from the OSINT, a healthy paranoia will be needed to stop the running processes based from the PID (process id) resulted from the NETSTAT tool by simply running the “TASK MANAGER” through typing the “CTRL+ALT+DELETE” at the same time. Find the PID under the DETAILS tab, mouse right-click on it and “END TASK”.

Threat Hunting Malware

Malicious program threat hunting is different from running an Anti-Virus as it does not need to be quarantined or remove immediately. By running an AV may notify the malware creator that the malicious program planted in the host machine has been found and deleted which the adversary will be warned for detection.

“Triaging” an advanced persistent threat (APT) is crucial in hunting the threat actor and tracing their whereabouts.

A simple IOC scanner called LOKI is effective for that detective role playing like Sherlock Holmes.

This slick tool can be downloaded here: https://github.com/Neo23x0/Loki/releases

The tool will give the full directory of both suspicious and malicious file based from its IOC’s that most AV’s does not have yet and may able to delete manually or opt for further malware analysis which is an interesting hobby.

Threat Hunting Rogue Wi-Fi

In my few speaking engagements, I always mention that “Free” is not always good as this is can be a conduit for Social Engineering attacks like Man-In-The-Middle (MITM) or Eaves Dropping technique to steal sensitive information.

It is best to have a healthy paranoia to run tools like my example here to catch rogue access points (AP) in the public.

A handy rogue AP killer and a user-friendly tool called CHELLAM is very useful to stay safe in the wild while the adversary is just one click away to bait their targets and one could be you or your family.

Conclusion

There are so many available tools that can be downloaded in the wild and it is everyone’s discretion on what tool is effective for the individual. As mentioned in my other blogs, a mindset of a hunter is the most important and that cannot be taken from classroom training nor in Ph.D. degree. Again, security is everybody’s responsibility and either you are part of the solution or just another brick in the wall.

Original Post: https://www.peerlyst.com/posts/threat-hunting-for-non-hunters-mike-art-rebultan-mit-ceh-ecsa

The AWS Security Open Source Toolkit

 

I love AWS. I love Open Source. I love Security. So I’ve been bringing together a compilation of the best tools available to monitor, audit, train up on and find exposures in your AWS accounts.

You can find the GitHub repo here; https://github.com/stuhirst/awssecurity/blob/master/arsenal.md

Please add to that if you wish!

Discovery:

Generate a report of all S3 buckets for an account: https://github.com/bear/s3scan

Find open S3 buckets: https://github.com/sa7mon/S3Scanner

Generate Network Diagrams: https://github.com/duo-labs/cloudmapper

Cred Scanner: https://github.com/disruptops/cred_scanner

Tools:

Disable Access Keys after X days; https://github.com/te-papa/aws-key-disabler

Secrets Management; https://github.com/awslabs/git-secrets

Least Privilege: https://github.com/Netflix/repokid

Resource Counter: https://github.com/disruptops/resource-counter

IAM Access Advisor: https://github.com/Netflix-Skunkworks/aardvark

Auditing:

Scout2: https://github.com/nccgroup/Scout2

Prowler: https://github.com/toniblyx/prowler

Policy changes & Insecure config: https://github.com/Netflix/security_monkey

Policy & Encryption; https://github.com/capitalone/cloud-custodian

Training:

http://flaws.cloud/

Offensive:

AWS Attack Library; https://github.com/carnal0wnage/weirdAAL/wiki

Thanks to all the awesome open-sourcers who make these possible!

Original Post: https://medium.com/@StuHirstInfoSec/the-aws-security-open-source-toolkit-eb3e92566eaf

Most Important Security Tools and Resources For Security Researcher, Malware Analyst, Reverse Engineer

Important Tools and Resources

Security Professionals always need to learn many tools , techniques and concepts to analyze sophisticated Threats and current cyber attacks.

Here we are going to see some of the most important tools , books, Resources which is mainly using for Malware Analysis and Reverse Engineering.

Hex Editors

A hex editor (or binary file editor or byteeditor) is a type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name ‘hex’ comes from ‘hexadecimal’: a standard numerical format for representing binary data.

Disassemblers

disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler.

A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

Detection and Classification

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • Assemblyline – A scalable distributed file analysis framework.
  • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • Detect-It-Easy – A program for determining types of files.
  • ExifTool – Read, write and edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives

Dynamic Binary Instrumentation

Dynamic Analysis

This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.

The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker – A generic hidden code extractor for Windows malware.
  • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Debugging

IN this List we could  see the tools for Disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
  • bamfdetect – Identifies and extracts information from bots and other malware.
  • BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
  • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
  • Binary ninja – A reversing engineering platform that is an alternative to IDA.
  • Binwalk – Firmware analysis tool.
  • Bokken – GUI for Pyew and Radare. (mirror)
  • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro – Web based code browser using  clang to provide basic code analysis.
  • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
  • FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • Hopper – The macOS and Linux Disassembler.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
  • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio – Perform static analysis of Windows executables.
  • Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
  • plasma – Interactive disassembler for x86/ARM/MIPS.
  • PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • Process Explorer – Advanced task manager for Windows.
  • Process Hacker – Tool that monitors system resources.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • PSTools – Windows command-line tools that help manage and investigate live systems.
  • Pyew – Python tool for malware analysis.
  • PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
  • QKD – QEMU with embedded WinDbg server for stealth debugging.
  • Radare2 – Reverse engineering framework, with debugger support.
  • RegShot – Registry compare utility that compares snapshots.
  • RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
  • ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
  • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
  • strace – Dynamic analysis for Linux executables.
  • Triton – A dynamic binary analysis (DBA) framework.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
  • X64dbg – An open-source x64/x32 debugger for windows.

Binary Format and  Binary Analysis

The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.

 Decompiler

A decompiler is a computer program that takes an executable file as input, and attempts to create a high level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.

Online Scanners and Sandboxes

Following Tools are using for Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • anlyz.io – Online sandbox.
  • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
  • AVCaesar – Malware.lu online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • detux – A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
  • DRAKVUF – Dynamic malware analysis system.
  • firmware.re – Unpacks, scans and analyzes almost any firmware package.
  • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Joe Sandbox – Deep malware analysis with Joe Sandbox.
  • Jotti – Free online multi-AV scanner.
  • Limon – Sandbox for Analyzing Linux Malware.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • malsub – A Python RESTful API framework for online malware and URL analysis services.
  • Malware config – Extract, decode and display online the configuration settings from common malwares.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metadefender.com – Scan a file, hash or IP address for malware (free).
  • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis tool kit.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • Sand droid – Automatic and complete Android application analysis system.
  • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
  • VirusTotal – Free online analysis of malware samples and URLs
  • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – Open Source Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse – Store, tag, and search malware.
  • Polichombr – A malware analysis platform designed to help analysts to reverse malwares collaboratively.
  • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper – A binary management and analysis framework for analysts and researchers.

Malware samples

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scrapped from malicious sites.
  • MalwareDB – Malware samples repository.
  • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities
  • theZoo – Live malware samples for analysts.
  • Tracker h3x – Agregator for malware corpus tracker and malicious download sites.
  • ViruSign – Malware database that detected by many anti malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Domain Analysis

Inspect domains and IP addresses.

  • badips.com – Community based IP blacklist service.
  • boomerang – A tool designed for consistent and safe capture of off network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker – Cross-language temporary email detection library.
  • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL Scanner.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • ZScalar Zulu – Zulu URL Risk Analyzer.

Books

Most Important books Reverse Engineering Books

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • JS Deobfuscator – Deobfuscate simple Javascript that use eval or document.write to conceal its code.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

Open Source Threat Intelligence Tool

Harvest and analyze IOCs.

  • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Credits

This list is Created with helping of following Awesome Peoples.

Original Post: https://gbhackers.com/most-important-tools/

Indicator Of Attack(IoA’s) And Activities – SOC/SIEM – A Detailed Explanation

SOC

What is an Indicator of Attack (IOA)

IoAs is some events that could reveal an active attack before indicators of compromise become visible. Use of IoAs provides a way to shift from reactive cleanup/recovery to a proactive mode, where attackers are disrupted and blocked before they achieve their goal such as data thief, ransomware, exploit, etc.

IOAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-generation security solutions are moving to an IOA-based approach

10 Indicators of attack (IoAs)

The following most common attack activities could have been used, individually or in combination, to diagnose active attacks:

1) Internal hosts with bad destinations

Internal hosts communicating with known bad destinations or to a foreign country where you don’t conduct business.

SOC

An example of HP ArcSight Dashboard that shows client’s hosts communicating with Feeds(IP, Domain, Url) from “ransomwaretracker.abuse.ch” website.

SOC

Example of Global Threat Intelligence from McAfee

2) Internal hosts with non-standard ports

Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP, HTTPS traffic over port 80,443, the default web port.

SOC

Example of Internal Host using 21(FTP), 445(SMB), 137(NETBIOS-NS), 135(RPC) to the Internet

3) Public Servers/DMZ to Internal hosts

Publically servers or demilitarized zone (DMZ) hosts communicating to internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets such as RDP(Remote Desktop Protocol), Radmin, SSH.

 SOC

An example of a Report that monitor Top 10 Traffic from “DMZ” zone to “Internal/Client” Zone.

From this report, Security Analyst should investigate to Highlighted Servers that communicating to Internal hosts via RDP(TCP/3389), SSH(TCP/22)

4) Off-hour Malware Detection

Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.

SOC

Example of IPS alerts on non-working time (Holiday)

5) Network scans by internal hosts

Network scans by internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network. This incident detects from Perimeter network defenses such as firewall and IPS. You must choose Zone/Interface from “Internal” to “Internal” only. For Future, you should focus Reference: “Internal” to “DMZ” too. It may be “Insider Threat” or “Compromise hosts” that they need more information from your networks (Reconnaissance)

SOC

Example of Network Scans Report that filters from “Internal” to “Internal” zone

6) Multiple alarm events from a single host

Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. THIS IS COMMON USE CASE.

SOC

Example Dashboard that monitoring “User Login Failures” from Single Hosts

Note: some login failed events form e-mail applications on mobile phones can generate events more 500 events/minute. I found this case when the password of a user account is expired but they have not change the new password on their devices.

7) System is reinfected with malware

After the Infected host is cleaned, a system is reinfected with malware within 5-10 minutes, repeated reinfections signal the presence of a rootkit or persistent compromise. This incident may detect from Endpoint Security Protection or Anti-Virus events.

SOC

This is Example Malware Dashboard.

Detection: You must create at least 3 rules on SIEM follow as

  1. The rule alert when it found infected host then “Add To” Current Infected Hosts List and Historical Infected Hosts List (Store at least 1 week)
  2. The rule alert when malware is cleaned from infected Host then “Remove To” Current Infected Hosts List
  3. The rule alert when it found an infected host that is “Historical Infected Hosts List” within the specified time range. THAT SYSTEMs SHOULD SCAN/INVESTIGATE MALWARE AGAIN!!!

8. Multiple Login from different regions

A user account trying to login to multiple resources within a few minutes from/to different region. This is a sign that user’s credentials have been stolen or that a user is up to mischief.

SOC

An example of the Correlated rule that Ideal solutions may vary based on your network conditions and security policy.

This rule detects an event in the “Login” normalization category, with an Event Outcome equal “Success” with multiple Source Geo-locations, within a specified Time Range and Events are grouped by Source User.

9. Internal hosts use much SMTP

E-Mail Protocol such as SMTP (Simple Mail Transfer Protocol), POP3 or IMAP4 should be monitoring. Some malware will use these port for send information to Suspicious or Hacker’s server.

SOC

Example of Infected client that use SMTP(TCP/25)

10. Internal hosts may query to External/Internal DNS

Many organization has Internal DNS servers for caching records and serve DNS service to internal hosts. DHCP configuration is defined Primary DNS Server to Internal DNS server. If you found that some internal hosts query to External DNS such as 8.8.8.8, 8.8.4.4 (Google DNS), you should try scan malware on that clients.

SOC

Some Incidents found that the internal host query many requests to the internal DNS server (> 1,000 events/hour)

Action and Adaptation

Once the IoA is created, people and processes can act while the rich intelligence is distributed. Directly, alerts and thresholds can guide enforcement actions such as quarantine. In near real time, new findings can factor into policy adjustments, authentication requirements, and human response workflows. Within hours and days, findings can influence risk scores, organizational policies, and end-user education. Over longer timelines—weeks and months—organizations can trend and surface anomalies, predict future attacks and adjust sensitivities.

Reference: http://www.mcafee.com/cf/resources/reports/rp-when-minutes-count.pdf

Original Source & Credit:  Sittikorn Sangrattanapitak, CISSP

Also Read:

  1. Intrusion Prevention System(IPS) and Its Detailed Function – SOC/SIEM
  2. Intrusion Detection System (IDS) and Its detailed Function – SOC/SIEM 

Original Post: https://gbhackers.com/soc-indicator/

Red Team and Open-Source Mitre’s ATT&CK Framework Test Tools

download

One way to learn how to better defend your enterprise is to train a red team to simulate attacks. The Mitre ATT&CK framework, which can be a very useful collection of threat tactics and techniques for such a team. The frameworkclassifies and describes a wide range of attacks. To make it even more effective, various commercial and open-source general testing tools have been built to complement its schemas.

Adversarial Tactics, Techniques & Common Knowledge

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

https://attack.mitre.org/wiki/Main_Page

Video: Post-Exploit Threat Modeling with ATT&CK

 

cso_mitre_open-source_attck_test_tools_1400px-100754760-orig

 

Red Team Automation (RTA)

RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

RTA is composed of python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application that performs activities such as file timestopping, process injections, and beacon simulation as needed.

Where possible, RTA attempts to perform the actual malicious activity described. In other cases, the RTAs will emulate all or parts of the activity. For example, some lateral movement will by default target local host (though with parameters typically allow for multi-host testing). In other cases, executables such as cmd.exe or python.exe will be renamed to make it appeas as if a Windows binary is doing non-standard activities.

Introduction: https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation

Download: https://github.com/endgameinc/RTA

CALDERA

CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.

Introduction: https://www.mitre.org/research/technology-transfer/open-source-software/caldera

Download: https://github.com/mitre/caldera

Atomic Red Team

Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.

Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. We hope that this gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.

Introduction: https://www.redcanary.com/blog/atomic-red-team-testing/

Download: https://github.com/redcanaryco/atomic-red-team

Metta

Metta is an information security preparedness tool.

This project uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants.

Introduction: https://medium.com/uber-security-privacy/uber-security-metta-open-source-a8a49613b4a

Download: https://github.com/uber-common/metta

Reference:

https://www.csoonline.com/article/3268545/data-breach/4-open-source-mitre-attandck-test-tools-compared.html 

 

Invoke-Adversary – Simulating Adversary Operations


Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing APTSimulator excellent tool from Florian Roth.

Warning

Update 4/14/2018 – In the original script 3rd party tools were downloaded by the script automatically. I believe that the original disclaimers were enough, but decided to change it due to the feedback I got, and now the script ask the users to download the 3rd party tools by themselves – with additional warnings and hash file checking.

This script is provided AS IS without warranty of any kind.

The script should be used for authorized testing and/or educational purposes only with no exceptions. By using the script Windows system’s security and stability (including but not limited to: passwords dump, disabling security features, etc.) may be affected so DON’T RUN IT ON PRODUCTION systems.

The script is my own, based on other researchers’ public domain knowledge and not related to Microsoft in any form.

 

“Kill Chain”, or What happens during a targeted cybersecurity attack?

Cybersecurity kill chain is a framework developed by Lockheed Martin for identification and prevention of cyber intrusions activity. As attacks may occur in stages, you as defender can put optics and controls to detect or disrupt the entire process.

The stages of the Kill Chain are:

  • Reconnaissance – an attacker is probing for a weakness or bad configuration
  • Weaponization – an attacker is building a payload that can be delivered to the victim (can be a PDF  file or an Office document)
  • Delivery– Sending the payload via e-mail, web link or removable media
  • Exploit– The payload will execute on the victim’s network
  • Installation– The payload will download additional remote access tools and install them to maintain persistence
  • Command and Control– A channel is created between the victim and the attacker
  • Actions– The intended goal is executed (encrypt files, exfiltration of data, etc.)

On top of that model, Mitre, a not-for-profit organization, developed a enhanced model for cyber adversarial behavior, called “Adversarial Tactics, Techniques, and Common Knowledge” (ATT&CK™) Matrix.

Currently, the MITRE ATT&CK™ Matrix provides the most comprehensive framework for adversarial techniques and tactics that enterprises encounter daily.

Technique Description
Persistence Techniques for persistent presence on compromised system
Privilege Escalation Techniques for adversary to obtain a higher level of permissions
Defense Evasion Techniques adversary may use to evade detection or avoid other defenses
Credential Access Techniques resulting in access to or control over system, domain, or service credentials
Discovery Techniques that allow the adversary to gain knowledge about the system and internal network
Lateral Movement Techniques that enable an adversary to access and control remote systems on a network
Execution Techniques that result in execution of adversary-controlled code on a local or remote system
Collection Techniques used to identify and gather information
Exfiltration Techniques that result or aid in the adversary removing files and information from a target network
Command and Control Techniques that represents how adversaries communicate with systems under their control within a target network

 

Many companies are using Security Information and Event Management (SIEM), Endpoint Protection Platform (EPP) and Endpoint Detection & Response (EDR) products to monitor and protect their environments. What seems to be missing is a tool that can generate a real data that represents real-world targeted attacks.

Invoke-Adversary is a PowerShell script that uses a set of functions to simulate post-compromise adversarial behavior within Windows Enterprise networks.

By using Invoke-Adversary script you can:

  • Assess your security monitoring tools and practices
  • Evaluate Endpoint detection agents

Setup

Requirements for deploying:

Usage

  • The simplest way to run the script is to open an elevated (run as Administrator) PowerShell ISE window and press F5.

  • The script will start and the first thing you need to do is to read the disclaimer and accept the terms by typing yes

 

  • Now you can select any test case by choosing its number on the menu

  • Choose which test you want to run by choosing its number on the menu

Screenshots

 

What are the tactics

Defense Evasion

  • Disable network interface – Disables a network adapter and causes loss of network connectivity
  • Disable Windows Defender AV – Turn off real-time protection, scanning all downloaded files and attachments, behavior monitoring, network protection and privacy mode
  • Add local firewall rule exceptions – Add fictitious rule “Invoke-APT Test Rule” to Windows Advanced Firewall
  • Turn off Windows Firewall – Turn off Windows Advanced Firewall
  • Clear Security Log – clears the security log using wevtutil command

Persistence Tactics

  • Accessibility Features – “Hijack” sethc.exe with cmd.exe using “Image File Execution Options”
  • AppInit DLLs – Adds entry for pserver32.dll under AppInit_DLLs
  • Application Shimming – Create registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842562ef-8d28-411d-a67d-ab75ef611fe8}.sdb
  • Create local user – A new user (user name is: support_388945a0)
  • Create local Administrator – A new user created (user name is: Lost_337fde69_81a9) and added to local Administrators group
  • Create New Service – new service (WindowsHealth) is created
  • Create New Service (Unquoted Path) – same as previous, just with unquoted path
  • Registry Run Keys [HKLM] – New run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • Registry Run Keys [HKCU] – New run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Scheduled tasks – new scheduled task (OfficeUpdaterA) is created

Credential Access

  1. Mimikatz – Logonpasswords – Download mimikatz to a random file name and execute it with the following arguments “privilege::debug” “sekurlsa::logonpasswords” “exit” (credit: https://twitter.com/gentilkiwi)
  2. PowerShell Mimikatz – Run Invoke-Mimikatz.ps1  (credit: https://twitter.com/josephbialek?lang=en)
  3. PowerShell Encoded Mimikatz – Run Invoke-Mimikatz.ps1 with encoded PowerShell command line
  4. Capture Lsass Memory Dump – Using Windows Error Reporting to capture lsass memory (credit: https://twitter.com/mattifestation)
  5. Capture Lsass Memory Dump (Prodump) – Download Prodump to a random file and capture lsass memory
  6. Copy Local SAM File (via Invoke-NinjaCopy) – Run Invoke-NinjaCopy to copy C:\Windows\System32\config\sam file (credit: https://twitter.com/josephbialek?lang=en)

Discovery Tactics

  1. Account Discovery – running net commands to discover local and domain users and groups
  2. Network Service Scanning – ports scan (1-1024) on user selected host
  3. System Owner Discovery – whoami command
  4. System Time Discovery – Running “net time” and “w32tm.exe /tz” commands
  5. Service Discovery – List of all services
  6. Network Connections Discovery – netstat

Command and Control

  1. Commonly used Ports – Trying to connect to user selected host
  2. Uncommonly used Ports – Trying to connect to user selected host using uncommon ports  (credit: Florian Roth)
  3. Web Service – Create a new post at pastebin and upload BITS service information
  4. DNS – Well-Known Blacklisted IP Address – Resolving top 10 malicious IP addresses (credit: Florian Roth)
  5. Connect – Well-Known Blacklisted IP Address – Connecting to top 10 malicious IP addresses (credit: Florian Roth)

Execution

  1. PSExec (random file name) – Rename PSEec to random file name and execute it (credit:  https://twitter.com/markrussinovich)
  2. PSExec (Remote) – Running psexec on user selected host
  3. PowerShell API call – Native API call from PowerShell
  4. Self Delete (batch file) – self deleting batch file
  5. WMI Process Execution – use the WMI command-line (WMIC) utility

Collection

  1. Screen Capture – screen capture (credit: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/)

AppLocker ByPasses

  1. Regsvr32 – Regsvr32 technique (credit: https://twitter.com/subTee)

Original Post: https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/

[Collection] Powershell Toolkit For PenTester

Original Post: https://securityonline.info/collection-powershell-toolkit-for-pentesterempire-powershellpowermemorypowersploit/

How To Build And Run A SOC for Incident Response – A Collection Of Resources

How to build a SOC / How to run a SOC

In this resource I’ll locate some great resources for SOC, how to build a SOC, how to set-up a SOC and how to run and maintain your SOC once set up. I will also keep the links and tools up to date as I find new & better resources.

Let me know if you have comments or additions please.

_________

1- Starting Point – Some theoretical content:

What is a SOC? A SOC is a Security operations centre‍, where you have people dedicated to the company’s ongoing information security watching and responding. They need the tools to prevent what they can and discover+remediate what they can not. They need the skills to do this.

Free:

IR process template via Frode Hommedal: http://frodehommedal.no/presentations/first-tc-oslo-2015/#/slide-start

CSIRT process, new one by Frode Hommedal: http://frodehommedal.no/presentations/cert-ee-symposium-2016/#/

Report Template for Threat Intelligence and Incident Response by Lenny Zeltser

MITREhttps://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

Building a SOC via twitter user Rafeeq_rehman Building_SOC.pdf

An EY SOC white paperEY-SOC-Oct-2013.pdf

A HP SOC white paper: Building-Maturing-and-Rocking-a-Security-Operations-Center-Brandie-Anderson.pdf

The Grand List of Incident Management Frameworks via Gabor Szathmari

A slidedeck on building a SOC via Slideshare:

Design & Build a Security Operation Center – from Sameer Paradia (CGEIT,CISM,CISSP)

SANS https://www.sans.org/reading-room/whitepapers/analyst/incident-response-fight-35342

OWASP incident response project https://www.owasp.org/index.php/OWASP_Incident_Response_Project
via Tom Brennan

RSA conference presentation 2012 Ben RothkeBuilding a Security Operations Center(SOC) 
McAfee – Creating and Maintaining a SOC – The details behind successful security operations centers

emc Creating an intelligence-driven SOC

Peerlyst resource: A list of Incident Response Playbooks by Michael Hamblin

Building a World-Class Security Operations Center:A Roadmap by SANS

How to build and runa SecurityOperations Center by Nicolas Fischbach of Securite

Building and running a SOC with Splunk

Lessons learned from working in a SOC by Jen Andre of Komand

“Build a SOC or Choose an MSSP?” by Eric Carroll

How to build and run a Security Operations Center by Renato Basante Borbolla

Requiring sign-up:

AlienVault https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response-download

Dell SecureWorks http://go.secureworks.co.uk/incident-response-preparedness

Paid:

Designing and Building Security Operations Center 1st Edition by David Nathans

Security Operations Center: Building, Operating, and Maintaining your SOC from October 2015 by Joseph Muniz, Gary McIntyre, Nadhem AlFardan

Crafting the InfoSec Playbook. Security Monitoring and Incident Response Master Plan” by Jeff Bollinger, Brandon Enright, Matthew Valites. Thanks Sashank Dara‍ for mentioning this.

2- Some Practical resources for incident response and SOC

Cheat Sheets:

http://www.malwarearchaeology.com/cheat-sheets

Awesome Incident response collection

Training/Certifications:
A critique of the parts/elements of paid incident handling‍ certfications via Taosecurity‍:

http://taosecurity.blogspot.lu/2009/04/speaking-of-incident-response.html

Free:

Computer and hackingforensics on Cybrary.ithttps://www.cybrary.it/course/computer-hacking-forensics-analyst/

Most of Opensecuritytraining http://opensecuritytraining.info/Training.html

Paid:

SANS‍ MGT517: managing Security Operations: Detection, Response, and Intelligencehttps://www.sans.org/course/managing-security-operations-detection-response-and-intelligence

https://www.sans.org/course/continuous-monitoring-security-operations Sec511

EC-Council Certified incident Handler http://www.eccouncil.org/Certification/ec-council-certified-incident-handler

GIAC Certified incident Handler (GCIH) https://www.giac.org/certification/certified-incident-handler-gcih

cert-Certified Computer Security incident Handler https://www.sei.cmu.edu/training/certificates/security/handler.cfm

Incident response and network forensics on Infosecinstitute

SANS SEC504hackertools, techniquesExploits and incident handling

SANS Cyber defensehttps://www.sans.org/curricula

SANS Master degree in Incident response: https://www.sans.edu/academics/certificates/incident-response

3. Tools of the trade:

Open Source/Free:

The list of tools here on postmodernsecurity.com :
https://postmodernsecurity.com/2015/09/11/malware-analysis-and-incident-response-tools-for-the-frugal-and-lazy/

IP TO ASN via Teamcymru. IP To ASN allows one to map IP numbers to BGP prefixes and ASNs. These services come in various flavors, including whois (TCP 43), dns (UDP 53), HTTP (TCP 80) and HTTPS (TCP 443).

TOTALHASH totalhash provides static and dynamic analysis of malware samples. The data available on this site is free for non commercial use. If you have samples that you would like analyzed you may upload them to our anonymous FTP server.

Via InfosecTDK‍ https://www.hybrid-analysis.com An automated malware analysis sandbox

Malwr malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back.

Via CIRCL.LU:

Twitter user DA_667 storify on questions to ask when hiring an incident responder – storify created by

DA_667 on IR toolset on a shoestring budget using World of warcraft analogies:

SIEMelk stack
NSMSnort + Bro (with fullcap/flow later on when/if I had money)
Client-Side: GRR + El-Jefe + whatever crap A/V solution
Heroic Mode Extra credit: Packet Fence for shunting infected machines into a ?GTFO? VLAN for re-imaging/IR purposes
25-man RAID mode: Moloch for FPC.

Remote IOC scannerhttps://github.com/CERT-Solucom/certitude

Defeating pth attacks via DFIRBLOG

Free service that unpacks, scans and analyzes almost any firmware package, detects vulnerabilitiesbackdoors -> firmware.refirmware.re

usb packet capture/sniffer http://desowin.org/usbpcap/

Javascript deobfuscator toolhttp://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/

Live Incident response in powershell: PSRecon https://github.com/gfoss/PSRecon

List all named pipes via powershell:

PS C:\> [System.IO.Directory]::GetFiles("\\.\\pipe\\")Securityonion and Sysmon (slides)

Security onion Conference – 2015 from DefensiveDepth

Windows Live Artifact acquisition scripthttps://github.com/OMENScan/AChoir

LAIKA BOSS open sourced by lockheed martin https://github.com/lmco/laikaboss/blob/master/README.md

Via mozilla open sourced: incident investigations: MIG “Mozllla InvestiGator”: github.com/mozilla/mig

88 Feeds, ~800K live streamable threat Intel indicators to your sensors (link) via @critical stack

Incident response hunting tools: https://sroberts.github.io/2015/04/21/hunting-tools/

Share threat information with vetted partners -> ThreatExchange via the Facebook team

Cymon: Cymon is the largest tracker of open-source security reports about phishing, malware, botnets and other maliciousactivities.

NBDServer: Network block Device server for windows with a DFIR/forensic focus via Jeff Bryner

PYIOCpython tools for IOC (Indicator of Compromise) handling via Jeff Bryner

MozDef: The mozilladefense platform – automation of the security incident handling process and facilitate the real-timeactivities of incident handlers. Also via Jeff Bryner (suggested by @sastrytumuluri )

Maltrail: Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists

FIDO by the netflix team for automating incident response.

FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. Fido?s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today’s security stack and the large number of alerts generated by them. As an orchestration platform fido can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.

Fast IR Collector by Sekoialab

This tool collects different artefacts on live windows and records the results in csv files. With the analyses of this artefacts, an early compromission can be detected.

Kansa: A powershell incident response framework

Fast Incident Response by cert societe generale

The awesome Incident Response Collection

SCOT:

The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response management system and knowledge base. Designed by cyber security incident respondersSCOT provides a new approach to manage security alertsanalyze data for deeper patterns, coordinate team efforts, and capture team knowledge. SCOT integrates with existing security applications to provide a consistent, easy to use interface that enhances analyst effectiveness.

LOKI:

Loki – Simple IOC and Incident Response scanner https://www.bsk-consulting.de/loki-free-ioc-scanner/

Volatility & Volatility Autoruns:

Volatility autoruns pluginFinding persistence points (also called ” auto-Start Extensibility Points”, or ASEPs) is a recurring task of any investigation potentially involving malware.To make an analyst’s life a BIT easier, I came up with theautoruns plugin. autoruns basically automates most of the tasks you would need to run when trying to find out where malware is persisting from. Once all the autostart locations are found, they are matched with running processes in memory.

IR_Tool: A simple bash script for digital forensic on linux/unix system

Malcom: Malware Communication Analyzer

Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.

YARA – The pattern matching swiss knife

IRTriage – Incident Response Triage – Windows evidence Collection for forensic analysis

Skydive: An Open Source real-time network topology and protocols analyzer

EMET 5.5. Always relevant to use, especially now that it can block Casey Smith’s (SubTee) regsrv32 applocker bypass. Instructions on that here.

reassemble_dns – NICE tool 2 read pcap files, extract DNS messages &write them into file. IP fragments + TCP streams r reassembled

Mandiant‍ Redline‍ (free and open source) https://www.fireeye.com/services/freeware/redline.html

ANZ Nighthawk‍ / NighthawkResponse‍ is a new incident response tool‍ for Mandiant Redlinehttps://github.com/biggiesmallsAG/nightHawkResponse

DNStwistCrazyParser– Identify typosquatting phishing domains

DNS Probe‍ and DNS_analyze‍ -> Identify, capture and analyze DNS traffic. Linkand Link.

Good tool collection by category on dfir.training blog: http://www.dfir.training/index.php/tools/new

OSXCollector which has now been turned into AMIRA: Automated Malware Incident Response & Analysis

Strake-IR‍ from 9yahds is a Security Incident Response Orchestration solution, 2 seat subscription is free.

IRMA Incident Response Malware Analysis. Today’s defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it. IRMA intends to be an open-source platform designed to help identifying and analyzing malicious files.

New (Nov, 2016): Introducing TheHive: a Scalable, Open Source and Free Incident Response Platform blog.thehive-project.org/2016/11/07/int…

140 free forensics toolshttps://forensiccontrol.com/resources/free-software/

_________

Commercial solutions:

Syncurity IR – Implement a repeatable, scalable, auditable process across your entire security operations and incident response lifecycle.

The Demisto platform – The automation and Collaboration Platform for your security operations center (evaluation of this needed, please let me know if you’ve used this).

Using RiskIQ Inc.‍ Passivetotal‍ for Automated Infrastructure Alerts

Strake-IR‍ from 9yahds is a Security Incident Response Orchestration solution, 2 seat subscription is free. http://9yahds.com/

_________

4. Relevant Blogs/Slides:

Introduction to DFIR https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning

Free reverse engineering tools list https://wiremask.eu/articles/free-reverse-engineering-tools/

(In time this will be completed: https://www.peerlyst.com/blog-post/resource-incident-response-guide)

Incident response must improve! https://www.peerlyst.com/blog-post/security-incident-response-must-improve

Preparing for Incident Response https://www.peerlyst.com/blog-post/incident-response-preparation

Getting Management Buy-in for IR https://blog.peerlyst.com/blog-post/incident-response-management-buyin

Dealing with analyst fatigue https://www.peerlyst.com/blog-post/incident-response-how-do-you-deal-with-analyst-fatigue

The importance of process https://www.peerlyst.com/blog-post/incident-response-the-importance-of-process

Infosecinstitute on SOC: http://resources.infosecinstitute.com/security-operations-center/

10 attributes of a leading SOC https://www.rooksecurity.com/10-attributes-of-a-leading-security-operations-center-soc-in-2014-2/

Automating Forensic Artifact Collection with Splunk and GRR (link)

NoSQL forensics

Report template for threat intelligence and Incident Response (link)

+Added: MS Ignore presentation: Windows Event Forwarding / Centralized logging for everyone via Jessica Payne

How to Manage a Large Volume of Cyber Alerts via securityweek

Extracting a PCAP from memory https://isc.sans.edu/forums/diary/Extracting+pcap+from+memory/20639

Windows commands Abused by attackers http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

Windows 10 and enhanced powershell logging https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

From RSAC‍ 2016 by Mark Russinovich:

“Machine Learning and the Cloud: Disrupting Threat Detection and Prevention”

From RSAC‍ 2016 by Mark Russinovich:

“Tracking Hackers on Your Network with Sysinternals Sysmon”

crowdstrike‍ blog: Recon detection by the blue teamhttp://www.crowdstrike.com/blog/reconnaissance-detection-blue-team/

Improving Incident Response Investigations by JP Bourget‍ https://www.peerlyst.com/posts/improving-incident-response-investigations-jp-bourget-1

WMI persistence‍ blog and how to detect this persistence: http://windowsir.blogspot.lu/2016/04/cool-stuff-re-wmi-persistence.html which includes links to Matt Graeers blackhat US 2015 presentation paper on this topic. and and the DellSecureworks blog about their discovery

Basic Snort Rules Syntax and Usage

SubTee SCT persistence module: https://github.com/subTee/SCTPersistence -> useful to know and be able to detect

Hacking exposed: Computer forensics blog by David Cowen. Lots of good forensics advice to be found.

From BsidesCharm: Hunting threat actors with TLS certificates. Using open source data to defend networks by Mark Parsons / @markpars0ns / mark at accessviolation.org

ELF Shared Library Injection Forensics via backtrace.io

Detecting DNS Tunnels with Packetbeat and Watcher

Data observed from monitoring DNS traffic on a network can be used as an indicator of compromise (IOC). This blog post will discuss how elasticsearch and Watcher can be used with Packetbeat to alert when possible malware activity is detected. Packetbeat is our open source packet analyzer.

Not all IOC scanning is the sameScan that which helps you via BSK-Consulting.

Adversarial Tactics, Techniques, and Common Knowledge by Mitre

Outsourcing the SOC function can make sense. Use cases for managed security services via Securosis‍ thanks Sashank Dara‍ for the link

Diagnosis SOC-atrophy‍ : What To Do When Your Security Operation Center Gets Sick

Proxy server logs for incident response https://www.vanimpe.eu/2016/10/21/proxy-server-logs-incident-response/ via Koen Van‍

Advice on setting up a SOC or multiple SOCs in 1 organizationhttp://www.montance.com/mgt517/#/5/7

Threat hunting for SOCs via Raffael Marty‍:

Original Post: https://www.peerlyst.com/posts/how-to-build-and-run-a-soc-for-incident-response-and-enterprise-defensibility-a-collection-of-resources

Free Online Tools for Looking up Potentially Malicious Websites

Several organizations offer free online tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real time to identify threats:

Any on-line tools that should be on this list, but are missing? Let me know. My other lists of on-line security resources outline Automated Malware Analysis Services and Blocklists of Suspected Malicious IPs and URLs.

Up ↑