SlideShare a Scribd company logo

Security Analyst Workshop - 20190314

F
Florian Roth

Security analyst workshop slides, with useful tools and services

Education
1 of 34
Download to read offline
Security Analyst Toolset - Workshop Florian Roth, March 2019
This Workshop - Sets of tools and services for analysis tasks - Don’t expect a story line - Summaries, links, examples, screenshots
Starting Points § File Sample § Hash § FQDN § IP
URLs / Links Resources - URL Scan https://urlscan.io - URL Query https://www.urlquery.net - Virustotal https://www.virustotal.com/#/ho me/search Example: https://www.virustotal.com/#/domain/ schoolaredu.com
PassiveTotal / RiskIQ § DNS Infos § Alerting on Changes https://community.riskiq.com/
Censys.io § IP address information § Website information § SSL Certificates (!) https://censys.io/ Example https://censys.io/certificates?q=%22pent est%22 Real World https://censys.io/ipv4?q=+443.https.tls.c ertificate.parsed.names%3A%2Fo%5B10- 9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro %7Csk)%2F
ShodanHQ § Host Info § Open Ports § Banner § Services § Meta Data Examples https://www.shodan.io/explore/popular
String Extraction Linux (strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort -n macOS (gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n https://gist.github.com/Neo23x0/cd4934a06a616ecf6c f44e36f323e551
010 Editor § Hex Editor § Great usability § Relevant Features § String Extraction § Binary Comparison https://www.sweetscape.com/010e ditor/
FireEye FLOSS § String extraction § Obfuscated string extraction § Stack string extraction https://github.com/fireeye/flare-floss Documentation https://github.com/fireeye/flare- floss/blob/master/doc/usage.md
CyberChef § Swiss Army Knife for all encoding / extraction / text based analysis § Many Functions § All types of encodings (UTF16, Base64, hex, charcode …) § Compression (zlib, raw) § Extraction (Regex, IOC parsing, embedded files) § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON) § Recipes § Work like the “|” in the Linux command line § Can be saved as Bookmark or shared with ohers https://gchq.github.io/CyberChef/ Recipes https://github.com/mattnotmax/cyber-chef- recipes
User Agent Analysis § Analyze User-Agent strings (from Sandbox reports, proxy logs etc.) § Get info on the string components and their meanings § Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. BRONZE Butler UA Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1) https://developers.whatismybrowser.c om/useragents/parse/
Virustotal 50 Shades of Virustotal § Sample Uploads (the obvious) § Sample Info (the obvious) § Info on Domains / Hosts § Info on IP Addresses
Virustotal – Domain Info Domain / Host Info - Passive DNS Replication - Related samples - URLs - Domain Siblings Example https://www.virustotal.com/#/domain/cdnveri fy.net
Virustotal – Sample Analysis Examples https://www.virustotal.com/en/file/ 59869db34853933b239f1e2219cf7 d431da006aa919635478511fabbfc 8849d2/analysis/ https://www.virustotal.com/en/file/e7 ba0e7123aaf3a3176b0224f0e374fac3 ecde370eedf3c18ea7d68812eba112/a nalysis/ Fun - hash in many IOC lists: https://otx.alienvault.com/indicator/fil e/620f0b67a91f7f74151bc5be745b71 10 https://www.virustotal.com/en/file/f8 babc70915006740c600e1af5adaaa70 e6ba3d75b16dc4088c569a85b93d519 /analysis/ https://www.virustotal.com/#/file/5a8 8b8d682d63e3319d113a8a573580b88 81e4b7b41e913e8af8358ac4927fb1/c ommunity
Virustotal – Browser Shortcuts Use the browser’s search engine integration for quick access
Virustotal – IP Info IP Info - Passive DNS Replication - Related samples - URLs Example https://www.virustotal.com/#/ip- address/209.99.40.222 Warning: § IP address mapping changes § Multiple domains can be registered to a single provider IP
Virustotal – Enterprise § Search § YARA Rule Sets § Retro Hunts § Graph https://www.virustotal .com/gui/
Virustotal – VTI Dorks Repo with interesting VTI search queries https://github.com/Ne o23x0/vti-dorks
Virustotal – Content Search Search for content in sample base § Strings content:”string” § Byte Chains content:{b1 1e 5f 11 35} https://www.virustotal.com/ gui/
Virustotal – Graph § Graph based analysis § Pivoting to related samples / domains Example https://www.virustotal.com/ graph/g1d606f8f877f92c844 7e2a775d8666a99cd8725d6 43fffc8419ac8196b7b3457/ drawer/node- summary/node/nwinoxior.tk /1552468646010 Demo https://www.youtube.com/w atch?v=17yRtGFq9xc
Malware.one § Free / Registration required § String / Bytes search on big (12 TB) but unknown malware corpus § Search visible to all other users § Result download as TXT § Sample download on request https://malware.one
Hybrid-Analysis § Public Sandbox § Commercial: CrowdStrike’s Falcon Sandbox § Extra Features: § String Search § YARA Search https://www.hybrid-analysis.com/ Example https://www.hybrid- analysis.com/sample/c8f27a014db8fa34 fed08f6d7d50b728a8d49084dc20becdb2 3fff2851bae9cb?environmentId=100
Hybrid-Analysis – String Search Examples: § certutil.exe § 706f7765727368656c6c (hex encoded “powershell”) CyberChef will help https://gchq.github.io/CyberChef/#recip e=Encode_text('UTF16LE%20(1200)'/disa bled)To_Hex('None')&input=cG93ZXJzaG VsbA
Any.Run § Public Sandbox § Special Feature: User Interaction § Pros: § Intuitive layout, uncluttered views § Sample and dropped files download § Sample previews (hex, raw) https://app.any.run/ Example: https://app.any.run/tasks/7c83e4ca -7569-4c8b-8b2d-56bf24f30494
IRIS-H - Static Analysis of Office Docs and the like - Fast results - Denis is working on a dockerized version https://iris-h.services/ Example: https://iris- h.services/#/pages/report/5971707 a8190abea8399a3ff93460b4bea403 252
Antivirus Event Analysis Cheat Sheet § Helps Security Analysts to process Antivirus Events in a purposeful way § Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected § It is much better to evaluate an Antivirus event based on: § Virus Type § Location § User § System § Form § Time https://www.nextron- systems.com/2019/02/06/antivir us-event-analysis-cheat-sheet-v1- 7/
Intezer § Static Analysis Platform § Comparisons based on so called “Genes” § “Strings” are also very interesting https://analyze.intezer.com Example https://analyze.intezer.com/#/analyses/af471fdf- 4b91-405b-aa68-c5221aa3f2d2
APT Groups and Operations Overview § Threat Groups § Campaigns § Malware Mapping https://docs.google.com/spreadsheets/d/1H 9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF X68EKU/
APT Search Engine § Custom Google Search Engine § Includes § Blogs of companies with frequent threat research publications § Sandboxes § APT Notes § IOC Sharing Websites https://cse.google.com/cse?cx=0032484457 20253387346:turlh5vi4xc Sources of the Search https://gist.github.com/Neo23x0/c4f4062934 2769ad0a8f3980942e21d3
Twitter / Tweetdeck § Search Based Panels § #DFIR OR #ThreatHunting OR #SIEM § virustotal.com OR app.any.run OR hybrid- analysis.com OR reverseit.com OR virusbay.io § New Threats / Interesting Detection Methods https://tweetdeck.twitter.com/
Pastebin § Keyword Alerting § Email Addresses § MD5, SHA1, LM, NTLM Hash of company’s default passwords § Internal AD Domain Names § Names of internal projects / systems that should never appear in public locations (you personal project “Sauron”) https://pastebin.com/
Munin § Process a list of Hash IOCs § Get many infos § AV detection rate § Imphah, filenames, type § First / Last submission § User comments (--intense) § Output § Command line output – colorized § CSV Export § Cached infos (JSON) § Lookups § Virustotal § Hybrid-Analysis § Virusbay § Malshare https://github.com/Neo23x0/munin
Questions? Twitter: @cyb3rops

Recommended

Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 

Recommended

Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
 
Red team Engagement
Red team EngagementRed team Engagement
Red team EngagementIndranil Banerjee
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt ScannerFlorian Roth
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Let’s hunt the target using OSINT
Let’s hunt the target using OSINTLet’s hunt the target using OSINT
Let’s hunt the target using OSINTChandrapal Badshah
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINTChristian Martorella
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASPGrupo Gesfor I+D+i
 

More Related Content

What's hot

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Let’s hunt the target using OSINT
Let’s hunt the target using OSINTLet’s hunt the target using OSINT
Let’s hunt the target using OSINTChandrapal Badshah
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 

What's hot (20)

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from Kaspersky
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Let’s hunt the target using OSINT
Let’s hunt the target using OSINTLet’s hunt the target using OSINT
Let’s hunt the target using OSINT
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 

Similar to Security Analyst Workshop - 20190314

Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014Amazon Web Services
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?Sumedt Jitpukdebodin
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kievuisgslide
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
 
Website Testing Practices
Website Testing PracticesWebsite Testing Practices
Website Testing Practicesdeseomar
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 

Similar to Security Analyst Workshop - 20190314 (20)

Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018
 
Website Testing Practices
Website Testing PracticesWebsite Testing Practices
Website Testing Practices
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Azure Websites
Azure WebsitesAzure Websites
Azure Websites
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 

Recently uploaded

How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersChitralekhaTherkar
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPoojaSen20
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 

Recently uploaded (20)

How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of Powders
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 

Security Analyst Workshop - 20190314

  • 1. Security Analyst Toolset - Workshop Florian Roth, March 2019
  • 2. This Workshop - Sets of tools and services for analysis tasks - Don’t expect a story line - Summaries, links, examples, screenshots
  • 3. Starting Points § File Sample § Hash § FQDN § IP
  • 4. URLs / Links Resources - URL Scan https://urlscan.io - URL Query https://www.urlquery.net - Virustotal https://www.virustotal.com/#/ho me/search Example: https://www.virustotal.com/#/domain/ schoolaredu.com
  • 5. PassiveTotal / RiskIQ § DNS Infos § Alerting on Changes https://community.riskiq.com/
  • 6. Censys.io § IP address information § Website information § SSL Certificates (!) https://censys.io/ Example https://censys.io/certificates?q=%22pent est%22 Real World https://censys.io/ipv4?q=+443.https.tls.c ertificate.parsed.names%3A%2Fo%5B10- 9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro %7Csk)%2F
  • 7. ShodanHQ § Host Info § Open Ports § Banner § Services § Meta Data Examples https://www.shodan.io/explore/popular
  • 8. String Extraction Linux (strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort -n macOS (gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n https://gist.github.com/Neo23x0/cd4934a06a616ecf6c f44e36f323e551
  • 9. 010 Editor § Hex Editor § Great usability § Relevant Features § String Extraction § Binary Comparison https://www.sweetscape.com/010e ditor/
  • 10. FireEye FLOSS § String extraction § Obfuscated string extraction § Stack string extraction https://github.com/fireeye/flare-floss Documentation https://github.com/fireeye/flare- floss/blob/master/doc/usage.md
  • 11. CyberChef § Swiss Army Knife for all encoding / extraction / text based analysis § Many Functions § All types of encodings (UTF16, Base64, hex, charcode …) § Compression (zlib, raw) § Extraction (Regex, IOC parsing, embedded files) § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON) § Recipes § Work like the “|” in the Linux command line § Can be saved as Bookmark or shared with ohers https://gchq.github.io/CyberChef/ Recipes https://github.com/mattnotmax/cyber-chef- recipes
  • 12. User Agent Analysis § Analyze User-Agent strings (from Sandbox reports, proxy logs etc.) § Get info on the string components and their meanings § Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. BRONZE Butler UA Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1) https://developers.whatismybrowser.c om/useragents/parse/
  • 13. Virustotal 50 Shades of Virustotal § Sample Uploads (the obvious) § Sample Info (the obvious) § Info on Domains / Hosts § Info on IP Addresses
  • 14. Virustotal – Domain Info Domain / Host Info - Passive DNS Replication - Related samples - URLs - Domain Siblings Example https://www.virustotal.com/#/domain/cdnveri fy.net
  • 15. Virustotal – Sample Analysis Examples https://www.virustotal.com/en/file/ 59869db34853933b239f1e2219cf7 d431da006aa919635478511fabbfc 8849d2/analysis/ https://www.virustotal.com/en/file/e7 ba0e7123aaf3a3176b0224f0e374fac3 ecde370eedf3c18ea7d68812eba112/a nalysis/ Fun - hash in many IOC lists: https://otx.alienvault.com/indicator/fil e/620f0b67a91f7f74151bc5be745b71 10 https://www.virustotal.com/en/file/f8 babc70915006740c600e1af5adaaa70 e6ba3d75b16dc4088c569a85b93d519 /analysis/ https://www.virustotal.com/#/file/5a8 8b8d682d63e3319d113a8a573580b88 81e4b7b41e913e8af8358ac4927fb1/c ommunity
  • 16. Virustotal – Browser Shortcuts Use the browser’s search engine integration for quick access
  • 17. Virustotal – IP Info IP Info - Passive DNS Replication - Related samples - URLs Example https://www.virustotal.com/#/ip- address/209.99.40.222 Warning: § IP address mapping changes § Multiple domains can be registered to a single provider IP
  • 18. Virustotal – Enterprise § Search § YARA Rule Sets § Retro Hunts § Graph https://www.virustotal .com/gui/
  • 19. Virustotal – VTI Dorks Repo with interesting VTI search queries https://github.com/Ne o23x0/vti-dorks
  • 20. Virustotal – Content Search Search for content in sample base § Strings content:”string” § Byte Chains content:{b1 1e 5f 11 35} https://www.virustotal.com/ gui/
  • 21. Virustotal – Graph § Graph based analysis § Pivoting to related samples / domains Example https://www.virustotal.com/ graph/g1d606f8f877f92c844 7e2a775d8666a99cd8725d6 43fffc8419ac8196b7b3457/ drawer/node- summary/node/nwinoxior.tk /1552468646010 Demo https://www.youtube.com/w atch?v=17yRtGFq9xc
  • 22. Malware.one § Free / Registration required § String / Bytes search on big (12 TB) but unknown malware corpus § Search visible to all other users § Result download as TXT § Sample download on request https://malware.one
  • 23. Hybrid-Analysis § Public Sandbox § Commercial: CrowdStrike’s Falcon Sandbox § Extra Features: § String Search § YARA Search https://www.hybrid-analysis.com/ Example https://www.hybrid- analysis.com/sample/c8f27a014db8fa34 fed08f6d7d50b728a8d49084dc20becdb2 3fff2851bae9cb?environmentId=100
  • 24. Hybrid-Analysis – String Search Examples: § certutil.exe § 706f7765727368656c6c (hex encoded “powershell”) CyberChef will help https://gchq.github.io/CyberChef/#recip e=Encode_text('UTF16LE%20(1200)'/disa bled)To_Hex('None')&input=cG93ZXJzaG VsbA
  • 25. Any.Run § Public Sandbox § Special Feature: User Interaction § Pros: § Intuitive layout, uncluttered views § Sample and dropped files download § Sample previews (hex, raw) https://app.any.run/ Example: https://app.any.run/tasks/7c83e4ca -7569-4c8b-8b2d-56bf24f30494
  • 26. IRIS-H - Static Analysis of Office Docs and the like - Fast results - Denis is working on a dockerized version https://iris-h.services/ Example: https://iris- h.services/#/pages/report/5971707 a8190abea8399a3ff93460b4bea403 252
  • 27. Antivirus Event Analysis Cheat Sheet § Helps Security Analysts to process Antivirus Events in a purposeful way § Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected § It is much better to evaluate an Antivirus event based on: § Virus Type § Location § User § System § Form § Time https://www.nextron- systems.com/2019/02/06/antivir us-event-analysis-cheat-sheet-v1- 7/
  • 28. Intezer § Static Analysis Platform § Comparisons based on so called “Genes” § “Strings” are also very interesting https://analyze.intezer.com Example https://analyze.intezer.com/#/analyses/af471fdf- 4b91-405b-aa68-c5221aa3f2d2
  • 29. APT Groups and Operations Overview § Threat Groups § Campaigns § Malware Mapping https://docs.google.com/spreadsheets/d/1H 9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF X68EKU/
  • 30. APT Search Engine § Custom Google Search Engine § Includes § Blogs of companies with frequent threat research publications § Sandboxes § APT Notes § IOC Sharing Websites https://cse.google.com/cse?cx=0032484457 20253387346:turlh5vi4xc Sources of the Search https://gist.github.com/Neo23x0/c4f4062934 2769ad0a8f3980942e21d3
  • 31. Twitter / Tweetdeck § Search Based Panels § #DFIR OR #ThreatHunting OR #SIEM § virustotal.com OR app.any.run OR hybrid- analysis.com OR reverseit.com OR virusbay.io § New Threats / Interesting Detection Methods https://tweetdeck.twitter.com/
  • 32. Pastebin § Keyword Alerting § Email Addresses § MD5, SHA1, LM, NTLM Hash of company’s default passwords § Internal AD Domain Names § Names of internal projects / systems that should never appear in public locations (you personal project “Sauron”) https://pastebin.com/
  • 33. Munin § Process a list of Hash IOCs § Get many infos § AV detection rate § Imphah, filenames, type § First / Last submission § User comments (--intense) § Output § Command line output – colorized § CSV Export § Cached infos (JSON) § Lookups § Virustotal § Hybrid-Analysis § Virusbay § Malshare https://github.com/Neo23x0/munin