SlideShare a Scribd company logo

Security Analyst Workshop - 20200212

F
Florian Roth

This document summarizes a security analyst toolset workshop. It lists various online tools and services for security analysis tasks like investigating file samples, hashes, domains, IPs, and extracting strings. Tools covered include URL scanners, passive DNS tools, Shodan, Virustotal, hybrid analysis, Any.Run, Cybereason Iris, Antivirus event analysis, and more. Twitter, pastebin, and other open sources are also mentioned for threat hunting and monitoring.

1 of 38
Download to read offline
Security Analyst Toolset - Workshop Florian Roth, February 2020
This Workshop - Sets of tools and services for analysis tasks - Don’t expect a story line - Slides contain: key features, links, examples, screenshots
Starting Points of Investigations § File Sample § Hash § FQDN § IP
URLs / Links Resources - URL Scan https://urlscan.io - URL Query https://www.urlquery.net - Virustotal https://www.virustotal.com/#/ho me/search Example: https://www.virustotal.com/#/domain/ schoolaredu.com
PassiveTotal / RiskIQ § DNS Infos § Alerting on Changes https://community.riskiq.com/
Censys.io § IP address information § Website information § SSL Certificates (!) https://censys.io/ Example https://censys.io/certificates?q=%22pent est%22 Real World https://censys.io/ipv4?q=+443.https.tls.c ertificate.parsed.names%3A%2Fo%5B10- 9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro %7Csk)%2F
ShodanHQ § Host Info § Open Ports § Banner § Services § Meta Data Examples https://www.shodan.io/explore/popular
String Extraction Linux (strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort -n macOS (gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n https://gist.github.com/Neo23x0/cd4934a06a616ecf6c f44e36f323e551
010 Editor § Hex Editor § Great usability § Relevant Features § String Extraction § Binary Comparison https://www.sweetscape.com/010e ditor/
FireEye FLOSS § String extraction § Obfuscated string extraction § Stack string extraction https://github.com/fireeye/flare-floss Documentation https://github.com/fireeye/flare- floss/blob/master/doc/usage.md
FireEye Stringsifter § String evaluation § ranks strings based on their relevance for malware analysis https://github.com/fireeye/stringsifter Can be combined with 010 Editor (script by my co-worker Tobias Michalski) https://www.sweetscape.com/010editor/r epository/scripts/file_info.php?file=RateStr ings.1sc&type=1&sort= Technical Blog Post https://www.fireeye.com/blog/threat- research/2019/05/learning-to-rank-strings- output-for-speedier-malware-analysis.html
CyberChef § Swiss Army Knife for all encoding / extraction / text based analysis § Many Functions § All types of encodings (UTF16, Base64, hex, charcode …) § Compression (zlib, raw) § Extraction (Regex, IOC parsing, embedded files) § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON) § Recipes § Work like the “|” in the Linux command line § Can be saved as Bookmark or shared with ohers https://gchq.github.io/CyberChef/ Recipes https://github.com/mattnotmax/cyber-chef- recipes
Top Base64 Encoding Learning Aid § Helps you learn the most common Base64 patterns found in malware § Features a mnemonic aid and emoticon (dual coding – learning style) https://gist.github.com/N eo23x0/6af876ee72b5167 6c82a2db8d2cd3639
User Agent Analysis § Analyze User-Agent strings (from Sandbox reports, proxy logs etc.) § Get info on the string components and their meanings § Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. BRONZE Butler UA Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1) https://developers.whatismybrowser.c om/useragents/parse/
Virustotal 50 Shades of Virustotal § Sample Uploads (the obvious) § Sample Info (the obvious) § Info on Domains / Hosts § Info on IP Addresses
Virustotal – Domain Info Domain / Host Info - Passive DNS Replication - Related samples - URLs - Domain Siblings Example https://www.virustotal.com/#/domain/cdnveri fy.net
Virustotal – Sample Analysis Examples https://www.virustotal.com/en/file/ 59869db34853933b239f1e2219cf7 d431da006aa919635478511fabbfc 8849d2/analysis/ https://www.virustotal.com/en/file/e7 ba0e7123aaf3a3176b0224f0e374fac3 ecde370eedf3c18ea7d68812eba112/a nalysis/ Fun - hash in many IOC lists: https://otx.alienvault.com/indicator/fil e/620f0b67a91f7f74151bc5be745b71 10 https://www.virustotal.com/en/file/f8 babc70915006740c600e1af5adaaa70 e6ba3d75b16dc4088c569a85b93d519 /analysis/ https://www.virustotal.com/#/file/5a8 8b8d682d63e3319d113a8a573580b88 81e4b7b41e913e8af8358ac4927fb1/c ommunity
Virustotal – Browser Shortcuts Use the browser’s search engine integration for quick access
Virustotal – IP Info IP Info - Passive DNS Replication - Related samples - URLs Example https://www.virustotal.com/#/ip- address/209.99.40.222 Warning: § IP address mapping changes § Multiple domains can be registered to a single provider IP
Virustotal – Enterprise § Search § YARA Rule Sets § Retro Hunts § Graph https://www.virustotal .com/gui/
Virustotal – VTI Dorks Repo with interesting VTI search queries https://github.com/Ne o23x0/vti-dorks
Virustotal – Content Search Search for content in sample base § Strings content:”string” § Byte Chains content:{b1 1e 5f 11 35} https://www.virustotal.com/ gui/
Virustotal – Graph § Graph based analysis § Pivoting to related samples / domains Example https://www.virustotal.com/ graph/g1d606f8f877f92c844 7e2a775d8666a99cd8725d6 43fffc8419ac8196b7b3457/ drawer/node- summary/node/nwinoxior.tk /1552468646010 Demo https://www.youtube.com/w atch?v=17yRtGFq9xc
Malware.one § Free / Registration required § String / Bytes search on big (12 TB) but unknown malware corpus § Search visible to all other users § Result download as TXT § Sample download on request https://malware.one
Hybrid-Analysis § Public Sandbox § Commercial: CrowdStrike’s Falcon Sandbox § Extra Features: § String Search § YARA Search § Imphash Search > Report Serach > Advanced > More Options https://www.hybrid-analysis.com/ Example https://www.hybrid- analysis.com/sample/c8f27a014db8fa34 fed08f6d7d50b728a8d49084dc20becdb2 3fff2851bae9cb?environmentId=100
Hybrid-Analysis – String Search Examples: § certutil.exe § 706f7765727368656c6c (hex encoded “powershell”) CyberChef will help https://gchq.github.io/CyberChef/#recip e=Encode_text('UTF16LE%20(1200)'/disa bled)To_Hex('None')&input=cG93ZXJzaG VsbA
Any.Run § Public Sandbox § Special Feature: User Interaction § Pros: § Intuitive layout, uncluttered views § Sample and dropped files download § Sample previews (hex, raw) https://app.any.run/ Example: https://app.any.run/tasks/7c83e4ca -7569-4c8b-8b2d-56bf24f30494
IRIS-H - Static Analysis of Office Docs and the like - Fast results - Denis is working on a dockerized version https://iris-h.services/ Example: https://iris- h.services/#/pages/report/5971707 a8190abea8399a3ff93460b4bea403 252
Antivirus Event Analysis Cheat Sheet § Helps Security Analysts to process Antivirus Events in a purposeful way § Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected § It is much better to evaluate an Antivirus event based on: § Virus Type § Location § User § System § Form § Time https://www.nextron- systems.com/2019/10/04/antivir us-event-analysis-cheat-sheet-v1- 7-2/
Intezer § Static Analysis Platform § Comparisons based on so called “Genes” § “Strings” are also very interesting https://analyze.intezer.com Example https://analyze.intezer.com/#/analyses/af471fdf- 4b91-405b-aa68-c5221aa3f2d2
APT Groups and Operations Overview § Threat Groups § Campaigns § Malware Mapping https://docs.google.com/spreadsheets/d/1H 9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF X68EKU/
APT Search Engine § Custom Google Search Engine § Includes § Blogs of companies with frequent threat research publications § Sandboxes § APT Notes § IOC Sharing Websites https://cse.google.com/cse?cx=0032484457 20253387346:turlh5vi4xc Sources of the Search https://gist.github.com/Neo23x0/c4f4062934 2769ad0a8f3980942e21d3
Twitter / Tweetdeck § Search Based Panels § #DFIR OR #ThreatHunting OR #SIEM § virustotal.com OR app.any.run OR hybrid- analysis.com OR reverseit.com OR virusbay.io § New Threats / Interesting Detection Methods https://tweetdeck.twitter.com/
Pastebin § Keyword Alerting § Email Addresses § MD5, SHA1, LM, NTLM Hash of company’s default passwords § Internal AD Domain Names § Names of internal projects / systems that should never appear in public locations (you personal project “Sauron”) https://pastebin.com/
Munin § Process a list of Hash IOCs § Get many infos § AV detection rate § Imphah, filenames, type § First / Last submission § User comments (--intense) § Output § Command line output – colorized § CSV Export § Cached infos (JSON) § Lookups § Virustotal § Hybrid-Analysis § Virusbay § Malshare https://github.com/Neo23x0/munin
Unfurl § takes a URL and expands it into a directed graph https://dfir.blog/unfurl/ Blog https://dfir.blog/introducing-unfurl/
InQuest Labs § Different online tools, e.g. § Base64 regular expressions generator § Mixed ex case generator https://labs.inquest.net/
Questions? Twitter: @cyb3rops

More Related Content

Security Analyst Workshop - 20200212

  • 1. Security Analyst Toolset - Workshop Florian Roth, February 2020
  • 2. This Workshop - Sets of tools and services for analysis tasks - Don’t expect a story line - Slides contain: key features, links, examples, screenshots
  • 3. Starting Points of Investigations § File Sample § Hash § FQDN § IP
  • 4. URLs / Links Resources - URL Scan https://urlscan.io - URL Query https://www.urlquery.net - Virustotal https://www.virustotal.com/#/ho me/search Example: https://www.virustotal.com/#/domain/ schoolaredu.com
  • 5. PassiveTotal / RiskIQ § DNS Infos § Alerting on Changes https://community.riskiq.com/
  • 6. Censys.io § IP address information § Website information § SSL Certificates (!) https://censys.io/ Example https://censys.io/certificates?q=%22pent est%22 Real World https://censys.io/ipv4?q=+443.https.tls.c ertificate.parsed.names%3A%2Fo%5B10- 9%5D%7B4%2C4%7D%5C.(at%7Ccz%7Cro %7Csk)%2F
  • 7. ShodanHQ § Host Info § Open Ports § Banner § Services § Meta Data Examples https://www.shodan.io/explore/popular
  • 8. String Extraction Linux (strings -a -td "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; strings -a -td -el "$@" | sed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort -n macOS (gstrings -a -td "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 A 2/' ; gstrings -a -td -el "$@" | gsed 's/^(s*[0-9][0-9]*) (.*)$/1 W 2/') | sort –n https://gist.github.com/Neo23x0/cd4934a06a616ecf6c f44e36f323e551
  • 9. 010 Editor § Hex Editor § Great usability § Relevant Features § String Extraction § Binary Comparison https://www.sweetscape.com/010e ditor/
  • 10. FireEye FLOSS § String extraction § Obfuscated string extraction § Stack string extraction https://github.com/fireeye/flare-floss Documentation https://github.com/fireeye/flare- floss/blob/master/doc/usage.md
  • 11. FireEye Stringsifter § String evaluation § ranks strings based on their relevance for malware analysis https://github.com/fireeye/stringsifter Can be combined with 010 Editor (script by my co-worker Tobias Michalski) https://www.sweetscape.com/010editor/r epository/scripts/file_info.php?file=RateStr ings.1sc&type=1&sort= Technical Blog Post https://www.fireeye.com/blog/threat- research/2019/05/learning-to-rank-strings- output-for-speedier-malware-analysis.html
  • 12. CyberChef § Swiss Army Knife for all encoding / extraction / text based analysis § Many Functions § All types of encodings (UTF16, Base64, hex, charcode …) § Compression (zlib, raw) § Extraction (Regex, IOC parsing, embedded files) § Other cool stuff (defang URLs, XOR Brute Force, CSV to JSON) § Recipes § Work like the “|” in the Linux command line § Can be saved as Bookmark or shared with ohers https://gchq.github.io/CyberChef/ Recipes https://github.com/mattnotmax/cyber-chef- recipes
  • 13. Top Base64 Encoding Learning Aid § Helps you learn the most common Base64 patterns found in malware § Features a mnemonic aid and emoticon (dual coding – learning style) https://gist.github.com/N eo23x0/6af876ee72b5167 6c82a2db8d2cd3639
  • 14. User Agent Analysis § Analyze User-Agent strings (from Sandbox reports, proxy logs etc.) § Get info on the string components and their meanings § Evaluate how prevalent a certain User-Agent is (is it usable for detection? E.g. BRONZE Butler UA Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1) https://developers.whatismybrowser.c om/useragents/parse/
  • 15. Virustotal 50 Shades of Virustotal § Sample Uploads (the obvious) § Sample Info (the obvious) § Info on Domains / Hosts § Info on IP Addresses
  • 16. Virustotal – Domain Info Domain / Host Info - Passive DNS Replication - Related samples - URLs - Domain Siblings Example https://www.virustotal.com/#/domain/cdnveri fy.net
  • 17. Virustotal – Sample Analysis Examples https://www.virustotal.com/en/file/ 59869db34853933b239f1e2219cf7 d431da006aa919635478511fabbfc 8849d2/analysis/ https://www.virustotal.com/en/file/e7 ba0e7123aaf3a3176b0224f0e374fac3 ecde370eedf3c18ea7d68812eba112/a nalysis/ Fun - hash in many IOC lists: https://otx.alienvault.com/indicator/fil e/620f0b67a91f7f74151bc5be745b71 10 https://www.virustotal.com/en/file/f8 babc70915006740c600e1af5adaaa70 e6ba3d75b16dc4088c569a85b93d519 /analysis/ https://www.virustotal.com/#/file/5a8 8b8d682d63e3319d113a8a573580b88 81e4b7b41e913e8af8358ac4927fb1/c ommunity
  • 18. Virustotal – Browser Shortcuts Use the browser’s search engine integration for quick access
  • 19. Virustotal – IP Info IP Info - Passive DNS Replication - Related samples - URLs Example https://www.virustotal.com/#/ip- address/209.99.40.222 Warning: § IP address mapping changes § Multiple domains can be registered to a single provider IP
  • 20. Virustotal – Enterprise § Search § YARA Rule Sets § Retro Hunts § Graph https://www.virustotal .com/gui/
  • 21. Virustotal – VTI Dorks Repo with interesting VTI search queries https://github.com/Ne o23x0/vti-dorks
  • 22. Virustotal – Content Search Search for content in sample base § Strings content:”string” § Byte Chains content:{b1 1e 5f 11 35} https://www.virustotal.com/ gui/
  • 23. Virustotal – Graph § Graph based analysis § Pivoting to related samples / domains Example https://www.virustotal.com/ graph/g1d606f8f877f92c844 7e2a775d8666a99cd8725d6 43fffc8419ac8196b7b3457/ drawer/node- summary/node/nwinoxior.tk /1552468646010 Demo https://www.youtube.com/w atch?v=17yRtGFq9xc
  • 24. Malware.one § Free / Registration required § String / Bytes search on big (12 TB) but unknown malware corpus § Search visible to all other users § Result download as TXT § Sample download on request https://malware.one
  • 25. Hybrid-Analysis § Public Sandbox § Commercial: CrowdStrike’s Falcon Sandbox § Extra Features: § String Search § YARA Search § Imphash Search > Report Serach > Advanced > More Options https://www.hybrid-analysis.com/ Example https://www.hybrid- analysis.com/sample/c8f27a014db8fa34 fed08f6d7d50b728a8d49084dc20becdb2 3fff2851bae9cb?environmentId=100
  • 26. Hybrid-Analysis – String Search Examples: § certutil.exe § 706f7765727368656c6c (hex encoded “powershell”) CyberChef will help https://gchq.github.io/CyberChef/#recip e=Encode_text('UTF16LE%20(1200)'/disa bled)To_Hex('None')&input=cG93ZXJzaG VsbA
  • 27. Any.Run § Public Sandbox § Special Feature: User Interaction § Pros: § Intuitive layout, uncluttered views § Sample and dropped files download § Sample previews (hex, raw) https://app.any.run/ Example: https://app.any.run/tasks/7c83e4ca -7569-4c8b-8b2d-56bf24f30494
  • 28. IRIS-H - Static Analysis of Office Docs and the like - Fast results - Denis is working on a dockerized version https://iris-h.services/ Example: https://iris- h.services/#/pages/report/5971707 a8190abea8399a3ff93460b4bea403 252
  • 29. Antivirus Event Analysis Cheat Sheet § Helps Security Analysts to process Antivirus Events in a purposeful way § Because: It is wrong to handle Antivirus events based on their status: Deleted, Deletion Failed, Detected § It is much better to evaluate an Antivirus event based on: § Virus Type § Location § User § System § Form § Time https://www.nextron- systems.com/2019/10/04/antivir us-event-analysis-cheat-sheet-v1- 7-2/
  • 30. Intezer § Static Analysis Platform § Comparisons based on so called “Genes” § “Strings” are also very interesting https://analyze.intezer.com Example https://analyze.intezer.com/#/analyses/af471fdf- 4b91-405b-aa68-c5221aa3f2d2
  • 31. APT Groups and Operations Overview § Threat Groups § Campaigns § Malware Mapping https://docs.google.com/spreadsheets/d/1H 9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePF X68EKU/
  • 32. APT Search Engine § Custom Google Search Engine § Includes § Blogs of companies with frequent threat research publications § Sandboxes § APT Notes § IOC Sharing Websites https://cse.google.com/cse?cx=0032484457 20253387346:turlh5vi4xc Sources of the Search https://gist.github.com/Neo23x0/c4f4062934 2769ad0a8f3980942e21d3
  • 33. Twitter / Tweetdeck § Search Based Panels § #DFIR OR #ThreatHunting OR #SIEM § virustotal.com OR app.any.run OR hybrid- analysis.com OR reverseit.com OR virusbay.io § New Threats / Interesting Detection Methods https://tweetdeck.twitter.com/
  • 34. Pastebin § Keyword Alerting § Email Addresses § MD5, SHA1, LM, NTLM Hash of company’s default passwords § Internal AD Domain Names § Names of internal projects / systems that should never appear in public locations (you personal project “Sauron”) https://pastebin.com/
  • 35. Munin § Process a list of Hash IOCs § Get many infos § AV detection rate § Imphah, filenames, type § First / Last submission § User comments (--intense) § Output § Command line output – colorized § CSV Export § Cached infos (JSON) § Lookups § Virustotal § Hybrid-Analysis § Virusbay § Malshare https://github.com/Neo23x0/munin
  • 36. Unfurl § takes a URL and expands it into a directed graph https://dfir.blog/unfurl/ Blog https://dfir.blog/introducing-unfurl/
  • 37. InQuest Labs § Different online tools, e.g. § Base64 regular expressions generator § Mixed ex case generator https://labs.inquest.net/