Blue Tradecraft

Network Data Analysis

Wireshark and TShark CheatSheets

Follow a Stream in Commandline

The following command prints the contents of TCP stream 1 in ASCII (-q suppresses the per-packet output so only the -z statistics are shown):

.\tshark.exe -r 'dcom.pcap' -qz "follow,tcp,ascii,1"

Packet Total

PacketTotal is a free, online PCAP analyzer designed to visualize network traffic, detect malware, and provide analytics for the traffic contained within it.

https://packettotal.com/

Capturing Network Data with Netsh and converting to PCAP

ETL2PCAPNG: https://github.com/microsoft/etl2pcapng

Windows ships with a native packet capture component called “ndiscap” which is implemented as an ETW trace provider. This tool enables you to view ndiscap packet captures with Wireshark. A capture can be collected with netsh:

netsh trace start capture=yes report=disabled
<repro>
netsh trace stop

Unpacking Malware

Mal Unpack

Dynamic unpacker based on PE-sieve: https://github.com/hasherezade/mal_unpack

Compiling C Code with VSCode

Great Microsoft guide on how to compile C code using VSCode: https://code.visualstudio.com/docs/cpp/config-mingw

Parsers and other Herbs

Cobalt Strike Metadata Parser

  • Parse Cobalt Strike executables to obtain metadata on jitter, delay times and preconfigured variables: https://github.com/Sentinel-One/CobaltStrikeParser

DNS Tunnelling

PacketWhisper

PacketWhisper - Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.

https://github.com/TryCatchHCF/PacketWhisper

Hash Cracking

OphCrack Online Free Rainbow Table Cracking Service

OphCrack can be downloaded and used in Linux/Windows with their rainbow tables, however, for quick cracks, you can also submit a hash online for a quickie: https://www.objectif-securite.ch/en/ophcrack

Email Defense

All organizations deal with different forms of phishing, scams or spam. There are many playbooks out there to deal with these cases. I want to capture here some interesting resources or tools to aid in the response tactics to these types of phishing threats.

Documentation and Best Practices

  • How to Combat Fake Emails: https://www.cyber.gov.au/sites/default/files/2020-05/PROTECT%20-%20How%20to%20Combat%20Fake%20Emails%20%28September%202019%29.pdf. Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System (DNS) configuration. Using DMARC with DomainKeys Identified Mail (DKIM) to sign emails provides further safety against fake emails.
  • Protecting Parked Domains Best Common Practices: https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf. Great document with some simple rules on what are the best practices with DNS records to protect parked or non-existent subdomains.
  • Email Authentication Best Practices: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf. This document recommends a set of best practices for authenticating email messages using the security protocols Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC) and Authenticated Received Chain (ARC).
  • Introduction to Addressing Malicious Domain Registrations: https://www.m3aawg.org/sites/default/files/m3aawg-maliciousdomainregistratinos-2018-06.pdf
  • Best Current Practices for Reporting Phishing URLs: https://www.m3aawg.org/sites/default/files/m3aawg-reporting-phishing-urls-2018-12.pdf
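The guidance above boils down to a few DNS records. The checker below is an added example (not from the page or the linked documents): it parses SPF and DMARC TXT records and flags the weak settings those documents warn about, including the parked-domain case where the only acceptable SPF record is "v=spf1 -all". The sample records and domain names are constructed; in practice the record strings would come from a TXT lookup.

```python
"""Added example: parse SPF/DMARC TXT records and report weak settings."""

def parse_spf(txt):
    """Return the SPF terms and the qualifier of its 'all' mechanism, or None."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    qualifier = None  # stays None when no 'all' mechanism is present
    for term in parts[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"terms": parts[1:], "all": qualifier}

def parse_dmarc(txt):
    """Return the DMARC tag/value pairs as a dict, or None if not a DMARC record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(spf_txt, dmarc_txt, parked=False):
    """List findings for a sending domain, or a parked one when parked=True."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if spf is None:
        findings.append("SPF: no record, any host may claim to send for this domain")
    elif spf["all"] in (None, "+", "?"):  # missing, pass-all or neutral 'all'
        findings.append(f"SPF: permissive 'all' qualifier ({spf['all']})")
    elif parked and spf["terms"] != ["-all"]:
        findings.append("SPF: parked domain should publish exactly 'v=spf1 -all'")
    if dmarc is None:
        findings.append("DMARC: no record, receivers cannot enforce a policy")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, aggregate reports are lost")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC: policy applies to only {dmarc['pct']}% of mail")
    return findings

# Constructed sample records: a sending domain still in monitoring mode,
# and a parked domain configured as the M3AAWG guidance recommends.
SENDING = ("v=spf1 include:_spf.example.net ~all",
           "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
PARKED = ("v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```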

Endpoint Scanners | Yara Rule Scanners | SIGMA Rule Scanners | Anomaly Detectors

Zircolite

  • Python-based, battle-tested, standalone and fast SIGMA-based detection tool for EVTX or JSON
  • Link: https://github.com/wagga40/Zircolite

ChainSaw

  • Kind of like Zircolite but written in Rust, so potentially a bit faster.
  • Caveat: not all Event IDs are considered
  • Link: https://github.com/countercept/chainsaw

DeepBlueCli

  • A PowerShell Module for Threat Hunting via Windows Event Logs developed by the SANS Blue Team.
  • Link: https://github.com/sans-blue-team/DeepBlueCLI

ThorLite

  • Desc
  • Link

ClamAV Commands

Updating ClamAV

  • To update ClamAV in Windows run .\freshclam.exe
  • To update ClamAV in Linux run sudo freshclam (the same updater, installed with the distribution's clamav package)

Proxy Issues

You may run into proxy issues when updating. If so, you need to modify freshclam.conf to account for that (the relevant section of the default configuration file is shown below):

# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
#   http://     HTTP Proxy. Default when no scheme or proxy type is specified.
#   https://    HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
#   socks4://   SOCKS4 Proxy.
#   socks4a://  SOCKS4a Proxy. Proxy resolves URL hostname.
#   socks5://   SOCKS5 Proxy.
#   socks5h://  SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

A one-liner to do this automatically in a pipeline. The whole commented line is replaced (a plain string replace of '#HTTPProxyServer' would leave the example host 'https://proxy.example.com' dangling after your proxy), the port line is uncommented as well, and Set-Content is used rather than Out-File so the file is not rewritten as UTF-16, which freshclam does not parse:

if($env:COMPUTERNAME -eq 'SERVER_BEHIND_PROXY'){(Get-Content .\freshclam.conf) -replace '^#HTTPProxyServer.*$', 'HTTPProxyServer http://your.proxy.com' -replace '^#HTTPProxyPort.*$', 'HTTPProxyPort 1234' | Set-Content .\freshclam.conf}; .\freshclam.exe

Scan with ClamAV

Simple command to scan with ClamAV

.\clamscan.exe --log='clamav_hostname_scan_results.log' --database=.\database --infected --recursive=yes F:

THOR IOC Scanner

Summary

Some notes on how to scan systems with ThorLite.

Scan Systems

Scan all Hard Drives

This will scan all hard disks in intense mode and exclude live process scans

.\thor64-lite.exe --allhds --intense --nocpulimit --c2-in-memory --full-registry --dumpscan --noprocs --nocsv --json --jsonfile "$(pwd)\$($env:COMPUTERNAME)_thor.json" --htmlfile "$(pwd)\$($env:COMPUTERNAME)_thor.html"

Scan a single location

This will scan a single location (F: in this case) in intense mode and exclude live process scans

.\thor64-lite.exe --intense --nocpulimit --c2-in-memory --full-registry --dumpscan --noprocs --nocsv --json --jsonfile "$(pwd)\$($env:COMPUTERNAME)_thor.json" --htmlfile "$(pwd)\$($env:COMPUTERNAME)_thor.html" --path F: