Network Data Analysis
Wireshark and TShark CheatSheets
- Great guide on packet analysis: https://dfirmadness.com/case-001-pcap-analysis/
- https://wiki.sans.blue/Tools/pdfs/tshark.pdf
- https://cheatography.com/mbwalker/cheat-sheets/tshark-wireshark-command-line/
Follow a Stream in Commandline
The following command will display the TCP payload of stream 1 as ASCII:
.\tshark.exe -r 'dcom.pcap' -qz "follow,tcp,ascii,1"
Packet Total
PacketTotal is a free, online PCAP analyzer designed to visualize network traffic, detect malware, and provide analytics for the traffic contained within a capture.
https://packettotal.com/
Capturing Network Data with Netsh and converting to PCAP
ETL2PCAPNG: https://github.com/microsoft/etl2pcapng
Windows ships with a native packet capture component called "ndiscap", which is implemented as an ETW trace provider. This tool lets you view ndiscap packet captures with Wireshark. A capture can be collected with netsh:
netsh trace start capture=yes report=disabled
<repro>
netsh trace stop
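The capture, conversion and stream-follow steps above chained into one script, as an added example that is not from the original notes. It assumes etl2pcapng.exe and tshark.exe are on PATH and the shell is elevated (netsh trace requires administrator rights); the file names and stream number are placeholders.

```powershell
# Added example: netsh (ndiscap) capture -> etl2pcapng -> tshark follow.
# Assumes an elevated shell and etl2pcapng.exe / tshark.exe on PATH.
param(
    [string]$Etl    = "$PWD\capture.etl",     # placeholder output path
    [string]$Pcapng = "$PWD\capture.pcapng",  # placeholder output path
    [int]$Stream    = 1                       # TCP stream index to follow
)

# Start the capture; report=disabled skips the slow .cab report generation.
netsh trace start capture=yes report=disabled tracefile="$Etl" overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

try {
    # This is the <repro> step: reproduce the behaviour you want captured.
    Read-Host "Reproduce the issue now, then press Enter to stop the capture"
}
finally {
    # Always stop the trace, even if the repro step is aborted.
    netsh trace stop | Out-Null
}

# Convert the ETW trace to pcapng so Wireshark and tshark can read it.
& etl2pcapng.exe $Etl $Pcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed ($LASTEXITCODE)" }

# Triage: list TCP conversations to pick a stream, then follow it as ASCII.
& tshark.exe -r $Pcapng -q -z conv,tcp
& tshark.exe -r $Pcapng -q -z "follow,tcp,ascii,$Stream"
```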
Unpacking Malware
Mal Unpack
Dynamic unpacker based on PE-sieve: https://github.com/hasherezade/mal_unpack
Compiling C Code with VSCode
Great Microsoft guide on how to compile C code using VSCode: https://code.visualstudio.com/docs/cpp/config-mingw
Parsers and other Herbs
Cobalt Strike Metadata Parser
- Parse Cobalt Strike executables to obtain metadata on jitter, delay times and preconfigured variables: https://github.com/Sentinel-One/CobaltStrikeParser
DNS Tunnelling
PacketWhisper
PacketWhisper - Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.
https://github.com/TryCatchHCF/PacketWhisper
Hash Cracking
OphCrack Online Free Rainbow Table Cracking Service
Ophcrack can be downloaded and run on Linux/Windows with its rainbow tables; for a quick check, you can also submit a hash to the online cracker: https://www.objectif-securite.ch/en/ophcrack
Email Defense
All organizations deal with different forms of phishing, scams or spam. There are many playbooks out there to deal with these cases. I want to capture here some interesting resources and tools to aid in the response tactics for these types of phishing threats.
Documentation and Best Practices
- How to Combat Fake Emails: https://www.cyber.gov.au/sites/default/files/2020-05/PROTECT%20-%20How%20to%20Combat%20Fake%20Emails%20%28September%202019%29.pdf. Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System (DNS) configuration. Using DMARC with DomainKeys Identified Mail (DKIM) to sign emails provides further safety against fake emails.
- Protecting Parked Domains Best Common Practices: https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf. Great document with some simple rules on what are the best practices with DNS records to protect parked or non-existent subdomains.
- Email Authentication Best Practices: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf. This document recommends a set of best practices for authenticating email messages using the security protocols Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC) and Authenticated Received Chain (ARC).
- Introduction to Addressing Malicious Domain Registrations: https://www.m3aawg.org/sites/default/files/m3aawg-maliciousdomainregistratinos-2018-06.pdf
- Best Current Practices for Reporting Phishing URLs: https://www.m3aawg.org/sites/default/files/m3aawg-reporting-phishing-urls-2018-12.pdf
Endpoint Scanners | Yara Rule Scanners | SIGMA Rule Scanners | Anomaly Detectors
Zircolite
- Python-based, battle-tested, standalone and fast SIGMA-based detection tool for EVTX or JSON
- Link: https://github.com/wagga40/Zircolite
ChainSaw
- Similar to Zircolite but written in Rust, so potentially a bit faster.
- Caveat: not all Event IDs are covered by its rules.
- Link: https://github.com/countercept/chainsaw
DeepBlueCli
- A PowerShell Module for Threat Hunting via Windows Event Logs developed by the SANS Blue Team.
- Link: https://github.com/sans-blue-team/DeepBlueCLI
ThorLite
- Desc
- Link
ClamAV Commands
Updating ClamAV
- To update ClamAV in Windows run
.\freshclam.exe
- To update ClamAV in Linux run
sudo freshclam
Proxy Issues
You may run into proxy issues when updating; if so, you need to modify freshclam.conf to account for that:
# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
# socks4:// SOCKS4 Proxy.
# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
# socks5:// SOCKS5 Proxy.
# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
A one-liner to do this automatically in a pipeline (it replaces the whole commented-out line so the example URL from the shipped config is not left behind, writes the file as ASCII because Out-File defaults to UTF-16 in Windows PowerShell, and then runs the update):
if($env:COMPUTERNAME -eq 'SERVER_BEHIND_PROXY'){ ((Get-Content .\freshclam.conf) -replace '^#HTTPProxyServer.*', 'HTTPProxyServer http://your.proxy.com') | Set-Content .\freshclam.conf -Encoding ascii }; .\freshclam.exe
Scan with ClamAV
Simple command to scan with ClamAV
.\clamscan.exe --log='clamav_hostname_scan_results.log' --database=.\database --infected --recursive=yes F:
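The update and scan steps above, including the proxy handling, as an added example script that is not part of the original notes. It assumes it runs from the ClamAV install directory (freshclam.exe, clamscan.exe and the database folder alongside); the proxy host, port and host name are placeholders, and it maps clamscan's exit codes (0 clean, 1 infected, 2 error) to a result.

```powershell
# Added example: proxy-aware freshclam update followed by a clamscan run.
# Assumes the current directory is the ClamAV install directory.
param(
    [string]$ScanPath  = 'F:\',
    [string]$ProxyHost = 'http://your.proxy.com',            # placeholder
    [int]$ProxyPort    = 3128,                                # placeholder
    [string[]]$HostsBehindProxy = @('SERVER_BEHIND_PROXY')    # placeholder
)

$conf = Join-Path $PWD 'freshclam.conf'

if ($env:COMPUTERNAME -in $HostsBehindProxy) {
    # Replace the whole (possibly commented-out) directive lines, so the
    # example values from the shipped config do not survive next to ours.
    $lines = Get-Content $conf
    $lines = $lines -replace '^#?HTTPProxyServer\b.*', "HTTPProxyServer $ProxyHost"
    $lines = $lines -replace '^#?HTTPProxyPort\b.*',   "HTTPProxyPort $ProxyPort"
    # Write ASCII explicitly: Out-File defaults to UTF-16LE in Windows
    # PowerShell, which freshclam cannot parse.
    Set-Content -Path $conf -Value $lines -Encoding ascii
}

# Update signatures; a failed update is a hard stop, not a silent fallback.
& .\freshclam.exe
if ($LASTEXITCODE -ne 0) { throw "freshclam failed with exit code $LASTEXITCODE" }

# Scan and log only infected files, one log per host for easy collection.
$log = "clamav_$($env:COMPUTERNAME)_scan_results.log"
& .\clamscan.exe --log=$log --database=.\database --infected --recursive=yes $ScanPath

# clamscan exit codes: 0 = no virus found, 1 = virus(es) found, 2 = error.
switch ($LASTEXITCODE) {
    0       { Write-Host "Clean: no infected files found under $ScanPath" }
    1       { Write-Warning "Infected files found; see $log" }
    default { Write-Error "clamscan error (exit code $LASTEXITCODE); see $log" }
}
```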
THOR IOC Scanner
Summary
Some notes on how to scan systems with THOR Lite.
Scan Systems
Scan all Hard Drives
This will scan all hard disks in intense mode and exclude live process scans:
.\thor64-lite.exe --allhds --intense --nocpulimit --c2-in-memory --full-registry --dumpscan --noprocs --nocsv --json --jsonfile "$(pwd)\$($env:COMPUTERNAME)_thor.json" --htmlfile "$(pwd)\$($env:COMPUTERNAME)_thor.html"
Scan a single location
This will scan a single location (F: in this case) in intense mode and exclude live process scans:
.\thor64-lite.exe --intense --nocpulimit --c2-in-memory --full-registry --dumpscan --noprocs --nocsv --json --jsonfile "$(pwd)\$($env:COMPUTERNAME)_thor.json" --htmlfile "$(pwd)\$($env:COMPUTERNAME)_thor.html" --path F: