Category Archives: DFIR

Script(s) to extract HTTP Host data from file

A while ago, created a new repository on GitHub for the scripts I wrote for DFIR. Since then, it only had the Computer Ping script in it. Today I added the first of the Extractor scripts.

The first extractor script, xHttpExtractor.py came about from a web based tool I used. It would run on a file uploaded to it, and then list a bunch of indicators, system artifacts, url calls outs, network communication, etc. However the tool didn’t have a good export mechanism at the time. So I would copy and paste everything to a text file, and then extract the url host details from the text files. Mainly so I could add the URL indicators to the web proxy.

Continue reading

Script(s) to ping a computer

I re-wrote a script I use at work. It was a messy bit of Python 3 previously. While it’s still not the cleanest of python scripts, it scratches my itch. It was originally just a straight line of commands with lots of repeated code. I made some functions and made it a little more modular. I know I need to learn PEP8, and start following it. This was just to improve something that I wrote previously with things I learned from Automate the Boring Stuff with Python.

I’ve shared it via my GitHub repository for DFIR scripts. They’re clean (not tied to any company). There is only Computer Ping for right now. There are 3 scripts all based on the same idea.

Ping a computer, if it is down, keep trying every 10 minutes for 1 hour. Pop an “alert” if the target is up, or the script finished before it came up.

  • 1 version for Windows running python (wComputerPing.py)
  • 1 version for Windows running Cygwin (cwComputerPing.py)
  • 1 version for boxes running Linux. (lComputerPing.py).

I’ll write others and upload to the repository as I have time / re-write stuff I use. They might not all be Python, but my goal is to be more Python than not.

CSEC630 Lab 2

Ok. The lab was pretty much what I expected.

Click this Panic button to reset everything. Go look at this pcap in Wireshark. Run this command in cmd.exe (and even walks the student through opening a term window by go to the start button, type cmd in the run box).

Run Snort with the test option on a pre-defined rule set using the pcap you looked at. Modify the same rule multiple times, enabling and disabling an alert each time. Run to see the difference.

Answer these 10 questions.

The last question was how to improve the class… I forgot to say use a Linux VM instead of a Windows VM. Since one of my answers did require Grep. Which means copy and paste from the VM lab to my box connected to the lab.

Book Review: The Complete Guide to Shodan

I’ve stumbled around with Shodan.io for a while now. It’s a great tool, but using it effectively has always eluded me. John Matherly has given me some great advice on twitter, and I like Daniel Miessler’s Shodan Primer. But I never really find the information I need at the time.

While I know it is great to find webcams and spying Super Gnomes, that is just something I don’t use Shodan for. A lot of the reason I use Shodan lately is for work. Usually someone in management asks will if anyone knows what Shodan knows about the company. Which of our systems are listed on there.

Today while stumbling around trying to look up the company name and the netblocks, and using Dan’s cheatsheet (linked above), I noticed a new link on the page. Book.

This link goes to Lean Pub’s “The Complete Guide to Shodan” by John Matherly. It is a pay what you want book. They suggest just under $5.00 USD, for the 60 page booklet. I’m saying it’s worth more than that. I paid $10.00, which I still think is too low for this book.

The book can be delivered to your Kindle or downloaded as a pdf, an Epub, or Mobi file. I grabbed the PDF and Kindle copies of the file (too small to read on my phone and never figured out how to get it to show up in the Kindle Cloud reader).

This book is divided up in to Web Interface, External Tools (like the linux command line), Developer API, Industrial Control Systems, Appendices, and Exercise Solution.

There are exercises at the end of the Web Interface, External Tools, and API sections. Not all of them worked the way they were described in the book. For example I couldn’t find the Rastalvskarn Powerplant, even though it shows up with the link in the solution section.

I’ve read some documents on the API and struggled to get them to work. After reading the book, while I still have some questions, I know I can write the Network Alert that management wants.

Get this book, it’s worth more than anything you’ll pay for it. While it is only just over 60 pages, the content is great! Especially especially the Filter list in Appendix B.

p.s. It is worth getting an account, and paying for access.

 

Business Email Compromise

Last week or so, I read the Symantec Security Response blog, talking about Business Email Compromise. Short version it talks about campaigns targeting C-level employees to try and do wire transfers. There were 2 type, one is the CEO emailing another C-level because he’s stuck in meetings and needs a wire transfer. The other version is an acquisition email, that hasn’t been announced yet.

The blog linked above has screen shot examples.

At my day job, I do occasionally work on Phishing emails. While the Symantec article was good, it is missing that the example emails are no longer going to the C-levels. While I haven’t seen the acquisition email yet, I have seen lots of the person in the meeting email going around.

It isn’t just at the C-levels. I’m seeing emails claiming to be from VPs and Directors, to underlings using the same comment about being tied up in meetings and needing the wire transfer done. Where I work the C-levels are good at catching them and reporting to them. The lower levels however have been fruitful targets.  Not realizing it is a phishing attempt and trying to comply.

We need to warn the lower level people in positions to send money.

One way to try and up the game

Yesterday, I gave my opinion on the how I think we are missing an opportunity. Before it even went live Monday (I wrote it Sunday, and I’m writing this Monday night), a conversation happened. The main point is that Attackers are working together so why are the defenders all playing the Lone Ranger / Zorro by going it alone?

I also had quick twitter conversations with Ch3ryl B1sw4s and Timeless Prototype. One was related to yesterday’s post, one wasn’t. But here are some thoughts to try and up the game on the defense side. I’m not an expert, I’m just some guy working on a Master’s on Cybersecurity to go with my BS in Information Assurance.

The goals:

  1. Have a way for people who work in SOCs, on CIRT teams, Security, regardless of team size, even the guy who has to do it all at the small companies to have a group of peers who can be contacted and discuss things with.
  2. Keep the adversarial attackers out, but allow pen-testers and others access too if they want to join.
  3. Provide enough information to be helpful to each other without putting our companies at risk.

Step 1. Create a Security Operations based Web of Trust

We need a way to validate people. So lets say I’m on a CIRT, I can vouch for all my CIRT members. But if I have been interviewed by another CIRT I can vouch for the members that interviewed me there. That means, I can get those two groups talking and at some point, like a con they can meet.

Step 2. Secure communication channels.

Different options for communication. Out of band forums, chat (IRC), OTR IM, or whatever people think would be the best way.

This is multi-fold.

One it gives us a neutral ground to talk, and putting a layer between our conversations and our employers. For protection, obfuscation is not security but having a group invites attackers. Keep the company names out, and makes it harder to attack them because of our associations. It’s not to hide things from the company.

Two, this way if we have to contact another team with “Hey I’m seeing a lot Viagra ads coming from your domain”, I don’t have to worry about intercept because the mail server or mail dns is compromised.

Step 3. Share sanitized knowledge.

Note I said sanitized. This should make the stake holders at our employers a little more relaxed. They know we are sharing Indicators of Compromise, or hey I noticed this strange thing anyone else seeing it?

It would also be nice if someone finds malware aimed at another company to share that, instead of saying yep, not my company, without having to say all they did to find it. Just say “Hey I found this going after X, anyone else see it on their network. How about X, do you know your a target?

I’m sure this could be fleshed out more. I’m sure there are things I’m missing. I know it’s partly re-inventing the wheel, but really twitter is faster than Infragard on attacks, but with twitter both sides see them a the same time, while things get lost in the noise. I know HTCIA is a thing, but is it’s mission the same?

 

My thoughts on Ashley Madison Dumps: another missed chance to up the IR game

I don’t care what people want to do in there spare time. I don’t care about the teaser dump, I don’t care about the 9 gig dump, I don’t care about the 20 gig dump, and I don’t care about the 300 gigs that Impact Team claims to have.

However as someone who’s job it is to defend the company, a member of the Blue Team, there are responsibilities I have to the company. Instead of DMCA take down notices, Avid Life or at least the Incident Response team, should be working with any non-webmail based domain. So if a company’s domain shows up in the list, they should contact that company’s CIRT team. This allows the CIRT to defend against any possible attacks.

Now granted that the attacks the CIRTs are most likely to see are Spear Phishing and account brute force attacks. It still make sense to share the relevant information. I believe the same about the Anthem and OPM breaches. In all these cases, these have been missed opportunities.

Based on what I’ve done so far, what I’ve sat through in presentations, and what I’ve learned in school not enough of us are working together. Company CIRTs stop at the perimeter when they should probably be sharing information. I’ve seen too many in the industry saying “that’s their problem, let them find it”. Meanwhile how many times have we as an industry seen news stories saying Company X didn’t know they were breached until they were pinged by the U.S. Gov?

I know that Scott Roberts at his Bsides Columbus talk said there were Out of Band forums, and it sounded like the members were from multiple CIRTs, that some people use. But what is the usage like compared to all the CIRTs / Security Teams / Sole Admin supporting the whole company, that could use that kind of forum for help?

Should the CIRT team’s responsibility stop at the perimeter, or should all the teams out there have ways to work together through a web of trust to make attacking harder?