-
DIY Threat Intel: Monitoring Phishing Domains and Typosquatting
Being able to receive alerts when a new domain is registered that closely matches an existing domain you own can be a valuable source of threat intelligence. So valuable, in fact, that several services incorporate such notification as part of their product offering. However, you don’t need to pay for this sort of service. You can build the functionality rather easily, for free! What You’ll Need For this how-to, you’ll need access to some source of newly-registered domain information.…more
-
One Second Analysis Followup: Credentials Posted to Pastebin
As a followup to last week’s post regarding the number of stolen account credentials that show up on Pastebin daily, I’ve collected enough data to get a more accurate picture of the posting rate. As a reminder, here was the first day’s data: Start time: 20171113 2100UTC Credentials parsed to date: 792,488 Clean (unproblematic) credentials: 734,807 Unique clean credentials: 475,653 Credentials parsed to date: I’ve had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now.…more
-
How To: Building A Dark Web Scraper
In a previous post, I demonstrated a way to run Linux command-line tools through Tor. Let’s take it a step further, and come up with a way to scrape sites on the dark web. This will allow us to hunt for mentions of various pieces of information we may want to be alerted to, such as the presence of company names, email addresses, etc. We’re going to need some code. Let’s start with importing all the modules we’ll need, and grabbing a URL from the command line:…more
-
DIY Threat Intel: Mining Spam For Malware
If you use email, you already have a wonderful resource available to you for doing some quick and dirty threat intelligence work: your spam folder. Every day, people receive anywhere from dozens to hundreds of spam emails, ranging from plain vanilla unsolicited emails, to unwanted content, to phishing attempts and malware. There’s a wealth of information to be mined from your spam folder. Right now, we’ll focus on extracting URLs and attachments from your spam emails and automatically analyzing them.…more
-
One Second Analysis: Credentials Posted to Pastebin
Super-quick analysis of account credentials (username/password pairs, in various forms) posted to Pastebin over roughly a day: Start time: 20171113 2100UTC Credentials parsed to date: 792,488 Clean (unproblematic) credentials: 734,807 Unique clean credentials: 475,653 Credentials parsed to date: I’ve had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now. This is where the number of credentials extracted stood as of Start time. Clean (unproblematic) credentials: I wrote a somewhat lazy parser that attempts to help me identify patterns in the extracted paste bodies so I can more effectively grab credentials pasted in a variety of formats.…more
-
DIY Threat Intel: Building A Pastebin Scraper
There are many things to be found on Pastebin, as demonstrated by Jordan Wright’s dumpmon (on Twitter as @dumpmon). Things like: Private SSH keys Login credentials for various services and devices Database dumps Lists of compromised systems Lists of compromised accounts Lots of threat intelligence services offer to monitor the “dark web” for you, to watch for any mention of your credentials and/or intellectual property. Almost invariably, one component of these services is monitoring Pastebin and similar paste sites.…more
-
Analyst Tip: Researching IPs, Domains, And URLs From The Shell
In the course of an average day, an analyst needs to look up various bits of information about IPs, domain names, and URLs. Various workplace tools may do some of this enrichment automatically, but every now and then the analyst needs a quick, effective way to either get this information for a single indicator, or for a large list of them. Tools While there are numerous websites that can be used to obtain this information, in my opinion, nothing beats the flexibility of command-line tools.…more
-
How To: Creating Your Own Animated Threat Map
One day, I was challenged to create a “live” threat map from our existing SIEM data for display on our SOC wall screens. Never one to shrink from a challenge, I accepted. But I know practically no JavaScript, I’m not a web developer by any stretch of the imagination, and I had nowhere to start except this project, which is a joke threat map that plots random attacks using random geographical coordinates.…more