Blue Team

How To: Using Tor From The Command Line

If you’re going to be doing work in the “dark web”, it’ll be useful to understand how to quickly and easily run commands via Tor. First, assuming you’re using Linux, install Tor: sudo apt install tor Next, edit /etc/tor/torrc: sudo vi /etc/tor/torrc Find the line containing the following: #ControlPort 9051 …and uncomment it. Next, find the following line: #CookieAuthentication 1 Uncomment it, and change 1 to 0. Finally, restart the tor service:…more

DIY Threat Intel: Mining Spam For Malware

If you use email, you already have a wonderful resource available to you for doing some quick and dirty threat intelligence work: your spam folder. Every day, people receive anywhere from dozens to hundreds of spam emails, ranging from plain vanilla unsolicited emails, to unwanted content, to phishing attempts and malware. There’s a wealth of information to be mined from your spam folder. Right now, we’ll focus on extracting URLs and attachments from your spam emails and automatically analyzing them.…more

One Second Analysis: Credentials Posted to Pastebin

Super-quick analysis of account credentials (username/password pairs, in various forms) posted to Pastebin over roughly a day: Start time: 20171113 2100UTC Credentials parsed to date: 792,488 Clean (unproblematic) credentials: 734,807 Unique clean credentials: 475,653 Credentials parsed to date: I’ve had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now. This is where the number of credentials extracted stood as of Start time. Clean (unproblematic) credentials: I wrote a somewhat lazy parser that attempts to help me identify patterns in the extracted paste bodies so I can more effectively grab credentials pasted in a variety of formats.…more

DIY Threat Intel: Building A Pastebin Scraper

There are many things to be found on Pastebin, as demonstrated by Jordan Wright’s dumpmon (on Twitter as @dumpmon). Things like: Private SSH keys Login credentials for various services and devices Database dumps Lists of compromised systems Lists of compromised accounts Lots of threat intelligence services offer to monitor the “dark web” for you, to watch for any mention of your credentials and/or intellectual property. Almost invariably, one component of these services is monitoring Pastebin and similar paste sites.…more

Analyst Tip: Testing Firewall Egress

A quick tip for testing available TCP egress, using nc, bash, and allports.exposed: for i in {1..1023}; do nc -vz -w 1 allports.exposed $i; done This will use nc with the -v, -z, and -w switches to attempt to connect to allports.exposed on TCP ports 1 through 1023. -v requests verbose output, -z puts nc in scanning mode, and -w 1 tells nc to time out after one second. You may need to adjust the value supplied with -w according to the anticipated latency of the network you’re on.…more

Simple Check For OptionsBleed vulnerability

Shortly after CVE-2017-9798 (a.k.a. “OptionsBleed”) was announced, the good folks over at The Fuzzing Project posted a great write-up, including a quick check for the vulnerability. I adapted it to check a list of sites, as analysts often have more than one web property to test. for j in `cat domains.txt`; do for i in {1..20}; do curl -sI -X OPTIONS https://www.$j/| grep -i "allow:"; done >optionsbleed-https-www.$j.out ;done This will run through a list of domains in the file domains.…more

Analyst Tip: Researching IPs, Domains, And URLs From The Shell

In the course of an average day, an analyst needs to look up various bits of information about IPs, domain names, and URLs. Various workplace tools may do some of this enrichment automatically, but every now and then the analyst needs a quick, effective way to either get this information for a single indicator, or for a large list of them. Tools While there are numerous websites that can be used to obtain this information, in my opinion, nothing beats the flexibility of command-line tools.…more

Hunting For Insecure Amazon S3 Buckets

Breaches caused by insecurely-configured Amazon S3 buckets are not new. Researchers have been sounding the alarm since 2013. However, S3-related breaches continue to make the news. Last Friday (20170901), researchers announced the discovery of records for four million Time Warner Cable customers due to an improperly secured Amazon S3 bucket. Amazon has been proactive in raising awareness of this issue. However, the problem persists, and is widespread. Let’s be clear: The problem here isn’t just one of potential exposure of PII.…more

Analyst Tip: Spotting Botnet Members

You suspect one or more hosts in your network may have unwittingly been recruited into a botnet. How can you tell? There are several indicators you can hunt for, including: A sudden spike in outbound traffic on UDP or TCP port 53 relative to normal volume for that host and/or in that network and/or system role), particularly to destinations other than approved recursive or authoritative nameservers Appearance of or increase in outbound traffic on TCP port 6660-6669 from host in question Attempted connections to known command-and-control (C2) servers DNS queries for known C2 fully-qualified domain names A sudden spike in outbound traffic on TCP port 25 (relative to normal) The presence of one or more of these indicators may warrant further investigation.…more

How To: Creating Your Own Animated Threat Map

One day, I was challenged to create a “live” threat map from our existing SIEM data for display on our SOC wall screens. Never one to shrink from a challenge, I accepted. But I know practically no JavaScript, I’m not a web developer by any stretch of the imagination, and I had nowhere to start except this project, which is a joke threat map that plots random attacks using random geographical coordinates.…more