The Increased use of powershell in attacks

The 10 top reasons why attackers use PowerShell 

1. It is installed by default on all new Windows computers.
2. It can execute payloads directly from memory, making it stealthy.
3. It generates few traces by default, making it difficult to find under forensic analysis.
4. It has remote access capabilities by default with encrypted traffic.
5. As a script, it is easy to obfuscate and difficult to detect with traditional security tools.
6. Defenders often overlook it when hardening their systems.
7. It can bypass application-whitelisting tools depending on the configuration.
8. Many gateway sandboxes do not handle script-based malware well.
9. It has a growing community with ready available scripts.
10. Many system administrators use and trust the framework, allowing PowerShell malware to blend in with regular administration work.

Fileless attacks

Referances:
Real full guide here!
https://www.crowdstrike.com/blog/blocking-malicious-powershell-downloads/
https://bensanchez.jp/fileless-malware-obfuscating-malware-using-powershell-scripts/
https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html
https://www.mcafee.com/enterprise/es-es/security-awareness/ransomware/what-is-fileless-malware.html

Useful OSINT Tools for Cyber Threat Hunting and Analysis

Zararlı yazılım analizi, tehdit istihbaratı, güvenlik olayları analizi, kaynağı bilinmeyen ağ trafiği analizi ve ioc bilgileri vb. kontrolü için sıklıkla online ücretli, ücretsiz farklı platformları güvenlik olayları analizi ile uğraşırken kullanıyoruz. Bu platformlar kimi zaman bir tehditi anlamlandırmaya, kimi zaman bir domainin kime ait olduğunu sorgulamaya, kimi zaman lokasyon farketmeksizin başlayan bir spear phishing kampanyasından haberdar olmaya kadar SOME personeline bu olayları daha iyi anlaması ve analiz etmesi konusunda imkan sağlıyor. Bende zaman zaman analiz yaparken bu araçlardan işimi kolaylaştıracağı ölçüde faydalanıyorum. OSINT tanım olarak değerlendirecek olursak; herkesin erişimine açık kaynaklar üzerinden yapılan araştırmalar neticesinde hedef hakkında bilgiler elde edilmesine Açık kaynak istihbaratı(OSINT) deniyor. Bu yazıyı yazmamdaki amacım sıklıkla kullandığım araçlar ile ilgili bu listeyi oluşturup blogumu ziyaret edenlerinde yapmış oldukları analizde daha önce kullanmamış oldukları bir araç varsa bundan faydalanıyor olabilmeleri. Ki umarım faydası olur. OSINT ile ilgili aşağıdaki görsel bize linkteki domain aslında OSINT yaparken nelerden faydalanabileceğimiz ile ilgili bize fırsatlar sağlıyor. Sizde daha detaylı bilgi için ziyaret edip baloncuklar üzerine tıklayarak faydalanabilirsiniz.

Automated Analysis/Sandboxes:

• https://app.any.run
• https://analyze.intezer.com/
• https://www.hybrid-analysis.com/
• https://www.virustotal.com/gui/home/upload
• https://app.sndbox.com/
• https://cuckoo.cert.ee/
• https://cape.contextis.com/
• https://sandbox.anlyz.io/dashboard
• https://valkyrie.comodo.com
• http://cloud.iobit.com
• https://detux.org/index.php
• https://quicksand.io/
• https://totalhash.cymru.com/upload/
• https://x.threatbook.cn/about
• https://nodistribute.com/
• https://vicheck.com/submitfile.php

Threat Intelligence/Research:

• https://mxtoolbox.com/
• https://dnsdumpster.com/
• https://censys.io/
• https://findsubdomains.com/
• https://publicwww.com/
• https://apt.threattracking.com/
• https://pan-unit42.github.io/playbook_viewer
• https://www.binaryedge.io/
• https://www.shodan.io/
• https://exchange.xforce.ibmcloud.com/
• https://www.threatminer.org/
• https://otx.alienvault.com/
• https://community.riskiq.com/home
• https://talosintelligence.com/
• https://pulsedive.com/
• https://ui.threatstream.com/login?redirect=%2Fdashboard
• https://threatpoint.checkpoint.com/ThreatPortal/emulation
• https://analyze.intezer.com/#/
• https://exchange.xforce.ibmcloud.com/
• https://threatintelligenceplatform.com/
• https://dnsdumpster.com/

Reputation Lookups Tools(IP/Hash/Url/Mac/Ssl/Dns/Seo):

• https://totalhash.cymru.com/
• https://www.scumware.org/search.php
• http://sitereview.bluecoat.com
• https://zulu.zscaler.com/
• https://urlscan.io/
• http://app.webinspector.com/
• https://www.threatcrowd.org/
• https://www.brightcloud.com/tools/url-ip-lookup.php
• http://www.ipvoid.com/
• https://crt.sh/
• https://dnslytics.com/
• https://metadefender.opswat.com/
• https://exonerator.torproject.org/
• https://developers.whatismybrowser.com
• https://macvendors.com
• https://www.abuseipdb.com/
• https://centralops.net/co/DomainDossier.aspx
• http://whois.domaintools.com/
• https://tools.wmflabs.org/whois/gateway.py?
• https://urlfiltering.paloaltonetworks.com  
• https://csi.forcepoint.com/
• https://fortiguard.com/webfilter
• http://urlquery.net/
• https://sitecheck.sucuri.net
• https://community.riskiq.com/search/
• https://metadefender.opswat.com/#!/scan-file
• https://cymon.io/
• https://www.malwareurl.com/listing-urls.php
• https://zulu.zscaler.com/
• https://talosintelligence.com/reputation_center/email_rep
• https://www.threatcrowd.org/
• https://www.threatminer.org/
• https://www.abuseipdb.com/
• https://spyse.com/search/certificate
• http://bs.org.tr/phishing-domain-list
• https://www.echotrail.io/insights/search/
• https://www.robtex.com/dns-lookup/
• http://moonsearch.com/
• https://www.malwares.com/search/tag?tag=ransomware

Miscellanous Tools:

• https://gchq.github.io/CyberChef/
• https://onlinedisassembler.com/odaweb/
• https://start.me/p/rxRbpo/ti
• https://malshare.com/
• https://iplogger.org/
• https://shrib.com/
• https://www.itextpad.com/
• https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
• https://maltiverse.com/search
• http://moonsearch.com/
• https://labs.inquest.net/
• http://www.urlvir.com/

Online Test Tools:

• https://www.browserling.com/
• https://visualping.io/
• https://ping.eu/
• https://www.uptrends.com/tools/uptime
• https://urlscan.io/
• https://centralops.net/co/
• https://trumail.io/
• https://builtwith.com/

Security Blogs/News:

• https://malware-traffic-analysis.net/
• https://broadanalysis.net/
• https://blog.malwarebytes.com/
• https://myonlinesecurity.co.uk/
• https://cofense.com/blog/
• https://threatpost.com/blog/
• https://krebsonsecurity.com/
• https://blog.trendmicro.com/trendlabs-security-intelligence/
• https://unit42.paloaltonetworks.com/
• https://blog.paloaltonetworks.com/
• https://www.zscaler.com/blogs/research
• https://securelist.com/
• https://www.wired.com/category/threatlevel/
• https://www.proofpoint.com/us/blog
• https://www.sentinelone.com/blog/
• https://www.zdnet.com/
• https://thehackernews.com/
• https://www.bleepingcomputer.com/
• https://www.flashpoint-intel.com/blog/
• https://research.checkpoint.com/
• https://blogs.cisco.com/security
• https://www.cyberbit.com/blog/
• https://www.fireeye.com/blog.html
• https://nakedsecurity.sophos.com/
• https://isc.sans.edu

Malware/Threat Analysis Tools:

• https://www.packettotal.com/
• https://www.networktotal.com/analysis.phtml
• https://avcaesar.malware.lu/
• https://x.threatbook.cn/about
• https://www.randhome.io/blog/2018/02/23/harpoon-an-osint-/-threat-intelligence-tool/

Brand Protection:

• https://services.normshield.com/phishing-domain-search
• https://www.normshield.com/rapid-cyber-risk-scorecard/
• http://bs.org.tr/phishing-domain-list
• https://www.immuniweb.com/radar/?id=eQrS38Ky
• https://builtwith.com/

DeepWeb:

• https://darknetlive.com/
• https://github.com/CHEF-KOCH/ProjectX
• https://www.tor2web.org/
• https://fproxy.net/
• https://xmrchain.net/

Threat Feed

• https://urlhaus.abuse.ch/
• https://ransomwaretracker.abuse.ch/
• https://threatfeeds.io/
• https://phishstats.info/
• https://infosec.cert-pa.it/analyze/listdomains.txt

Ddos & Attack Monitoring:

• https://ddosmon.net/
• https://www.digitalattackmap.com/
• https://horizon.netscout.com/
• https://threatmap.checkpoint.com/
• https://cybermap.kaspersky.com/
• https://threatmap.fortiguard.com/
• https://www.fireeye.com/cyber-map/threat-map.html
• https://threatmap.bitdefender.com/
• https://map.lookingglasscyber.com/
• http://www.parsecuremap.com/#2/42.3/-17.7
• https://securitycenter.sonicwall.com/m/page/worldwide-attacks

Source Code Analysis

• https://publicwww.com/
• https://nerdydata.com/

Passive Dns Data:

• https://securitytrails.com/dns-trails#/
• https://passivedns.mnemonic.no/search
• http://ptrarchive.com/
• https://www.d4-project.org/
• http://research.domaintools.com/research/hosting-history/
• https://completedns.com/dns-history/
• https://whoisrequest.com/
• https://www.deteque.com/news/passive-dns/

Certificate Fingerprint:

• https://crt.sh/
• https://www.sslshopper.com/ssl-checker.html
• https://www.digicert.com/help/
• https://www.mrdomain.com/products/ssl/tools/ssl-checker/
• https://www.websecurity.digicert.com/support/ssl-checker

Malicious Samples:

• https://malshare.com/index.php
• https://malquarium.org/
• https://virusshare.com/

Yara Rules:

• https://github.com/kevthehermit/YaraRules

Twitter Intelligence:

• http://tweettioc.com/search

Malware Tracker:

• http://malwares.com
• http://vxvault.net/ViriList.php

Sigma Rules:

• https://github.com/Neo23x0/sigma/tree/master/rules
• https://socprime.com/en/blog/sigma-rules-guide-for-arcsight/
• https://github.com/Neo23x0/sigma
• https://www.nextron-systems.com/2018/02/10/write-sigma-rules/
• https://uncoder.io/

Lookup Tools:

• https://www.ultratools.com/tools/spamDBLookup
• https://mxtoolbox.com/blacklists.aspx
• https://w3dt.net/tools/dnsbl
• https://www.abuseipdb.com/
• https://apility.io/
• https://megritools.com/blacklist-lookup

Referanslar:

https://osintframework.com/

https://meltx0r.github.io/resources/
https://docs.google.com/spreadsheets/d/1XoFHZPZsU3HPxLuwH50QFJw4ToGDypkL-D_bFf3lhO8/edit#gid=0

True Sense of Security Maersk Case

Definition of false sense of security: a feeling of being safer than once really is the gun gave him a false sense of security.

I came across this statement while I was browsing at linkedin today.

References:

https://www.zdnet.com/article/maersk-forced-to-reinstall-4000-servers-45000-pcs-due-to-notpetya-attack/