
Posts

Showing posts from November, 2021

yara installation

https://yara.readthedocs.io/en/stable/gettingstarted.html
https://materials.rangeforce.com/tutorial/2020/02/19/Malware-Detection-using-YARA/
https://github.com/VirusTotal/yara/releases

Download the source tarball (yara-4.1.3.tar.gz) from the GitHub releases link above, then install the build dependencies:

    sudo apt-get install automake libtool make gcc pkg-config autoconf libssl-dev libmagic-dev

With the tarball downloaded, unpack it and prepare the source for compilation:

    tar -zxf yara-4.1.3.tar.gz
    cd yara-4.1.3
    ./bootstrap.sh

Next, compile and install YARA:

    ./configure --with-crypto --enable-magic
    make
    sudo make install

Update the shared library cache:

    sudo ldconfig

Finally, check that everything is installed correctly by running the test cases:

    make check

Avi

kerberos golden ticket attack | how it works | dcsync | secretsdump.py

https://www.youtube.com/watch?v=o98_eRt777Y&list=PL3B8L-z5QU-Z0bWmjwgUSLGTzm1k_kVZo&index=3

Assuming you have already compromised the domain and AD is under your control, this attack is mainly done for maintaining persistence. Even if the defenders find out and change the administrator account password, that does not stop the attack.

In every AD there is an account called krbtgt. Although this account is disabled, the system uses this account's password hash to encrypt the data sent by the Kerberos protocol. If we get the NTLM password hash of this account, we can create tickets with mimikatz, called golden tickets, to impersonate anyone in the domain.

So now we need to get the NTLM hash of the krbtgt account.

First go to the properties of scrm.local, Security tab > Advanced. Here you can see that the Tom Star user has "Replicating Directory Changes" access. When any user has this permission, he/she can perform a DCSync attack. It allows them to impersonate domain control

yara rules

Launching a YARA rule:

    yara rule.yar sample.file

Here rule.yar is a YARA rule written by someone, and sample.file is the malicious file you want to run the rule against.

Now let's say you have many YARA rules saved in a directory. Running them one by one would take a long time, so let's see how to run those rules using a for loop. Say the two directories /home/student/Downloads/yara-forensics/file and /home/student/Downloads/yara-forensics/raw each contain some .yar rule files, and we want to run them against a malicious file named sample.file. The -c flag makes yara print only the count of matching rules, so a count greater than 0 means the rule matched and the loop prints that rule's filename:

    for file in $(find /home/student/Downloads/yara-forensics/file -name '*.yar'); do test "$(yara -c "$file" /home/student/Downloads/sample.file)" -gt 0 && echo "$file"; done 2>/dev/null
    for file in $(find /home/student/Downloads/yara-forensics/raw -name '*.yar'); do test "$(yara -c "$file" /home/student/Downloads/sample.file)" -gt 0 && echo "$file"; done 2>/dev/null

Avi

Regular expression basic

Regular expressions are an invaluable technique that can be used in many situations to get work done faster. They are used in SIEMs like Splunk, in CTFs, in programming languages, etc. The main point of using regex is that it helps you find a specific character or sequence of characters in a long garbage string. Remember that here everything is a character; users write patterns to find that character or sequence of characters, called a string.

https://sodocumentation.net/regex/topic/639/lookahead-and-lookbehind
https://materials.rangeforce.com/tutorial/2019/12/26/Regular-Expressions/
https://www.regular-expressions.info/lookaround.html
https://regexone.com/problem/matching_phone_numbers
http://www.rexegg.com/regex-lookarounds.html

Meta characters: ^ . [ { \ $ ( ) | * + ?

These are special characters, called meta characters, that have a special meaning. So if you need to find any string that contains one of the above characters, you need to escape it with a backslash (\).

threat hunting | look for c2 over dns - part 4

C2 over DNS:

    cat dns.log | zeek-cut query | sort | uniq | rev | cut -d . -f 1-2 | rev | sort | uniq -c | sort -rn | head

This takes the unique queried names, keeps only the last two labels of each name, and counts how many distinct subdomains were queried under each of them; a domain with an unusually large number of unique subdomains is worth a closer look. Then list the queries for the suspicious domain itself:

    cat dns.log | zeek-cut query | grep honestimnotevil | cut -f 1 | sort | uniq -c | sort -rn

Avi

threat hunting | payload analysis with ngrep - part 3

We found a suspicious IP pair, let's say 192.168.99.51 to 104.248.234.238. Let's analyze the payloads in these sessions:

    ngrep -q -I trace1.pcap host 192.168.99.51 and host 104.248.234.238 | head -20

The GET request URL is weird. The Windows 7 version is weird and the Java 1.7 version is also weird. The Host header shows an IP address, which is wrong; the Host field should always be an FQDN. 200 OK means the server is happy to give you what you asked for.

    cat http.log | zeek-cut id.orig_h id.resp_h user_agent | grep 192.168.99.51 | sort | uniq | cut -f 3 | sort | uniq -c | sort -rn

The first sort puts identical lines next to each other. uniq then collapses them: say I am connecting to the same destination IP 50 times; instead of 50 lines it becomes 1 line. Then another 20 connections to the same destination IP are collapsed into a single line as well. Then we sort again. uniq -c adds a count: say my system is communicating with 50 different IP addresses; it will show the count for each one.

So from the above image we

threat hunting | finding beacons - part 2

Beacon checks are based on connection delta, session size, or both. The RITA tool and its easy commands will help you find beacons quite easily.

RITA

    rita | less                              (list all of rita's commands)
    rita list                                (list all of the known databases, e.g. lab1 lab2 lab3; pcap lab files need to be imported into rita)
    rita import <zeek log files>             (import zeek log files)
    rita | grep beacons
    rita show-beacons lab1 -H | less -S      (lab1 is the dataset you imported earlier)

Anything with a score of 0.8 or above, please investigate.

Now take those two IPs and check them against the DNS logs. The first two DNS queries come back with nothing, which means these two IPs are not resolving to DNS names. That's kind of suspicious, so let's search for what service they try to reach. The first one says http and the second one says nothing, which is weird.

conn_state means --> wha

threat hunting | finding long and cumulative connections - part 1

PCAP and Zeek logs are already captured and provided to you on a VM for threat hunting.

1. Find the top 10 longest connections, or top 10 talkers. Zeek stores the duration in conn.log. trace1.pcap is our actual capture file; from this file we have created the Zeek logs.

    capinfos -aeu trace1.pcap
    cat conn.log | zeek-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head

Sorting means organizing.

2. Find the top 10 cumulative communication times between private and public IP addresses (internal to external):

    cat conn.log | zeek-cut id.orig_h id.resp_h duration | sort | grep -v -e '^$' | grep -v '-' | datamash -g 1,2 sum 3 | sort -k 3 -rn | head

3. After finding the suspicious IP, look at the DNS log to see whether there is any anomaly there or not. Zeek extracts all DNS-related logs into the dns.log file.

    cat dns.log | zeek-cut query answers | grep 52.179.219.14 | sort | uniq -c
    cat conn.log | zeek-cut id.orig_h id.resp_h service | grep 52.179.219.14 | sort | uniq -c
    cat ssl.log | zeek-cut id.resp_h server_name s

threat hunting | zeek | pcap | tshark | http user agents | RITA

2. Finding cumulative talk time with zeek + datamash:

    cat conn.log | zeek-cut id.orig_h id.resp_h duration | sort | grep -v -e '^$' | grep -v '-' | datamash -g 1,2 sum 3 | sort -k 3 -rn | head

The first sort means: whenever you see the same source IP communicating with the same destination IP, list those connections one after another.

grep -v -e '^$' (removing blank lines): -v means select the lines not matching any of the specified patterns, and -e marks the next argument as a pattern. The pattern ^$ is a regex for an empty line (start of line immediately followed by end of line), so this is the signature we use to match blank lines, and the command selects everything except those blank lines. Why are we removing blank lines? Because datamash doesn't understand blank lines; datamash only wants numerical values in the lines.

grep -v '-' (removing dashes): select lines not matching the - dash character. Select everything except da

psexec.exe microsoft sysinternals tool mark russinovich

Scenario: Amy is a domain user. She logs in to her PC with her domain username and password. She is a computer support specialist and she is also a member of the Domain Admins group. Somehow she knows the password of Bob, who is a domain computer administrator.

Now, leveraging the Sysinternals PsExec.exe tool, she will access the domain controller using Bob's credentials:

    C:\Tools\SysinternalsSuite> .\PsExec.exe -i \\dc.contoso.azure -u bob -p Student123 cmd.exe

An IP address will also work, for example \\192.168.0.4.

pass the hash pth attack

Attack synopsis:

1. The attacker somehow got the password hashes of one or more users on a computer network. If that compromised account has admin rights on the system, the attacker can also access other credentials that are stored on that system. The users' password hashes are stored in the SAM account database, but the file is locked while the system is running, so at that time it is not possible to access it. The operating system still needs that data, however, so it is also held in the memory space of lsass.exe. It can be captured using samdump, pwdump and mimikatz, and even from an offline image of Windows.

    C:\windows\system32\config\SAM

2. Now, using the mimikatz tool, the attacker leverages the compromised user's username and password hash to authenticate to other system resources where that user has access.

Example: let's say Jsmith is a normal user account in the domain. He clicked on a phishing mail and his account got compromised. Now the attacker has access to his account. But jsmith m