[SANS ISC] Simple Analysis of an Obfuscated JAR File

I published the following diary on isc.sans.org: “Simple Analysis of an Obfuscated JAR File“.

Yesterday, I found in my spam trap a file named ‘0.19238000 1509447305.zip’ (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named ‘0.19238000 1509447305.jar’ (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 on VT and looked like a nice candidate for a quick analysis. .jar files are ZIP archives that contain compiled Java classes and a Manifest file that points to the initial class to load. Let’s decompile the classes. To achieve this, I’m using a small Docker container… [Read more]

[The post [SANS ISC] Simple Analysis of an Obfuscated JAR File has been first published on /dev/random]

from Xavier


“Lessons in Building your own Awareness Community – At the EU #SecAwareSummit”

Editor’s Note: Martine van de Merwe and Chris Karelse are speakers for the upcoming Security Awareness Summit on 6/7 December in London. Below they give an overview of their talk on Building Your Own Awareness Community. We all have that experience where it would have been better if we had connected more, and earlier, with other security awareness professionals. It is …

from lspitzner

Splunk Custom Search Command: Searching for MISP IOC’s

When you use a tool every day, you learn more and more about it, but you also collect plenty of ideas to improve it. I’m using Splunk on a daily basis, in many customers’ environments as well as for personal purposes. When you have a big database of events, it quickly becomes mandatory to deploy techniques that help you extract juicy information from this huge amount of data. The classic way to do hunting is to submit IOC’s to Splunk (IP addresses, domains, hashes, etc.) and to schedule searches or to search in real time. A classic schema is:

Splunk Data Flow

Inputs are logs, OSINT sources or the output of 3rd party tools. Outputs are enriched data. A good example is to use the MISP platform: useful IOC’s are extracted at regular intervals via the API and injected into Splunk for later searching and reporting.

# wget --header 'Authorization: xxxxx' \
       --no-check-certificate \
       -O /tmp/domain.txt \
       https://misp/attributes/text/download/domain/false/false/false/false/false/7d

This process has a limit: new IOC’s are not immediately available when the export runs on a daily basis (or every x hours). When a new major threat appears, like Bad Rabbit last week, it is useful to have a way to search for the first IOCs released by security researchers. How to achieve this? You can run the export procedure manually by opening a connection to the Splunk server and executing commands (but people then need access to the console), or … use a custom search command! Splunk has a very nice language to perform queries, but did you know that you can extend it with your own commands? How?

A Splunk custom search command is just a small program, written in a language that can be executed in the Splunk environment. My choice was Python: there is an SDK available. The principle is simple: input data are processed to generate new output data, the basis of any computer program.

I wrote a custom search command that interacts with MISP to get IOCs. Example:

Custom Search Command Example 1

The command syntax is:

|getmispioc [server=https://host:port]
            [authkey=misp-authorization-key]
            [sslcheck=y|n]
            [eventid=id]
            [last=interval]
            [onlyids=y|n]
            [category=string]
            [type=string]

The only mandatory parameter is either ‘eventid’ (to return IOCs from a specific event) or ‘last’ (to return IOCs from the last x hours, days, weeks, or months). You can filter the returned data with the ‘onlyids’ flag and/or by a specific category or type. Example:

|getmispioc last=2d onlyids=y type=ip-dst

Custom Search Command Example 2

Now you can integrate the command into more complex queries to search for IOCs across your logs. Here is an example with BIND logs, to search for interesting domains:

source=/var/log/named/queries.log
[|getmispioc last=5d type=domain
 |rename value as query
 |fields query
]

Custom Search Command Example 3

The custom command is based on PyMISP. The script and installation details are available on my GitHub account.

[The post Splunk Custom Search Command: Searching for MISP IOC’s has been first published on /dev/random]

from Xavier

[SANS ISC] Some Powershell Malicious Code

I published the following diary on isc.sans.org: “Some Powershell Malicious Code“.

PowerShell is a great language that can interact at a low level with Microsoft Windows. While hunting, I found a nice piece of PowerShell code. After some deeper checks, it appeared that the code was not brand new, but it remains interesting to learn how malware infects (or not) a computer and tries to collect interesting data from the victim… [Read more]

[The post [SANS ISC] Some Powershell Malicious Code has been first published on /dev/random]

from Xavier

Learn from leading cybersecurity experts

More than 170K technology and business leaders from across the world depend on Microsoft’s Modern Workplace monthly webcast to shed new light on business challenges related to technology. Over the past four years, Modern Workplace has had the world’s leading experts share their advice on technology topics such as security, including CISOs, Chief Privacy Officers, Cyber Intelligence Advisors, and Chief Digital Officers. Just in the past year, Modern Workplace security episodes included:

These episodes include more than just security checklists and basics; they go into depth around the decisions business leaders are faced with every day. In the episode on data privacy, Hillery Nye, Chief Privacy Officer at Glympse, explained how the startup company made a very conscious decision to not collect data that it could have easily gathered from its real-time location sharing app. The company collects customer data and uses it for very specific purposes, but it never stores or sells that data. The company may have given up some opportunities to monetize its customer data, but Nye feels that the company gains even more by being a responsible corporate citizen and establishing a reputation for privacy. She discussed how a company’s brand is affected by its privacy policies, and how businesses can better align their privacy policies with business strategy for long-term success.

The Modern Workplace series has been nominated for four regional Emmy awards because of its creative presentation of diverse perspectives and insights. To learn more about how technology can help drive your business, check out the Modern Workplace episodes on-demand today!

from Microsoft Secure Blog Staff