Posts

Nifty Splunk Tips

Just some Splunk tips and tricks I've found super helpful to have on hand.

Concatenate field1 and field2 as a new field named test.
• | eval test=field1.field2
• | eval test=field1. "optional static text to concatenate" .field2

Using regex to strip the file extension from a URL. Can use this to search for suspicious file types like xap and swf.
• index=au_proxy | rex field=url "\/[\(\)a-zA-Z0-9_-]*?\.(?<ext>[a-z0-9]{2,5})(\?|$)" | search ext=*

Perform a DNS lookup on an input domain and output the result as domainIP.
• | lookup dnslookup clienthost as inputdomain OUTPUT clientip as domainIP

Check the raw events.
• | table _raw, source

Ultra Toolbox thingy for parsing subdomains, extensions and filenames from URLs.
• | eval list="mozilla" | `ut_parse_extended(url,list)`

Sexy time formatting.
• eval c_time=strftime(_time,"%m/%d/%y%H:%M:%S")

Use the results of one search and pipe it to another.
• index=wineventlog EventCode=4624 [search index=firewall dest_por...

Tools and Resources

Here's a dump of some of my favourite places! Not everything is here, but hopefully I can add to it fairly frequently so that it may help you folk passing by!

IOC Sites and Breakdowns:
https://malware-traffic-analysis.net – EK Blog
https://broadanalysis.com – EK Blog
https://malwarebreakdown.com – EK Blog
https://otx.alienvault.com – Sig sharing
https://exchange.xforce.ibmcloud.com – IBM's intel platform
https://zerophagemalware.com – EK Blog
https://ransomwaretracker.abuse.ch/tracker – Ransomware domain tracker
http://blog.dynamoo.com – Spam/phishing blog
https://bleepingcomputer.com – Blogs
https://blog.malwarebytes.com – Blogs
https://any.run – Run samples in browser

Hunting Rules and Sigs:
https://github.com/Neo23x0/signature-base – Florian Roth's Yara goodies (@cyb3rops)

Guides, Techniques and Learning:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet – Reverse shell cheat sheet
https://cybrary.it – Free security courses
https://dca.imme...

Fractional Slash Domains

@SighSec and I recently discovered there are more types of homograph symbols you are allowed to use when registering an IDN (Internationalised Domain Name) than expected. These symbols could potentially be used to trick unwary users into following malicious links by making a domain appear as though it were referencing a local file or one on a mapped drive.

Background on IDNs

IDN homograph attacks most recently entered mainstream news back in Q2 2017. It was shown that domains could be registered using regular ASCII characters alongside characters from other languages, a feature used to support domain names for countries with different character sets. This presented an issue, as it meant that domains could be registered with characters swapped out for their doppelgangers (homographs), allowing anyone to register xn--80ak6aa92e.com, which, when converted, almost certainly looks like apple.com! This becomes particularly dangerous when using ASCII characters with diacritics an...