Popular

Wednesday, July 5, 2023

Indicator of compromise (IoC) activity

 Scenario

As a novice Security Operations Center (SOC) analyst employed by a financial services company, you recently received an alert regarding a potentially suspicious file download on an employee's computer. To address this concern, you proceeded to investigate the matter.

During your investigation, you discovered that the employee had received an email containing an attachment—an encrypted spreadsheet file. Surprisingly, the email included the password required to unlock the file. The employee proceeded to download the file and subsequently entered the provided password to access its contents. However, upon opening the file, a harmful payload was executed on the employee's computer.

In response, you took action by retrieving the malicious file and generating a SHA256 hash of it. This hash serves as a unique identifier for the file and cannot be decrypted. Employing hashing as a cryptographic technique, it acts as a distinctive fingerprint for identifying malware.

Now equipped with the file's hash, your next step involves leveraging VirusTotal to uncover additional Indicators of Compromise (IoCs) associated with the file.

SHA256 file hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b

A malicius actor trought a mail send a trojan with a spredsheet looking, then an employee opened it.

  • 1:11 p.m.: An employee receives an email containing a file attachment.
  • 1:13 p.m.: The employee successfully downloads and opens the file.
  • 1:15 p.m.: Multiple unauthorized executable files are created on the employee's computer.
  • 1:20 p.m.: An intrusion detection system detects the executable files and sends out an alert to the SOC.

VirusTotal analysis:

The VirtusTotal report classify it as a trojan executable in Windows machines, with a size of 430.00 KB. Behavior:
  • It spawns processes
  • Create files inside the user directory
  • Acquire credentials from Windows Credential Manager
  • May sleep (evasive loops) to hinder dynamic analysis
The analysis was made via virtual machines.

Wireshark and tcpdump

In the world of network analysis and troubleshooting, two powerful tools stand out: Wireshark and tcpdump. Both tools are widely used by network administrators, security professionals, and enthusiasts to capture and analyze network traffic (sadly by unethical hackers too). In this blog post, we will explore the features and functionalities of Wireshark and tcpdump and compare their strengths and use cases.

Wireshark

Wireshark is an open-source packet analyzer that provides deep insights into network traffic. It boasts an intuitive graphical user interface (GUI) and supports a wide range of platforms, including Windows, macOS, and Linux. Here are some key features and functionalities of Wireshark:

Live Packet Capture: Wireshark captures packets in real-time, allowing you to analyze network traffic as it occurs. You can choose specific network interfaces and apply filters to focus on relevant packets.

Powerful Display Filters: The tool offers a rich set of display filters, enabling you to narrow down the captured packets based on various parameters such as source/destination addresses, protocols, ports, and more. This helps in pinpointing specific network events quickly.

Protocol Support: Wireshark supports a vast array of network protocols, making it suitable for analyzing different network layers and applications. From Ethernet and IP to HTTP, DNS, and VoIP, Wireshark provides detailed protocol decoding and analysis.

Advanced Analysis Tools: Wireshark offers several built-in analysis tools like statistics, flow graphs, packet coloring, and expert system information. These features aid in identifying performance bottlenecks, security vulnerabilities, and network anomalies.

tcpdump

tcpdump, on the other hand, is a command-line packet analyzer available for Unix-like systems. Unlike Wireshark, tcpdump lacks a GUI but compensates with its simplicity, efficiency, and scriptability. Let's explore the key features and functionalities of tcpdump:

Terminal-based Packet Capture: tcpdump captures packets directly from the command line interface (CLI). Its non-interactive nature makes it ideal for remote or scripted network analysis tasks, especially in headless or server environments.

Flexible Filtering Options: Similar to Wireshark, tcpdump allows you to filter packets using expressions based on source/destination addresses, protocols, ports, and more. This flexibility lets you capture and analyze only the packets of interest.

Customizable Output Formatting: tcpdump provides various options to control the output format, including the ability to save packets in different file formats for later analysis. This versatility makes it convenient for post-capture processing and integration with other tools.

Lightweight and Efficient: Due to its command-line nature, tcpdump is lightweight and consumes fewer system resources. It can capture packets at high speeds without causing significant overhead on the network or the host system.


tcpdump vs Wireshark:

While both Wireshark and tcpdump serve the purpose of capturing and analyzing network traffic, they differ in their approach and suitability for different scenarios. Here's a comparison between the two tools:

User Interface: Wireshark has a user-friendly GUI, making it more accessible to beginners or those who prefer visual analysis. In contrast, tcpdump is command-line-based, making it suitable for advanced users or automated tasks.

Protocol Support: Wireshark offers a comprehensive set of pre-built protocol dissectors, providing detailed analysis for a wide range of protocols. tcpdump relies on libpcap for protocol decoding and supports fewer protocols out of the box.

Flexibility: tcpdump's command-line interface allows for fine-grained control and scripting capabilities, making it ideal for automation and integration with other tools. Wireshark, with its GUI, excels in interactive analysis and provides a more comprehensive set of analysis features.

Resource Usage: tcpdump is lightweight and consumes fewer system resources compared to Wireshark, making it suitable for capturing packets on resource-constrained systems or in high-speed network environments.

Learning Curve: Wireshark's GUI and visual interface make it more approachable for beginners, while tcpdump requires familiarity with command-line usage and filtering expressions.


Conclusion:

Wireshark and tcpdump are both powerful tools for network analysis, each with its own set of features and strengths. Wireshark's user-friendly GUI, extensive protocol support, and advanced analysis capabilities make it an excellent choice for interactive analysis and detailed investigations. On the other hand, tcpdump's command-line interface, flexibility, and efficiency make it a preferred option for automated tasks, remote analysis, or capturing packets in resource-constrained environments.

Ultimately, the choice between Wireshark and tcpdump depends on the specific use case, user preference, and level of expertise. Network professionals often find value in using both tools in their arsenal, leveraging the strengths of each to gain comprehensive network visibility and effectively troubleshoot network issues. 

Info Awareness: Safeguard your data

In today's digital age, where technology permeates every aspect of our lives, it is crucial to be aware of the importance of cybersecurity and the protection of our personal and sensitive information. Whether we realize it or not, our data is constantly being collected, stored, and utilized by various companies. Therefore, understanding how companies treat our data and implementing security measures are essential steps towards ensuring our online safety. In this post, we will explore the significance of security awareness, with a particular focus on how companies handle our data.


Data Privacy and Protection:

Data privacy is the right to control and safeguard personal information shared with companies. As users, we entrust organizations with our data, and they have a responsibility to treat it securely. It is vital to read and understand privacy policies and terms of service before using any online service. Companies that prioritize data privacy will clearly communicate how they collect, store, and use your data, as well as any third parties with whom they share it. Look for companies that implement strong data encryption and have robust security protocols in place.


Transparency and Consent:

Companies should be transparent about the data they collect and seek your consent before gathering it. When you provide personal information, they should inform you of the purpose behind it and any potential risks involved. Additionally, they should offer opt-in and opt-out mechanisms for data sharing or marketing communications. As a user, it is essential to be cautious and grant access only to trusted companies, while regularly reviewing and managing your privacy settings across various platforms.


Data Breaches and Incident Response:

Even with the most stringent security measures in place, data breaches can occur. It is important for companies to have an effective incident response plan to mitigate the impact of such events. A responsible organization will promptly notify affected users and provide guidance on steps to protect their information. Stay informed about data breaches and take necessary actions, such as changing passwords or monitoring your accounts for any suspicious activity.


Passwords and Authentication:

One of the simplest yet most effective ways to enhance your online security is by using strong, unique passwords for each of your accounts. Avoid using easily guessable information and consider utilizing password managers to securely store and generate complex passwords. Two-factor authentication (2FA) is another valuable layer of security that adds an extra step to verify your identity when logging in, reducing the risk of unauthorized access.


Phishing and Social Engineering:

Cybercriminals often employ deceptive tactics, such as phishing emails, to trick unsuspecting users into revealing sensitive information. Be cautious of unsolicited emails, messages, or calls that request personal data or financial details. Legitimate organizations will not ask you to provide sensitive information through insecure channels. Verify the authenticity of such requests independently by contacting the company directly.


Regular Software Updates:

Software vulnerabilities are frequently discovered, and updates often include patches to address these weaknesses. Regularly updating your operating systems, applications, and antivirus software helps safeguard against known vulnerabilities. Enable automatic updates wherever possible to ensure you benefit from the latest security enhancements.


Remember, security awareness is an ongoing process, and staying informed is crucial. Educate yourself about best practices in cybersecurity and encourage others to do the same. By being vigilant and proactive, we can protect our data, maintain privacy, and enjoy a safer online experience. 

Indicator of compromise (IoC) activity

 Scenario As a novice Security Operations Center (SOC) analyst employed by a financial services company, you recently received ...