brainfold.net
Branfold.net: Key names widely used in Crypto world
http://www.brainfold.net/2011/09/key-names-widely-used-in-crypto-world.html
Sunday, September 18, 2011. Key names widely used in the crypto world. Triple Data Encryption Standard. Electronic funds transfer at POS. Visa Issuer Master Encryption Key. MasterCard Issuer Master Key for AC generation. MasterCard Issuer Master Key for the generation of the Data Authentication Code. MasterCard Issuer Master Key for the generation of the Message Authentication Code. MasterCard Issuer Master Key for Secure Messaging confidentiality. Programmable Read-Only Memory.
Branfold.net: Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs
http://www.brainfold.net/2016/08/threat-hunting-techniques-av-proxy-dns.html
Friday, August 12, 2016. Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs. Inspired by the talk from Davis sharpe Me19, "Intrusion Hunting for the Masses: A Practical Guide". The following techniques were developed, along with a few other techniques that I commonly use for hunting. YouTube video link :- https://www.youtube.com/watch? AV - To identify known password dumpers, droppers and backdoors (both deleted and not deleted). AV - Execution of a binary from a user's AppData directory. Known webshell filename...
Branfold.net: ZEPTO VARIANT LOCKY MALSPAM
http://www.brainfold.net/2016/08/zepto-variant-locky-malspam.html
Wednesday, August 17, 2016. ZEPTO VARIANT LOCKY MALSPAM. This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 15th 2016. The focus is mainly on using the pre-built Splunk tool to detect and observe the behavior. Suricata is used as the NIDS engine with ET signatures. Wireshark is used to further observe the payload, along with wget to download the HTML page of the compromised/redirect site to witness and deobfuscate the code. Root@brainfold-blackbox:/opt/...
Branfold.net: August 2016
http://www.brainfold.net/2016_08_01_archive.html
Monday, August 29, 2016. BANDARCHOR RANSOMWARE - Traffic Analysis. This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 26th 2016. The focus is mainly on using the Splunk tool to detect and observe the behavior. Suricata is used as the NIDS engine with ET signatures. Wireshark is used to further observe the payload, and the honey client THUG is used to analyse and pass its output on to Splunk. http://www.malware-traffic-analysis.net/2016/08/26/index3.html. Threat Int...
Branfold.net: July 2016
http://www.brainfold.net/2016_07_01_archive.html
Sunday, July 31, 2016. If a SIEM team during a hunting exercise (or however) suspects that a web shell is present on a monitored web server, the following are some things to examine. The server access and error logs can be searched for common keywords used by web shells. This includes filenames and/or parameter names. The example looks for the string ‘.php’ in URLs in Apache HTTP Server’s access log. Search for modified files in the last. Acunetix has a great, really comprehensive 5 p...
Branfold.net: BANDARCHOR RANSOMWARE - Traffic Analysis
http://www.brainfold.net/2016/08/bandarchor-ransomware-traffic-analysis_47.html
Monday, August 29, 2016. BANDARCHOR RANSOMWARE - Traffic Analysis. This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 26th 2016. The focus is mainly on using the Splunk tool to detect and observe the behavior. Suricata is used as the NIDS engine with ET signatures. Wireshark is used to further observe the payload, and the honey client THUG is used to analyse and pass its output on to Splunk. http://www.malware-traffic-analysis.net/2016/08/26/index3.html. Threat Int...
Branfold.net: EITEST RIG EK - GOOTKIT
http://www.brainfold.net/2016/08/eitest-rig-ek-gootkit.html
Monday, August 22, 2016. EITEST RIG EK - GOOTKIT. This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted on Aug 18th 2016. The focus is mainly on using the pre-built Splunk tool to detect and observe the behavior. Suricata is used as the NIDS engine with ET signatures. Wireshark is used to further observe the payload. I have also used thug to analyse the domains and pass the analysis output on to Splunk. Example of successful output:-. Suricata's output eve.json fi...
Branfold.net: Meterpreter - Post Exploitation Tools
http://www.brainfold.net/2013/08/meterpreter-post-exploitation-tools.html
Sunday, August 25, 2013. Meterpreter - Post Exploitation Tools. Post exploitation is a crucial step, as it allows the attacker to gather information from the victim that he has exploited. A lot of penetration testers use the Metasploit framework modules for system exploitation. However, Metasploit also provides a bunch of useful run commands that can be used to gain an understanding of the victim's machine. The output of each individual command with winenum and scraper is saved in the following location. Run pos...
Branfold.net: Detecting Lateral Movements
http://www.brainfold.net/2016/08/detecting-lateral-movements_63.html
Thursday, August 11, 2016. I came across this useful blog on Hunting Lateral Movement, and Windows Incident Response. Below is a summary of key points from the article, and also some good hunt techniques as part of content creation for SIEM. During lateral movement, the following indicators are more often present. Windows (event code 4688/592). Net.exe, ipconfig.exe, whoami.exe, nbtstat.exe…. Cluster x number of processes executing within a 10-minute time frame. Don’t discount hunches). Failed au...
Branfold.net: LOCKY MALSPAM - Traffic Analysis and Indicators
http://www.brainfold.net/2016/08/locky-malspam-traffic-analysis-and.html
Wednesday, August 10, 2016. LOCKY MALSPAM - Traffic Analysis and Indicators. This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted in Aug 2016 - "2016-08-08 - LOCKY MALSPAM". The focus is mainly on using Splunk as a SIEM tool to detect. Wireshark and Suricata are also used to further understand the pattern. Source - http://www.malware-traffic-analysis.net/2016/06/03/page2.html. 2016-08-08-Locky-malspam-traffic.pcap (873,563 bytes). Notice - This is Suricata ve...