Zeus Malware Analysis- Sophos UTM, Security Onion
I’ve posted about dynamic and automated analysis of the Zeus malware, but what about identifying Zeus from firewall & IDS logs? After executing Zeus, my Sophos UTM generated a few alerts. This is something that would absolutely stick out to me during daily log analysis. Drilling into the alert tells us threat “C2/Zaccess-A” attempted to …
Category: Security Analysis
Zeus Malware Analysis- Any.Run
I decided to run the Zeus malware through an automated analysis tool and compare it to what I saw using dynamic analysis with Remnux. I’m using the malware analysis tool at app.any.run. The free version only supports Windows 7 executables, which Zeus targets. After uploading the file, app.any.run displays a Windows UI and what the malware …
Zeus Malware Analysis- Remnux
Today we’re looking at dynamic malware analysis of Zeus with Remnux Linux. I wanted to RE a Windows file this week, and am just not getting anything good on my RDP honeypot (yet). I thought, what better way to start Windows malware analysis than with an old piece of malware? That way, if I’m missing …
ELF Analysis- kiga.x86
In addition to my weekly threat intel report, I’ll highlight a file/executable/exploit attempt seen in the last week. I’ll do some basic file analysis to better understand what it is, and what it’s trying to accomplish. Hopefully this can provide contextual data for those doing their own research. This week we’re looking at kiga.x86. Using …
Script Analysis- yoyobins.sh
In addition to my weekly threat intel report, I want to highlight a particular file/executable/exploit attempt I saw in the last week. I’ll do some basic analysis of the file to better understand what it is, and what it’s trying to accomplish. Hopefully this can provide contextual data for those doing their own research. This …
Security Onion & Splunk: Alert Analysis Workflow/Examples
Security Onion & Splunk is set up successfully, everything is ingesting and properly alerting, but now what? That largely depends on your individual situation, but I can assume you’ll see some alerts and need to do an investigation. So this article will address how to use Security Onion & Splunk to perform an investigation on your …
Setup IDS at Home- Security Onion 2020
Security Onion is probably the best IDS tool any InfoSec analyst can familiarize themselves with. It has a load of open-source tools that every organization should have deployed in some form. Whether it’s Snort IPS, Zeek IDS, OSSEC HIDS or using Security Onion to search your logs in Elasticsearch, you can easily deploy and start …
Setup SIEM @ Home with Splunk & Security Onion
Published: May 2, 2020
In this article, I’ll go over installing Splunk on top of Security Onion, which we installed in my last post: Setup HomeIDS. I don’t recommend installing your log management system on the same machine as your IDS in production, but it’s great for easy analysis, development or a POC. First thing is …
Setup Port Mirroring and VLANs at Home- Managed Switch
A switch capable of port mirroring and VLAN tagging is an essential purchase for every home lab. For your home IDS to work, you’ll need to mirror network traffic traversing the switch to a dedicated port. This switch port should be connected to a NIC dedicated as the sniffing interface for your IDS. In future …
Home Router- DMZ/Transparent Mode
The first Intro to Security Analysis- HomeIDS article focuses on configuring a home router for DMZ or transparent mode. This allows us to send all traffic destined for our public IP to an internal resource. This resource could be anything… a software-based firewall or, in my case, a Sophos Home hardware UTM. This allows …