I have to start somewhere...

Here's some links for now:
https://github.com/agrajag9/a9dotfiles
This is a collection of my bashrc and related files. I've been daily-driving Linux terminals now for years and this is one of the first things I install. The screenshot below however is taken from one of my Windoze hosts.



https://github.com/agrajag9/getrichlaikaboss
If you work in CND/DFIR/CTI and you aren't familiar with LaikaBOSS, I recommend taking a look. It's a framework originally intended as an IDPS, but it's since grown to do far more than just those tasks. The core concept is that modern file-types tend to be tiered and follow an object-oriented design, so a modern IDS/IPS needed to be able to analyze these objects as such.
getrichlaikaboss was a short script I wrote to determine the compilation toolset of a Windoze PE. Every exe and dll compiled with Visual Studio will contain a Rich Header, which in turn contains a list of tools used to compile, assemble, and link all of the files in the project. However, that list is stored in numerical form and requires a lookup table to determine the original toolset. getrichlaikaboss will take LaikaBOSS JSON as input and return that list as output.

Comments

Post a Comment

Popular posts from this blog

Yara and Rich Headers are full of win

Rich Headers are awesome and you should read about them here: http://www.ntcore.com/files/richsign.htm I was looking at a sample recently and, being the good analyst I am, attempted to automate my DFIR processes using the tools I had handy. Step 1: Get the Rich Headers for the malicious binary. Let's use 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82, a known RAMNIT ransomware sample. $ laika.py 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82 | jq '.scan_result[].moduleMetadata | select(.META_PE) | .META_PE."Rich Header"' { "Checksum": 3183276661, "Hashes": { "SHA1": "dd0f0861bc67028b3cab0d6cdc55a29cc2822f64", "SHA256": "8fd544eee7389c64a29440555f5b968ae0632ed3b989a63402b6d43934a8973e", "MD5": "8451f317057b289c04b2c5b202c09715" }, "Rich Header Values": [ { "Count": 6, "Version": ...
Read more

"It's Not All Black And White" or "Why You Should Switch From Blacklisting To Whitelisting"

I think the title says a lot here: if you want to defend your information systems, you should switch from blacklisting to whitelisting. But what does that mean? Most people hear "whitelisting" in terms of CND and think "application whitelisting". But there's so many more places to do it! You already hopefully do outbound whitelisting on your firewall. You aren't really  allowing any system to talk out on TCP/3389, right? You do have a DEFAULT:DENY or DENY ANY,ANY down at the bottom of your firewall rules, right? But have you considered whitelisting outbound web traffic at your proxy as well? Most people think of their web proxy reputation lists as block lists, and for good reason: most of them are incomplete. But did you ever consider that maybe that incompleteness as a defensive measure? If you block unknown websites at your web proxy, you're going to block a huge amount of malicious websites. You're probably thinking to yourself but what abou...
Read more

Operation Cloud Hopper

Although long, a highly recommended read: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-updated.pdf One thing I want to call out is Table 3, where PWC clearly demonstrated an interesting composite indicator of a TTP that appears to be specific to this operation. Specifically, the use of @india.com registrants and ITITCH nameservers. If you have the ability to pivot on this TTP, then you're likely to find a significant number of other similar domains. Happy hunting, y'alls!
Read more