toolsmith snapshot: Sooty - SOC Analyst's All-in-One Tool

Speed up SOC workflow


It’s been a bit longer than I like between posts; it’s definitely been busy here in the Pacific Northwest. I like to keep a running list of possible toolsmith topics, and I spotted Sooty back in December 2019, back in the good old days before our current pandemic and political mayhem. Sooty was developed with the intent of helping SOC analysts automate parts of their workflow. Sooty serves to perform the more mundane and routine checks SOC analysts typically undertake, with the hope of freeing the analyst to conduct deeper analysis in a more efficient and timely manner.

[Read More]

To the Brim at the Gates of Mordor

toolsmith #144: Search & Analyze Mordor APT29 PCAPs with Brim


Herein lies an opportunity to explore the dark in the name of light.
“Some believe that it is only great power that can hold evil in check. But that is not what I’ve found. I found it is the small things. Every day deeds by ordinary folk that keeps the darkness at bay.” ~Gandalf
These words ring ever true in the everyday fight we face combatting cyber crime and Internet malfeasance. Two offerings come forth to join this fight and converge here to create ample learning opportunities.
Brim offers a new way to browse, store, and archive logs with their free and open source Brim Desktop app, as well as the ZQ command line execution engine and query language.
The Mordor project provides pre-recorded security events generated by simulated adversarial techniques, categorized by platforms, adversary groups, tactics and techniques defined by the MITRE ATT&CK Framework, Evaluations, and Arsenal. MITRE really is the third protagonist in our epic; we owe them much as defenders of the realm.

[Read More]

Toolsmith Snapshot: SpectX IP Hitcount Query

Detect possible bots & automated queries

Apologies for the lag between posts, dear reader. I’m in the midst of a doctoral dissertation, having almost finished my second chapter, and it doesn’t leave a lot of room for additional writing. Treat this entry as a stopgap, courtesy of Raido from SpectX, the subject of our last toolsmith, #143 on SpectX4DFIR. Herein, Raido provides us with a SpectX query to count hits from IPs during different time intervals.

[Read More]

SpectX: Log Parser for DFIR

toolsmith #143

Welcome to the first COVID edition of toolsmith; I do hope this finds you all safe, healthy, and sheltered to the best of your ability.
In February I received a DM via Twitter from Liisa at SpectX regarding my interest in checking out SpectX. Never one to shy away from a tool review offer, I accepted. SpectX, available in a free community desktop version, is a log parser and query engine that enables you to investigate incidents via log files from multiple sources such as log servers, AWS, Azure, Google Storage, Hadoop, ELK and SQL databases. Actions include:

  • Large-scale log review
  • Root cause analysis (RCA) during incidents
  • Historical log analysis
  • Virtual SQL joins across multiple sources of raw data
  • Ad hoc queries on data dumps

SpectX architecture differs from other log analyzers in that it queries raw data directly from storage, without indexing. SpectX runs on Windows, Linux or OS X, in the cloud, or on an offline on-prem server.

[Read More]

Chain Reactor: Simulate Adversary Behaviors on Linux

toolsmith #142

I am an advocate for the practice of adversary emulation to ensure detection efficacy. Candidly, I don’t consider a detection production-ready until it has been validated with appropriate adversary emulation to ensure the required triggers, alerts, and escalations are met. In many cases, basic human interaction can simulate the adversary per specific scenarios, but this doesn’t scale well. Applications and services to aid in this cause are essential. A couple of years ago I discussed APTSimulator as a means by which to test and simulate the HELK, but I haven’t given proper attention to adversary emulation on Linux. To that end, Chain Reactor “is an open source framework for composing executables that can simulate adversary behaviors and techniques on Linux endpoints. Executables can perform sequences of actions like process creation, network connections and more, through the simple configuration of a JSON file.”

[Read More]

DeepBlueCLI: PowerShell Threat Hunting

toolsmith #141

Happy New Year! Those among you who participated in the SANS Holiday Hack Challenge, also known as Kringlecon 2, this holiday season may have found yourselves exposed to new tools, or had the opportunity to utilize one or two that had not hit your radar prior. Such was the case for me with DeepBlueCLI, a PowerShell module for threat hunting via Windows Event Logs.

[Read More]

DFIR Redefined Part 3: visNetwork for Network Data

Deeper Functionality for Investigators with R series continued

In keeping with pending presentations for the Secure Iowa Conference and [ISC2 Security Congress](https://www.eventscribe.com/2019/ISC2/agenda.asp?pfp=days&day=10/28/2019&theday=Monday&h=Monday October 28&BCFO=P|G), I’m continuing the DFIR Redefined: Deeper Functionality for Investigators with R series (see Part 1 and Part 2). Incident responders and investigators, faced with an inundation of data and ever-evolving threat vectors, require skills enhancements and analytics optimization. DFIR Redefined is intended to explore such opportunities to create efficiencies and help the blue team cause. visNetwork represents another fine example of visualizing datasets in a manner that analysts can naturally gravitate towards.

[Read More]

KAPE: Kroll Artifact Parser and Extractor

toolsmith #140 - KAPE vs Commando, another Red vs Blue vignette

Once in a while the Twittersphere really sends me signal regarding content opportunities and potential research areas. If you follow any Blue Team aficionados, as I do, you’ll likely have seen the same level of chatter and excitement I have regarding Eric Zimmerman’s KAPE, the Kroll Artifact Parser and Extractor. In short, KAPE is a triage program that targets devices or storage locations, finds forensic artifacts, and parses them.

[Read More]

RedHunt Linux - Adversary Emulation & Threat Hunting

toolsmith #135

Based on Lubuntu 18.04 x64, the RedHunt Linux virtual machine for adversary emulation and threat hunting is a “one stop shop for all your threat emulation and threat hunting needs. It integrates an attacker’s arsenal as well as defender’s toolkit to actively identify the threats in your environment.”

[Read More]