@adricnet
adricnet / 16_prof_dev.md
Last active February 3, 2017 05:04
Professional Development 2016

Some fairly detailed notes on the classes I taught, took, conferences I attended, fees, and other professional development and education expenses in 2016, for discussion

Conference Attendance: (~ $500 USD)

  1. Security Onion Conference, Augusta GA and B-Sides Augusta:
  • Tickets:
  • hotel room, mileage, food:

Online Courses, exams, and lab access: (~ $10,000 USD)

@adricnet
adricnet / sgbb_topics.md
Last active January 12, 2017 15:27
Looking through some books, courses for SG ideas.

Looking through some books, courses for SG ideas. Guiding ideas:

  • target delivery : four weeks, twice a week ... or break into chunks
    • Building data models and heuristics, good process, demo tools and techniques (in that order)
    • supplement individual education plans, not job training
    • need a book or major reference, don't write a course

Books:

  • HC's WFA3 : response and investigation of windows systems
crash = "\x41" * 4371 + "BBBB" + "C" * 6 + "DD"
        crash w/EIP ?
A's     ---------
----

4371 : 43 42 53 65 C B . .
@adricnet
adricnet / hh2016-scribble.md
Created December 13, 2016 19:12
#holidayhackchallenge scribble

Instagram image source, maybe ephemeral

<img alt="Why are my geeky elves always the messy ones?  CLEAN UP YOUR DESK HERMEY!" class="_icyx7" id="pImage_3" src="https://scontent-atl3-1.cdninstagram.com/t51.2885-15/e35/15275692_1825886877683854_211464858007240704_n.jpg?ig_cache_key=MTM5ODY1MjkwODg0OTA5NDQ1Nw%3D%3D.2">

<img alt="HoHoHo.  The team decorated my parking spot again.  Where do I park?" class="_icyx7" id="pImage_4" src="https://scontent-atl3-1.cdninstagram.com/t51.2885-15/e35/14499133_107628316393967_6584649958186549248_n.jpg?ig_cache_key=MTM5NTY5Njk1OTk2ODY4MzE2MA%3D%3D.2">
@adricnet
adricnet / malbox-build.log
Created December 7, 2016 18:45
malboxes build fails on depwalker install fail, on missing checksum
virtualbox-iso: dependencywalker v2.2.6000.7 [Approved] - Likely broken for FOSS users (due to download location changes)
virtualbox-iso: dependencywalker package files install completed. Performing other installation steps.
virtualbox-iso: Downloading dependencywalker 64 bit
virtualbox-iso: from 'http://www.dependencywalker.com/depends22_x64.zip'
virtualbox-iso: Progress: 100% - Completed download of C:\Users\malboxes\AppData\Local\Temp\chocolatey\dependencywalker\2.2.6000.7\depends22_x64.zip (457.63 KB).
virtualbox-iso: Download of depends22_x64.zip (457.63 KB) completed.
virtualbox-iso: WARNING: Missing package checksums are not allowed (by default for HTTP/FTP,
virtualbox-iso: HTTPS when feature 'allowEmptyChecksumsSecure' is disabled) for
virtualbox-iso: safety and security reasons. Although we strongly advise against it,
virtualbox-iso: if you need this functionality, please set the feature
@adricnet
adricnet / yara_ole_vba.md
Last active March 3, 2020 18:59
Trying to automate clustering some vba in OLE in DOCX

Some DOCX samples today had the VBA script payload embedded into OLE objects in the DOCX. To a user this looks like document icons in the Word file, and for file analysis they are in the DOCX zip under word/embeddings (Thanks Brian!). After doing a few of these manually, and then dynamically fighting with the Office debugger to get the indicators out of them individually, I took a moment to try and automate at least part of the process.

Loop through samples in a directory, yank all of the embedded OLE objects, and scan them for likely VBA script with Yara

$ for file in efax/*.docx ; do unzip -qq -o -j "$file" "word/embeddings*" ; \
  for y in oleObject*; do echo -n "$file  "; \
    yara -f -w vbaoleobj.yara "$y"; done; rm -f oleObject* ; done
@adricnet
adricnet / mta-20150711-id.md
Last active November 25, 2016 18:30
Work on MTA exercise 2015-07-11-traffic-analysis-exercise.pcap

Did: tshark pulled out all of the DNS domains asked for, isolated workstation hostname (common pattern), stats report for endpoints (ether and IP), decoded one packet for the src IP and addr (checked it was right), pulled out all of the HTTP request URIs and no referrers were seen

$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y dns.qry.name -T fields -e dns.qry.name -q | grep '-' | head -1 > mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y dns.qry.name -T fields -e dns.qry.name | sort -u > mta-20150711-dns-domains
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -z endpoints,ip -q | head -2 >> mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -z endpoints,ether -q >> mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -c1 -V | grep -i src >> mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y http -T fields -e http.request.full_uri -e http.referer | sort -u > mta-20150711-http
@adricnet
adricnet / mta-20150303-id.md
Last active November 25, 2016 18:41
Work on MTA exercise 2015-03-03-traffic-analysis-exercise.pcap

Did

tshark -nn -r 2015-03-03-traffic-analysis-exercise.pcap -z conv,tcp > tcp_convs
tshark -nn -r 2015-03-03-traffic-analysis-exercise.pcap -z conv,udp > udp_convs
tshark -nn -r 2015-03-03-traffic-analysis-exercise.pcap -z conv,ip > ip_convs
tshark -nn -q -r 2015-03-03-traffic-analysis-exercise.pcap -Y http.request.full_uri -T fields \
  -e http.request.full_uri -e http.referer | grep 'moonstoneafgelekte.onewide.co.uk' >>
capinfos 2015-03-03-traffic-analysis-exercise.pcap > time
## assembled host_data with Wireshark paste in vim
@adricnet
adricnet / some_labs.md
Last active November 12, 2016 23:08
Lab notes from vuln hub practice
@adricnet
adricnet / vba-sed-script
Created October 20, 2016 20:25
Normalise VBA code in macros for easier code analysis
### Normalise VBA code in macros for easier code analysis, @adricnet
## Remove all the DOS newlines to start
/^[[:space:]]*$/d
## Add in newlines we want to highlight code blocks
s/end function/End Function\n/i
s/end sub/End Sub\n/i
## Fix mangled cASe obFUScaTioN while we are here