GitBook: [master] 4 pages and 2 assets modified

forensics/basic-forensic-methodology/malware-analysis.md

@@ -11,7 +11,7 @@
 * [Koodous](https://koodous.com/)
 * [Intezer](https://analyze.intezer.com/)
 
-## Offline antivirus
+## Offline Antivirus and Detection Tools
 
 ### Yara
 
@@ -72,6 +72,29 @@ To share these definitions is very useful as when a malware is identified in a c
 A tool to create or modify IOCs is ****[**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**  
 You can use tools such as ****[**Redline**](https://www.fireeye.com/services/freeware/redline.html) ****to **search for defined IOCs in a device**.
 
+### Loki
+
+\*\*\*\*[**Loki**](https://github.com/Neo23x0/Loki) ****is a scanner for Simple Indicators of Compromise.  
+Detection is based on four detection methods:
+
+```text
+1. File Name IOC
+   Regex match on full file path/name
+
+2. Yara Rule Check
+   Yara signature match on file data and process memory
+
+3. Hash Check
+   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
+   
+4. C2 Back Connect Check
+   Compares process connection endpoints with C2 IOCs (new since version v.10)
+```
+
+### Linux Malware Detect
+
+\*\*\*\*[**Linux Malware Detect \(LMD\)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources.
+
 ### rkhunter
 
 Tools like [**rkhunter**](http://rkhunter.sourceforge.net/) can be used to check the filesystem for possible **rootkits** and malware.
@@ -84,6 +107,14 @@ sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--sk
 
 [PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable \(binary data, entropy, URLs and IPs, some yara rules\).
 
+### NeoPI 
+
+\*\*\*\*[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
+
+### **php-malware-finder**
+
+\*\*\*\*[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells.
+
 ### Apple Binary Signatures
 
 When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
@@ -99,3 +130,17 @@ codesign --verify --verbose /Applications/Safari.app
 spctl --assess --verbose /Applications/Safari.app
 ```
 
+## Detection Techniques
+
+### File Stacking
+
+If you know that some folder containing the **files** of a web server was **last updated in some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
+
+### Baselines
+
+If the files of a folder s**houldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
+
+### Statistical Analysis
+
+When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a webshell might be one of the most**.
+

forensics/basic-forensic-methodology/pcap-inspection/README.md

@@ -128,6 +128,86 @@ Check if you can find any fingerprint of a known malware:
 
 {% page-ref page="../malware-analysis.md" %}
 
+## Zeek
+
+> Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor \(NSM\) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
+
+Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
+
+### Connections Info
+
+```bash
+#Get info about longest connections (add "grep udp" to see only udp traffic)
+#The longest connection might be of malware (constant reverse shell?)
+cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service duration | sort -nrk 7 | head -n 10
+
+10.55.100.100   49778   65.52.108.225   443     tcp     -       86222.365445
+10.55.100.107   56099   111.221.29.113  443     tcp     -       86220.126151
+10.55.100.110   60168   40.77.229.82    443     tcp     -       86160.119664
+
+
+#Improve the metrics by summing up the total duration time for connections that have the same destination IP and Port.
+cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += $5 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10
+
+10.55.100.100   65.52.108.225   443     tcp     86222.4
+10.55.100.107   111.221.29.113  443     tcp     86220.1
+10.55.100.110   40.77.229.82    443     tcp     86160.1
+
+#Get the number of connectionssummed up per each line
+cat conn.log | zeek-cut id.orig_h id.resp_h duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2] += $3; count[$1 FS $2] += 1 } END{ for (key in arr) printf "%s%s%s%s%s\n", key, FS, count[key], FS, arr[key] }' | sort -nrk 4 | head -n 10
+
+10.55.100.100   65.52.108.225   1       86222.4
+10.55.100.107   111.221.29.113  1       86220.1
+10.55.100.110   40.77.229.82    134       86160.1
+
+#Check if any IP is connecting to 1.1.1.1
+cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service | grep '1.1.1.1' | sort | uniq -c
+
+#Get number of connections per source IP, dest IP and dest Port
+cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += 1 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10
+
+
+### RITA
+#Something similar can be done with the tool rita
+rita show-long-connections -H --limit 10 zeek_logs
+
++---------------+----------------+--------------------------+----------------+
+|   SOURCE IP   | DESTINATION IP | DSTPORT:PROTOCOL:SERVICE |    DURATION    |
++---------------+----------------+--------------------------+----------------+
+| 10.55.100.100 | 65.52.108.225  | 443:tcp:-                | 23h57m2.3655s  |
+| 10.55.100.107 | 111.221.29.113 | 443:tcp:-                | 23h57m0.1262s  |
+| 10.55.100.110 | 40.77.229.82   | 443:tcp:-                | 23h56m0.1197s  |
+
+#Get connections info from rita
+rita show-beacons zeek_logs | head -n 10
+Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top Intvl,Top Size,Top Intvl Count,Top Size Count,Intvl Skew,Size Skew,Intvl Dispersion,Size Dispersion
+1,192.168.88.2,165.227.88.15,108858,197,860,182,1,89,53341,108319,0,0,0,0
+1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0
+0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
+```
+
+### DNS info
+
+```bash
+#Get info about each DNS request performed
+cat dns.log | zeek-cut -c id.orig_h query qtype_name answers
+
+#Get number of times each domain was requestedand get top 10
+cat dns.log | zeek-cut query | sort | uniq | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c | sort -nr | head -n 10
+
+#Get all the IPs
+cat dns.log | zeek-cut id.orig_h query | grep 'example\.com' | cut -f 1 | sort | uniq -c
+
+#Sort the most common dnsrecord request (should be A)
+cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr
+
+#See top DNS domain requested with rita
+rita show-exploded-dns -H --limit 10 zeek_logs
+
+
+
+```
+
 ## Other pcap analysis tricks
 
 {% page-ref page="dnscat-exfiltration.md" %}

forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md

@@ -11,7 +11,7 @@ The following tutorials are amazing to learn some cool basic tricks:
 * [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/)
 * [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/)
 
-### Wireshark analysed Information
+### Analysed Information
 
 #### Expert Information
 
@@ -44,6 +44,12 @@ Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoint
 
 ![](../../../.gitbook/assets/image%20%28575%29.png)
 
+#### DNS info
+
+Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured.
+
+![](../../../.gitbook/assets/image%20%28577%29.png)
+
 #### I/O Graph
 
 Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.**

pentesting/pentesting-web/php-tricks-esp/README.md

@@ -249,6 +249,10 @@ $_COOKIE | if #This mea
 
 If yo are debugging a PHP application you can globally enable error printing in`/etc/php5/apache2/php.ini` adding `display_errors = On` and restart apache : `sudo systemctl restart apache2`
 
+### Deobfuscating PHP code
+
+You can use the **web**[ **www.unphp.net**](http://www.unphp.net/) **to deobfuscate php code.**
+
 ## Variable variables
 
 ```php