UNPACKING SHADE (TROLDESH) RANSOMWARE

Today I wanted to do a blog post on unpacking Shade (Troldesh) ransomware md5 7F9D970C685F7F33AA8A961F2A10173D. The sample I used was acquired from here. Troldesh is a crypto ransomware variant that was created in Russia. So the short story is it will encrypt your files and try to extort money from you. The technique I used on […]

APT34 OilrigThreeDollarsMacro.doc Analysis

So today I wanted to analyze a Microsoft Word document I downloaded from 0xffff0800 .onion website http://iec56w4ibovnb4wc.onion and just go through some quick triage steps to strip out some Indicators of Compromise (IOC’s) if you needed to start scanning your environment quickly. So as usual, when I pull down a sample I will transfer it […]

MagicHoundAPT34 Word Doc Analysis

Today I wanted to do a blog post on a malicious Microsoft Word Document that I pulled down from http://iec56w4ibovnb4wc.onion, this is @0xffff0800 repository of malware. It is definitely an excellent resource of malware. So far from what I can tell in my analysis is that this Word document is a downloader, but with that […]

PCAP Command-line Tips & Tricks

Today I wanted to cover some command-line tips and tricks I’ve learned over the years to help me filter and analyze pcap files. The tools I will be using for this are TCPDump and TShark. The pcap I will be using is from https://www.malware-traffic-analysis.net. If you haven’t checked out this site yet you should because […]

Threat Hunting Snippets for the Network

So in this blog post I wanted to talk about my approach to hunting on the network. I won’t delve into collection of the data, but instead this will be a situation where you have a packet capture already and you don’t know where to start. So depending on the size of the packet capture […]

3 Steps to Improve Your Security

These are fascinating times we find ourselves in as security professionals, never has there been so much information at our fingertips on how to do our jobs in creative and outside the box ways! It’s literally like being Neo in the Matrix, you can find and follow bona fide rockstars such as Matt Graeber, Will […]

Elasticsearch Stack Install Part 3 Logstash

In this post we are going to install Logstash to finish up our Elasticsearch server. So let’s start. First thing we will do is install Logstash. sudo apt-get update && sudo apt-get install logstash Now we will create our Logstash configuration file to be able to receive event logs from our Windows endpoints with Winlogbeat […]

Elasticsearch Stack Install Part 2 Kibana

So we will be picking up where we left off. We have already installed Elasticsearch so if you have not completed that step yet, Part 1 is here. On with Kibana… Step 1 Install Kibana: sudo apt-get update && sudo apt-get install kibana Next we will connect the server to our localhost like we did with Elasticsearch. […]

Elasticsearch Stack Install Part 1 Elasticsearch

So in this blog post I am going to start a series of posts dealing with installing the Elasticsearch stack and then using Winlogbeat to forward Windows event logs and Filebeat to forward bro logs and then finally we will build out some cool visualizations and dashboards. I will be installing the Elasticsearch stack on […]

Using PowerShell and Python to Analyze Amcache

I wanted to write this post on using PowerShell and Python, specifically PowerForensics and the pandas library to remotely copy the Amcache.hve file from multiple computers and then use amcacheparser.exe to parse all the amcache files and then load them all up into a pandas DataFrame for analysis. What you will need to accomplish this, […]