This is the third part in a post describing how to train your team for incident response and incident investigations.
The first part for training incident response and incident investigations covered how to analyze the e-mail headers and information in a suspicious e-mail. The second part analyzed the attachment which turned out to be a CryptoLocker.F variant.
The last step of my analysis involved executing the CryptoLocker virus in a fully networked VM. After resetting … Read more.
This is the second part in a post describing how to train your team for incident response and incident investigations.
The first part covered how to analyze the e-mail headers and information in a suspicious e-mail.
The e-mail contained one attachment : koen.vanimpe@c.d.zip. Unzipping the file resulted in a .scr file.
The sha1 is
MD5 is
I uploaded the scr file to Virustotal for further analysis. So far (22-Feb) no-one else submitted a similar sample. … Read more.
An incident response and incident investigation team needs to be able to quickly extract useful information from an incident. Instead of writing long theoretical documents I wanted to use the hands-on approach to serve as an example to train a team to quickly extract IOCs from an ongoing incident. What’s better for doing this than to analyze the behavior of CryptoLocker to train an incident response team and analyze the delivery of CryptoLocker?
IOCs or … Read more.
I wanted to track DNS queries that get send to nameservers that do not serve a particular domain or network. I used a Bind DNS server that logged the query and returned a fixed response. The logs get parsed by Logstash and stored in Elasticsearch for analysis.
Installing bind is easy via the bind9 package :
This will add a new user ‘bind’ and store the configuration files in /etc/bind.
For this setup I … Read more.
One of the things that I find lacking in netcat is a timestamp feature. You can log the requests but you can not easy log the exact timestamps. Instead of writing a wrapper around netcat I wrote a small python script that can act as a simple TCP or UDP network server.
A lot of the code is inspired on code at http://ilab.cs.byu.edu/python/select/echoserver.html and http://www.binarytides.com/udp-socket-programming-in-winsock/
All of the code can be found on Github together … Read more.
I manage a number of WordPress sites. These sites get a lot of login attempts. Instead of dropping these attempts I decided to log them and build some stats.
I also wanted “something” that I could use to play with Pipal. Pipal is a password analyzer that provides useful statistics on a list of passwords. Note that it is NOT a password cracker.
I created a fake WordPress login form (wp-login.php) and installed this on … Read more.
The Elasticsearch ELK Stack (Elasticsearch, Logstash and Kibana) is an ideal solution for a search and analytics platform on honeypot data.
There are various howto’s describing how to get ELK running (see here, here and here) so I assume you already have a working ELK system.
This post describes how to import honeypot data into ELK. The easiest way to get all the necessary scripts and configuration files is by cloning the full repository.
If … Read more.
In a previous post I did an analysis of HTTP headers returned by Belgian websites. The list of websites was based on an old Alexa datafile and more or less reflected the most ‘popular’ Belgian websites. I now trimmed these domains to their top domain only (so www.site.be and alpha.site.be became site.be) and decided to check what type of MX records are defined for the different domains.
MX records are DNS records that specify a … Read more.
This is the second part in the analysis of the content of HTTP headers returned from Belgian websites. The first part describes what HTTP headers are and analyses the results of the network requests.
Disclosing HTTP headers is not going to make your site more vulnerable nor is not disclosing them going to make your site more secure. But by leaking version information you basically give away your level of patch management, making it easier … Read more.
This analysis on HTTP headers is separated into two different blog posts :
describing what HTTP headers are and analyzing the results of the network requests analyzing the content of HTTP headers
The separation in two parts follows the logical sequence of events that I had to do to complete the investigation. First I had to map the network and interpret these results and then dive deeper in the returned HTTP header results.
Note that … Read more.
Graphs made with cudeso posts stats
By continuing to use the site, you agree to the use of cookies. more information
An HTTP cookie, is a small piece of text sent from a website and stored in your web browser. Cookies are a reliable mechanism for websites to remember your preferences and improve your browsing experience.
If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.