SANS Holiday Hack Challenge – Part I

I figured that I would try and attempt to do the annual SANS Holiday Hack Challenge this year while things were slow at work (knock on wood). So after working on this for 2-3 days, I have managed to knock out the first of the questions: 1) Which commands are sent across the Gnome’s command-and-control channel? 2) What image appears in the photo the Gnome sent across the channel from the Dosis home? The way I got the answers for this first set of problems was not “creative” by any stretch of the imagination. If anything it was just manually…

Damn Malicious Word docs – Part 2

So with the push of the Christmas season upon me and my family, it has taken some time to get back to this. So with that being said, I have come back to it only to find out that the malicious word doc is not working fully at the present time – most likely since the compromised server is no longer up/has been fixed. But here is the little bit that I got from running the word doc. After running the malicious word doc within my test VM, I could see a call being made to an IP address of…

Damn Malicious Word docs – Part 1

So the purpose of this post is that I could not remember how to extract the script from a malicious Word document. Damn old age and lack of coffee! Like anyone in a SOC role, you most likely get a lot of emails sent to you (or your distro) for odd/weird/humorous emails that people are not sure about. It is up to you and the team in the SOC to figure out if the email is malicious or not. So yesterday someone sent in an email from someone else saying that they would like to work for the company and…

Malware Exercise 2015-11-24 Goofus and Gallant

So this one has a great comical backstory – how the user (ironically from the SOC) Tom brought his personal laptop in and managed to get his system infected while looking for a shotgun to go hunting with. Outside of making me and one of my co-workers laugh at the scenario (and then another one asking if this could be based on a real event – lol), there is one thing that I learned from this and it was from reading the answers. Brad explains how he went about finding the start of the infection chain from working backwards using…

Malware Exercise 2015-11-06 Email Roulette

So here is my write-up of the latest malware exercise from Brad. Needless to say, his description of the event that led up to the infection is hilarious. Another great exercise to say the least. As usual, if you spot something off or something that I could improve on, drop me a comment below.

Summary of the Investigation
==============================

– Date and time of the activity.
> 2015-11-06 @ 16:22

– The infected computer’s IP address.
> 10.3.66.103

– The infected computer’s MAC address.
> Dell 00:24:e8:2d:90:81

– The infected computer’s host name.
> STROUT-PC

– Domains and IP addresses…

Malware Exercise 2015-10-28 Midge Figgins Infected Her Computer

So here is the latest one from Brad – another good exercise to say the least! One thing to note about this one is that I had some issues extracting objects from the PCAP using Wireshark. In those cases I was able to use Captipper to extract out the HTTP object. Also, I am re-organizing my Github so the individual files from the different labs can be downloaded individually and not as one huge download. **Update 06/11/2015 – So after reading Malware Kiwi’s blog post with his results, and talking to some of the guys at work that did the…

Malware Exercise 2015-10-13 – Halloween-Themed Host Names

Just posting my write-up of another one of Brad’s exercises. You can find the answers to this exercise from Brad here. The other interesting bit that I came across while researching different aspects from this exercise was another researcher that had worked on the same one as well. Check out his blog here, or his Twitter feed here. Here are my results from this exercise.

– Date and time of the activity.
> User1 = 10.12.2015 18:55 – 19:10
> User2 = 10.12.2015 23:30 – 23:39

– The infected computer’s IP address.
> User1 = 10.0.15.202
> User2 = 172.16.95.97…

Malware Exercise from ThreatGlass (2015-09-20 www.koreatimes.com)

So while waiting for Brad to come up with his next exercise, I figured that I would do some lab work “independently” while I waited. So I went over to Threatglass to see what I could find there. This one stood out to me being half-Korean and all so I figured that I would try my hand at it. The one that I used is from the Korea Times website. There you can find the PCAP and the screenshots that Threatglass posts. One thing that I wanted to note here is my lack of knowledge and understanding around how to…

Malware Exercise 2015-09-11 – A Bridge Too Far Enterprises

So I am a little late with this one as I just could not find the mental capacity to finish this one on time due to a head cold that turned into a sinus infection (which I am still fighting). Based on what Brad had said about this one, it was one of his more “tricky” exercises and some of the other analysts seem to confirm that as well. With that being said, I seemed to get the gist of it pretty quickly. The thing that threw me off was the fact that I did not see the traffic hitting…

Malware Exercise 2015-08-31 – What’s the EK? What’s the payload?

TL;DR: Basically this is one of Brad’s typical spot-the-malware-within-the-PCAP exercises from a drive-by infection. Nothing exciting like the previous one, but still good practice. Unfortunately I did get some of this one wrong (stupid me for not updating Snort rules in Security Onion). Also, one thing to note about this one that threw me for a loop: trying to export objects in Wireshark did not work for me. I ended up using CapTipper’s “dump” command to export all the objects from the PCAP into a directory.

My Results

IP address of the Windows computer that was…