Use CryptoLocker to train your incident response team (part 2)

This is the second part in a post describing how to train your team for incident response and incident investigations.

The first part covered how to analyze the e-mail headers and information in a suspicious e-mail.

The e-mail contained one attachment: koen.vanimpe@c.d.zip. Unzipping the file resulted in a .scr file.

The SHA1 is

MD5 is

I uploaded the .scr file to VirusTotal for further analysis. So far (22-Feb) no one else has submitted a similar sample.

Use CryptoLocker to train your incident response team (part 1)

An incident response and incident investigation team needs to be able to quickly extract useful information from an incident. Instead of writing long theoretical documents I wanted to use the hands-on approach to serve as an example to train a team to quickly extract IOCs from an ongoing incident. What’s better for doing this than to analyze the behavior of CryptoLocker to train an incident response team and analyze the delivery of CryptoLocker?

IOCs or

Bind DNS Sinkhole, Elasticsearch and Logstash

I wanted to track DNS queries that get sent to nameservers that do not serve a particular domain or network. I used a Bind DNS server that logged the query and returned a fixed response. The logs get parsed by Logstash and stored in Elasticsearch for analysis.

Installing Bind is easy via the bind9 package:

This will add a new user ‘bind’ and store the configuration files in /etc/bind.

For this setup I

Simple TCP and UDP network server in Python

One of the things that I find lacking in netcat is a timestamp feature. You can log the requests, but you cannot easily log the exact timestamps. Instead of writing a wrapper around netcat I wrote a small Python script that can act as a simple TCP or UDP network server.

A lot of the code is inspired by code at http://ilab.cs.byu.edu/python/select/echoserver.html and http://www.binarytides.com/udp-socket-programming-in-winsock/

All of the code can be found on GitHub together

Analyzing WordPress login attempts with Pipal

I manage a number of WordPress sites. These sites get a lot of login attempts. Instead of dropping these attempts I decided to log them and build some stats.

I also wanted “something” that I could use to play with Pipal. Pipal is a password analyzer that provides useful statistics on a list of passwords. Note that it is NOT a password cracker.

I created a fake WordPress login form (wp-login.php) and installed this on

Using ELK as a dashboard for honeypots

The Elasticsearch ELK Stack (Elasticsearch, Logstash and Kibana) is an ideal solution for a search and analytics platform on honeypot data.

There are various how-tos describing how to get ELK running (see here, here and here), so I assume you already have a working ELK system.

This post describes how to import honeypot data into ELK. The easiest way to get all the necessary scripts and configuration files is by cloning the full repository.


Analyzing MX records for .be domains

In a previous post I did an analysis of HTTP headers returned by Belgian websites. The list of websites was based on an old Alexa datafile and more or less reflected the most ‘popular’ Belgian websites. I now trimmed these domains to their top domain only (so www.site.be and alpha.site.be became site.be) and decided to check what type of MX records are defined for the different domains.

MX records are DNS records that specify a

Analyze HTTP headers (part 2)

This is the second part in the analysis of the content of HTTP headers returned from Belgian websites. The first part describes what HTTP headers are and analyses the results of the network requests.

Disclosing HTTP headers is not going to make your site more vulnerable, nor is not disclosing them going to make your site more secure. But by leaking version information you basically give away your level of patch management, making it easier

Analyze HTTP headers (part 1)

This analysis on HTTP headers is separated into two different blog posts:

1. describing what HTTP headers are and analyzing the results of the network requests
2. analyzing the content of HTTP headers

The separation into two parts follows the logical sequence of steps I had to take to complete the investigation. First I had to map the network and interpret those results, and then dive deeper into the returned HTTP header results.

Note that

Query Arbor Peakflow API for connections

Recently I had to verify traffic in a netflow collector for connections to a list of interesting networks (networks suspected to serve malicious content or C&Cs). The netflow collector that was used was an Arbor Peakflow solution.

In Arbor you can browse the raw flows via Explore -> Forensics. This feature allows you to look for specific traffic based on an FCAP filter.
