Skip to content
This repository has been archived by the owner on Nov 28, 2023. It is now read-only.

Latest commit

 

History

History
645 lines (235 loc) · 3.79 KB

周正虎-金融企业威胁情报建设历程与运营实践.pdf.md

File metadata and controls

645 lines (235 loc) · 3.79 KB
Raw

CONTENTS

01 02 03 04 05 Q&A

01

360+xz+cve...

(ET pro+sigma)

+...

3

2 Github +

45

HashVirustotal+Sandbox

6

7

1 IOC +

8

IP sinkhole scanner

Cybersecurity Framework

IDENTIFY

The NIST Cybersecurity Framework

PROTECT

DETECT RESPONSE RECOVER

2

3

8b

4

1 5 6 8a

7

7

https://www.nist.gov/cyberframework

02

(

(

· · · · · · · ·...

Github

· · ·

Repo · Github ·

Repo · repo ... · ""

·

https://github.com/0xbug/Hawkeye

(

... XX () xx ......

1 2 3

( && (\)

(

    ...

https://github.com/C4o/ChineseDarkWebCrawler

(

NLP · · · ·

TVMThreat and Vulnerability Management

https://github.com/toolswatch/vFeed

(

Jira:

0

jira[]

2 3

1 jira Jira:

7

5 jira[] 4

6 1 Jira:

IOC

Threatbook

· CIF v3 30+ · VirusTotalpdns sandboxrelationship · SHODAN (rdnsporttagdevice type) · Greynoisetag

https://github.com/csirtgadgets/bearded-avenger https://viz.greynoise.io/

IOC Hash DomainIP ... IP C2:-> P2P:Bot,p2p(

DownloaderC2... : AA Botnet ...

category:malware

IOC

F H 1 D

3 Domain

IP IOC

IOC

IOC

IP

H 2

Hash & Family

PORT & PROTOCOL IP

IOC : 1. ! /hunting 2.() IP:185.242.162.159 Port:81 Protocol:tcp Request:null Response:BF7CAB464EFB

&

Hunting

IOC

IOC

Hash

Hash

hash

PUP

Osquery IOC Sysmon Hash

IOC ip domain

IOC (/)

bro-dns

IP IP

sysmon osquery

hash

proc_calltrace

hash

IOC

Sinkhole IOC ...

Hash

Hash list

Virustotal

Hash

Hash

IOC

  1. IOC dorkbot sinkholedorkbot
  2. dnspdns DGA IP204.95.99.243 pdns
  3. 204.95.99.243 dorkbot C2 DGA sinkhole

sysmon event_id:3204.95.99.243 mspaint.exe 3720 calc.execalc.exe mspaint.exe ,calc.exe,3720

ET pro

Suricata-update

scirius

Suricata Suricata 1Scirius 2rule 3 4

suricata

DMZ suricata

suricata

suricata

suricata

...

https://github.com/StamusNetworks/scirius https://github.com/OISF/suricata-update

Hash

Anti-Virus

Github apikey

EDR Sandbox (+)

VirusTotal API

Hash

no

Yes

PUP

Yes

no

EDR

malware

https://github.com/malicialab/avclass

· VS VS · DMZ · Raspberry Pi · /MHN+p0f · ""(ARPIP...) · ()

Sinkhole IP

Sinkhole IP Sinkhole IP

· PDNS Domains · rdns hostname · 80/443 http header /location · TLS Certificate Chain · DNSname response · Whois info (email&register) ...

IOC

Domain sinkhole IP 130+

: SinkMiner: Mining Botnet Sinkholes for Fun and Profit

IP Sinkhole IP https://sinkdb.abuse.ch/ https://github.com/brakmic/Sinkholes

Scanner

Scanner IP

· rdns hostname · 80/443 http resp · Whois info (email&register) · ...

scanner IP2600+ :25

ipip pdrlabs shodan sonar cybergreen stretchoid probethenet pingdom team cymru censys exposure monitoring pingzapper netcraft university of new mexico quadmetrics ampere innotech binaryedge Shadowserver ...

Scanner

IP

IP Botnet IP

IP

Github...

payload XSS /UAF...

IT / ...

...

()

... · IP +

·

·

"

...

· ·

· URL

"

·

Shodan... · API ...

Wifi...

C

P

U

O S &

https://github.com/p1r06u3/opencanary_web

() Metasploit Cobalt Strike BeEF Veil Shellter Avet Cobalt Strike log

03

SOAR

SOAR SOAR(Security Orchestration, Automation, and Response,)

· · ·

· · ·

· · ·

  ( )  (/

04

C2

1 Cobalt Strike Email DLL C:\..wwlib.dll 149.abc.xyz.mn:443 Server:China_Baiker url_path:Rhp2

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

· IP(). V.S. · "" IOC · ""

· "" · IP ·

!?

05 Q&A