CONTENTS
01 02 03 04 05 Q&A
01
360+xz+cve...
(ET pro+sigma)
+...
3
2 Github +
45
HashVirustotal+Sandbox
6
7
1 IOC +
8
IP sinkhole scanner
Cybersecurity Framework
IDENTIFY
The NIST Cybersecurity Framework
PROTECT
DETECT RESPONSE RECOVER
2
3
8b
4
1 5 6 8a
7
7
https://www.nist.gov/cyberframework
02
(
(
· · · · · · · ·...
Github
· · ·
Repo · Github ·
Repo · repo ... · ""
·
https://github.com/0xbug/Hawkeye
(
... XX () xx ......
1 2 3
( && (\)
(
...
https://github.com/C4o/ChineseDarkWebCrawler
(
NLP · · · ·
TVMThreat and Vulnerability Management
https://github.com/toolswatch/vFeed
(
Jira:
0
jira[]
2 3
1 jira Jira:
7
5 jira[] 4
6 1 Jira:
IOC
Threatbook
· CIF v3 30+ · VirusTotalpdns sandboxrelationship · SHODAN (rdnsporttagdevice type) · Greynoisetag
https://github.com/csirtgadgets/bearded-avenger https://viz.greynoise.io/
IOC Hash DomainIP ... IP C2:-> P2P:Bot,p2p(
DownloaderC2... : AA Botnet ...
category:malware
IOC
F H 1 D
3 Domain
IP IOC
IOC
IOC
IP
H 2
Hash & Family
PORT & PROTOCOL IP
IOC : 1. ! /hunting 2.() IP:185.242.162.159 Port:81 Protocol:tcp Request:null Response:BF7CAB464EFB
&
Hunting
IOC
IOC
Hash
Hash
hash
PUP
Osquery IOC Sysmon Hash
IOC ip domain
IOC (/)
bro-dns
IP IP
sysmon osquery
hash
proc_calltrace
hash
IOC
Sinkhole IOC ...
Hash
Hash list
Virustotal
Hash
Hash
IOC
- IOC dorkbot sinkholedorkbot
- dnspdns DGA IP204.95.99.243 pdns
- 204.95.99.243 dorkbot C2 DGA sinkhole
sysmon event_id:3204.95.99.243 mspaint.exe 3720 calc.execalc.exe mspaint.exe ,calc.exe,3720
ET pro
Suricata-update
scirius
Suricata Suricata 1Scirius 2rule 3 4
suricata
DMZ suricata
suricata
suricata
suricata
...
https://github.com/StamusNetworks/scirius https://github.com/OISF/suricata-update
Hash
Anti-Virus
Github apikey
EDR Sandbox (+)
VirusTotal API
Hash
no
Yes
PUP
Yes
no
EDR
malware
https://github.com/malicialab/avclass
· VS VS · DMZ · Raspberry Pi · /MHN+p0f · ""(ARPIP...) · ()
Sinkhole IP
Sinkhole IP Sinkhole IP
· PDNS Domains · rdns hostname · 80/443 http header /location · TLS Certificate Chain · DNSname response · Whois info (email®ister) ...
IOC
Domain sinkhole IP 130+
: SinkMiner: Mining Botnet Sinkholes for Fun and Profit
IP Sinkhole IP https://sinkdb.abuse.ch/ https://github.com/brakmic/Sinkholes
Scanner
Scanner IP
· rdns hostname · 80/443 http resp · Whois info (email®ister) · ...
scanner IP2600+ :25
ipip pdrlabs shodan sonar cybergreen stretchoid probethenet pingdom team cymru censys exposure monitoring pingzapper netcraft university of new mexico quadmetrics ampere innotech binaryedge Shadowserver ...
Scanner
IP
IP Botnet IP
IP
Github...
payload XSS /UAF...
IT / ...
...
()
... · IP +
·
·
"
...
· ·
· URL
"
·
Shodan... · API ...
Wifi...
C
P
U
O S &
https://github.com/p1r06u3/opencanary_web
() Metasploit Cobalt Strike BeEF Veil Shellter Avet Cobalt Strike log
03
SOAR
SOAR SOAR(Security Orchestration, Automation, and Response,)
· · ·
· · ·
· · ·
( ) (/
04
C2
1 Cobalt Strike Email DLL C:\..wwlib.dll 149.abc.xyz.mn:443 Server:China_Baiker url_path:Rhp2
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
· IP(). V.S. · "" IOC · ""
· "" · IP ·
!?
05 Q&A