lectures for dynamic analysis

LabSetup/UbuntuAnalysis/Vagrantfile

@@ -28,7 +28,7 @@ Vagrant.configure("2") do |config|
 
   # set the SSH forwarded port.
   # If you need this port for something else, change it  
-  config.vm.network "forwarded_port", id: "ssh", host: 2222, host_ip: "127.0.0.1", guest: 22
+  config.vm.network "forwarded_port", id: "ssh", host: 2223, host_ip: "127.0.0.1", guest: 22
 
   # Create a forwarded port mapping which allows access to a specific port
   # within the machine from a port on the host machine and only allow access

LabSetup/UbuntuAnalysis/tools.sh

@@ -1,5 +1,15 @@
 #!/bin/bash
 
+GHIDRA_SHA256=f1f240f91cf6b1dffc9a4148384ee3c6b269a8ae27c6f981577973e00043ad94
+GHIDRA_RELEASE=https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.0_build/ghidra_11.0_PUBLIC_20231222.zip
+GHIDRA_VERSION=11.0
+GHIDRATHON=https://github.com/mandiant/Ghidrathon/archive/refs/tags/v3.0.2.zip
+GHIDRATHON_VERSION=3.0.2
+
+PE_BEAR_RELEASE=https://github.com/hasherezade/pe-bear/releases/download/v0.6.7.3/PE-bear_0.6.7.3_qt5.15_x64_linux.tar.xz
+
+GRADLE_VERSION=8.5
+
 # install compiler, gpg, other utilities 
 sudo apt-get install -y build-essential mingw-w64 gpg wget zsh git curl tmux  unzip 
 sudo apt-get install -y nasm
@@ -36,47 +46,58 @@ sudo systemctl disable inetsim
 
 # PE-bear
 wget https://github.com/hasherezade/pe-bear/releases/download/v0.6.1/PE-bear_0.6.1_qt5.14_x64_linux.tar.xz
-tar xfv PE-bear_0.6.1_qt5.14_x64_linux.tar.xz
-sudo mv PE-bear /usr/local/bin/
+wget $PE_BEAR_RELEASE -O /tmp/pebear.tar.xz
+tar xfv /tmp/pebear.tar.xz
+sudo mv /tmp/PE-bear /usr/local/bin/
 
 ## Cleanup artifacts
 rm capstone_LICENSE.TXT
 
-
-
 # install python 
 sudo apt-get install -y python3-pip python3-venv
 
 # install ghidra
 
 sudo apt-get install -y openjdk-17-jdk openjdk-17-jre
-wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.2_build/ghidra_10.2.2_PUBLIC_20221115.zip
-unzip ghidra_10.2.2_PUBLIC_20221115.zip
+GHIDRA_OUT="$HOME/ghidra_$GHIDRA_VERSION.zip"
+GHIDRA_DIR="$HOME/ghidra_${GHIDRA_VERSION}_PUBLIC"
+wget $GHIDRA_RELEASE -O $GHIDRA_OUT
+HASH=$( sha256sum $GHIDRA_OUT| awk '{ print $1 }')
+
+unzip $GHIDRA_OUT
 
-export GHIDRA_RUN=$HOME/ghidra_10.2.2_PUBLIC/ghidraRun
+export GHIDRA_RUN=$GHIDRA_DIR/ghidraRun
 chmod +x  $GHIDRA_RUN
 
 echo "export PATH=\$PATH:$(pwd)/ghidra_10.2.2_PUBLIC/" >> ~/.bashrc
+
 ## install ghidrathon
-sudo add-apt-repository -y  ppa:cwchien/gradle
-sudo apt-get install -y gradle 
-git clone https://github.com/mandiant/Ghidrathon.git
+#sudo add-apt-repository -y  ppa:cwchien/gradle
+#sudo apt-get install -y gradle 
+#git clone https://github.com/mandiant/Ghidrathon.git
+
+
+wget https://services.gradle.org/distributions/gradle-${GRADLE_VERSION}-bin.zip -P /tmp 
+sudo unzip -d /opt/gradle /tmp/gradle-${GRADLE_VERSION}-bin.zip
+sudo ln -s /opt/gradle/gradle-${GRADLE_VERSION} /opt/gradle/latest
+export GRADLE_HOME=/opt/gradle/latest
+export PATH=${GRADLE_HOME}/bin:${PATH}
 
+
+wget $GHIDRATHON -O ghidrathon.zip 
+unzip ghidrathon.zip
 ### create virtual env 
 python3 -m venv ghidra_env
 
 ### activate env
 source ghidra_env/bin/activate
 
-cd $HOME/Ghidrathon/
-gradle -PGHIDRA_INSTALL_DIR=$HOME/ghidra_10.2.2_PUBLIC
+cd "$HOME/Ghidrathon-$GHIDRATHON_VERSION"
+
+gradle -PGHIDRA_INSTALL_DIR="$HOME/ghidra_${GHIDRA_VERSION}_PUBLIC"
 cd $HOME
-cp $HOME/Ghidrathon/dist/*.zip $HOME/ghidra_10.2.2_PUBLIC/Extensions/Ghidra/
+cp $HOME/Ghidrathon-$GHIDRATHON_VERSION/dist/*.zip $GHIDRA_DIR/Extensions/Ghidra/
 
-### Optional: install Dark mode for Ghidra
-git clone https://github.com/zackelia/ghidra-dark.git
-python3 ghidra-dark/install.py --path $HOME/ghidra_10.2.2_PUBLIC/
-
 
 # Tools from Remnux that are handy 
 wget https://raw.githubusercontent.com/REMnux/distro/master/files/mynic
@@ -89,4 +110,4 @@ chmod +x accept-all-ips
 sudo mv accept-all-ips /usr/local/bin/
 
 # tor ,  wireguard 
-sudo apt-get install -y tor  
+sudo apt-get install -y tor  

LabSetup/WindowsSandbox/Vagrantfile

@@ -62,7 +62,7 @@ Vagrant.configure("2") do |config|
 
     vb.customize ["modifyvm", :id, "--vram", "128"]
     vb.customize ['modifyvm', :id, '--graphicscontroller', 'VBoxSVGA']
-    vb.customize ["modifyvm", :id, "--accelerate3d", "on"]
+    #vb.customize ["modifyvm", :id, "--accelerate3d", "on"]
 
     # enable sound output 
     vb.customize ["modifyvm", :id, "--audio", "pulse", "--audiocontroller", "hda"]

ObsidianVault/Slides/Lectures/0x01 Basics of Real Life Threat Analysis.md

@@ -41,7 +41,7 @@ Learning an entirely new language
 :::
 
 ::: left
-<!-- element style="font-size: 24px"-->
+<!-- element style="font-size: 26px"-->
 - Specialist language facilitates precise communication about complex topics.
 - Infosec is full of technical jargon and corporate speak.
 - It is also full of marketing teams that make up their own jargon.
@@ -60,9 +60,9 @@ Learning an entirely new language
 :::
 
 ::: left
-<!-- element style="font-size: 20px"-->
+<!-- element style="font-size: 24px"-->
 - Unfortunately, unlike Mathematics, there really isn’t a single  (trustworthy!) authority for definitions. 
-- There are efforts in place to standardize vocabulary, but you will likely have context dependent jargon depending on where you work.
+- There are efforts in place to standardize vocabulary, but you will likely have context dependent jargon based on where you work.
 
 :::
 
@@ -96,7 +96,7 @@ Learning an entirely new language
 - Infosec evolves rapidly.
 - Many people (myself included) constantly feel like they are  behind the curve and playing catch up
 - Marketers capitalize on this to make you feel out of the loop :smile:
-
+- spend $>0$ time at a con booth to suffer
 
 :::
 
@@ -126,7 +126,6 @@ Learning an entirely new language
 :::
 
 <!-- element style="font-size: 24px"-->
-
 #### [[Malware]]
 Unwanted, malicious software. 
 - It has a bunch of definitions, and can get very meta.
@@ -150,10 +149,21 @@ Crowdstrike’s  EDR malware?
 - Exfiltrate : get data out of the computer 
 - Process Manipulation: start, list, modify, and kill processes
 - External Messaging: communicate with an 
-externa server
+external server
 - Are these indicators of a malicious program? 
 
+---
+<!-- slide template="[[Base Slide]]" -->
+::: title
+#### Common activities performed by malware 
 
+:::
+##### TLDR Malware interacts with
+- File system
+- Processes
+- Various system resources
+
+Is malware the only one?
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
@@ -162,6 +172,9 @@ externa server
 
 ::: left
 <!-- element style="font-size: 24px"-->
+- Collect information about running processes
+- Usage statistics
+
 This seems suspicious. Is it malware?
 
 
@@ -183,18 +196,16 @@ This seems suspicious. Is it malware?
 
 ::: left
 <!-- element style="font-size: 24px"-->
-- The line between analytics and marketing and spyware can get 
-blurred
- pretty quickly
-
+- The line between analytics and marketing and spyware can get blurred pretty quickly
+- Surveillance is usually legal 
+
 :::
 
 ::: right
 ![[0x01_slide_11_image.png|300]]
 
 
 :::
-
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
@@ -218,6 +229,21 @@ messaging
 
 :::
 
+---
+<!-- slide template="[[Split Vertical]]" -->
+::: title
+ #### Google Gsuite? 
+:::
+
+::: left 
+<!-- element style="font-size: 24px"-->
+- Gsuite logs IP address of where you logged in
+- It stores all of your google searches
+- "User log events"
+:::
+::: right 
+![[google-jerry.png]]
+:::
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
@@ -312,8 +338,9 @@ https://twitter.com/__winn
 
 :::
 
-<!-- element style="font-size: 24px"-->
+<!-- element style="font-size: 28px"-->
 - Malware: Unwanted, malicious software.
+	- Context is essential
 - Threat Hunting: Searching environments to detect and isolate malicious activity.
 
 ---
@@ -322,7 +349,7 @@ https://twitter.com/__winn
 #### Types of Threat Hunting 
 :::
 - Analysis/Detection of new malicious activity, creating detection rules, attribution. 
-- Attribution: attacker environments, and/or emulation of real malicious activity. 
+- Attribution: understanding attacker environments. 
 
 ---
 <!-- slide template="[[Base Slide]]" -->
@@ -405,12 +432,12 @@ usually associated with Government actors, but any actor conducting cyber operat
 ---
 <!-- slide template="[[Base Slide]]" -->
 ::: title
-#### Advanced Persistant Threats (APTs)
+#### Advanced Persistent Threats (APTs)
 :::
 
 <!-- element style="font-size: 24px"-->
 - Large criminal groups  often with tacit government approval/protection 
-	-  Fin6, Emotet, IceID, Dridex
+	-  Fin6, Emotet, IceID, Dridex, Conti
 - Cyber Mercenaries / Contractors 
 	- (APT3 -> Hacking Team, Boyusec, Appin Security, Positive Technologies, NSO Group )
 - Government Intelligence Agencies 
@@ -434,7 +461,7 @@ usually associated with Government actors, but any actor conducting cyber operat
 :::
 
 <!-- element style="font-size: 26px"-->
-- Activism: DDoS attacks to shut down Nazi sites, defacing government websites
+- Activism: DDoS attacks to shut down Nazi sites. Hack and leak of Hacking Team
 - Crime/\$: Ransomware, stealing credentials, installing coin miners
 - Espionage/ Computer Network Exploitation (CNE): commercial vs. geopolitical -> stealing Intellectual Property / state secrets
 - “Warfare"/ Computer network Attack (CNA):  Shutting down a country’s internet, disrupting power grids, making nuclear centrifuges spin too fast, etc. 
@@ -491,7 +518,8 @@ Benefit:  intel/counterintel
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
- #### Example 2: Twitter hack
+ #### Example: Twitter hack
+
 :::
 
 ::: left
@@ -515,7 +543,7 @@ Benefit: Ego + Money
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
- #### Example 3: Monitoring 
+ #### Example: Monitoring 
 :::
 
 ::: left
@@ -526,6 +554,7 @@ Organization
 - Benefit: 
 surveillance
 - Is “Find my friend” Malware?
+- Exam monitoring software?
 - What happens if someone compromises GoGuardian?
 
 
@@ -541,7 +570,7 @@ surveillance
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
-#### Example 4: Stalkerware
+#### Example: Stalkerware
 :::
 ::: left
 <!-- element style="font-size: 24px"-->
@@ -558,14 +587,15 @@ We don't need to wonder...
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
- #### Example 5: Jamal Khashoggi Assasination
+ #### Example: Jamal Khashoggi Assasination
 :::
 
 ::: left
 <!-- element style="font-size: 24px"-->
 - Target: Individual(s) 
 Attacker: Foreign Government +  Mercenary 
 - Benefit: Political
+
 :::
 
 ::: right
@@ -577,7 +607,7 @@ Attacker: Foreign Government +  Mercenary
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
- #### Example 6: Advertising 
+ #### Example: Advertising 
 :::
 
 ::: left
@@ -594,6 +624,23 @@ Attacker: Foreign Government +  Mercenary
 
 
 :::
+
+
+
+---
+<!--slide template="[[Split Vertical]]"-->
+::: title
+#### Recent example
+:::
+::: left
+<!-- element style="font-size: 28px"-->
+- Data broker collected geolocation of users
+- Did so by bundling SDK into legitimate apps
+:::
+
+::: right
+![[xmode-banned.png]]
+:::
 ---
 <!--slide template="[[Title Slide]]"-->
  Make no mistake, digital marketing companies have impressive surveillance capabilities
@@ -602,7 +649,7 @@ Attacker: Foreign Government +  Mercenary
 ---
 <!-- slide template="[[Split Vertical]]" -->
 ::: title
- #### Example 7: Opportunistic Mass Exploitation
+ #### Example: Opportunistic Mass Exploitation
 :::
 
 ::: left
@@ -944,7 +991,7 @@ I like to think of this as “what playbooks does this specific actor use”?
 - Indicators of Compromise (IOCs):
  sets of forensic data found when malicious activity occurs. (IPs / domains of a C2 server, hash values of malware, email accounts of phishing email senders..etc)
 - Hash value:
- the unique fingerprint of a single file 
+ the unique(ish) fingerprint of a single file 
 - IP address: 
 the address of a computer on a network.
 - Domain Name: