StreamAlert & Phantom – Part 1

I’m going to continue with the osquery & StreamAlert scenario found here. I went ahead and created a StreamAlert output handler for Phantom: link Phantom Configuration The phantom configuration is pretty straightforward.  A “REST Asset” needs to be created in order for events to be consumed. 1. Define the asset name, product vendor, and product […]

osquery & StreamAlert – Part 1

I’ve recently come across some open source tools that relieve some of the burdens of security engineering. For many organizations, the traditional SIEM/logger infrastructure requires a significant amount of time, effort and expertise, resulting in an “infrastructure creep” that plagues many engineers.  Its not uncommon to find a dedicated engineer devoted to maintaining the architecture for […]

badfile.exe – Part 5 – Buffer Overflow

Now that we’ve discovered the password and both of the secrets, lets see if we can break the program to execute some shellcode. You’ll find that the program will consistently crash if a string longer than ~60 characters is entered for the password.  More importantly, it is failing because we are overflowing a buffer, and […]

badfile.exe – Part 3 – Behavioral/Static Analysis

So far, we have discovered that interacting with the web server hosted at 104.236.149.39 will reveal a bunch of random bytes, which actually represent a Windows executable file.  It would be reasonable to assume that the communication with this web server was initiated by a malware downloader (not to be confused with a dropper). In […]

badfile.exe – Part 1 – Suspicious Activity

We begin with a packet capture of an administrator’s device.  Odd connection attempts (which were unsuccessful) were made to a particular website.  These attempts were not initiated by the user. The PCAP in question can be downloaded here. See if you can find the following: What’s the IP address of the system that captured the […]