CobaltStrike data with passiveSSL

Today, FoxIT published a blog post with a GitHub repository listing potential CobaltStrike servers for the last few years.

I was interested in the data so I processed the data with my osint-timesketch scripts to add passiveDNS and passiveSSL data. I only took the IPs that were last seen >2019 to not create too much data.

Adding it to Timesketch was pretty straightforward:

sudo tsctl csv2ts -f output_cobalt.csv --name cobalt_strike
Indexing progress: 23000 events
Total events: 23650

Some quick findings: after searching for "google" I discovered several weird certificates, among them:

Some weird things: safebrowsing(.)net is not owned by Google, and the IP for that certificate, according to Virustotal https://www.virustotal.com/#/ip-address/204.154.199.184, is resolving to microsoftapis(.)com – for sure nothing good.

Some other funny things were found by a quick look…

Hack me if you can

Happy Hacker fake CA

This outlines the importance of:

  • Share the data (kudos FoxIT!)
  • Provide researchers access to data sets (thx to CIRCL and Virustotal!)

My dataset is available on github.

Bitcoin transaction in timelines

Investigating bad people might involve bitcoin; the blockchain technology is very popular among criminals, as it is easy to use and „untraceable“ [1]. E.g. in most ransomware cases like „Ryuk“ [2] the company Crowdstrike has listed several bitcoin wallets that they attribute to the threat actor.

How can that information help your investigation / your intelligence gathering? In certain ways, you could track your own wallets for transactions to these wallets. Another aspect, which this blog post will cover, is the timeline aspect of it.

As bitcoin transactions make use of the blockchain, which is public by design, it is possible to:

  • tell, how many bitcoins a certain wallet currently holds
  • see transactions from the past

The second aspect is what I want to focus on, because if we have a look at the transactions, we might be able to identify the point in time a certain group was active and enhance our other DFIR activities enriched with that information. The transaction log is like your journal of your bank account, it tells basically who is transferring money to a wallet and where the bitcoins are transferred to.

In the example above, the bitcoin wallets we are interested in are the ones listed in the Crowdstrike blog post [2].


Source of transaction information

There is a whole bunch of public webpages that give the transaction history for a given wallet, but as it should be an automated step, the goal is to have a page with an API. After some searching I found: https://chain.so/api .

Making the call

Doing the API call to get transaction information is pretty simple:

GET /api/v2/address/{NETWORK}/{ADDRESS} 

That will give you the following information

{
  "status": "success",
  "data": {
    "network": "DOGE",
    "address": "DM7Yo7YqPtgMsGgphX9RAZFXFhu6Kd6JTT",
    "balance": "31.03885339",
    "received_value": "25828731.93733507",
    "pending_value": "0.0",
    "total_txs": 225,
    "txs": [ ... ]
  }
}

Which is exactly what we need, with some Python JSON parsing, it is easy to get the info we want – the code I am using is available on https://github.com/deralexxx/osint_to_timesketch

After that we have a CSV with the date the transaction happened, the raw information from the API and some meta data, enough to bake into a timeline.
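The parsing step sketched as an added example (not the code from the osint_to_timesketch repository): it turns a response of the shape shown above into Timesketch-style CSV rows. The fields inside "txs" (`txid`, `time` as Unix seconds, `incoming`/`outgoing` with a `value`) and the wallet placeholder are assumptions for illustration.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample response. The per-transaction fields are assumed,
# the address is a placeholder and the txids are dummy values.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {
        "network": "BTC",
        "address": "EXAMPLE_WALLET_ADDRESS",
        "total_txs": 2,
        "txs": [
            {"txid": "bb" * 32, "time": 1534586400, "outgoing": {"value": "24.99"}},
            {"txid": "aa" * 32, "time": 1534500000, "incoming": {"value": "25.0"}},
        ],
    },
})

FIELDS = ["datetime", "timestamp", "timestamp_desc", "message", "txid", "raw"]


def response_to_events(raw_json):
    """Return one timeline event per transaction direction, oldest first."""
    body = json.loads(raw_json)
    if body.get("status") != "success":
        raise ValueError("API call did not succeed: %r" % body.get("status"))
    data = body["data"]
    events = []
    for tx in data.get("txs", []):
        seconds = int(tx["time"])
        when = datetime.fromtimestamp(seconds, tz=timezone.utc)
        for direction in ("incoming", "outgoing"):
            if direction not in tx:
                continue
            events.append({
                "datetime": when.strftime("%Y-%m-%dT%H:%M:%S+0000"),
                # Epoch milliseconds, the unit used in the Timesketch CSV
                # shown in the Autotimeliner section of this page.
                "timestamp": seconds * 1000,
                "timestamp_desc": "%s transaction %s" % (data["network"], direction),
                "message": "%s %s %s %s" % (data["address"], direction,
                                            tx[direction]["value"], data["network"]),
                "txid": tx["txid"],
                # Keep the raw API record so an analyst can re-check it later.
                "raw": json.dumps(tx, sort_keys=True),
            })
    return sorted(events, key=lambda e: e["timestamp"])


def events_to_csv(events):
    """Serialise events with every field quoted so the raw JSON cannot break the import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(events)
    return out.getvalue()


if __name__ == "__main__":
    print(events_to_csv(response_to_events(SAMPLE_RESPONSE)))
```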

Automation

The script is already made to output CSV files ready for importing them into Timesketch, as I found it to be the ideal tool to work with data points related to timestamps. Importing the CSV is straightforward and explained in the official documentation page [3].

The timeline csv looks like the following:

CSV of BTC history

Making it pretty

Importing it into Timesketch, the timeline looks very nice:

BTC transactions in Timesketch

Added Value

Now what is the added value for investigations? The above is another layer of data points / evidence. It can be used to weight or limit findings in your organisation: e.g. you assume you are hit by a phishing campaign; if your phishing campaign was seen a lot earlier or a lot later than the transactions above display, it is unlikely you are hit by the same campaign. It can also be used to make a case against individuals if enriched by host forensics – your imagination is the limit.

End

I hope the article is helpful and the scripts can be used. Let me know via comments within the blog, issues on GitHub or Twitter messages https://twitter.com/alexanderjaeger if you have any questions or improvements.

Thx for reading

Further reading / references

  • [1] http://www.sciencemag.org/news/2016/03/why-criminals-cant-hide-behind-bitcoin
  • [2] https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • [3] https://github.com/google/timesketch/blob/master/docs/CreateTimelineFromJSONorCSV.md

Autotimeliner to CyberChef to Timesketch

As you might know, I love to combine several open source tools to get things done. One thing I wanted to play with for some weeks is Autotimeliner by Andrea Fortuna. This tool is made to extract events from a memory image and combine them into a timeline. If you have a timeline, what comes next? Of course, putting it into Timesketch. So let’s give it a try.

We start with a memory dump from a Stuxnet infection from https://github.com/ganboing/malwarecookbook. Download the four files, extract them and you are good to go.

Prerequisites

Volatility

Installation is pretty easy, install Volatility either via pre-compiled binary or install it manually, see the Volatility installation wiki for further information.

Test it by running:

vol.py -v

Sleuthkit

To install sleuthkit run:

brew install sleuthkit

or

sudo apt-get install sleuthkit

Installation Autotimeliner

Simply clone the GitHub repository:

git clone https://github.com/andreafortuna/autotimeliner.git

Run it

python autotimeline.py -f /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem -p WinXPSP2x86 -t 2009-10-20..2018-10-21

That might take some time depending on your hardware.

Now you have a CSV file of around 5.6 MB.


                _     _______ _                _ _
     /\        | |   |__   __(_)              | (_)
    /  \  _   _| |_ ___ | |   _ _ __ ___   ___| |_ _ __   ___ _ __
   / /\ \| | | | __/ _ \| |  | | '_ ` _ \ / _ \ | | '_ \ / _ \ '__|
  / ____ \ |_| | || (_) | |  | | | | | | |  __/ | | | | |  __/ |
 /_/    \_\__,_|\__\___/|_|  |_|_| |_| |_|\___|_|_|_| |_|\___|_|

- Automagically extract forensic timeline from volatile memory dump -

Andrea Fortuna - andrea@andreafortuna.org - https://www.andreafortuna.org

*** Processing image /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem
-------
*** Using custom profile: WinXPSP2x86
*** Creating memory timeline......done!
*** Creating shellbags timeline......done!
*** Creating $MFT timeline......done!
*** Merging and filtering timelines......done!
Timeline saved in /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem-timeline.csv

The format used for the dates is not compatible with Timesketch:

more /Users/foobar/Downloads/stuxnet.vmem.zip/stuxnet.vmem-timeline.csv
Date,Size,Type,Mode,UID,GID,Meta,File Name
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,84995,"[MFT STD_INFO] Python26\Lib\SITE-P~1\setuptools-0.6c11-py2.6.egg-info\TOP_LE~1.TXT (Offset: 0x8a28c00)"
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,85000,"[MFT STD_INFO] Python26\Lib\SITE-P~1\SETUPT~1.EGG\DEPEND~1.TXT (Offset: 0x75e4000)"
Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84985,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.PY (Offset: 0x91b9400)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84986,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.MAN (Offset: 0x91b9800)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84987,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.EXE (Offset: 0x91b9c00)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84988,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.MAN (Offset: 0x1042f000)"
Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84989,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.PY (Offset: 0x1042f400)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84990,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.EXE (Offset: 0x1042f800)"
Tue Oct 20 2009 21:21:26,0,...b,---a-----------,0,0,66083,"[MFT STD_INFO] Documents and Settings\Administrator\Desktop\SysinternalsSuite\ZoomIt.exe (Offset: 0x1a8a5c00)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\Tools\DRIVER~1.EXE (Offset: 0x14b9c800)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\Tools\DriverList.exe (Offset: 0x14b9c800)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT STD_INFO] Program Files\NTCore\Explorer Suite\Tools\DRIVER~1.EXE (Offset: 0x14b9c800)"
Wed Oct 21 2009 18:25:52,780800,m...,---a-----------,0,0,65338,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\TASKEX~1.EXE (Offset: 0x14b1b800)"

So we need to adjust that. In the past, I used a self-developed Python script https://github.com/deralexxx/timesketch-tools/tree/master/date_converter for that, but that does not really scale, so I considered another option.

Cyberchef

An open source tool by GCHQ: https://gchq.github.io/CyberChef/

A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.

https://gchq.github.io/CyberChef/#about

Installation

git clone https://github.com/gchq/CyberChef

https://github.com/gchq/CyberChef/wiki/Getting-started

Now open it

From the CSV that was generated, use your favourite tool to extract the first column of the csv which should look like that:

Date
Tue Oct 20 2009 12:08:04
Tue Oct 20 2009 12:08:04
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 21:21:26
Wed Oct 21 2009 00:02:28

Now use the following CyberChef Recipe

Fork('\\n','\\n',false)
Translate_DateTime_Format('Automatic','','UTC','YYYY-MM-DDTHH:mm:ssZZ,x','UTC')

And paste them all into input. It will result in a file you can download with the output.

Now the output txt has two CSV columns, you need to combine them with your autotimeliner csv to have the following headers:

datetime	timestamp	timestamp_desc
2009-10-20T12:08:04+0000	1256040484000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:04+0000	1256040484000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline

Now the CSV should look like:

more stuxnet.vmem.zip/stuxnet.vmem-timeline_timesketch.csv 

datetime,timestamp,timestamp_desc,Date,Size,Type,Mode,UID,GID,Meta,message
2009-10-20T12:08:04+0000,1256040484000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,84995,[MFT STD_INFO] Python26\Lib\SITE-P~1\setuptools-0.6c11-py2.6.egg-info\TOP_LE~1.TXT (Offset: 0x8a28c00)
2009-10-20T12:08:04+0000,1256040484000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,85000,[MFT STD_INFO] Python26\Lib\SITE-P~1\SETUPT~1.EGG\DEPEND~1.TXT (Offset: 0x75e4000)
2009-10-20T12:08:06+0000,1256040486000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84985,[MFT STD_INFO] Python26\Scripts\EASY_I~1.PY (Offset: 0x91b9400)

There is one little caveat: you need to add double quotes ("") around the message, because some values might break the import process.

That can now be imported into Timesketch
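The same conversion can also be scripted in one pass; the block below is an added example (neither the CyberChef recipe nor the author's date_converter script) that produces the header layout shown above and quotes every field, which covers the caveat about the message column. Two sample rows are copied from the output above, the other two are constructed, and the dates are treated as UTC as in the recipe.

```python
import csv
import io
from datetime import datetime, timezone

IN_FORMAT = "%a %b %d %Y %H:%M:%S"  # e.g. "Tue Oct 20 2009 12:08:04"
PASSTHROUGH = ["Date", "Size", "Type", "Mode", "UID", "GID", "Meta"]
OUT_FIELDS = ["datetime", "timestamp", "timestamp_desc"] + PASSTHROUGH + ["message"]

# Rows 1-2 are copied from the autotimeliner output above. Rows 3-4 are
# constructed: a file name with a comma and quotes, and an unparsable date.
SAMPLE = r'''Date,Size,Type,Mode,UID,GID,Meta,File Name
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,85000,"[MFT STD_INFO] Python26\Lib\SITE-P~1\SETUPT~1.EGG\DEPEND~1.TXT (Offset: 0x75e4000)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\Tools\DriverList.exe (Offset: 0x14b9c800)"
Wed Oct 21 2009 18:25:52,0,m...,---a-----------,0,0,1,"[MFT STD_INFO] Temp\report, ""final"".txt (Offset: 0x0)"
not a date,0,m...,---a-----------,0,0,2,"[MFT STD_INFO] Temp\x.txt (Offset: 0x0)"
'''


def to_timesketch(src_text, timestamp_desc):
    """Convert autotimeliner CSV text; return (timesketch_csv_text, skipped_rows)."""
    reader = csv.DictReader(io.StringIO(src_text))
    out = io.StringIO()
    # QUOTE_ALL wraps every value in double quotes and doubles embedded ones,
    # so commas or quotes inside a file name cannot shift the columns.
    writer = csv.DictWriter(out, fieldnames=OUT_FIELDS,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    skipped = 0
    for row in reader:
        try:
            when = datetime.strptime(row["Date"], IN_FORMAT)
        except (TypeError, ValueError):
            skipped += 1  # count rows whose date cannot be parsed
            continue
        when = when.replace(tzinfo=timezone.utc)
        event = {name: row[name] for name in PASSTHROUGH}
        event["datetime"] = when.strftime("%Y-%m-%dT%H:%M:%S+0000")
        event["timestamp"] = int(when.timestamp()) * 1000  # epoch milliseconds
        event["timestamp_desc"] = timestamp_desc
        event["message"] = row["File Name"]
        writer.writerow(event)
    return out.getvalue(), skipped


if __name__ == "__main__":
    text, skipped = to_timesketch(SAMPLE, "stuxnet.vmem_Mem_Dump_Timeline")
    print(text)
    print("skipped rows:", skipped)
```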



Et voila, a timesketched Memory Dump

Combining Virustotal, PassiveSSL and Timesketch

Motivation

Playing with Timesketch for a while and working on some OSINT timelines, I was tired of investigating MD5s and domains / IPs all manually, so I tried to automate some of the work. Why is that important? If you have a list of hashes, domains and IPs, you of course can check your SIEM, EDR solution etc – but what if you have a hit? Would it benefit your investigation to at least have an idea of the timeframe something was used by attackers or seen in the wild?

Most shared indicators are lacking the timeframe, so we need to add those values by external information on our own.

Virustotal

There is no need to further explain Virustotal, it is basically a huge dataset of malware and information about domains and ips.

In particular information about a specific point in time a domain was seen to point to an IP and back is good to know to build your timeline.

E.g. if you have verymalicious.com pointing to 127.0.0.1 all the time and only on one day it was pointing to 1.2.3.4, hits in your infrastructure should be escalated with higher priority if seen during that day. Outside of that time window a hit might still be important, but not as urgent as during that day.
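The escalation rule from this example, written out as an added sketch (not part of the author's scripts). The passive DNS records and proxy hits are constructed; the field names `rrname`, `rdata`, `time_first` and `time_last` follow the Passive DNS common output format, with times already converted to datetimes for readability.

```python
import ipaddress
from datetime import datetime, timedelta, timezone


def utc(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed passive DNS observations modelling the example above: the
# domain is parked on 127.0.0.1 except for a single day on 1.2.3.4.
PDNS = [
    {"rrname": "verymalicious.com", "rdata": "127.0.0.1",
     "time_first": utc("2018-01-01 00:00"), "time_last": utc("2018-06-13 23:59")},
    {"rrname": "verymalicious.com", "rdata": "1.2.3.4",
     "time_first": utc("2018-06-14 00:00"), "time_last": utc("2018-06-14 23:59")},
    {"rrname": "verymalicious.com", "rdata": "127.0.0.1",
     "time_first": utc("2018-06-15 00:00"), "time_last": utc("2018-12-31 23:59")},
]

# Constructed hits, e.g. taken from proxy or DNS logs in your own SIEM.
HITS = [
    {"time": utc("2018-03-02 09:15"), "host": "ws-017", "domain": "verymalicious.com"},
    {"time": utc("2018-06-14 13:40"), "host": "ws-042", "domain": "verymalicious.com"},
    {"time": utc("2018-06-14 13:41"), "host": "ws-042", "domain": "unrelated.example"},
]


def is_routable(rdata):
    """True for a publicly routable IP; False for parked/loopback or non-IP rdata."""
    try:
        return ipaddress.ip_address(rdata).is_global
    except ValueError:
        return False  # rdata is not an IP address, e.g. a CNAME target


def triage(hit, pdns, slack=timedelta(0)):
    """Return (priority, active_ips) for one hit.

    slack widens each observation window to allow for clock drift or
    coarse first/last-seen values.
    """
    domain = hit["domain"].lower().rstrip(".")
    active = sorted({
        r["rdata"] for r in pdns
        if r["rrname"] == domain
        and r["time_first"] - slack <= hit["time"] <= r["time_last"] + slack
    })
    if not active:
        return "no-pdns-data", active
    live = [ip for ip in active if is_routable(ip)]
    return ("urgent", live) if live else ("review", active)


if __name__ == "__main__":
    for hit in HITS:
        priority, ips = triage(hit, PDNS)
        print(hit["time"].isoformat(), hit["host"], hit["domain"], priority, ips)
```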

In regards to hash intelligence, Virustotal is nice, because if you add the info, when the last scan date of a file was, you can at least tell, that the file was known after that day.

I asked Virustotal to add more information they already have to the API and we will have to wait until it is exposed:

  • First seen in the wild
  • First uploaded to VT
  • PE compile time

PassiveSSL

Alexandre Dulaunoy and Eireann Leverett gave a talk at the FIRST conference in Berlin back in 2015, which caught my attention, but it took some time until I really had time to implement something to use the idea.

The basic idea is that, out of several sources, passive ssl services such as CIRCL passiveSSL collect certificates and expose information via API.

For timeline analysis in particular, the following dates are important as they might shed some light on attacker activity:

  • first seen in the wild
  • last seen in the wild
  • not valid before
  • not valid after

If you now add all of the information above, you might be able to get a better idea, when an IP / Domain / File was active.

This information should then be fed into a Timesketch investigation.

Example

Using some sample data from APT33: https://github.com/deralexxx/osint-timelines/blob/master/2018/2018-12-21.OVERRULED:-Containing-a-Potentially-Destructive-Adversary-APT33.csv

Combining with the python script below with the following indicators:

basepack.org
103.236.149.124
5.79.66.241
8d3fe1973183e1d3b0dbec31be8ee9dd
fa7790abe9ee40556fb3c5524388de0b

Findings

Domains resolving to IPs

It is transparent when the hashes have been last scanned and which IPs resolve to the domains mentioned in the report.

The other thing is that right before some malware was mentioned by Fireeye in the report, SSL certificates became invalid:

SSL Certificate

Of course the individual SSL certificate can also be investigated:

Python

The example is available on github: https://github.com/deralexxx/osint_to_timesketch

Next steps

  • Waiting for VT to expose more things
  • Improve the script
  • Introduce multiple pDNS providers

Timesketch on a Raspberry Pi 3

TLDR

Does not work at the moment

Idea

Playing with Timesketch (timesketch.org) for a while I was wondering if it is possible to install Timesketch on a Raspberry Pi 3 to do some basic analysis, no heavy GB plaso imports and such.

A raspberry Pi is around 40 $, so pretty cheap and can be ordered almost everywhere on the planet, and you might already have some PIs from previous projects like:

I have also written about Timesketch and/or maintain the following GitHub repositories:

Basic installation

I used the Noobs Image to install the raspberry using a 128 GB Micro SD card to have enough storage.

Java

Trying to install Java will cause some Java issues because you need to install it manually, follow:

https://www.raspberrypi.org/forums/viewtopic.php?t=101543

sudo mv /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/arm/client /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/arm/server

Installing Elastic Search

Follow that article:

Installing Timesketch

Simple, SSH to your raspberry pi and follow:

Once Elasticsearch is installed:

vi /etc/elasticsearch/elasticsearch.yml

Add the following:

network.bind_host: 127.0.0.1

pycypher

This one is a bit tricky because it might fail with:

Collecting pycypher==0.5.9
Could not find a version that satisfies the requirement pycypher==0.5.9 (from versions: )
No matching distribution found for pycypher==0.5.9

Docker

https://medium.freecodecamp.org/the-easy-way-to-set-up-docker-on-a-raspberry-pi-7d24ced073ef

Docker-compose

sudo apt-get install docker-compose

So pycypher does kill the possibility to use Timesketch on a Raspberry Pi at the moment:

 Getting page https://www.piwheels.org/simple/pycypher/
  Looking up "https://www.piwheels.org/simple/pycypher/" in the cache
  Current age based on date: 30
  Freshness lifetime from request max-age: 600
  The response is "fresh", returning cached response
  600 > 30
  Analyzing links from page https://www.piwheels.org/simple/pycypher/
  Could not find a version that satisfies the requirement pycypher (from versions: )
Cleaning up...
No matching distribution found for pycypher

timesketch-tools

Overview

I am happy to say that a new tool made it to github called „timesketch-tools“.
It is basically a way to interact with Timesketch via CLI. For those who don’t know Timesketch, it is an amazing opensource tool developed by Johan Berggren and is used to create timelines for forensic investigations as well as incident response cases.

Reason

Back in 2017, Johan tweeted:

Why is the WebUi not enough? Well in some cases you might want to automate stuff, have no browser or other reasons, so it is not „Why“ but „why not“.

So I did during the last few days and built a client for it: timesketch-tools

Capabilities

At the moment only two methods do work, but it should be enough to show the power of it.

List sketches

timesketch-tools.py -ls
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
+-----+-----------------------------+
|  id |             Name            |
+-----+-----------------------------+
| 130 |     test1Untitled sketch    |
|  3  | The Greendale investigation |
+-----+-----------------------------+

Add event

timesketch-tools.py --add_events
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
Please provide the sketch id you want to add events to as (an integer): 3
Please provide informations to the event you would like to add timestamp, timestamp_desc, message will be promted

Timestamp (use Format: YYYY-mm-ddTHH:MM:SS+00:00 2018-01-15T10:45:50+00:00) use c for current time c
timestamp_desc this is the description
message something was hacked
Event added, ID: 18 Date:2018-10-31T14:49:41+00:00 timestamp desc this is the description messagesomething was hacked
Add another event? (y/n)n

I have a lot of ideas to improve, so expect some more functionality added soon…