Wednesday, June 12, 2024

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warning for the site, we're not including the actual hyperlink but it should be easy to find.


We did a quick analysis of this pcap on the NEW Security Onion 2.4.70. If you'd like to follow along, you can do the following:



The screenshots at the bottom of this post show some of the interesting alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware Analysis posts at:

https://blog.securityonion.net/search/label/quick%20malware%20analysis


About Security Onion


Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see:
https://securityonion.net


Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? Here are the top 5 reasons to purchase appliances from Security Onion Solutions: https://blog.securityonion.net/2023/08/top-5-reasons-to-purchase-security.html


Screenshots


First, we start with the overview of all alerts and logs:


Next, let's focus on just the alerts:


Drilling into the first alert, we see that they are occuring on a regular interval:


We can correlate those alerts to the corresponding HTTP logs to get a little more information:


Back at the alerts, let's drill into the "ET MALWARE Win32/SSLoad Payload Request (GET)" alerts:


We can then pivot to full packet capture to see the entire TCP stream:


We could then send the stream to CyberChef which would allow us to do more analysis or even carve the downloaded file out of the stream:


Back at the alerts, let's drill into the "ET INFO Dotted Quad Host DLL Request" alert:


Pivoting to PCAP, we can see the DLL file:


We can send the stream to CyberChef where we might look for interesting strings:


Back at Dashboards, let's look at the Zeek protocol metadata logs:


We'll start with the HTTP logs:


Then the DNS logs:


Next, we'll look at the SSL/TLS logs:


Zeek notices for invalid SSL certificates:


File metadata:


Files transferred over SMB:


x509 certificates seen in SSL/TLS traffic:


Browser User Agent strings seen in network traffic:


PE logs for Windows executables:


Zeek Weird logs showing protocol anomalies:


SMB mapping logs:


Connection logs including GeoIP information:






Wednesday, June 5, 2024

Security Onion Documentation printed book now updated for Security Onion 2.4.70!

We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for the recently released Security Onion 2.4.70!


Thanks to Richard Bejtlich for writing the inspiring foreword!


Proceeds go to the Rural Technology Fund!


This edition has been updated for Security Onion 2.4.70 and includes a 20% discount code for our on-demand training and certification!


This book covers the following Security Onion topics:


  • First Time Users
  • Getting Started
  • Security Onion Console (SOC)
  • Security Onion Desktop
  • Network Visibility
  • Additional Network Visibility
  • Host Visibility
  • Third Party Integrations
  • Rules
  • Logs
  • Updating
  • Accounts
  • Services
  • Customizing for Your Environment
  • Tricks and Tips
  • Utilities
  • Help



Q&A


What is the difference between this book and the online documentation?


This book is the online documentation formatted specifically for print. It also includes an inspiring foreword by Richard Bejtlich that is not available anywhere else! Proceeds go to the Rural Technology Fund! Finally, the printed book includes a 20% discount code for our on-demand training and certification.


Who should get this book?


You should get this book if you work on airgap networks or simply want a portable reference that doesn't require an Internet connection or batteries! Also anyone who wants to donate to a worthy cause like Rural Technology Fund!


What is the difference between this edition and the previous edition?


This edition has been updated for Security Onion 2.4.70!


Where do we get it?


https://securityonion.com/book


Tuesday, June 4, 2024

Wednesday, May 29, 2024

Security Onion 2.4.70 now available including our new Detections interface and much more!

Security Onion 2.4.70 is now available! It includes some new features for our fellow defenders including our new Detections interface to help you take your detection engineering capabilities to the next level!


Security Onion is a cybersecurity platform built by defenders for defenders. For this release, we spent several MONTHS thinking through the defender workflow specifically around detection engineering. This resulted in a new interface called Detections that makes it super simple to tune your NIDS rules for Suricata, Sigma rules for ElastAlert, and YARA rules for Strelka.


We recently shared a sneak peek at Detections and you can find that video here:
https://youtu.be/oxR4q53N6OI


Since that sneak peak video, Detections has gotten even better! 


Let's walk through the interface. First, we start with the main Detections page:



The upper-right corner shows a count of detections that matched the search query. To the left of that is a status indicator for each of the detection engines. The status can show whether a sync is in process, as well as whether the engine has detected errors. Clicking the status text will navigate to Hunt and attempt to find related logs.


The Detections menu option on the left side of the application will show an exclamation mark if there is a recent failure in any of the detection engines. In this situation the web browser tab will also show an exclamation indicator. If no failures are detected, and if any of the detection engines has an import pending or is performing a rule import, synchronization, or migration, then a blue hourglass will appear next to the Detections menu option.


The Options menu allows you to synchronize a particular detection engine such as ElastAlert, Strelka, or Suricata:


Once you’ve selected the detection engine that you want to synchronize, you can then click either the DIFFERENTIAL UPDATE or FULL UPDATE button:

  • The differential update is a lightweight sync that will skip the thorough sync and comparison of each individual rule. For example, with Suricata it will compute and compare the hash of the source rule list with the hash of the deployed rules, and only if there’s a mismatch will it perform the full sync.
  • A full sync can involve inspecting and comparing individual rules, of which there can be thousands. This more thorough sync can take much longer than the differential sync. Note that each engine has its own unique synchronization process.

To add a new rule, go to the main Detections page and click the blue + button between Options and the query bar. A form will appear where you will:

  • click the Language drop-down and select your desired rule language
  • optionally specify a license
  • add the signature
  • click the CREATE button and the detection should deploy to your grid at the next 15-minute cycle

To review and modify existing rules, there are two ways to reach the detail page:

  • From the main Detections interface, you can search for the desired detection and click the binoculars icon to the left of the rule title:

    OR


  • From the Alerts interface, you can click an alert and then click the Tune Detection menu item:

Once you’ve used one of these methods to reach the detection detail page, you can check the Status field in the upper-right corner and use the slider to enable or disable the detection.

To the left of the Status field are several tabs. The first tab on the left is the OVERVIEW tab and it displays the Summary, References, and Detection Logic for the detection:


The OPERATIONAL NOTES tab allows you to add your own local notes to the detection in markdown format:


The DETECTION SOURCE tab shows the full content of the detection:


The TUNING tab allows you to tune the detection. For NIDS rules, you can modify, suppress, or threshold. For Sigma rules, you can create a custom filter. For example, here is a NIDS suppression:


The HISTORY tab shows the history of the detection since it was added to your deployment:


Here's an example of a Sigma rule:


Here's an example of a YARA rule:


As you can see, Detections will help you take your detection engineering capabilities to the next level!


SOC Dashboards


In addition to Detections, we spent a lot of time updating SOC Dashboards! We updated just about every one of our existing default dashboards to standardize on a new sankey diagram format that will help you see relationships between different fields more clearly and filter those fields more quickly. We also added column definitions for many different data types to aid you in your hunting expeditions. This release also includes a complete set of dashboards for Elastic Agent:


We also added new dashboards for NetFlow, Kismet, and more:


Elastic Integrations


This release adds a new Elastic integration for CEF. You can find our full list of supported Elastic integrations at:

https://docs.securityonion.net/en/2.4/third-party-integrations.html


Telemetry


Starting in this release, Security Onion Console (SOC) can optionally send telemetry data to Google Analytics. 


During setup, or during non-automated soup invocations, the user must choose to enable or disable SOC telemetry collection.


After installation, grid administrators can enable or disable SOC Telemetry via the configuration interface. Search for SOC Telemetry in the Configuration screen.


The purpose of this telemetry is to help the Security Onion development team improve the product. Specifically, by knowing which user-interface features are being used, and how the user interacts with the SOC user interface, the development team can better prioritize new features, improvements to the existing user interface, and begin deprecating features that are rarely used. Deprecating unused features will help developers avoid spending their time and effort maintaining and upgrading areas of the product that aren’t widely used. This allows more time to be spent on new features and bug fixes, directly benefiting Security Onion users.


For more information, please see the Telemetry section of the docs:

https://docs.securityonion.net/en/2.4/telemetry.html


Other Features and Fixes


There are many more features and fixes included in this release! For a complete list of all changes, please see the Release Notes:

https://docs.securityonion.net/en/2.4/release-notes.html#changes


Known Issues


For a list of known issues, please see:

https://docs.securityonion.net/en/2.4/release-notes.html#known-issues


About Security Onion


Security Onion is a free and open platform built by defenders for defenders. It includes network visibility, host visibility, intrusion detection honeypots, log management, and case management. 


For network visibility, we offer signature based detection via Suricata, rich protocol metadata and file extraction using your choice of either Zeek or Suricata, full packet capture, and file analysis. For host visibility, we offer the Elastic Agent which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into Elasticsearch and we’ve built our own user interfaces for alerts, dashboards, threat hunting, case management, and grid management. 


Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build a distributed grid for your enterprise in minutes!


Documentation


You can find our online documentation here:


https://docs.securityonion.net/en/2.4/


Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.


New Installations


If this is your first time installing Security Onion 2.4, then we highly recommend starting with an IMPORT installation as shown at:


https://docs.securityonion.net/en/2.4/first-time-users.html


Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown at:


https://docs.securityonion.net/en/2.4/architecture.html


Existing 2.4 Installations


If you have an existing Security Onion 2.4 installation, you can update to the latest version using soup:


https://docs.securityonion.net/en/2.4/soup.html


Before updating your production deployment, we highly recommend testing the upgrade process on a test deployment that closely matches your production deployment if possible.


2.3 EOL


As a reminder, Security Onion 2.3 reached End Of Life (EOL) on April 6, 2024:


https://blog.securityonion.net/2023/10/6-month-eol-notice-for-security-onion-23.html


Thanks


Lots of love went into this release!


Special thanks to all our folks working so hard to make this release happen!


  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Corey Ogburn
  • Josh Patterson
  • Mike Reeves


Questions, Problems, and Feedback


If you have any questions or problems relating to Security Onion 2.4, please use the 2.4 category at our Discussions site:

https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4


Training


Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training!

https://securityonion.net/training


Security Onion Solutions Hardware Appliances


We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!


https://securityonionsolutions.com/hardware


Cloud Installations


For new Security Onion 2 installations in the cloud, Security Onion 2.4 will soon be available on the AWS, Azure, and GCP marketplaces!


AWS Marketplace and Documentation:


https://securityonion.net/aws/?ref=_ptnr_soc_blog_240529


https://docs.securityonion.net/en/2.4/cloud-amazon.html


Azure Marketplace and documentation:


https://securityonion.net/azure


https://docs.securityonion.net/en/2.4/cloud-azure.html


GCP Marketplace and documentation:


https://securityonion.net/google


https://docs.securityonion.net/en/2.4/cloud-google.html


Screenshot Tour


If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

https://docs.securityonion.net/en/2.4/first-time-users.html




































































































Search This Blog

Featured Post

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive