№3. BlueTeam-Tools. Vulnerability management

15 May 2023 6 minutes Author: Lady Liberty

Corporate networks can be scanned for vulnerabilities with vulnerability management software. If a vulnerability is found during a scan, the vulnerability management tool suggests or triggers a patch. Vulnerability management technologies scan networks for security weaknesses and fix them to prevent further intrusions, so the damage a cyber attack can cause is reduced by using them. Fixes should be applied promptly, in the order of priority that the vulnerability management tools establish. Through a methodical process you can reduce your reliance on third-party intrusion detection systems while strengthening your network. In this article you will find tools that help identify the TTPs used by threat actors and implement detections for them.

LOLBAS project

Living off the land binaries (LOLBins) are legitimate Windows executables that attackers can use to perform malicious actions without arousing suspicion. Using LOLBins lets attackers blend into normal system activity and avoid detection, which makes them a popular choice. The LOLBAS project is a MITRE ATT&CK-mapped list of LOLBins with commands, usage and detection information for defenders.

Visit https://lolbas-project.github.io/.

Using:

Use the information for detection capabilities to protect your infrastructure from LOLBIN usage.

Here are some project links to get you started:

Bitsadmin.exe

Certutil.exe

Cscript.exe

GTFOBins

GTFOBins (short for “Get The F* Out Binaries”) is a curated list of Unix binaries that can be used to elevate privileges, bypass restrictions, or execute arbitrary commands on a system; attackers use them to gain unauthorized access and perform malicious actions. Each GTFOBins entry documents the binary's commands and usage, and defenders can use the same information to build detections for Unix systems.

Visit https://gtfobins.github.io/.

Using:

Here are some project links to get you started:

base64

curl

nano



Filesec

Filesec is a list of file extensions that attackers can use for phishing, execution, macros, and more. It is a great resource for understanding how common file extensions are abused and how to protect against them. Each file extension page contains a description, the operating systems concerned, and recommendations.

Visit https://filesec.io/.

Using:

Here are some project links to get you started:

.Docm

.Iso

.Ppam



KQL Search

KQL stands for “Kusto Query Language” and is the query language used to search and filter data in Azure Monitor logs. It is similar to SQL, but optimized for analyzing logs and time-series data. KQL is particularly useful for blue teams because it lets you quickly search large volumes of log data for security events and anomalies that may indicate a threat. KQL Search is a web application created by @ugurkocde that aggregates KQL queries shared on GitHub.

You can visit the site at https://www.kqlsearch.com/. More information about the Kusto Query Language (KQL) can be found here.



Unprotect

Malware authors spend a lot of time and effort developing complex code to perform malicious actions against a target system. It is crucial for malware to remain undetected and to evade sandboxes, antivirus products and malware analysts. Using evasion techniques, malware can stay under the radar and remain undetected on the system. The goal of this free database is to centralize information on malware evasion techniques. The project aims to give malware analysts and defenders actionable information and detection capabilities to reduce response time.

The project can be found at https://unprotect.it/. The project has API docs here.



Chainsaw

Chainsaw provides a powerful “first responder” capability to rapidly identify threats in Windows forensic artifacts such as event logs and MFTs. It offers a generic and fast method of searching event logs for keywords and identifying threats, with built-in support for Sigma detection rules and Chainsaw’s own custom detection rules.

Features:

  • Hunt for threats using Sigma detection rules and custom Chainsaw detection rules
  • Search and extract forensic artifacts by string matching and regular expression patterns
  • Lightning fast, written in Rust, wrapping the EVTX parser library by @OBenamram
  • Clean and lightweight execution and output formats without unnecessary bloat
  • Document tagging (detection logic matching) provided by the TAU Engine library
  • Output results in a variety of formats, such as ASCII table, CSV and JSON
  • Runs on macOS, Linux and Windows

Installation:



Using:




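As an added example (not code from Chainsaw, the LOLBAS project or GTFOBins), the following Python script shows the kind of rule-based matching these three resources feed: a minimal Sigma-style matcher run over constructed process-creation records, flagging the binaries named in the LOLBAS and GTFOBins sections above when they run in a suspicious context (an Office parent process on Windows, the web server account on Linux). The flat JSON event shape, the field names and the rules themselves are assumptions made for the example.

```python
"""Added example (not code from Chainsaw, LOLBAS or GTFOBins): a minimal
Sigma-style rule matcher run over constructed log records, flagging the
binaries named on this page when they execute in a suspicious context."""
import json

# Constructed sample events in a simplified flat JSON shape (assumption):
# two Windows process-creation records and two Linux execve records.
SAMPLE_LOG = r'''
{"os": "windows", "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "User": "CORP\\alice"}
{"os": "windows", "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\it-admin"}
{"os": "linux", "exe": "/usr/bin/curl", "user": "www-data", "ppid_exe": "/usr/sbin/apache2"}
{"os": "linux", "exe": "/usr/bin/curl", "user": "alice", "ppid_exe": "/usr/bin/bash"}
'''.strip().splitlines()

# Rules in a Sigma-like shape: values in a list are OR-ed, fields are AND-ed,
# and "field|modifier" applies endswith / startswith / contains. A "filter"
# block, when present, means "selection and not filter".
RULES = [
    {
        "title": "LOLBin spawned by an Office application",
        "level": "high",
        "detection": {
            "selection": {
                "os": "windows",
                "Image|endswith": ["\\bitsadmin.exe", "\\certutil.exe", "\\cscript.exe"],
                "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
            },
        },
    },
    {
        "title": "GTFOBin executed by the web server account",
        "level": "medium",
        "detection": {
            "selection": {
                "os": "linux",
                "exe|endswith": ["/base64", "/curl", "/nano"],
                "user": "www-data",
            },
            # Constructed exclusion: a known scheduled job run by the same account.
            "filter": {"ppid_exe|endswith": "/cron"},
        },
    },
]


def _match_value(actual, modifier, expected):
    """Case-insensitive comparison of one event field against a rule value."""
    if actual is None:
        return False
    a = str(actual).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        e = str(exp).lower()
        if modifier == "endswith" and a.endswith(e):
            return True
        if modifier == "startswith" and a.startswith(e):
            return True
        if modifier == "contains" and e in a:
            return True
        if modifier is None and a == e:
            return True
    return False


def _match_block(block, event):
    """All fields of a selection/filter block must match (AND)."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        if not _match_value(event.get(field), modifier or None, expected):
            return False
    return True


def match_rule(rule, event):
    det = rule["detection"]
    if not _match_block(det["selection"], event):
        return False
    return not ("filter" in det and _match_block(det["filter"], event))


def hunt(json_lines, rules=RULES):
    """Return (title, level, event) for every rule that fires on each line."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        for rule in rules:
            if match_rule(rule, event):
                hits.append((rule["title"], rule["level"], event))
    return hits


if __name__ == "__main__":
    for title, level, event in hunt(SAMPLE_LOG):
        print(f"[{level}] {title}: {event}")
```

Only the first and third records fire: certutil.exe launched by an administrator's cmd.exe and curl run by an interactive user are left alone, which is the point of keying the rules on context rather than on the binary name alone.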

Freq

Attackers try to bypass signature-, pattern-matching- and blacklist-based detection by using random filenames, service names, workstation names, domains, hostnames, SSL certificate subjects, publisher subjects, and so on. Freq is a Python API developed by Mark Baggett to handle bulk entropy testing. It is designed for use with SIEM solutions, but it can work with anything that can send a web request. The tool uses frequency tables that show how likely one character is to follow another.

Installation:



Using:


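To show what a character-pair frequency table does, here is an added example in Python; it is not Mark Baggett's freq.py and does not reproduce its scoring formula. It trains a table on a constructed list of legitimate-looking host and service names (an assumption standing in for a real corpus of thousands of names), then scores candidate names by the average probability of each character following the previous one, so that a random-looking name scores near zero.

```python
"""Added example (not Mark Baggett's freq.py): build a character-pair
frequency table from known-good names and score candidate names by how
likely each character is to follow the previous one."""
from collections import defaultdict

# Constructed training corpus standing in for a list of legitimate host and
# service names (assumption: a real table is trained on thousands of them).
GOOD_NAMES = [
    "fileserver", "printserver", "mailgateway", "backupagent", "webproxy",
    "domaincontroller", "updateservice", "windowsdefender", "sqlserver",
    "workstation", "laptop", "desktop", "scheduler", "monitoring", "database",
    "application", "management", "network", "security", "storage", "exchange",
]


class FreqTable:
    """Counts how often character b follows character a in the training text."""

    def __init__(self):
        self.pairs = defaultdict(lambda: defaultdict(int))

    def train(self, text):
        t = text.lower()
        for a, b in zip(t, t[1:]):
            self.pairs[a][b] += 1

    def probability(self, a, b):
        """P(b follows a); 0.0 when a was never seen or never followed by b."""
        following = self.pairs.get(a)
        if not following:
            return 0.0
        return following.get(b, 0) / sum(following.values())

    def score(self, word):
        """Average transition probability over the word, scaled to 0..100."""
        w = word.lower()
        pairs = list(zip(w, w[1:]))
        if not pairs:
            return 0.0
        return 100.0 * sum(self.probability(a, b) for a, b in pairs) / len(pairs)


TABLE = FreqTable()
for _name in GOOD_NAMES:
    TABLE.train(_name)


def score(name):
    """Score a candidate name against the table built from GOOD_NAMES."""
    return TABLE.score(name)


def is_random(name, threshold=5.0):
    """Names whose character sequences are rare in the corpus fall under the threshold."""
    return score(name) < threshold


if __name__ == "__main__":
    for candidate in ("fileserver", "xkq7vz9wp"):
        print(f"{candidate}: {score(candidate):.1f} random={is_random(candidate)}")
```

The threshold is the tuning knob: too low and short randomized names slip through, too high and unusual but legitimate names (product codes, non-English words) get flagged, so it should be set against a sample of your own naming conventions rather than copied from an example.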

yarGen

yarGen is a YARA rule generator. The basic principle is to create YARA rules from the strings found in malware files, while removing any strings that also appear in goodware files.

To do this, yarGen ships with a large goodware string database and an opcode database as ZIP archives that must be unzipped before first use. The rule creation process also tries to find similarities between the files being analyzed and then combines the shared strings into so-called super rules. Generating a super rule does not delete the simple rule for a file that was combined into the super rule, so there is some redundancy when super rules are created. You can suppress the simple rule for a file that is already covered by a super rule with the --nosimple option.

Installation:



Download the latest version.

Using:

Examples of use can be found here.
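The following Python script is an added example, not yarGen's own code, that walks through the principle described above on two constructed byte blobs (made-up stand-ins, not real malware): extract printable strings, drop the ones found in a small goodware string set, emit a simple rule per file, and emit a super rule for strings the files share, with a `nosimple` switch that mirrors the behaviour of yarGen's --nosimple option. The goodware set, the sample contents and the rule condition are assumptions for the example.

```python
"""Added example (not yarGen's own code): extract printable strings from
constructed sample files, drop any string that also occurs in a goodware
string set, and emit one simple YARA rule per file plus a super rule for
strings shared by several files."""
import re

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes

# Constructed stand-ins for two related binaries (assumption; not real malware).
SAMPLES = {
    "sample_a.bin": (b"MZ\x90\x00" + b"\x00" * 8
                     + b"kernel32.dll\x00GetProcAddress\x00" + b"\x01" * 5
                     + b"C:\\Users\\Public\\svc_updater.tmp\x00" + b"\x02" * 3
                     + b"EvilBeaconConfig_v2\x00"),
    "sample_b.bin": (b"MZ\x90\x00" + b"\x00" * 8
                     + b"kernel32.dll\x00LoadLibraryA\x00" + b"\xff" * 6
                     + b"EvilBeaconConfig_v2\x00" + b"\x03" * 4
                     + b"\\\\.\\pipe\\evil-c2-pipe\x00"),
}
# Strings that also appear in legitimate software; a real database is far larger.
GOODWARE_STRINGS = {b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA",
                    b"This program cannot be run in DOS mode"}


def extract_strings(data):
    """Return the set of printable ASCII strings of 6+ bytes in the blob."""
    return {m.group(0) for m in STRING_RE.finditer(data)}


def filter_goodware(strings, goodware=GOODWARE_STRINGS):
    """Drop strings that are also seen in goodware; they make weak signatures."""
    return {s for s in strings if s not in goodware}


def _yara_escape(s):
    return s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, strings, tag="generated"):
    """Render a YARA rule text requiring an MZ header and all listed strings."""
    lines = [f"rule {name} : {tag} {{", "    strings:"]
    for i, s in enumerate(sorted(strings)):
        lines.append(f'        $s{i} = "{_yara_escape(s)}" ascii')
    lines += ["    condition:", "        uint16(0) == 0x5a4d and all of them", "}"]
    return "\n".join(lines)


def generate(samples=SAMPLES, goodware=GOODWARE_STRINGS, nosimple=False):
    """Return {rule_name: rule_text}; nosimple mimics yarGen's --nosimple switch."""
    per_file = {name: filter_goodware(extract_strings(data), goodware)
                for name, data in samples.items()}
    shared = set.intersection(*per_file.values()) if len(per_file) > 1 else set()
    rules = {}
    if shared:
        rules["super_rule_shared"] = build_rule("super_rule_shared", shared, "super")
    for name, strings in per_file.items():
        covered = bool(shared) and shared <= strings
        if nosimple and covered:
            continue  # the super rule already matches this file
        if strings:
            rule_name = re.sub(r"\W", "_", name)
            rules[rule_name] = build_rule(rule_name, strings)
    return rules


if __name__ == "__main__":
    for text in generate().values():
        print(text, end="\n\n")
```

Note the redundancy the text mentions: without `nosimple`, `EvilBeaconConfig_v2` appears both in the super rule and in each simple rule; with `nosimple=True` only the super rule is emitted, because both files are covered by it.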





EmailAnalyzer

With EmailAnalyzer you can analyze suspicious emails: it extracts headers, links and hashes from an .eml file.

Installation:



Using:




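As an added example, not EmailAnalyzer's own code, the Python script below does the same three extractions on a constructed .eml message using only the standard library (headers, links in the body, hashes of attachments), and also ties in the Filesec section above by flagging attachment extensions from that section's examples. The sample message, its addresses and domains, and the risk descriptions are constructed for the example.

```python
"""Added example (not EmailAnalyzer's own code): parse an .eml message with
the standard-library email package, extract headers, links and attachment
hashes, and flag attachment extensions from the Filesec examples above."""
import email
import hashlib
import re
from email import policy

# Constructed sample message; all addresses, domains and content are made up.
SAMPLE_EML = b"""\
From: "Accounts" <billing@example.invalid>
To: alice@corp.example
Subject: Invoice 4411 overdue
Received: from mail.example.invalid (203.0.113.7) by mx.corp.example; Mon, 15 May 2023 09:12:44 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or open it at http://pay.example.invalid/inv/4411
Reply via https://corp.example/help if you have questions.

--BOUNDARY
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==

--BOUNDARY--
"""

# Extensions taken from the Filesec examples on this page (assumption: treat
# any of them in an attachment name as a high-risk finding).
RISKY_EXTENSIONS = {
    ".docm": "macro-enabled Word document",
    ".iso": "disk image",
    ".ppam": "PowerPoint add-in",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_eml(raw: bytes) -> dict:
    """Return headers, links, attachment hashes and risk findings for one .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = {
        "From": str(msg["From"]),
        "To": str(msg["To"]),
        "Subject": str(msg["Subject"]),
        "Received": [str(h) for h in msg.get_all("Received", [])],
    }
    links, attachments, findings = set(), [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename:
            data = part.get_payload(decode=True) or b""  # undoes base64/QP
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            risk = RISKY_EXTENSIONS.get(ext)
            attachments.append({
                "filename": filename,
                "size": len(data),
                "sha1": hashlib.sha1(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "risk": risk,
            })
            if risk:
                findings.append(f"attachment {filename}: {ext} is a {risk}")
        elif part.get_content_type() == "text/plain":
            links.update(URL_RE.findall(part.get_content()))
    return {"headers": headers, "links": sorted(links),
            "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    report = analyze_eml(SAMPLE_EML)
    print(report["headers"]["Subject"], report["links"], sep="\n")
    for att in report["attachments"]:
        print(att["filename"], att["sha256"], att["risk"])
```

The hashes are computed on the decoded attachment bytes, which is what you would look up in a threat-intelligence feed; hashing the base64 text as it appears in the file would give a value nobody else has.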

VCG

VCG is an automated code security testing tool that works with C/C++, Java, C#, VB, and PL/SQL. It has several features that we hope will be useful for anyone doing code security testing, especially where time is limited:

  1. In addition to more complex checks, it has a configuration file for each language, which lets you add any dangerous functions (or other text) you want to look for.
  2. It tries to find around 20 phrases in comments that may indicate broken code (“ToDo”, “FixMe”, “Kludge”, etc.).
  3. It provides a pie chart (for the entire codebase and for individual files) showing the relative proportions of code, whitespace, comments, “ToDo”-style comments, and bad code.

Using:


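To make the three features above concrete, here is an added Python example, not VCG's own code, of a tiny scanner with the same shape: a per-language configuration of risky functions to grep for, a list of “ToDo”-style comment markers, and a per-line classification whose counts are the numbers behind a code/whitespace/comments pie chart. The C file it scans, the function list and the marker list are constructed for the example.

```python
"""Added example (not VCG's own code): a small source scanner with a
per-language list of risky functions, 'ToDo'-style comment markers and a
line-class breakdown, run over a constructed C file."""
import re

# Per-language configuration of calls to flag (constructed subset, C only).
RISKY_CALLS = {
    "c": {
        "gets": "no bounds check on the destination buffer",
        "strcpy": "unbounded copy; use a length-checked alternative",
        "sprintf": "unbounded formatting; prefer snprintf",
        "system": "shell command execution; avoid or strictly validate input",
    },
}
TODO_RE = re.compile(r"\b(todo|fixme|kludge|hack|xxx)\b", re.IGNORECASE)
COMMENT_START_RE = re.compile(r"//|/\*")

# Constructed C source with one unsafe copy and one shell call.
SAMPLE_C = r"""
#include <stdio.h>
#include <string.h>

/* Copies the user-supplied name into a fixed buffer. */
int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            // TODO: bounds check
    printf("Hello, %s\n", buf);
    return 0;
}

// FIXME: replace with execv and an allow-list
int run(const char *cmd) { return system(cmd); }
"""


def scan_source(src, language="c"):
    """Classify each line and flag risky calls; returns stats and findings."""
    risky = RISKY_CALLS[language]
    call_re = re.compile(r"\b(" + "|".join(map(re.escape, risky)) + r")\s*\(")
    stats = {"code": 0, "blank": 0, "comment": 0, "todo": 0, "flagged": 0}
    findings = []
    for no, line in enumerate(src.strip("\n").splitlines(), 1):
        s = line.strip()
        if not s:
            stats["blank"] += 1
            continue
        # Lines opening with a comment token (or a block-comment continuation
        # '*', a simplification) are comment lines; everything else is code,
        # possibly with a trailing comment that is inspected for markers.
        if s.startswith(("//", "/*", "*")):
            stats["comment"] += 1
            code, comment = "", s
        else:
            stats["code"] += 1
            m = COMMENT_START_RE.search(s)
            code, comment = (s[:m.start()], s[m.start():]) if m else (s, "")
        if TODO_RE.search(comment):
            stats["todo"] += 1
        hits = call_re.findall(code)
        if hits:
            stats["flagged"] += 1
            for fn in hits:
                findings.append({"line": no, "function": fn, "reason": risky[fn]})
    return {"stats": stats, "findings": findings}


def proportions(stats):
    """Percentage of lines per class, the numbers behind a pie chart."""
    total = stats["code"] + stats["blank"] + stats["comment"]
    if not total:
        return {}
    return {k: round(100.0 * stats[k] / total, 1) for k in ("code", "blank", "comment")}


if __name__ == "__main__":
    result = scan_source(SAMPLE_C)
    print(result["stats"], proportions(result["stats"]))
    for f in result["findings"]:
        print(f"line {f['line']}: {f['function']}() - {f['reason']}")
```

The value of the configuration-file approach is that the function list is data, not code: a team can add its own banned wrappers or legacy helpers without touching the scanner, which is exactly what VCG's per-language config files allow.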
