BlueTeamTools

In this note, I organize the blue team tools

IDS/IPS

OSSEC
- HIDS
Suricata
- NIDS/NIPS
- ls -lah /etc/suricata/rules/ see all rulus
- suricata -r test.pcap create various logs(etc eve.json,fast.log...)
- suricata --pcap=ens160 -vv Suricata’s (Live) LibPCAP mod
- cat /var/log/suricata/old_eve.json | jq -c 'select(.event_type == "http")' | head -1 | jqquury example
RITA
- detect C2
- ``
- simple tour
- simple tour2

example:

sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -R /home/htb-student/local.rules -r /home/htb-student/pcaps/cerber.pcap -A cmg

sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq \
-r XXX.pcap

sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq \
-i ens160

Zeek
- /usr/local/zeek/bin/zeek -C -r XXX.pcap
[Sysmon]

xml filter example

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[
        System[
          (EventID=3)
          and TimeCreated[
            @SystemTime >= '2022-01-01T07:41:36.000Z'
            and @SystemTime <= '2022-10-02T07:41:36.999Z'
          ]
        ]
        and EventData[
          Data[@Name='ProcessGuid']='a79137ec-af0f-6338-b702-00000000e901'
        ]
      ]
    </Select>
  </Query>
</QueryList>

SIEM

Continuously, for ongoing detection and alerting

DFIR

after an incident has occurred

Velociraptor

CTI

malware analysis

Noriben
- Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware.
- python Noriben.py launch the script

Network Forensics

wireshark
NetworkMiner
Zui
- find who is attacker by alert

Acquision

Dumpit.exe
- windows memory image
LiME
- Linux memory image
EDD
- check disk wheather has been encrypted
KAPE
- triage image
CyLR
- inux triage image

if windwos memory dead Acquision * hiberfil.sys C:/ * pagefile.sys C:/