Monday, September 17, 2018

Free / Open Source Compromise Assessment Tools

OTX ( Open Threat Exchange ):

 

                                     AlienVault provides OTX Endpoint Threat Hunter and its free, fast, and simple.


AlienVault threat hunting service delivers as much threat intelligence power as OTX Endpoint Threat Hunter. It is the Open & free service that natively uses the community-powered threat intelligence of OTX to scan your endpoints for known indicators of compromise (IOCs).

OTX Endpoint Threat Hunter uses the same agent-based approach as expensive endpoint security tools and DIY open source agents without the expense, complexity, or guesswork. 


How It Works
  • OTX Endpoint Threat Hunter is available to any registered Open Threat Exchange (OTX) user. It’s free to join OTX.
  • To get started, download and install the AlienVault® Agent on the Windows or Linux devices you want to monitor. The AlienVault Agent is immediately ready to find threats.
  • You can launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IOCs in one or more OTX pulses.
  • Once launched, the AlienVault Agent executes the query, and the results of the query display on a summary page within OTX.


CERTitude:

 

       is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It allows analysts to perform large scale scans of Windows-based information systems by searching for behavioral patterns described in IOC (Indicator of Compromise) files. The tool is currently composed of two main components:
  • The Python Flask-based web interface, used to configure the scans and visualize their results;
  • The scanner that connects to remote targets and runs the search for IOCs.
CERTitude is an open-source tool developed by the CERT-Wavestone. It is brought to you freely, but user support is only provided on a best-effort basis.

Compatibility

CERTitude is compatible with a wide range of target Windows operating systems, from XP / 2003 to Windows 10 / Server 2016. Though CERTitude can be run from a Linux host, it is only fully supported on Windows as some features may not be implemented on Linux.

Features:

  • Ability to scan hosts in a way that prevents the target workstation from knowing what the investigator is searching for
  • Ability to retrieve some pieces of data from the hosts
  • Multiple scanner instances (for IOCs and/or hash scans) can be run at the same time for parallel scanning
  • Built with security considerations in mind (protected database, secure communications with hosts using IPSec)


 

 


Monday, September 10, 2018

Free and open-source threat intelligence Feeds / Tools / Frameworks

GOSINT:
              framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs).

GOSINT allows a security analyst to collect and standardize structured and unstructured threat intelligence.

Applying threat intelligence to security operations enriches alert data with additional confidence, context, and co-occurrence. This means that you apply research from third parties to security event data to identify similar, or identical, indicators of malicious behavior. The framework is written in Go with a JavaScript frontend.



 Download Link : https://github.com/ciscocsirt/gosint / https://gosint.readthedocs.io/en/latest/index.html

Threatfeeds.io:

                           It's a another Free and open-source threat intelligence feeds.


Ref Link : https://threatfeeds.io/

Yeti:
       is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.  


Quick install (the command we all love)
$ curl https://raw.githubusercontent.com/yeti-platform/yeti/master/extras/ubuntu_bootstrap.sh | sudo /bin/bash 

 Ref Link : https://yeti-platform.github.io/

TC ( Threat Connect ) Open: 

                                     is a completely free way for individual researchers to get started with threat intelligence. TC Open allows you to see and share open source threat data, with support and validation from our free community.



  • Access to 100+ open source intelligence feeds (OSINT)
  • Access to threat, incident, and adversary data
  • Ability to collaborate or consume active and historic indicators, incidents, and threats
  • Validate your findings with peers in the ThreatConnect Common Community
ThreatConnect wants as many cyber professionals to get into the habit of sharing threat data and intelligence with one another as possible. Together, we are much stronger and more likely to thwart adversaries. We created TC Open to be a completely free, non-threatening way to get started. It is perfect for individual researchers who are just starting and experienced professionals, alike.

Request Link : https://www.threatconnect.com/free/



Monday, August 27, 2018

Active Directory (AD) Security audit tool - PingCastle

PingCastle:

   is a free, Windows-based utility to audit the risk level of your AD infrastructure and check for vulnerable practices.

How its Works :

 


You can run it on an ad-hoc basis to generate a detailed HTML report, but that's just the tip of the iceberg. It can be used to schedule reports and email them (or push them to webdav shares), create spreadsheets, or even automatically create PowerPoint presentations of the data.


PingCastle AD Security Maturity Model:







It's a simple zipped download that you can just run as a normal domain user, no install required.




 https://www.pingcastle.com/PingCastleFiles/PingCastle_2.5.1.0.zip

How to Execute / Run :

https://www.pingcastle.com/download/command-line-mode/

Tuesday, August 14, 2018

Free Indicators of Compromise (IOC) Tools - FireEye

IOC Finder

FireEye Indicators of Compromise (IOC) Finder is a free tool for collecting host system data and reporting the presence of IOCs. IOCs are open-standard XML documents that help incident responders capture diverse information about threats.


The IOC Finder features:
  • Collection of full data, sufficient for general IOC matching requirements
  • Usage of a portable storage device for collection from multiple hosts
  • IOC hit reporting in simple text, full HTML and full MS Word XML formats
  • Generation of reports for specific hosts or all hosts

Download Link : https://www.fireeye.com/services/freeware/ioc-finder.html

IOC Editor

 
FireEye Indicators of Compromise (IOC) Editor is a free tool that provides an interface for managing data and manipulating the logical structures of IOCs. IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes and artifacts in memory.

The IOC Editor includes:
  • Manipulation of the logical structures that define the IOC
  • Application of meta-information to IOCs, including detailed descriptions or arbitrary labels
  • Conversion of IOCs into XPath filters
  • Management of lists of “terms” used within IOCs
 Download Link : https://www.fireeye.com/services/freeware/ioc-editor.html

IOC Writer

IOC Writer provide a python library that allows for basic creation and editing of OpenIOC objects.

Provide a python library that allows for basic creation and editing of OpenIOC objects. It supports a basic CRUD (Create, Read, Update, Delete) for various items.
Items do not have built in Read operations, since all items can be accesed with built in ElementTree syntax or the use of XPATH to select portions of the IOC.

Download Link : https://github.com/mandiant/ioc_writer























































Friday, August 10, 2018

Packet Capture ( PCAP ) File Analysis Tools

PacketTotal:

                  allows you to upload a PCAP, or packet capture, file and have it automatically analyzed and parsed against BRO IDS and Suricata signatures in order to provide information on what may have been detected in the capture file.

                         


URL : https://packettotal.com/

Microsoft Message Analyzer:

 is the successor to Microsoft Network Monitor. It is helpful in capturing, displaying, and analyzing protocol messaging traffic and other system messages. It is not only an effective tool for troubleshooting network issues, but for testing and verifying protocol implementations as well.
                  




              

Message Analyzer can certainly be used to analyze .pcap files.  The tool is generic and not specific to Microsoft, but certainly more focus is put on the Windows scenarios so Microsoft related parsers are kept up to date.  However, you can analyze virtually any kind of data, going beyond network captures like EVT, ETW, CSV and many more.

Tools -> Options -> Parsing

Download Link : https://www.microsoft.com/en-in/download/details.aspx?id=44226

CapAnalysis:

               is a web visual tool for information security specialists, system administrators and everyone who needs to analyze large amounts of captured network traffic.