Jakub (Kuba) Sendor
@jsendor
OSXCollector
Automated forensic evidence collection & analysis for OS X
@jsendor
whoami
● Joined Yelp security team in July 2014.
● Mostly involved in malware incident response.
● Also working on automating our security processes.
● Previously worked at SAP in Sophia Antipolis (France) in the Security & Trust research group.
● Graduated in 2011 from AGH University of Science and Technology in Kraków (Poland) and Telecom ParisTech/Institut Eurecom (France).
Yelp’s Mission:
Connecting people with great local businesses.
Yelp Stats: As of Q2 2015 (infographic)
>3k employees, most of them using Macs
https://github.com/Yelp/osxcollector
OSXCollector is an open source forensic evidence collection & analysis toolkit for Mac OS X
OSXCollector is easy to run
1 Python file
0 dependencies
$ sudo osxcollector.py --id DelayedHedgehog
Wrote 35394 lines.
Output in DelayedHedgehog-2015_01_20-19_38_38.tar.gz
$
The output is JSON
JSON is beautiful.
JSON is easy to manipulate.
{
"file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight",
"sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614",
"sha1": "99005b68295c202fd359b46cd1411acea96b2469",
"md5": "b8cc164b6546e4b13768d8353820b216",
"ctime": "2014-12-05 16:50:39",
"mtime": "2014-09-19 00:16:50",
"osxcollector_section": "kext",
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
"osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist",
"osxcollector_bundle_id": "com.apple.driver.Apple_iSight",
"signature_chain": [
"Software Signing",
"Apple Code Signing Certification Authority",
"Apple Root CA"
]
}
OS X stores lots of data in SQLite DBs
# Dump a sqlite DB in a dozen lines of code
import sqlite3

# sqlite_db_path: path of the database being dumped (set by the caller)
with sqlite3.connect(sqlite_db_path) as conn:
    cursor = conn.cursor()
    # sqlite_master rows are (type, name, tbl_name, rootpage, sql); index 2 is the table name
    cursor.execute('SELECT * FROM sqlite_master WHERE type = "table"')
    table_names = [table[2] for table in cursor.fetchall()]
    for table_name in table_names:
        cursor.execute('SELECT * FROM {0}'.format(table_name))
        # cursor.description holds one 7-tuple per column; element 0 is the column name
        column_descriptions = [col[0] for col in cursor.description]
        for row in cursor.fetchall():
            # one dict per row, keyed by column name, ready to be emitted as JSON
            record = dict(zip(column_descriptions, row))
plist == property list
sometimes binary, sometimes plain text
BINARY:
$ /usr/libexec/PlistBuddy -c print shell.plist
Dict {
    ProgramArguments = Array {
        /usr/libexec/rshd
    }
    Sockets = Dict {
        Listeners = Dict {
            SockServiceName = shell
        }
    }
    Disabled = true
    Label = com.apple.rshd
    SessionCreate = true
    inetdCompatibility = Dict {
        Wait = false
    }
}
UTF-8:
$ cat ssh.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>Label</key>
    <string>com.openssh.sshd</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
OSXCollector uses Foundation
Foundation is a nice Objective-C wrapper.
import Foundation

# Look! Incredibly long objc style function names!
# PyObjC turns the NSError out-parameter into a second return value.
plist_nsdata, error_message = Foundation.NSData.dataWithContentsOfFile_options_error_(
    plist_path, Foundation.NSUncachedRead, None)

# Seriously, incredibly long function names!
# The two trailing None values stand in for the format and errorDescription out-parameters.
plist_dict, _, _ = Foundation.NSPropertyListSerialization.propertyListFromData_mutabilityOption_format_errorDescription_(
    plist_nsdata, Foundation.NSPropertyListMutableContainers, None, None)
Forensic Collection
● OS System Info
● Applications
● Web Browser Info
● Kernel Extensions
● Quarantines
● Email Info
● Downloads
● Startup Items
● Groups & Accounts
Common keys in entries
path, hashes, timestamps, signature chain, ...
Startup items run on boot
Malware running at startup is basically game over.
{
"osxcollector_section": "startup",
"osxcollector_subsection": "launch_agents",
"md5": "dbd251d8a6e4da2419d75f5b18cf5078",
"sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca",
"sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2",
"file_path": "/Library/Application Support/GPGTools/uuid-patcher",
"ctime": "2014-12-05 16:52:00",
"mtime": "2014-11-30 15:49:40",
"osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist",
"program": "/usr/libexec/sshd-keygen-wrapper",
"label": "com.openssh.sshd",
"signature_chain": [],
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38"
}
PRETTY PRETTY!
Timestamps are important in forensics
Timestamps get stored in a lot of ways.
OSXCollector normalizes them.
VERY NORMALIZED
Hashes are still important in forensics
STILL USEFUL
Quarantines track downloaded content
They live forever in a plist.
{
"osxcollector_section": "quarantines",
"osxcollector_username": "jsendor",
"LSQuarantineAgentName": "Google Chrome",
"LSQuarantineAgentBundleIdentifier": "com.google.Chrome",
"LSQuarantineDataURLString": "https://cachefly.alfredapp.com/Alfred_2.5.1_308.zip",
"LSQuarantineEventIdentifier": "6FA87446-1249-4578-83E4-4BBCF7AEA4A3",
"LSQuarantineOriginURLString": "http://www.alfredapp.com/",
"osxcollector_db_path": "/Users/ivanlei/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2",
"osxcollector_table_name": "LSQuarantineEvent",
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
"LSQuarantineTimeStamp": "2014-12-05 14:40:33"
}
xattr-wherefrom
No need to search around in browser history.
{
..
"md5": "0b984ecc39d5b33e4f6a81ade4e8dbf1",
"xattr-quarantines": [
"0001;5541127e;Google Chrome;63B2C485-1F64-4ADE-A95C-72F7087FA172"
],
"signature_chain": [],
"xattr-wherefrom": [
"http://trojans.evildownloads.com/Trojan.app",
"http://trojans.evildownloads.com/latest-trojans/"
],
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
"file_path": "/Users/jdoe/Downloads/Trojan.app"
}
THIS IS BAAAD
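The timestamp normalization promised on the "Timestamps are important in forensics" slide, together with decoding of the xattr-quarantines value above, as an added example (not OSXCollector's own code): each converter maps one on-disk encoding to the "YYYY-MM-DD HH:MM:SS" UTC form, and the quarantine attribute is split into flags, timestamp, agent and event id. The numeric sample values are constructed; the quarantine string is the one shown above.

```python
"""Normalize the timestamp encodings found in OS X artifacts to one UTC string.

Added example, not OSXCollector's own code. Encodings covered: Unix seconds
(stat ctime/mtime and the hex field of com.apple.quarantine), Cocoa seconds
since 2001 (LSQuarantineTimeStamp), Chrome/WebKit microseconds since 1601 and
Firefox microseconds since 1970.
"""
from datetime import datetime, timezone

COCOA_EPOCH_OFFSET = 978307200       # seconds between 1970-01-01 and 2001-01-01 UTC
WEBKIT_EPOCH_OFFSET = 11644473600    # seconds between 1601-01-01 and 1970-01-01 UTC
OUTPUT_FORMAT = "%Y-%m-%d %H:%M:%S"  # the form OSXCollector emits for ctime/mtime


def _format(unix_seconds):
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime(OUTPUT_FORMAT)


def from_unix(seconds):
    """Seconds since 1970-01-01: os.stat() ctime/mtime, the quarantine xattr time field."""
    return _format(int(seconds))


def from_cocoa(seconds):
    """Seconds since 2001-01-01 (NSDate / CFAbsoluteTime): LSQuarantineTimeStamp in the
    com.apple.LaunchServices.QuarantineEventsV2 database."""
    return _format(int(seconds) + COCOA_EPOCH_OFFSET)


def from_webkit(microseconds):
    """Microseconds since 1601-01-01: Chrome History (urls.last_visit_time, visits.visit_time)."""
    return _format(microseconds // 1_000_000 - WEBKIT_EPOCH_OFFSET)


def from_prtime(microseconds):
    """Microseconds since 1970-01-01 (PRTime): Firefox places.sqlite last_visit_date."""
    return _format(microseconds // 1_000_000)


def parse_quarantine_xattr(raw):
    """Decode one com.apple.quarantine value, 'flags;hex_unix_time;agent;event_uuid',
    as carried by OSXCollector's xattr-quarantines key."""
    fields = raw.split(";", 3)
    if len(fields) != 4:
        raise ValueError("unexpected quarantine attribute: %r" % raw)
    flags, hex_time, agent, event_id = fields
    return {
        "flags": int(flags, 16),
        "timestamp": from_unix(int(hex_time, 16)),
        "agent": agent,
        "event_id": event_id,
    }


# Constructed sample values; the quarantine string is the one from the slide above.
SAMPLES = {
    "quarantine_xattr": "0001;5541127e;Google Chrome;63B2C485-1F64-4ADE-A95C-72F7087FA172",
    "cocoa": 439483233,           # 2014-12-05 14:40:33 UTC
    "firefox": 1421019896000000,  # 2015-01-11 23:44:56 UTC
    "chrome": 13065493496000000,  # the same instant in WebKit time
}


def normalize_samples():
    """Run every converter over SAMPLES; every result shares OUTPUT_FORMAT."""
    return {
        "quarantine": parse_quarantine_xattr(SAMPLES["quarantine_xattr"]),
        "cocoa": from_cocoa(SAMPLES["cocoa"]),
        "firefox": from_prtime(SAMPLES["firefox"]),
        "chrome": from_webkit(SAMPLES["chrome"]),
    }


if __name__ == "__main__":
    for name, value in normalize_samples().items():
        print(name, value)
```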
OS X doesn't care if startup items and kexts are signed
But I kinda do, so OSXCollector lists the signature chain.
SWELL!
Forensic collection is hard work.
Forensic analysis is fun.
Part science, part art.
Manual analysis with grep and jq works pretty well
grep a time window:
$ cat foo.json | grep ' 2014-01-01 11:3[2-8]'
only urls in a time window:
$ cat foo.json | grep '2014-01-01 11:3[2-8]' | jq 'select( has("url")).url'
grep a single user:
$ cat INCIDENT32.json | jq 'select( .osxcollector_username=="jsendor")|.'
We can automate this!
step 1: analyze
step 2: ???
step 3: profit
$ python -m osxcollector.output_filters.analyze -i osxcollector_output.json
== Very Readable Output Bot ==
Let's see what's up with this machine.
Well, here's some domains OpenDNS wouldn't recommend.
...
- quarantines
  LSQuarantineDataURLString: "http://d2.genieo.com/im/partners/webpic2/installgenieo.dmg?campaign=wbpc_1&download_browser=Chrome"
  LSQuarantineTimeStamp: "2014-04-30 15:26:13"
  opendns-categorization: {"status": 0, "content_categories": ["Adware"], "suspicious": True, "security_categories": []}
  opendns-security: {"dga_score": -6.35631605112, "rip_score": 0.0, "asn_score": 0.0, "securerank2": -0.00813742053751, "attack": "", "prefix_score": 0.0, "found": True, "threat_type": ""}
  opendns-link: "https://investigate.opendns.com/domain-view/name/w.genieo.com/view"
...
- firefox history
  last_visit_date: "2015-01-11 23:44:56"
  url: "http://dl.pspvideosdownload.com/lp/?appid=12…"
  vtdomain-domain: "dl.pspvideosdownload.com"
  vtdomain-detections: {"undetected_referrer_samples": 0, "detected_downloaded_samples": 2, "detected_referrer_samples": 0, "detected_urls": 100, "detected_communicating_samples": 0, "undetected_communicating_samples": 0}
Enter OSXCollector Output Filters
Automated analysis with output filters
JSON in
● find domains filter
● check blacklists filter
● VirusTotal hash lookup filter
● Shadowserver hash lookup filter
● find related files filter
● OpenDNS related domains filter
● OpenDNS domain reputation filter
● VirusTotal domain reputation filter
● construct browser history filter
● recommend next steps filter
JSON out
find domains filter
a lot of filters add a single piece of info
{
"url": "https://biz.yelp.com"
}
{
"url": "https://biz.yelp.com",
"osxcollector_domains": [
"biz.yelp.com",
"yelp.com"
]
}
check blacklist filter
Match any key.
Regex or exact match.
Built-in smarts for turning domains into regexes.
{
"url": "https://www.evil.com",
"osxcollector_domains": [
"www.evil.com",
"evil.com"
]
}
{
"url": "https://www.evil.com",
"osxcollector_domains": [
"www.evil.com",
"evil.com"
],
"osxcollector_blacklist": [
"domains"
]
}
domain_blacklist.txt
evil.com
streaming-football.com
downloads.com
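The find domains and check blacklist filters from the two slides above, as an added example written for this page rather than OSXCollector's own filter code. It assumes a blacklist is configured with the record keys it should inspect, walks parent domains up to two labels (a public-suffix list would be needed for co.uk-style domains), and runs over constructed JSON lines against the domain_blacklist.txt entries above; note that the domain regex for downloads.com must not match evildownloads.com.

```python
"""Find-domains and check-blacklist output filters over OSXCollector JSON lines.

Added example for this page, not OSXCollector's own filter code.
Assumptions: a blacklist names the record keys it inspects, and parent
domains are walked up to two labels (no public-suffix list).
"""
import ipaddress
import json
import re
from urllib.parse import urlparse


def find_domains(url):
    """Hostname of url plus each parent domain: biz.yelp.com -> [biz.yelp.com, yelp.com]."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return []
    try:
        ipaddress.ip_address(host)
        return [host]  # an IP literal has no parent domains
    except ValueError:
        pass
    labels = host.split(".")
    # Assumption: stop at two labels; co.uk-style suffixes would need a public-suffix list.
    return [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]


def domain_to_regex(domain):
    """'evil.com' -> pattern matching evil.com and its subdomains, not evildownloads.com."""
    return re.compile(r"^(?:.+\.)?" + re.escape(domain.lower()) + r"$", re.IGNORECASE)


class Blacklist:
    """Named list of patterns checked against the configured record keys (any key works)."""

    def __init__(self, name, keys, values, is_domains=False, is_regex=False):
        self.name, self.keys = name, keys
        if is_domains:
            self.patterns = [domain_to_regex(v) for v in values]
        elif is_regex:
            self.patterns = [re.compile(v) for v in values]
        else:  # exact match
            self.patterns = [re.compile("^" + re.escape(v) + "$") for v in values]

    def matches(self, record):
        for key in self.keys:
            values = record.get(key, [])
            for value in (values if isinstance(values, list) else [values]):
                if isinstance(value, str) and any(p.search(value) for p in self.patterns):
                    return True
        return False


def find_domains_filter(record):
    """Add osxcollector_domains to any record that carries a url."""
    if isinstance(record.get("url"), str):
        record["osxcollector_domains"] = find_domains(record["url"])
    return record


def check_blacklist_filter(record, blacklists):
    """Add osxcollector_blacklist naming every blacklist the record hits."""
    hits = [bl.name for bl in blacklists if bl.matches(record)]
    if hits:
        record["osxcollector_blacklist"] = hits
    return record


def run_filters(json_lines, blacklists):
    """Apply the two filters, in order, to each JSON line and return the records."""
    records = []
    for line in json_lines:
        if line.strip():
            record = json.loads(line)
            records.append(check_blacklist_filter(find_domains_filter(record), blacklists))
    return records


# domain_blacklist.txt from the slide, and constructed OSXCollector-style JSON lines.
DOMAIN_BLACKLIST = ["evil.com", "streaming-football.com", "downloads.com"]
SAMPLE_LINES = [
    '{"osxcollector_section": "chrome", "url": "https://biz.yelp.com"}',
    '{"osxcollector_section": "quarantines", "url": "https://www.evil.com/download.dmg"}',
    '{"osxcollector_section": "firefox", "url": "http://evildownloads.com/x"}',
    '{"osxcollector_section": "downloads", "url": "http://10.0.0.5/a.pkg"}',
]


def demo():
    blacklists = [Blacklist("domains", ["osxcollector_domains"], DOMAIN_BLACKLIST, is_domains=True)]
    return run_filters(SAMPLE_LINES, blacklists)


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```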
VirusTotal hash lookup filter
API output filter base does the heavy lifting.
Support for rate limits & response caching; issues 10s of requests at once.
{
"sha1": "99005b68295c202fd359b46c"
}
{
"sha1": "99005b68295c202fd359b46c",
"osxcollector_vthash": {
"response_code": 200,
"positives": 36,
"total": 52
}
}
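A sketch of what the slide calls the API output filter base, as an added example (not OSXCollector's ApiFilter): it de-duplicates lookups, sends them in batches, caches responses in a JSON file and throttles calls. The VirusTotal query itself is replaced by an injected fake_hash_lookup returning constructed responses, and RateLimiter takes a virtual clock so the throttling can be shown without sleeping.

```python
"""Skeleton of an API output filter: de-duplicate lookups, batch them, cache
responses on disk and throttle calls to the remote API.

Added example, not OSXCollector's ApiFilter. The lookup is injected as a
callable, so no network access or API key is needed.
"""
import json
import os
import tempfile
import time
from collections import deque


class ResponseCache:
    """JSON-file cache keyed by the looked-up value; a re-run costs no API calls."""

    def __init__(self, path):
        self.path, self.data = path, {}
        if os.path.exists(path):
            with open(path) as fh:
                self.data = json.load(fh)

    def get(self, key):
        return self.data.get(key)

    def put(self, key, value):
        self.data[key] = value

    def save(self):
        with open(self.path, "w") as fh:
            json.dump(self.data, fh)


class RateLimiter:
    """At most max_calls per window seconds; clock and sleep are injectable."""

    def __init__(self, max_calls, window, clock=time.monotonic, sleep=time.sleep):
        self.max_calls, self.window = max_calls, window
        self.clock, self.sleep = clock, sleep
        self.calls = deque()  # timestamps of calls still inside the window

    def _expire(self, now):
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()

    def acquire(self):
        now = self.clock()
        self._expire(now)
        if len(self.calls) >= self.max_calls:
            self.sleep(self.window - (now - self.calls[0]))  # until the oldest call expires
            now = self.clock()
            self._expire(now)
        self.calls.append(now)


class ApiFilter:
    """Store lookup(batch)[record[key]] under record[out_key] for every record."""

    def __init__(self, key, out_key, lookup, cache, batch_size=25, limiter=None):
        self.key, self.out_key, self.lookup = key, out_key, lookup
        self.cache, self.batch_size, self.limiter = cache, batch_size, limiter
        self.api_calls = 0

    def _value(self, record):
        value = record.get(self.key)
        return value if isinstance(value, str) else None

    def run(self, records):
        pending = []  # unique values with no cached response yet
        for record in records:
            value = self._value(record)
            if value and self.cache.get(value) is None and value not in pending:
                pending.append(value)
        for start in range(0, len(pending), self.batch_size):
            if self.limiter is not None:
                self.limiter.acquire()
            self.api_calls += 1  # one request per batch, not per record
            for value, response in self.lookup(pending[start:start + self.batch_size]).items():
                self.cache.put(value, response)
        self.cache.save()
        for record in records:
            value = self._value(record)
            if value and self.cache.get(value) is not None:
                record[self.out_key] = self.cache.get(value)
        return records


def fake_hash_lookup(hashes):
    """Stand-in for a batched VirusTotal hash query (constructed responses)."""
    return {h: {"response_code": 200, "positives": 36 if h.startswith("99") else 0, "total": 52}
            for h in hashes}


class FakeClock:
    """Virtual clock so the rate limiter can be exercised without real sleeping."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo():
    """Two runs over one cache (second needs no API calls), then a throttled burst."""
    cache_path = os.path.join(tempfile.mkdtemp(), "cache.vt.json")
    records = [{"sha1": "99005b68295c202fd359b46c"}, {"sha1": "0000dead"},
               {"sha1": "99005b68295c202fd359b46c"}]  # constructed; one duplicate hash
    first = ApiFilter("sha1", "osxcollector_vthash", fake_hash_lookup, ResponseCache(cache_path))
    annotated = first.run([dict(r) for r in records])
    second = ApiFilter("sha1", "osxcollector_vthash", fake_hash_lookup, ResponseCache(cache_path))
    second.run([dict(r) for r in records])
    clock = FakeClock()
    limiter = RateLimiter(4, 60, clock=clock.time, sleep=clock.sleep)
    for _ in range(5):  # 5 calls against a limit of 4 per minute
        limiter.acquire()
    return {"first_run_calls": first.api_calls, "second_run_calls": second.api_calls,
            "positives": annotated[0]["osxcollector_vthash"]["positives"],
            "throttle_wait": clock.now}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```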
OpenDNS related domains filter
Judge domains by the company they keep.
Domains related to suspicious domains are usually suspicious themselves.
{
"url": "https://www.evil.com"
}
{
"url": "https://www.evil.com",
"osxcollector_related": {
"domains": [
"double-evil.com",
"free-lunch.org",
"torrent-malware.net"
]
}
}
OpenDNS domain reputation filter
Premium Cyber Threat Intel (CTI)
{
  "url": "https://www.evil.com"
}
{
  "url": "https://www.evil.com",
  "osxcollector_opendns": {
    "domain": "evil.com",
    "security": {
      "found": true,
      "dga_score": -3,
      "securerank2": -23,
      "asn_score": -57,
      "prefix_score": -62,
      "rip_score": -99
    }
  }
}
Recommend next steps
This whole thing started with just a few clues. Now look what I found.
- downloads downloads
ctime: "2015-02-02 12:15:14"
file_path: "/Users/jdoe/Downloads/screenshot.scr"
mtime: "2015-01-16 19:20:06"
xattr-quarantines: ["0001;54b95657;Googlex20Chrome;162C4043-647D-44A8-83C2-2B1F69C7861F"]
xattr-wherefrom: ["https://evildownloads.com/docs/securesc/5552qjr0llks3i1r65nm9vjn073v4ahg/82mfdn9k8qmvmo3ta2vja6hta3iink5i/1421431200000/00218636334715341180/12229357981017199890/0B-HDNU1GNnRAVjBtYlBqdVFrT2s?e=download&h=01562916784096941731&nonce=850uav3g55qiu&user=12229357981017199890&hash=78ffvfobh7rreq0bj86hqfhb7i8eq92l", ""]
related-files: ["screenshot.scr"]
Nothing hides from Very Readable Output Bot
If I were you, I'd probably update my blacklists to include:
domain: "evildownloads.com"
That might just help things, Skippy!
Threat Intel API
https://github.com/Yelp/threat_intel
Query Threat Intel Feeds:
Call OpenDNS API endpoints
from threat_intel.opendns import InvestigateApi
investigate = InvestigateApi(<INVESTIGATE-API-KEY-HERE>, cache_file_name="/tmp/cache.opendns.json")
domains = ["google.com", "baidu.com", "bibikun.ru"]
investigate.security(domains)
{
"baidu.com": {
"found": true,
"dga_score": 0,
"rip_score": 0,
..
}
}
ElastAlert
http://engineeringblog.yelp.com/
https://github.com/Yelp/osxcollector
Lemme know if you use it.
Send pull requests.
Questions? Let's talk!
kuba@yelp.com
We are hiring! visit yelp.com/careers
OSXCollector: Automated forensic evidence collection & analysis for OS X (BruCON 0x07)

  • 1. Jakub (Kuba) Sendor @jsendor OSXCollector Automated forensic evidence collection & analysis for OS X
  • 2. @jsendor whoami ● Joined Yelp security team in July 2014. ● Mostly involved in malware incident response. ● Also working on automating our security processes. ● Previously worked at SAP in Sophia Antipolis (France) in the Security & Trust research group. ● Graduated in 2011 from AGH University of Science and Technology in Kraków (Poland) and Telecom ParisTech/Institut Eurecom (France).
  • 3. @jsendor Yelp’s Mission: Connecting people with great local businesses.
  • 4. @jsendor Yelp Stats: As of Q2 2015 83M 3268%83M
  • 5. @jsendor >3k employees, most of them using Macs
  • 9. @jsendor https://github.com/Yelp/osxcollector OSXCollector is an open source forensic evidence collection & analysis toolkit for Mac OS X
  • 10. @jsendor OSXCollector is easy to run 1 Python file 0 dependencies $ sudo osxcollector.py --id DelayedHedgehog Wrote 35394 lines. Output in DelayedHedgehog-2015_01_20-19_38_38.tar.gz $
  • 11. @jsendor The output is JSON JSON is beautiful. JSON is easy to manipulate. { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] }
  • 12. @jsendor OS X stores lots of data in SQLite DBs # Dump a sqlite DB in a dozen lines of code with connect(sqlite_db_path) as conn: conn.cursor.execute('SELECT * from sqlite_master WHERE type = "table"') table_names = [table[2] for table in tables.fetchall()] for table in table_names: rows = conn.cursor.execute('SELECT * from {0}'.format(table_name)) column_descriptions = [col[0] for col in conn.cursor.description] for row in rows.fetchall(): record = dict([(key, val) for key, val in zip(column_descriptions, row)])
  • 13. @jsendor plist == property list sometimes binary, sometimes plain text $ /usr/libexec/PlistBuddy -c print shell.plist Dict { ProgramArguments = Array { /usr/libexec/rshd } Sockets = Dict { Listeners = Dict { SockServiceName = shell } } Disabled = true Label = com.apple.rshd SessionCreate = true inetdCompatibility = Dict { Wait = false } } $ cat ssh.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0 //EN" "http://www.apple.com/DTDs/PropertyList-1.0. dtd"> <plist version="1.0"> <dict> <key>Disabled</key> <true/> <key>Label</key> <string>com.openssh.sshd</string> <key>Program</key> <string>/usr/libexec/sshd-keygen- wrapper</string> <key>ProgramArguments</key> <array> <string>/usr/sbin/sshd</string> <string>-i</string> BINARY UTF-8
  • 14. @jsendor OSXCollector uses Foundation Foundation is a nice Objective-C wrapper. import Foundation # Look! Incredibly long objc style function names! plist_nsdata, error_message = Foundation.NSData.dataWithContentsOfFile_options_error_( plist_path, Foundation.NSUncachedRead, None) # Seriously, incredibly long function names! plist_dict, _, _ = Foundation.NSPropertyListSerialization. propertyListFromData_mutabilityOption_format_errorDescription_( plist_nsdata, Foundation.NSPropertyListMutableContainers, None, None)
  • 15. Forensic Collection
    ● OS System Info
    ● Applications
    ● Web Browser Info
    ● Kernel Extensions
    ● Quarantines
    ● Email Info
    ● Downloads
    ● Startup Items
    ● Groups & Accounts
  • 16. Common keys in entries
    path, hashes, timestamps, signature chain, ... (the slide shows the same kext entry as slide 11)
  • 17. Startup items run on boot
    Malware running at startup is basically game over.
    {
      "osxcollector_section": "startup",
      "osxcollector_subsection": "launch_agents",
      "md5": "dbd251d8a6e4da2419d75f5b18cf5078",
      "sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca",
      "sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2",
      "file_path": "/Library/Application Support/GPGTools/uuid-patcher",
      "ctime": "2014-12-05 16:52:00",
      "mtime": "2014-11-30 15:49:40",
      "osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist",
      "program": "/usr/libexec/sshd-keygen-wrapper",
      "label": "com.openssh.sshd",
      "signature_chain": [],
      "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38"
    }
    PRETTY PRETTY!
  • 18. Timestamps are important in forensics
    Timestamps get stored in a lot of ways. OSXCollector normalizes them: the ctime and mtime of the kext entry from slide 11 come out as "YYYY-MM-DD HH:MM:SS".
    VERY NORMALIZED
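To show what "normalizes them" means in practice, here is an added example (not OSXCollector's own code) that converts the raw encodings found in common OS X stores into the single "YYYY-MM-DD HH:MM:SS" UTC form seen in the output; the epoch constants are well-known, while the source labels, the key-to-source mapping and the sample record are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Offsets of other epochs from the Unix epoch (1970-01-01 UTC), in seconds.
# Well-known constants, not values taken from the slides.
COCOA_EPOCH_OFFSET = 978307200      # 2001-01-01: "Mac absolute time"
WEBKIT_EPOCH_OFFSET = 11644473600   # 1601-01-01: Chrome/WebKit time

# (divisor to get seconds, seconds to add) per encoding; the labels are this example's own.
SOURCE_UNITS = {
    'unix':    (1, 0),                             # seconds since 1970, e.g. file ctime/mtime
    'unix_us': (1_000_000, 0),                     # microseconds since 1970, e.g. Firefox places.sqlite
    'cocoa':   (1, COCOA_EPOCH_OFFSET),            # seconds since 2001, e.g. LSQuarantineTimeStamp
    'webkit':  (1_000_000, -WEBKIT_EPOCH_OFFSET),  # microseconds since 1601, e.g. Chrome History
}

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def normalize_timestamp(raw, source):
    """Convert a raw timestamp from `source` to the 'YYYY-MM-DD HH:MM:SS' UTC form of the output.
    Missing or zero values (several stores use 0 for "never") become None, not 1970 or 2001."""
    if raw is None or raw == '' or float(raw) == 0:
        return None
    divisor, shift = SOURCE_UNITS[source]
    moment = UNIX_EPOCH + timedelta(seconds=float(raw) / divisor + shift)
    return moment.strftime('%Y-%m-%d %H:%M:%S')


# Which keys hold timestamps, and in which encoding, per collected section (example mapping only).
TIMESTAMP_KEYS = {
    'quarantines': {'LSQuarantineTimeStamp': 'cocoa'},
    'firefox':     {'last_visit_date': 'unix_us'},
    'chrome':      {'last_visit_time': 'webkit'},
}


def normalize_entry(entry):
    """Return a copy of one collected record with its section's timestamp fields normalized."""
    out = dict(entry)
    for key, source in TIMESTAMP_KEYS.get(entry.get('osxcollector_section'), {}).items():
        if key in out:
            out[key] = normalize_timestamp(out[key], source)
    return out


# Constructed sample record, not real collector output.
SAMPLE_QUARANTINE = {
    'osxcollector_section': 'quarantines',
    'LSQuarantineAgentName': 'Google Chrome',
    'LSQuarantineTimeStamp': 439483233.0,   # Mac absolute time for 2014-12-05 14:40:33 UTC
}
```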
  • 19. Hashes are still important in forensics
    (the slide shows the md5, sha1 and sha2 of the kext entry from slide 11)
    STILL USEFUL
  • 20. Quarantines track downloaded content
    They live forever in a plist.
    {
      "osxcollector_section": "quarantines",
      "osxcollector_username": "jsendor",
      "LSQuarantineAgentName": "Google Chrome",
      "LSQuarantineAgentBundleIdentifier": "com.google.Chrome",
      "LSQuarantineDataURLString": "https://cachefly.alfredapp.com/Alfred_2.5.1_308.zip",
      "LSQuarantineEventIdentifier": "6FA87446-1249-4578-83E4-4BBCF7AEA4A3",
      "LSQuarantineOriginURLString": "http://www.alfredapp.com/",
      "osxcollector_db_path": "/Users/ivanlei/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2",
      "osxcollector_table_name": "LSQuarantineEvent",
      "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
      "LSQuarantineTimeStamp": "2014-12-05 14:40:33"
    }
  • 21. xattr-wherefrom
    No need to search around in browser history.
    {
      ...
      "md5": "0b984ecc39d5b33e4f6a81ade4e8dbf1",
      "xattr-quarantines": [
        "0001;5541127e;Google Chrome;63B2C485-1F64-4ADE-A95C-72F7087FA172"
      ],
      "signature_chain": [],
      "xattr-wherefrom": [
        "http://trojans.evildownloads.com/Trojan.app",
        "http://trojans.evildownloads.com/latest-trojans/"
      ],
      "osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
      "file_path": "/Users/jdoe/Downloads/Trojan.app"
    }
    THIS IS BAAAD
  • 22. OS X doesn't care if startups and kext are signed
    But I kinda do, so OSXCollector lists the signature chain. (The slide shows the same launch agent entry as slide 17, with its empty "signature_chain": [].)
    SWELL!
  • 23. @jsendor Forensic collection is hard work. Forensic analysis is fun. Part science, part art.
  • 24. Manual analysis with grep and jq works pretty well
    # grep a time window
    $ cat foo.json | grep '2014-01-01 11:3[2-8]'
    # only urls in a time window
    $ cat foo.json | grep '2014-01-01 11:3[2-8]' | jq 'select(has("url")).url'
    # grep a single user
    $ cat INCIDENT32.json | jq 'select(.osxcollector_username=="jsendor")|.'
  • 26. We can automate this!
    step 1: analyze
    step 2: ???
    step 3: profit
    $ python -m osxcollector.output_filters.analyze -i osxcollector_output.json
    == Very Readable Output Bot ==
    Let's see what's up with this machine.
    Well, here's some domains OpenDNS wouldn't recommend.
    ...
    - quarantines
      LSQuarantineDataURLString: "http://d2.genieo.com/im/partners/webpic2/installgenieo.dmg?campaign=wbpc_1&download_browser=Chrome"
      LSQuarantineTimeStamp: "2014-04-30 15:26:13"
      opendns-categorization: {"status": 0, "content_categories": ["Adware"], "suspicious": True, "security_categories": []}
      opendns-security: {"dga_score": -6.35631605112, "rip_score": 0.0, "asn_score": 0.0, "securerank2": -0.00813742053751, "attack": "", "prefix_score": 0.0, "found": True, "threat_type": ""}
      opendns-link: "https://investigate.opendns.com/domain-view/name/w.genieo.com/view"
    ...
    - firefox history
      last_visit_date: "2015-01-11 23:44:56"
      url: "http://dl.pspvideosdownload.com/lp/?appid=12…"
      vtdomain-domain: "dl.pspvideosdownload.com"
      vtdomain-detections: {"undetected_referrer_samples": 0, "detected_downloaded_samples": 2, "detected_referrer_samples": 0, "detected_urls": 100, "detected_communicating_samples": 0, "undetected_communicating_samples": 0}
  • 28. Automated analysis with output filters
    The pipeline takes JSON in, runs a chain of filters, and writes JSON out:
    ● find domains filter
    ● check blacklists filter
    ● VirusTotal hash lookup filter
    ● Shadowserver hash lookup filter
    ● find related files filter
    ● OpenDNS related domains filter
    ● OpenDNS domain reputation filter
    ● VirusTotal domain reputation filter
    ● construct browser history filter
    ● recommend next steps filter
  • 30. find domains filter
    A lot of filters add a single piece of info.
    { "url": "https://biz.yelp.com" }
    becomes
    {
      "url": "https://biz.yelp.com",
      "osxcollector_domains": [
        "biz.yelp.com",
        "yelp.com"
      ]
    }
  • 32. check blacklist filter
    Match any key. Regex or exact match. Built in smarts for turning domains into regex.
    { "url": "https://www.evil.com", "osxcollector_domains": [ "www.evil.com", "evil.com" ] }
    becomes
    {
      "url": "https://www.evil.com",
      "osxcollector_domains": [
        "www.evil.com",
        "evil.com"
      ],
      "osxcollector_blacklist": [
        "domains"
      ]
    }
    domain_blacklist.txt:
    evil.com
    streaming-football.com
    downloads.com
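The two filters from slides 30 and 32, chained over JSON-lines input, as an added example that is not OSXCollector's own code: find-domains adds "osxcollector_domains" from the URL, and check-blacklist turns the bare domains of domain_blacklist.txt into anchored regexes so that subdomains match but look-alike names do not. The class and function names, the simplified registered-domain rule and the sample records are this example's own assumptions.

```python
import json
import re
from urllib.parse import urlparse

def find_domains(entry, url_key='url'):
    """find-domains filter: add 'osxcollector_domains' = [hostname, registered domain].
    Using the last two labels as the registered domain is a simplification; a real filter
    would consult the public suffix list (co.uk and friends)."""
    out = dict(entry)
    host = urlparse(str(entry.get(url_key, ''))).hostname
    if host:
        host = host.lower().rstrip('.')
        labels = host.split('.')
        out['osxcollector_domains'] = [host] + (['.'.join(labels[-2:])] if len(labels) > 2 else [])
    return out

class Blacklist:
    """check-blacklist filter: named patterns matched against the value(s) under one key.
    is_domains=True turns bare domains into anchored regexes matching subdomains
    (cdn.downloads.com) but not look-alikes (evildownloads.com)."""

    def __init__(self, name, key, patterns, is_domains=False):
        self.name, self.key = name, key
        if is_domains:
            patterns = [r'^(.+\.)?' + re.escape(d.lower()) + r'$' for d in patterns]
        self._regexes = [re.compile(p, re.IGNORECASE) for p in patterns]

    def matches(self, entry):
        values = entry.get(self.key, [])
        values = values if isinstance(values, list) else [values]
        return any(r.search(str(v)) for v in values for r in self._regexes)

def check_blacklists(entry, blacklists):
    """Tag the record with the name of every blacklist it hits, under 'osxcollector_blacklist'."""
    out = dict(entry)
    hits = [bl.name for bl in blacklists if bl.matches(entry)]
    if hits:
        out['osxcollector_blacklist'] = hits
    return out

def run_filters(json_lines, blacklists):
    """Chain the two filters over one JSON record per line, as the output-filter pipeline does."""
    return [check_blacklists(find_domains(json.loads(line)), blacklists)
            for line in json_lines.splitlines() if line.strip()]

# Constructed input (not real collector output) plus the domain_blacklist.txt entries from the slide.
DOMAIN_BLACKLIST = Blacklist('domains', 'osxcollector_domains',
                             ['evil.com', 'streaming-football.com', 'downloads.com'], is_domains=True)
SAMPLE = '\n'.join(json.dumps({'url': u}) for u in
                   ['https://biz.yelp.com', 'https://www.evil.com', 'http://evildownloads.com/x.dmg'])
```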
  • 34. VirusTotal hash lookup filter
    The API output filter base does the heavy lifting: support for rate limits & response caching, and it issues tens of requests at once.
    { "sha1": "99005b68295c202fd359b46c" }
    becomes
    {
      "sha1": "99005b68295c202fd359b46c",
      "osxcollector_vthash": {
        "response_code": 200,
        "positives": 36,
        "total": 52
      }
    }
  • 36. OpenDNS related domains filter
    Judge domains by the company they keep. Domains related to suspicious domains are usually suspicious themselves.
    { "url": "https://www.evil.com" }
    becomes
    {
      "url": "https://www.evil.com",
      "osxcollector_related": {
        "domains": [
          "double-evil.com",
          "free-lunch.org",
          "torrent-malware.net"
        ]
      }
    }
  • 38. OpenDNS domain reputation filter
    Premium Cyber Threat Intel (CTI)
    { "url": "https://www.evil.com" }
    becomes
    {
      "url": "https://www.evil.com",
      "osxcollector_opendns": {
        "domain": "evil.com",
        "security": {
          "found": true,
          "dga_score": -3,
          "securerank2": -23,
          "asn_score": -57,
          "prefix_score": -62,
          "rip_score": -99
        }
      }
    }
  • 40. Recommend next steps
    This whole thing started with just a few clues. Now look what I found.
    - downloads
      ctime: "2015-02-02 12:15:14"
      file_path: "/Users/jdoe/Downloads/screenshot.scr"
      mtime: "2015-01-16 19:20:06"
      xattr-quarantines: ["0001;54b95657;Googlex20Chrome;162C4043-647D-44A8-83C2-2B1F69C7861F"]
      xattr-wherefrom: ["https://evildownloads.com/docs/securesc/5552qjr0llks3i1r65nm9vjn073v4ahg/82mfdn9k8qmvmo3ta2vja6hta3iink5i/1421431200000/00218636334715341180/12229357981017199890/0B-HDNU1GNnRAVjBtYlBqdVFrT2s?e=download&h=01562916784096941731&nonce=850uav3g55qiu&user=12229357981017199890&hash=78ffvfobh7rreq0bj86hqfhb7i8eq92l", ""]
      related-files: ["screenshot.scr"]
    Nothing hides from Very Readable Output Bot
    If I were you, I'd probably update my blacklists to include:
      domain: "evildownloads.com"
    That might just help things, Skippy!
  • 43. Call OpenDNS API endpoints
    from threat_intel.opendns import InvestigateApi

    # Responses are cached on disk so repeated lookups don't burn API quota
    investigate = InvestigateApi('<INVESTIGATE-API-KEY-HERE>', cache_file_name="/tmp/cache.opendns.json")
    domains = ["google.com", "baidu.com", "bibikun.ru"]
    investigate.security(domains)
    {
      "baidu.com": {
        "found": true,
        "dga_score": 0,
        "rip_score": 0,
        ..
      }
    }
  • 46. Questions? Let's talk! [email protected] @jsendor We are hiring! visit yelp.com/careers
  • 47. @jsendor This slide is intentionally left blank.