05
Tools and Techniques for Malicious Activity

In this chapter you will learn:
■ How to use packet capture tools like Wireshark and tcpdump to capture and analyze network traffic
■ How to use DNS and IP reputation services like WHOIS and AbuseIPDB to investigate suspicious network activity
■ How to analyze files using tools like Strings and VirusTotal to identify potential malware
■ About sandboxing tools like Joe Sandbox and Cuckoo Sandbox to safely analyze malware in an isolated environment

Capturing Network Traffic
• Packet capture is the process of intercepting and logging traffic that traverses a network.
• The captured network traffic data is typically stored in pcap (short for Packet Capture) files, a widely used industry standard for storing network traffic captures.
• Some of the most common packet capture tools include Wireshark, tcpdump, and TShark, which allow for real-time packet analysis and filtering.
• In a switched network environment, traffic captures may be more difficult, since by their nature switches limit the traffic that can be picked up to only that between the switch port and the host. To capture traffic in a switched environment, you must normally be plugged into a spanning port on the switch.

6.1 BPF (Berkeley Packet Filter)
• BPF is a critical low-level filtering technology that forms the backbone of various network analysis tools, including Wireshark, TShark, and tcpdump.
• BPF filters can be applied strategically to filter out packets that are not necessary for the analysis.
• The following list enumerates the various types of filters and provides an example of each:
  - Direction filters
  - Host filters
  - Port filters
  - Payload filters
  - Time filters

Wireshark and TShark
• Wireshark is a graphical user interface (GUI) tool that provides real-time network traffic monitoring, analysis, and packet capture.
• TShark is a command-line tool that is part of the Wireshark suite and provides similar packet capture and analysis capabilities in a lightweight, scriptable form.
• Wireshark and TShark are essential tools for any network administrator or security analyst who needs to capture, analyze, and troubleshoot network traffic.

TCPDump
• The command-line tool tcpdump allows you to capture and analyze network traffic in real time.
• One of the main advantages of tcpdump over TShark is its speed: it can capture packets at a much faster rate and with less processing overhead.
Log Analysis and Correlation
• Log analysis and correlation is a critical component of cybersecurity.
• SIEM collects, aggregates, and analyzes log data from various sources in near real time to detect and respond to security events. It uses correlation rules to identify patterns and anomalies in log data and generate alerts when a security event is detected.
• SOAR is a newer technology that builds on the capabilities of SIEM by adding automation and orchestration. It enables security teams to automate incident response workflows and orchestrate actions across multiple security tools and systems.

Security Information and Event Management
• SIEM is a centralized approach to security management that involves collecting, analyzing, and correlating log data from various sources across an organization's network.
• One of the key functions of a SIEM is log collection and parsing.
• In addition to log collection and parsing, SIEMs also include a correlation engine that analyzes the log data to identify potential security incidents.
• Several popular SIEM solutions are available on the market, including Splunk, QRadar, LogRhythm, and Graylog.

Security Orchestration, Automation, and Response
• SOAR allows us to integrate many disparate security tools and processes, both manual and automated, into a holistic set.
• A SOAR platform can be utilized to automate various security-related tasks, such as alert triaging, incident investigation, and response.
• The platform can be programmed to automatically parse, extract, and prioritize threat intelligence and then use that data to create correlation rules and alerts.
• A common use case is in automating the investigation of phishing incidents.
• Another usage example is in the automation of the vulnerability management process.
• Popular SOAR platforms include Splunk Phantom, IBM Resilient, Swimlane, and Cortex XSOAR.
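What a SIEM correlation engine actually does (parse, keep state per entity, fire on a pattern across several events) is worth seeing in code. This is an added example, not from any SIEM product: it parses sshd-style log lines and implements one correlation rule, "N or more failed logins from one source IP inside a time window, followed by a successful login". The log lines are constructed; `correlate` and `parse_line` are names chosen for this example.

```python
"""One SIEM-style correlation rule over constructed auth-log lines.

Added example, not from the slides or any SIEM product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parsing step: pull timestamp, outcome, user and source IP out of an sshd line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None                      # lines this rule does not understand are skipped
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per successful login that was preceded, within
    `window`, by at least `threshold` failures from the same source IP.
    Failures older than the window are evicted so the state stays bounded."""
    failures = defaultdict(deque)        # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:   # Accepted after a burst of failures
            alerts.append({"rule": "brute-force-then-success", "ip": ev["ip"],
                           "user": ev["user"], "failed_attempts": len(recent),
                           "at": ev["ts"].isoformat()})
            recent.clear()
    return alerts


# Constructed sample log (documentation IP ranges, not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 host1 sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 50011 ssh2
2024-05-01T10:00:04 host1 sshd[4102]: Failed password for root from 198.51.100.7 port 50012 ssh2
2024-05-01T10:00:09 host1 sshd[4103]: Failed password for root from 198.51.100.7 port 50013 ssh2
2024-05-01T10:00:15 host1 sshd[4104]: Accepted password for root from 198.51.100.7 port 50014 ssh2
2024-05-01T10:01:00 host1 sshd[4105]: Failed password for alice from 192.0.2.10 port 50100 ssh2
2024-05-01T10:20:00 host1 sshd[4106]: Accepted password for alice from 192.0.2.10 port 50101 ssh2
2024-05-01T10:21:00 host1 CRON[4107]: pam_unix(cron:session): session opened for user root
""".splitlines()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("ALERT", alert)
```

The second source (192.0.2.10) never alerts: its single failure is nineteen minutes old by the time the login succeeds, so the window eviction has already dropped it. Tuning `threshold` and `window` is exactly the knob a SIEM exposes on such a rule, and a SOAR playbook would typically be triggered by the alert dictionary this returns.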
Endpoint Detection and Response
• EDR is an evolution in security tools designed to protect the endpoints in a network.
• EDRs include an array of tools that provide the following capabilities:
  - Monitor
  - Detect
  - Respond
• EDR solutions can monitor and record system events and user activity on endpoints, including file modifications, network connections, process executions, and more.
• Some popular EDR solutions in the market today include CrowdStrike Falcon, Carbon Black, Symantec Endpoint Detection and Response, and Microsoft Defender for Endpoint.

WHOIS
• WHOIS is a tool and protocol used to obtain information about domain name registration records, IP address assignments, and other information related to Internet resources.
• It is a command-line utility that sends a query to a WHOIS server, which in turn responds with information about the queried domain name or IP address.
• WHOIS records can also be queried through web-based lookup services.

AbuseIPDB
• AbuseIPDB is a website that allows users to report and track IP addresses and domains associated with malicious activity on the Internet.
• It is worth reiterating that this website is a community-driven platform. Therefore, users should confirm any information obtained from it with other tools and techniques before taking any action.
• AbuseIPDB provides APIs that allow users to access its data programmatically. These APIs can be used to automate the process of reporting and searching for IP addresses that have been reported as abusive, as well as to retrieve statistics on the most commonly reported IP addresses.

Strings
• Strings is a utility used in cybersecurity to analyze binary and executable files for human-readable text strings.
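The WHOIS protocol described above is simple enough to implement directly, which also shows why the raw output needs parsing before it can feed an automated workflow like the AbuseIPDB lookups the slides mention. This is an added example, not from the slides or any whois utility: `whois_query` sends the query over TCP port 43 and reads until the server closes the connection (a live network call, not exercised offline); `parse_whois` and `summarize` work on the text. The reply below is constructed in the style of a registry record, using an RFC 2606 reserved domain and invented dates.

```python
"""WHOIS over TCP/43 plus a parser for the 'Key: value' text it returns.

Added example, not from the slides or any WHOIS client.
"""
import socket


def whois_query(name, server="whois.iana.org", timeout=10):
    """Send one WHOIS query and return the raw reply (network call)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                 # server closes the socket when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into {key: [values]}.  Comment lines (%, #)
    and the '>>> ... <<<' trailer are skipped; repeated keys such as
    'Name Server' are kept as a list; keys are lower-cased."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#>" or ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only: values may hold times
        value = value.strip()
        if value:
            record.setdefault(key.strip().lower(), []).append(value)
    return record


def summarize(record):
    """The fields an analyst checks first when pivoting on a domain."""
    def first(key):
        return record.get(key, [None])[0]
    return {
        "registrar": first("registrar"),
        "created": first("creation date"),
        "updated": first("updated date"),
        "expires": first("registry expiry date"),
        "name_servers": [ns.lower() for ns in record.get("name server", [])],
        "abuse_contact": first("registrar abuse contact email"),
    }


# Constructed sample reply (not a real lookup result).
SAMPLE_WHOIS = """\
% Terms of use: this output is for informational purposes only.

   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Updated Date: 2024-08-14T07:01:31Z
   Creation Date: 2001-03-09T04:00:00Z
   Registry Expiry Date: 2025-08-13T04:00:00Z
   Registrar Abuse Contact Email: abuse@registrar.example
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   DNSSEC: signedDelegation
>>> Last update of whois database: 2024-09-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    print(summarize(parse_whois(SAMPLE_WHOIS)))
```

A very recent creation date, a registrar known for lax abuse handling, or name servers shared with known-bad domains are the usual signals pulled from this summary; as with AbuseIPDB, they are leads to confirm with other sources, not verdicts.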
• Analysts can search for various types of strings, including the following:
  - Registry keys
  - Filenames and paths
  - Hostnames and IP addresses
  - URLs and web resources
  - Encryption keys and algorithms
  - Suspicious system commands

Hashing Utilities
• Hash values serve as unique digital fingerprints for files, allowing you to verify their integrity and authenticity.
• Windows hashing: certutil, Get-FileHash
• Linux hashing: md5sum, sha256sum
• macOS hashing: md5, shasum

VirusTotal
• VirusTotal is a free online service that allows users to scan files, IPs, and URLs for potential malware.
• To use VirusTotal, users can simply upload a file or enter a hash value to scan. The service will then analyze the file or URL and provide a detailed report on its findings.
• When you're submitting a file to VirusTotal, it's important to consider the metadata that is shared with everyone.
• The VirusTotal API provides powerful features for security analysts looking to automate their workflows.

Joe Sandbox
• Joe Sandbox is a malware analysis tool that provides a secure environment for analyzing samples and generating detailed reports on their behavior and capabilities.
• Here are some of the most prominent capabilities of Joe Sandbox:
  - Malware analysis
  - Sandboxing
  - Threat hunting
  - Customization and collaboration
  - Integration
  - Machine learning
  - API

Cuckoo Sandbox
• Cuckoo is an open source malware analysis platform that allows security analysts to examine suspicious files and URLs in a secure and isolated environment.
• Here are some of the most prominent capabilities of Cuckoo:
  - Malware analysis
  - Sandboxing
  - Threat hunting
  - Customization and collaboration
  - Integration
  - Reporting
  - API

6.5 E-mail Analysis
• Phishing remains a top attack vector for threat actors of all sophistication levels.
• Many modern phishing e-mails are made using techniques that make the messages indistinguishable from legitimate e-mail.
• Attackers can attach malicious files to e-mail, hoping they are downloaded and executed on a host machine.
• Attackers will often conceal malware inside other types of commonly e-mailed files, such as word processing documents, compressed ZIP files, media files, and Adobe PDF documents.
• Attackers may also use social engineering to trick users into enabling functionality that would be harmful to their systems or clicking on links to malicious websites.

DomainKeys Identified Mail (DKIM)
• The DKIM standard was introduced as a way for e-mail senders to provide a method for recipients to verify messages.
• It specifically offers three services: identity verification, identification of an identity as known or unknown, and determination of an identity as trusted or untrusted.
• DKIM uses a pair of keys, one private and one public, to verify messages.
• The DKIM header will include a hash of the e-mail header, a hash of some portion of the body, and information about the function used to compute the hash, as shown here:

Sender Policy Framework (SPF)
• The Sender Policy Framework (SPF) enables domain owners to prevent e-mail spoofing that uses their domains by leveraging DNS functionality.
• An SPF TXT record lists the authorized mail servers associated with a domain.

Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
• DMARC is an e-mail authentication protocol designed to give e-mail domain owners the ability to prevent spoofing and reduce the spam that appears to originate from their domain.
• When deployed together, SPF, DKIM, and DMARC form a powerful defense against phishing attacks. SPF ensures that only authorized servers can send e-mails on behalf of a domain, DKIM adds a digital signature to verify e-mail integrity, and DMARC provides policies for handling failed authentication checks.
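The three records above are easier to reason about when you parse them and combine the results the way a receiving server does. This is an added example, not from the slides or from any mail library: it splits the tag=value syntax that DKIM-Signature headers and DMARC records share, recomputes the DKIM body hash (`bh=`) under the "simple" body canonicalization, evaluates a sender IP against an SPF record's `ip4:` mechanisms and `all` qualifier, and applies the DMARC `p=` policy. It does not verify the RSA signature in `b=` (that needs the public key published in DNS), and `include:`, `a` and `mx` mechanisms are treated as no-match because they would need DNS lookups. The domain, IP ranges, message body and signature value are constructed.

```python
"""Parse DKIM-Signature, SPF and DMARC and combine them as a receiver would.

Added example, not from the slides or any mail library.
"""
import base64
import hashlib
import ipaddress


def parse_tags(text):
    """Split 'k=v; k2=v2' into a dict; folding whitespace inside values is removed."""
    tags = {}
    for part in text.replace("\r\n", "").replace("\n", "").split(";"):
        if "=" in part:
            key, _, value = part.partition("=")     # first '=' only: base64 may end in '='
            tags[key.strip()] = "".join(value.split())
    return tags


def body_hash(body, algorithm="sha256"):
    """The bh= value under 'simple' body canonicalisation (RFC 6376 3.4.3):
    CRLF line endings, trailing empty lines collapsed to one CRLF."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n")
    canon = canon.rstrip("\r\n") + "\r\n"
    digest = hashlib.new(algorithm, canon.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_body_hash_ok(dkim_header, body):
    """True when the body hash in the header matches the body received."""
    tags = parse_tags(dkim_header)
    algorithm = "sha256" if tags.get("a", "rsa-sha256").endswith("sha256") else "sha1"
    return tags.get("bh") == body_hash(body, algorithm)


def spf_check(record, sender_ip):
    """Walk the record's terms left to right; the first ip4/ip6 match, or 'all',
    decides.  Returns 'pass', 'fail', 'softfail' or 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:                # skip the 'v=spf1' version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return results[qualifier]
        elif mechanism == "all":
            return results[qualifier]
    return "neutral"


def dmarc_policy(record):
    return parse_tags(record).get("p", "none")


def dmarc_disposition(spf_result, dkim_ok, dmarc_record):
    """DMARC passes if either aligned check passes; otherwise p= decides."""
    if spf_result == "pass" or dkim_ok:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine",
            "reject": "reject"}[dmarc_policy(dmarc_record)]


# Constructed records and message (example.com, documentation IP ranges).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
BODY = "Hello,\r\nPlease review the attached invoice.\r\n\r\n\r\n"
DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\r\n"
               " h=from:to:subject:date; bh=" + body_hash(BODY) + ";\r\n"
               " b=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE")

if __name__ == "__main__":
    spf = spf_check(SPF_RECORD, "203.0.113.5")            # not an authorised sender
    dkim = dkim_body_hash_ok(DKIM_HEADER, BODY + "extra") # body altered in transit
    print(spf, dkim, dmarc_disposition(spf, dkim, DMARC_RECORD))
```

The `d=` and `s=` tags in the header name the DNS record (`sel1._domainkey.example.com`) a verifier would fetch to check `b=`; the body-hash check alone already catches a message whose body was changed after signing.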
Embedded Links
• Some security devices perform real-time analysis of inbound messages for the presence of URLs and domains and then modify the messages so that links are either disabled or redirected to a valid domain.
• Not all malicious e-mails contain URLs or attachments.
• Impersonation attacks are highly targeted efforts designed to trick victims into performing actions such as wiring money to attacker accounts.

Extensible Markup Language (XML)
• XML is a markup language used to encode documents in a format that is both human- and machine-readable.
• XML documents consist of elements, which are enclosed in opening and closing tags, and may contain attributes that provide additional information about each element.
• XML is often used for exchanging threat intelligence information between different security tools and platforms. For example, the STIX language uses XML for its data format.

JavaScript Object Notation (JSON)
• JSON is a lightweight data interchange format that is easy for humans to read and write and for machines to parse and generate.
• JSON documents consist of key-value pairs enclosed in curly braces, with values represented as strings, numbers, arrays, or objects.
• The latest version of STIX uses JSON for its data format.

Shell Scripting
• Shell scripting is the process of writing scripts using command-line shells, such as Bash, that can be executed in Unix and Unix-like operating systems.
• These scripts can automate repetitive tasks, such as system maintenance, file manipulation, and process control.
• Because shell scripts are written for a command-line interface, they can be easily integrated with other tools and technologies.
• Some common use cases for shell scripting in cybersecurity include automating system hardening tasks, monitoring system logs for suspicious activity, and performing network analysis and monitoring tasks.
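The XML and JSON slides both point at STIX, so the natural example is reading indicators from each format into one common shape. This is an added example, not from the slides or from the STIX libraries: the STIX 2.1 bundle and the XML feed below are constructed (the UUIDs in the `id` fields are made up), and the extraction regex for STIX comparison expressions is this example's own simplification of the pattern grammar, sufficient for `[object:property = 'value']` terms joined by OR. The XML path refuses documents with a DOCTYPE or entity declarations, since the standard-library parser is documented as vulnerable to entity-expansion ("billion laughs") attacks and a threat-intel feed is untrusted input.

```python
"""Read indicators from a STIX 2.1 JSON bundle and from a small XML feed.

Added example, not from the slides or any STIX library.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed STIX 2.1 bundle: two indicator objects (ids are invented).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6d9f3c1e-0b2a-4c0e-9a8d-1f2e3d4c5b6a",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8f4c2a7b-3e1d-4a6f-b9c0-2d3e4f5a6b7c",
            "created": "2024-05-01T12:00:00.000Z",
            "modified": "2024-05-01T12:00:00.000Z",
            "name": "C2 address seen in phishing wave",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.5' OR domain-name:value = 'bad.example']",
            "valid_from": "2024-05-01T12:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
            "created": "2024-05-02T08:00:00.000Z",
            "modified": "2024-05-02T08:00:00.000Z",
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000']",
            "valid_from": "2024-05-02T08:00:00Z",
        },
    ],
})

# Constructed XML feed: elements with attributes, as the XML slide describes.
XML_FEED = """<?xml version="1.0"?>
<indicators>
  <indicator type="ipv4" confidence="high">198.51.100.7</indicator>
  <indicator type="url" confidence="medium">http://bad.example/login</indicator>
</indicators>"""

# One STIX comparison expression: object:property = 'value'
COMPARISON_RE = re.compile(r"(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'")


def iocs_from_stix(bundle_json):
    """Flatten every indicator's pattern into (kind, value, indicator_id) tuples."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            kind = f"{m['obj']}:{m['prop']}".replace("'", "")
            out.append((kind, m["val"], obj["id"]))
    return out


def iocs_from_xml(xml_text):
    """Read <indicator type=... confidence=...> elements into (type, value, confidence)."""
    if re.search(r"<!(?:DOCTYPE|ENTITY)", xml_text, re.I):
        raise ValueError("XML with DOCTYPE/ENTITY declarations refused")
    root = ET.fromstring(xml_text)
    return [(el.get("type"), (el.text or "").strip(), el.get("confidence"))
            for el in root.iter("indicator")]


if __name__ == "__main__":
    for ioc in iocs_from_stix(STIX_BUNDLE) + iocs_from_xml(XML_FEED):
        print(ioc)
```

Both readers produce plain tuples, which is the form a SIEM watchlist or an EDR blocklist import usually wants; the STIX `id` is carried along so a hit can be traced back to the indicator that caused it.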
• Shell scripts can also be used to automate the deployment and management of security tools, such as intrusion detection systems and vulnerability scanners.

Regular Expressions
• Regular expressions, or regex, comprise a powerful tool widely used in cybersecurity for text processing, which allows you to search for and match patterns in text.
• Regex patterns can be used to match specific strings, characters, or sequences of characters.
• For example, a regex pattern could be used to match a specific IP address, a particular URL, or a password format.
• Regular expressions are widely used in various tools and platforms, including YARA, Snort, Suricata, Burp Suite, and Splunk, as well as various antivirus and EDR solutions.

PowerShell
• PowerShell is an object-oriented scripting language developed by Microsoft for automating and managing Windows environments.
• One of the advantages of PowerShell is its tight integration with the Windows operating system, which enables it to interact with various system components, including the registry, file system, and network.
• PowerShell is widely used in various exploit and post-exploit frameworks like BloodHound, Mimikatz, Metasploit, PowerSploit, Posh, and Empire, among many others.
• PowerShell downgrade attacks are used by attackers to bypass security controls that restrict the use of PowerShell. These attacks take advantage of the fact that PowerShell before version 5.0 allows the execution of scripts and commands without digital signatures.

Python
• Python is a versatile programming language that is widely used in cybersecurity for various tasks, such as scripting, automation, data analysis, and machine learning.
• Python's flexibility and ease of use make it a popular choice for integrating with vendor APIs, such as those provided by CrowdStrike, VirusTotal, and Splunk.
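The regex slide names three targets (an IP address, a URL, a password format), and the PowerShell slide names a behaviour a defender wants to spot in process logs (an explicit request for an old engine version). The following is an added example, not from the slides: each pattern is paired with inputs it must accept and reject, because the two recurring regex mistakes in security tooling are over-matching (`\d{1,3}` happily accepting `999`) and under-anchoring (a "validation" regex passing on a substring). The process-log lines are constructed, and the downgrade pattern is this example's own illustration of what a detection rule looks for, not a rule from any product.

```python
"""Anchored, range-checked regex patterns for IPs, URLs, password formats,
and a log pattern for PowerShell version-downgrade attempts.

Added example, not from the slides.
"""
import re

# IPv4: each octet 0-255; the whole string must match, no bare substring hits.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")

# URL: http/https scheme, host (dotted domain or IPv4), optional port and path.
URL_RE = re.compile(
    r"^(?P<scheme>https?)://"
    r"(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,63}|" + OCTET + r"(?:\." + OCTET + r"){3})"
    r"(?::(?P<port>\d{1,5}))?(?P<path>/[^\s]*)?$",
    re.I)

# Password format: 12+ characters containing lower, upper, digit and symbol.
PASSWORD_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{12,}$")

# PowerShell downgrade: engine version 2 requested on the command line
# ("-version 2", "-v 2", "-Version 2.0").  Illustrative detection pattern.
PS_DOWNGRADE_RE = re.compile(
    r"\bpowershell(?:\.exe)?\b.*?\s-(?:v|version)\s+2(?:\.0)?\b", re.I)


def is_ipv4(s):
    return IPV4_RE.fullmatch(s) is not None


def parse_url(s):
    """Return the named parts of a URL, or None if it does not fit the pattern."""
    m = URL_RE.fullmatch(s)
    return m.groupdict() if m else None


def password_format_ok(s):
    return PASSWORD_RE.fullmatch(s) is not None


def find_downgrade_attempts(lines):
    """Return the process-creation lines that start PowerShell with -version 2."""
    return [ln for ln in lines if PS_DOWNGRADE_RE.search(ln)]


# Constructed process-creation log lines (not real telemetry).
SAMPLE_PROCESS_LOG = [
    "2024-05-01 10:01:02 host1 ProcessCreate user=alice cmd=powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "2024-05-01 10:05:44 host1 ProcessCreate user=bob cmd=powershell.exe -version 2 -nop -w hidden -c ...",
    "2024-05-01 10:06:10 host1 ProcessCreate user=svc cmd=cmd.exe /c PowerShell -v 2 -enc AAAA",
    "2024-05-01 10:07:00 host1 ProcessCreate user=alice cmd=notepad.exe",
]

if __name__ == "__main__":
    print(is_ipv4("192.0.2.10"), is_ipv4("256.1.1.1"))
    print(parse_url("http://203.0.113.5/gate.php"))
    for hit in find_downgrade_attempts(SAMPLE_PROCESS_LOG):
        print("DOWNGRADE?", hit)
```

`fullmatch` is used for the validators so that callers cannot accidentally accept `192.0.2.10junk`; the log pattern uses `search` on purpose, because there the goal is to find the fragment anywhere in a command line.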
• These APIs enable analysts to automate various tasks, such as submitting files for analysis, retrieving threat intelligence data, and integrating security data across different tools and platforms.
• Python is also used in SOAR platforms to automate incident response workflows and connect different security tools.
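As a concrete instance of the vendor-API integration the Python slides describe, here is an added example, not from the slides or from VirusTotal's own client library, of a hash lookup against the VirusTotal v3 API with the response reduced to a verdict a playbook can branch on. `vt_lookup_hash` performs the real HTTPS call (it needs an API key, so it is not exercised offline); `summarize_report` works on the returned JSON. The embedded response is constructed to the shape documented for `GET /api/v3/files/{hash}`, with invented engine names; field names beyond `last_analysis_stats` should be treated as an assumption and checked against the current API documentation. Looking up the hash first, and only uploading when the hash is unknown, is the workflow that avoids sharing the file and its metadata unnecessarily.

```python
"""Look up a file hash on VirusTotal (v3 API) and summarise the verdict.

Added example, not from the slides or VirusTotal's client library.
"""
import json
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def vt_lookup_hash(sha256, api_key, timeout=15):
    """GET /files/{hash}.  Returns the parsed JSON, or None when VirusTotal
    has never seen the hash (HTTP 404).  Live network call."""
    req = urllib.request.Request(
        f"{VT_API}/files/{sha256}",
        headers={"x-apikey": api_key, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def summarize_report(report, malicious_threshold=3):
    """Collapse last_analysis_stats into a verdict plus the engines that flagged it."""
    if report is None:
        return {"verdict": "unknown", "malicious": 0, "total": 0, "engines": []}
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    flagged = sorted(name for name, r in attrs.get("last_analysis_results", {}).items()
                     if r.get("category") == "malicious")
    if malicious >= malicious_threshold:
        verdict = "malicious"
    elif malicious > 0 or stats.get("suspicious", 0) > 0:
        verdict = "suspicious"          # a single engine hit is a lead, not proof
    else:
        verdict = "clean"
    return {"verdict": verdict, "malicious": malicious,
            "total": sum(stats.values()), "engines": flagged}


# Constructed response (assumed field layout; no real sample or engine data).
SAMPLE_RESPONSE = {
    "data": {
        "type": "file",
        "id": "0000000000000000000000000000000000000000000000000000000000000000",
        "attributes": {
            "last_analysis_stats": {"malicious": 5, "suspicious": 1, "undetected": 60,
                                    "harmless": 0, "timeout": 0, "type-unsupported": 4},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "malicious", "result": "Win32.Agent"},
            },
        },
    }
}

if __name__ == "__main__":
    print(summarize_report(SAMPLE_RESPONSE))
    print(summarize_report(None))
```

The threshold exists because one or two detections out of seventy engines are frequently false positives on packers or installers; a SOAR playbook would usually route "suspicious" to an analyst and "malicious" to an automatic containment step.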