Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Hunting for Juicy Information SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Hunting for Juicy Information

Today, we must be proactive in protecting our assets. The huge mass of information available online requires us to have tools to stay aware. If collecting IOC's is important to detect malicious activities as quick as possible, searching for our own data is also a big advantage for early detection and protection. The information that are interesting to track are:

  • Domain names
  • Public IP addresses
  • Windows domains
  • Email addresses
  • Key person names (all C-level people)
  • Company/organization names
  • Brands

In short: All PII ("Personally Identifiable Information")

A first classic and easy way to hunt for such data is to use Google Alerts. Easy but not very reliable to search for technical stuff like IP addresses. Pastie websites are often used to exchange information and contain plenty of information. If pastebin.com is the most known, they are plenty of others. I'm monitoring some of them for years via tools like pastemon or pystemon.

Another source of information to add to your OSINT toolbox is the Hunting feature provided by VirusTotal. Combined with the power of YARA rules, you can define very targeted filters to search for uploaded samples. If most of the files submitted to Virustotal are binaries, it is also possible to find juicy files like lists of passwords (sample). You can upload your sets of YARA rules to match your PII. In the following examples, I'm looking for SANS domains and personal domains:

rule MyDomains
{
    strings:
        $domain1 = "sans.org" nocase wide ascii
        $domain2 = "sans.edu" nocase wide ascii
        $domain3 = "rootshell.be" nocase wide ascii
        $domain4 = "truesec.be" nocase wide ascii
    condition:
        any of them
}

By default, when a YARA rule matches, notifications are sent by emails. But it's much more powerful to use the VirusTotal API to collect the samples and details and automate the notification process. A friend wrote a Python script to collect the information from VirusTotal:

$ ./vt_hunting.py -api <redacted> -cleanup -json /var/log/vt_hunting.json -dl --samples_directory /var/tmp/samples
# of detection,YARA rule,SHA1,Binary type,First seen,Last seen
44,MyDomains,<redacted>,2015-12-30 19:33:47,2015-12-30 19:33:47,RAR,<redacted>

By running this script from a crontab, I'm collecting samples and store the detection details in a JSON file (that I'm injecting into a Splunk "osint" index for later reporting). Note that YARA is a powerful tool but some of it's features are not allowed by VirusTotal (like some regular expressions) for performance reasons.

​Happy hunting and I wish you already a Happy (and safe!) new Year!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

Xme

487 Posts
ISC Handler
Where do you upload the YARA file? It's also mentioned on the github page for the tool, yet I don't see anywhere on VT where they mention YARA in reference to the API or anything else in my account. Stumped.
Anonymous
When you go to Virus Total Intelligence, you have menu "Hunting" on top of the screen. There you can define your rules.
Xme

487 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!