Tuesday, March 18, 2014

Projecthoneynet.org

In part of my honeypot/honeynet research I found projecthoneynet.org.

Project Honey Pot has thousands of members around the world working together to track and stop email harvesters. To learn more about the project check out their site.  They have several options for web based scripts, a unique url you can embed in your site/blog to catch the automated harvesters, and your own api key.

They also have an RSS feed of the bad IP's being reported so you could take this data and feed it into your current incident response/threat intel processes.


Saturday, March 15, 2014

Update from this week - McAfee and memory analysis a bad mix

This week has been a bit busy with stuff so haven't made as much progress as hoped but I have found the honeypot approach so far may not get me what I was after.  My intent was to find a way to gather more intel on ongoing attacks/exploits but also to collect new samples.  So to that effect I'm working on setting up Cuckoo Sandbox and want to get it working and find ways to feed it as many samples as I can find in automated method.

I did spend a part of my week doing some additional testing with McAfee Antivirus in cohorts with a coworker.  During an investigation doing some memory analysis I was seeing strings in memory related to bitcoin mining, exploit source code, known malicious domains, and all sorts of other bad stuff I wouldn't expect to see on a normal system.
To test we dumped the memory from a clean Windows 7 VM with no AV installed then installed McAfee's Enterprise AV 8.8 with the current DAT files and dumped the memory again saw the same artifacts.

After checking with a few peers some had heard of certain AV vendors loading this type of stuff into memory.  I didn't find much else documented on the internet related to this and of course McAfee was not willing to share any info related to this but would only mention off the record other customers had complained of similar findings.  So even though this is off-topic of honeypots I wanted to mention for other DFIR folks in the hopes of saving others time, panic, concern, etc that when doing memory analysis on a host with possibly any anti-virus, but for certain McAfee's, that you can expect to find some suspicious artifacts if you do a strings type search of the memory.

I plan on working on the Cuckoo Sandbox this weekend and will post some updates on how it goes.

Sunday, March 9, 2014

Dionaea

No its not a result of something I ate since my last post :)

So far with KFSensor I was able to pick up some of the expected traffic/scans for some common and uncommon services but since I am more interested in finding malware samples I'm shifting gears and setting up Dionaea inside of the prebuilt HoneyDrive VM.  I do still like it as a possible fit into some production enterprise environments vs rolling your own devices.

Personal stuff has slowed me up this weekend in getting this up and running but making it a priority this week.  Of course I had to allow some time to take a look at Dave Cowen's Sunday Funday challenge this week on recovering deleted registry entries.

On another note but related I plan on posting some findings from a recent case I had involving memory artifacts and some discoveries related to McAfee's AntiVirus and what it appears to load and leave in memory, but I'll post something more formal on that later this week.

Tuesday, March 4, 2014

Day 1 review

With the first day logged running the out of the box KFSensor some interesting points

  • I've logged 481 unique visitors
  • Those 481 visitors generated 2498 events
  • Several appear to be crawlers (IPV4scan.com, Google (via anon FTP trying to find robots.txt)
  • Hits for many common services (IIS, telnet, SQL server, ftp, web proxy, ssh, rdp, vnc, smtp, pcanywhere ???, Synology web ui)
  • The majority of the events were brute force attempts on MS SQL for the sa account that looked to be a scripted using the osql utility.

So far only I'm just 1 day into testing KFSensor.  I am using a default configuration right now but poking around into the options to customize I'm really liking how open it is for creating your own scenarios and signatures.  You can also make a custom rule for a port to behave however you so chose.  The trial version seems to have limited reporting but does keep raw logs.  It does show to support logging to MSSQL or MYSQL so I will likely look at doing that next to allow for better reporting and data analysis.

Once I have a bit more data collected I may take a different approach once I see what the high frequency traffic I am getting and may use a bit more custom bait to see what happens if I provide a bit more.

Monday, March 3, 2014

Trial and error

To get things started I've started researching some of the current honeypot tools and live linux distros centered on being honeypots.  Some of the ones I've found so far include :


  • Valhala : Looks to be a easy to use Windows based honeypot with a few services
  • Honeeepi : This one is based on using a Raspberry Pi using Dionaea
  • ADHD : A linux distro based on Ubuntu 12.04 but has more focus on a "strike back" approach. Use with caution :)
  • Stratagem : Another Linux based honeypot distro but based off Linux Mint 14
  • HoneyDrive : Another Linux honeypot but distributed in an OVA that you can import direct into VM Workstation/Fusion
  • KFSensor : A windows based one that has a professional/standalone edition as well as an enterprise edition that allows for a centralized management and logging for multiple sensors.  I have installed a trial version of this one to begin my tests.
I will let KFSensor run for a day or so and then review the findings.  I am not doing anything to attempt to drive traffic to my honeypot and just observing the traffic that is already hitting my own IP/Subnet.


Sunday, March 2, 2014

Getting things rolling

I'm starting this blog to help track a new project of interest to me.  I am going to set up my own honeypot in order to create and collect random suspicious or malicious activity on the internet.  I plan to use this data to create my own incident response scenarios in a controlled environment, analyze current trends on cyber threats, and ultimately just to learn and have a little bit of fun.

Please feel free to send me any ideas or feedback based on your experience, research, or similar projects.

Happy hunting!