script:x509_ext_c2
Differences
Old revision: script:x509_ext_c2 [2018/02/08 23:11] – veera
New revision: script:x509_ext_c2 [2018/02/08 23:46] – [The Full Text Search FTS Document] veera
Line 11: | Line 11: | ||
Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into. | Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into. | ||
- | - the Resource stream: | + | |
- | - the FTS stream: a nearly | + | - the **FTS** stream: a complete |
+ | You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events, Trisul provides a text document. | ||
- | it takes a different approach than Bro IDS. Instead | + | ==== Analysing the sample PCAP in Trisul ==== |
+ | |||
+ | The researchers have provided | ||
+ | |||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | Next you have to write a small LUA script that plugs into the FTS Stream. Your script will then get a chance to process each certificate //out of the fast packet path//. The Trisul LUA API provides the [[https:// | ||
+ | |||
+ | I just put together a quick [[https:// | ||
+ | |||
+ | <code lua> | ||
+ | -- WHEN CALLED : a new FTS Document (X509 Cert) is seen | ||
+ | onnewfts | ||
+ | |||
+ | local _,_,ski = fts: | ||
+ | if ski and ski:len() > 32 then | ||
+ | T.count = T.count + 1 | ||
+ | local hexski = ski: | ||
+ | local outf = io.open("/ | ||
+ | outf: | ||
+ | outf: | ||
+ | end | ||
+ | |||
+ | end, | ||
+ | </ | ||
+ | |||
+ | What the above code snippet does is | ||
+ | |||
+ | - Use a Regex to capture the bytestring in // X509v3 Subject Key// | ||
+ | - If above 32 characters then we suspect something fishy , you can also generate an alert at this point using the '' | ||
+ | - Open a tmp file the convert the hex to binary and dump the contents there. | ||
+ | |||
+ | |||
+ | If you place this script in the LUA folder ''/ | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | |||
+ | ==== Reassembling the Mimikatz payload ==== | ||
+ | |||
+ | This is a bit of a fun task. The C2 technique uses about 70+ certificates | ||
+ | |||
+ | |||
+ | ===== More about the Trisul Lua API ===== | ||
+ | |||
+ | The Trisul LUA API allows you to build your own real time analytics tools on top of the Trisul platform. Note that Trisul is Free to use forever, except that if you are using the Web Interface and Database backend, then only the most recent 3 days can be reported on. | ||
+ | |||
+ | The [[https:// | ||
+ | |||
+ | |||
+ | |||
+ | |||
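Review bot: in the added `onnewfts` handler, the handle returned by `local outf = io.open("/…` is used on the very next line (`outf:`) without a nil check, so a missing directory or a permission problem on the dump path will raise "attempt to index a nil value" inside the FTS callback for every oversized certificate instead of just skipping the write; add a guard such as `if not outf then return end` (or log the failure) before the `outf:` calls. The threshold in `if ski and ski:len() > 32 then` is also worth documenting in step 2 of the list: state whether the captured value is counted as raw bytes, hex characters or colon-separated hex, because a standard SHA-1-derived Subject Key Identifier is 20 bytes, i.e. 40 hex characters, and would already exceed 32 if the regex captures the hex rendering.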
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu