script:x509_ext_c2
Differences
script:x509_ext_c2 [2018/02/08 23:16] – [The Full Text Search FTS Document] veera | script:x509_ext_c2 [2018/02/08 23:51] – [Analysing the sample PCAP in Trisul] veera | ||
Line 14: | Line 14: | ||
- the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, | - the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, | ||
- | You can see the different approach taken by Trisul NSM compared to Bro IDS. Instead of fine grained events, Trisul provides a text document. | + | You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events, Trisul provides a text document. |
- | PCAP | + | ==== Analysing the sample |
+ | |||
+ | The researchers have provided a [[https:// | ||
{{: | {{: | ||
+ | |||
+ | |||
+ | Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// | ||
+ | |||
+ | I just put together a quick [[https:// | ||
+ | |||
+ | <code lua> | ||
+ | -- WHEN CALLED : a new FTS Document (X509 Cert) is seen | ||
+ | onnewfts | ||
+ | |||
+ | local _,_,ski = fts: | ||
+ | if ski and ski:len() > 32 then | ||
+ | T.count = T.count + 1 | ||
+ | local hexski = ski: | ||
+ | local outf = io.open("/ | ||
+ | outf: | ||
+ | outf: | ||
+ | end | ||
+ | |||
+ | end, | ||
+ | </ | ||
+ | |||
+ | What the above code snippet does is | ||
+ | |||
+ | - Use a Regex to capture the bytestring in // X509v3 Subject Key// | ||
+ | - If the SKI extension is greater than 32 characters then we suspect something fishy. You may even generate an alert at this point using the '' | ||
+ | - Open a tmp file the convert the hex to binary and dump the contents there. | ||
+ | |||
+ | |||
+ | If you place this script in the LUA folder ''/ | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | |||
+ | ==== Reassembling the Mimikatz payload ==== | ||
+ | |||
+ | This is a bit of a fun task. The C2 technique uses about 70+ certificates to transfer a payload of 785KB. The big issue for us is that the certificates show up in different TCP flows. It is a lot easier to do the reassembly in Network Miner or Wireshark but in live traffic analytics like Trisul the flows can go to different CPU/threads due to load balancing and there are no hints in the packets itself to order the payloads. The best option is to dump the chunks and then manually '' | ||
+ | |||
+ | |||
+ | ===== More about the Trisul Lua API ===== | ||
+ | |||
+ | The Trisul LUA API allows you to build your own real time analytics tools on top of the Trisul platform. Note that Trisul is Free to use forever, except that if you are using the Web Interface and Database backend, then only the most recent 3 days can be reported on. | ||
+ | |||
+ | The [[https:// | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ |
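Review bot: the `ski:len() > 32` test in the added Lua snippet should be checked against the normal size of a Subject Key Identifier before it is relied on as the "fishy" signal: RFC 5280 describes the SKI as commonly the 160-bit SHA-1 hash of the public key, i.e. 20 bytes, which is already 40 characters once hex-encoded (more if the captured text keeps `:` separators), so depending on what the regex on the `fts:` line captures this condition can match ordinary certificates and inflate `T.count` and the dumped file; derive the threshold from the captured encoding (for a plain hex string, longer than 40 characters) and confirm it against the benign certificates in the sample PCAP before wiring an alert to it. Separately, the result of `io.open(...)` is used on the following `outf:` lines without a nil check, so a failure to open the temp file raises an error inside the FTS callback; guard it with `if not outf then return end` before writing.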
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu