Sunday, June 21, 2020

[SOC Advanced] Take Actions on offline endpoints using Tanium

I often hear complaints from security analysts that they have received an endpoint incident and need to investigate and verify it through Tanium, but during the investigation the target computer is offline, or the user is in another time zone and cannot be reached. It is fine if you have a colleague in another country who can take your handover at the end of the shift, but what if you are alone, or you never know when the computer will come online?

One misconception about Tanium is that you can only take actions against endpoints that are online. This is not so. Using the following approach, you can target endpoints even while they are offline, with the action executing when they come back online.

To carry out this procedure you need to know two things about Tanium before executing the steps below:

  • How to ask a Question:
https://docs.tanium.com/interact/interact/questions.html

AND
  • How to take an Action:
https://docs.tanium.com/platform_user/platform_user/interact_deploying_actions.html

Let’s begin,

STEP 1 :
            Assume you want to run an action against the hostname "COMPUTER2158.domain.net" and this computer is not currently online. If I know "COMPUTER2158.domain.net" is a Windows machine, I can be sure it is captured by Tanium and target Windows equals true, or you can use all machines if you do not know its operating system.


Click on "True" and 3 options will appear in blue tabs; choose the option "Deploy Action".

STEP 2:
           To make this action work for disconnected or offline PCs, schedule the action on a recurring basis. If your endpoint is offline right now, chances are it will not come online within the window of a one-off action.
You can schedule the action (for example to run every hour, or every 8 hours depending on the country's time frame) so that you will eventually catch this computer in an online state.



STEP 3 :
            Specify your desired endpoint(s) in the action (under Targeting Criteria). When creating the action, simply include a filter in the Targeting Criteria section (for example a question filter).


In this example I used the question "Computer Name contains "COMPUTER2158.domain.net"".



You can add more questions based on what you want to achieve once the computer is online.

In this example I used the question "Get Index Query File Details[*,*,DriverToolkitInstaller.exe,*, *, *, *, 10] from all machines with Computer Name containing "COMPUTER.domain.net"".




STEP 4 :
            Once it is no longer needed, it is recommended to disable or delete the action. Otherwise the action will keep running if you did not set a start and end time (refer to the STEP 2 screenshot).


Monday, May 18, 2020

[SOC Advanced] How VirusTotal functions and Investigating Malicious URLs

Have you ever wondered what VirusTotal bases its results on? Most people think there must be 50 or more antivirus scanners that actually examine the URL, but the truth is different. In this article you will learn how VirusTotal works.

VirusTotal is a service that uses several command-line versions of antivirus engines, updated regularly with official signatures and databases published and maintained by the respective security vendors.


VirusTotal is not an actual virus scanner that runs scans on the web application or software itself; it simply takes historical information from various databases. You will see how in one of my examples.

On a busy day at work, one of the clients reported a suspicious email containing a URL with social engineering content, and I began inspecting it as part of my investigation.

A bad habit, and laziness, of most cyber security specialists is that whatever it is, they simply put it into VirusTotal or some online sandbox and believe whatever result comes out. This seems to be general practice for everybody.

I did likewise and got a clean VirusTotal report. Here it is:

The URL was https://pendingoffice365onlinelogins.wordpress.com/releasepending/

But I barely trust anything on the internet, so I continued to investigate. While checking the website's source code I found that there was a redirection URL:

window.location.replace("https://servnet.pressvp-net.xyz/?e=Y2hhbmdlZCBlbWFpbCBhZGRyZXNzIGZvciBibG9n==");


After following the URL I saw that the page was asking for O365 login credentials, which again looked suspicious as the URL was something different. I started investigating the source code again and found that the credentials were stored on another server and there was no activity after that.

<div class="mainContent"><div class="menu_login_container"><form method="POST" action="o365login/post.php" id="login_form">

$habbo = $_POST['email'];
$password = $_POST['pass'];
$ip = $_SERVER['REMOTE_ADDR'];
$f = fopen("password.html", "a");


After that I confirmed this is a phishing web page, and a well-made, almost undetectable one, as the redirections were used nicely.

Not all cyber security tools or software verify this sort of behaviour, and that is why a manual investigation is needed to check.
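As an added example (not code from the original post), the manual step described above, spotting a client-side redirect in the page source and decoding its base64 query parameter, can be scripted so it is not forgotten in triage. The HTML below is a constructed sample that mirrors the redirect shown earlier; it is not the real landing page.

```python
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample resembling the first-stage page described above (not the real page).
SAMPLE_HTML = """<html><body>
<p>Your Office 365 mailbox has pending messages.</p>
<script>
window.location.replace("https://servnet.pressvp-net.xyz/?e=Y2hhbmdlZCBlbWFpbCBhZGRyZXNzIGZvciBibG9n==");
</script>
</body></html>"""

# Client-side redirect forms worth checking in page source: location.replace(...),
# location.href = ..., and a <meta http-equiv="refresh"> tag.
_REDIRECT_PATTERNS = [
    re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I),
    re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+url=([^"\'>\s]+)', re.I),
]


def find_redirects(html: str) -> list[str]:
    """Return redirect targets found statically in the page source, in order."""
    found: list[str] = []
    for pattern in _REDIRECT_PATTERNS:
        for match in pattern.finditer(html):
            target = match.group(1).strip()
            if target not in found:
                found.append(target)
    return found


def decode_b64_param(url: str, name: str = "e") -> str | None:
    """Decode a base64 query parameter. The URL above carries a malformed
    trailing '==', so padding is stripped and recomputed before decoding."""
    values = parse_qs(urlparse(url).query).get(name)
    if not values:
        return None
    raw = values[0].rstrip("=")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(html: str) -> dict[str, str | None]:
    """Map each redirect target to its decoded parameter (None if not decodable)."""
    return {target: decode_b64_param(target) for target in find_redirects(html)}
```

The decoded parameter here is only a tracking string, but the redirect target itself is what a reputation lookup should be run against, not the WordPress URL the user was sent.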

I chose to report the site immediately so that others would know this URL is a phishing URL; I love exposing bad things. So I decided to report the page on PhishTank so that other experts would also confirm the web page as phishing or malicious.

Reporting is simple: just click on "Add Phish", provide your URL and basic info, and wait some time for experts to pick up and verify your URL.

After it is verified as a valid phish, the back-end databases get refreshed by well-known security vendors, and VirusTotal updated its database very quickly too.

I first scanned the site before investigating and reporting it as phishing, on 22-10-2019 03:12 UTC, and the result was clean.
Below is the result of the latest scan on 22-10-2019 03:56 UTC (approx. 40 mins to update the DB).

Result as of 2020-02-03 14:08:16 UTC


Now you may have a question: what did I do about the redirected login page URL, https://servnet.pressvp-net.xyz/?e=Y2hhbmdlZCBlbWFpbCBhZGRyZXNzIGZvciBibG9n== ? Yes, I reported it and it was verified as well, so you can still find this URL flagged as malicious.

Where and what to report and verify if you find something suspicious or malicious
    • There are various valid forums and vendors that offer to verify phishing links, malicious files, IP addresses and hashes. You just need to submit them and experts will verify, or you can also verify for others and rate it.
    • Such as Google Safe Browsing, Trend Micro, PhishTank, FortiGuard, AbuseIPDB.


Conclusion :
                  VirusTotal simply aggregates the output of different antivirus vendors and URL scanners; it does not produce any verdicts of its own.

Dear cyber security specialists, you can now trust your VirusTotal again 😁

Wednesday, May 13, 2020

SUPER LIST OF SMS VERIFICATION SITES ! VERIFY FOR FREE NOW !

Simply sharing a mega list that I managed to find somewhere on the web. Enjoy the free resources.

Receive an SMS: https://receive-a-sms.com
SMS Receive free: https://smsreceivefree.com
Online SMS: https://sms-online.co
Receive SMS online: https://smsreceiveonline.com
Get a free SMS number: https://getfreesmsnumber.com
Receive SMS: http://sms-receive.net
Receive SMS Online.NET: https://www.receivesmsonline.net
Free SMS checks: www.freesmsverifications.com
7 SIM.NET: http://7sim.net
HS3X: http://hs3x.com
Receive free SMS: http://receivefreesms.com
Receive free SMS.NET: http://receivefreesms.net
Receive SMS Online.IN: http://receivesmsonline.in
Receive SMS online: https://receive-sms-online.com
See SMS: https://www.smsver.com
Groovl: https://www.groovl.com
SMS.SELLAITE: http://sms.sellaite.com
Send SMS now: http://www.sendsmsnow.com
Receive SMS online.EU: http://receivesmsonline.eu
Proovl: https://www.proovl.com/numbers
Anon SMS: https://anon-sms.com
Hide my numbers: http://hidemynumbers.com
Pinger: https://www.pinger.com
Free online phone: https://www.freeonlinephone.org
5SIM: https://5sim.net
SkyCallbd free virtual number: https://freevirtualnumber.skycallbd.com
Capture SMS: https://catchsms.com
SMS Get: http://smsget.net
1S2U: https://1s2u.com
Receive SMS: http://getsms.org
Vritty: https://virtty.com
Text anywhere: http://www.textanywhere.net
Receive SMS online.ME: http://receivesmsonline.me
Temporary emails: https://www.temp-mails.com
Purchase virtual number: http://www.virtualnumberbuy.com
Free Receive SMS online: http://freereceivesmsonline.com
NDTAN SMS: https://sms.ndtan.net
SMS Listen: https://smslisten.com
Free virtual SMS number: https://freevirtualsmsnumber.com
SMS Tibo: https://smstibo.com
Receive SMS number: https://receivesmsnumber.com
Free SMS code: https://freesmscode.com
Online SMS numbers: https://smsnumbersonline.com
SMS reception: https://smsreceiving.com
Trash Mobile: https://es.mytrashmobile.com/nu

Comment and share the page. ✊