Post on 05-Jun-2020
The Metabrik Platform - Rapid Development of Reusable Security Tools
Patrice Auffret
metabrik.org
March 2017
Patrice Auffret metabrik.org
The Metabrik Platform - Rapid Development of Reusable Security Tools

Whoami?
GomoR
- Information security engineer for 15 years
- Perl developer for the same amount of time
- CPAN author
  - Net::Packet (obsolete)
  - Net::Frame suite (successor)
  - Net::Write
  - Net::SinFP/Net::SinFP3 (2012: hack.lu, ekoparty, EuSecWest)
  - Metabrik (and Metabrik::Repository)
- Interests
  - Forensic analysis
  - Network protocols
  - Big data (mining)
  - https://www.sisyphe.io/

What is Metabrik?
The subject of today...

A Pokemon?
Yes, but no.
- Source: http://www.mypokecard.com/fr/Galerie/Pokemon-Metabrik

A platform
And much more.
- A UNIX-like shell
- A true language with a Read-Eval-Print-Loop
- Many Briks
- A development/prototyping platform
  - To build quickly the right tool

A true language?
Yes. Kill the troll now. But Perl is better than Python anyway :)
- Source: eweek - April, 30th 2010

Why?
CLI rules
- Everything should be possible via command line
  - Automate all the things
- Do it once principle
  - Tired of repeated throw-away scripts
  - Code reusability rules
- UNIX shells too simple
  - Pipe too limited
  - Needed a powerful language
- Rapid development from a CLI
  - Writing scripts is also possible
- Normalized syntax in human readable form

Comparison with REbus
Interactive usage versus fully automatic one
- Same goal: normalize tool usage
- REbus: replace the human
  - Not a shell
  - Usage is not so easy
  - Written in Python
  - Input/output automation
- Metabrik: help the human
  - Manual input/output
  - Easy Brik usage
- Both are using wrappers around existing tools
  - Metabrik does not only use wrappers
  - It tries to use the best Perl CPAN modules

Demo 1 - The Metabrik Shell (~3 minutes)
- 3 kinds of command lines
  - external
  - Brik's commands
  - Perl code (REPL)
- 5 Brik's commands
  - use, set, get, run, help

Features
Most notable ones
- Shell: builtins
  - cd, alias, ...
- Customizable shell with history handling
  - File .metabrik_rc
  - File .metabrik_history
- Metasploit-like syntax
  - Completion for commands, files, variables
  - Control keys like Ctrl+R

Briks
You have the knowledge, detail is in the Brik
- Many wrappers around external programs
  - but not only
- Object-oriented
  - defined by properties like tags, category or attributes
  - a Brik may inherit from one or more others
  - Example: file::psv inherits from file::csv
- Add features to existing tools
  - There is always one lacking
  - Example: forensic::scalpel
- A reusable Perl module
  - a command line interface
  - a classic interface

brik::tool Brik
Makes a Brik easy to use
- Two kinds of dependencies
  - System packages
  - Perl modules
- Easy to install and use
  - run brik::tool install database::cvesearch
  - use database::cvesearch
  - help database::cvesearch
- Easy to update as
  - run brik::tool update

Special variables
Where we keep some Perl philosophy
- Example:
  - run shell::command capture ls /
  - my $count = scalar(@$RUN)
- Input/output handling via $RUN
  - This is the new pipe
  - Perl basic data types
  - You sculpt it to your needs
- Other special variables
  - $SET
  - $GET
  - $CON, $LOG, $GLO, $SHE
  - $USE, $ERR, $MSG, $REF

Demo 2 - forensic challenge (~3 minutes)
Or how to quickly solve a problem
- Some miscreants kidnapped your cat
- We found an old device on the crime scene
- We have to analyze this data
- File analysis
  - file::type
  - file::compress
  - image::exif
- Extract data
  - forensic::scalpel

Metabrik Core and Metabrik Repository
What's the difference?
- Metabrik Core
  - core::global
  - core::shell
  - core::log
  - core::context
  - Minimal system and Perl module dependencies
- Metabrik Repository
  - 240+ Briks (and counting)
  - brik::tool to manage
  - brik::search to search
  - Install dependencies only when needed

brik::tool and brik::search
Your best friends
- Search by tag, command, category or string...
  - run brik::search tag video
- brik::tool for management
  - create a skeleton of a new Brik
    - run brik::tool create_brik my::first
  - create a skeleton of a new program
    - run brik::tool create_tool my_tool.pl

A Metatool
From prototype to industrialisation
- Finalized prototype
  - run brik::tool create_tool iplocation.pl
- Shell commands conversion to code
    # Shell Metabrik
    use lookup::iplocation
    run lookup::iplocation from_ip 93.184.216.34

    # Perl program
    use Metabrik::Core::Context;
    my $con = Metabrik::Core::Context->new;

    use Metabrik::Lookup::Iplocation;
    my $li = Metabrik::Lookup::Iplocation->new_from_brik_init($con);
    my $ip = '93.184.216.34';   # same address as in the shell version; the slide left $ip undefined
    my $h = $li->from_ip($ip);

Demo 3 - automate malware analysis (~3 minutes)
Or how to extract Indicators of Compromise
- Use a VM as a scapegoat (sacrifice it)
  - Take a fingerprint of its memory/process/registry before
  - Run a malware
  - Take a fingerprint of its memory/process/registry after
- Instrumentalise a VM and take a snapshot
  - system::virtualbox
- Execute program remotely
  - remote::winexe
  - remote::wmi
- Perform a diff on a Windows machine-state
  - forensic::volatility

Demo 4 - bind all Briks together (~5 minutes)
Make it straightforward
- Use all previous Briks to write a new one
  - remote::windiff
  - Automates diffing between two VM states

Enlarge your tools
Use more Briks
- Code: lib/Metabrik/Remote/Windiff.pm
- Improve a tool by yourself from the 240+ Briks
  - run file::csv write $process_diff out.csv
  - run client::dns ptr_lookup $ip
  - run api::virustotal ipv4_address_report $ip
  - run api::shodan host_ip $ip

Weaknesses of this approach
Or just more work to do?
- Relies on incomplete tools
  - Volatility is based on reverse engineering Windows
  - WMI too... and we found some parsing bugs
- Depends on the ability to snapshot a VM memory
  - What if we wanted to use a physical machine?
- No live analysis
  - An approach already taken by VolatilityBot
    - https://github.com/mkorman90/VolatilityBot
    - (But requires a Python agent to be installed)

Now for a better approach
Have you heard about sysmon?
- Monitors Windows system changes like
  - Loading of drivers and images
  - Registry changes
  - Filesystem changes
  - Process accesses
  - ...and more
- Live stream through Windows Event logs

Collect all the things
Sysmon and network
- Put everything into an Elasticsearch storage
  - Winlogbeat for Windows Event logs
  - tcpdump-like to capture network traffic (but no live stream yet)

Understanding malware without l33t skills (1/2)
Automate all the things now.
- We need remote capabilities for
  - Sysmon
  - Windows Defender
  - Upload/download
- We need local capabilities for
  - Interacting with Elasticsearch
  - Performing forensic analysis on pcap files

Understanding malware without l33t skills (2/2)
Automate all the things now.
- Sysmon + Winlogbeat
  - remote::sysmon, remote::winsvc, forensic::sysmon
- Elasticsearch
  - server::elasticsearch, client::elasticsearch
- tcpdump
  - client::tcpdump
- smbclient + winexe
  - client::smbclient, remote::winexe, remote::windefend
- New Brik remote::sandbox

remote::sysmon && forensic::sysmon
- remote::sysmon
  - Generate configuration (full logging by default)
  - Deploy/undeploy sysmon agent to remote host with remote::winexe
  - Update configuration on remote host
- forensic::sysmon
  - A client::elasticsearch child
  - Queries everything
  - Saves state as CSV files
  - Performs diff analysis on CSV files
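A small Perl example added for this write-up, not Metabrik's own code. It mimics the file::csv / file::psv relationship described on the "Briks" slide, where the child Brik only changes the separator, and then uses the parsed rows to do the kind of before/after state diff that forensic::sysmon and remote::windiff perform on saved CSV snapshots. The class names (My::File::Csv, My::File::Psv), the diff_snapshots function and the two process snapshots are constructed for the example; Metabrik's real base class and Brik interface are not used here.

```perl
#!/usr/bin/env perl
# Added example, not Metabrik code. A minimal CSV "Brik-like" class, a PSV
# child that only overrides the separator (as file::psv does with file::csv),
# and a before/after diff of two constructed process snapshots.
use strict;
use warnings;

package My::File::Csv;   # assumption: stand-in for file::csv, not the real Brik

sub new {
   my ($class, %args) = @_;
   my $self = { separator => ',', %args };
   return bless $self, $class;
}

# Parse text whose first line is a header into a list of row hashrefs.
sub parse {
   my ($self, $text) = @_;
   my $sep    = quotemeta $self->{separator};
   my @lines  = grep { length } split /\r?\n/, $text;
   my @header = split /$sep/, shift @lines;
   my @rows;
   for my $line (@lines) {
      my %row;
      @row{@header} = split /$sep/, $line, -1;   # -1 keeps trailing empty fields
      push @rows, \%row;
   }
   return \@rows;
}

package My::File::Psv;   # assumption: stand-in for file::psv
use parent -norequire, 'My::File::Csv';

# The only difference from the parent: a pipe separator.
sub new {
   my ($class, %args) = @_;
   return $class->SUPER::new(separator => '|', %args);
}

package main;

# Compare two snapshots keyed on $key: rows that appeared, rows that vanished,
# and columns that changed for rows present in both.
sub diff_snapshots {
   my ($before, $after, $key) = @_;
   my %b = map { $_->{$key} => $_ } @$before;
   my %a = map { $_->{$key} => $_ } @$after;
   my %diff = (added => [], removed => [], changed => []);
   for my $k (sort keys %a) {
      if (!exists $b{$k}) {
         push @{ $diff{added} }, $a{$k};
         next;
      }
      for my $col (sort keys %{ $a{$k} }) {
         next if $col eq $key;
         my ($old, $new) = ($b{$k}{$col} // '', $a{$k}{$col} // '');
         push @{ $diff{changed} }, { $key => $k, column => $col, from => $old, to => $new }
            if $old ne $new;
      }
   }
   for my $k (sort keys %b) {
      push @{ $diff{removed} }, $b{$k} unless exists $a{$k};
   }
   return \%diff;
}

# Constructed snapshots: the "before" state as CSV, the "after" state as PSV.
my $before_csv = <<'CSV';
pid,name,path,parent_pid
4,System,,0
512,svchost.exe,C:\Windows\System32\svchost.exe,400
1200,explorer.exe,C:\Windows\explorer.exe,1100
3008,notepad.exe,C:\Windows\System32\notepad.exe,1200
CSV

my $after_psv = <<'PSV';
pid|name|path|parent_pid
4|System||0
512|svchost.exe|C:\Windows\System32\svchost.exe|400
1200|explorer.exe|C:\Windows\explorer.exe|1100
2204|sample.exe|C:\Users\lab\Desktop\sample.exe|1200
PSV

my $before = My::File::Csv->new->parse($before_csv);
my $after  = My::File::Psv->new->parse($after_psv);
my $diff   = diff_snapshots($before, $after, 'pid');

printf "added   pid=%s %s (%s) parent=%s\n", @{$_}{qw(pid name path parent_pid)} for @{ $diff->{added} };
printf "removed pid=%s %s\n", @{$_}{qw(pid name)} for @{ $diff->{removed} };
printf "changed pid=%s %s: '%s' -> '%s'\n", @{$_}{qw(pid column from to)} for @{ $diff->{changed} };
```

Keying on pid is the simplest choice for a VM that is snapshotted, run and diffed once; if a machine runs long enough for pids to be reused, key on a tuple such as pid plus process start time instead, which is what the per-column "changed" report is there to surface.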

Give me malware to test :)
You have a spambox, don't you?
- Acquire malware samples from browsing your spambox
  - But automated, of course
- And there is a Brik for that: client::imap

Demo 5 - Acquire malware sample (~2 minutes)
- Use the client::imap Brik

Demo 6 - the remote::sandbox Brik (~8 minutes)
- Sysmon + winlogbeat + Elasticsearch are ready
- Will use remote::sandbox and client::tcpdump
- Take a snapshot of the collected events from Elasticsearch
- We have to disable the antivirus before executing malware

Demo 7 - pcap to Elasticsearch (~3 minutes)
- Explore pcap data with forensic::pcap

Analysis conclusion
We have to, at some point, conclude.
- A ZIP file containing a ZIP containing a JS file
- A JS using WScript to download PNG images
- Images are in fact executable files
- We now have some IOCs
  - MD5 sums (or whatever you want)
  - A registry key
  - IP addresses
  - Domain names and URLs
- (And we didn't look at the a.doc file)
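An added Perl example, not code from the talk or from forensic::sysmon, for the IOC categories listed above (hashes, IP addresses, domain names, a registry key) plus the image paths Sysmon records. It pulls indicators out of Sysmon-style events by field name rather than by a blind regex over the whole text, so a file name such as invoice.exe is not mistaken for a domain. The "Field: value" text layout, the %FIELD_TYPE mapping and the sample events (TEST-NET addresses, example.* names, a made-up MD5) are constructed assumptions; winlogbeat ships these fields as JSON, so a real pipeline would read them from Elasticsearch instead.

```perl
#!/usr/bin/env perl
# Added example, not Metabrik code: pull IOC candidates (hashes, IPs,
# domain names, registry keys, image paths) out of Sysmon-style events by
# field name rather than by blind regex, so file names such as invoice.exe
# are not mistaken for domain names.
use strict;
use warnings;

# Which Sysmon fields carry which kind of indicator. Assumption: a
# simplified "Field: value" text rendering, not winlogbeat's JSON layout.
my %FIELD_TYPE = (
   DestinationIp       => 'ip',
   QueryResults        => 'ip',
   DestinationHostname => 'domain',
   QueryName           => 'domain',
   TargetObject        => 'registry',
   Image               => 'file',
);

# Returns { type => { value => count } } so repeated sightings are counted.
sub extract_iocs {
   my ($text) = @_;
   my %ioc;
   for my $line (split /\r?\n/, $text) {
      next unless $line =~ /^\s*([A-Za-z]+):\s*(.+?)\s*$/;
      my ($field, $value) = ($1, $2);
      if ($field eq 'Hashes') {            # e.g. "MD5=...,SHA256=..."
         $ioc{md5}{ lc($1) }++ while $value =~ /\bMD5=([0-9A-Fa-f]{32})\b/g;
         next;
      }
      my $type = $FIELD_TYPE{$field} or next;   # fields we do not care about
      for my $v (split /;/, $value) {           # QueryResults may list several answers
         $v =~ s/^\s+|\s+$//g;
         next unless length $v;
         next if $type eq 'ip'       && $v !~ /^(?:\d{1,3}\.){3}\d{1,3}$/;
         next if $type eq 'registry' && $v !~ /^HK(?:LM|CU|U|CR|CC)\\/;
         $ioc{$type}{$v}++;
      }
   }
   return \%ioc;
}

# Constructed sample events (not real telemetry; TEST-NET addresses and
# example.* names), in the order Sysmon would record them.
my $events = <<'EVT';
Event ID 1: Process Create
  Image: C:\Users\lab\AppData\Local\Temp\invoice.exe
  ParentImage: C:\Windows\System32\wscript.exe
  Hashes: MD5=0123456789abcdef0123456789abcdef
Event ID 22: Dns query
  QueryName: cdn.example.com
  QueryResults: 203.0.113.10;198.51.100.7
Event ID 3: Network connection
  Image: C:\Users\lab\AppData\Local\Temp\invoice.exe
  DestinationIp: 203.0.113.10
  DestinationHostname: cdn.example.com
Event ID 13: Registry value set
  TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater
EVT

my $ioc = extract_iocs($events);
for my $type (sort keys %$ioc) {
   printf "%-8s %s (seen %d)\n", $type, $_, $ioc->{$type}{$_}
      for sort keys %{ $ioc->{$type} };
}
```

Counting sightings per value is deliberate: an address that shows up in both the DNS answer and the later network connection (203.0.113.10 here) is a stronger indicator than one seen once, and the counts are what you would carry into the file::csv, client::dns and api::virustotal enrichment steps from the "Enlarge your tools" slide.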

Some of the best Briks
For some categories
- api::*
  - splunk, ...
- client::*
  - elasticsearch, mongodb, redis, rest, openssh, twitter, splunk, ...
- server::*
  - rest, snmp, dns, ...
- proxy::*
  - http, ssh2tcp, ...
- www::*
  - shorten, google, ...
- lookup::*
  - iplocation, oui, ...
- network::*
  - nmap, linux::iptables, sinfp3, ...

Conclusion
- Reaching the 250 Briks milestone...
- Everything becomes a Perl variable
- Automate all the things from the CLI
- Add missing features to existing tools
- Normalization brings ease
- Shell unification too
- Understand the philosophy and play
- POLL: who would be interested in a workshop?

Question(s)?
- Code available on: http://trac.metabrik.org/
- Howto install: https://www.metabrik.org/metabrik/install/
- Docker: docker pull metabrik/metabrik
- Twitter: @Metabrik
- Twitter: @PatriceAuffret