random scattered notes
https://app.any.run/tasks/585ddd5e-0dde-421f-8b8a-e7dbaf4f8c05/
3F32E053657036D09C84D6DAD220EF50
update (after the fact): this blog post seems useful
https://distributedcompute.com/2020/04/19/how-emotet-resolves-apis/
"...the FS register points to the Thread Environment Block, or TEB. The offset 0x30 contains a pointer to the Process Environment Block, or PEB. From there the malware will walk the structure to _PEB_LDR_DATA which contains the head of a doubly-linked list called InMemoryOrderModuleList. This list contains the list entries containing BaseDllName and DllBase. When the entry point to the PE header is located, the PE structure is walked to find the export table. Emotet will then loop over the exported names to find the API function it is searching for..."
-----------
api monitor
-----------
910.exe
- spawned child "mssvp.exe" in appdata
- created a Windows service named mssvp
sc delete "service name"
copy emotet_copy.exe emotet.exe
breakpoint openscmanager
ctrl-f7 (run until return, until get back to "debug" code)
select program segment, highlight, click 'C' for code, analyze
change to "Graph View"
look for code
mov ecx, [esi+30h]
call sub_???? (transform api with bunch of xors)
xor eax, 11D20899h
cmp eax, ebx
looking for 23F29385 (in ebx)
dll name (BaseDllName)   transformed   xor'd
emotet-910.exe           C9F6F7D9      D824FC40
ntdll.dll                D22E2014      C3FC288D
kernel32.dll             8F7EE672      9EACEDEB
KERNELBASE.dll           6267DEE4      73B5D57D
USER32.dll               D3361080      C2E41B19
GDI32.dll                B6C64D61      A71446F8
LPK.dll                  FF368B1D      EEE48084
USP10.dll                F73320A7      E6E12B3E
msvcrt.dll               88053F6B      99D734F2
ADVAPI32.dll             3220981C      23F29385  (found it)
mov edx, 4A609DFEh
mov ecx, 23F29385h #transformed & xor'd api to resolve
call apiResolver
apiResolver(edx=not used by this routine (4A609DFEh), ecx=transformAndXordApi (23F29385))
  apiResolverInternal(edi=4A609DFEh, ecx=transformAndXordApi (23F29385))
    foreach module entry esi in the PEB loader list (fs:[30h] -> PEB -> Ldr)
      eax = subTransformModule(ecx=[esi+30h])   # per the "mov ecx, [esi+30h]" above; with esi at the start of a
                                                # 32-bit _LDR_DATA_TABLE_ENTRY, +30h is BaseDllName.Buffer
      eax = eax ^ 11D20899h                     # the xor seen in the disassembly above, not an or
      if (eax == transformAndXordApi)
        eax = [esi+18h]                         # DllBase, the load address of the module (75D20000 for ADVAPI32)
        exit loop & use it
functionResolver(edx=function looking for (4A609DFEh), ecx=apiResolutionDllAddress (75D20000 for ADVAPI32))
  foreach exported function name
    ecx = ecx + apicounter                      # ecx starts as the ADVAPI32 base address
    eax = subTransformFunction(ecx)
    eax = eax ^ 5776499Bh                       # xor; the (transformed, xor'd) pairs in the table below confirm this constant
    if (eax == edx)
      eax = ecx
      exit loop & use it
looking for 4A609DFEh (in ebp+var8)
function name        transformed   xor'd
**                   F82294E8      AF54DD73
**                   838A4B1E      D4FC0285
**                   FC3ECBB7      AB48822C
**                   4C8FA46C      1BF9EDF7
**                   4C8FA482      1BF9ED19
CloseServiceHandle   ***           ***
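A Python model of the two-stage lookup in the notes above (module hash -> DllBase, then export-name hash -> function address), added here as an example; it is not code from the sample or from the notes' author. The notes do not show the body of subTransformModule/subTransformFunction, so hash_name() is a stand-in (a ROR-13 rolling hash, an assumption). The two XOR constants, the ADVAPI32 base and the (transformed, xor'd) pairs are the ones recorded in the notes; the other module bases and the export addresses are constructed.

```python
"""Model of Emotet-style hash-based API resolution as sketched in the notes above.

Added example, not the sample's code. hash_name() is a stand-in for the real
subTransform* routine (assumption: ROR-13 add); the XOR constants are from the notes.
"""
from typing import Dict, List, Optional, Tuple

MODULE_XOR_KEY = 0x11D20899  # 'xor eax, 11D20899h' in the module-resolution loop
FUNC_XOR_KEY = 0x5776499B    # constant applied in the function-resolution loop
MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """32-bit rotate right."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash_name(name: str) -> int:
    """Stand-in for subTransformModule/subTransformFunction (assumption: ROR-13 add)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def obfuscate(name: str, xor_key: int) -> int:
    """What gets embedded in the binary: hash(name) ^ key."""
    return hash_name(name) ^ xor_key


def recover_xor_key(raw_hash: int, stored_hash: int) -> int:
    """One (pre-xor, post-xor) pair read from the registers gives the key directly."""
    return raw_hash ^ stored_hash


def resolve_module(target: int, loaded_modules: List[Tuple[str, int]]) -> Optional[int]:
    """apiResolverInternal: walk the loader list until hash(BaseDllName) ^ key == target; return DllBase."""
    for base_dll_name, dll_base in loaded_modules:
        if obfuscate(base_dll_name, MODULE_XOR_KEY) == target:
            return dll_base
    return None


def resolve_function(target: int, exports: Dict[str, int]) -> Optional[int]:
    """functionResolver: walk the export name table until hash(name) ^ key == target; return the address."""
    for export_name, address in exports.items():
        if obfuscate(export_name, FUNC_XOR_KEY) == target:
            return address
    return None


def resolve_api(module_target: int, function_target: int,
                loaded_modules: List[Tuple[str, int]],
                module_exports: Dict[int, Dict[str, int]]) -> Optional[int]:
    """The full two-stage resolution: module hash first, then the function hash inside that module."""
    base = resolve_module(module_target, loaded_modules)
    if base is None:
        return None
    return resolve_function(function_target, module_exports[base])


# Constructed process state. Only the ADVAPI32 base (75D20000) is from the notes;
# the other bases and the export addresses are made up for the example.
LOADED_MODULES = [("ntdll.dll", 0x77400000), ("kernel32.dll", 0x76A00000), ("ADVAPI32.dll", 0x75D20000)]
EXPORTS = {0x75D20000: {"OpenSCManagerA": 0x75D3A000, "CloseServiceHandle": 0x75D3B000}}

if __name__ == "__main__":
    # The keys fall out of the pairs in the notes without knowing the hash routine.
    print(hex(recover_xor_key(0xF82294E8, 0xAF54DD73)))  # function-table pair
    print(hex(recover_xor_key(0xD22E2014, 0xC3FC288D)))  # ntdll.dll pair
    wanted_module = obfuscate("ADVAPI32.dll", MODULE_XOR_KEY)
    wanted_func = obfuscate("CloseServiceHandle", FUNC_XOR_KEY)
    print(hex(resolve_api(wanted_module, wanted_func, LOADED_MODULES, EXPORTS)))
```

recover_xor_key is the practical takeaway: once one pre-xor/post-xor pair has been read off the registers, every embedded constant can be matched against the export tables of the loaded DLLs offline instead of stepping the loop for each one. The two different XOR keys mean the same hash routine serves both lists without a function hash ever matching a module name.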
Showing posts with label API.
Tuesday, July 28, 2020
Thursday, December 20, 2018
Qradar API basics
The API documentation for your QRadar instance is served by the console itself at
https://<your qradar url>/api_doc
It describes every available API call.
If your credentials have permission, you can make calls directly from the browser by going to a URL such as
https://<your qradar url>/api/siem/offenses
This older blog post gives more details about connecting the first time:
https://neonprimetime.blogspot.com/2016/01/qradar-siem-api-101-walk-through.html
Thursday, June 22, 2017
Powershell Module to query the SANS ISC API
I listened to a great #SansAtNight talk at #SANSMinneapolis about the @sans_isc by @johullrich and thought I'd try to help out a little with a stormcenter PS module.
The SANS ISC API PowerShell module is at my GitHub site.
You can use it simply by doing commands like
Import-Module stormcenter
Get-ISCInfocon
Get-ISCHandler
Get-ISCIp 192.192.192.192
and many more
It is querying the SANS ISC API
Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Friday, January 15, 2016
QRadar SIEM API call for Offenses Assigned to User
If interested, I wrote a simple Python script and saved it on GitHub that queries the QRadar SIEM API for offenses assigned to a specific user. If you missed it, I recently posted a 101 walk-through on how to get your API calls working. The script is just a variation of the default samples provided by IBM on their GitHub.
After you have the default sample API calls working, download my Python script assigned_to.py and put it in the same folder. Then run it as follows.
# Offenses Assigned to Myself
> offenses/assigned_to.py -u MYUSERID
id:128 [MYUSERID] SrcIP=66.66.220.109
id:127 [MYUSERID] SrcIP=172.16.17.2
id:126 [MYUSERID] DstIP=61.61.61.33
id:125 [MYUSERID] DstIP=61.61.61.57
id:124 [MYUSERID] DstIP=10.0.0.2
# Offenses Not assigned to anybody yet
> offenses/assigned_to.py -u UNASSIGNED
id:133 [ ] SrcIP=190.190.117.177
id:132 [ ] User =USER22
id:131 [ ] SrcIP=66.66.103.118
QRadar SIEM API 101 Walk-Through
I thought I'd share how I got the QRadar API working.
I downloaded the sample API python modules (RestApiClient.py, SampleUtilities.py, etc.) from github
I downloaded the sample API script (01_GetOffenses.py) from github
I saved them all to the same folder.
I made sure I had python3 installed (not 2).
Then I had to export our console website's TLS certificate as a PEM file and save it to the same folder.
Then I had to create an authorized service/token.
Then run the script via
python 01_GetOffenses.py
It will prompt you for your authorization token (from the authorized service screen) and your certificate location (the full path to the .crt file). Once you hit enter, you have the choice of saving the token and certificate location to a plaintext file for future use; that token is the credential of the authorized service, so if you save it, protect the file like a password. Then the API call runs and you have a list of all offenses.
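The three QRadar posts above (Qradar API basics, QRadar SIEM API call for Offenses Assigned to User, and this 101 walk-through) folded into one small client, added here as an example; it is not IBM's RestApiClient.py/01_GetOffenses.py and not the blog's assigned_to.py. What it keeps from those: the authorized-service token travels in the SEC header, and the console is verified against the exported PEM rather than with verification turned off. The token is read from an environment variable instead of the plaintext file the sample offers to write. Assumptions not on this page: the `filter` and `fields` query-parameter syntax, the offense_type code numbering, the environment-variable names, and the sample offense records, which are constructed to look like the post's output.

```python
"""Minimal QRadar offenses client (added example; not IBM's sample code nor assigned_to.py)."""
import json
import os
import ssl
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Assumed offense_type codes (not on this page); confirm against /api_doc on your console.
OFFENSE_TYPE_LABEL = {0: "SrcIP", 1: "DstIP", 3: "User"}


def build_request(console: str, path: str, sec_token: str,
                  params: Optional[Dict[str, str]] = None,
                  item_range: Optional[str] = None) -> urllib.request.Request:
    """Same shape of request the IBM samples send: SEC header carries the token,
    an optional Range header pages the result set."""
    url = f"https://{console}/api/{path.lstrip('/')}"
    if params:
        url += "?" + urlencode(params)
    headers = {"SEC": sec_token, "Accept": "application/json"}
    if item_range:
        headers["Range"] = f"items={item_range}"
    return urllib.request.Request(url, headers=headers)


def fetch_offenses(console: str, sec_token: str, console_cert_pem: str,
                   assigned_to: Optional[str] = None) -> List[dict]:
    """GET /api/siem/offenses, verifying the console against its exported PEM."""
    params = {"fields": "id,assigned_to,offense_source,offense_type"}  # assumed 'fields' syntax
    if assigned_to and assigned_to.upper() != "UNASSIGNED":
        params["filter"] = f'assigned_to="{assigned_to}"'               # assumed 'filter' syntax
    req = build_request(console, "siem/offenses", sec_token, params)
    ctx = ssl.create_default_context(cafile=console_cert_pem)           # never disable verification
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def select_offenses(offenses: List[dict], user: str) -> List[dict]:
    """assigned_to.py behaviour: -u UNASSIGNED means offenses with no owner yet."""
    if user.upper() == "UNASSIGNED":
        return [o for o in offenses if not o.get("assigned_to")]
    return [o for o in offenses if o.get("assigned_to") == user]


def format_offense(o: dict) -> str:
    """One line per offense in the post's 'id:128 [MYUSERID] SrcIP=...' layout."""
    owner = o.get("assigned_to") or " "
    label = OFFENSE_TYPE_LABEL.get(o.get("offense_type"), f"type{o.get('offense_type')}")
    return f"id:{o['id']} [{owner}] {label}={o.get('offense_source')}"


# Constructed records shaped like the post's output (not real API responses).
SAMPLE_OFFENSES = [
    {"id": 133, "assigned_to": None, "offense_source": "190.190.117.177", "offense_type": 0},
    {"id": 132, "assigned_to": None, "offense_source": "USER22", "offense_type": 3},
    {"id": 128, "assigned_to": "MYUSERID", "offense_source": "66.66.220.109", "offense_type": 0},
    {"id": 126, "assigned_to": "MYUSERID", "offense_source": "61.61.61.33", "offense_type": 1},
]

if __name__ == "__main__":
    # Assumed variable names; the token never touches a plaintext file here.
    token = os.environ.get("QRADAR_SEC_TOKEN")
    console = os.environ.get("QRADAR_CONSOLE", "qradar.example.local")
    cert = os.environ.get("QRADAR_CONSOLE_PEM", "console.pem")
    offenses = fetch_offenses(console, token, cert) if token else SAMPLE_OFFENSES
    for o in select_offenses(offenses, os.environ.get("QRADAR_USER", "MYUSERID")):
        print(format_offense(o))
```

Without QRADAR_SEC_TOKEN set, the script runs against the constructed records so the formatting can be checked offline; with it set, the same code path hits the console.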