Introduction We are happy to announce that the awesome people maintaining the Sigma project on GitHub have merged our work to support the ee-outliers backend! So what you can you do with this? Sigma already contained support for Elasticsearch through the es-dsl and es-qs backends. However, these generate queries then need to be integrated by … Continue reading Sigma engine adds support for ee-outliers backend: start tagging your Sigma hits in Elasticsearch!
Author: Daan Raman
Email alerting on geographically suspicious firewall connections using logalert.py, geoiplookup and AbuseIPDB
Introduction Earlier this week, we released logalert.py, a simple python tool that can be used to pipe standard output to email for the purpose of alerting. In this blog post we want to give a concrete example of how logalert.py can be used to get simple & reliable email notifications about suspicious firewall connections, based on … Continue reading Email alerting on geographically suspicious firewall connections using logalert.py, geoiplookup and AbuseIPDB
Releasing logalert.py – Smart piping of command output to email for alerting
Introduction Today we are releasing a small but useful tool, logalert.py. This tool can be used to pipe standard output to email for the purpose of alerting. A simple caching system is used to avoid sending duplicate alerts within a certain timeframe. The tool was developed for cases where you want a simple and robust … Continue reading Releasing logalert.py – Smart piping of command output to email for alerting
Sunsetting NVISO ApkScan
Today, we are announcing the retirement of NVISO ApkScan, our online malware scanning service we launched back in 2013. ApkScan was born with the purpose of offering the (security) community a free, reliable and quality service to statically and dynamically scan Android applications for malware. Since the inception of the project, it has been a … Continue reading Sunsetting NVISO ApkScan
Detecting suspicious child processes using ee-outliers and Elasticsearch
In this post, we will illustrate how ee-outliers can be used to detect suspicious child processes. This can be a very helpful way of spotting malicious endpoint activity during our Threat Hunting activities. A few examples where detecting suspicious child processes could help us: Detection of a malicious Microsoft Word file spawning cmd.exe Detection of … Continue reading Detecting suspicious child processes using ee-outliers and Elasticsearch
TLS beaconing detection using ee-outliers and Elasticsearch
Earlier today, we open-source ee-outliers, our in-house developed framework to detect outliers in events stored in Elasticsearch. This blog post is the first of several in which we want to dive a bit deeper in how we use ee-outliers ourselves in our own security monitoring activities. Today we will look at how ee-outliers can be … Continue reading TLS beaconing detection using ee-outliers and Elasticsearch
Announcement: open-sourcing ee-outliers
Today, we are excited to announce we are open-sourcing ee-outliers, our in-house developed framework to detect outliers in events stored in Elasticsearch! The framework was developed for the purpose of detecting anomalies in security events, however it could just as well be used for the detection of outliers in other types of data. We have … Continue reading Announcement: open-sourcing ee-outliers
Filtering out top 1 million domains from corporate network traffic
During network traffic analysis and malware investigations, we often use IP and domain reputation lists to quickly filter out traffic we can expect to be benign. This typically includes filtering out traffic related to the top X most popular websites world-wide. For some detection mechanisms, this technique of filtering out popular traffic is not recommended … Continue reading Filtering out top 1 million domains from corporate network traffic
Going beyond Wireshark: experiments in visualising network traffic
Introduction At NVISO Labs, we are constantly trying to find better ways of understanding the data our analysts are looking at. This ranges from our SOC analysts looking at millions of collected data points per day all the way to the malware analyst tearing apart a malware sample and trying to make sense of its … Continue reading Going beyond Wireshark: experiments in visualising network traffic
Using binsnitch.py to detect files touched by malware
Yesterday, we released binsnitch.py - a tool you can use to detect unwanted changes to the file sytem. The tool and documentation is available here: https://github.com/NVISO-BE/binsnitch. Binsnitch can be used to detect silent (unwanted) changes to files on your system. It will scan a given directory recursively for files and keep track of any changes it detects, based … Continue reading Using binsnitch.py to detect files touched by malware