List of “Tool”

  • SysmonSearch v2.0 Released SysmonSearch
    SysmonSearch v2.0 Released
    SysmonSearch is a tool developed by JPCERT/CC to analyse event logs generated on Sysmon (a Microsoft tool). https://github.com/JPCERTCC/SysmonSearch SysmonSearch is now compatible with Elastic Stack 7.x. Please note that the new version no longer supports Elastic Stack 6.x versions. This article introduces the new version of SysmonSearch, changes from the previous versions and new functions. Elastic Stack updates Kibana There was a change in Kibana plug-in due to the updates...

    Read more

  • LogonTracer v1.4 Released Forensic
    LogonTracer v1.4 Released
    JPCERT/CC released a new version of LogonTracer, a tool to support event log analysis. https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.4.0 This article introduces some of the new features of the tool. Dark mode Dark mode has been added to LogonTracer in this update, which appears on the menu bar. Figure 1 shows the LogonTracer screen when the dark mode is on. Figure 1: LogonTracer (dark mode) Please note that each colour represents the following item...

    Read more

  • Malware Used by BlackTech after Network Intrusion Malware
    Malware Used by BlackTech after Network Intrusion
    Previously, we explained about malware "TSCookie" and "PLEAD" which are used by an attack group BlackTech. Their activities have been continuously observed in Japan as of now. We have been seeing that a new malware variant is being used after they successfully intruded into a target network. This article explains the details of the variant. TSCookie used after intrusion The malware consists of 2 files (TSCookie Loader and TSCookie) as...

    Read more

  • Extract Malware Configuration with MalConfScan Malware
    Extract Malware Configuration with MalConfScan
    Every day, new types of malware are discovered. However, many of them are actually variants of existing malware - they share most part of the code and there is a slight difference in configuration such as CC servers. This indicates that malware analysis is almost complete as long as the configuration is extracted from malware. In this article, we would like to introduce details of “MalConfScan”, a tool to extract...

    Read more

  • Investigate Suspicious Account Behaviour Using SysmonSearch Forensic
    Investigate Suspicious Account Behaviour Using SysmonSearch
    In a past article in September 2018, we introduced a Sysmon log analysis tool "SysmonSearch" and its functions. Today, we will demonstrate how this tool can be used for incident investigation by showing some examples. To install SysmonSearch, please see the following page: JPCERTCC GitHub · SysmonSearch Wiki https://github.com/JPCERTCC/SysmonSearch/wiki The case study was conducted in the following environment: Sysmon 7.0.1 ElasticSearch 6.2.2 Kibana 6.2.2 Winlogbeat 6.2.2 Browser: Firefox Example of...

    Read more

  • Malware “WellMess” Targeting Linux and Windows Malware
    Malware “WellMess” Targeting Linux and Windows
    Some malware is designed to run on multiple platforms, and most commonly they are written in Java. For example, Adwind malware (introduced in a past article) is written in Java, and it runs on Windows and other OS. Golang is another programming language, and it is used for Mirai controller, which infects Linux systems. This article introduces the behaviour of WellMess malware based on our observation. It is a type...

    Read more

  • Malware “TSCookie” Malware
    Malware “TSCookie”
    Around 17 January 2018, there were some reports on the social media about malicious emails purporting to be from Ministry of Education, Culture, Sports, Science and Technology of Japan [1]. This email contains a URL leading to a malware called “TSCookie”. (Trend Micro calls it “PLEAD” malware [2]. Since PLEAD is also referred to as an attack campaign, we call this malware TSCookie in this article.) TSCookie has been observed...

    Read more

  • Investigate Unauthorised Logon Attempts using LogonTracer Forensic
    Investigate Unauthorised Logon Attempts using LogonTracer
    In the recent article, we introduced the concept and the use of "LogonTracer", a tool to support Windows event log analysis. This article presents how unauthorised logon attempts can be identified using this tool. Please refer to the Wiki for LogonTracer installation. Points for Investigation LogonTracer serves as a tool to support the log analysis rather than to detect unauthorised logon itself. For an effective investigation using this tool, we...

    Read more

  • Visualise Event Logs to Identify Compromised Accounts - LogonTracer - Forensic
    Visualise Event Logs to Identify Compromised Accounts - LogonTracer -
    Hello again, this is Shusei Tomonaga from the Analysis Center. Event log analysis is a key element in security incident investigation. If a network is managed by Active Directory (hereafter, AD), can be identified by analysing AD event logs. For such investigation, it is quite difficult to conduct detailed analysis in AD event viewer; it is rather common to export the logs to text format or import them into SIEM/log...

    Read more

  • Detecting Datper Malware from Proxy Logs Malware
    Detecting Datper Malware from Proxy Logs
    This is Yu Nakamura from Analysis Center. This entry is to explain features of Datper, malware used for targeted attacks against Japanese organisations and how to detect it from the logs. JPCERT/CC has been observing attacks using Datper since around June 2016. Research reports on the adversary are published from LAC [1], SecureWorks [2] and Palo Alto Networks [3]. The adversary had also conducted attacks using Daserf malware in the...

    Read more