  1. REbus: Make your security tools cooperate. Raphaël Rigo, with slides by Xavier Mehrenberger. July 5th / RMLL Sec 2016

  2. REbus Example malware CFG analysis workflow (slides 2 to 10 build the same diagram up one tool at a time). Tools in the order the animation adds them: Bin, CFG, graph → img, Image viewer, Lib. dep., Visual analytics, Unpacker, Unpacker 2, Zip, Unzip, Mail, Parse mail

  11. REbus interfaces. The diagram chains Tool, Agent, Bus master and Storage: the Tool interface sits between a tool and the agent that wraps it, the Bus interface between the agent and the bus master, and the Storage interface between the bus master and the storage.

  12. REbus architecture: a framework with a decentralised workflow. Decentralized workflow: Tool 1, Tool 2 (no central orchestrator; each agent reacts to what appears on the bus)

  13. REbus architecture: a framework with a decentralised workflow. Adding a new agent: Tool 1, Tool 2, Tool 3 (the existing agents are not modified)

  14. REbus Data exchange across the bus (slides 14 to 23 animate one exchange). Goal: compute md5sum of each file contained in a provided .tgz archive. Agents around the master / storage: inject apt1.tgz, unarchive, hasher, return /md5_hash. Steps as the animation shows them:
      1. inject pushes apt1.tgz to the master / storage; it is stored under the selector /compressed/gzip/%1234abcdef (type path plus a hash of the content)
      2. unarchive receives apt1.tgz, extracts AURIGA_sample_6B3 and pushes it back under /binary/pe/%abcd1234
      3. hasher receives AURIGA_sample_6B3, computes md5sum(AURIGA) and pushes it under /md5_hash/%6e1d51696
      4. the return agent, subscribed to /md5_hash, receives md5sum(AURIGA) and prints it
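Added example, not REbus's own code: an in-process Python 3 model of the exchange on slides 14 to 23 and of the decentralised workflow of slides 12 and 13. The Bus, Descriptor and Agent classes below are assumptions that borrow only the vocabulary visible on the slides (selectors such as /binary/pe/%<hash>, selector_filter, process, spawn_descriptor, push); the real bus master and storage are collapsed here into one dictionary, and the .tgz and its members are constructed inline.

```python
import hashlib
import io
import tarfile


class Descriptor:
    """A bus value: selector '<type path>/%<hash of value>', file label, producing agent, parent."""

    def __init__(self, prefix, label, value, agent, parent=None):
        self.selector = "%s/%%%s" % (prefix, hashlib.sha256(value).hexdigest()[:10])
        self.label, self.value, self.agent, self.parent = label, value, agent, parent

    def spawn_descriptor(self, prefix, value, agent, label=None):
        # a child keeps its parent's label unless the agent names it (an archive member)
        return Descriptor(prefix, label or self.label, value, agent, parent=self)


class Bus:
    """Toy bus master + storage: keep each descriptor once, forward it to every other
    agent whose selector_filter accepts its selector (no central workflow)."""

    def __init__(self):
        self.storage, self.agents = {}, []

    def register(self, agent):
        agent.bus = self
        self.agents.append(agent)

    def push(self, desc, sender):
        if desc.selector in self.storage:  # identical content already processed
            return
        self.storage[desc.selector] = desc
        for agent in self.agents:
            if agent.name != sender and agent.selector_filter(desc.selector):
                agent.process(desc, sender)


class Agent:
    name = "agent"

    def push(self, desc):
        self.bus.push(desc, self.name)


class Unarchive(Agent):
    """Extract gzip tarball members; files with the MZ magic become /binary/pe."""
    name = "unarchive"

    def selector_filter(self, selector):
        return selector.startswith("/compressed/gzip/")

    def process(self, desc, sender_id):
        with tarfile.open(fileobj=io.BytesIO(desc.value), mode="r:gz") as tar:
            for m in tar.getmembers():
                if m.isfile():
                    data = tar.extractfile(m).read()
                    kind = "/binary/pe" if data.startswith(b"MZ") else "/binary/unknown"
                    self.push(desc.spawn_descriptor(kind, data, self.name, label=m.name))


class Hasher(Agent):
    """Same contract as Listing 1: filter on /binary/, push an /md5_hash child."""
    name = "hasher"

    def selector_filter(self, selector):
        return selector.startswith("/binary/")

    def process(self, desc, sender_id):
        md5 = hashlib.md5(desc.value).hexdigest().encode()
        self.push(desc.spawn_descriptor("/md5_hash", md5, self.name))


class Return(Agent):
    """Collect results under one selector prefix, like 'return --short md5_hash'."""
    name = "return"

    def __init__(self, prefix):
        self.prefix, self.results = prefix, {}

    def selector_filter(self, selector):
        return selector.startswith(self.prefix)

    def process(self, desc, sender_id):
        parent_type = desc.parent.selector.rsplit("/%", 1)[0]
        self.results[desc.label] = {"type": parent_type, "md5": desc.value.decode()}


def make_archive(files):
    """Constructed sample input: a .tgz holding the given {name: bytes} members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def run_demo(files):
    """inject -> unarchive -> hasher -> return; {member: {'type': parent path, 'md5': hex}}."""
    bus, ret = Bus(), Return("/md5_hash")
    for agent in (Unarchive(), Hasher(), ret):
        bus.register(agent)
    bus.push(Descriptor("/compressed/gzip", "apt1.tgz", make_archive(files), "inject"), "inject")
    return ret.results
```

Running run_demo({"AURIGA_sample_6B3": b"MZ" + bytes(range(64)), "README.txt": b"hello\n"}) (constructed stand-ins, not real samples) returns one entry per member with the parent's type path and its MD5. Adding a new consumer, say an agent filtering on /binary/pe/ that computes an import hash, is one more register() call; unarchive and hasher are untouched, which is the point of slide 13. One caveat of this toy that a real agent author should keep in mind: the content hash in the selector doubles as the deduplication key, so two archive members with identical bytes are processed once and only the first label survives.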

  24. REbus Example agent combination

      $ rebus_agent -m rebus_demo.agents hasher unarchive \
          inject ~/apt1.tgz -- \
          return --short md5_hash
      apt1.tgz: AURIGA_6B31344B40E2AF9C9EE3BA707558C14E = 6b31344b40e2af9c9ee3ba707558c14e
      apt1.tgz: AURIGA_CDCD3A09EE99CFF9A58EFEA5CCBE2BED = cdcd3a09ee99cff9a58efea5ccbe2bed
      apt1.tgz: BANGAT_468FF2C12CFFC7E5B2FE0EE6BB3B239E = 468ff2c12cffc7e5b2fe0ee6bb3b239e
      [...]

      (Each output line reads "parent label: file label = md5". The APT1 sample names carry the file's own MD5, so the output checks itself.)

  25. Listing 1: REbus agent to compute the md5sum of binary files (Python 2, hence unicode())

      from rebus.agent import Agent
      from rebus_demo.tools import hash_tools


      @Agent.register
      class Hasher(Agent):
          _name_ = "hasher"
          _desc_ = "Return md5 of a binary"

          def selector_filter(self, selector):
              # Indicate that this agent is only interested in descriptors whose
              # selector starts with "/binary"
              return selector.startswith("/binary/")

          def process(self, desc, sender_id):
              # call the very complex tool on the received value
              md5_hash = hash_tools.md5hasher(desc.value)
              # Create a new child descriptor
              new_desc = desc.spawn_descriptor("/md5_hash", unicode(md5_hash), self.name)
              # Push the new descriptor to the bus
              self.push(new_desc)

  26. Try REbus. BSD licence. Download & docs at https://bitbucket.org/iwseclabs/rebus. Demo agents at https://bitbucket.org/iwseclabs/rebus_demo
