
HP New Integrated Commands

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 7 min read

Summary:

The commands and tools described here are quick-reference resources for SOC analysts and network administrators who need to investigate a host, check an IP address or malware name against public databases, and verify domain and website information. Each ArcSight integrated command takes a field selected in the console (an IP address, a virus name, a domain) and substitutes it into a URL or a local command line:

1. **Malware Domain List**: checks whether an IP address is associated with known malicious domains. The placeholder `${targetAddress}` is replaced with the IP address under investigation and the resulting URL is opened.

2. **Threat Expert**: looks up a virus name (for example Trojan.VBS.YunYun) in the ThreatExpert database. `$selectedItem` is replaced with the virus name.

3. **UrlVoid**: scans a website address against multiple reputation engines and domain blacklists. `$targetAddress` is replaced with the domain name.

4. **Operating System Tools** (NBTSTAT, TraceRT/PING, Dig): local diagnostic tools for confirming host names, IP addresses and MAC addresses, and for troubleshooting network configuration.

5. **DNS Lookup - Dig**: queries DNS servers for detailed records about a domain or address; useful for troubleshooting and for learning how resolution works.

6. **NetBIOS Diagnostic Tool - Nbtstat**: resolves NetBIOS name issues and reports NetBIOS connection statistics.

7. **Network Mapping Tool - NMAP**: maps hosts and services on a network, showing which services a target machine is running.

8. **PathPing**: combines ping and traceroute to diagnose connectivity problems and trace the route to a destination.

These are most useful during an active malware incident or suspected breach, when IP addresses and malware names need to be checked quickly; for routine tasks such as verifying DNS records, checking NetBIOS connections or mapping the network; and after a breach, when identifying the lateral-movement paths an attacker used. The lookups are aids to an investigation, not substitutes for patched systems and current endpoint protection, and active probes (NMAP in particular) must only be run against hosts you are authorised to scan.

Details:

This document summarises the collection of integrated commands, or "right-click" tools, that HP Enterprise Security Professional Services made available for the ArcSight console as of October 11, 2013. It outlines 40 tools that are invoked from the full console; most of them open an external website and therefore need internet access from the analyst's workstation. They support host investigations, URL research and SOC operations:

1. **Host Investigations** - lookups keyed on Windows Security Event IDs and on the signature, filter or virus identifiers reported by antivirus products (Symantec, McAfee), firewalls and IPS (HP TippingPoint, Checkpoint, Cisco) and other products such as Fortinet, so that an alert from one of these systems, or a URL it reports, can be researched without leaving the console.

2. **URLs for Research** - public services for blacklist checks, port scans and SMTP checks via MX Toolbox, and Whois lookups via Domain Tools and similar services, used to assess the reputation of a URL, domain or IP address.

3. **Operating System Tools** - DNS lookup (dig), Nbtstat, NMAP, PathPing and the PsTools suite for Windows, used for network diagnostics and system information gathering.

4. **SOC Operations** - the FosWiki-based local wiki the SOC uses to document and search items of interest, which rounds out the list of commands available for monitoring and incident response.

The document is intended as a starting point for customers and shows how much of an investigation can be driven from the console itself.

Each host-investigation command takes an identifier already present in the event (a Windows event ID, a signature or filter ID, a document ID, a virus ID or an IP address) and builds a URL that queries the vendor's knowledge base:

  • **Windows Security Event IDs**: Users can find detailed information by visiting the Ultimate Windows Security website and searching using the event ID.

  • **Symantec (SEP)**: Accesses signature details through Symantec's official site by entering the signature ID.

  • **IBM ISS Proventia**: Provides vulnerability information by querying XForce with the given signature name.

  • **HP Tipping Point**: Displays detailed information about filters or signatures by using the filter/signature ID provided.

  • **McAfee ePO**: Offers virus details through McAfee's official site, utilizing the EPO Virus ID.

  • **Fortinet | Fortiguard**: Enables users to find vulnerability and virus information by entering the respective ID into the encyclopedia section of Fortiguard’s website.

  • **Checkpoint FW/IPS**: Allows access to detailed threat information by searching with either signature name or virus name through Checkpoint's Threatwiki.

  • **CISCO**: Users can retrieve reputation data about an IP address through the search feature of SenderBase, Cisco's IP and domain reputation service.

  • **Google Maps**: Not a security database in itself; it plots the approximate location of an attacker's IP address, with the geolocation obtained from a public service such as SenderBase.

These lookups give the analyst the vendor's technical detail without a separate login to each product console, keeping the investigation on a single pane of glass (SPOG), which is the point of the integrated-command approach.

The URL-research commands take an IP address, malware name, port number or domain and build a query against a public service. Each command is defined by its type, the item it consumes and its URL syntax:

1. **Google Maps URL**

  • Command Type: URL

  • Item: IP Address

2. **MX Toolbox Blacklist**

3. **Microsoft Malware Protection Center**

4. **Sans Port Lookup**

5. **Domain Tools Whois**

6. **MX Toolbox Internet Port Scan and SMTP Check**

7. **Malware Domain List**

8. **Threat Expert**

9. **UrlVoid**

  • Command Type: URL

  • Item: Website Address

  • Syntax: scans a website address with multiple website reputation engines and domain blacklist checks.

Together these cover the checks an analyst runs most often: whether an IP address is distributing malware or sending spam, whether a website hosts known malware, is blacklisted, runs outdated software or has known vulnerabilities, and in some cases a check for a specific threat such as fake URLs associated with the ZeuS botnet. Each service takes one input type (a URL or an IP address) and returns a report drawn from its own database; the results serve both the investigator and the administrator of the site being checked.

The remaining commands are listed by type, item and syntax:

1. **Process Library lookup** - Command Type: URL; Item: Service Name. The URL is built by replacing `$selectedItem` with the selected service or process name:

  • Syntax: http://www.processlibrary.com/en/search/?q=$selectedItem

2. **Operating System Tools** - diagnostic tools for confirming host names, IP addresses and MAC addresses: NBTSTAT (NetBIOS name table statistics) and TraceRT or PING (connectivity). Any tool that is not part of the operating system must be installed on each analyst workstation before its integrated command will work.

3. **DNS Lookup - Dig** - a command-line tool for querying DNS servers, used for network troubleshooting and for showing how resolution works.
It can be run interactively from the command line or in batch mode, reading queries from a file, and it uses either a name server given on the command line or the system's default resolver.

  • Command Syntax: %arcsight%\tools\dig.exe -t ANY $(targetAddress)

Note that many authoritative servers and resolvers now answer `ANY` queries with a minimal or synthetic response rather than the full record set (RFC 8482), so if the output looks empty, repeat the query with an explicit type such as `-t A`, `-t MX` or `-t TXT`.

4. **NetBIOS Diagnostic Tool - Nbtstat** - A diagnostic tool for NetBIOS over TCP/IP, included in Windows systems. It helps troubleshoot NetBIOS name resolution issues and is used to gather statistics about the NetBIOS connections on a network.

  • Command Syntax: %system32%\nbtstat.exe -a $(targetAddress)

5. **Network Mapping Tool - NMAP** - a security scanner that discovers hosts and services on a network by sending crafted packets and analysing the responses. In the console it is used for discovery, to see what a target host exposes.

  • Command Syntax: %arcsight%\tools\nmap\nmap.exe -vv -sU -p0 $(targetAddress)

As written, `-sU -p0` requests a UDP scan of port 0 only (lower-case `-p` selects ports; the older upper-case `-P0` disabled host discovery), so the command should be checked against the intended scan before it is deployed, and a UDP probe of a remote host needs the same authorisation as any other active scan.

6. **PathPing** - combines the functions of ping and tracert in a single utility shipped with Windows 2000 and later; it reports per-hop packet loss along the route to a destination and is used to diagnose connectivity problems. Together these tools let network administrators and SOC analysts confirm what a host is, how it is reached and what it exposes.

The remaining OS commands come from the Sysinternals PsTools suite, which Microsoft now distributes and which must be present on the workstation: PsFile lists files opened remotely, PsGetSid translates between SIDs and account names, PsInfo gathers key information about a system, PsList lists running processes, and PsLoggedOn shows who is logged on locally or through resource sharing.

Finally, the document describes how the HP SIOC team's SOC operations use a local wiki (FosWiki) to document items of interest and search them during an investigation.
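The two mechanisms above, URL commands that substitute a selected field into a query string and OS commands that substitute it into a local command line, can be modelled in a few lines. The following Python is an added example written for this post, not code from the HP document or from ArcSight. The command table uses the `$targetAddress` and `$selectedItem` placeholder names from the page (in the `$name` form that Python's `string.Template` understands rather than the `$(name)` form shown in the syntax lines), the Process Library URL is the one quoted above, and `lookup.example` is a hypothetical host standing in for a vendor site. The security point it makes is that a field taken from an event must be percent-encoded before it goes into a URL and validated as an IP address or hostname before it goes anywhere near a command line, because an attacker who controls a hostname in a log could otherwise plant shell metacharacters in it.

```python
"""Added example: placeholder expansion for ArcSight-style integrated
commands, with encoding for URL commands and validation for OS commands.
Not code from the HP document; placeholder names follow the page."""
import ipaddress
import re
import subprocess
from string import Template
from urllib.parse import quote

# URL commands: the Process Library entry is quoted on the page; the
# second entry uses a hypothetical host as a stand-in for a vendor site.
URL_COMMANDS = {
    "processlibrary": "http://www.processlibrary.com/en/search/?q=$selectedItem",
    "ip_lookup": "https://lookup.example/ip/$targetAddress",  # hypothetical
}

# OS commands: argv templates, one element per argument, mirroring the
# nbtstat and dig syntax shown on the page (install paths omitted).
OS_COMMANDS = {
    "nbtstat": ["nbtstat.exe", "-a", "$targetAddress"],
    "dig": ["dig.exe", "-t", "ANY", "$targetAddress"],
}

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters in total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_ip_or_hostname(value: str) -> bool:
    """True only for a literal IPv4/IPv6 address or a DNS hostname.
    Anything else (spaces, '&', ';', '$(', quotes) is refused."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(value))


def render_url(name: str, **fields: str) -> str:
    """Expand a URL command. Every field is percent-encoded with no safe
    characters, so a malware name such as 'a b&c' cannot add or alter
    query parameters."""
    encoded = {key: quote(value, safe="") for key, value in fields.items()}
    return Template(URL_COMMANDS[name]).substitute(encoded)


def build_argv(name: str, target_address: str) -> list:
    """Expand an OS command into an argv list. The target is validated
    first, so an event field like '10.0.0.5 & whoami' raises instead of
    being passed to the tool (and never to a shell)."""
    if not is_ip_or_hostname(target_address):
        raise ValueError(
            f"refusing to run {name}: {target_address!r} is not an IP address or hostname"
        )
    return [Template(arg).substitute(targetAddress=target_address) for arg in OS_COMMANDS[name]]


def run_os_command(name: str, target_address: str) -> subprocess.CompletedProcess:
    """Run the expanded command as a list, without shell=True. Shown for
    the call shape only; it is not exercised offline."""
    return subprocess.run(build_argv(name, target_address), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(render_url("processlibrary", selectedItem="svchost.exe"))
    print(render_url("ip_lookup", targetAddress="10.0.0.5"))
    print(build_argv("nbtstat", "10.0.0.5"))
    for bad in ("10.0.0.5 & whoami", "$(calc)", "host;id"):
        try:
            build_argv("dig", bad)
        except ValueError as exc:
            print("blocked:", exc)
```

`build_argv` returns an argv list for `subprocess.run`, never a single string handed to a shell; the validation is what makes the OS commands safe to wire to event fields, and the same idea applies to any console that lets an analyst launch local tools on data an attacker may have influenced.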
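The nbtstat output described under item 4 is meant to be read by an analyst, but the remote name table is regular enough to parse, so the host name, domain, role and MAC address can be recorded automatically instead of copied by hand. The following Python is an added example written for this post, not code from the HP document or from Microsoft; the sample output is constructed in the layout `nbtstat -a` prints and is not from a real host, and the suffix table covers only the common well-known NetBIOS suffixes.

```python
"""Added example: parse the remote name table printed by `nbtstat -a`
and label each entry with the service its suffix denotes. The sample
output is constructed in the Windows nbtstat layout, not captured from
a real host."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_NBTSTAT_OUTPUT = """\
Local Area Connection:
Node IpAddress: [10.0.0.20] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WORKSTATION1   <00>  UNIQUE      Registered
    CORPDOMAIN     <00>  GROUP       Registered
    WORKSTATION1   <20>  UNIQUE      Registered
    CORPDOMAIN     <1C>  GROUP       Registered
    CORPDOMAIN     <1B>  UNIQUE      Registered

    MAC Address = 00-0C-29-3A-4B-5C
"""

# Well-known NetBIOS suffixes (the 16th byte of the name).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service (host name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC emulator)",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser service elections",
    ("20", "UNIQUE"): "File Server service (shares)",
}


@dataclass
class NbtName:
    name: str
    suffix: str   # two hex digits, e.g. "20"
    kind: str     # UNIQUE or GROUP
    status: str
    meaning: str


_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
_NODE = re.compile(r"Node IpAddress:\s*\[([^\]]*)\]")
_MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(output: str) -> dict:
    """Return the local node IP, the remote host's MAC and its name table."""
    names = []
    for line in output.splitlines():
        row = _ROW.match(line)
        if row:
            name, suffix, kind, status = row.groups()
            suffix = suffix.upper()
            meaning = SUFFIX_MEANING.get((suffix, kind), "unlisted suffix")
            names.append(NbtName(name, suffix, kind, status, meaning))
    node = _NODE.search(output)
    mac = _MAC.search(output)
    return {
        "node_ip": node.group(1) if node else None,
        "mac": mac.group(1).upper() if mac else None,
        "names": names,
    }


def host_name(parsed: dict) -> Optional[str]:
    """The Workstation service entry (<00> UNIQUE) is the host's own name."""
    return next((n.name for n in parsed["names"] if n.suffix == "00" and n.kind == "UNIQUE"), None)


def domain_name(parsed: dict) -> Optional[str]:
    """The <00> GROUP entry is the domain or workgroup the host belongs to."""
    return next((n.name for n in parsed["names"] if n.suffix == "00" and n.kind == "GROUP"), None)


def is_domain_controller(parsed: dict) -> bool:
    """Only domain controllers register DOMAIN<1C>; a <1B> entry marks the PDC emulator."""
    return any(n.suffix == "1C" and n.kind == "GROUP" for n in parsed["names"])


if __name__ == "__main__":
    result = parse_nbtstat(SAMPLE_NBTSTAT_OUTPUT)
    print("host:", host_name(result), "domain:", domain_name(result), "mac:", result["mac"])
    print("domain controller:", is_domain_controller(result))
    for entry in result["names"]:
        print(f"  {entry.name:<16} <{entry.suffix}> {entry.kind:<7} {entry.meaning}")
```

The `<1C>` group entry is the quick test for whether the host just queried is a domain controller, which changes how far a suspected compromise may already have spread; the MAC address, taken from the same output, is what ties the NetBIOS name back to the DHCP and switch records when the IP address turns out to have been reassigned.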

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. Comments and feedback are welcome; leave a message and it will be responded to.

