Recently, I started reviewing messages found in the corporate spam box, setup for people to alert us on any phishy messages getting past the spam filters, in an attempt to automatically analyze new phishing links.
Fortunately, or unfortunately (depending on where you sit), Proofpoint offers a service to a block links to malicious and suspicious sites. This service rewrites the suspect URL in each email with a link that redirects through the Proofpoint URL Defense system. A parameter of this new URL is the encoded version of the suspect link.
The challenge was to decode the URL parameter from Proofpoint and return it to its original format. This is for two purposes, first and formost, this allows me to not get blocked by URL Defense and second, it prevents skewed results.
Another interesting aspect of URL Defense is in the real-time alerts. These alerts contain information around who clicked the suspect link, from where and which link. Proofpoint is tricky how they include the suspect URL. They insert zero width space (Unicode: \u200b) between each character, basically invalidating the link. You know, for safety.
Thankfully, Warren Raquel had already written some code to decode the suspect link parameter of the rewritten URL, I simply scriptified his code, and added removal of those funky zero width spaces.
Modified ppdecode https://github.com/alxhrck/other_scripts/blob/master/ppdecode.py
Original ppdecode https://github.com/warquel/ppdecode
threat_note is a great, light-weight webapp that gives security researchers, incident responders and other security practitioners a place to collect indicators of compromise. threat_note has been designed to integrate with a variety of 3rd party services, allowing users to quickly pull in data to provide more context around an indicator.
One useful integration is with Cuckoo Sandbox. Cuckoo is a malware analysis sandbox used to detonate and examine suspicious executables. Cuckoo collects execution data including how a system is modifed, any dropped files and network communication. Enabling Cuckoo integration in threat_note is simple and quickly allows the investigator to grab IOCs from a previously analyzed sample.
Start by running the Cuckoo API server.
python ./cuckoo/utils/api.py -H 0.0.0.0
Next, in threat_note enable Cuckoo Sandbox in the Settings > File. Then configure the fields for Cuckoo Host and Cuckoo API Port.
The Import from Cuckoo button will appear on the Dashboard, clicking it will take you to the import page.
Select the analysis task you would like to import and optionally, add a campaign or list of tags.
All file hashes, domains and IP address detected by Cuckoo will now be available in the threat_note interface.
This simple yet powerful integration enables you to quickly import a large set of indicators from a tool that generates high quality IOCs.