Okay, let's get started. First of all, thank you for having me as a speaker in this village. It's my great pleasure to give a talk here. Today I'm going to talk about the basics of adversary infrastructure tracking and also how to automate tracking tasks with a tool which I'm developing.

Before starting, let me introduce myself. I'm ninoseki on GitHub and Twitter, so if you have a question after this event, please feel free to ask me via direct message. I'm working as a CSIRT and trust and safety team engineer in a Japanese company. So I guess you already know that English is not my native tongue, and I'm sure that my speaking is not good, so please be patient with me for a while. I'm interested in OSINT, CTI, and making things. Yeah, that's all.

This is the agenda of my presentation today. I will explain the basics of adversary infrastructure tracking and how to automate tracking with a tool which is named Mihari.

Basics of adversary infrastructure tracking. Adversaries are not always, but sometimes, good friends with bad habits. They reuse source code components and they reuse infrastructure: for example, IP addresses, SSL certificates, SSH host keys, and WHOIS registrants. Reusing something increases the possibility of tracking. Let's say it's a fingerprint at a crime scene: you can track a criminal based on the fingerprint there. Excuse me.

This is a very simplified threat hunting loop. You have to do all the tasks in there to track an adversary, but in this presentation I will focus on adversary infrastructure tracking. It can bring new C2 addresses, new landing pages, and new samples.

This is my mind map for adversary infrastructure tracking. You can use those fingerprints for tracking. For example, if a host has an SSL certificate, the X.509 fingerprint and the JARM and JA3 hash values can be used as a fingerprint.
And also if a host has an HTTP or HTTPS service, I mean, if it is a website, you can use HTML, JavaScript, style sheets, cookies, headers, and trackers as a fingerprint.

There are two ways to track fingerprints on the Internet. The first one is active tracking: scanning by yourself, using Nmap, ZMap, and so on. The other one is passive tracking, using third-party services like Shodan, Censys, BinaryEdge, VirusTotal, or PassiveTotal. Of course, there are pros and cons. Active tracking can find active targets, but it consumes a large number of computing resources. In passive tracking, there is no need to have your own scanning infrastructure, but you should pay a fee to use it in general, and you may not find active targets through passive tracking. But in general, passive tracking is more cost effective than having your own scanning infrastructure. So I will focus on passive tracking in this presentation.

Let me show examples of fingerprints, taking https://example.com as an example. It's a website, so it has HTML, and the hash values of that HTML can be used as fingerprints. Also, it has an SSL certificate, so its serial number and its SHA256 hash value can be used as fingerprints. For example, the HTML's MMH3 hash value can be used for a Shodan search, and the X.509 serial number can also be used for a Shodan search. The HTML's SHA1 hash value can be used for Censys, and the SHA256 hash value of the certificate can be used for a Censys search.

Here is a small tip for taking fingerprints of a website. I published a Python-based web app to calculate the basic fingerprints of a website. It is published on GitHub, so you can use it for free. Let me show a quick demo of this app. You put a URL in the form and just push the calculate button, then it calculates the fingerprints of example.com: the DNS record and WHOIS record, and hash values of the HTML. Unfortunately, example.com doesn't have a favicon, so there is no favicon hash. It has a certificate, so these are the hash values of the SSL certificate, and you can make a search.
For example, let's make a search on Shodan. Like that. Example.com. Example domain. You can make a search based on the certificate. Example.com. For example, you can make a search on urlscan.io based on the HTML's SHA256 hash value. Example.com. Example.com. Let me make another example: google.com. I believe it has a favicon, favicon.ico, so these are the hashes of the favicon, and you can make a search based on the favicon hash value. This is the Google icon. That's all.

I'd like to demonstrate how to automate tracking tasks with a tool which is named Mihari. Mihari is a framework for continuous OSINT-based threat hunting. It is a tool to automate passive tracking tasks. It is written in Ruby, and it is packaged as a Ruby gem, so it's very easy to install. Just execute this command, gem install mihari. And just a note: Mihari means lookout or guard in Japanese.

Let me explain how it works. Mihari can get input from over 15 services by default, for example Shodan, Censys, VirusTotal, PassiveTotal, and so on. And also it can integrate custom sources; I will explain it later. Mihari can output findings to a database, to TheHive, MISP, and a generic webhook. You can get a notification if there is a new finding which matches a search query. Then you can take a look at it.

Here is a very basic usage of Mihari. This command makes a search query in a service and stores the matched artifacts in a database. Mihari has a built-in web app, so you can check findings via the web app. I will do a demo of it later.

Mihari has a DSL to combine a set of queries as a rule. It is inspired by 3c7's infrastructure tracking scheme. This is a very powerful method to track an adversary, so let me explain it in detail. This is Mihari's rule schema. Let me simplify it. The required attributes are title, description, and queries. Yup, that's all. For example, please remember the fingerprints of example.com. This is a rule to find hosts which serve the same HTML as example.com:
the MMH3 hash value for Shodan, the SHA1 value for Censys, and the SHA256 value for BinaryEdge and urlscan. So it means you can combine multiple search queries in a single rule like this.

Let me explain two practical use cases. The first one is tracking DangerousPassword. DangerousPassword, which is also known as CryptoCore, Leery Turtle, or CryptoMimic, is an APT group that targets cryptocurrency exchanges around the world. Sometimes it reuses the same infrastructure for a certain period. For example, this is an IP address used by DangerousPassword as a landing page. You can see it has been used for months, so you can find new domains for landing pages by monitoring passive DNS. Then you can do a sort of hunting to find a new dropper that is used by DangerousPassword, and if there is a new connected domain in the dropper, I check the A record of that domain and register it in a Mihari rule, like this. And then I can get a notification if there is a new related domain through passive DNS.

The next one is MoqHao, which is also known as XLoader. It is Android malware that targets South Korea, Taiwan, Japan, Germany, and so on. This is a Mihari rule to track MoqHao landing pages. MoqHao uses a self-signed certificate for landing pages, so I use Shodan and Censys to track the hosts which use that certificate. And also MoqHao hosts have a very unique web-based ping tracker, and that ping tracker can be found by an HTML hash or the title of the HTML and a combination of open ports. Interestingly, MoqHao uses Pinterest to broadcast phishing messages. It embeds a message in the profile of a Pinterest account, so you can get a new phishing domain via Pinterest by monitoring those Pinterest accounts. Let's automate this task with Mihari. In Mihari, you can create an analyzer to ingest a custom source by writing a Ruby script. This is a part of a custom Mihari analyzer to track phishing domains in Pinterest accounts. So it means you can do more than querying with Mihari.
Mihari is written in Ruby, so you have to create an analyzer with Ruby, but if you are not familiar with Ruby, you can make an input via the REST API.

Let me do a demo of the Mihari web app. This is the Mihari web app, and you can see these artifacts were found by the rule I explained before, the MoqHao rule. And these IP addresses match the MoqHao rule. Rule for MoqHao. Let's take a look at it. Let's look it up on VirusTotal; it has many DNS records. MoqHao uses dynamic DNS services, so it has many domains in general. Let's validate whether it is really MoqHao or not. Let's access this domain. MoqHao has, how do I say, it checks the user agent. So let's access it with an Android phone's UA, Galaxy S5. It is written in Japanese, but it impersonates, how to say, it impersonates a company in Japan and it drops an APK. I believe it's Android malware. Like that. You can combine search queries in a single rule and track targets, track an adversary. Like that. I'm using Mihari to track MoqHao for years, so there are many artifacts like this.

Also, I explained that Mihari can make a notification to Slack. It's like that. It's the same value I demonstrated before, but you can get a notification like that and you can make, how do I say, a pivot on these buttons. For example, look up on VirusTotal or look up on Shodan or Censys. I said that MoqHao uses a self-signed certificate. This is that one. It's a very unique one, so it's very easy to track MoqHao, by the way.

Conclusion. Adversary infrastructure tracking brings new insights and findings. So it's a very powerful technique to track the activities of an adversary, but you should combine it with static and dynamic analysis and YARA hunting to get the whole picture. Mihari is a tool to make the tracking easy. Mihari provides a unified way to interact with various services: Shodan, Censys, VirusTotal, and so on.
And Mihari pings you when there are new findings, so it will help your research, and you can get better coverage by combining a set of queries in a rule. That's all. Thank you for listening. Is there any question? I'm willing to answer it. Thank you for listening.
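As an added example (not the speaker's code and not Mihari's own source), the following Python script calculates the website fingerprints discussed in the talk (MMH3, SHA1 and SHA256 of the HTML, plus the favicon hash the way Shodan computes it) and assembles them into a rule with the three required attributes, title, description and queries. The per-query analyzer/query keys and the service filter names (http.html_hash, services.http.response.body_hash, hash:) are my assumptions, and the sample HTML is constructed.

```python
import codecs
import hashlib
import struct

def mmh3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned as a signed int like the mmh3 package's hash()."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h1 = seed & mask
    nblocks = len(data) // 4
    for (k1,) in struct.iter_unpack("<I", data[: nblocks * 4]):  # 4-byte little-endian blocks
        k1 = (rotl((k1 * c1) & mask, 15) * c2) & mask
        h1 ^= k1
        h1 = (rotl(h1, 13) * 5 + 0xE6546B64) & mask
    tail, k1 = data[nblocks * 4 :], 0
    for i in range(len(tail) - 1, -1, -1):  # fold the 1-3 leftover bytes
        k1 ^= tail[i] << (8 * i)
    if tail:
        h1 ^= (rotl((k1 * c1) & mask, 15) * c2) & mask
    h1 ^= len(data)
    h1 = ((h1 ^ (h1 >> 16)) * 0x85EBCA6B) & mask  # fmix32 finalizer
    h1 = ((h1 ^ (h1 >> 13)) * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1

def website_fingerprints(html: bytes, favicon: bytes = b"") -> dict:
    """Hashes of a page body (and favicon) in the forms the search services index."""
    fp = {
        "html_mmh3": mmh3_x86_32(html),                   # Shodan http.html_hash
        "html_sha1": hashlib.sha1(html).hexdigest(),      # Censys body hash ("sha1:...")
        "html_sha256": hashlib.sha256(html).hexdigest(),  # urlscan.io / BinaryEdge
    }
    if favicon:
        # Shodan hashes the base64 text of the icon (76-char lines, as codecs produces)
        fp["favicon_mmh3"] = mmh3_x86_32(codecs.encode(favicon, "base64"))
    return fp

def build_rule(title: str, description: str, fp: dict) -> dict:
    """Mihari-style rule dict; analyzer names and query filters are assumptions."""
    queries = [
        {"analyzer": "shodan", "query": f"http.html_hash:{fp['html_mmh3']}"},
        {"analyzer": "censys", "query": f'services.http.response.body_hash:"sha1:{fp["html_sha1"]}"'},
        {"analyzer": "urlscan", "query": f"hash:{fp['html_sha256']}"},
    ]
    if "favicon_mmh3" in fp:
        queries.append({"analyzer": "shodan", "query": f"http.favicon.hash:{fp['favicon_mmh3']}"})
    return {"title": title, "description": description, "queries": queries}

SAMPLE_HTML = b"<html><head><title>Example Domain</title></head><body>ok</body></html>"  # constructed
```

Dump `build_rule("example-like page", "hosts serving the sample HTML", website_fingerprints(SAMPLE_HTML))` as YAML to get a rule in the shape the talk shows, one query per service for the same page.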