Blue teaming – it’s DATa complicated…

Published 2023-05-17 on hexacorn.com: https://www.hexacorn.com/blog/2023/05/17/blue-teaming-its-data-complicated/

A decade ago blue teaming was … easy (this is a really bad joke, I know!).

In fairness, we had fewer targets, fewer programming languages to deal with, fewer platforms, fewer architectures, fewer consoles, fewer … of everything…

In 2023 the life of a SOC/CERT person is a nightmare. In this Twitter thread (https://twitter.com/Hexacorn/status/1658959899496202241) I tried to summarize the state of affairs when it comes to the data that comes our way… in many forms…

It comes in binary form, it comes in textual form, using a variety of data formats, data encodings, encryption schemes, protocol-driven encapsulations, languages of telemetry, languages of defense, languages of offense; hidden, manipulative, driving us nuts and making us all love it at the same time…

There are so many forms in which information reaches us today:

- assembly: x86, x64, arm, sparc, ppc, IoT-specific
- bytecode: IL, python, java, autoit, nullsoft, inno
- actual executables: PE, ELF, COM, SYS, DRV, OCX, DLL
- archives/images: ZIP, TAR, GZ, RAR, 7z, Xz, Bzip2, KGB, ARJ, LHA, ISO, BIN, NRG, DMG, PKG, RPM, DEB, MSI, DLL, OVR, VMDK
- macros: VBA, OpenOffice BASIC
- compiled languages: c, cpp, C#, other .NET languages, vb, delphi, rust, go, nim
- scripts: bat, vbs, js, applescript, mof, idc, idl, rc, bash, powershell
- encoded scripts: jse, vbe
- web scripts: php, perl, asp, jsp
- python (IDAPython), perl, ruby, winbatch, autoit
- exotic malware files: fas (AutoDesk/AutoCAD)
- autorun scripts: autorun.inf
- Sigma
- SPL
- KQL
- AQL
- PowerQuery
- Linq
- SQL (including cache files)
- Yara (*.yar, *.yara)
- Detect It Easy
- Snort
- ClamAV
- Tanium Signals
- Synapse Storm
- Sublime Security email rules language
- R
- pseudo-code (IDA, Ghidra, etc.)
- config files: ini, yaml, linux config files (/etc/*), program-specific config files (too many to list)
- event logs: evt, evtx
- URL shortcuts: url
- binary shortcuts: lnk files
- data formats: sql, csv, tsv, json, xml
- plug-ins: from total commander, nmap, burp, windbg, notepad++, xdbg, etc. to regripper, kape, plaso, etc.
- network dumps: pcap
- files using character encodings: ascii, utf7, utf8, utf16, utf32, ebcdic, KOI, etc.
- files and streams using data encodings: base64, Ascii85, uuencode, etc.
- message encodings: mime
- memory dumps: raw, core, dmp (per process and full physical)
- highlight files: uew, tmLanguage, bt
- registry files: .reg
- quarantined files
- EDR logs in many formats, offering different levels of telemetry
- web logs (f.ex. both HTTP and HTTPS)
- mail logs
- mailbox files (ost, pst, mbox, msg, eml)
- (S)FTP logs
- AWS CloudTrail logs
- AWS GuardDuty logs
- command line syntax: lin, win, mac
- ‘randomly accessible (per company)’ feeds: f.ex. jamf
- proprietary and less-known log streams (msad, ossec, SaaS, FIM, etc.)
- browser extensions: xpi, crx
- Microsoft / Office files (rtf, doc*, xls*, ppt*, pps*, one, mdb, accdb)