05 - Automatic crawling pastebin for "nice" things using YARA + Splunk

yara=aws_api

# Read AWS access key from env. variables or configuration file. Best practice is NOT # to embed credentials in code. access_key = "AKIAILOQYR57QT5TYWJA" secret_key = "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"

'access_key' => 'AKIAJF6WVJVTGZMC5ANQ', 'secret_key' => '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', 'region' => 'eu-west-1' }

yara=email_list

pigman2011@hotmail.co.uk|aids1234 benbrownbjb@live.co.uk|bened1ct little_princess_2001@hotmail.co.uk|bighead7 bendiggory@hotmail.co.uk|lornas123 lou.easton@hotmail.co.uk|speedo500 njb1g10@soton.ac.uk|cloud999 kyle@jupiterkiss.co.uk|pokemon123 bartlett99@tiscali.co.uk|isaacisaac parade10break@yahoo.co.uk|Simply123 christophermholmes@yahoo.co.uk|shutupstupid alextapley123@live.co.uk|Live_life1 jamiefelllows@hotmail.co.uk|sheffwed ismailolanrewaju81@yahoo.co.uk|olanrewaju zm123v@hotmail.co.uk|provocator1 greensamuel@hotmail.co.uk|npcosm12 annaleigh@live.co.uk|bunnyblanket paulmottram@blueyonder.co.uk|batman123 zak.corderoy22@hotmail.co.uk|aprilia125 adnana@redmoor.leics.sch.uk|amaterasu mexmasterchief@hotmail.co.uk|anonymus s.j.pendleton@hotmail.co.uk|codliver1 narx.strawberry@googlemail.co.uk|runescape matthewbarnard14@yahoo.co.uk|riotstarter intrinsic@tiscali.co.uk|mattstef master54@hotmail.co.uk|fungames r4ih44n123@hotmail.co.uk|barcelona123 jasongoulden92@live.co.uk|09321039 stormin177@yahoo.co.uk|hayabusa racheltullett@hotmail.co.uk|B4ILEYB00 mkinlock@hotmail.co.uk|smokebeats cool@yahoo.co.uk|ironhide13 calebprice@hotmail.co.uk|calebhell jools15@hotmail.co.uk|screw805 adam.ellaway@live.co.uk|minimonster99 tzmpaul@hotmail.co.uk|toggle11 rath@hotmail.co.uk|cockface anglevi2000@yahoo.co.uk|89773432 mordwyn@hotmail.co.uk|cambria1 salbert4cert@hotmail.co.uk|brolly100 buddy218uk@yahoo.co.uk|eh8phg2q

To search the pastbin continously for interesting facts get yousrself the sources of Pastehunter from GitHUB.

git clone https://github.com/kevthehermit/PasteHunter.git

Get you a pastbin pro account and create your API key

https://pastebin.com/api

And whitelist the IP you are about to scrape pastebin from and note the scrape URL for the later config.

https://pastebin.com/doc_scraping_api

Configure settings.json accordingly

/opt/PasteHunter/settings.json

{
"inputs": {
"pastebin":{
"enabled": true,
"module": "inputs.pastebin",
"api_scrape": "https://scrape.pastebin.com/api_scraping.php",
"api_raw": "https://scrape.pastebin.com/api_scrape_item.php?i=[removed for privatcy]", ← This is where you need the scrape URL from above section
"paste_limit": 200,
"store_all": false
},
"dumpz": {
"enabled": true,
"module": "inputs.dumpz",
"api_scrape": "https://dumpz.org/api/recent",
"api_raw": "https://dumpz.org/api/dump",
"paste_limit": 200,
"store_all": false
},
"gists": {
"enabled": true,
"module": "inputs.gists",
"api_token": "([removed for privatcy])",
"api_limit": 100,
"store_all": false,
"user_blacklist": [],
"file_blacklist": ["grahamcofborg-eval-package-list"]
}
},
"outputs": {
"elastic_output": {
"enabled": false,
"module": "outputs.elastic_output",
"classname": "ElasticOutput",
"elastic_index": "paste-test",
"elastic_host": "192.168.1.22",
"elastic_port": 9200,
"elastic_user": "elastic",
"elastic_pass": "changeme",
"elastic_ssl": false,
"weekly_index": true
},
"json_output": {
"enabled": true,
"module": "outputs.json_output",
"classname": "JsonOutput",
"output_path": "logs/json/",
"store_raw": true,
"encode_raw": true
},
"csv_output": {
"enabled": false,
"module": "outputs.csv_output",
"classname": "CSVOutput",
"output_path": "logs/csv/"
},
"syslog_output": {
"enabled": false,
"module": "outputs.syslog_output",
"classname": "SyslogOutput",
"host": "10.1.1.21",
"port": 514
},
"smtp_output": {
"enabled": false,
"module": "outputs.smtp_output",
"classname": "SMTPOutput",
"smtp_host": "smtp.server.com",
"smtp_port": 25,
"smtp_security": "starttls",
"smtp_user": "[removed for privatcy]",
"smtp_pass": "[removed for privatcy]",
"recipients" : {
"recipient_1": {
"address": "emailaddress that gets the alerts",
"rule_list": ["custom_keywords"],
"mandatory_rule_list": []
},
"recipient_2": {
"address": "emailaddress that gets the alerts",
"rule_list": [],
"mandatory_rule_list": ["keyword1", "keyword2"]
}
}
}
},
"yara": {
"rule_path": "YaraRules",
"blacklist": true,
"test_rules": false
},
"general": {
"run_frequency": 120,
"logging_level": 20
},
"post_process": {
"post_email": {
"enabled": true,
"module": "postprocess.post_email",
"rule_list": ["email_list"]
},
"post_b64": {
"enabled": true,
"module": "postprocess.post_b64",
"rule_list": ["b64_exe", "b64_rar", "b64_zip", "b64_gzip"],
"cuckoo": {
"enabled": false,
"api_host": "127.0.0.1",
"api_port": 8080
},
"viper": {
"enabled": false,
"api_host": "127.0.0.1",
"api_port": 8080
}
}
}
}

Create your own yara rules that will match the realy interesting stuff 

/opt/PasteHunter/YaraRules/customer_watch.yar

/*
This rule will look for ducky / bunny code
*/

rule watch_[removed for privatcy]{
meta:
author = "Marcus Pauli"
info = "Part of PasteHunter"
reference = "none"

strings:
$a1 = "[removed for privatcy]" nocase
$a2 = "[removed for privatcy]" nocase
$a3 = "[removed for privatcy]" nocase
$a4 = "[removed for privatcy]" nocase
$a5 = "[removed for privatcy]" nocase
$a6 = "[removed for privatcy]" nocase
$a7 = "leak" nocase
$a8 = "password" nocase
$a9 = "[removed for privatcy]" nocase
$a10 = "[removed for privatcy]" nocase
$a11 = "[removed for privatcy]" nocase
$a12 = "[removed for privatcy]" nocase
$a13 = "[removed for privatcy]" nocase
condition:
3 of them
}

rule watch_pauli
{
meta:
author = "Marcus Pauli"
info = "Part of PasteHunter"
reference = "none"

strings:
$a1 = "mpauli.de" nocase
$a2 = "[removed for privatcy]" nocase
$a3 = "paul-sec.com" nocase
$a4 = "[removed for privatcy]" nocase
$a5 = "[removed for privatcy]" nocase
$a6 = "[removed for privatcy]" nocase
$a7 = "[removed for privatcy]" nocase
$a8 = "marcus.pauli" nocase
condition:
1 of them
}

Have Splunk monitor the according output from PasteHunter

Create Splunk sourcetype pastebin