Monthly Archives: August 2016

Creating Real Looking User Accounts in AD Lab

As I write my own tools for IR Hunting and Post-Expoitation I like to have a large realistic set of AD accounts and also accounts with accentuated and not english characters to make sure my tools will work in large environments and also simulate multiple geographical locations since most customers are not US based. When creating realistic user accounts I have found no better source that using http://www.fakenamegenerator.com it allows me to order a CSV with a large amount of realistic looking users and their details.  

To do this I first go to the Fake Name Generator page and select from the menu the Order in Bulk option, click on the checkbox to accept the terms of services and select as output Comma separated (.csv)

?format=1000w

Now on step 3 I can select the name set and the country for the account information I want. Once that is selected I then select the following fields:

  • GivenName
  • Surname
  • StreetAddress
  • City
  • Title
  • Username
  • Password
  • Country
  • TelephoneNumber
  • Occupation 
?format=1000w

Once the fields have been selected I simply specify the number, the email and enter the captcha to get the accounts via email. 

?format=1000w

Now once I have the CSV in my experience they tend to have repeated usernames, also I have found my self missing one or more of the fields when I selected what to include in the CSV so I wrote a series of PowerShell functions I can use when working with the data. 

The first function is a simple one that allows me to test that the CSV contains all the fields I want. It simply extracts the header from the CSV and checks against a list. 

<#

.Synopsis

   Test a CSV from FakeNameGenerator.com for required fields.

.DESCRIPTION

  Test a CSV from FakeNameGenerator.com for required fields.

.EXAMPLE

   Test-LabADUserList -Path .\FakeNameGenerator.com_b58aa6a5.csv

#>

function Test-LabADUserList

{

    [CmdletBinding()]

    [OutputType([Bool])]

    Param

    (

        [Parameter(Mandatory=$true,

                   Position=0,

                   ValueFromPipeline=$true,

                   ValueFromPipelineByPropertyName=$true,

                   HelpMessage="Path to CSV generated from fakenamegenerator.com.")]

        [Alias("PSPath")]

        [ValidateNotNullOrEmpty()]

        [string]

        $Path

    )

    Begin {}

    Process

    {

        # Test if the file exists.

        if (Test-Path -Path $Path -PathType Leaf)

        {

            Write-Verbose -Message "Testing file $($Path)"

        }

        else

        {

            Write-Error -Message "File $($Path) was not found or not a file."

            $false

            return

        }

        # Get CSV header info.

        $fileinfo = Import-Csv -Path $Path | Get-Member | Select-Object -ExpandProperty Name

        $valid = $true

        

            

        if ('City' -notin $fileinfo) {

            Write-Warning -Message 'City field is missing'

            $valid =  $false

        }

        if ('Country' -notin $fileinfo) {

            Write-Warning -Message 'Country field is missing'

            $valid =  $false

        }

        if ('GivenName' -notin $fileinfo) {

            Write-Warning -Message 'GivenName field is missing'

            $valid =  $false

        }

        if ('Occupation' -notin $fileinfo) {

            Write-Warning -Message 'Occupation field is missing'

            $valid =  $false

        }

        if ('Password' -notin $fileinfo) {

            Write-Warning -Message 'Password field is missing'

            $valid =  $false

        }

        if ('StreetAddress' -notin $fileinfo) {

            Write-Warning -Message 'StreetAddress field is missing'

            $valid =  $false

        }

        if ('Surname' -notin $fileinfo) {

            Write-Warning -Message 'Surname field is missing'

            $valid =  $false

        }

        if ('TelephoneNumber' -notin $fileinfo) {

            Write-Warning -Message 'TelephoneNumber field is missing'

            $valid =  $false

        }

        if ('Username' -notin $fileinfo) {

            Write-Warning -Message 'Username field is missing'

            $valid =  $false

        }

        $valid

    }

    End {}

}


The next function will remove any duplicate username entries, I have found with large samples that it is inevitable for some of the usernames to be duplicated. This function uses a lot the pipeline so as minimize memory use, not the fastest but when dealing with several thousands of fake user details in a VM environment with limited memory it becomes an acceptable tradeoff.

<#

.Synopsis

   Removes duplicate username entries from Fake Name Generator generated accounts.

.DESCRIPTION

   Removes duplicate username entries from Fake Name Generator generated accounts. Bulk

   generated accounts from fakenamegenerator.com must have as fields:

   * GivenName

   * Surname

   * StreetAddress

   * City

   * Title

   * Username

   * Password

   * Country

   * TelephoneNumber

   * Occupation

.EXAMPLE

    Remove-LabADUsertDuplicate -Path .\FakeNameGenerator.com_b58aa6a5.csv -OutPath .\unique_users.csv

#>

function Remove-LabADUsertDuplicate

{

    [CmdletBinding()]

    Param

    (

        [Parameter(Mandatory=$true,

                   Position=0,

                   ParameterSetName="Path",

                   ValueFromPipeline=$true,

                   ValueFromPipelineByPropertyName=$true,

                   HelpMessage="Path to CSV to remove duplicates from.")]

        [Alias("PSPath")]

        [ValidateNotNullOrEmpty()]

        [string]

        $Path,

        [Parameter(Mandatory=$true,

                   Position=1,

                   ParameterSetName="Path",

                   ValueFromPipeline=$true,

                   ValueFromPipelineByPropertyName=$true,

                   HelpMessage="Path to CSV to remove duplicates from.")]

        [ValidateNotNullOrEmpty()]

        [string]

        $OutPath

    )

    Begin {}

    Process

    {

        Write-Verbose -Message "Processing $($Path)"

        if (Test-LabADUserList -Path $Path) {

            Import-Csv -Path $Path | Group-Object Username | Foreach-Object {

                $_.group | Select-Object -Last 1} | Export-Csv -Path $OutPath -Encoding UTF8

        } else {

            Write-Error -Message "File $($Path) is not valid."

        }

        

    }

    End {}

}


The last function does the importing of accounts from the processed CSV with duplicate usernames removed in to a specified OU. The function will create OUs under the specified one for each country in the account set. 

<#

.SYNOPSIS

    Imports a CSV from Fake Name Generator to create test AD User accounts.

.DESCRIPTION

    Imports a CSV from Fake Name Generator to create test AD User accounts.

    It will create OUs per country under the OU specified. Bulk

   generated accounts from fakenamegenerator.com must have as fields:

   * GivenName

   * Surname

   * StreetAddress

   * City

   * Title

   * Username

   * Password

   * Country

   * TelephoneNumber

   * Occupation

.EXAMPLE

    C:\PS> Import-LabADUser -Path .\unique.csv -OU DemoUsers

#>

function Import-LabADUser

{

    [CmdletBinding()]

    param(

        [Parameter(Mandatory=$true,

                   Position=0,

                   ValueFromPipeline=$true,

                   ValueFromPipelineByPropertyName=$true,

                   HelpMessage="Path to one or more locations.")]

        [Alias("PSPath")]

        [ValidateNotNullOrEmpty()]

        [string[]]

        $Path,

        [Parameter(Mandatory=$true,

                   position=1,

                   ValueFromPipeline=$true,

                   ValueFromPipelineByPropertyName=$true,

                   HelpMessage="Organizational Unit to save users.")]

        [String]

        [Alias('OU')]

        $OrganizationalUnit

    )

    

    begin {

        

    }

    

    process {

        Import-Module ActiveDirectory

        if (-not (Get-Module -Name 'ActiveDirectory')) {

            return

        }

        $DomDN = (Get-ADDomain).DistinguishedName

        $forest = (Get-ADDomain).Forest

        $ou = Get-ADOrganizationalUnit -Filter "name -eq '$($OrganizationalUnit)'"

        if($ou -eq $null) {

            New-ADOrganizationalUnit -Name "$($OrganizationalUnit)" -Path $DomDN

            $ou = Get-ADOrganizationalUnit -Filter "name -eq '$($OrganizationalUnit)'"

        }

        $data =

        Import-Csv -Path $Path | select  @{Name="Name";Expression={$_.Surname + ", " + $_.GivenName}},

                @{Name="SamAccountName"; Expression={$_.Username}},

                @{Name="UserPrincipalName"; Expression={$_.Username +"@" + $forest}},

                @{Name="GivenName"; Expression={$_.GivenName}},

                @{Name="Surname"; Expression={$_.Surname}},

                @{Name="DisplayName"; Expression={$_.Surname + ", " + $_.GivenName}},

                @{Name="City"; Expression={$_.City}},

                @{Name="StreetAddress"; Expression={$_.StreetAddress}},

                @{Name="State"; Expression={$_.State}},

                @{Name="Country"; Expression={$_.Country}},

                @{Name="PostalCode"; Expression={$_.ZipCode}},

                @{Name="EmailAddress"; Expression={$_.Username +"@" + $forest}},

                @{Name="AccountPassword"; Expression={ (Convertto-SecureString -Force -AsPlainText $_.password)}},

                @{Name="OfficePhone"; Expression={$_.TelephoneNumber}},

                @{Name="Title"; Expression={$_.Occupation}},

                @{Name="Enabled"; Expression={$true}},

                @{Name="PasswordNeverExpires"; Expression={$true}} | ForEach-Object -Process {

            

                    $subou = Get-ADOrganizationalUnit -Filter "name -eq ""$($_.Country)""" -SearchBase $ou.DistinguishedName        

                    if($subou -eq $null) {

                        New-ADOrganizationalUnit -Name $_.Country -Path $ou.DistinguishedName

                        $subou = Get-ADOrganizationalUnit -Filter "name -eq ""$($_.Country)""" -SearchBase $ou.DistinguishedName        

                    }

                    $_ | Select @{Name="Path"; Expression={$subou.DistinguishedName}},* | New-ADUser  

                }

    }    

    end {}

}


The PS1 file with the functions can be found in my GitHub account https://github.com/darkoperator/powershell_scripts/blob/master/LabAccountImport.ps1 once you download a copy of it you only need to dot source the file on a PowerShell session on the Windows 2012 R2 domain controller where you want to import the accounts:

PS C:\> . .\LabAccountImport.ps1

Now the functions will be available for you to use in the interactive session. We start by testing the file we got via email to make sure it has all the fields we want and that no mistakes where done when ordering the names:

PS C:\> Test-LabADUserList -Path .\FakeNameGenerator.com_b58aa6a5.csv 
True

Now we create a new CSV file with unique usernames:

PS C:\> Remove-LabADUsertDuplicate -Path .\FakeNameGenerator.com_b58aa6a5.csv -OutPath .\UniqueUY.csv

Once we have the accounts with unique usernames we can import de file in to Active Directory:

PS C:\> Import-LabADUser -Path .\UniqueUY.csv -OrganizationalUnit DemoUsers

Once it finishes you should now have a nice set of test accounts in AD for you to use. 

?format=1000w

Of the 3,000 accounts only 2,182 where unique when it came to username, still a very good number for testing. In the future I will probably make it so when it finds accounts with repeated usernames, Surnames or LastNames to add a random string to each. 

As Always I hope you find the information useful. 

M-Trends Asia Pacific: Organizations Must Improve at Detecting and Responding to Breaches

Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of some of the largest and most sophisticated cyber attacks. In February 2016, we released our annual global M-Trends® report based on data from the breaches we responded to in 2015. Now, we are releasing M-Trends Asia Pacific, our first report to focus on this very diverse and dynamic region.

Some of the key findings include:

  • Most breaches in the Asia Pacific region never became public. Most governments and industry-governing bodies are without effective breach disclosure laws, although this is slowly changing.
  • The median time of discovery of an attack was 520 days after the initial compromise. This is 374 days longer than the global median of 146 days.
  • Mandiant was engaged by many organizations that have already conducted forensic investigations (internally or using third parties), but failed to eradicate the attackers from their environments. These efforts sometimes made matters worse by destroying or damaging the forensic evidence needed to understand the full extent of a breach or to attribute activity to a specific threat actor.
  • Some attacker tools were used to almost exclusively target organizations within APAC. In April 2015, we uncovered the malicious efforts of APT30, a suspected China-based threat group that has exploited the networks of governments and organizations across the region, targeting highly sensitive political, economic and military information.

Download M-Trends Asia Pacific to learn more.

Zepto Evasion Techniques

We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.)

Zepto spam

As we dig deeper into our analysis, we found out that these macro scripts are not crafted manually. The malware authors have automated the creation and obfuscation of their code. This type of random obfuscation is one way of evading antivirus engines. As outlined below, our research highlights several methods employed to dynamically evolve the attack vector to circumvent detection.

From the malicious emails we have gathered, we will examine the attachments to analyze key differences and common characteristics.

The malicious code was written and spread across the 3 sub modules:

zepto automation

5 sub modules are being used for the malicious code:

zepto obfuscation

Examining the sub modules of the file shows that it has some common signatures that we can look for:

zepto codezepto hidden code

We were able to find blocks of code that shares common structures. Remember that these codes were found on a different part or index of the module. From programmer’s perspective, this may seem a little odd to see codes like this, but as the analysis continues, we can say that this is just one part of the malware author’s strategy to hide the code and confuse incident responders.

Notice the highlighted strings from both screenshots that are common across the two samples. At first glance, some significant strings can be formed only if the garbage strings such as:

  • “RIIM”
  • “PORKKI”

were removed or replaced, they can be formed as:

  • “microsoft”
  • “Adodb.stream”
  • “script”
  • “application”

Additionally, and maybe more significant, is the activity of these scripts. You will also notice the highlighted strings are surrounded by what we can now assume are garbage code for misdirection and to further obfuscate malicious code.

Basically, the usual flow of the scripts analyzed will go like this:

zepto infection process

At this point, the payload of the downloaded Zepto ransomware will take over.

As observed with the Zepto downloaders, the scripts also varies with the encrypted URLs. Below are some of the URLs from which the monitored scripts attempted to download Zepto. Imagine how many of them are generated and how many various structured scripts are available in the wild. Zepto is not only distributed through macro scripts, there are also JavaScrip and wsf script downloaders.

zepto download links

With some twists of social engineering, creativity and advanced programming skills, cybercriminals are becoming increasingly adept at delivering Zepto and other ransomware payloads to both business and home users.

zepto infection screen

Prevent Ransomware Infections?

To prevent ransomware, we recommended you block it early from the root of its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default for any Microsoft Office application. Some macro malwares even tell you how to enable macros or may mislead you in doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data

VIPRE Antivirus Detections for this threat include:

  • Trojan-Downloader.O97M.Donoff.by (v)
  • Trojan-Downloader.O97M.Donoff.bu (v)
  • OLE.Generic.a (v)

Md5:
bb1ddad0780314a8dd51a4740727aba5
7e9657149c0062751c96baf00c89a57a

Reference:

Zepto Ransomware Packed into WSF Spam

Analysis by Daryl Tupaz

The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Linux.Agent malware sample – data stealer



Research: SentinelOne, Tim Strazzere Hiding in plain sight?
Sample credit: Tim Strazzere


List of files

9f7ead4a7e9412225be540c30e04bf98dbd69f62b8910877f0f33057ca153b65  malware
d507119f6684c2d978129542f632346774fa2e96cf76fa77f377d130463e9c2c  malware
fddb36800fbd0a9c9bfffb22ce7eacbccecd1c26b0d3fb3560da5e9ed97ec14c  script.decompiled-pretty
ec5d4f90c91273b3794814be6b6257523d5300c28a492093e4fa1743291858dc  script.decompiled-raw
4d46893167464852455fce9829d4f9fcf3cce171c6f1a9c70ee133f225444d37  script.dumped

malware_a3dad000efa7d14c236c8018ad110144
malware fcbfb234b912c84e052a4a393c516c78
script.decompiled-pretty aab8ea012eafddabcdeee115ecc0e9b5
script.decompiled-raw ae0ea319de60dae6d3e0e58265e0cfcc
script.dumped b30df2e63bd4f35a32f9ea9b23a6f9e7


Download


Download. Email me if you need the password


Donoff Macro Dropping Ransomware

Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a Macro-Enabled word document file known as Donoff, which downloads the Zepto executable that encrypts all your files and will later ask for payment of the decryption key.

donoff malicious macro sample

We decided to take a closer look on the Donoff macro used in downloading the Zepto ransomware. Here’s what we found:

The VBA Macro code

At first glance, the code is fully commented in Spanish and uses some random generated variable names.

Here a look at the code:

donoff macro code

Retrieving Zepto

The Word document contains two macro functions, autoopen and ActualizarEntrada.

donoff spanish code

Here are more snips of code showing the processing of obfuscated text.

donoff macro code

These are the strings revealed after deobfuscation.

  • XMLHTTP
  • streaM
  • Application
  • shell
  • Process
  • GeT
  • TeMP
  • Type
  • open
  • write
  • responseBody
  • savetofile
  • \sysdrubpas.exe

This VBScript uses Microsoft.XMLHTTP and Adodb.Stream Objects to download Zepto.

The Microsoft.XMLHTTP object is one of Microsoft’s XML DOM (Document Object Model) modules that is intended to deliver client-side access to XML documents on remote servers through the HTTP protocol.  This object is used to request or send any type of document.

The ADODB.Stream Object is used to read, write and manage a stream of binary data or text.

3

The following code decrypts to

x

4

Here’s the code that downloads the encrypted Zepto executable file.

5

The encrypted file is stored to the file system as TempWFDSAdrweg.  It then uses this key Aw3WSr7dB3RlPpLVmGVTtXcQ3WG8kQym to decrypt and stores the decrypted binary to the file sysdrubpas.exe in the %temp% folder.  %temp% folder is usually the C:\Users\<username>\AppData\Local\Temp folder.

6

Decryption code

7

Encrypted Zepto (Displayed here in Hexadecimals):

encrypted zepto

Decrypted Zepto (now in Executable form):

decrypted zepto

The script then executes sysdrubpas.exe infecting the system of the user.

sysdrubpas.exe

ThreatAnalyzer – Malware Sandbox Analysis

When executed in our malware analysis sandbox ThreatAnalyzer, here’s the process tree caused by the malicious Word document

donoff analysis

The ThreatAnalyzer Behavioral Determination Engine flags this as 100% malicious file and was able to find dozens of suspicious behaviors.donoff processes

One notable common behavior of ransomware is how it deletes shadow copies to prevent easy restoration from Windows backup.

3

Other behaviors are very similar to our previous post about Zepto ransomware:  https://blog.threattrack.com/ransomware-packed-into-wsf-spam/.

Prevent Ransomware Infections?

To prevent ransomware, we recommended you block it early from the root of its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default for any Microsoft Office application. Some macro malwares even tell you how to enable macros or may mislead you in doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data

HASHES

e98aee56175daaa96f259d04077d820f – malicious DOC attachment (Trojan-Downloader.O97M.Donoff.by (v))

837a5b0dbd5850634bfecadadc751cdd – Zepto executable (Trojan.Win32.Generic!BT)

Analysis by Wilmina Elizon

The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

Forensics Quickie: PowerShell Versions and the Registry

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly. I was chatting with Jared Atkinson and James Habben about PowerShell today and a question emerged from the discussion: is there way to determine the version of PowerShell installed on a given machine without using the $PSVersionTable PowerShell command? We all agreed that it

How to Build Your Own Penetration Testing Drop Box

xdtwKW--ptbAynRQhg0wolro8GgRmYUOz--cVuCY

Beau Bullock // TL;DR I compared three single-board computers (SBC) against each other with a specific goal of finding which one would serve best as a “penetration testing drop box”, and maintain an overall price of around $110. Spoiler Alert: At the time I tested these Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space. If […]

Google Chrome, Firefox Address Bar Spoofing Vulnerability

Introduction

Google security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers" and if the only reliable security indicator could be controlled by an attacker it could carry adverse affects, For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is legitimate website as the address bar points to the correct website.
In my paper "Bypassing Browser Security Policies For Fun And Profit" I have uncovered various Address Bar Spoofing techniques as well as bugs affecting modern browsers.  In this blog post I would discuss about yet another "Address Bar Spoofing" vulnerability affecting Google Chrome's Omnibox. Omnibox is a customized address bar api developed for better user experience such as search suggestions, URL prediction, instant search features so on and so forth.

Technical Details

Characters from languages are such as Arabic, Hebrew are displayed from RTL (Right To Left) order, due to mishandling of several unicode characters such as U+FE70, U+0622, U+0623 etc and how they are rendered combined with (first strong character) such as an IP address or alphabet could lead to a spoofed URL. It was noticed that by placing neutral characters such as "/", "اin filepath causes the URL to be flipped and displayed from Right To Left. However, in order for the URL to be spoofed the URL must begin with an IP address followed by neutral characters as omnibox considers IP address to be combination of punctuation and numbers and since LTR (Left To Right) direction is not properly enforced, this causes the entire URL to be treated and rendered from RTL (Right To Left). However, it doesn't have be an IP address, what matters is that  first strong character (generally, alphabetic character) in the URL must be an RTL character

Logical Order

The following is the logical order of characters in the memory.  Since, Omnibox removes"http://" and displays strings without "http://" prefix.

127.0.0.1/ا/http://example.com

Display Order

The following is the display order of characters after the browser removes the leading "http://", decodes the percent-escaped bytes, and applies the bidirectional algorithm.

http://example.com/‭ا/127.0.0.1

Steps To Reproduce

1) Visit the following link for the vulnerable browser - http://182.176.65.7/%EF%B9%B0/http://google.com/test

2) You would notice that the URL has been flipped from Right to left and the browser displays http://google.com/test/182.176.65.7 while it displays the content from the IP address.



The IP address part can be easily hided specially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/... /127.0.0.1) in order to make the attack look more realistic. In order to make the attack more realistic unicode version of padlock can be used in order to demonstrate the presence of SSL.

Firefox Mobile Address Bar Spoofing CVE-2016-5267

Firefox was also prone to a similar vulnerability, however this did not require IP address to trigger, all it required was is arabic RTL characters, which in this case i provided arabic TLD (عربي.امارات) in order to trigger the vulnerability which resulted in

Proof of concept 

http://عربي.امارات/google.com/test/test/test


As you can see from the above screenshot that the page is hosted on عربي.امارات , however the address bar points to google.com.

Important Note

Variation of similar vulnerability has also been discovered in several other browsers that are still undergoing a fix there i am refraining from disclosing them. Details will be disclosed, once a fix has been landed. 

Fix

RFC 3987 § 4.1 states that "Bidirectional IRIs MUST be rendered in the same way as they would be if they were in a left-to-right embedding.", therefore setting paragraph direction to LTR fixes this issue. This is a known issue and has already been discussed in great detail here.

Credits

I am highly indebted to "Matt Giuca" from the Google Chrome team for his extensive help on this issue and "Tod Beardsley" for handling the disclosure.

Bug Bounty 

The total bounty rewarded for all bugs combined was 5000$.

Analyzing the Malware Analysts – Inside FireEye’s FLARE Team

At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering (FLARE) Team.

During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software,” and the latest open source freeware tools FLOSS and FakeNet-NG.

Listen to the full podcast here.

FPC

Here is my opinion on FPC. 

Full packet capture can be an intrusion analyst's best friend. Consider this example: You receive an alert that an internal device accessed a piece of JavaScript on some web site and the rule says there was an object use-after-free attempt. You need to inspect that code and see if it is malicious and preferably, what occurred afterwards. 

You could use a tool like wget or Spondulas to download the code, or you could use a sand boxed machine to browse to the URI and view the source. You could put the URI into some online site checker and see what it finds. You could check the reputation of the domain.

But, what if you are capturing full packets going in and out of your network to the Internet?

You can pull up the URI in a tool like Moloch or a commercial tool, and look at the session. You can see the JavaScript as it was delivered exactly to THAT client, running that OS, using that browser and user-agent and see what happened afterwards. You can save the code off as a file to further inspect it and run the pcap through Wireshark or SteelCentral Packet Analyzer or Netwitness or some other analysis tool.

You CAN do intrusion analysis without FPC, but you can't do it as quickly OR as effectively. 
Flow data and logs and threat intelligence are all fine (well, maybe not so much on the threat intelligence) but having packets trumps them all.