Services on CIRCL

AIL - Analysis Information Leak framework - Training Materials

Mon, 01 Jan 0001 00:00:00 +0000

Introduction

AIL project and AIL framework - Framework for Analysis of Information Leaks

AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams (such as Tor hidden services). AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.

AIL framework - FIRST virtual Training/Workshop.
AIL workshop slides including Darknet and Social Network Monitoring Introduction to Challenges, Concepts and Data Mining of the Deep Web.

Bug Report or Issues

AIL framework is a free and open source software available at https://github.com/ail-project/ail-framework. If you encounter any issues, bugs or you want to contribute, free free to open an issue.

CIRCL Cybersecurity Training Initiatives

Mon, 01 Jan 0001 00:00:00 +0000

CIRCL Cybersecurity Training Initiatives

CIRCL (Computer Incident Response Center Luxembourg) has established a robust set of training initiatives to enhance cybersecurity capabilities across various sectors. These initiatives are supported by numerous European projects and funding programs, aiming to strengthen technical expertise, improve cybersecurity practices, and foster collaborative knowledge sharing. Below is an overview of our key training projects and co-funded by EU projects:

MISP-NG (CEF 2016-LU-IA-0098)

The MISP-NG project focuses on providing training for the MISP platform. Supported by the CEF (Connecting Europe Facility) funding, this training empowers organizations to utilize MISP for threat intelligence and information sharing.

CIRCL hashlookup

Mon, 01 Jan 0001 00:00:00 +0000

CIRCL hashlookup (hashlookup.circl.lu)

CIRCL hash lookup is a public API to lookup hash values against known database of files. NSRL RDS database is included and many others are also included. The API is accessible via HTTP ReST API and the API is also described as an OpenAPI. The service is free and served as a best-effort basis.

Sources included in CIRCL hashlookup

Common Windows 10 and Windows 11 build (French, Dutch, German, UK, US)
NIST NSRL - All RDS hash sets including current, modern, android, iOS and legacy + SHA256 mapping.
Ubuntu packages distribution
CentOS core OS distribution
Fedora project EPEL repository
Kali linux packages distribution
OpenSUSE distribution packages
OpenBSD binary tar.gz distribution
CDNJS
Snap public repository

Is it a database of malicious or non-malicious hash of files?

CIRCL hashlookup service only gives details about known files appearing in specific database(s). This gives you context and information about file hashes which can be discovered during investigation or digital forensic analysis.

Digital Forensic - Training Materials

Mon, 01 Jan 0001 00:00:00 +0000

Introduction

An introduction to file-system post-mortem forensic analysis. This page links to the materials used during forensic trainings and presentations, including slides and links to the disk images.

Training Materials: 75 TF-CSIRT Meeting - DFIR-1.0.1

Slide Deck: From Zero to Hero - Digital Forensics 1.0.1
Exercises: From Zero to Hero - Exercises 1.0.1
Solutions: Solutions for the exercises can be request via email at: info@circl.lu
Materials: All files incl. disk images SHA1:2f9667a83abec81066d40d425397c0c0a0ae0b63

CIRCL - Virtual Summer School (VSS) 2025

Slide Deck: Digital Forensics 1.0.1 - From Zero to Hero
Video Recording: Digital Forensics 1.0.1 - From Zero to Hero

Training Materials: Edition December 2024

Slide Deck: Digital Forensics 1.0.1 - Introduction: Post-mortem Digital Forensics
Slide Deck: Digital Forensics 1.0.2 - Introduction: File System Forensics and Data Recovery
Slide Deck: Digital Forensics 1.0.3 - Introduction: Windows-, Memory- and File Forensics
Disk Image: Exercises SHA1:0dff633fded030dd7ac58c871a928afe93d260e9
Commands: Command Line Cheat Sheet v0.1

AUSCERT2024

Slides: As We Are Many - The spooky USB stick
Materials: All files incl. disk images SHA1:2f9667a83abec81066d40d425397c0c0a0ae0b63

Follow the instructions on the sildes and the provided training materials to create your own spooky USB stick. Take care, as some of the parameters likely vary sligthly on you own computer. Take care using dd with root rights. We are not responible if you wipe your own disk by accident.

Dynamic Malware Analysis

Mon, 01 Jan 0001 00:00:00 +0000

Dynamic Malware Analysis (DMA)

Dynamic Malware Analysis (DMA) is a service offered by CIRCL and operated by Joe Security LLC[1], a renowned Swiss security company specialised on leading sandbox technologies. CIRCL and Joe Security already collaborated regarding Joe’s MISP [2] integration. The platform allows the analysis of potential malicious software or suspicious documents in a secure and virtualized environment.

Users can upload their suspicious software or document files via a web-interface and select a specific target platform. The request is then automatically processed and executed within the selected target. After the execution, additional analysis is performed like memory analysis and comparative analysis. Then a report is made available including all the complete dynamic analysis, memory analysis and additional information.

IP to ASN Mapping Whois Service

Mon, 01 Jan 0001 00:00:00 +0000

IP to ASN Mapping Service with History

There are several services on the Internet to map IP addresses to their corresponding BGP AS number like the renowned IP to ASN mapping of Team Cymru.

During incident handling, we were lacking an historical view of IP address announcement evolution over time. It is not uncommon to have IP addresses announced by different BGP AS number over a period of time. We developed a service, freely accessible to the whole community, to look up IP addresses announcements in the past. Currently, the service covers a time span of more than 4 years until today.

MISP - Malware Information Sharing Platform & Threat Sharing for the financial sector

Mon, 01 Jan 0001 00:00:00 +0000

Information security and fraud detection are often transversal activities within banking or financial operators. One financial organization alone cannot perform all upcoming threat analysis and requires additional information shared by others. In that scope, CIRCL co-developed MISP (a threat sharing platform) to support information sharing in the context of cyber security as well as within the context of fraud. Financial services, like any other type of organization with an increased attack surface, need simple ways to share information while being able to ensure an adequate balance between privacy, confidentiality and the need of sharing to protect customers and users of financial services.

MISP - Open Source Threat Intelligence Platform

Mon, 01 Jan 0001 00:00:00 +0000

MISP - Open Source Threat Intelligence Platform

MISP - Open Source Threat Intelligence and Sharing Platform (formerly known as Malware Information Sharing Platform) is developed as free software/open source by a group of developers from CIRCL and many other contributors.

CIRCL operates several MISP instances (for different types of constituents) in order to improve automated detection and responsiveness to targeted and cybersecurity attacks in Luxembourg and outside. MISP is a platform for sharing threat indicators, threat intelligence within private and public sectors.

MISP - Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing - Training Materials

Mon, 01 Jan 0001 00:00:00 +0000

Introduction

In a continuous effort since 2016, CIRCL frequently gives practical training sessions about MISP (Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing). The purpose is to reach out to security analysts using MISP as a threat intelligence platform along with users using it as an information sharing platform.

This page includes all the materials used during the training, including slides and a virtual machine, preconfigured with the latest version of MISP. All the training materials are open source and available at the following location https://github.com/MISP/misp-training.

Network exposure change detection service

Mon, 01 Jan 0001 00:00:00 +0000

Network exposure change detection service

A periodic external view on the exposure of network services can help identifying network service outages. But further more it can detect if new services have been established, either by an employee, a supplier or an attacker. Sometimes new services are places on purpose, sometimes by accident, or for instance to maintain access by criminals.

This service is based on periodic network port scans. It is able to detect and send the result to an email address, containing the changes seen since the last subsequent scans.

Pandora Document and File Analysis

Mon, 01 Jan 0001 00:00:00 +0000

Pandora Document and File Analysis

Pandora is an analysis framework designed to determine if a file is suspicious, conveniently displaying the results. Pandora provides a user-friendly content preview interface for large documents, including a preview of the metadata. This allows users to view files without the need to open them locally.

Can I submit sensitive documents for analysis?

Yes, by default, the files are only accessible to the active browser session. The files are not shared (besides the hash lookup) with third parties or external services.

Passive DNS

Mon, 01 Jan 0001 00:00:00 +0000

Passive DNS version 2.0

CIRCL Passive DNS is a database that stores historical DNS records from various resources, including malware analysis and partners. The DNS historical data is indexed, making it searchable for incident handlers, security analysts, or researchers.

In November 2023, CIRCL released version 2.0 of its Passive DNS service. The new version is backward-compatible with the previous 1.0 version. The output format remains Passive DNS - Common Output Format, and the query interface is similar. New headers were introduced to support some new functionalities, including filtering and pagination. If no headers are set, the Passive DNS API falls back to the previous 1.0 version’s behavior.

Passive SSL

Mon, 01 Jan 0001 00:00:00 +0000

Passive SSL

CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address, which makes it searchable for incident handlers, security analysts or researchers.

How do you collect the SSL certificates?

The CIRCL Passive SSL database uses public scanning datasets like the excellent scans.io project.

For more information, Passive SSL was presented at FIRST 2015 in Berlin.

Penetration Testing - An Introduction

Mon, 01 Jan 0001 00:00:00 +0000

Introduction

In the past CIRCL gave practical trainings “Penetration Testing 1.0.1 - Introduction: Penetration Testing & Ethical Hacking”.

This page links to the materials used during a training including slides and links to the virtual machines download pages.

Instructions for setting up the private / personal lab is part of the slides.

Duration

This training is available in to formats:

1 day - All exercises are demonstrated. Attendees can practice the exercises later on, back at home.
2 day - Hands-on exercises. Attendees will practice all exercises during the training with support from the instructor.

VMs

Slides

Penetration Testing 1.0.1 - Introduction: Penetration Testing & Ethical Hacking

License

Materials are licensed under the CC-BY license.

Updates

2016-12-02 - Initial release of slides version 1.0.0
2021-05-28 - Initial release of slides version 1.0.1

Training and Technical Courses

Mon, 01 Jan 0001 00:00:00 +0000

Introduction

CIRCL offers courses to its members and organizations based in Luxembourg and worldwide.

In their mission to improve information security, CIRCL is sharing its field experience through a set of training or technical courses. Due to diversity of competences within the team, CIRCL is able to provide a large diversity of information security trainings. Courses target technical experts but also non-technical staff in the topics of incident handling, malware analysis, operational security and system forensics.

URL Abuse Testing

Mon, 01 Jan 0001 00:00:00 +0000

URL Abuse and Security Testing

URL Abuse is a public CIRCL service to review the security of an URL (internet link). Users regularly encounter links while browsing the Internet or receiving emails. When there are some doubts regarding an URL (e.g. potential phishing attacks or malicious links), users can submit an URL for review via URL abuse.

How to use the service?

The service is an online web service where any user can submit a link. You will need javascript enabled to access the page and the content is delivered when available via AJAX.

Vulnerability-Lookup Service

Mon, 01 Jan 0001 00:00:00 +0000

Multi-Source Vulnerability-Lookup and Collaboration

Vulnerability-Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).

Vulnerability-Lookup is accessible via a web interface, RSS/Atom and an HTTP API. Vulnerability-Lookup is an interface to search publicly known information from security vulnerabilities in software and hardware along with their corresponding exposures. You can also register and collaborate on the vulnerability intelligence by adding comments or even reporting vulnerabilities.

Services on CIRCL

AIL - Analysis Information Leak framework - Training Materials

Introduction

Bug Report or Issues

CIRCL Cybersecurity Training Initiatives

CIRCL Cybersecurity Training Initiatives

MISP-NG (CEF 2016-LU-IA-0098)

CIRCL hashlookup

CIRCL hashlookup (hashlookup.circl.lu)

Sources included in CIRCL hashlookup

Is it a database of malicious or non-malicious hash of files?

Digital Forensic - Training Materials

Introduction

Training Materials: 75 TF-CSIRT Meeting - DFIR-1.0.1

CIRCL - Virtual Summer School (VSS) 2025

Training Materials: Edition December 2024

AUSCERT2024

Dynamic Malware Analysis

Dynamic Malware Analysis (DMA)

IP to ASN Mapping Whois Service

IP to ASN Mapping Service with History

MISP - Malware Information Sharing Platform & Threat Sharing for the financial sector

Information sharing within the financial sector

MISP - Open Source Threat Intelligence Platform

MISP - Open Source Threat Intelligence Platform

MISP - Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing - Training Materials

Introduction

Network exposure change detection service

Network exposure change detection service

Pandora Document and File Analysis

Pandora Document and File Analysis

Can I submit sensitive documents for analysis?

Passive DNS

Passive DNS version 2.0

Passive SSL

Passive SSL

How do you collect the SSL certificates?

Penetration Testing - An Introduction

Introduction

Duration

VMs

Slides

License

Updates

Training and Technical Courses

Introduction

URL Abuse Testing

URL Abuse and Security Testing

How to use the service?

Vulnerability-Lookup Service

Multi-Source Vulnerability-Lookup and Collaboration