Security Posts

Detecting SSH Username Enumeration

/dev/random - Thu, 2018/08/16 - 22:02
A very quick post about a new thread which has been started yesterday on the OSS-Security mailing list. It’s about a vulnerability affecting almost ALL SSH server version. Quoted from the initial message; It affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000) It is possible to enumerate usernames on a server that offers SSH services publicly. Of course, it did not take too long to see a proof-of-concept posted. I just tested it and it works like a charm: $ ./ssh-check-username.py victim.domain.com test [*] Invalid username $ ./ssh-check-username.py victim.domain.com xavier [+] Valid username This is very nice/evil (depending on the side you’re working on). For Red Teams, it’s nice to enumerate usernames and focus on the weakest ones (“guest”, “support”, “test”, etc). There are plenty of username lists available online to brute force the server. From a Blue Team point of view, how to detect if a host is targeted by this attack? Search for this type of event: Aug 16 21:42:10 victim sshd[10680]: fatal: ssh_packet_get_string: incomplete message [preauth] Note that the offending IP address is not listed in the error message. It’s time to keep an eye on your log files and block suspicious IP addresses that make too many SSH attempts (correlate with your firewall logs). [The post Detecting SSH Username Enumeration has been first published on /dev/random]
Categories: Security Posts

AntiCoinMiner mining campaign

Zscaler Research - Thu, 2018/08/16 - 19:14
Coinminer malware has been on the rise for some time. As more and more users become aware of this threat and try to take measures to protect themselves, cybercriminals are attempting to cash on that fear by serving crypto-miner malware from a website claiming to offer a coinminer blocker. Although the website looks unprofessional and would appear suspicious to most, there are plenty of non-tech savvy users who may fall for it. Figure 1. Source website We have observed two variants of this malware strain being served from the above mentioned website as well as coin-blocker[.]com. In both cases malware operator is using malicious miner code written by another author for his financial gains and in the process also getting duped himself/herself.   CryptoMiner Variant #1 MD5s: 927adcebfa52b3551bdd008b42033a6e and c777e949686f49cc0a03d0d374c5e68a The first malware variant was getting downloaded with file names like 'cr_blocker_v12.exe', 'apollo.exe' and was making extensive use of batch files. First it will drop and execute a batch file , which in turn, runs a PowerShell command (a slightly modified version of the PowerShell script from http://moneroocean[.]stream) to download and execute a batch script (again a copy of moneroocean's xmrig_setup.bat) from same website.  The purpose of final batch script is to download, setup and run monero miner on infected system.   Figure 2. Execution flow and Batch file executed by malware The above script is sourced from a script that is published on MoneroOcean's GitHub account with two minor modifications. The malware author has modified the DownloadFile URL to point to a copy of official miner batch file that is hosted on the malware author's site. The second and obvious modification is the wallet address change, where the attacker is collecting the revenue from this fradulent mining campaign. This address has not earned much yet (as of August 16, 2018, just 1.298239 XMR has been paid), but this campaign is just getting started, so it is early to draw any conclusions.   CryptoMiner Variant #2 MD5s: d3fa184981b21e46f81da37f7c2cf41e The second malware variant was seen being downloaded with filename start_me_now.exe which will further download another file named start_me.exe from same domain and executes that file. The downloaded file is an SFX archive containing multiple files, including both xmr-stak and xmrig miner with same configuration. Image: Cryptominer SFX variant execution flow diagram The malware operator has used a version of Playerz Multi Hidden Cryptocurrency Miner from multicryptominer[.]com with the addition of silent.exe containing an embedded copy of xmrig miner. Silent.exe will run xmrig miner by injecting it into a process such as notepad.exe. Figure 3. SFX Script from start_me.exe Batch files are just one-line scripts in this case as seen below; run.bat will run c:\ProgramData\playersclub\player.exe and share.bat will open xmrminingpro[.]com/share.html in an attempt to convince the user to share this website on social media sites - Twitter, Facebook and Google Plus - resulting in further infections. Figure 4. Batch files Setup.exe and all other files which are part of this SFX archive belong to Playerz Multi Hidden Cryptocurrency Miner, whose details follow.   Playerz Multi Hidden Cryptocurrency Miner setup.exe It will first run setup.exe, which will copy the folder “pcdata” and its files to C:\programdata\playersclub and run installer.exe. Figure 5. Autohotkey script from setup.exe   Installer.exe It will register and run xmr-stak as a service using launchserv.exe, allowing it to run with higher privileges, and also create C:\programdata\playersclub\player.txt by taking configuration data from playerconfig.txt: Figure 6. Autohotkey script from installer.exe Launchserv.exe will use following configuration to register service: Figure 7. LaunchServ.ini file   systemSpawn.exe systemSpawn.exe is registered as a service with the purpose of ensuring player.exe exists in the C:\programdata\playersclub\ folder and, if not download and run it with escalated privileges using PaExec.exe (similar tool to Microsoft's PsExec) from poweradmin[.]com/paexec/. Figure 8. Autohotkey script from systemSpawn.exe It will run player.exe using the following switches to gain escalated privileges: -s (run the process in the system account), -x (display the UI on the Winlogon secure desktop), -d (don't wait for process to terminate [non-interactive]), -i (run the program so that it interacts with the desktop of the specified session on the specified system. If no session is specified, the process runs in the console session).   player.exe Player.exe is the main process responsible for managing the xmr-stak.exe process. It will do all of the things mentioned by the malware author on its website, such as: run when the computer is idle; check if video or audio is being played; automatically download and, if needed, update miner software; kill processes mentioned in all ProcessesList.txt, and more. Ironically, the Playerz Multi Hidden Cryptocurrency Miner author has provided a wallet address for donations to help fund the development of this malware. Figure 9. Donation address mentioned on the website But that was not enough, the author also added a backdoor functionality to mine cryptocurrency for his own address in the mutlicryptominer binary. It will check the modified timestamp of player.txt, and if that file is more than five days old, it will get latest config from multicryptominer[.]com/pool2.xml. Figure 10. Downloading latest configuration from C&C It will parse the received data as seen below: Figure 11. Parsing configuration from C&C Response from the C&C server: Figure 11. Configuration received from server It will then calculate time for running the original author's and the second level malware operator's miner on the infected system: Figure 12. Calculation time distribution for author's and customer's address mining In case the server did not respond with the proper configuration, or player.txt is not more than five days old, it will run the second level malware operator's miner for 105 minutes and author’s for 15 minutes; otherwise, it will distribute time among mining addresses depending on a value received from the server. At the time of analysis, the server was sending the maximum possible value of nine, which means it is splitting mining time between author and customer in a 3-to-1 ratio (90 minutes for author and 30 minutes for customer). After it is done downloading the backdoor configuration and calculating time, it will start timers for various activities: Figure 13. Timers for running and stopping the mining process   When conditions are met for running the miner—for example, when the system is idle and no video or audio is playing—it will run the miner using runProcesses.exe. This will also ensure that the end user will not notice any obvious system slow downs from miner operation. Figure 14. Run miner processes using runProcesses.exe It also starts a timer with callback to kill the process after timeout.   runProcesses.exe This will try to detect CPU and graphics to run miner with optimal settings and, in case no configuration is downloaded from C&C, it also includes hardcoded wallet addresses for mining. Figure 15. Hardcoded addresses used if configuration is not received from server   Conclusion There is a rising trend of new cryptominer malware families as well as existing malware families adding cryptominnig support as highlighted in our previous writeup here. AntiCoinMiner malware operator is leveraging the tried and tested scareware tactics theme very similar to FakeAV malware families, where it gives a false sense of security to the end user while exploiting their machine for financial gains. The malware operator is using an off-the-shelf cryptominer malware for this campaign; however the original cryptominer malware author has a backdoor functionality embedded in the code which deceives the second level malware operator by stealing large portion of CPU cycles from the infected machines to mine coins for the original author. Zscaler ThreatLabZ is actively monitoring for threats like these and will continue to ensure coverage for Zscaler customers.   IOCs MD5s: 927adcebfa52b3551bdd008b42033a6e d3fa184981b21e46f81da37f7c2cf41e c777e949686f49cc0a03d0d374c5e68a Ecd13814885f698d58b41511791339b6 642cccf03f9493b3d91d84e1b0e55e9c Da8d0c73863afe801bb8937c4445f5f9 D3fa184981b21e46f81da37f7c2cf41e E6569c2c9bceb6a5331d39a897e99152 06ded4e24118a4baccfd2f93fffe3506 927adcebfa52b3551bdd008b42033a6e f8df9d2adf5b92dc4dd419098d444bde B0cec3e582a03c978eaff9a8d01f3c31 D204728ac2e98ac380953deb72d3ca57 c842a49268b52892268e3ff03205b2de 95ea8c948a5254a3b24cbbf3edec1a1a URLs: www.xmrminingpro[.]com/start_me_now.exe xmrminingpro[.]com/cr_blocker_v12.exe xmrminingpro.com/Crypto_Blocker_.BAT.exe coin-blocker[.]com/Coin_Blocker_v1.55.exe xmrminingpro[.]com/Apollo.exe coin-blocker[.]com/Coin_Blocker_v1.5.exe coin-blocker[.]com/old/apollo_stream.exe coin-blocker[.]com/apollo/apollo_x86.exe Wallet Addresses: From Samples: 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQsjqdY9cck94oTET4i 48LYTsUuFis3eheaGJSVC1b4DiftHw8249KCELDPGLU7Ke7GddfV7vM8qmuoW3x3qy8hPXiEknM2jixquq4qbHYHHmWut4J 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQrzvo2Dv3ebJHC95XG 4BEqL8aYcuydaT26Rm9BBDgx5MAPeMSeJGgMd8RJDQKaPZEVySfAaTU8bVMsp2uykJZJ1aJDtyLRHREUBe1XXjfUAty7XJy 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQrzvo2Dv3ebJHC95XG 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQmRkHZngZS7So7FipR Author's wallet addresses: Hardcoded in sample: 472dyZhom95Higc85N5E1LbiY3kgbQvapcZ1DosRfjKX4EAvK3ZrdvuLxLMe4vTFbEUAhECZoDZHyGMdFJktrZZyNA3v1Wr Received from c&c: 48LYTsUuFis3eheaGJSVC1b4DiftHw8249KCELDPGLU7Ke7GddfV7vM8qmuoW3x3qy8hPXiEknM2jixquq4qbHYHHmWut4J Mentioned for Donation: 48YAdSiCmzSPXxbrqjhnkVNLfFwcX6uJvV6wVGxNdDZ1Fww43c6zdjo1HePWZY6KXp78q8kv5rcqFYM76uSpPv8u4E2pnuq
Categories: Security Posts

Do You Take Security Seriously?

AlienVault Blogs - Thu, 2018/08/16 - 15:00
Well Javvad Malik has created another awesome report taking on what taking security seriously actually looks like - both for customers and providers. Here's a little excerpt: The “we take security seriously” line is the security equivalent of the infamous call center “your call is important to us” line. Everybody says it because that’s what you say. Taking security seriously is not a statement to be made, it’s achieved by making security part of your process, and that’s visible to everyone. - Scott Helme Taking security seriously isn’t measured by a solitary point in time, nor can it be boiled down to implementing a single standard set of controls. There are many factors that contribute to this mindset. If someone says they take security seriously, they should be able to defend that statement in some manner. It doesn’t need to be a universally accepted position; it just needs to be something that shows they have put some thought into it and arrived at a logical conclusion. Security doesn’t always need to be visible. It doesn’t need to be done for ‘show’ - a “security theatre” if you will. The problem today is that too many companies don’t think about security in earnest at all - well at least not until they get breached. After a breach, however, they all inevitably state: ‘we take security seriously’. The Japanese say you have three faces. The first face, you show to the world. The second face, you show to your close friends, and your family. The third face, you never show anyone. It is the truest reflection of who you are. Similarly, you could say that security has three faces. The security you show to the world, the security that is visible internally in your organization, and the third reflects how you truly feel about security - that is the real measure of
seriously you take security. Read the whole report here!
Categories: Security Posts

Beers with Talos EP 35: Live from the RiRa at Black Hat

Cisco Talos - Thu, 2018/08/16 - 13:45


Beers with Talos (BWT) Podcast Ep. #35 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.
Ep. #35 show notes: Recorded Aug. 8, 2018 — We decided to broadcast while we were all together at Black Hat and invited everyone over for lunch and beers. Since we had a room full of people, we made this episode “choose your own podcast” and took topics from the audience. Neil Jenkins from the Cyber Threat Alliance came by to bestow befitting superhero swag on Matt and Adam for their work on VPNFilter. Headlining this event is our very special guest: Dave Bittner from The CyberWire.
The timeline:The topics3:50 - Roundtable - It gets interesting (read: long), but we bravely make it all the way down the table22:44 - Choose Your Own Podcast! We take a variety of questions, starting with the existential
40:20 - Neil Jenkins from the Cyber Threat Alliance drops in to improve Matt’s belt game
48:23 - Dave Bittner from The CyberWire joins us and reminds us he is a professional. And we are not.
The linksCyber Threat Alliance: https://www.cyberthreatalliance.org/
The CyberWire: https://thecyberwire.com/
==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).  Special Guest: Dave Bittner (@bittner)
Hosted by Mitch Neff (@MitchNeff). 

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com
Categories: Security Posts

[SANS ISC] Truncating Payloads and Anonymizing PCAP files

/dev/random - Thu, 2018/08/16 - 13:43
I published the following diary on isc.sans.org: “Truncating Payloads and Anonymizing PCAP files“: Sometimes, you may need to provide PCAP files to third-party organizations like a vendor support team to investigate a problem with your network. I was looking for a small tool to anonymize network traffic but also to restrict data to packet headers (and drop the payload). Google pointed me to a tool called ‘TCPurify’… [Read more]   [The post [SANS ISC] Truncating Payloads and Anonymizing PCAP files has been first published on /dev/random]
Categories: Security Posts

Phishing – Ask and ye shall receive

Fox-IT - Tue, 2018/08/14 - 15:25
During penetration tests, our primary goal is to identify the difference in paths that can be used to obtain the goal(s) as agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to the username or password of the user that is logged on. In this case, a solution can be to just ask for credentials in order to increase your access or escalate our privileges throughout the network. This blogpost will go into the details of how the default credential gathering module in a pentesting framework like MetaSploit can be further improved and introduces a new tool and a Cobalt Strike module that demonstrates these improvements. Current situation Let’s say that we have a meterpreter running on our target system but were unable to extract user credentials. Since the meterpreter is not running with sufficient privileges, we also cannot access the part of the memory where the passwords reside. To ask the user for their credentials, we can use a post module to spawn a credential box on the user’s desktop that asks for their credentials. This credential box looks like the one in the image below. While this often works in practice, a few problems arise with using this technique:
  • The style of the input box stems from Windows XP. When newer versions of Windows ask for your credentials, a different type of input box is used;
  • The credential box spawns out-of-the-blue. Even though a message and a title can be provided, it does not really look genuine; it misses a scenario where a credential box asking for your credentials can be justified.
A better solution Because of these issues, this technique will perhaps not work on more security aware users. These users can be interesting targets as well, so we created a new script that solves the aforementioned problems. For creating a realistic scenario, the main approach was: “What would work on us?” The answer to this question must at least entail the following:
  • The credential box should be genuine and the same as the one that Windows uses;
  • The credential box should not be spawned out-of-the-blue; the user must be persuaded or should expect a credential box;
  • If (error) messages are used, the messages should be realistic. Real life examples are even better;
  • No or limited visible indications that the scenario is not real.
As a proof of concept, Fox-IT created a tool that uses the following two scenario’s:
  • Notifications that stem from an (installed) application;
  • System notifications that can be postponed.
With this, the attacker can use his creativity to deceive the user. Below are some examples that were created during the development of this tool: Outlook lost connection to Microsoft Exchange. In order to reconnect, the user must specify credentials to reestablish connection to Microsoft Exchange. Password that expires within a short period of time. The second scenario imitates notifications from Windows itself, such as pending updates that need to be installed. The notification toast tricks the user into thinking that the updates can be postponed or dismissed. When the user clicks on the notification toast the user will be asked to supply their credentials. If the user clicks on one of these notifications, the following credential box will pop up. The text of the credential box is fully customizable. Once the user has submitted their credentials, the result is printed on the console which can be intercepted with a tool of your choosing, such as Cobalt strike. We created an aggressor script for Cobalt Strike that extends the user interface with a variety of phishing options. Clicking on one of these options will launch the phishing attack on the remote computer. And if users enter their credentials, the aggressor script will store these in Cobalt Strike as well. The tool as well as the Cobalt Strike aggressor script are available on Fox-IT’s GitHub page: https://github.com/fox-it/Invoke-CredentialPhisher   Technical details During the development of this tool, there were some hurdles that we needed to take. At first, we created a tool that pops a notification balloon. That worked quite well, however, the originating source of the balloon was mentioned in the balloon as well. It’s not really genuine when Windows Powershell ISE asks for Outlook credentials, so that was not a solution that satisfied us. In recent versions of Windows, toast notifications were introduced. These notifications look almost the same as a notification balloon that we used earlier, but work entirely different. By using toast notifications, the problem that the originating source was shown was solved. However, it proved not possible to use event handlers on the toast notifications with native PowerShell. We needed an additional library that acts as a wrapper, which can be found on the following GitHub page: https://github.com/rkeithhill/PoshWinRT That library solved one part of the issue, but needed to be present on the filesystem of the target computer. That leaves traces of our attack which we do not want, plus, we want to leave the least amount of traces of our malicious code. Therefore, we encoded the library as base64 and stored that in the PowerShell script. The base64 equivalent of the library is evaluated and loaded from memory during runtime and will leave no trace on the filesystem once the tool has been executed. So, now we had a tool capable of sending toast notifications that look genuine. Because of how Windows works, we could also create an extra layer of trust by using an application ID as the source of the notification toast. That way, if you were able to find the corresponding AppID, it looks like the toast notification was issued by the application rather than an attacker. The notifcation toasts supports the following:
  • Custom toast notification title;
  • Custom credential box title;
  • Custom multiline toast notification message.
To make it more personal, it is possible to use references to attributes that are part of the System.DirectoryServices.AccountManagement.UserPrincipal object. These attributes can be found on the following Technet article: https://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.userprincipal_properties(v=vs.110).aspx. Additionally, the application scenario supports the following extra features when an application name is provided and can be found by the tool:
  • AppID lookup for adding extra layer of credibility. If no AppID is found, the tool will default to control panel;
  • Extraction of the application icon. The extracted icon will be used in the notification toast;
  • If no process is given or the process cannot be found, the tool will extract the information icon from the C:\Windows\system32\shell32.dll library. By modifying the script, it is easy to incorporate icons from other libraries as well;
  • Hiding of application processes. All windows will be hidden from the user for extra persuasion. The visibility will be restored once the tool is finished or when the user supplied their credentials.
Cmdline examples For the examples above, the following onliners were used: Outlook connection: .\Invoke-CredentialPhisher.ps1 -ToastTitle "Microsoft Office Outlook" -ToastMessage "Connection to Microsoft Exchange has been lost.`r`nClick here to restore the connection" -Application "Outlook" -credBoxTitle "Microsoft Outlook" -credBoxMessage "Enter password for user ‘{emailaddress|samaccountname}'" -ToastType Application -HideProcesses Updates are available: .\Invoke-CredentialPhisher.ps1 -ToastTitle "Updates are available" -ToastMessage "Your computer will restart in 5 minutes to install the updates" -credBoxTitle "Credentials needed" -credBoxMessage "Please specify your credentials in order to postpone the updates" -ToastType System -Application "System Configuration" Password expires: .\Invoke-CredentialPhisher.ps1 -ToastTitle "Consider changing your password" -ToastMessage "Your password will expire in 5 minutes.`r`nTo change your password, click here or press CTRL+ALT+DELETE and then click 'Change a password'." -Application "Control Panel" -credBoxTitle "Windows Password reset" -credBoxMessage "Enter password for user '{samaccountname}'" -ToastType Application Recommendations There are no specific recommendations that are applicable to this phishing technique, however, some more generic recommendations are still applicable:
  • Check if PowerShell script logging and transcript logging is enabled;
  • Raise security awareness;
  • Although it is quite hard to distinguish a fake notification toast from a genuine notification toast, users should have a paranoid approach when it comes to processes asking for their credentials.
Categories: Security Posts

Update: format-bytes Version 0.0.5

Didier Stevens - Tue, 2018/08/14 - 02:00
This new version has many new features and options. First there is the remainder (*) when using option -f to specify a parsing format. For example, -f “<i25s” directs format-bytes to interpret the provided data as a little-endian integer followed by a 25-byte long string: With the remainder (-f “<i25s*”), format-bytes will provide info for the remaining bytes (if any) after parsing (e.g. after the 25-byte long string): Options -c and -s changed ito -C and -S, so that option -s can be used to select items (to be consistent across my tools). Option -s can be used to select an item, like a string, to be dumped (options -a, -x and -d). If no dump option is provided, an hex-ascii dump (-a) is the default. And option –jsoninput can be used to process JSON output produced by oledump.py or zipdump.py, for example.   format-bytes_V0_0_5.zip (https)
MD5: 3D92BCAF8E31BFBF6F4917B3AAB64AEF
SHA256: AD43756F69C8C2ABF0F5778BC466AD480630727FA7B03A6D4DEC80743549845A
Categories: Security Posts

Fabricating a Trellis

Niels Provos - Fri, 2018/05/04 - 06:10

The garden needed some trellises for roses. We came up with a circle design and are fabricating it in the shop. Mild steel bar is bent into many different ring sizes and then put together into a fairly large trellis. I am also showing some really beautiful slow motion shots of welding and grinding in high dynamic range.
Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943
Categories: Security Posts

ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html&#x3f;id=5943, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

&#x26;#xa;Threat Hunting &#x26; Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the The Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. This...is...Death Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not undervalue these two offerings.
HELK is incredibly easy to install. Its also well documented, with lots of related reading material, let me propose that you take the tine to to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone https://github.com/Cyb3rWard0g/HELK.git
cd HELK/
sudo ./helk_install.sh 
Of the three installation options I was presented with, pulling the latest HELK Docker Image from cyb3rward0g dockerhub, building the HELK image from a local Dockerfile, or installing the HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you, if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1. Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case http://192.168.248.29.
For my test Windows system I created a Windows 7 x86 virtual machine with Virtualbox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important, is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address for your HELK server in three spots. My modification appeared as hosts: ["192.168.248.29:9092","192.168.248.29:9093","192.168.248.29:9094"]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml.  This will ensure rich data returns from Sysmon, when using adversary emulation services from APTsimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOCs response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding update.microsoft.com mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2: msupdater.com
  • Dropping a Powershell netcat alternative into the APT dir
  • Executes nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop the correct version of 7 Zip for your system architecture. I'm assuming the default bits are 64bit, I was testing on a 32bit VM. Let's do a fast run-through with HELK's Kibana Discover option looking for the above mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above, see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline, process.name, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. Not good enough to be particularly useful I added a sub-bucket to include process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Thu, 1970/01/01 - 02:00
Syndicate content