AlienVault Blogs


Things I Hearted this Week, 19th October 2018

Fri, 2018/10/19 - 15:00
It’s been another eventful week in the world of cyber security. So let’s just jump right into it.

NCSC has Been Busy
NCSC collaborated with Australia, Canada, New Zealand, UK, and the USA to give us a report that highlights which publicly-available tools criminals are using to aid their cyber crimes. The agency also commented on how it keeps criminals at bay by stopping on average 10 attacks on the government per week. NCSC also published its Annual Review 2018 - the story of the second year of operations at the National Cyber Security Centre.

Targeting Crypto Currencies
It is estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the Lazarus state-sponsored group, including the infamous attack on the Japanese crypto exchange Coincheck, when $534 million in crypto was stolen.

Twitter Publishes Data on Iranian and Russian Troll Farms
In an attempt to be more proactive in dealing with misinformation campaigns, Twitter has published its Elections Integrity dataset, which includes attempted manipulation such as malicious automated accounts and spam. In other words, it’s attempting to out Iranian and Russian troll farms. In light of this, it’s worth also revisiting this article by Mustafa Al-Bassam, in which he researched UK intelligence doing the same thing, targeting civilians in Iran.

Equifax Engineer Sentenced
An Equifax engineer gets eight months for earning $75,000 from insider trading. He figured out he was building a web portal for a breach involving Equifax, which turned out to be the 2017 breach, and so decided to ride the stock drop.

Mind the Skills Gap
(ISC)2 has released its 2018 global cyber security workforce study and it looks like the cyber security skills gap has widened to 3 million.

It’s worth bearing in mind that estimating the skills gap isn’t an easy task. You have to look into the types of organisations, the tools in place, the risk appetite, economic, political and environmental factors, a whole bunch of things. You need a pretty deep methodology (don’t get me started on survey methodologies) to accurately assess the skills gap - so a survey of 1500 individuals won’t necessarily be completely accurate, but it serves as a good discussion point to start from.

On the topic of the skills gap, there are plenty of free resources for learning available these days. Check out this awesome list:

GitHub Announcements
When Microsoft acquired GitHub, many speculated this was the end of the site. On the contrary, a series of new features and enhancements shows GitHub ploughing forward in leaps and bounds.

California to Change State Law for Connected Devices
In a bid to strengthen cyber security, California passed a state law requiring all manufacturers of internet-connected devices to improve their security features. By 2020, in order to sell their products in California, manufacturers will need to ensure that devices such as home routers have a unique pre-programmed password or an enforced user authentication process as part of the set-up. Default passwords such as ‘password’ or ‘default’ will be deemed weak and in breach of the state law. A great initiative, but part of me feels like it’s a bit premature.

Why tech companies need to reinvent themselves every three to four years
Former Cisco CEO John Chambers says doing the same thing, even if it’s the “right thing,” for too long is dangerous.

The CumEx Files investigation
Finally, a long but fascinating read into a huge, months-long investigation that involved the cooperation of dozens of international partners to uncover how some of the wealthiest have swindled European taxpayers out of billions.
Categories: Security Posts

Detecting Empire with USM Anywhere

Thu, 2018/10/18 - 20:13
Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems. It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can:
  • Deploy fileless agents to perform command and control.
  • Exploit vulnerabilities to escalate privileges.
  • Install itself for persistence.
  • Steal user credentials.
It has also evolved to support the initial phases of an attack, and can create malicious documents to deploy its agent. Empire’s features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages on a Windows target.

Staging
Empire first attempts to deploy an agent using one of multiple stager modules. USM will generically detect the agent after PowerShell is invoked with an encoded payload. Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert ‘Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command’. This alert detects most Empire stagers on Windows when they use PowerShell to execute an encoded command. If enabled, the Windows Antimalware Scan Interface should also block the PowerShell command. The ‘Malware Infection - Windows Defender Malware Detected’ alert shows the necessary information to locate the malicious file.

An alternative for an attacker is to craft an Office document with a macro, which will execute the agent command by running a crafted Windows process from the WMI service:

  ' Fragment of the macro: str holds the command line to launch and intProcessID receives the new process id
  Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
  Set objStartup = objWMIService.Get("Win32_ProcessStartup")
  Set objConfig = objStartup.SpawnInstance_
  objConfig.ShowWindow = 0    ' launch the process with a hidden window
  Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
  objProcess.Create str, Null, objConfig, intProcessID

When the macro runs, the Windows Management Instrumentation Command (WMIC) will create a new process. USM listens to Windows events to detect the WMIC call, which is commonly used in lateral movement scenarios. The ‘Lateral Movement - Remote WMIC Activity’ alert is raised, displaying the malicious PowerShell command.

Another way for an attacker to implant the Empire agent on a victim’s machine is to create an HTML Application using the Empire module windows/hta.
On a system with a weak security configuration, a simple spear-phishing mail with a link to the crafted HTML Application will be enough to get the agent running. For each alert, USM provides detailed information about the nature of the issue and useful recommendations for security staff to follow. As this is a common technique for installing malware, USM identifies applications such as PowerShell executed by HTML Applications. In this instance, USM creates an alarm for ‘Code Execution - Suspicious Process Created by mshta.exe’.

Escalating Privileges
After infection, the attacker will try to escalate privileges. For that, they can use one of the ‘privesc’ Empire modules. One of the most dangerous tries to bypass Windows UAC by abusing the native Event Viewer. When Event Viewer runs, it tries to execute mmc.exe from the HKCU\Software\Classes\mscfile\shell\open\command registry key. Thus, an attacker can use that location to place a process that will run with a high integrity level. Trying this results in a registry key hijack attempt, which is detected by the AlienVault agent and surfaced in USM as a ‘Privilege Escalation - Windows UAC Bypass’ alert.

Empire C&C
The Empire agent will access the network through a crafted PowerShell command. Although this command combines a number of obfuscation techniques (such as case switching) and Base64 encoding, some features in its structure are invariant and allow for detection. When the decoded command is registered by the ‘Windows Powershell Login Channel’ and sent to the USM engine, it triggers a ‘Hacking Tool - Powershell Empire agent CnC activity’ alert announcing that Empire has been detected on the machine.

Other features
The Empire framework also provides several modules to enable persistence on the infected machine, such as scheduled tasks, a number of registry keys, or WMI event subscriptions. USM Anywhere alerts on each scheduled task with a low-priority alarm. These alerts provide full information about the task content, the responsible user, and other key data.

To steal system credentials, an attacker can also rely on Empire modules. The mimikatz module can operate once a high-privilege agent is installed on the victim’s machine. Executing mimikatz relies on an iterative file listing process that is easy to detect with USM. The ‘Credential Access - Powershell script executing mimikatz’ alert shows the command and other interesting data.

Empire also uses registry keys for persistence. Some interesting registry keys to monitor with USM are SOFTWARE\Microsoft\Windows\CurrentVersion\Run and SOFTWARE\Microsoft\Windows\CurrentVersion\Debug.
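As an added example (not code from this post or from USM Anywhere), the following Python sketches host-side logic behind three of the alerts discussed above: decoding a PowerShell -EncodedCommand payload (Base64 of UTF-16LE text, the invariant the encoded-command alert keys on), flagging PowerShell spawned by mshta.exe and similar parents, and catching a write to the mscfile\shell\open\command key used by the Event Viewer UAC bypass. The event shape, field names, alert strings and parent watch-list are assumptions for this sketch, and the sample events are constructed.

```python
import base64
import re

# PowerShell accepts abbreviated switches (-e, -ec, -enc, -EncodedCommand) followed by
# Base64 of UTF-16LE text; that fixed structure is what lets the alert stay generic.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
UAC_BYPASS_KEY = r"hkcu\software\classes\mscfile\shell\open\command"  # key named in the post
SUSPICIOUS_PARENTS = {"mshta.exe", "wmiprvse.exe", "winword.exe"}  # assumed watch-list

def encode_command(script):
    """Encode a script the way -EncodedCommand expects (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded payload, or None if no flag or the Base64/UTF-16LE is invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(event):
    """Map one simplified process or registry event to a list of (alert, detail) tuples."""
    alerts = []
    if event["type"] == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        parent = event["parent"].rsplit("\\", 1)[-1].lower()
        if image == "powershell.exe":
            decoded = decode_encoded_command(event["cmdline"])
            if decoded is not None:
                alerts.append(("Powershell Execution of Encoded Command", decoded))
            if parent in SUSPICIOUS_PARENTS:
                alerts.append(("Suspicious Process Created by " + parent, event["cmdline"]))
    elif event["type"] == "registry" and event["key"].lower() == UAC_BYPASS_KEY:
        alerts.append(("Windows UAC Bypass", event["value"]))
    return alerts

# Constructed sample events (not real USM telemetry); a harmless script stands in for a stager.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoP -W Hidden -enc " + encode_command("Write-Host 'stager placeholder'")},
    {"type": "registry", "key": r"HKCU\Software\Classes\mscfile\shell\open\command",
     "value": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
]

def run_samples():
    """Return the alert names raised over SAMPLE_EVENTS, in order."""
    return [name for event in SAMPLE_EVENTS for name, _ in analyse(event)]
```

In a real deployment the decoded payload is what you would feed to the Empire C&C signature described above, since the invariant structure is only visible after decoding.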
Thanks to Chris Doman for collaborating.

Appendix

Host detection
Empire is detected as it is installed and executed on a machine with the following detections:
  • Malware Infection - Windows Defender Malware Detected
  • Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command
  • Code Execution - Suspicious Process Created by mshta.exe
  • Privilege Escalation - Windows UAC Bypass
  • Hacking Tool - Powershell Empire agent CnC Activity
  • Credential Access - Powershell script executing mimikatz
  • Security Critical Event - Windows Scheduled Job Created

Network detection
Empire is detected as it communicates over the network via the following network detections:
  • ETPRO TROJAN Observed PS Empire Downloader SSL Cert via MalDoc Oct 20
  • ETPRO TROJAN PowerShell Empire Request HTTP Pattern
  • ETPRO TROJAN PowerShell Empire Response HTTP Pattern
  • ETPRO TROJAN PowerShell Empire Malicious SSL Certificate Detected
  • ETPRO TROJAN PowerShell Empire SSL Cert
  • ETPRO TROJAN Receiving Possible PowerShell Empire Stager
  • ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro
  • ETPRO CURRENT_EVENTS PowerShell Empire Session Initial Activity
  • ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro
Categories: Security Posts