Security Posts

My talk at X1Red+Segura on video: Data in the Times of Cambridge Analytica

Yesterday, Saturday, I had the chance to take part in the X1Red+Segura conference, held at the Universidad Politécnica de Madrid's facilities in Ciudad Universitaria, and I used the occasion to talk about "Data in the Times of Cambridge Analytica". I am also taking the opportunity to leave you a couple more videos to liven up the weekend.
Figure 1: My talk at X1Red+Segura on video: Data in the Times of Cambridge Analytica
It is a talk I had only given once before, during the Talent Show in Mexico, and that one was not published on video, so I took the chance to give it again and have it recorded for everyone on the Internet and upload it to My YouTube Channel, because otherwise I forget about them and they are lost forever.
Instagram post by Chema Alonso (@chemaalonso), May 19, 2018, 3:04am PDT: "Today at the X1Red+Segura talk }:)"
You already know the gist of the talk; almost all of it is covered in the article I wrote not long ago on this blog, titled "Cambridge Analytica is not even the tip of the iceberg in today's world", which you can read before watching the talk (as well as watching some of the conferences linked there, which have a lot to do with what I cover in today's talk).

Figure 3: Data in the Times of Cambridge Analytica
The talk is available on video, but since the recording I have is the one from the Internet stream, to help you follow it a bit better I have uploaded the slides I used to my SlideShare channel, so you can follow the slides in better quality while you watch the talk.
Figure 4: Data in the Times of Cambridge Analytica
Also, since it is a more than interesting Sunday in terms of sport, with the MotoGP races, the final of the ATP Masters 1000 in Rome where Rafa Nadal is playing for another title, and Real Madrid in the basketball final of the Final Four, I leave you a couple of videos related to sport.
These monsters are good at snowboarding

Dancho Danchev's Mind Streams of Information Security Knowledge - The World's Most Comprehensive Threats Database

Dear blog readers, it's been several years since I last posted a quality update, further sharing actionable intelligence with the security community. As it's been several years since I last posted a quality update, I feel it's about time that we take the stakes a little higher by successfully launching what can be best described as the industry's leading and most versatile JSON-capable threats
Categories: Security Posts

Introduction to Dancho Danchev's Infowar Monitor 2.0

Dear blog readers, it's been quite some time since I last posted a quality update following my disappearance in 2010. I wanted to express my gratitude to everyone who participated in the search, including colleagues and companies, and wanted to say thanks for taking your time and effort to keep track of and follow my research and disappearance. As I've been busy working on Dancho Danchev's Blog -
Categories: Security Posts

Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available

Dear blog readers, as of today I'm making publicly available my portfolio of services, including active threat intelligence gathering and processing, cybercriminals and network assets profiling, real life personalization of malicious actors, OSINT analyses, in-depth understanding and processing of tactics, techniques and procedures (TTPs), including the
Categories: Security Posts

Invitation to Join a Security Community

Dear blog readers, as I'm currently busy launching a private security community, I decided to publicly announce its existence. Topics of discussion: - cybercrime research - threat intelligence - malicious software Request an invite:
Categories: Security Posts

DDanchev is for Hire!

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger? Approach me at
Categories: Security Posts

Project Proposal - Cybercrime Research - Seeking Investment

Dear blog readers, I'm currently seeking an investment regarding a cybercrime research project with the project proposal available on request. Approach me at
Categories: Security Posts

Book Proposal - Seeking Sponsorship - Publisher Contact

Dear blog readers, as I'm currently busy writing a book, I'm currently seeking a publisher contact, with the book proposal available on request. Approach me at
Categories: Security Posts

[SANS ISC] Malicious Powershell Targeting UK Bank Customers

/dev/random - Sat, 2018/05/19 - 13:45
I published the following diary on "Malicious Powershell Targeting UK Bank Customers": I found a very interesting sample thanks to my hunting rules… It is a PowerShell script that was uploaded to VT for the first time on the 16th of May from the UK. The current VT score is still 0/59. The upload location is interesting because the script targets major UK bank customers, as we will see below… [Read more] [The post [SANS ISC] Malicious Powershell Targeting UK Bank Customers has been first published on /dev/random]
Categories: Security Posts

Things I Hearted this Week, 18th May 2018

AlienVault Blogs - Fri, 2018/05/18 - 15:00
You know the BBC have got their priorities really wrong when they pitch Meghan Markle saying her father is snubbing the Royal wedding as "Breaking news". What is surprising though is that I haven't seen all that many phishing emails related to the wedding hitting my inbox. Maybe the scammers know that I wouldn't pay much attention anyway.

"Meghan Markle says her father will not now be attending her wedding to Prince Harry on Saturday" — BBC Breaking News (@BBCBreaking) May 17, 2018

But enough about the royals, let's take a peek under the bonnet and see what the cyber spark plugs bring to us this week.

Watch Me Patch, Nay Nay
In 2017 alone, businesses were forced to decide how to address an average of 40 new vulnerabilities per day. With so many new vulnerabilities being published, some businesses may flounder when it comes to developing effective patch strategies.

Related, Botnet Cashouts
How much does it cost to run a botnet? Apparently, it can be quite expensive according to the work of C.G.J Putnam at the University of Twente in the Netherlands. For a botnet linked to 10m devices, the cost can be in the region of $16m. That's a lot of change, until you start looking at the potential returns. The team says that DDoS attacks using a network of 30,000 bots can generate around $26,000 a month. Spam advertising with 10,000 bots generates around $300,000 a month, and bank fraud with 30,000 bots can generate over $18m per month. But the most profitable undertaking is click fraud, which generates well over $20m a month of profit.

Phish Teachers, Hack Grades
Police in Concord, California arrested a teenager and charged him with 14 felony counts after discovering the high-schooler launched a phishing campaign directed at teachers in order to steal their passwords and change grades. Not only did he raise his own grades, he raised some of his classmates'... and in other cases he lowered his classmates' grades.

When Tech Flaws Can Ruin Your Life
This is a really good and sad story, but one that needs to be looked at in a wider context. It's not very uncommon to see security researchers blocked by legal threats. Sometimes it's because the product manufacturer wants to avoid some bad publicity. However, in this case, the flaws related to a breathalyser that is used widely across the U.S. These flaws meant that the results of the tests are disputable, casting doubt on countless convictions. As technology creeps / has crept into nearly every aspect of life, and people (including law enforcement) often blindly accept results which could severely impact people's lives, are legal pressures to stifle research acceptable?

On the topic of law enforcement
It's Way Too Hard to Turn off Facebook Tracking
Citizens Against Monopoly discovered that Facebook makes it difficult. The steps for opting out of ad targeting are almost endless: visiting eleven different areas of Facebook's user preferences section, clearing out three different caches of personal interests, disallowing four different types of ads, and limiting seven different actions on the site to friends only. And even all this doesn't completely turn off ads.

A Bad Case Of Gas
Several US gas pipelines have seen their electronic systems for communicating with customers shut down in what is reported to be a cyber attack. While all systems are up and running now, and the incident didn't impact operational systems, it's not the first time US pipelines have been targeted. In 2012, a federal cyber response team said it had identified a number of 'cyber intrusions' targeting natural gas pipeline sector companies.

Social Media: The Zero Trust Game
How do we acknowledge, address, and resolve the battlefield that social media has become? The spreading of information via social media platforms has been the subject of multiple studies, particularly in the wake of numerous reported misinformation campaigns.

In a recent post by Twitter concerning the 2016 election in the US, the company "expanded the number of people notified about interactions with Twitter accounts potentially connected to a propaganda effort by a Russian government–linked organization known as the Internet Research Agency" and that "approximately 1.4 million people have now received a notification from Twitter." Tactics to influence people from the bottom up are not limited solely to elections. We have now seen claims that bots are looking to hijack the gun debate.

Related, and not to miss out the big story
Dark Networks
The good folk over at Recorded Future have a good analysis on dark networks and have broken it down into three distinct communities.

Hacking the Hackers
A hacker has breached Securus, the company that helps cops track phones across the US. You'd think that if you were a company that collected all sorts of phone data and location tracking, and worked with law enforcement, you'd be a bit more careful in how you store the data. Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials' phones, according to court records.

Random Not So Security Stuff
Well, apparently only 150 people will come to my funeral, and only 50 of those will consider me a "buddy".
Categories: Security Posts

Introducing Team Foundation Server decryption tool

Fox-IT - Thu, 2018/05/17 - 13:06
During penetration tests we sometimes encounter servers running software that uses sensitive information as part of the underlying process, such as Microsoft's Team Foundation Server (TFS). TFS can be used for developing code, version control and automatic deployment to target systems. This blogpost provides two tools to decrypt sensitive information that is stored in the TFS database.

Decrypting TFS secrets
Within Team Foundation Server (TFS), it is possible to automate the build, testing and deployment of new releases. With the use of variables it is possible to create a generic deployment process once and customize it per environment.[1] Sometimes specific tasks need a set of credentials or other sensitive information, and therefore TFS supports encrypted variables. With an encrypted variable, the contents of the variable are encrypted in the database and not visible to the user of TFS. However, with sufficient access rights to the database it is possible to decrypt the encrypted content. Sebastian Solnica wrote a blogpost about this, which can be read on the following link:

Fox-IT wrote a PowerShell script that uses the information mentioned in the blogpost. While the blogpost mainly focused on the decryption technique, the PowerShell script is built with usability in mind. The script will query all needed values and display the decrypted values. An example can be seen in the following screenshot:

The script can be downloaded from Fox-IT's Github repository:

It is also possible to use the script in Metasploit. Fox-IT wrote a post module that can be used through a meterpreter session. The result of the script can be seen in the screenshot below. There is a pull request pending and hopefully the module will be part of the Metasploit Framework soon. The pull request can be found here:

References
[1]
Categories: Security Posts

Fabricating a Trellis

Niels Provos - Fri, 2018/05/04 - 06:10

The garden needed some trellises for roses. We came up with a circle design and are fabricating it in the shop. Mild steel bar is bent into many different ring sizes and then put together into a fairly large trellis. I am also showing some really beautiful slow motion shots of welding and grinding in high dynamic range.
Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018
Categories: Security Posts

ISC Stormcast For Friday, April 6th 2018, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review the installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone
cd HELK/
sudo ./ 
Of the three installation options I was presented with (pulling the latest HELK Docker image from cyb3rward0g's Docker Hub, building the HELK image from a local Dockerfile, or installing HELK from a local bash script), I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you: if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case
For my test Windows system I created a Windows 7 x86 virtual machine with VirtualBox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address of your HELK server in three spots. My modification appeared as hosts: ["","",""]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml.  This will ensure rich data returns from Sysmon, when using adversary emulation services from APTsimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOCs response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2:
  • Dropping a Powershell netcat alternative into the APT dir
  • Executing nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop in the correct version of 7-Zip for your system architecture: I'm assuming the default binaries are 64-bit, and I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option, looking for the above-mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above; see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline,, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
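The hunts above are run by hand in Kibana Discover, one APTSimulator activity at a time. The same checks can be written down as rules and run over Sysmon events programmatically, which is how you turn a one-off validation into something repeatable. The following Python script is an added example and is not part of this diary or of the HELK or APTSimulator projects: it encodes detections for several items from the APTSimulator list earlier (the C:\TMP working directory, guest account activation and escalation, svchost.exe outside System32, the hosts file modification, the RUN key, the sethc.exe debugger key, and scheduled task / At job creation) and runs them over a handful of constructed Sysmon-style events. The field names (image, command_line, target_filename, target_object) are a simplified model of what Winlogbeat ships, the event records and file names are constructed for the example rather than captured from a host, and the regular expression for the guest account commands is my own rule, not one from either project.

```python
"""Rule-based hunt over Sysmon-style events for APTSimulator-like activity.

Added example: the events below are constructed, not captured from a host,
and the field names are a simplified model of what Winlogbeat ships
(Sysmon event_id 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet).
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events mirroring the APTSimulator activities listed in the diary.
SAMPLE_EVENTS: List[Event] = [
    {"event_id": "11", "image": r"C:\Windows\System32\cmd.exe", "target_filename": r"C:\TMP\nc.ps1"},
    {"event_id": "1", "image": r"C:\Windows\System32\net.exe", "command_line": "net user guest /active:yes"},
    {"event_id": "1", "image": r"C:\Windows\System32\net.exe", "command_line": "net localgroup administrators guest /add"},
    {"event_id": "11", "image": r"C:\Windows\System32\cmd.exe", "target_filename": r"C:\Users\Public\svchost.exe"},
    {"event_id": "1", "image": r"C:\Users\Public\svchost.exe", "command_line": r"C:\Users\Public\svchost.exe"},
    {"event_id": "11", "image": r"C:\Windows\System32\cmd.exe", "target_filename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"event_id": "1", "image": r"C:\TMP\nbtscan.exe", "command_line": "nbtscan 192.168.56.0/24"},
    {"event_id": "13", "image": r"C:\Windows\regedit.exe", "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": "1", "image": r"C:\Windows\System32\schtasks.exe", "command_line": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\TMP\mimikatz.exe"},
    {"event_id": "13", "image": r"C:\Windows\regedit.exe", "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    # Benign noise that the rules must not flag.
    {"event_id": "1", "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"event_id": "11", "image": r"C:\Program Files\Microsoft Office\winword.exe", "target_filename": r"C:\Users\malman\Documents\report.docx"},
]

# Directories where svchost.exe legitimately lives; anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _f(ev: Event, key: str) -> str:
    # Lowercase the field (Windows paths are case-insensitive); '' if the field is absent.
    return ev.get(key, "").lower()


def tmp_working_dir(ev: Event) -> bool:
    # Files dropped into, or binaries run from, the C:\TMP attacker working directory.
    return any(_f(ev, k).startswith("c:\\tmp\\") for k in ("image", "target_filename"))


def svchost_outside_system32(ev: Event) -> bool:
    # A binary named svchost.exe created or executed outside System32/SysWOW64 (e.g. C:\Users\Public).
    for key in ("image", "target_filename"):
        path = _f(ev, key)
        if path.endswith("\\svchost.exe") and not path.startswith(SYSTEM_DIRS):
            return True
    return False


# Hypothetical rule: guest account enabled, or guest added to local administrators.
GUEST_ABUSE = re.compile(r"\bnet1?\s+(user\s+guest\s+/active:yes|localgroup\s+administrators\s+guest\s+/add)\b")


def guest_account_abuse(ev: Event) -> bool:
    return ev["event_id"] == "1" and GUEST_ABUSE.search(_f(ev, "command_line")) is not None


def hosts_file_modified(ev: Event) -> bool:
    return ev["event_id"] == "11" and _f(ev, "target_filename").endswith("\\drivers\\etc\\hosts")


def run_key_set(ev: Event) -> bool:
    return ev["event_id"] == "13" and "\\currentversion\\run\\" in _f(ev, "target_object")


def sethc_debugger(ev: Event) -> bool:
    # cmd.exe (or anything else) registered as debugger for sethc.exe via Image File Execution Options.
    target = _f(ev, "target_object")
    return ev["event_id"] == "13" and "image file execution options" in target and target.endswith("\\sethc.exe\\debugger")


def task_persistence(ev: Event) -> bool:
    # schtasks /create or at.exe use, covering both the scheduled task and the At job in the list.
    image, cmd = _f(ev, "image"), _f(ev, "command_line")
    return ev["event_id"] == "1" and ((image.endswith("\\schtasks.exe") and "/create" in cmd) or image.endswith("\\at.exe"))


RULES: Dict[str, Callable[[Event], bool]] = {
    "tmp_working_dir": tmp_working_dir,
    "svchost_outside_system32": svchost_outside_system32,
    "guest_account_abuse": guest_account_abuse,
    "hosts_file_modified": hosts_file_modified,
    "run_key_set": run_key_set,
    "sethc_debugger": sethc_debugger,
    "task_persistence": task_persistence,
}


def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, idx) for idx, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


def rules_fired(events: List[Event]) -> Dict[str, int]:
    """Count hits per rule; a zero-count rule after an emulation run is a detection gap."""
    counts = {name: 0 for name in RULES}
    for name, _ in hunt(events):
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:26s} event #{idx}: {SAMPLE_EVENTS[idx]}")
    print(rules_fired(SAMPLE_EVENTS))
```

The point of rules_fired is the diary's own: if you haven't tested and validated, it isn't detection. After an APTSimulator run, any rule that reports zero hits is a rule with a prayer, and the two benign events at the end of the sample are there to confirm the rules do not fire on ordinary svchost.exe or user document activity.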
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. That was not detailed enough to be particularly useful, so I added a sub-bucket to include the process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec
Categories: Security Posts
