Security Posts

Top 10 PCI DSS Compliance Pitfalls

AlienVault Blogs - 2 hours 24 min ago
Despite the fact that PCI DSS has been in effect for over a decade, and most merchants are achieving compliance, some of the world's largest retailers have still been hit by data breaches. The sad truth is that achieving compliance doesn't guarantee data protection, even for large organizations. For example, more than five million credit card numbers were stolen in 2018 hacks of two major retailers.

Earlier this year, I hosted a webcast with Jacques Lucas from Terra Verde (one of our partners) covering challenges and best practices for achieving and maintaining compliance with PCI DSS. In his role as a QSA, Jacques has "seen it all" in terms of what commonly causes stumbling blocks for organizations on their compliance journey, which he summarized in a slide covering the Top 10 Pitfalls for PCI DSS Compliance. As a follow-on from the webcast, I wanted to dive into that area further and provide tips and best practices to help companies address those Top 10 Pitfalls for PCI DSS.

1. Improper scoping

PCI DSS defines the cardholder data environment (CDE) as the people, processes and technologies that store, process or transmit cardholder data, and the assessment scope as the CDE plus any system connected to it or able to affect its security. A common mistake is to overlook the systems that support and secure the CDE and leave them out of scope. Specifically, any system involved in managing the security of in-scope systems is itself in scope and needs to be secured and monitored. Examples include IAM servers, domain controllers, key management servers, firewalls and IDS/IPS systems, log management and SIEM systems, and AV management servers.

Pro-tip: Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies, and monitor all access activity to validate compliance and respond to emerging risks. Remember that segmentation only takes systems out of scope if it is proven effective: PCI DSS requires the segmentation controls themselves to be penetration tested at least annually (every six months for service providers) and after any change to them.

2. Failing to patch systems regularly

PCI DSS requirement 6 outlines the need to patch systems on a regular basis, and specifically requires critical security patches to be installed within one month of release. The challenge is that patching can be very disruptive, and even well-established companies can easily fall behind. For example, in one high-profile breach it took the company more than four months to identify the unpatched vulnerability that had given the attackers their foothold.

Pro-tip: Identifying unpatched assets and applications is a must. Schedule regular vulnerability assessment scans and prioritize patching and remediation for your in-scope systems. Monitor in-scope systems with a combination of controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation.

3. Failing to audit access to cardholder data

PCI DSS requirement 8 covers identification and authentication for access to cardholder data, and requires multi-factor authentication for all remote network access into the CDE (and, since version 3.2, for all non-console administrative access to the CDE). While many organizations have implemented multi-factor authentication, they often fail to audit that access to verify the controls are working as expected. In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise, involved in more than 39% of the merchant breaches it investigated (Source: 2017 SecurityMetrics Guide to PCI DSS Compliance).

Pro-tip: Implement multi-factor authentication for access to all of your CDE assets. Schedule periodic audits against these assets to verify that the controls are working properly. Enable monitoring on all CDE assets to capture a baseline, then configure your SIEM to alarm on activity that falls outside that baseline so you can respond quickly to potential threats.

4. Failing to review and monitor audit logs daily

PCI DSS requirement 10 covers the implementation details for logging and log monitoring within the CDE, including daily review of security events and of the logs of in-scope systems. Unfortunately, these logs are worthless until you have a process to review them and technology to support it. By reviewing logs daily you'll discover errors and anomalies that may signal a threat before it does any damage.

Fact: It takes an organization an average of 206 days to detect a data breach (Source: Ponemon 2017 Cost of a Data Breach Study, commissioned by IBM). If most organizations were successfully reviewing logs every day, they'd find breaches within a day or so rather than months.

5. Failing to shut down third-party vendor remote access after use

Third-party vendors often request remote access for a variety of valid reasons: to post, download or transfer data, to update systems and applications, or to troubleshoot any of the above. The challenge is the lack of follow-up once that access is no longer needed, leaving gaping holes in your network.

Pro-tip: Automate the termination of third-party access once it's no longer needed. Regularly review accounts and their access levels (especially privileged ones) to determine whether they're still necessary. Monitor third-party access and trigger SIEM alerts when activity is outside the norm. Keep asset inventories continually updated, and document vendor access requests to facilitate follow-up.

6. Failing to identify and change vendor default configurations

2,084 passwords. That's the number of vendor default passwords currently catalogued publicly for over 500 different technology vendors. Failing to change a vendor's default password leaves the door wide open to cyber criminals keen to steal cardholder data to sell on the dark web.

Pro-tip: In addition to changing vendor default passwords (PCI DSS requirement 2), apply these best practices:
- Rename default administrator accounts so they are not recognizable as privileged.
- Change the Wi-Fi configuration of any wireless router connected to the CDE (default SSIDs, encryption keys, and SNMP community strings).
- Develop, implement, and assess configuration standards for each of your in-scope asset groups.
- Disable unnecessary services and protocols.
- Monitor configuration changes to critical system files with file integrity monitoring.

7. Obsessing over putting things out of scope

It's understandable that IT teams want to reduce the scope of the CDE, since that shrinks the cost, time and effort of achieving, maintaining and demonstrating PCI DSS compliance. There are several scope-reduction techniques, such as reducing the number of systems that process cardholder data locally. Tokenization, for example, keeps CHD from being stored in your environment by outsourcing that storage to a payment service provider. While these techniques may reduce some of your overall risk, they're not a silver bullet. You're still on the hook to verify and demonstrate that your customers' CHD is protected, no matter where it resides or how it's managed.

Pro-tip: Don't waste time obsessing over ways to narrow your exposure. Do the right thing: isolate, secure and monitor every system that handles CHD. After all, your QSA may not agree with your narrow scope definition, even after all that hard work.

8. Failing to track where cardholder data is stored

Some merchants mistakenly believe that outsourcing CHD storage offsets their PCI DSS responsibility. It doesn't. Even if you outsource payment processing to a third-party provider, you're still responsible for knowing and attesting to where and how CHD is stored, managed and accessed, and PCI DSS requirement 12.8 expects you to document which requirements each service provider manages on your behalf. Since some payment processing providers conduct business globally, it's essential to verify these details before deciding to outsource to them.

Pro-tip: Whether you're storing CHD locally or outsourcing to a provider, actively track where and how it's stored, who is accessing it, how they're accessing it, and when and why they need to. Actively assess security controls with periodic vulnerability scanning, update inventories, and continually monitor activity to respond to threats and verify compliance.

9. Storing sensitive authentication data after authorization

PCI DSS requirement 3.2 prohibits storing Sensitive Authentication Data (SAD), which comprises full magnetic stripe (track) data, CAV2/CVC2/CVV2/CID, PINs and PIN blocks, after authorization, even if it is encrypted. Cyber criminals put a high value on SAD, and on magnetic stripe data in particular, because this raw data lets them clone stolen cards for resale. Some merchants that rely on recurring billing falsely believe they must store SAD for this purpose; in fact recurring billing never needs the card verification code or track data. Instead, reduce your exposure by using a third-party card vault and tokenization provider, in which case CHD is replaced with a token during billing and payment authorization.

Fact: Credit card numbers remain in the top 10 most popular types of stolen data traded on the dark web. The price of a stolen card number varies from $5 to $110, with CVV data adding a $5 uplift, full bank information another $15, and a full package of name, SSN, birth date and other personal data another $30 (Source: Here's How Much Your Personal Information Is Selling for on the Dark Web).

10. Addressing PCI DSS compliance only during the annual audit

Let's face it: PCI DSS compliance is deadline-driven. This can lull IT folks into following good monitoring practices only when an audit or assessment is approaching. The downside is that you'll find yourself constantly playing catch-up. As we know, security and compliance work is never done, and both are more easily achieved and maintained when they become embedded in your standard operating procedures.

Pro-tip: Consolidate event correlation and threat detection technologies into a single platform for continual assessment and automated compliance status reporting. Implement security platforms that enable continuous monitoring and vulnerability assessment to sustain PCI DSS compliance.

In summary, remember that compliance is more of a journey than a destination. Given the need for continuous due diligence, look for security approaches that support a rapid, scalable, and orchestrated response. Specifically, multi-functional security monitoring platforms simplify threat detection and response while also helping your team scale to meet the complexities of changing compliance requirements.

Thanks to our valued partner Terra Verde for their input and collaboration in developing this Top 10 list.

Glossary of Terms
PCI - Payment Card Industry
PCI DSS - Payment Card Industry Data Security Standard
PCI SSC - Payment Card Industry Security Standards Council
CHD - Cardholder Data
CDE - Cardholder Data Environment
SAD - Sensitive Authentication Data
AOC - Attestation of Compliance
ROC - Report on Compliance
SAQ - Self-Assessment Questionnaire
QSA - Qualified Security Assessor
ASV - Approved Scanning Vendor
CAV - Card Authentication Value (JCB)
CVV - Card Verification Value (Visa and MasterCard)
PAN - Primary Account Number
CVC - Card Validation Code (MasterCard)
CSC - Card Security Code (Amex)
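Pitfalls 8 and 9 both come down to knowing where PAN and SAD actually end up, and application logs are a classic place to find both. The following is an added example written for this page, not code from the original post or from AlienVault: a small scanner that flags PAN, ISO 7813 track 2 data and labelled card-verification-code fields in text such as log files, uses the Luhn check to drop ordinary 13-19 digit numbers (order IDs, timestamps) that merely look like card numbers, and masks every hit to the first six and last four digits so the report itself does not become cardholder data. The log lines are constructed for the example and contain only well-known test card numbers.

```python
import re
from typing import List

# Constructed sample log excerpt (not real data). Line 1 leaks a PAN and a
# CVV2, line 2 leaks raw track 2 data, line 3 is a clean tokenised record and
# line 4 holds a 16-digit number that fails the Luhn check, so it is not a PAN.
SAMPLE_LOG = """\
2018-11-13T20:53:01Z app=checkout msg="order 1234567890123 authorized" card="4111 1111 1111 1111" cvv2=123
2018-11-13T20:53:02Z app=pos msg="swipe read" track2=";5500000000000004=25121011234567?"
2018-11-13T20:53:03Z app=billing msg="token issued" token="tok_3f9a1c2e7b" amount=4200
2018-11-13T20:53:04Z app=checkout msg="declined" card="4111111111111112"
"""

# 13-19 digits, optionally separated by single spaces or hyphens, that are not
# embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Card verification codes written to the log as a labelled field.
CVV_RE = re.compile(r'\b(cvv2?|cvc2?|cid|cav2)\s*[=:]\s*"?(\d{3,4})\b', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS 3.3 lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[dict]:
    """Return one finding per PAN, track 2 record or CVV field, per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):   # drops order IDs and other number-shaped noise
                findings.append({"kind": "pan", "line": line_no, "value": mask_pan(digits)})
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append({"kind": "track2", "line": line_no, "value": mask_pan(m.group(1))})
        for m in CVV_RE.finditer(line):
            # Never echo the code itself; the field name is enough to act on.
            findings.append({"kind": "cvv", "line": line_no, "value": m.group(1).lower() + "=***"})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Run it over any log directory before your QSA does; anything it reports is data that must not be there at all (track 2, CVV) or that belongs only in the systems you have declared in scope (PAN). A 13-digit order number and a 14-digit discretionary field in the sample both survive the regex but fail Luhn, which is what keeps the output actionable.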
Categories: Security Posts

Eraser – Windows Secure Erase Hard Drive Wiper

Darknet - The Darkside - 4 hours 14 min ago
Eraser is a hard drive wiper for Windows that lets you securely erase sensitive data from your hard drive by overwriting it several times with carefully selected patterns. It is currently supported on Windows XP (with Service Pack 3), Windows Server 2003 (with Service Pack 2), Windows Vista, Windows Server 2008, Windows 7, 8 and 10, and Windows Server 2012.
Categories: Security Posts

Arduino para Hackers: PoCs & Hacks Just for Fun. New VBook from @0xWord #Arduino

Un informático en el lado del mal - 11 hours 3 min ago
Yesterday the new 0xWord VBook titled "Arduino para Hackers: PoCs and Hacks Just for Fun" was made available to everyone. As you can imagine, it is aimed at helping research enthusiasts get into the world of hardware hacking through Arduino.

Figure 1: Arduino para Hackers: PoCs & Hacks Just for Fun. New VBook from @0xWord
As you know, Arduino was born in 2005 as a project aimed at students who wanted to build simple, low-cost tools for digital projects. And the creators of the project certainly succeeded. Today, many hardware hacking projects use Arduino as their foundation.

Figure 2: A piggy bank protected with Latch and biometrics using Arduino
And of course we use it a lot whenever a bit of hardware has to be built. It has been used in our ElevenPaths projects, in the CDO Ideas Locas group, and in personal projects by contributors to this blog. Here are some works in which Arduino was a fundamental piece:
- Arducky: a Rubber Ducky built on Arduino to hack Windows
- Latch and the IoT: a doorbell controlled by Latch and Arduino
- A piggy bank protected by Latch and biometrics with Arduino
- Cryptographic security in IoT with Arduino
- Smolpion: another Arduino project to build a Rubber Ducky
- IoT security with Edison, Arduino and Sinfonier
That's why we thought it would be great to have a VBook, that is, a video-book course you can follow over a full year to train in this discipline and start building your own projects. It is now available, so you can start following the explanations, doing the exercises and building your own projects.
Figure 3: Arduino para Hackers: PoCs and Hacks Just for Fun
In short, Arduino is an open-source electronics platform designed to make both hardware and software easy to use, with the aim of giving users the ability to build their own interactive projects. The platform makes it quick and easy to carry out a multitude of projects in electronics, automation, control, home automation and so on, and this is precisely one of the reasons for its success: any user with basic knowledge of computing and electronics can program and implement very interesting projects. It is a small brain that lets users automate their lives.

Figure 4: Latch and your home doorbell with Arduino
The limit is set by the user's imagination, but the range of possibilities goes from a system to open and close a garage door, through presence, light and darkness detectors, to implementing a thermometer or a pneumatic cylinder.
This VBook, Arduino para Hackers: PoCs & Hacks Just for Fun, is intended as a self-study guide that lets the user get to know Arduino from a very basic level, working through PoCs and hacks ordered by difficulty. The book covers basics such as installation, using the Arduino IDE, installing libraries, the structure of a sketch, and the main functions needed to program an Arduino board.
It works through hardware concepts, elementary software notions, the developer environment and language, and working with the boards and the various analog and digital components available. All of this is set in the context of the explanations needed to understand the different communications between devices and Arduino's connections to the network, including serial, RF, NFC and Internet communications. The user is also introduced to the fascinating world of home automation and IoT.
Figure 5: Arduino para Hackers: PoCs and Hacks Just for Fun. Agenda of the 0xWord VBook
I have uploaded to SlideShare the complete agenda of this VBook, which was produced by our colleague Álvaro Núñez-Romero Casado. As you can see, it is a purely practical VBook, presenting many examples of small projects that are easy to build thanks to all the advantages Arduino offers, such as flexibility, reliability and price. The end goal is for the user to discover and explore the exciting world of Arduino and everything it makes possible.

Figure 6: 0xWord VBooks
This is video-book number four in the collection of VBooks you can take at 0xWord:
- VBook 01: Windows Server 2016: Administración y Seguridad
- VBook 02: Ataques en Redes de datos IPv4 & IPv6
- VBook 03: Ethical Hacking
- VBook packs 01, 02 and 03
- VBook 04: Arduino para Hackers: PoCs and Hacks Just for Fun
Saludos Malignos!
Categories: Security Posts

Spectre, Meltdown researchers unveil 7 more speculative execution attacks

ArsTechnica: Security Content - 14 hours 33 min ago
Back at the start of the year, a set of attacks that leveraged the speculative execution capabilities of modern high-performance processors was revealed. The attacks were named Meltdown and Spectre. Since then, numerous variants of these attacks have been devised. In tandem, a range of mitigation techniques has been created to enable at-risk software, operating systems, and hypervisor platforms to protect against these attacks. A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems. The previous investigations into these attacks have been a little ad hoc in nature: examining particular features of interest to provide, for example, a Spectre attack that can be performed remotely over a network or a Meltdown-esque attack to break into SGX enclaves. The new research is more systematic, looking at the underlying mechanisms behind both Meltdown and Spectre and running through all the different ways the speculative execution can be misdirected.
Categories: Security Posts

Microsoft Patch Tuesday — November 2018: Vulnerability disclosures and Snort coverage

Cisco Talos - Tue, 2018/11/13 - 20:53
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities: 11 rated "critical," 40 rated "important," and one each rated "moderate" and "low."

The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX.

This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance for how users should configure BitLocker in order to properly enforce software encryption.

For more on our coverage for these vulnerabilities, check out the SNORTⓇ blog post here.

Critical vulnerabilities
Microsoft disclosed 11 critical vulnerabilities this month, which we will highlight below. There is also a critical advisory covering Adobe Flash Player.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557 and CVE-2018-8588 are all memory corruption vulnerabilities in the Chakra scripting engine. They all lie in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. These vulnerabilities could corrupt memory in a way that allows an attacker to execute code in the context of the current user. An attacker needs to convince a user to open a specially crafted, malicious website in Microsoft Edge in order to exploit these bugs.

CVE-2018-8476 is a remote code execution vulnerability in the Windows Deployment Services TFTP server. The bug lies in the way the TFTP server handles objects in memory. An attacker could exploit this vulnerability by sending a specially crafted request to the TFTP server.

CVE-2018-8553 is a remote code execution vulnerability in Microsoft Graphics Components that lies in the way Graphics Components handles objects in memory. An attacker can exploit this vulnerability by providing the user with a specially crafted file.

CVE-2018-8544 is a remote code execution vulnerability that exists in the way that the VBScript engine handles objects in memory. An attacker needs to trick a user into visiting a specially crafted website on Internet Explorer in order to exploit this vulnerability. Alternatively, the attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts Internet Explorer’s rendering engine.

ADV180025 addresses several vulnerabilities in Adobe Flash Player, which are outlined by Adobe in a separate release. Microsoft recommends updating to the latest version of Flash Player, as well as disabling Flash in its web browsers.

Important vulnerabilities
There are also 40 important vulnerabilities in this release. We would like to specifically highlight seven of them.

CVE-2018-8256 is a remote code execution vulnerability in PowerShell when it improperly handles specially crafted files. An attacker could execute malicious code on a vulnerable system. This update fixes the vulnerability by ensuring that PowerShell properly handles files.

CVE-2018-8574 and CVE-2018-8577 are remote code execution vulnerabilities in Microsoft Excel that occur when the software fails to properly handle objects in memory. An attacker could exploit these bugs by tricking the user into opening a specially crafted Excel file, whether as an email attachment or by another method.

CVE-2018-8582 is a remote code execution vulnerability in Microsoft Outlook that occurs when the software fails to properly parse specially modified rule export files. Users whose accounts are configured with fewer rights are less impacted than those who operate with administrative rights. Workstations and terminal servers that use Microsoft Outlook are primarily at risk. An attacker needs to convince a user to open a specially crafted rule export file delivered by email in order to trigger this bug.

CVE-2018-8450 is a remote code execution vulnerability that exists in the way Windows Search handles objects in memory. An attacker could trigger this vulnerability by sending specially crafted messages to the Windows Search service, or remotely via an SMB connection.

CVE-2018-8550 is an elevation of privilege in Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. The vulnerability does not directly allow the user to execute arbitrary code, but it could be used in conjunction with other bugs to execute code with elevated privileges.

CVE-2018-8570 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. An attacker could exploit this bug by hosting a specially crafted website and convincing the user to visit it in Internet Explorer.

The other important vulnerabilities are:
Moderate vulnerabilities
The one moderate vulnerability is CVE-2018-8546, a denial-of-service vulnerability in the Skype video messaging service.

Low vulnerability
There is also one low-rated vulnerability, CVE-2018-8416, which is a tampering vulnerability in .NET Core.

Coverage
In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on

Snort rules: 32637, 45142, 45143, 48399 - 48404, 48374 - 48388, 48393 - 48395, 48360 - 48373, 48408 - 48410
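Talos publishes its coverage as a list of SIDs and SID ranges like the one above, and the practical question for a Snort operator is whether every one of those rules is actually present and enabled in the deployed ruleset. The following is an added example for this page, not Talos code: it expands the SID list, pulls the sid: option out of every non-commented rule in a rules file, and reports the SIDs that are missing or commented out. The rules excerpt it runs against is constructed for the example and is not taken from any real ruleset.

```python
import re
from typing import Set

# SID list as published in the post above.
TALOS_SID_LIST = ("32637, 45142, 45143, 48399 - 48404, 48374 - 48388, "
                  "48393 - 48395, 48360 - 48373, 48408 - 48410")

# Constructed excerpt of a local rules file (rule bodies are placeholders, not
# real Talos signatures). 48375 is commented out, so Snort will not load it.
SAMPLE_RULES = """\
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"SERVER-OTHER example tftp"; sid:32637; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE example"; sid:48374; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE disabled"; sid:48375; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL unrelated"; sid:1000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(spec: str) -> Set[int]:
    """Expand '1, 2, 10 - 12' into {1, 2, 10, 11, 12}."""
    sids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if hi < lo:
                raise ValueError(f"bad range: {part}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


def enabled_sids(rules_text: str) -> Set[int]:
    """SIDs of rules Snort would actually load (commented lines are skipped)."""
    found: Set[int] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            found.add(int(m.group(1)))
    return found


def missing_coverage(spec: str, rules_text: str) -> Set[int]:
    """Advertised SIDs that are absent or disabled in the given rules file."""
    return expand_sids(spec) - enabled_sids(rules_text)


if __name__ == "__main__":
    missing = missing_coverage(TALOS_SID_LIST, SAMPLE_RULES)
    print(f"{len(expand_sids(TALOS_SID_LIST))} advertised, {len(missing)} missing")
    print(sorted(missing))
```

Point `enabled_sids` at the concatenation of your deployed `*.rules` files after an SRU or rule-pack update; an empty result from `missing_coverage` is the only state in which "we have Talos coverage for this Patch Tuesday" is actually true.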
Categories: Security Posts

Windows 10 October 2018 Update is back, this time without deleting your data

ArsTechnica: Security Content - Tue, 2018/11/13 - 20:21
Image caption: This message, shown during Windows upgrades, is going to be salt in the wound. Just over a month since its initial release, Microsoft is making the Windows 10 October 2018 Update widely available today. The update was withdrawn shortly after its initial release due to the discovery of a bug causing data loss. New Windows 10 feature updates use a staggered, ramping rollout, and this (re)release is no different. Initially, it'll be offered only to two groups of people: those who manually tell their system to check for updates (and that have no known blocking issues due to, for example, incompatible anti-virus software), and those who use the media-creation tool to download the installer. If all goes well, Microsoft will offer the update to an ever-wider range of Windows 10 users over the coming weeks. For the sake of support windows, Microsoft is treating last month's release as if it never happened; this release will receive 30 months of support and updates, with the clock starting today. The same is true for related products; Windows Server 2019 and Windows Server, version 1809, are both effectively released today.
Categories: Security Posts

IDA 7.2: Qt 5.6.3 configure options & patch

Hex blog - Tue, 2018/11/06 - 12:29
A handful of our users have already requested information regarding the Qt 5.6.3 build that is shipped with IDA 7.2. Configure options: here are the options that were used to build the libraries. Windows: ...\5.6.3\configure.bat "-nomake" "tests" "-qtnamespace" "QT" "-confirm-license" "-accessibility" "-opensource" "-force-debug-info" "-platform" "win32-msvc2015" "-opengl" "desktop" "-prefix" "C:/Qt/5.6.3-x64" Note that you will have …
Categories: Security Posts

Pattern Welding Explained as Wearable Art

Niels Provos - Tue, 2018/08/28 - 06:37

Pattern welding was used throughout the Viking age to imbue swords with intricate patterns that were associated with mystical qualities. This visualization shows the pattern progression in a twisted rod with increasing removal of material. It took me two years of intermittent work to get to this image. I liked this image so much that I ordered it for myself as a t-shirt and am looking forward to people asking me what the image is all about. If you want a t-shirt yourself, you can order this design via RedBubble. If you end up ordering one, let me know if it gets you into any interesting conversations!

Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018
Categories: Security Posts

ISC Stormcast For Friday, April 6th 2018, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review the installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone
cd HELK/
sudo ./ 
Of the three installation options I was presented with, pulling the latest HELK Docker image from the cyb3rward0g Docker Hub, building the HELK image from a local Dockerfile, or installing HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you; if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case
For my test Windows system I created a Windows 7 x86 virtual machine with VirtualBox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify this and copy it to your target systems. The critical modification is line 123, under the Kafka output, where you need to add the IP address of your HELK server in three spots. My modification appeared as hosts: ["","",""]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml.  This will ensure rich data returns from Sysmon, when using adversary emulation services from APTsimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOCs response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2:
  • Dropping a Powershell netcat alternative into the APT dir
  • Executing nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop in the correct version of 7-Zip for your system architecture. I'm assuming the default binaries are 64-bit; I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option, looking for the above-mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above; see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do list, including the process.commandline and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. That wasn't detailed enough to be particularly useful, so I added a sub-bucket to include the process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
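The Discover searches and the user/process sub-bucket above are manual checks in Kibana. As an added example (not code from the HELK or APTSimulator projects), the following Python expresses the same checks as rules run over Sysmon events, so the APTSimulator list can be validated mechanically instead of one search at a time: files created under C:\TMP, the guest account being enabled and added to Administrators, svchost.exe living outside System32, a modified hosts file, the sethc.exe debugger and RUN key registry writes, and schtasks/at persistence. It also reproduces the user-then-process terms aggregation from Figure 8. The event dictionaries, field names (event_id, user, image, command_line, target_filename, target_object) and the "LAB\malman" user are constructed simplifications of Sysmon's fields, not HELK's schema.

```python
"""Added example: rule checks for the APTSimulator artefacts over constructed
Sysmon-style events, plus the user -> process sub-bucket aggregation.
Field names are a simplified, constructed subset of Sysmon's (not HELK's)."""
from collections import Counter, defaultdict
from typing import Callable, Dict, List

# Constructed sample events. Event IDs follow Sysmon:
# 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet.
EVENTS: List[Dict[str, str]] = [
    {"event_id": "1", "user": "LAB\\malman", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c mkdir C:\\TMP"},
    {"event_id": "11", "user": "LAB\\malman", "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\TMP\nc.ps1"},
    {"event_id": "1", "user": "LAB\\malman", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user guest /active:yes"},
    {"event_id": "1", "user": "LAB\\malman", "image": r"C:\Windows\System32\net1.exe",
     "command_line": "net1 localgroup administrators guest /add"},
    {"event_id": "11", "user": "LAB\\malman", "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\Users\Public\svchost.exe"},
    {"event_id": "1", "user": "LAB\\malman", "image": r"C:\Users\Public\svchost.exe",
     "command_line": r"C:\Users\Public\svchost.exe"},
    {"event_id": "11", "user": "LAB\\malman", "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"event_id": "13", "user": "LAB\\malman", "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"event_id": "13", "user": "LAB\\malman", "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": "1", "user": "LAB\\malman", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /create /tn update /tr C:\\TMP\\m.exe /sc once"},
    # Benign noise: the real svchost.exe from System32 under service accounts.
    {"event_id": "1", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"event_id": "1", "user": "NT AUTHORITY\\LOCAL SERVICE", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k LocalService"},
]

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))

def rule_tmp_working_dir(e: Dict[str, str]) -> bool:
    """#1: any file created under the attacker working directory C:\\TMP."""
    return e["event_id"] == "11" and e.get("target_filename", "").lower().startswith("c:\\tmp\\")

def rule_guest_account_abuse(e: Dict[str, str]) -> bool:
    """#2: net/net1 enabling guest or adding it to the local Administrators group."""
    if e["event_id"] != "1" or _basename(e["image"]) not in ("net.exe", "net1.exe"):
        return False
    cl = e.get("command_line", "").lower()
    return "guest" in cl and ("/active:yes" in cl or "localgroup administrators" in cl)

def rule_svchost_outside_system_dir(e: Dict[str, str]) -> bool:
    """#3: svchost.exe written to or executed from anywhere but System32/SysWOW64."""
    candidates = [e["image"]] + ([e["target_filename"]] if "target_filename" in e else [])
    return any(_basename(p) == "svchost.exe" and not _in_system_dir(p) for p in candidates)

def rule_hosts_file_modified(e: Dict[str, str]) -> bool:
    """#4: Sysmon FileCreate on the hosts file (fires on overwrite as well)."""
    return e["event_id"] == "11" and e.get("target_filename", "").lower().endswith("\\drivers\\etc\\hosts")

def rule_sethc_debugger(e: Dict[str, str]) -> bool:
    """#13: a Debugger value set under IFEO for sethc.exe (sticky keys backdoor)."""
    target = e.get("target_object", "").lower()
    return e["event_id"] == "13" and r"image file execution options\sethc.exe\debugger" in target

def rule_run_key(e: Dict[str, str]) -> bool:
    """#11: a value written under a CurrentVersion\\Run key."""
    return e["event_id"] == "13" and "\\currentversion\\run\\" in e.get("target_object", "").lower()

def rule_task_persistence(e: Dict[str, str]) -> bool:
    """#10/#12: schtasks /create or any at.exe invocation."""
    if e["event_id"] != "1":
        return False
    name = _basename(e["image"])
    return (name == "schtasks.exe" and "/create" in e.get("command_line", "").lower()) or name == "at.exe"

RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "tmp_working_dir": rule_tmp_working_dir,
    "guest_account_abuse": rule_guest_account_abuse,
    "svchost_outside_system_dir": rule_svchost_outside_system_dir,
    "hosts_file_modified": rule_hosts_file_modified,
    "sethc_debugger": rule_sethc_debugger,
    "run_key": rule_run_key,
    "task_persistence": rule_task_persistence,
}

def run_detections(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Return {rule_name: [matching events]} for every rule that fired at least once."""
    hits: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(e)
    return dict(hits)

def user_process_buckets(events: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Kibana-style terms aggregation with a sub-bucket: user -> process basename -> count."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        buckets[e["user"]][_basename(e["image"])] += 1
    return {user: dict(counts) for user, counts in buckets.items()}

def share(buckets: Dict[str, Dict[str, int]], user: str, process: str) -> float:
    """Percentage of one user's events attributable to one process, one decimal place."""
    counts = buckets.get(user, {})
    total = sum(counts.values())
    return round(100.0 * counts.get(process, 0) / total, 1) if total else 0.0

if __name__ == "__main__":
    for name, matched in run_detections(EVENTS).items():
        print(f"{name}: {len(matched)} event(s)")
    buckets = user_process_buckets(EVENTS)
    print("malman cmd.exe share:", share(buckets, "LAB\\malman", "cmd.exe"), "%")
```

Every rule fires on the constructed set while the two genuine svchost.exe launches under SYSTEM and LOCAL SERVICE stay quiet, which is the point of the path check rather than a name match. In HELK you would express the same conditions as Kibana queries over the sysmon-* index; keeping them as code lets you rerun them after each APTSimulator run to confirm that a rule still produces a hit before calling it detection.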
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.