Security Posts

How to "Klingonize" an iPhone and keep it trojanized with Voice Control (3 of 6)

Un informático en el lado del mal - Mon, 2021/01/18 - 08:00
In the previous part of this article we saw which system utilities we could use to build scripts. Now we need to see how to build a battery of scripts that can form the base of commands for controlling the handset. To do that, we have to automate some options: how to create exfiltration scripts with Voice Shortcuts using Voice Command Recording, or with Custom Gestures using Programming Templates and the VOWEL coding pseudo-language we defined for this proof of concept.
Figure 21: How to "Klingonize" an iPhone and keep it trojanized with Voice Control (3 of 6)
The latter was quite a challenge to use, since it lets you do anything on the screen that you would do with your fingers in normal use of the iPhone, but the number of actions per gesture is very small and, on top of that, you have to record them blind. For the example of typing the unlock PIN it can be done more or less well, and more or less quickly, but it is a real challenge if you want to do something more complicated, such as typing a word on the keyboard - even if it is a Keyboard Shortcut - to enter an e-mail address. Let's look at the options we have for encoding the commands and when it is better to use one or the other.
Voice Command Recording
The first thing we will do is focus on Voice Shortcuts. As we saw in the previous part, a lot can be done with them: from showing a grid and tapping an icon by voice, to opening an app without knowing where it is. That is why they will be very useful. Imagine we want to open WhatsApp and we do not know where it is on the screen of the target iPhone. In that case, the best option is to use one of the voice-command Shortcuts that ship with the system.
Figure 22: Voice Shortcuts available by default in iOS
To chain several voice commands, you can use the option of recording the script as a voice command recording. To do so, Voice Control must be enabled on the iPhone (the blue microphone icon appears), and then you say the voice command "Start Recording Commands". At that moment the icon turns blue and we can perform actions on the iPhone by voice, which are recorded as we go. Here is an example.
Figure 23: Voice Command Recording
It is important to understand that things can only be done by voice. If you touch the screen with your finger to scroll up or "swipe up", or perform any other gesture that has no voice equivalent, it will not be recorded. Only voice commands are recorded. Also, you will notice that to control the screen area you have to keep using "Show Numbers", "Show Grid" or "Show Names" all the time.
Figure 24: Show Numbers numbers the places where you can "tap"
At first it is a bit cumbersome, but once you get used to using "Show Grid" for large interfaces with few places to tap, "Show Names" in the app area, and "Show Numbers" when you want to select a control inside an app where there are many controls or they are small, you will get the hang of it. Also, typing is not necessary, since you can use your voice to dictate text when you are in a text input box, and you can even dictate e-mail addresses by spelling them out in English: "c-h-e-m-a-at-gmail-dot-com".
Figure 25: When you record the voice command, you give it a name to invoke it with
When we have finished all the actions, it is enough to say "Stop Recording Commands" and give, as the word to invoke that gesture, one of our beloved Klingon names, so that the script is programmed into the list of commands available for use. So, once you have defined an action, you should encode it as the list of actions to be used, writing something like:
Command (Klingon-Command)
- Start Recording Commands
- Open WhatsApp
- Show Grid
- Seven
- Show Numbers
- Eighteen
- Show Numbers
- Thirteen
- m-y-e-m-a-i-l-at-myserver-dot-com
- ...
- Stop Recording Commands
That way you will have a Klingon script recorded with voice commands that you can use in the rest of the exfiltration actions we are going to create.
Custom Gesture Programming Templates
Custom Gestures let us perform actions that are available neither in the Voice Shortcuts nor in the scripts available in Shortcuts (Workflow). They are for specific things, but just as with Voice Command Recording, we will be able to create a system for encoding actions with Custom Gestures, doing it blind, which is how these gestures are recorded.
When we started this work, if we wanted to be able to "program" scripts with Custom Gestures blind, and efficiently, we needed to solve this problem, so we built a series of gesture Programming Templates on tracing paper so we could know exactly where we were tapping and which gesture had to be performed, and the solution was fairly simple. We needed to create a coordinate system for the iPhone screen that we could refer to, like the names of the squares on a chessboard.
Figure 26: Building the iPhone Programming Templates
These templates let us note the commands in a notebook, as if they were the list of moves in a chess game, which would later help us, when creating the Custom Gestures, to do it effectively on a blind screen where we could replicate the movements exactly using the gesture Programming Template.
Figure 27: Using the Gesture Programming Templates to encode movements and actions on an iPhone
After using them for a while, we quickly realized that the granularity we needed for certain actions, such as pressing the letter "a" on the keyboard, was not the same as for opening an application by tapping its icon on the home screen, so we saw that the best solution was to create custom templates for specific apps or needs, like the one shown here, which is for encoding positions on the keyboard.
With these templates, encoding the gestures to be recorded in Custom Gestures is as simple as noting the point where the gesture starts, the gesture itself, and the end point of the gesture, if needed. You have a map, in the style of chess game notation, for writing down the moves.
Figure 28: Using different Programming Templates
Of course, just as happens to user experience designers for iPhone screens, the models and versions of the operating system make the encoding of actions differ, and it is necessary to make gesture Programming Templates adapted to the specific characteristics of each iPhone model and each iOS version with relevant changes.
With all these elements, that is, Keyboard Shortcuts, Voice Shortcuts, Voice Command Recording, Custom Gestures and Workflow Shortcuts, we have enough to program the data exfiltration scripts on the iPhone that a R.A.T. (Remote Administration Tool) would need, invoked by one or more Voice Commands in Klingon. In other words, we will be able to leave an iPhone fully trojanized and control it using Klingon. Always, of course, in the scenarios we described in the first part of this article.
VOWEL (Voice Orders for Weaponizing Exfiltration Language)
In order to leave the remote-control scripts for data exfiltration encoded - which was the original purpose of our work - we began by writing down what had to be done as a list of actions in which we define what must be recorded on the handset. That list of actions is based on the use of primitives of a programming pseudo-language we called VOWEL.
That is, a list of activities to be carried out so that a specific remote-control script ends up enabled and available for use on the handset being configured. Our own language. The primitives we used for the list of scripts we created were the following, which are the ones we will see in each of the examples.
  • Command (string): The voice command defined to run this action. This is where, for the final scripts, we will use the Klingon language (which must be installed on the handset as explained in the first part of this article). It is the same as in the previous case, where we used Voice Command Recording based on Voice Shortcuts, but with a different list of automated actions.
  • Template(X): For Custom Gestures, the template, from those we have created, that was used. It may be the one for the Home Screen, the Keyboard Screen, the screen of a specific app, and so on.
  • KeyboardShortcut("xy","string"): For Keyboard Shortcuts, indicates which shortcut must be created in the system. "xy" are the keys to be pressed, and "string" is the word, URL, e-mail address, etc. that they will be replaced with.
  • Tap (Sequence of positions): List of positions on the template where a Tap must be made - initially we called it Touch but we changed it to Tap - in order to record a sequence of taps. Keep in mind that a reasonable delay must be left between each Tap or click so that the iPhone or the app has time to respond.
We used no special encoding for this in our scripts, but it has to be taken into account when making the notes. We left 1 second between each Tap, but if more were needed it could be noted as:   Tap (A1, B2[2], C1, A1[2],C3)   where we are indicating that after tapping position B2 of the template we are using, a pause of 2 seconds must be left, and after position A1, 3 seconds.
  • Scroll(Position,Shape,Force): Here we identify the start point of the gesture on the template in use, the scroll movement to perform, which can be something like Up, Down, UpRight, UpLeft, DownRight, DownLeft, Right, Left, etc., and the Force, which is the number of template cells to move.
Of course, there are specific situations and gestures where the encoding with this command is not precise enough, but for the first versions it served us without the need for more complex primitives.
  • Shortcuts(Shortcut script - workflow -): The last primitive would be the use of an automation made with a "Shortcuts" script, which is what Apple has renamed the Workflow system that ships with the OS. We do not go into defining Workflows, since they have their own way of encoding actions into scripts that can be shared between handsets. In our work we did not use any Shortcuts script for the examples we are going to see in this article.
The good thing about this is that the encoding of a Keyboard Shortcut can also be done with a Voice Command Recording, and once we have a Custom Gesture recorded with its gesture Programming Templates we can also invoke it with a voice command. So once we have all the elements we can build a huge script of actions that is invoked with a single Klingon Command made with Voice Command Recording. But we will look at the tests we did in the next part of this article.
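As an added example (not code from the original post or its authors), a parser for the VOWEL notation described above that turns a script into a checked action list: it applies the 1 second default pause between Taps, reads the [n] pause override, validates each position against the template grid and rejects gestures that fall outside it. The template names and grid sizes are assumptions, since the post defines the notation but not the dimensions of each template.

```python
"""Parser and checker for the VOWEL notation described in the post above.

Added example, not code from the original post or its authors. Template names
and grid sizes are assumptions (the post defines the notation but not the
dimensions of each programming template).
"""
import re
from dataclasses import dataclass

DEFAULT_PAUSE = 1.0  # seconds left between consecutive Taps, per the post

# Assumed (columns, rows) of each programming template; positions are named
# like chess squares: column letter A.., row number 1..
TEMPLATE_GRIDS = {"HomeScreen": (4, 6), "Keyboard": (10, 4)}

SCROLL_SHAPES = {"Up", "Down", "Left", "Right",
                 "UpRight", "UpLeft", "DownRight", "DownLeft"}

PRIMITIVE_RE = re.compile(r"^(\w+)\s*\((.*)\)$")
# Position token with optional pause override, e.g. B2 or B2[2]
POSITION_RE = re.compile(r"^([A-Z])(\d+)(?:\[(\d+)\])?$")


@dataclass
class Action:
    kind: str           # Command, Template, KeyboardShortcut, Tap or Scroll
    args: tuple         # primitive arguments after parsing
    pause: float = 0.0  # seconds to wait after this action (Taps only)


def parse_position(token, grid):
    """Validate a position such as B2[2] against the template grid."""
    m = POSITION_RE.match(token)
    if not m:
        raise ValueError(f"bad position {token!r}")
    col = ord(m.group(1)) - ord("A") + 1
    row = int(m.group(2))
    cols, rows = grid
    if not (1 <= col <= cols and 1 <= row <= rows):
        raise ValueError(f"{token} lies outside the {cols}x{rows} template")
    pause = float(m.group(3)) if m.group(3) else DEFAULT_PAUSE
    return f"{m.group(1)}{row}", pause


def parse_script(text):
    """Turn a VOWEL script (one primitive per line) into a list of Actions."""
    actions, grid = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PRIMITIVE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line {line!r}")
        name, body = m.group(1), m.group(2).strip()
        if name == "Command":
            actions.append(Action("Command", (body,)))
        elif name == "Template":
            if body not in TEMPLATE_GRIDS:
                raise ValueError(f"unknown template {body!r}")
            grid = TEMPLATE_GRIDS[body]
            actions.append(Action("Template", (body,)))
        elif name == "KeyboardShortcut":
            keys, replacement = [p.strip().strip('"') for p in body.split(",", 1)]
            actions.append(Action("KeyboardShortcut", (keys, replacement)))
        elif name in ("Tap", "Scroll"):
            if grid is None:
                raise ValueError(f"{name} used before any Template")
            parts = [p.strip() for p in body.split(",")]
            if name == "Tap":
                for token in parts:
                    pos, pause = parse_position(token, grid)
                    actions.append(Action("Tap", (pos,), pause))
            else:
                start, shape, force = parts
                if shape not in SCROLL_SHAPES:
                    raise ValueError(f"unknown scroll shape {shape!r}")
                start_pos, _ = parse_position(start, grid)
                actions.append(Action("Scroll", (start_pos, shape, int(force))))
        else:
            raise ValueError(f"unknown primitive {name!r}")
    return actions


def total_wait(actions):
    """Seconds of pauses the recording will need between Taps."""
    return sum(a.pause for a in actions)


# Constructed sample script in the notation from the post.
SAMPLE_SCRIPT = """
Command (Klingon-Command)
Template (HomeScreen)
Tap (A1, B2[2], C1, A1[2], C3)
Scroll (B3, Up, 2)
KeyboardShortcut ("xy", "myemail@myserver.com")
"""

if __name__ == "__main__":
    parsed = parse_script(SAMPLE_SCRIPT)
    for action in parsed:
        print(action)
    print("total wait between taps:", total_wait(parsed), "s")
```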
Saludos Malignos!
- How to "Klingonize" an iPhone and keep it trojanized with Voice Control (1 of 6)
- How to "Klingonize" an iPhone and keep it trojanized with Voice Control (2 of 6)
- How to "Klingonize" an iPhone and keep it trojanized with Voice Control (3 of 6)
- How to "Klingonize" an iPhone and keep it trojanized with Voice Control (4 of 6)
- How to "Klingonize" an iPhone and keep it trojanized with Voice Control (5 of 6)
- How to "Klingonize" an iPhone and keep it trojanized with Voice Control (6 of 6)
Author: Chema Alonso
Categories: Security Posts

Multiple backdoors and vulnerabilities discovered in FiberHome routers

Zero Day | ZDNet RSS Feed - Mon, 2021/01/18 - 07:30
At least 28 backdoor accounts found in FiberHome FTTH ONT routers.
Categories: Security Posts

GDPR: German laptop retailer fined €10.4m for video-monitoring employees

Zero Day | ZDNet RSS Feed - Mon, 2021/01/18 - 06:44
NBB (notebooksbilliger.de) described the GDPR fine "as wrong as it is irresponsible."
Categories: Security Posts

ISC Stormcast For Monday, January 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7332, (Mon, Jan 18th)

SANS Internet Storm Center, InfoCON: green - Mon, 2021/01/18 - 04:00
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Update: Python Templates Version 0.0.4

Didier Stevens - Mon, 2021/01/18 - 02:00
Here is a bug fix version for my Python template (binary files). I use these templates as a starting point for new tools or for quick development of ad-hoc tools. python-templates_V0_0_4.zip (https)
MD5: 0ED3B69594A5BCD5069391177A6C1F79
SHA256: 15DBE4FD16F19FEBF4CB9381E4D59A1B7ECC11C43B48AE96FADD75FC53BB189F
Categories: Security Posts

Update: count.py Version 0.3.0

Didier Stevens - Sun, 2021/01/17 - 13:06
This is a Python 3 update for my count.py tool, a tool to count items. count_v0_3_0.zip (https)
MD5: 52B9E424640983892FAD7734D0388860
SHA256: 4ED5A3FD913E6953A4635AB93F015BEDE08DF3448125DD95E1EFCB47A320D0D5
Categories: Security Posts

Cyber News Rundown: Gaming Industry in Crosshairs of Cybercriminals

Webroot - Wed, 2021/01/13 - 23:07
Top gaming companies positioned to be next major cyberattack target
After healthcare and higher education emerged as lucrative targets for cyberattacks in 2020, researchers have identified the video gaming industry as another key target. By scouring the dark web for stolen data belonging to any of the top 25 largest gaming firms, over a million unique and newly uploaded accounts were discovered. Additionally, researchers found credentials for over 500,000 gaming company employees exposed in previous data breaches but used for multiple accounts.
Hardcoded backdoors discovered in Zyxel devices
Researchers recently stumbled upon an undocumented admin account on multiple Zyxel devices using basic login credentials and granting full access to devices commonly used to monitor internet traffic. This vulnerability was first spotted when several warnings for unauthorized login attempts were identified using admin/admin as the username and password, presumably in hopes of accessing other unprotected devices on the network. This undocumented account can only be viewed through an SSH connection or a web interface and could be an issue for over 100,000 Zyxel devices currently connected to the internet.
Vodafone operation reveals major data breach
Vodafone's budget operator ho. Mobile has revealed that its systems were compromised late last month and a database containing sensitive information belonging to nearly 2.5 million customers was leaked. Along with personally identifiable information is data related to customer SIM cards, which can be used to enable SIM-swap attacks that allow attackers to control specific users' messaging services. The stolen database has been for sale on the dark web for a starting price of $50,000 since shortly after the attack was discovered.
ElectroRAT quietly steals cryptocurrency across multiple operating systems
After operating for nearly a year, the silent cryptocurrency stealer ElectroRAT has finally been identified using multiple different Trojanized apps to operate on Windows, Mac and Linux systems. To make these malicious apps appear more credible, the authors placed advertisements on social media and cryptocurrency-related websites that have led to thousands of installations. By spreading the attack across multiple operating systems, the attackers increased their chances of accessing information of value.
Vancouver's TransLink suffers ransomware attack
Nearly a month after officials identified technical issues with IT systems at Metro Vancouver's TransLink transportation authority, the interruption was discovered to be the work of the Egregor ransomware group. While the attack didn't compromise customer data, it is believed that employee banking and personal information was stolen. TransLink employees are working to restore systems to proper functionality, though some seem to have been more damaged than others.
Categories: Security Posts

Maze Ransomware is Dead. Or is it?

Webroot - Wed, 2021/01/13 - 21:58
“It’s definitely dead,” says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. “At least,” he amends, “for now.” Maze ransomware, which made our top 10 list for Nastiest Malware of 2020 (not to mention numerous headlines throughout the last year), was officially shut down in November of 2020. The ransomware group behind it issued a kind of press release, announcing the shutdown and that they had no partners or successors who would be taking up the mantle. But before that, Maze had been prolific and successful. In fact, shortly before the shutdown, Maze accounted for an estimated 12% of all successful ransomware attacks. So why did they shut down? I sat down with Tyler to get his take on the scenario and find out whether Maze is well and truly gone.
Why do you think Maze was so successful?
Maze had a great business model. They were the group that popularized the breach leak/auction website. So, they didn’t just steal and encrypt your files like other ransomware; they threatened to expose the data for all to see or even sell it at auction.
Why was this shift so revolutionary?
The Maze group tended to target pretty huge organizations with 10,000 employees or more. Businesses that big are likely to have decent backups, so just taking the data and holding it for ransom isn’t much of an incentive.

Now think about this: those huge businesses also would’ve been subject to pricey fines for data breaches because of regulations like GDPR; and they’re also more likely to have big budgets to pay a ransom. So, instead of simply saying, “we have your data, pay up,” they said, “we have your data and if you don’t pay, we’ll expose it to the world – which includes the regulators and your customers.” Most of the time, paying the ransom is going to be the more cost-effective (and less embarrassing) option. We don’t know if the Maze group invented this tactic, but they definitely set the trend, and a bunch of other ransomware groups started following it.
Other than the leak sites, did they do anything else noteworthy or different from other groups?
One of the bigger threat trends we saw in 2020 was malware groups partnering up for different pieces of the infection chain, such as Trojans, backdoors, droppers, etc. The botnet Emotet, for example, was responsible for a huge percentage of ransomware infections from various different groups. Maze, however, was pretty self-contained. We saw them working with a few other groups throughout 2020, but they had their own malspam campaign for delivery and everything else they needed in-house, so to speak. They were like a one-stop shop.
Do you think the move to remote work during the pandemic contributed to their success?
Absolutely, though you could say that about any ransomware group. Phishing and RDP attacks really ramped up when people started working from home. Home networks and personal devices are generally much less secure than corporate ones, and cybercriminals are always looking for ways to exploit a given situation for their gain.
If Maze was doing so well, why did they shut down?
Probably because they’d gotten too much attention. The more notoriety you get, the harder it is to operate. We see this with a lot of malware groups. They shut down for a while, either to lie low because the heat is on, or to just spend the money they’ve gotten from their payouts and enjoy life. Or, sometimes, they don’t lie low at all but just rebrand themselves under a new name. Either way, they tend to come back. For example, a ransomware variant called Ryuk went dark and came back as Conti. Emotet went away for a long time too and then came back under the same group name.
How can you tell when an old group has rebranded?
Unless they announce it in some way, the only way to really tell is if you can get a sample of the malware and reverse engineer it and look at the code. One of our threat researchers did that with a sample of Sodinokibi and discovered it had “GandCrab version 6” in its code. So, that’s an example of a rebrand, but it can be hard to spot.
Do you think Maze is done for good?
Not a chance. They attacked huge targets and got massive payouts. Most ransomware groups attack smaller businesses who are less likely to have strong enough security measures. Even the ones that targeted larger corporations, like Ryuk, still attacked businesses one-fifth the size of a typical Maze target. Now, the Maze group can relax and take a lavish vacation with all the money they got. But I’d be pretty shocked if they just abandoned such a winning business model entirely.
The verdict: Maze may be gone for now, but experts are fairly certain we haven’t seen the last of this virulent and highly successful malware group. In the meantime, Tyler advises businesses everywhere to use the lull as an opportunity to batten down their cyber resilience strategies by implementing layered security measures, locking down RDP, and educating employees on cybersecurity and risk avoidance. Stay tuned for more ransomware developments right here on the Webroot blog.
Categories: Security Posts

Abusing cloud services to fly under the radar

Fox-IT - Tue, 2021/01/12 - 15:53
tl;dr
NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to passenger data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 and April 2020. Our threat intelligence analysts noticed clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims, operating in Chinese interests. In open source this actor is referred to as Chimera by CyCraft. NCC Group and Fox-IT have seen this actor remain undetected, their dwell time, for up to three years. As such, if you were a victim, they might still be active in your network looking for your most recent crown jewels. We contained and eradicated the threat from our clients' networks during incident response, whilst our Managed Detection and Response (MDR) clients automatically received detection logic. With this publication, NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set. Throughout we use the terminology standardized by MITRE in their ATT&CK framework to describe the various phases, tactics, and techniques of the intrusions. Near the end of this article all the tactics and techniques used by the adversary are listed with links to the MITRE website with more information.
From initial access to defense evasion: how it is done
In all the intrusions we have observed, they are performed in similar ways by the adversary: from initial access all the way to actions on objectives.
The objective in these cases appears to be stealing sensitive data from the victim's networks.
Credential theft and password spraying to Cobalt Strike
This adversary starts by obtaining usernames and passwords of their victim from previous breaches. These credentials are used in a credential stuffing or password spraying attack against the victim's remote services, such as webmail or other internet-reachable mail services. After obtaining a valid account, they use this account to access the victim's VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remote services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator accounts, the adversary performs another password spraying attack until a valid admin account is compromised. With this valid admin account, a Cobalt Strike beacon is loaded into memory of patient zero. From here on the adversary stops using the victim's remote service to access the victim's network, and starts using the Cobalt Strike beacon for remote access and command and control.
Network discovery and lateral movement
The adversary continues their discovery of the victim's network from patient zero. Various scans and queries are used to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. If the obtained valid account is already a member of the domain admins group, the first lateral move in the network is usually to a domain controller, where the adversary also deploys a Cobalt Strike beacon. Otherwise, a jump host or other system likely used by domain admins is found and equipped with a Cobalt Strike beacon.
After this the adversary dumps the domain admin credentials from the memory of this machine, continues moving laterally through the network, and places Cobalt Strike beacons on servers for increased persistent access into the victim's network. If the victim's network contains other Windows domains or different network security zones, the adversary scans for and finds the trust relationships and jump hosts, attempting to move into the other domains and security zones. The adversary is typically able to perform all the steps described above within one day. During this process, the adversary identifies data of interest from the network of the victim. This can be anything from file and directory listings, configuration files, manuals, email stores in the guise of OST and PST files, file shares with intellectual property (IP), and personally identifiable information (PII) scraped from memory. If the data is small enough, it is exfiltrated through the command and control channel of the Cobalt Strike beacons. However, usually the data is compressed with WinRAR, staged on another system of the victim, and from there copied to a OneDrive account controlled by the adversary. After the adversary completes their initial exfiltration, they return every few weeks to check for new data of interest and user accounts. At times they have been observed attempting to perform a degree of anti-forensic activities, including clearing event logs, time stomping files, and removing scheduled tasks created for some objectives. But this isn't done consistently across their engagements.
Framing the adversary's work in the MITRE ATT&CK framework
Credential access (TA0006)
The earliest and longest lasting intrusion by this threat we observed was at a company in the semiconductors industry in Europe and started early Q4 2017. The more recent intrusions took place in 2019 at companies in the aviation industry.
The techniques used to achieve access at the companies in the aviation industry closely resemble the techniques used at victims in the semiconductors industry. The threat used valid accounts against remote services: cloud-based applications utilizing federated authentication protocols. Our incident responders analysed the credentials used by the adversary and the traces of the intrusion in log files. They uncovered an obvious overlap between the credentials used by this threat and the presence of those same accounts in previously breached databases. Besides that, the traces in log files showed more login attempts than usual with a username formatted as an email address, e.g. <username>@<email domain>, while usernames for legitimate logins at the victim's network were generally formatted like <domain>\<username>. Attempted logins also came from a relatively small set of IP addresses. For the investigators at NCC Group and Fox-IT these pieces of evidence supported the hypothesis of the adversary achieving credential access by brute force, and more specifically by credential stuffing or password spraying.
Initial access (TA0001)
In some of the intrusions the adversary used the valid account to directly log in to a Citrix environment and continued their work from there. In one specific case, the adversary, now armed with the valid account, was able to access a document stored in SharePoint Online, part of Microsoft Office 365. This specific document described how to access the internet-facing company portal and the web-based VPN client into the company network. Within an hour after grabbing this document, the adversary accessed the company portal with the valid account. From this portal it was possible to launch the web-based VPN. The VPN was protected by two-factor authentication (2FA), by sending an SMS with a one-time password (OTP) to the user account's primary or alternate phone number.
It was possible to configure an alternate phone number for the logged-in user account at the company portal. The adversary used this opportunity to configure an alternate phone number controlled by the adversary. By performing two-factor authentication interception, receiving the OTP on their own telephone number, they gained access to the company network via the VPN. However, they also made a mistake during this process within one incident. Our hypothesis is that they tested the 2FA system first or selected the primary phone number to send an SMS to. As a result, the European owner of the account received a text message with Simplified Chinese characters on the primary phone number in the middle of the night Eastern European Time (EET). NCC Group and Fox-IT identified that the language in the text message for 2FA is based on the web browser's language settings used during the authentication flow. Thus the 2FA code was sent with supporting Chinese text.
Account discovery (T1087)
With access into the network of the victim, the adversary finds a way to install a Cobalt Strike beacon on a system of the victim (see Execution). But before doing so, we observed the adversary checking the current permissions of the obtained user account with the following commands:
net user
net user Administrator
net user <username> /domain
net localgroup administrators
If the user account doesn't have local administrative or domain administrative permissions, the adversary attempts to discover which local or domain admin accounts exist, and exfiltrates the admins' usernames. To identify whether privileged users are active on remote servers, the adversary makes use of PsLogList from Microsoft Sysinternals to retrieve the Security event logs. The built-in Windows quser command to show logged-on users is also heavily used by them. If such a privileged user was recently active on a server, the adversary executes Cobalt Strike's built-in Mimikatz to dump its password hashes.
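A detection heuristic for the credential-access traces described above (many distinct accounts tried from a few source IPs, with usernames in <username>@<email domain> form where the organisation's own logins look like <domain>\<username>), written as an added example that is not code from NCC Group or Fox-IT; the log line format, the thresholds and the sample lines are all constructed for this example.

```python
"""Heuristic detector for the password-spraying traces described above.

Added example; this is not code from the NCC Group / Fox-IT write-up. It looks
for the two indicators the write-up reports in remote-service auth logs:
many distinct accounts tried from one source IP inside a short window, and
usernames written as <username>@<email domain> where the organisation's own
logins look like <domain>\\<username>. The log line format, thresholds and
sample lines below are all constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username as typed, result.
# The first block is a spray from one external IP against email-style names;
# the rest is normal daytime use with the organisation's DOMAIN\user form.
SAMPLE_LOG = """\
2019-11-03T02:14:07Z 203.0.113.5 alice@example.com FAILURE
2019-11-03T02:14:09Z 203.0.113.5 bob@example.com FAILURE
2019-11-03T02:14:11Z 203.0.113.5 carol@example.com FAILURE
2019-11-03T02:14:13Z 203.0.113.5 dave@example.com FAILURE
2019-11-03T02:14:15Z 203.0.113.5 erin@example.com SUCCESS
2019-11-03T02:14:17Z 203.0.113.5 frank@example.com FAILURE
2019-11-03T02:14:19Z 203.0.113.5 grace@example.com FAILURE
2019-11-03T02:14:21Z 203.0.113.5 heidi@example.com FAILURE
2019-11-03T08:01:02Z 10.20.30.41 CORP\\alice SUCCESS
2019-11-03T08:03:17Z 10.20.30.42 CORP\\bob SUCCESS
2019-11-03T08:05:40Z 10.20.30.42 CORP\\bob FAILURE
2019-11-03T08:05:55Z 10.20.30.42 CORP\\bob SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAILURE)$")
# <username>@<email domain> form; a backslash (DOMAIN\user) never matches.
EMAIL_STYLE_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")


@dataclass
class AuthEvent:
    when: datetime
    src_ip: str
    username: str
    success: bool


@dataclass
class SprayAlert:
    src_ip: str
    window_start: datetime
    distinct_accounts: int
    email_style_share: float
    # accounts that logged in successfully inside the flagged window
    compromised: list = field(default_factory=list)


def parse_log(text):
    """Parse constructed log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(when, ip, user, result == "SUCCESS"))
    return events


def is_email_style(username):
    return bool(EMAIL_STYLE_RE.match(username))


def detect_spraying(events, window=timedelta(hours=1),
                    min_accounts=5, min_email_share=0.8):
    """Return one alert per source IP whose attempts look like a spray.

    A spray is flagged when, within `window`, a single IP tries at least
    `min_accounts` distinct usernames and at least `min_email_share` of them
    use the email-address form. Successful logins inside that window are
    reported so the responder knows which accounts to reset first.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.when)
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.when - first.when <= window]
            users = {e.username for e in in_window}
            if len(users) < min_accounts:
                continue
            share = sum(is_email_style(u) for u in users) / len(users)
            if share < min_email_share:
                continue
            hits = sorted({e.username for e in in_window if e.success})
            alerts.append(SprayAlert(ip, first.when, len(users), share, hits))
            break  # first qualifying window is enough for one alert per IP
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(parse_log(SAMPLE_LOG)):
        print(alert)
```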
Privilege escalation (TA0004)

The adversary started a password spraying attack against those domain admin accounts, and successfully obtained a valid domain admin account this way. In other cases, the adversary moved laterally to another system with a domain admin logged in. We observed the use of Mimikatz on this system and saw the hashes of the logged-in domain admin account going through the adversary's command and control channel. The adversary used a tool called NtdsAudit to dump the password hashes of domain users; we observed the following command:

    msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv

Note: the adversary renamed ntdsaudit.exe to msadcs.exe. But we also observed the adversary using the tool ntdsutil to create a copy of the Active Directory database NTDS.dit, followed by a repair action with esentutl to fix a possibly corrupt NTDS.dit:

    ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\tmp" q q
    esentutl /p /o ntds.dit

Both ntdsutil and esentutl are installed by default on a domain controller. A tool used by the adversary which was not installed on the servers by default was DSInternals. DSInternals is a PowerShell module that makes use of internal Active Directory features. The files and directories found on various systems of a victim match DSInternals version 2.16.1. We have found traces that indicate DSInternals was executed and at which time, which match the rest of the traces of the intrusion. We haven't recovered traces of how the adversary used DSInternals, but considering the phase of the intrusion in which the adversary used the tool, it is likely they used it for account discovery or privilege escalation, or both.

Execution (TA0002)

The adversary installs a hacker's best friend during the intrusion: Cobalt Strike. Cobalt Strike is a framework designed for adversary simulation, intended for penetration testers and red teams.
It has been widely adopted by malicious threats as well. The Cobalt Strike beacon is installed in memory by using a PowerShell one-liner. At least the following three versions of Cobalt Strike have been in use by the adversary:
  • Cobalt Strike v3.8, observed Q2 2017
  • Cobalt Strike v3.12, observed Q3 2018
  • Cobalt Strike v3.14, observed Q2 2019
Fox-IT has been collecting information about Cobalt Strike team servers since January 2015. This research project covers the fingerprinting of Cobalt Strike servers and is described in the Fox-IT blog "Identifying Cobalt Strike team servers in the wild". The collected information allows Fox-IT to correlate Cobalt Strike team servers based on various configuration settings. Because of this, historic information was available during this investigation. Whenever a Cobalt Strike C2 channel was identified, Fox-IT performed lookups in the collection database. If a match was found, the configuration of the Cobalt Strike team server was analysed. This configuration was then compared against the other Cobalt Strike team servers to check for similarities in, for example, domain names, version number, URL, and various other settings.

The adversary heavily relies on scheduled tasks for executing a batch file (.bat) to perform their tasks. An example of the creation of such a scheduled task by the adversary:

    schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st 06:59:00

The batch files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the compromised system.

Persistence (TA0003)

The adversary loads the Cobalt Strike beacon in memory, without any persistence mechanism on the compromised system. Once the system is rebooted, the beacon is gone. The adversary is still able to keep persistent access by installing the beacon on systems with high uptimes, such as servers. Besides using the Cobalt Strike beacon, the adversary also searches for VPN and firewall configs, possibly to function as backup access into the network. We haven't seen the adversary use those access methods after the first Cobalt Strike beacons were installed, maybe because it was never necessary.
After the first bulk of data is exfiltrated, the persistent access into the victim's network is periodically used by the adversary to check if new data of interest is available. They also create a new copy of the NTDS.dit and SYSTEM registry hive files to crack for new credentials.

Discovery (TA0007)

The adversary applied a wide range of discovery tactics. Below we have highlighted a few specific tools the adversary used for discovery purposes. A summary of most of the commands used by the adversary for discovery can be found at the end of this article.

Account discovery tool: PsLogList

Command used:

    psloglist.exe -accepteula -x security -s -a <date>

This command exports a text file with comma-separated fields. The text file contains the contents of the Security event log after the specified date. PsLogList is part of the Sysinternals toolkit from Mark Russinovich (Microsoft). The tool was used by the adversary on various systems to write events from the Windows Security event log to a text file. A possible intent of the adversary could be to identify whether privileged users are active on the systems. If such a privileged user was recently active on a server, the actor executes Cobalt Strike's built-in Mimikatz to dump its credentials or password hash.

Account discovery tool: NtdsAudit

Command used:

    msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv

It imports the specified Active Directory database NTDS.dit and registry file SYSTEM and exports the password hashes found into RecordedTV_pdmp.txt and the user details into RecordedTV_users.csv. The NtdsAudit utility is an auditing tool for Active Directory databases. It allows the user to collect useful statistics related to accounts and passwords. The utility was found on various systems of a victim and matches the NtdsAudit.exe program file version v2.0.5 published on the GitHub project page.

Network service scanning

Commands used:

    get -b <start ip> -e <end ip> -p
    get -b <start ip> -e <end ip>

Get.exe appears to be a custom tool used to scan IP ranges for HTTP service information. NCC Group and Fox-IT decompiled the tool for analysis. This showed the tool was written in the Python scripting language and packed into a Windows executable file. Though Fox-IT didn't find any direct occurrences of the tool on the internet, the decompiled code showed strong similarities with the source code of a tool named GetHttpsInfo. GetHttpsInfo scans the internal network for HTTP and HTTPS services and is able to discover HTTP servers within the range of a network. The tool was shared on a Chinese forum around 2016.

Figure 1: Example of a download location for GetHttpsInfo.exe

Lateral movement (TA0008)

The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons on newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. The adversary attempts to move to a domain controller as soon as possible after getting a foothold in the victim's network. They continue lateral movement and discovery in an attempt to identify the data of interest. This could be a web server to carve PII from memory, or a file server to copy IP, as we have observed both. At one customer, the data of interest was stored in a separate security zone. The adversary was able to find a dual-homed system and compromise it. From there on they used it as a jump host into the higher security zone and started collecting the intellectual property stored on a file server in that zone. In one event we saw the adversary compromise a Linux system through SSH. The user account was possibly compromised on the Linux server by credential stuffing or password spraying: log files on the Linux system show traces which can be attributed to a credential stuffing or password spraying attack.
Lateral tool transfer (T1570)

The adversary applies living-off-the-land techniques very well by incorporating default Windows tools in its arsenal. But not all tools used by the adversary are so-called LOLBins: as said before, they use Cobalt Strike. They also rely on custom tools for network scanning (get.exe), carving data from memory, compressing data, and exfiltrating data. But first: how did they get the tools onto the victim's systems? The adversary copied those tools over SMB from compromised system to compromised system wherever they needed them. A few examples of commands we observed:

    copy get.exe \\<ip>\c$\windows\temp\
    copy msadc* \\<hostname>\c$\Progra~1\Common~1\System\msadc\
    copy update.exe \\<ip>\c$\windows\temp\
    move ak002.bat \\<ip>\c$\windows\temp\update.bat

Collection (TA0009)

In preparation for exfiltrating the data needed for their objective, the adversary collected data from various sources within the victim's network. As described before, the adversary collected data from an information repository, Microsoft SharePoint Online in this case. This document was exfiltrated and used to continue the intrusion via a company portal and VPN. In all cases we've seen the adversary copying results of the discovery phase, like file and directory lists from local systems, network shared drives, and file shares on remote systems. But email collection is also important for this adversary: in every intrusion we saw the mailboxes of some users being copied, from both local and remote systems:

    wmic /node:<ip> process call create "cmd /c copy c:\Users\<username>\<path>\backup.pst c:\windows\temp\backup.pst"
    copy "i:\<path>\<username>\My Documents\<filename>.pst"
    copy \\<hostname>\c$\Users\<username>\AppData\Local\Microsoft\Outlook*.ost

Files and folders of interest are collected as well and staged for exfiltration. The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR).
How this PNR data is obtained likely differs per victim, but we observed the use of several custom DLL files to continuously retrieve PNR data from the memory of systems where such data is typically processed, such as flight booking servers. The DLLs used were side-loaded in memory on compromised systems. After placing the DLL in the appropriate directory, the actor would change the date and time stamps on the DLL files to blend in with the other legitimate files in the directory.

Adversaries aiming to exfiltrate large amounts of data will often use one or more systems or storage locations for intermittent storage of the collected data. This process is called staging and is one of the activities that NCC Group and Fox-IT have observed in the analysed C2 traffic. We've seen the adversary staging data on a remote system or on the local system. Most of the time the data is compressed and copied in one step. Only a handful of times did the adversary copy the data first before compressing (archive collected data) and exfiltrating it. The adversary compresses and encrypts the data by using WinRAR from the command line. The filename of the command-line executable for WinRAR is RAR.exe by default. This activity group always uses a renamed version of rar.exe. We have observed the following filenames across all intrusions:
  • jucheck.exe
  • RecordedTV.ms
  • teredo.tmp
  • update.exe
  • msadcs1.exe
The adversary typically places the executables in the following folders:
  • C:\Users\Public\Libraries\
  • C:\Users\Public\Videos\
  • C:\Windows\Temp\
We have observed the following four variants of the use of rar.exe as update.exe:

    update a -m5 -hp<password> <target_filename> <source>
    update a -m5 -r -hp<password> <target_filename> <source>
    update a -m5 -inul -hp<password> <target_filename> <source>
    update a -m5 -r -inul -hp<password> <target_filename> <source>

The command line parameters have the following effect:
  • a = add to archive.
  • m5 = use compression level 5.
  • r = recurse subfolders.
  • inul = suppress error messages.
  • hp<password> = encrypt both file data and headers with password.
The password used and the file extensions of the staged data differ per intrusion. We've seen the use of .css, .rar, .log.txt, and no extension for staged pieces of data. After compromising a host with a Linux operating system, data is also compressed. In that case the adversary compresses the data as a gzipped tar file: tar.gz. Sometimes no file extension is used, or the file extension is .il. Most of the time the file names are prefixed with adsDL_ or contain the word "list". The files are staged in the home folder of the compromised user account: /home/<username>/

Command and control (TA0011)

The adversary uses Cobalt Strike as the framework to manage their compromised systems. We observed the adversary using Cobalt Strike's C2 protocol encapsulated in DNS in 2017 and 2018. They switched to C2 encapsulated in HTTPS in Q3 2019. An interesting observation is that they made use of a cracked/patched trial version of Cobalt Strike. This is important to note because the functionality of Cobalt Strike's trial version is limited. More importantly: the trial version doesn't support encryption of command and control traffic in cases where the protocol itself isn't encrypted, such as DNS. In one intrusion we investigated, the victim had years of logging of outgoing DNS requests available. The DNS responses weren't logged. This means that only the DNS C2 leaving the victim's network was logged. We developed a Python script that decoded and combined most of the logged C2 communication into a human-readable format. As the adversary used Cobalt Strike with DNS as command & control protocol, we were able to reconstruct more than two years of adversary activity. With all this activity data, it was possible for us to create some insight into the 'office hours' of this adversary. The activity took place six days a week, rarely on Sundays. The activity started on average at 02:36 UTC and rarely ended after 13:00 UTC.
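As an added illustration of the working-hours analysis described above (this is not the decoding script NCC Group and Fox-IT mention, which is not published here), the following Python builds the weekday-by-hour heatmap from outgoing DNS query timestamps, derives the active UTC window, re-expresses it in a candidate local time zone, and flags multi-day stretches without any activity. The beacon log it analyses is generated inside the code with a placeholder query name, not captured traffic; the six-day week, the 03:00 to 12:00 UTC window and the week-long gap are chosen to imitate the pattern the article reports.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed beacon log, one line per outgoing DNS query: "<ISO timestamp> <qname>".
# Generated, not captured: Monday to Saturday, 03:00-12:00 UTC, 2019-09-02 to 2019-10-20,
# with nothing between 2019-10-01 and 2019-10-07. The C2 name is a placeholder and is
# not one of the domains reported in this article.
HOLIDAY = {date(2019, 10, 1) + timedelta(days=i) for i in range(7)}


def build_sample_log():
    lines = []
    day = date(2019, 9, 2)
    while day <= date(2019, 10, 20):
        if day.weekday() != 6 and day not in HOLIDAY:   # no Sundays, no holiday week
            for hour in range(3, 13):
                stamp = datetime(day.year, day.month, day.day, hour, 0, tzinfo=timezone.utc)
                lines.append(f"{stamp.strftime('%Y-%m-%dT%H:%M:%SZ')} a1b2c3.c2-placeholder.example")
        day += timedelta(days=1)
    return lines


def parse_timestamps(lines):
    """Extract the UTC timestamp from each log line; malformed lines are skipped."""
    stamps = []
    for line in lines:
        try:
            raw = line.split()[0]
            stamps.append(datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc))
        except (ValueError, IndexError):
            continue
    return stamps


def activity_heatmap(stamps):
    """Count queries per (weekday, hour) in UTC; weekday 0 is Monday, 6 is Sunday."""
    heat = Counter()
    for ts in stamps:
        heat[(ts.weekday(), ts.hour)] += 1
    return heat


def working_window(heat, floor=0.1):
    """First and last UTC hour whose volume is at least `floor` of the busiest hour."""
    per_hour = Counter()
    for (_, hour), count in heat.items():
        per_hour[hour] += count
    if not per_hour:
        return None
    peak = max(per_hour.values())
    active = sorted(h for h, c in per_hour.items() if c >= floor * peak)
    return active[0], active[-1]


def shift_window(window, offset_hours):
    """Express a UTC (start, end) hour window in a candidate local time zone."""
    start, end = window
    return (start + offset_hours) % 24, (end + offset_hours) % 24


def quiet_stretches(stamps, min_days=3):
    """Runs of at least `min_days` consecutive calendar days without any activity."""
    days = sorted({ts.date() for ts in stamps})
    gaps = []
    for earlier, later in zip(days, days[1:]):
        missing = (later - earlier).days - 1
        if missing >= min_days:
            gaps.append((earlier + timedelta(days=1), later - timedelta(days=1), missing))
    return gaps


if __name__ == "__main__":
    stamps = parse_timestamps(build_sample_log())
    heat = activity_heatmap(stamps)
    window = working_window(heat)
    print("UTC window:", window, "as GMT+8:", shift_window(window, 8))
    print("quiet stretches:", quiet_stretches(stamps))
    print("Sunday queries:", sum(c for (wd, _), c in heat.items() if wd == 6))
```

The same three views (hour-of-day window, weekday distribution, calendar gaps) are what make a raw query log usable as attribution evidence: an active window that lands on ordinary office hours only after an 8-hour shift, an empty Sunday column, and a gap that coincides with a public holiday all point in the same direction. Because only outgoing queries are needed, the analysis works on the one-sided logging the article describes.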
We observed some periods where we expected activity from the adversary but almost none was observed. These periods match the Chinese Golden Week holiday.

Figure 2: Heatmap of activity. Times on the X-axis are in UTC.

The adversary also changed their domains for command & control around the same time they switched C2 protocols. They used a subdomain under a regular parent domain with a .com TLD in 2017 and 2018, but started using subdomains under the parent domains appspot.com and azureedge.net in 2019. The parent domain appspot.com is owned by Google and is part of Google's App Engine platform as a service. Azureedge.net is a parent domain owned by Microsoft and is part of Microsoft's Azure content delivery network.

Exfiltration (TA0010)

The adversary uses the command and control channel to exfiltrate small amounts of data. This is usually information containing account details. For large amounts of data, such as mailboxes and network shares with intellectual property, they use something else. Once the larger chunks of data are compressed, encrypted, and staged, the data is exfiltrated using a custom-built tool. This tool exfiltrates specified files to cloud storage web services. The following cloud storage web services are supported by the malware:
  • Dropbox
  • Google Drive
  • OneDrive
The actor specifies the following arguments when running the exfiltration tool:
  • Name of the web service to be used
  • Parameters used for the web service, such as a client ID and/or API key
  • Path of the file to read and exfiltrate to the web service
We have observed the exfiltration tool in the following locations:
  • C:\Windows\Temp\msadcs.exe
  • C:\Windows\Temp\OneDrive.exe
Hashes of these files are listed at the end of this article.

Defense evasion (TA0005)

The adversary attempts to clean up some of the traces of their intrusions. While we don't know what was deleted and were unable to recover it, we did see some of their anti-forensics activity:
  • Windows event logs clearing,
  • File deletion,
  • Timestomping
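The anti-forensics commands listed above, the renamed-WinRAR staging commands, the ntdsutil "ifm" copy and the scheduled task launching a batch file from C:\Windows\Temp all leave process command lines that a detection pipeline can match. The following Python is an added example written for this page, not code from NCC Group or Fox-IT: it tokenises command lines from process-creation records and runs a small rule set over them. The records are constructed to imitate the command shapes quoted in this article; the archive password and source path in them are placeholders, and the rule thresholds are assumptions.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation records, (image path, command line), in the shape of a
# Sysmon event 1 or a Security event 4688 with command-line auditing. They imitate the
# command shapes quoted in this article; the archive password and the source path are
# placeholders, not values from any investigation.
SAMPLE_EVENTS = [
    ("C:\\Windows\\Temp\\update.exe",
     'update a -m5 -r -inul -hpPlaceholderPw RecordedTV_1.rar "D:\\projects\\"'),
    ("C:\\Program Files\\WinRAR\\Rar.exe",
     "Rar.exe a -m5 backup.rar C:\\Users\\alice\\Documents"),
    ("C:\\Windows\\System32\\ntdsutil.exe",
     'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\tmp" q q'),
    ("C:\\Windows\\System32\\wevtutil.exe", "wevtutil cl security"),
    ("C:\\Windows\\System32\\wevtutil.exe", "wevtutil qe security /c:5"),
    ("C:\\Windows\\System32\\schtasks.exe",
     'schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\\windows\\temp\\update.bat" /sc once /f /st 06:59:00'),
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c dir /o:d /x /s c:\\"),
]

TEMP_BATCH_RE = re.compile(r"\\windows\\temp\\\S+\.bat")


def image_name(image):
    """Lower-cased file name of the process image, e.g. 'update.exe'."""
    return PureWindowsPath(image).name.lower()


def split_args(cmdline):
    """Tokenise a Windows command line; quoted arguments stay together, backslashes stay literal."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: fall back to a plain whitespace split
        return cmdline.split()


def rule_renamed_archiver(image, argv):
    """RAR 'add' syntax with header encryption (-hp) run from a binary not named rar.exe/winrar.exe."""
    if image_name(image) in ("rar.exe", "winrar.exe") or len(argv) < 2 or argv[1].lower() != "a":
        return False
    return any(tok.lower().startswith("-hp") for tok in argv[2:])


def rule_ntds_ifm(image, argv):
    """ntdsutil asked to write an 'install from media' copy of the AD database."""
    joined = " ".join(argv).lower()
    return image_name(image) == "ntdsutil.exe" and "ifm" in joined and "create full" in joined


def rule_eventlog_clear(image, argv):
    """wevtutil clearing a log (cl / clear-log), the event log clearing listed above."""
    return image_name(image) == "wevtutil.exe" and len(argv) > 1 and argv[1].lower() in ("cl", "clear-log")


def rule_task_runs_temp_batch(image, argv):
    """A new scheduled task whose action is a .bat file under the Windows Temp folder."""
    joined = " ".join(argv).lower()
    return image_name(image) == "schtasks.exe" and "/create" in joined and TEMP_BATCH_RE.search(joined) is not None


RULES = {
    "renamed_archiver_with_encryption": rule_renamed_archiver,
    "ntds_ifm_dump": rule_ntds_ifm,
    "eventlog_cleared": rule_eventlog_clear,
    "scheduled_task_runs_temp_batch": rule_task_runs_temp_batch,
}


def evaluate(events):
    """Run every rule over every (image, command line) pair; return (image, rule name) hits in order."""
    hits = []
    for image, cmdline in events:
        argv = split_args(cmdline)
        for name, rule in RULES.items():
            if rule(image, argv):
                hits.append((image, name))
    return hits


if __name__ == "__main__":
    for image, name in evaluate(SAMPLE_EVENTS):
        print(f"{name:35s} {image}")
```

The archiver rule keys on the argument shape rather than on the file name, which is the point of the renamed-binary observation in the article: update.exe, teredo.tmp or jucheck.exe still have to be invoked with RAR's own switches, and `-hp` in particular has no legitimate reason to appear from a binary that is not WinRAR. Event log clearing also produces Security event 1102, so the wevtutil rule is a second, process-level signal rather than the only one.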
An overview of the observed commands can be found in the appendix. For Indicator Removal on Host: Timestomp, the adversary uses a Windows version of the Linux touch command. This tool is included in the UnxUtils repository. This makes sure the tools used by the adversary blend in with the other files in the directory when shown in a timeline. Creating a timeline is a common thing for forensic analysts to do to get a chronological view of events on a system.

The same activity group?

A number of our intrusions involved tips from an industry partner who was able to correlate some of their upstream activity. Our threat intelligence analysts observed clear overlap in the threat's infrastructure and capabilities between the various cases that NCC Group and Fox-IT worked, and as a result we assess with moderate confidence that one activity group was carrying out the intrusions across the different types of victims. Some overlap is very generic for a lot of groups, like the use of Cobalt Strike, or exfiltration to OneDrive. But the tool used for exfiltration to OneDrive is very specific to this adversary, as is the use of appspot and azureedge domains. The naming convention for their subdomains, tools and scripts overlaps too. In summary:

  • Adversary: working hours match GMT+8.
  • Infrastructure: appspot.com and azureedge.net for C2, with a strong overlap in naming convention for subdomains and actual overlap in some subdomains between intrusions.
  • Capability: password spraying/credential stuffing. Cobalt Strike. Copying NTDS.dit. Use of scheduled tasks and batch files for automation. The use of LOLBins. WinRAR. Cloud exfil tool and exfil to OneDrive. Erasing Windows event logs, files and tasks. Overlap in filenames for tools, staged data, and folders.
  • Victim: semiconductor and aviation industry.

We considered labelling them as two activity groups because of the difference in victims between various intrusions.
But all the other overlap is strong enough for us to consider it one group right now. This group might have gotten a new customer interested in different data, which changed the intent and victims of the adversary. But most importantly: the largest overlap is in the top half of the pyramid of pain: domain names, host artifacts, tools, and TTPs. These are the hardest for the adversary to change, and the most effective for long-lasting detection!

Figure 3: Pyramid of pain by David J Bianco

Fox-IT and NCC Group found some very strong overlap between what we've seen in our intrusions and what CyCraft describes in their APT Group Chimera report and Black Hat presentation. The bulk of the victims they describe are in different regions than we observed, which is likely caused by field-of-view bias. SentinelOne also describes an attack and shares IOCs that show strong overlap with the intrusions we investigated.

Conclusion

At this moment we believe, based on the evidence observed, that the various intrusions were performed by the same group. We can only report what we observed: first they stole intellectual property in the high-tech sector, later they stole passenger name records (PNR) from airlines, both across geographical locations. Both types of stolen data are very useful for nation states. Answering whether this group has an advanced persistent threat (APT) technique, has some sort of state affiliation, or where they come from goes beyond the scope of this write-up. The threat intelligence and IOCs we are sharing are intended to help discover and prevent intrusions by this and other adversaries. A word of thanks goes out to all the forensic experts, incident responders, and threat intelligence analysts who helped victims identify and eradicate the adversary, and to everybody from NCC Group and Fox-IT (part of NCC Group) for all the contributions to this article.
IOC

| Type | Data | Observed | Note |
| --- | --- | --- | --- |
| Binary MD5 | 133a159e86ff48c59e79e67a3b740c1e | – | get.exe (GetHttpsInfo) |
| Binary MD5 | 328ba584bd06c3083e3a66cb47779eac | – | psloglist.exe |
| Binary MD5 | 65cf35ddcb42c6ff5dc56d6259cc05f3 | – | update.exe (WinRAR) |
| Binary MD5 | 4d5440282b69453f4eb6232a1689dd4a | – | msadcs.exe (Cloud exfil tool) |
| Binary MD5 | 90508ff4d2fc7bc968636c716d84e6b4 | – | msadcs.exe (Cloud exfil tool) |
| Binary MD5 | c9b8cab697f23e6ee9b1096e312e8573 | – | jucheck.exe (WinRAR) |
| Binary MD5 | dd138a8bc1d4254fed9638989da38ab1 | – | msadcs.exe (NTDSAudit) |
| C2 domain | EuDbSyncUp[.]com | Q4 2017 – Q4 2018 | – |
| C2 domain | UsMobileSos[.]com | Q4 2017 – Q4 2018 | – |
| C2 domain | officeeuupdate.appspot[.]com | Q4 2017 – Q4 2018 | – |
| C2 domain | MsCupDb[.]com | Q4 2017 – Q4 2018 | – |
| C2 domain | officeeuropupd.appspot[.]com | Q3 2019 – Q1 2020 | – |
| C2 domain | platform-appses.appspot[.]com | Q4 2019 – Q1 2020 | – |
| C2 domain | watson-telemetry.azureedge[.]net | Q4 2019 – Q1 2020 | – |
| C2 domain | europe-s03213.appspot[.]com | 2019 | – |
| C2 domain | eustylejssync.appspot[.]com | 2019 | – |
| C2 domain | fsdafdsfdsaflkjkxvzcuifsad.azureedge[.]net | 2019 | – |
| C2 domain | ictsyncserver.appspot[.]com | 2019 | – |
| C2 domain | sowfksiw38f2aflwfif.azureedge[.]net | 2019 | – |
| Filename | fs_action*.bat | – | Task automation |
| Filename | fs_action*.ps1 | – | Task automation |
| Filename | update.bat | – | Task automation |
| Filename | update*.bat | – | Task automation |
| Filename | *dsinternals*.dll | – | DSInternals lib files |
| Filename | get.exe | – | GetHttpsInfo |
| Filename | adsDL_<dir>.log | – | Staging data |
| Filename | group_membership.csv | – | SharpHound output |
| Filename | local_admins.csv | – | SharpHound output |
| Filename | msadcs.exe | – | Various tools |
| Filename | msadcs1.exe | – | WinRAR |
| Filename | OneDrive.exe | – | Cloud data exfil |
| Filename | sessions.csv | – | SharpHound output |
| Filename | RecordedTV.ms | – | WinRAR |
| Filename | RecordedTV_*.csv | – | Staging data |
| Filename | RecordedTV_*.ms | – | Staging data |
| Filename | RecordedTV_*.rar | – | Staging data |
| Filename | RecordedTV_*.txt | – | Staging data |
| Filename | teredo.tmp | – | WinRAR |
| Filename | update.exe | – | WinRAR |
| Filename | hsperfdata.sqm | – | Archive with tools |
| Filename | update*.log | – | Staging data |
| Hostname | DESKTOP-0FVJ37C | – | Origin of login to Exchange |
| IPv4 address | 47.75.0[.]147 | Q2 2019 | Password spray |
| IPv4 address | 59.47.4[.]27 | Q2 2019 | ADFS login |
| IPv4 address | 45.9.248[.]74 | Q2 2019 | Citrix login |
| IPv4 address | 172.111.210[.]53 | Q2 2019 | Citrix login |
| IPv4 address | 103.51.145[.]123 | 2019 | Initial access |
| IPv4 address | 119.39.248[.]32 | 2019 | Initial access |
| IPv4 address | 120.227.35[.]98 | 2019 | Initial access |
| IPv4 address | 14.229.140[.]66 | 2019 | Mount the file share |
| IPv4 address | 172.111.210[.]53 | 2019 | Initial access |
| IPv4 address | 188.72.99[.]41 | 2019 | Initial access |
| IPv4 address | 45.9.248[.]74 | 2019 | Initial access |
| IPv4 address | 47.75.0[.]147 | 2019 | Password spray |
| IPv4 address | 5.254.112[.]226 | 2019 | Initial access |
| IPv4 address | 5.254.64[.]234 | 2019 | Initial access |
| IPv4 address | 59.47.4[.]27 | 2019 | Initial access |
| IPv4 address | 39.109.5[.]135 | Q3 2017 | VPN server login |
| IPv4 address | 43.250.200[.]106 | Q3 2017 | VPN server login |
| IPv4 address | 119.39.248[.]101 | Q3 2017 | VPN server login |
| IPv4 address | 220.202.152[.]47 | Q3 2017 | VPN server login |
| IPv4 address | 119.39.248[.]20 | Q3 2017 | VPN server login |
| IPv4 address | 185.170.210[.]84 | Q3 2017 | VPN server login |
| IPv4 address | 43.250.201[.]71 | Q3 2017 | VPN server login |
| IPv4 address | 23.236.77[.]94 | Q3 2017 | ADFS login |
| Path | C:\Code\NtdsAudit\src\NtdsAudit\obj\Release\ | – | NTDSAudit artifacts |
| Path | C:\Users\Public\Appdata\Local\ | – | Staging and tools |
| Path | C:\Users\Public\Appdata\Local\Microsoft\Windows\INetCache | – | Staging and tools |
| Path | C:\Users\Public\Libraries\ | – | Staging and tools |
| Path | C:\Users\Public\Videos\ | – | Staging and tools |
| Path | C:\Windows\Temp\ | – | Staging and tools |
| Path | C:\Windows\Temp\tmp | – | Staging and tools |
| URI in CS beacon | /externalscripts/jquery/jquery-3.3.1.min.js | Q3 2019 – Q1 2020 | – |
| URI in CS beacon | /externalscripts/jquery/jquery-3.3.2.min.js | Q2 2019 – Q3 2019 | – |
| URI in CS beacon | /jquery-3.3.2.slim.min.js | Q1 2020 | – |
| User-agent | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | – | Web VPN login |
| User-agent | Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko | – | Cobalt Strike beacon |

Observed discovery commands

Account discovery
  • net user
  • net user Administrator
  • net user /domain
  • dir \\<hostname>\c$\users
  • dsquery user -limit 0 -s <hostname>
  • psloglist.exe -accepteula -x security -s -a <current_date>
  • msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv

Browser bookmark discovery
  • type \\<hostname>\c$\Users\<username>\Favorites\Links\Bookmarks bar\Imported From IE\*citrix*

Domain trust discovery
  • nltest /domain_trusts

File and directory discovery
  • dir \\<hostname>\c$\
  • dir /o:d /x /s c:\
  • dir /o:d /x \\<hostname>\<fileshare>
  • cacl <path to file>

Network service scanning
  • get -b <start ip> -e <end ip> -p
  • get -b <start ip> -e <end ip>

Network share discovery
  • net share
  • net view \\<hostname>

Permission groups discovery
  • net localgroup administrators

Process discovery
  • tasklist /v |findstr explorer
  • tasklist /v |findstr taskhost
  • tasklist /v |findstr 1716
  • tasklist /v /s <hostname/ip>

Query registry
  • reg query \\<host>\HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers
  • reg query \\<host>\HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Remote system discovery
  • type \\<host>\c$\Users\<username>\Favorites\Links\Bookmarks bar\Imported From IE\*citrix*
  • type \\<host>\<path>\Cookies\*ctx*
  • reg query \\<host>\HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers
  • dir /o:d /x \\<hostname>\c$\users\<username>\Favorites
  • net view \\hostname
  • dsquery server -limit 0

System information discovery
  • fsutil fsinfo drives
  • systeminfo
  • vssadmin list shadows

System network configuration discovery
  • ipconfig
  • ipconfig /all
  • ping -n 1 -a <ip>
  • ping -n 1 <hostname>
  • tracert <ip>
  • pathping <ip>

System network connections discovery
  • netstat -ano | findstr EST

System owner/user discovery
  • quser

System service discovery
  • net start
  • net use

System time discovery
  • time /t
  • net time \\<ip/hostname>

Observed defense evasion commands

Indicator Removal on Host: Clear Windows Event Logs
  • wevtutil cl "Windows PowerShell"
  • wevtutil cl application
  • wevtutil cl security
  • wevtutil cl setup
  • wevtutil cl system

Indicator Removal on Host: File Deletion
  • del /f/q *.csv *.bin
  • del /f/q *.exe
  • del /f/q *.exe *log.txt
  • del /f/q *.ost
  • del /f/q .rar update .txt
  • del /f/q \\c$\windows\temp*.txt
  • del /f/q \\c$\Progra~1\Common~1\System\msadc\msadcs.dmp
  • del /f/q msadcs*
  • del /f/q psloglist.exe
  • del /f/q update*
  • del /f/q update* .txt
  • del /f/q update.rar
  • del /f/q update*rar
  • del /f/q update12321312.rar
  • schtasks /delete /s /tn "update" /f
  • schtasks /delete /tn "update" /f
  • shred -n 123 -z -u .tar.gz

MITRE ATT&CK references

| Name | Type | ID | More info |
| --- | --- | --- | --- |
| Initial Access | Tactic | TA0001 | https://attack.mitre.org/tactics/TA0001/ |
| External Remote Services | Technique | T1133 | https://attack.mitre.org/techniques/T1133/ |
| Valid Accounts | Technique | T1078 | https://attack.mitre.org/techniques/T1078/ |
| Execution | Tactic | TA0002 | https://attack.mitre.org/tactics/TA0002/ |
| Command and Scripting Interpreter: PowerShell | Technique | T1059.001 | https://attack.mitre.org/techniques/T1059/001/ |
| Command and Scripting Interpreter: Windows Command Shell | Technique | T1059.003 | https://attack.mitre.org/techniques/T1059/003/ |
| Scheduled Task/Job: Scheduled Task | Technique | T1053.005 | https://attack.mitre.org/techniques/T1053/005/ |
| System Services: Service Execution | Technique | T1569.002 | https://attack.mitre.org/techniques/T1569/002/ |
| Windows Management Instrumentation | Technique | T1047 | https://attack.mitre.org/techniques/T1047/ |
| Persistence | Tactic | TA0003 | https://attack.mitre.org/tactics/TA0003/ |
| External Remote Services | Technique | T1133 | https://attack.mitre.org/techniques/T1133/ |
| Hijack Execution Flow: DLL Side-Loading | Technique | T1574.002 | https://attack.mitre.org/techniques/T1574/002/ |
| Valid Accounts | Technique | T1078 | https://attack.mitre.org/techniques/T1078/ |
| Privilege Escalation | Tactic | TA0004 | https://attack.mitre.org/tactics/TA0004/ |
| Valid Accounts | Technique | T1078 | https://attack.mitre.org/techniques/T1078/ |
| Defense Evasion | Tactic | TA0005 | https://attack.mitre.org/tactics/TA0005/ |
| Deobfuscate/Decode Files or Information | Technique | T1140 | https://attack.mitre.org/techniques/T1140/ |
| Indicator Removal on Host: Clear Windows Event Logs | Technique | T1070.001 | https://attack.mitre.org/techniques/T1070/001/ |
| Indicator Removal on Host: File Deletion | Technique | T1070.004 | https://attack.mitre.org/techniques/T1070/004/ |
| Indicator Removal on Host: Timestomp | Technique | T1070.006 | https://attack.mitre.org/techniques/T1070/006/ |
| Hijack Execution Flow: DLL Side-Loading | Technique | T1574.002 | https://attack.mitre.org/techniques/T1574/002/ |
| Masquerading: Rename System Utilities | Technique | T1036.003 | https://attack.mitre.org/techniques/T1036/003/ |
| Masquerading: Match Legitimate Name or Location | Technique | T1036.005 | https://attack.mitre.org/techniques/T1036/005/ |
| Use Alternate Authentication Material: Pass the Hash | Technique | T1550.002 | https://attack.mitre.org/techniques/T1550/002/ |
| Valid Accounts | Technique | T1078 | https://attack.mitre.org/techniques/T1078/ |
| Credential Access | Tactic | TA0006 | https://attack.mitre.org/tactics/TA0006/ |
| Brute Force: Password Spraying | Technique | T1110.003 | https://attack.mitre.org/techniques/T1110/003/ |
| Brute Force: Credential Stuffing | Technique | T1110.004 | https://attack.mitre.org/techniques/T1110/004/ |
| OS Credential Dumping: LSASS Memory | Technique | T1003.001 | https://attack.mitre.org/techniques/T1003/001/ |
| OS Credential Dumping: NTDS | Technique | T1003.003 | https://attack.mitre.org/techniques/T1003/003/ |
| Two-Factor Authentication Interception | Technique | T1111 | https://attack.mitre.org/techniques/T1111/ |
| Discovery | Tactic | TA0007 | https://attack.mitre.org/tactics/TA0007/ |
| Account Discovery | Technique | T1087 | – |
| Account Discovery: Local Account | Technique | T1087.001 | https://attack.mitre.org/techniques/T1087/001/ |
| Account Discovery: Domain Account | Technique | T1087.002 | https://attack.mitre.org/techniques/T1087/002/ |
| Browser Bookmark Discovery | Technique | T1217 | https://attack.mitre.org/techniques/T1217/ |
| Domain Trust Discovery | Technique | T1482 | https://attack.mitre.org/techniques/T1482/ |
| File and Directory Discovery | Technique | T1083 | https://attack.mitre.org/techniques/T1083 |
| Network Service Scanning | Technique | T1046 | https://attack.mitre.org/techniques/T1046 |
| Network Share Discovery | Technique | T1135 | https://attack.mitre.org/techniques/T1135 |
| Permission Groups Discovery | Technique | T1069 | https://attack.mitre.org/techniques/T1069 |
| Process Discovery | Technique | T1057 | https://attack.mitre.org/techniques/T1057 |
| Query Registry | Technique | T1012 | https://attack.mitre.org/techniques/T1012 |
| Remote System Discovery | Technique | T1018 | https://attack.mitre.org/techniques/T1018 |
| System Information Discovery | Technique | T1082 | https://attack.mitre.org/techniques/T1082 |
| System Network Configuration Discovery | Technique | T1016 | https://attack.mitre.org/techniques/T1016 |
| System Network Connections Discovery | Technique | T1049 | https://attack.mitre.org/techniques/T1049 |
| System Owner/User Discovery | Technique | T1033 | https://attack.mitre.org/techniques/T1033 |
| System Service Discovery | Technique | T1007 | https://attack.mitre.org/techniques/T1007 |
| System Time Discovery | Technique | T1124 | https://attack.mitre.org/techniques/T1124 |
| Lateral Movement | Tactic | TA0008 | https://attack.mitre.org/tactics/TA0008/ |
| Lateral Tool Transfer | Technique | T1570 | https://attack.mitre.org/techniques/T1570/ |
| Remote Services: SMB/Windows Admin Shares | Technique | T1021.002 | https://attack.mitre.org/techniques/T1021/002/ |
| Remote Services: SSH | Technique | T1021.004 | https://attack.mitre.org/techniques/T1021/004/ |
| Remote Services: Windows Remote Management | Technique | T1021.006 | https://attack.mitre.org/techniques/T1021/006/ |
| Use Alternate Authentication Material: Pass the Hash | Technique | T1550.002 | https://attack.mitre.org/techniques/T1550/002/ |
| Collection | Tactic | TA0009 | https://attack.mitre.org/tactics/TA0009/ |
| Archive Collected Data: Archive via Utility | Technique | T1560.001 | https://attack.mitre.org/techniques/T1560/001/ |
| Automated Collection | Technique | T1119 | https://attack.mitre.org/techniques/T1119/ |
| Data from Information Repositories: SharePoint | Technique | T1213.002 | https://attack.mitre.org/techniques/T1213/002/ |
| Data from Local System | Technique | T1005 | https://attack.mitre.org/techniques/T1005/ |
| Data from Network Shared Drive | Technique | T1039 | https://attack.mitre.org/techniques/T1039/ |
| Data Staged: Local Data Staging | Technique | T1074.001 | https://attack.mitre.org/techniques/T1074/001/ |
| Data Staged: Remote Data Staging | Technique | T1074.002 | https://attack.mitre.org/techniques/T1074/002/ |
| Email Collection: Local Email Collection | Technique | T1114.001 | https://attack.mitre.org/techniques/T1114/001/ |
| Command and Control | Tactic | TA0011 | https://attack.mitre.org/tactics/TA0011/ |
| Application Layer Protocol: Web Protocols | Technique | T1071.001 | https://attack.mitre.org/techniques/T1071/001/ |
| Application Layer Protocol: DNS | Technique | T1071.004 | https://attack.mitre.org/techniques/T1071/004/ |
| Encrypted Channel: Asymmetric Cryptography | Technique | T1573.002 | https://attack.mitre.org/techniques/T1573/002/ |
| Protocol Tunneling | Technique | T1572 | https://attack.mitre.org/techniques/T1572/ |
| Exfiltration | Tactic | TA0010 | https://attack.mitre.org/tactics/TA0010/ |
| Automated Exfiltration | Technique | T1020 | https://attack.mitre.org/techniques/T1020/ |
| Data Transfer Size Limits | Technique | T1030 | https://attack.mitre.org/techniques/T1030/ |
| Exfiltration Over C2 Channel | Technique | T1041 | https://attack.mitre.org/techniques/T1041/ |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | Technique | T1567.002 | https://attack.mitre.org/techniques/T1567/002/ |
Categories: Security Posts

MACsec MKA Validation - Why Back-to-Back Tests Fall Short

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
In my previous blog, I focused on validation for MACsec hardware implementations. In this one, I…
Categories: Security Posts

TSN Frame Preemption Meets Stringent Latency Requirements of 5G Fronthaul

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
Adoption of 5G Giving Birth to an Ethernet-Based Fronthaul The operators adopting 5G are…
Categories: Security Posts

BreakingPoint Strike Lists: A New Default for Better Cybersecurity Testing

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
With the Application and Threat Intelligence (ATI) strikepack release of 2019 (ATI-2019-24), astute…
Categories: Security Posts

New TSN Standards Like IEEE 802.1CB Highlight Importance of Having the Right Test Solution in Place

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
While working with a customer who was using low-end, low-budget traffic generators, it turned out…
Categories: Security Posts

MACsec Hardware Testing—Why Back-to-Back Validation Falls Short

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
MACsec has become an important encryption technology that is shipped with next-generation chips,…
Categories: Security Posts

ATI Adds Maze Ransomware Attack Campaign

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
Last month, the Application and Threat Intelligence (ATI) Team released a new type of cyberattack…
Categories: Security Posts

Monitoring SSL VPN Gateways - A Step-by-Step Guide

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
Virtual private network (VPN) connectivity is one of the most critical services in today’s…
Categories: Security Posts

Assess the Effectiveness of Dynamic NGFW Updates: Palo Alto Security Audit

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
One benefit of breach and attack simulation is continuous assessment, and I set Keysight Threat…
Categories: Security Posts

Assess Cloud-based Web Application Firewalls with Breach and Attack Simulation

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
Securing your web applications is a necessity. As the 2020 Verizon DBIR reports, web application…
Categories: Security Posts

Lessons Learned from Verizon DBiR 2020

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
Verizon had just released its annual Data Breach Incident Report (DBiR) 2020. It analyzes 32,002…
Categories: Security Posts

Disinfection of PPE such as N95 respirator masks

Niels Provos - Sun, 2020/03/29 - 18:29
An article from Consolidated Sterilizer Systems starts with: "With the global Covid-19 pandemic everywhere in the news, many healthcare professionals and concerned citizens are grappling with the shortage of respirator masks, vital tools for ensuring that healthcare workers are not infected by the people they’re trying to help."

The article suggests that microwave steam-based disinfection has been effective at disinfecting, specifically removing H1N1, from non-metal N95 respirator masks. Here is a 3D grid that can be placed into a glass tupperware container filled with some water and then put into a microwave. Don't put anything with metal into the microwave. Alternatively, you can use this grid in the oven as well; see the description in the article.

This grid is 4.4" square and 1.25" tall. It's easy for me to produce any other dimensions.

The log reduction for microwave steam is around 5, i.e. 100,000 times less viable virus. The article does not give a protocol. I put the filter in the microwave for 3 minutes, which was sufficient to boil the water for 2 minutes. For oven steam, the protocol requires 3 hours under warm water steam and led to a slightly smaller log reduction of about 4.8, i.e. 63,000 times less viable virus. This requires an oven that has good temperature control.

Disclaimer: It is unclear if this is effective for disinfection. Even with high-temperature filament, it is unclear if a 3D-printed grid is appropriate for this application.
Categories: Security Posts