Sunday, April 16, 2017

ShadowBrokers PCAPs, etc.

I spent some time enjoying Easter Sunday by analyzing the Shadowbrokers EternalBlue attacks vs. a Windows 7 system. It is a service-side attack vs. TCP port 445. On Monday I analyzed EternalRomance and DoublePulsar.

I will update this post as I test other exploits and victim operating systems.

EternalBlue is the 2017 version of MS08-067, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.

I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.

PCAPs are here: https://cyber.gd/shadowbrokers

Includes:
  • eternalromance-success-2008r2.pcap (new)
  • eternalromance-doublepulsar-meterpreter.pcap (new)
  • eternalblue-success-unpatched-win7.pcap
  • eternalblue-failed-patched-win7.pcap
  • doublepulsar-backdoor-connect-win7.pcap
VirusTotal PCAP analysis (Includes both Snort and Suricata alerts):
I confirmed that MS17-010 mitigates this attack. Patch now!

Default Windows event logging shows nothing. Neither EMET nor Applocker stopped EternalBlue.

Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):
  • EternalBlue: smb.mid == 65
  • DoublePulsar: smb.mid == 81
I disabled SMB1 on Windows 7, which stopped EternalBlue with default settings. I need to test more since EternalBlue can allegedly use SMB2. EternalRomance appears to be SMB1-only.

SMB1 is awful, and should be disabled regardless (be sure to test).

It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.

DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.

Monday, October 24, 2016

Quality not Quantity talk, commands, and links


Quality not Quantity: Continuous Monitoring's  Deadliest Events



Commands:

Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}

User creation events and users added to local and global security-enabled group:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}

Full command line of all processes (requires https://support.microsoft.com/en-us/kb/3004375):
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}

Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}

References:

  1. Mandiant M-Trends 2016: https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
  2. Verizon DBIR: http://www.verizonenterprise.com/DBIR/2015/
  3. USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers https://www.youtube.com/watch?v=bDJb8WOJYdA
  4. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data
  5. The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
  6. Patch-crazy Aust Govt fought off EVERY hacker since 2013 http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/
  7. CIS Critical Security Controls: https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015
  8. AppLocker: https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx
  9. AppLocker CSP: https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx
  10. Windows 10 Enterprise 90-day Trial: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
  11. Microsoft EMET: https://support.microsoft.com/en-us/kb/2458544
  12. Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375 
  13. Windows Commands Abused by Attackers http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html

Tuesday, August 09, 2016

Time is on your Side talk and links





Links from the talk:

Friday, April 01, 2016

Quality not Quantity talk, commands, and links

Quality not Quantity: Continuous Monitoring's  Deadliest Events

Commands:

Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}

User creation events and users added to local and global security-enabled group:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}

Full command line of all processes (requires https://support.microsoft.com/en-us/kb/3004375):
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}

Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}

References:

  1. Mandiant M-Trends 2016: https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
  2. Verizon DBIR: http://www.verizonenterprise.com/DBIR/2015/
  3. USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers https://www.youtube.com/watch?v=bDJb8WOJYdA
  4. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data
  5. The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
  6. Patch-crazy Aust Govt fought off EVERY hacker since 2013 http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/
  7. CIS Critical Security Controls: https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015
  8. AppLocker: https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx
  9. AppLocker CSP: https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx
  10. Windows 10 Enterprise 90-day Trial: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
  11. Microsoft EMET: https://support.microsoft.com/en-us/kb/2458544
  12. Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375 
  13. Windows Commands Abused by Attackers http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html


    Friday, December 11, 2015

    CISSP Study Guide 3E - Shipping Now

    Just a note to say the CISSP Study Guide 3E is in stock and shipping from Amazon.





    Electronic editions should be available in January. We are working on the 11th Hour CISSP Study Guide update now, chapters are due by April (but I hope to have it done before then).