Monday, April 23, 2018
SANS Blue Team Summit
Here is a copy of my SANS Blue Team Summit talk Threat Hunting via Windows Event Logs
Tuesday, April 03, 2018
Friday, September 22, 2017
DerbyCon 7: DeepBlueCLIv2 Talk and links
Here's a link to my DerbyCon 7 talk: Introducing DeepBlueCLI v2, Now Available in PowerShell and Python
Viedo of my talk (thank you: Adrian Crenshaw): http://www.irongeek.com/i.php?page=videos/derbycon7/t205-introducing-deepbluecli-v2-now-available-in-powershell-and-python-eric-conrad
Last year's talk: http://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html
References:
Viedo of my talk (thank you: Adrian Crenshaw): http://www.irongeek.com/i.php?page=videos/derbycon7/t205-introducing-deepbluecli-v2-now-available-in-powershell-and-python-eric-conrad
DeepBlueCLI GitHub site: https://github.com/sans-blue-team/DeepBlueCLI
Last year's talk: http://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html
References:
- Deconstructing Petya: how it spreads and how to fight back, https://nakedsecurity.sophos.com/2017/06/28/deconstructing-petya-how-it-spreads-and-how-to-fight-back/
- Mandiant M-Trends 2015, https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
- Command Line Kung Fu Episode #31: Remote Command Execution, http://blog.commandlinekungfu.com/2009/05/episode-31-remote-command-execution.html
- https://github.com/jaredhaight/PSAttack
- https://github.com/darkoperator/Posh-VirusTotal
- https://www.virustotal.com/en/documentation/public-api/
- http://blog.securityonion.net/2017/09/elastic-stack-alpha-release-and.html
- https://github.com/philhagen/sof-elk
- https://nxlog.co/products/nxlog-enterprise-edition
- https://github.com/williballenthin/python-evtx
- https://github.com/libyal/libevtx
Sunday, April 16, 2017
ShadowBrokers PCAPs, etc.
I spent some time enjoying Easter Sunday by analyzing the Shadowbrokers EternalBlue attacks vs. a Windows 7 system. It is a service-side attack vs. TCP port 445. On Monday I analyzed EternalRomance and DoublePulsar.
I will update this post as I test other exploits and victim operating systems.
EternalBlue is the 2017 version of MS08-067, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.
I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.
PCAPs are here: https://cyber.gd/shadowbrokers
Includes:
I confirmed that MS17-010 mitigates this attack. Patch now!
Default Windows event logging shows nothing. Neither EMET nor Applocker stopped EternalBlue.
Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):
SMB1 is awful, and should be disabled regardless (be sure to test).
It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.
DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.
I will update this post as I test other exploits and victim operating systems.
EternalBlue is the 2017 version of MS08-067, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.
I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.
PCAPs are here: https://cyber.gd/shadowbrokers
Includes:
- eternalromance-success-2008r2.pcap (new)
- eternalromance-doublepulsar-meterpreter.pcap (new)
- eternalblue-success-unpatched-win7.pcap
- eternalblue-failed-patched-win7.pcap
- doublepulsar-backdoor-connect-win7.pcap
I confirmed that MS17-010 mitigates this attack. Patch now!
Default Windows event logging shows nothing. Neither EMET nor Applocker stopped EternalBlue.
Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):
- EternalBlue: smb.mid == 65
- DoublePulsar: smb.mid == 81
SMB1 is awful, and should be disabled regardless (be sure to test).
It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.
DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.
Monday, October 24, 2016
Quality not Quantity talk, commands, and links
Quality not Quantity: Continuous Monitoring's Deadliest Events
Commands:
Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}
User creation events and users added to local and global security-enabled group:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}
Full command line of all processes (requires https://support.microsoft.com/en-us/kb/3004375):
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}
AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}
Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}
References:
- Mandiant M-Trends 2016: https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
- Verizon DBIR: http://www.verizonenterprise.com/DBIR/2015/
- USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers https://www.youtube.com/watch?v=bDJb8WOJYdA
- Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data
- The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
- Patch-crazy Aust Govt fought off EVERY hacker since 2013 http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/
- CIS Critical Security Controls: https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015
- AppLocker: https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx
- AppLocker CSP: https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx
- Windows 10 Enterprise 90-day Trial: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
- Microsoft EMET: https://support.microsoft.com/en-us/kb/2458544
- Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
- Windows Commands Abused by Attackers http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html
Friday, September 23, 2016
DeepBlueCLI: a PowerShell Module for Hunt Teaming via Windows Event Logs
Here's a video of my 2016 DerbyCon talk DeepBlueCLI. Thank you, @irongeek_adc
A copy of my 2016 DerbyCon talk DeepBlueCLI slides:
Github site: https://github.com/sans-blue-team/DeepBlueCLI
Link to my Quality Not Quantity talk, which inspired DeepBlueCLI.
A copy of my 2016 DerbyCon talk DeepBlueCLI slides:
Github site: https://github.com/sans-blue-team/DeepBlueCLI
Link to my Quality Not Quantity talk, which inspired DeepBlueCLI.
Wednesday, September 07, 2016
Subscribe to:
Posts (Atom)