Blog

Archive for July, 2019

Analyzing Compressed PowerShell Scripts, (Mon, Jul 22nd)

Malicious document 1d5794e6b276db06f6f70d5fae6d718e contains VBA macros, as can be verified with oledump.py:

Stream 15 is a “Stream O” and that is something we talked a bout before: these forms are often used to hide the payload.

No surprise here, it contains a BASE64 string:

And that is often indicative of PowerShell scripts.

Decoding the BASE64 string with base64dump.py here:

It’s UNICODE (UTF16), a characteristic of encoded PowerShell arguments:

This yields a PowerShell script, with more BASE64.

That BASE64 string is not a PowerShell script:

It’s compressed data: DeflateStream. DeflateStream tells us that this is Zlib compression, with header (raw). My tool translate.py can be used to decompress this:

This gives us the final PowerShell script, a downloader:

translate.py is a tool to transform (translate) byte streams. By default, it operates byte per byte with a given Python expression to translate a single byte.

Option -f directs the tool to operate on the complete byte stream, and the given Python expression is a function that expects a byte stream. ZlibD and ZlibRawD are buildin Python functions to inflate Zlib compressed data, with header and without reader (raw) respectively.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Malicious RTF Analysis CVE-2017-11882 by a Reader, (Sun, Jul 21st)

This is a maldoc analysis submitted by reader Ahmed Elshaer.

 

I have come across a malicious rtf file that can be found here. I have started investigating it as usual using Didier Tool rtfdump.

As you can see it have a lot of nested strings, and only one of the strings had a control word of an object although it was not marked by as object ‘O’.

By selecting the object 157 and hex decoding the output, we can see that this object is calling Equation Editor EQNEDT32.EXE, which is another Microsoft component.


We can see all the strings in that object.


I tried to run this rtf file on a sandbox to see what this object can do, I found that it uses a Stack buffer overflow vulnerability in Equation Editor which is referenced CVE-2017-11882 this Vulnerability allow it to run code, like here to downloaded a vbscript which contains a powershell encoded base64 command. This code was downloaded from pastebin.

This Powershell encoded command here can be decoded using base64dump.

And we can see it gets downloaded as svchost.exe which then will be executed as you can see in the VBScript.

References:
https://www.hybrid-analysis.com/sample/d74e7786c5c733e88eaccfbc265e155538a504f530e3ce2639c138277418c716?environmentId=120
Exploit Poc: https://github.com/embedi/CVE-2017-11882
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
Mitigation: https://www.kb.cert.org/vuls/id/421280/

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Re-evaluating Network Security – It is Increasingly More Complex, (Sat, Jul 20th)

I saw an interesting report [1] this week released last month (June 2019) by the Enterprise Strategy Group (ESG) about the increase complexity dealing with network security. The report highlights these three things:

  • Increase in the past 2 years where network security is more complex and challenging (83% of those survey agree)
  • Business difficulty keeping up with network security (i.e. wrong network security, process and controls)
  • Looking for new types of network security that includes consolidation and architecture featuring centralizing management

The report identified three main factors related to the increase in network security complexity. The attack surface and the workload are both growing and the threats and vulnerabilities are more complex to identify and deal with. The security team has to keep up with more devices that add complexity to a network (IoT, tablets, phones, laptops, cloud computing, etc) that are now widely integrated to the enterprise. Complex security events can lead to short or extended network outages, application or network availability, loss of proprietary data and/or productivity.

In The Need for Change section, the report highlight the following priorities: “[…] the biggest factors driving network security include preventing/detecting malware threats (47%), regulatory compliance (42%), support for cloud computing initiatives (38%), and the need for network security to be more scalable to support dynamic business processes and new business initiatives (34%).”[1]

What keeps you up at night? Are your priorities similar to those identified in this report?

[1] https://www.cisco.com/c/dam/en/us/products/collateral/security/defense-orchestrator/esg-research-insights-report.pdf

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Malicious PHP Script Back on Stage?, (Thu, Jul 18th)

It’s amazing how we can find old scripts coming back to life for some obscure reasons. If today, Powershell or JavaScript (and its derivations) are very common languages used to perform malicious actions, PHP remains also a good candidate. One of my hunting rules is to search for reversed PHP commands using the strrev() function. A few days ago I found a PHP script on pastebin.com that contained the following functions:

$rnfir_zap = strrev('edoced_46esab');$e_nn = strrev('etalfnizg');eval($e_nn($rnfir_zap(implode('',$ro_ie))));

This is a very common technique to obfuscate basic strings-based detection mechanisms. The variable ro_ie’ was an array of concatenated strings:

$ro_ie = array('1TsJc9pI1n+FcaUmZpNJ1DrRe','pjPdgw+YnCwAWNmUhSHjMHiWA','5zZPLf9x3dLQlwEs9U7e6XSYT','U6n731a81qd79/k/382F71hsN',
'G8GyN51N918XjhrHr9PpL+pFC','gf2X/XSX141s0eTSXO1/7r8Ov','Xu9S1efBevzdvl9O4mY1z2j7o','fT4tPrdrxQ+cU34S9Fv6cVrzz',
'nCjf4H2l0sWfqw/2gn5XeD2uM','RwHfx5bVmd9nnMq5yd3+DwvfH','jMvn77um3mB/WqP2uZ1wQbhlo','WrQ5bod/Du7taMawTRp4BlxVM',
'a57RCqON15PR0+UiiwDh7/kq0','4efaAD/wqRLvCyyeM3Se7rD25','JmvoiXPl7qtWPjsrJ8wPvWAK8','dcXfbCa96QFpPCBxpE6OLbv3W’,
...
Easy to decode, rebuild the strings from the array, decode and decompress the data. Guess what you will find? Another obfuscated script. So, I started to work on it and found interesting behaviours.
 
Most of the strings used in the second script are Base64-encoded and placed in an array. They are used via a function which takes an index as parameter. Example:
function decode($i)(
  $array = Array('T' .'W' .'96' .'aWxsYS80LjAgKGNvbXBhdG' .'lib' .'GU7IE1TS' .'UUg'
                 .'OC4w' .'Oy' .'BX' .'aW5' .'kb3dzIE5UIDY' .'uMCk=','c2FmZV9tb2R' .'l',b3’
                 ...);
  return(base64_decode($array[$i]))
}
...
$_56 = decode(1);
The malicious script creates files in ‘/dev/shm//’. That’s clever: /dev/shm is writable by any user on a Linux system and is more stealthy than dumping files to /tmp or /var/tmp!
 
Many integers are replaced by the round() function with mathematical expressions. Example:
return preg_replace(MA_B(243),MA_B(244) .$_69,$_74,round(0+0.33333333333333+0.33333333333333+0.33333333333333));
The round() function above returns 1’.
 
The presence of many ‘wp_xxxx’ strings reveals that the script is targeting WordPress websites. There is indeed a hooking[1] function in place:
@add_action(wp_footer’,’check_wp_load',mt_rand(1,10));
This hook injects malicious code in the WordPress footer.
 
Other interesting techniques are present. The script checks that the WordPress website has a good reputation by querying the Google safebrowing API:
$_34=$_SERVER[HTTP_HOST];
$_0="http://google.com/safebrowsing/diagnostic?site=$_34;
[email protected]($_0); // Perform the HTTP query
if ($_67 != ‘' && strpos($_67,'is listed as suspicious')!== false) {
   ...
There is an anti-bot / anti-analysis control in place. Here are the extracted strings from the array of Base64 strings mentioned above:
66.249.[6-9][0-9].[0-9]+
72.14.[1-2][0-9][0-9].[0-9]+
74.125.[0-9]+.[0-9]+
65.5[2-5].[0-9]+.[0-9]+
74.6.[0-9]+.[0-9]+
67.195.[0-9]+.[0-9]+
72.30.[0-9]+.[0-9]+
38.[0-9]+.[0-9]+.[0-9]+
124.115.6.[0-9]+
93.172.94.227
212.100.250.218
71.165.223.134
209.9.239.101
67.217.160.[0-9]+
70.91.180.25
65.93.62.242
74.193.246.129
213.144.15.38
195.92.229.2
70.50.189.191
218.28.88.99
165.160.2.20
89.122.224.230
66.230.175.124
218.18.174.27
65.33.87.94
67.210.111.241
81.135.175.70
64.69.34.134
89.149.253.169
64.233.1[6-8][1-9].[0-9]+
64.233.19[0-1].[0-9]+
209.185.108.[0-9]+
209.185.253.[0-9]+
209.85.238.[0-9]+
216.239.33.9[6-9]
216.239.37.9[8-9]
216.239.39.9[8-9]
216.239.41.9[6-9]
216.239.45.4
216.239.46.[0-9]+
216.239.51.9[6-9]
216.239.53.9[8-9]
216.239.57.9[6-9]
216.239.59.9[8-9]
216.33.229.163
64.233.173.[0-9]+
64.68.8[0-9].[0-9]+
64.68.9[0-2].[0-9]+
72.14.199.[0-9]+
8.6.48.[0-9]+
207.211.40.82
67.162.158.146
66.255.53.123
24.200.208.112
129.187.148.240
129.187.148.244
199.126.151.229
118.124.32.193
89.149.217.191
122.164.27.42
149.5.168.2
150.70.66.[0-9]+
194.250.116.39
208.80.194.[0-9]+
62.190.39.205
67.198.80.236
85.85.187.243
95.134.141.250
97.107.135.[0-9]+
97.79.239.[0-9]+
173.255.233.[0-9]+
184.168.191.[0-9]+
95.108.157.[0-9]+
209.235.253.17
80.203.168.254
91.121.139.153
65.106.217.107
212.227.136.64
216.27.40.61
125.212.44.207
118.169.43.123
118.169.40.20
http
google
slurp
msnbot
bot
crawl
spider
robot
httpclient
curl
php
indy library
wordpress
charlotte
wwwster
python
urllib
perl
libwww
lynx
twiceler
rambler
yandex
trend
virus
malware
wget
The next step was to find the code used to download another stage. Again, based on the same technique with Base64-encoded strings. The rebuilt URL is:
hxxp://net44net[.]net/net/2.php?u=aHR0cDovLzUyLjIwOS4yNDguMjglMkZ0cm9qYW4ucGhw
As in many cases, the domain does not resolve (and seems for sale according to domaintools.com)… Queries to some passive DNS databases revealed an IP address but it does not reply. Your last hope is often to Google for some strings. I found a blog post from 2012(!) which described exactly the same behaviour [2] but, with some differences in the code:
  1. Files were stored in /tmp instead of /dev/shm/.
  2. The hooked WP function is wp_head() instead of wp_footer().
  3. No call to Google safebrowsing.

But the domain used to download the second stage is the same. Why does the script come back to life?

Some possible scenarios:
  1. The more recent script (posted on the 10th of July) has been revamped?
  2. The script has been found on an old compromised server?
  3. Did somebody find the script somewhere else? The pastie title is “PHP Trojan?” but it not referenced anywhere else according to Google.
Note that both hashes of both scripts are unknown on VT.  If you have more information about this script or the technique used, feel free to share!
 
 
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

The Other Side of Critical Control 1: 802.1x Wired Network Access Controls, (Thu, Jul 18th)

Today’s story is a short how-to on implementing 802.1x authentication for wired switch ports.  In other words, workstations have to authenticate to be allowed on the wired network (just like your wireless network should be configured).  I was actually surprised to see 802.1x as part of the CIS Critical Control #1, where you’d expect “hardware inventory” stuff to go – it’s actually CC 1.6, 1.7 and 1.8.  But this does make sense, this not only controls where and when your gear can authenticate, but also controls the access that the “not your gear” stuff has (if any) when that stuff tries to connect.

So why do people want this, and why is it part of the Critical Controls?  Because it really is about controlling both your known and unknown inventory.  Known devices authenticate properly, and are given access to the network.  Unknown devices (visitors, or unsanctioned gear of any kind) are either denied access or shuffled off to a jail or guest VLAN.  Either way, the access requests for the “unknown” devices are all logged and can then be investigated if that’s the next step in your organization.  Only known inventory is allowed access to the network.

Infrastructure Components

The diagram below outlines the various systems components used in Network Authentication (802.1x) for both wired and wireless networks.  The assumptions here are:

  • Microsoft Active Directory
  • The “free” Microsoft CA and Network Policy Server (RADIUS) are both used
  • Group Policies and the other MS automation is used to make the various processes and policies work

 

Authentication Sequences – Wired Networking

Domain Member Workstations (also anything that’s been issued a Cert manually)

  • The workstation uses its certificate to authenticate to the RADIUS Server
  • In turn, the RADIUS server also uses its certificate to authenticate to the workstation, to prove that it’s a trusted RADIUS host
  • When authentication is complete, the device is permitted
  • If required, after the user logs in, the user certificate can be used to authenticate the user to the network as well.
  • If the authentication fails, the user is not on the network – they might be in a guest vlan, a “failed authentication” vlan, or simply blocked from network access altogether (read on to the switch config section for more details)
  • And yes, the “purist” 802.1x diagram has about 15 more steps and arrows, but I did say “brief” in my description of this article J

MAC Address Authentication / Bypass

Printers can be issued certificates and work exactly like workstations, but in many cases the printers are outsourced, or if they do own them, a majority of them will be so old (or so cheap) that they won’t support 802.1x authentication.  In those cases, often the client opts to use MAC Address Bypass (MAB) authentication to authenticate the printers.  In this case:

  • The switch acts as a “proxy” sort-of.  The switch collects the MAC address of the device, then uses it to authenticate to the RADIUS host, using the MAC address for both the userid and password
  • The RADIUS server authenticates that to AD.  The RADIUS server then permits the access if that account is found.
  • The switch port permits the device (or denies if the account does not authenticate)

The problem with this is that MAC address spoofing is not a challenge for most attackers.  In fact, you could likely automate something like this with a Raspberry Pi (discover the printer address, and present it out a second Ethernet – or even just act as a transparent bridge).

Wired Telepohones


Cisco wired telephone handsets identify themselves as such using CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discover Protocol).  In many implementations the switch port “trusts” the handsets, and places them on a dedicated voice VLAN.  Telephone handsets do not authenticate in this implementation.

The problem here is obvious, the handsets are simply trusted – and both CDP and LLDP are easily spoofed.

Wired handsets (Cisco in particular, but certainly most other major brands as well) can be issued certificates by their management application – the Cisco implementation uses “LSC” (Locally Significant Certificates).  In some cases the management app can work as a subordinate CA to the enterprise CA (which in our fictitious company is a Microsoft Certificate Server).  In other cases, the voip management app is a CA all on its own, in that design you’d need a separate policy in NPS, or maybe even a separate RADIUS host for the phones.

CERTIFICATE GOTCHAS

Machine Certificates

In the MS Certificate Authority, ensure that the machine certificate template specifies the FQDN of the host in its SAN (Subject Alternative Name) field.  Without this, Windows 10 stations will fail on authentication, as they present their FQDN as their station name (earlier versions of Windows presented their CN – common name).Certificate Authority.  What this normally means is that in the SAN field, you specify the DNS name, UPN and SPN.

User Certificates

Similarly, the fields for the User Certificates are important – use the Fully Distinguished name and (at least) the UPN in the SAN field:

RADIUS Server Certificates

You might think that a standard Server Certificate would work here, but the CA Template for RADIUS servers *must* be based on the “RAS and IAS Servers” template, or it just plain won’t work.

 

Group Policies

User and Computer Certificates

This GPO forces Users and Computers to request Certificates from the Certificate Authority.  This process initiates a “CSR” (Certificate Signing Request).  The CA automatically processes all CSRs from domain member workstations and users, and issues the requested certificate.  Push this certificate out first, and ensure that most or (preferably) all workstations have their certs before you proceed on.

Wired Authentication GPO

This GPO governs authentication of wired workstations, using the 802.1x protocol.

The key points in this GPO are:

  • 802.1x is authenticated
  • Certificates are used for authentication (the selection for “Smart Card or Certificate” is made)
  • Only the Computer Certificate is used
  • The CA is authenticated, and only the enterprise CA can be used
  • The user is never prompted to allow certificates from other CAs
  • Disabling the enforcement of 802.1x at the client allows the use of this workstation on other networks (home Ethernet networks for instance)

This GPO also needs to be pushed out with some “wait time” factored in, before you can configure your switches.  This ensures that when you set the enforcement on the switch policy, the workstations are able to authenticate.  This GPO starts a new service on the workstations, “Wired AutoConfig”.  Checking for this service in a running state is a handy way to ensure that your workstations are “ready to roll” for 802.1x.

The fun part here is that if machines don’t reboot or cycle power after they get this GPO, the service won’t start.  And with Windows 7 and 10, it’s really common now to see machines only reboot for patches – people just seem to lock, sleep or hibernate them anymore.  You may need to enforce a reboot or manually start the service with a script to get this step completed.

RADIUS Server Configuration

Wired Authentication using 802.1x

The radius policy for wired 802.1x is set up with:

Conditions:

Settings:

  • EAP Configuration = Configured
  • Ignore User Dial-in Properties = True
  • Access Permission = Grant Access
  • EAP Method = Microsoft Smart Card or other Certificate
  • NAP Enforcement = Allow Full Network access  (you can set an ACL if you want)
  • Tunnel Medium-Tyupe = 802
  • Tunnel-Pvt-Group-ID =
  • Tunnel Type = VLAN

Not that you can also set a VLAN for non-compliant hosts, normally this is set on the switch port, and is set to some internet-only “guest” VLAN, or else a “jail” VLAN where there are just enough resources for the helpdesk to remediate your computer (see the switch section of this article for those settings)

MAC Address Bypass (MAB) – Printer Authentication

If you choose to implement MAB, you’ll need to define a group that the printer “accounts” will be in.  Using Fine Grained Password Policy (FGPP), you’ll want to relax your password policy enforcement for these accounts.  Also set those accounts so they can’t actually login to the domain.

The printers get the same policy as the workstations in NPS, except:

  • Set the authentication type as unencrypted / PAP instead of EAP
  • The membership should be to your MAB / FGPP group rather than the entire domain
  • This policy will need to be ordered before the Wired NPS Policy

Printer Password Policy

The default domain policy enforces a password policy, which denies accounts the use of their account name as their password – for instance the user “Joe User”, with the userid of  “juser”, cannot use “juser” as their password.

To make things work for MAC address authentication, use a “fine grained password policy” (FGPP) that relaxes this requirement for printer accounts, which use their MAC address for both userid and password in the MAB (MAC Address Bypass) implementation.  This policy is illustrated below, and is applied only to the group “MAB Group for FGPP”, which is also shown:

Apply this policy to the OU or the AD Group that the printers are in.

Switch Configuration

First, the switch configuration is set up to allow 802.1x authentication, and the authentication source is pointed to (at least) 2 RADIUS hosts.

radius server RADIUS01
 address ipv4 auth-port 1812 acct-port 1813
 key

     radius server RADIUS02
       address ipv4 auth-port 1812 acct-port 1813
       key

aaa group server radius RADIUSGROUP
 server name RADIUS01
 server name RADIUS02

dot1x system-auth-control

aaa authentication dot1x default group RADIUSGROUP
aaa accounting dot1x default start-stop group RADIUSGROUP

Next, the individual ports are configured.  A typical workstation / phone / printer port is shown here:

interface GigabitEthernetx/0/y

 

 description some description goes here

 

 switchport access vlan 101

The “native vlan”, also the VLAN assigned for successful 802.1x authentication

 switchport mode access

 

 switchport voice vlan 105

Voice VLAN

 trust device cisco-phone

This tells 802.1x to “trust” phones.  Not recommended, use LSC (Locally Significant Certificates) or equivalent instead.

If LSCs are used, this line should be removed

 authentication event fail action next-method

Fail to successive authentication methods (see below)

 authentication event server dead action authorize voice

Allow voice VLAN access even if RADIUS servers are down

 authentication order dot1x mab

Try 802.1x authentication first, then MAB

 authentication priority dot1x mab

 

 authentication port-control auto

 

 authentication periodic

Re-authenticate periodically

 authentication timer reauthenticate server

 

 mab

Allow MAB (MAC Address Bypass)

 dot1x pae authenticator

Enable 802.1x port authentication

 dot1x timeout server-timeout 30

 

 dot1x timeout tx-period 10

 

 dot1x max-req 3

 

 dot1x max-reauth-req 10

 

 auto qos voip cisco-phone

 

 spanning-tree portfast

abbreviated STP negotiation for workstations

 spanning-tree bpduguard enable

Prevents people from bolting their own switches to this port. 

 

 

OPTIONAL:

 

These two commands cover the two cases of “didn’t authenticate” – either the client isn’t 802.1x capable or it is, but failed the authentication.

 

dot1x guest-vlan

The guest VLAN is where you end up if the client isn’t 802.1x capable (which is the default windows configuration), and if you fail any configured MAC address bypass. 

dot1x auth-fail vlan

If your station is 802.1x capable and fails authentication, then your end up in the “authenticated failed” vlan.

 

Again, I did cover off the configuration for both MAC Address authentication and “trust the phones”.  Neither is recommended if you are truly trying to secure things.  However, in an open office environment with controlled access (visitor signin and locked doors), you can make the case that there are at least some compensating controls to hinder a physical pen-tester or on-premise attacker.

Given how hard the telephony and printer vendors make 802.1x, customers often take these two “shortcuts”.  Just be sure that everyone knows what they’re giving up when they go there!

Do you have any success stories (or “down in flames” stories) of 802.1x authentication projects you’ve seen?  Please, share using our comment form!

===============

Rob VandenBrink
rob coherentsecurity.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →
Page 3 of 7 12345...»