Monday, December 28, 2015

LogRhytm: How to recover SA password on Microsoft SQL Server 2008 R2

This article will come very handy if you ever end up in a situation like I did.
MS SQL Server installed (while installing LogRhythm) without prompting me to pick a password for SA account. Guess what - cant login.
Have a read, if you cant fins the article, DM, I'll send you a PDF.


Wednesday, December 23, 2015

SIEM - LogRhythm Installation

This document shows the installation process for LogRhythm XM after the MS SQL server has been completely
installed and updated to SP3.

Run the Installation Wizard

For XM, select ALL of the options and click on Install

  All Green. Click on Exit. 

Tuesday, December 22, 2015

Monday, December 21, 2015

Monday, December 7, 2015


Analysing and Reverse Engineering Ransomware
Vishal Thakur GIAC-GREM


Ransomware (CryptoLocker, CryptoWall, TeslaCrypt - many versions exist) has been the biggest and most effective malware type in recent years and apart from being quite effective and wide-spread, has also been one of the biggest money-makers for malware writers in the recent history of commercial-grade malware.
It is a widely accepted that the encryption caused by these malware is impossible to break. Which does not leave the victim with much choice other than paying the ransom and hope the they get the decryption keys as promised (if they do not have a working copy of the backup for encrypted data) or simply forget about the data that has been lost and move on.
While that maybe true for most cases - there are copies of these ransomware where the system is not relying on AES encryption based solely on Private and Public keys. I have come across ransomware that is using its own encryption engines (which is harder to protect against in some cases, as these do not rely on Microsoft’s CryptoAPIs at all). The one positive in this case is that it is possible to reverse these executables and find out what type of encryption is being used, which allows us to dig deeper and find out how to find the decryption keys. In some cases, the key is actually generated during execution (infection phase) and then sent back to the C2 servers. This makes it even easier to extract the artifacts that may contain the actual key (voila!) or at least lead us in the right direction.
Keep all of the above in mind, I decided to spend some time and effort in reversing an executable file derived from a ransomware code that encrypts data on the victim’s computer and then asks them to pay ransom in exchange of the decryption key. In the following sections, I provide step by step information on how the reversing was done and how the information can be used to get the decryption key.


For the purpose of this paper, we’ll call the executable ‘vishuwerehere.exe’. This file, when executed, targets the victim’s user directories and encrypts the data (a list of certain file extensions) using AES. It then creates a text file letting the victim know that their data has been encrypted and they need to pay the ransom if they want the decryption key.


  1. First step is to find out if the exe has been packed or not. Every reverse-engineer has his favorite tool for this purpose. I usually go for something like ExeInfo PE.
  1. As we can see, this one doesnt seems to be packed. We’ll find out in the next step if that is the case or not.
  2. Running the exe in BinText quickly confirms that - I get more than 200 strings, usually this would mean that the chances of this being packed are remote. We can also use something as simple as strings or strings2 for this and the result will be the same.
  1. Time to do what most reverse-engineers do next. Run it in IDA and then in Olly!
  2. In IDA, I’ll be looking for ‘interesting’ strings. Let’s take a quick look.


First things first
PeStudio gives you the functions that you are looking for in order to confirm what’s really happening here. ‘EncryptFile’ leaps out straightaway.
‘get_MachineName’ is being used to grab the computer name to identify the victim.
‘userName’ can be used in order to target data to be encrypted. Then there are the usual suspects - SHA256 (hashing) etc.  
Next, we look at the other strings that could give away more about the nature of the malware in question.
AES_Encrypt’ could mean two things. One of them is pretty bad and one of them could possibly be not so bad. Bad news is that the malware is using Asymmetric encryption to do the job - very hard to decrypt without the key. Not so bad news is that it is possible that the malware is not using a private key in the background for encryption. Why is it not so bad news? It could mean that the malware is generating the key locally and then sending  it off to the C2 - which means that there is a slight possibility that we can try to extract the key from memory or from the traffics that is going out over the network. Not essentially an easy task but nonetheless, it does provide some hope!
encryptDirectory’ is another string  that stands out. This simply means what it says.

Other than the obvious ones that I have mentioned above, there are a few more that sound interesting - more so from a curiosity angle than anything else.


This is where the fun begins! I have exclusively used OllyDbg for this one. There is a lot in this exe that needs to be looked at but here are a few that stand out and should be enough for us to get started and get a handle on this malware.
Most of the functions below are self-explanatory.

He is trying to get the computer name

Creating process - pretty basic stuff

There goes your sandbox

He doesn't wants to target certain OS versions

Now, that would be pretty helpful....

As I mentioned above, some of the functions above are pretty obvious and self-explanatory. 


Finding out the C2 connection that is being made is the easiest part. I call it the 3-step approach:
  1. Execute (in sandbox - most malware will run)
  2. Capture (use your fav tool)
  3. Analyse (Follow the stream and you’ll be served the complete URL on a platter)
More important than that (in most cases, the damage has already been done, you can only use the URL to block traffic to and from it into your network), you can reverse the malware and see if there is a chance that it was using a locally created key to encrypt the files rather than a public key based on a private key being held by the bad actors.
If you end up finding that the malware is relying on creating a local key, you still are in the game and there is a possibility of complete data recovery.
I have come across this scenario quite a few times in the past so it is definitely worth exploring and spending some time on trying to reverse engineer the malware. If nothing else, it will give you a better understanding of the threats that ransomware poses to your network.

Happy reversing!!


Monday, November 23, 2015

New Banking Phishing Campaign hits Australia

There is a new phishing campaign that is currently targeting Australia and New Zealand. This is coming through email and SMS media. The message asks the user to the click on a link and update their details. Please make sure that your end-users are aware of this and DO NOT click on these links. Bad actors behind this campaign grab various details (credit cards, DOB, License, Address etc) and the data is then saved into a database (PHP framework being used in the backgroud to facilitate this).
The domain being used is not flagged by any vendor at this moment (checked virustotal and all major security vendor sites).
Please BLOCK this domain at GW for added security. Depending on your organization’s policies – you can use wildcards.

Block these additional URLs as well:

Thursday, November 12, 2015

GIAC Certification - GREM Exam Tips

If you look at my LinkedIn profile, you'll see that I have passed more certification exams than I can remember! The reason I bring that up is to let you know that GIAC GREM exam was by far the toughest.

Thought I'd share my journey with you!

The Start.

I sat the class-room course SANS FOR610 and our instructor (Jake Williams) was awesome - highly entertaining and super-knowledgeable. Cant get any better than that, as the course really is hardcore and can get a bit tiring at times.

If you get a chance to sit the class-room course, I'd always suggest you do it over the on-demand version. Access to a SANS instructor is unmatched by any advantages the Online course might offer. You can ask questions as they come up in your mind, the real-world examples and stories the instructors share with you, the labs, interaction with fellow attendees and networking with people while you're doing the course is invaluable. I made a few good connections while I was there. Also, you get to meet other instructors (I was at the cyber-defense event, so there were community nights etc., which were really informative and fun).

The Test. 
I took my time to sit the test. With a full time job and family, its hard to find time to study as much as I would like to. And study you need to, if you want to pass this exam. Like Jake told us on the first day, there's a reason the word 'engineering' is in the course title - it is a tough one.

I took nearly four months to sit the exam after taking the course (three work-overseas trips and two other certifications in between!). Last few weeks I really stepped it up - stayed up late and went through the course books back to front.

One of the biggest help I had (and you should too), was the mp3 audio files by Lenny Zeltzer - the ones you get as part of self-study after you take the course. I listened to these every chance I could get. I had them on my phone and played them in the car. I listened to Lenny go through the course until I knew what he was going to say next! REAL BIG help, trust me on this one.

The Preparation.
I did quite a bit. I did grab malware samples whenever I could and tried to reverse them as best as I could. In hindsight, I think this really helped. When you're working on malware not from the labs, you're dealing with stuff you dont know about. You end up learning a lot. I was not successful most of the times but kept getting better. All of this starts to make sense as you gain more and more experience. It was a slow process for me but I did get better at reversing and analyzing.

When you look around the web for tips on GIAC exams, indexing is big. Everyone tells you to make an index for your books and most people tell you their indices are quite big.
Make what you will of this, but I didnt really end up with a huge index. It was a few pages. I did not rely on it too much during the test and I didnt really think a bigger index would have helped. Keep in mind though, I'm talking specifically about the GREM exam. Not sure if the other exams require bigger indices. Also, I knew my books really well by the time I took the exam and I knew where to look. I did label my books with colored tabs. That, I believe was more helpful than the index.

The Index and labels. 
As I mentioned above, I relied a lot on the labels through-out my study and also the exam. I labeled everything with a sticky tab that I felt was important. Also, while reading through the books, I highlighted all the keywords and important bits. While labeling and indexing, I went through the books again and looked for the highlighted bits and put them either on the index or labeled them.

The Exam. 
Keep in mind that you only get less than 2 minutes per questions. I tried to be at a level where I could answer a few questions without having to look at the books. Some questions I knew but had to confirm by looking at the books - but this is a lot faster than looking for the complete answer. Some questions I had to lookup.

You get a 15 minute break during the exam - I didnt bother. Once you're in the zone, I guess its better to get it done with in one hit.

The Result.
I passed quite easily with more than 80% (70.7% is the pass percentage). Would've loved to get 90% - which is what I was really aiming for but didnt get there.

One more thing I want to share with you is that I found the exam to be a lot harder than the practice exams. Maybe it's just me and I got a bit unlucky in that sense.

The biggest tip I can give you is this - go through the course material back to front, reverse ALL samples that were provided to you during the course and try to get some more. I did go through some other books but I dont think they are really required for the exam. I read through Practical Malware and MAC. One book I can really recommend is Windows Internals - this book really helped me in learning more details about things that are relevant to this course (good to know).

Last thing, enjoy learning everything as your're studying for the exam - it really makes it easier and you learn more.

The Impact.
Getting certified - does it make a difference? YES, it does.
You feel  a lot more confident - people around you (esp. the ones who know how hard it is) respect you a lot more.
As soon as I updated my LinkedIn profile (added the GREM badge) the number of recruitment agent emails went up overnight!

Are GIAC certifications and SANS courses worth the hype - YES. I will definitely be doing more with SANS, not just for the career opps but primarily to learn more. I really did learn a great deal and plan keep learning more.

Any questions, let me know!


Tuesday, November 10, 2015

Sunday, November 8, 2015

Reverse Engineering: Rebuilding the IAT

Malware is somtimes packed in order to make it harder to analyse. Some times, the author deliberately changes the IAT so that the malware does not behave as expected and becomes really hard to disassemble.

Follow this process to rebuild the IAT -

Load the malware into a disassembler (Olly or IDA)

Locate the OEP (Original Entry Point)

Dump the process (eg. use OllyDumpEx)

Attach the process to a tool like Scylla while it's paused in the debugger

Hit the search function to find the IAT

Fix Dump in order to dump the process with the fixed IAT.

Now you can reload the fixed process into the debugger/disassembler and continue to reverse.

If Scylla does not find the IAT, use other tools.

Memory Forensics: Volatility Usage Sequence

This is just my way of using Volatility for memory forensics. I find this sequence to be the best in order to get the most out of the exercise and it also allows me to make sure that I dont miss any of the basics.

Here we go:

As soon as you have the memory image, copy it on to your forensics machine and start analyzing it using volatility. 

1. Specify the --profile if needed


2. Run both of these modules: 
  • pslist
  • psscan

Run just this module:
  • psxview

3. Run connscan - this will give you all the connections that are being attempted

4. Run sockscan - this will give you all the ports that are being used

5. Run procdump (or procexedump) - this will let you 'dump' the process (get an 'exe' for the process that you are after, out of the mem image)

6. Run dlllist - this will give you a list of all the DLLs (analyzing DLL-injections)

7. Run malfind - this will find the suspicious sections of code for you. This module combines 'pefile' and 'pydasm' both. Very useful. 

8. Run printkey - this will extract the registry keys for you, again, very helpful. 

Virtual Memory

9. Run pslist - this will give you the process list, which you can use for finding virtual memory space for the desired processes

10. Run memdump - this will dump the memory of the process

11. Run driverscan - gives you all the drivers that are on the system memory

12. Run modules and modscan - gives you all modules and drivers loaded on to the system memory

13. Run consoles - give you all the commands that have been used. 

14. Run cmdscan - again, gives you all the commands, only without  the output.

15. Run apihooks -  run this to get a list of all in-line hooks in user and kernel mode. 

16. Run vaddump - finally, this will give you an extraction of mem regions from the VAD tree.

This is the sequence that I always use for any mem analysis job and it works for me. There are other modules that come handy time to time but that is mostly on an ad-hoc basis, as required. 

Hope this helps you in your analysis tasks!


Tuesday, September 29, 2015

Hex Plus - a very handy app

Downloaded this app to my phone today - really helpful. I would recommend it highly if you need to convert values frequently for networking or coding purposes. Reversing requires something like this all the time. I have put it to the test and it works just great. Very simple, fast and gives me exactly what I need from an app like this.

Get it for android from Google Play


Tuesday, September 22, 2015

Reverse Engineering: Assembly Instructions

Here is a list of main instructions that you could come across when reversing code:

push — Push Stack.
The push instruction places its operand onto the top of the hardware supported stack in memory. Specifically, push first decrements ESP by 4, then places its operand into the contents of the 32-bit location at address [ESP]. ESP (the stack pointer) is decremented by push since the x86 stack grows down - i.e. the stack grows from high addresses to lower addresses.

pop — Pop stack
The pop instruction removes the 4-byte data element from the top of the hardware-supported stack into the specified operand (i.e. register or memory location). It first moves the 4 bytes located at memory location [SP] into the specified register or memory location, and then increments SP by 4.

lea — Load effective address
The lea instruction places the address specified by its second operand into the register specified by its first operand. Note, the contents of the memory location are not loaded, only the effective address is computed and placed into the register. This is useful for obtaining a pointer into a memory region.

add — Integer Addition
The add instruction adds together its two operands, storing the result in its first operand. Note, whereas both operands may be registers, at most one operand may be a memory location.

sub — Integer Subtraction
The sub instruction stores in the value of its first operand the result of subtracting the value of its second operand from the value of its first operand. As with add

inc, dec — Increment, Decrement
The inc instruction increments the contents of its operand by one. The dec instruction decrements the contents of its operand by one.

and, or, xor — Bitwise logical and, or and exclusive or
These instructions perform the specified logical operation (logical bitwise and, or, and exclusive or, respectively) on their operands, placing the result in the first operand location.

not — Bitwise Logical Not
Logically negates the operand contents (that is, flips all bit values in the operand).

neg — Negate
Performs the two's complement negation of the operand contents.

shl, shr — Shift Left, Shift Right
These instructions shift the bits in their first operand's contents left and right, padding the resulting empty bit positions with zeros. The shifted operand can be shifted up to 31 places. The number of bits to shift is specified by the second operand, which can be either an 8-bit constant or the register CL. In either case, shifts counts of greater then 31 are performed modulo 32.

jmp — Jump

Transfers program control flow to the instruction at the memory location indicated by the operand.

jcondition — Conditional Jump
These instructions are conditional jumps that are based on the status of a set of condition codes that are stored in a special register called the machine status word. The contents of the machine status word include information about the last arithmetic operation performed. For example, one bit of this word indicates if the last result was zero. Another indicates if the last result was negative. Based on these condition codes, a number of conditional jumps can be performed. For example, the jz instruction performs a jump to the specified operand label if the result of the last arithmetic operation was zero. Otherwise, control proceeds to the next instruction in sequence.
A number of the conditional branches are given names that are intuitively based on the last operation performed being a special compare instruction, cmp (see below). For example, conditional branches such as jle and jne are based on first performing a cmp operation on the desired operands.

je <label> (jump when equal)
jne <label> (jump when not equal)
jz <label> (jump when last result was zero)
jg <label> (jump when greater than)
jge <label> (jump when greater than or equal to)
jl <label> (jump when less than)
jle <label> (jump when less than or equal to)

cmp eax, ebx
jle done

cmp — Compare
Compare the values of the two specified operands, setting the condition codes in the machine status word appropriately. This instruction is equivalent to the sub instruction, except the result of the subtraction is discarded instead of replacing the first operand.

call, ret — Subroutine call and return
These instructions implement a subroutine call and return. The call instruction first pushes the current code location onto the hardware supported stack in memory (see the push instruction for details), and then performs an unconditional jump to the code location indicated by the label operand. Unlike the simple jump instructions, the call instruction saves the location to return to when the subroutine completes.
The ret instruction implements a subroutine return mechanism. This instruction first pops a code location off the hardware supported in-memory stack (see the pop instruction for details). It then performs an unconditional jump to the retrieved code location.

Full article at:


Malware Analysis: Commonly used Windows functions

WriteFile function
Writes data to the specified file or input/output (I/O) device.This function is designed for both synchronous and asynchronous operation. For a similar function designed solely for asynchronous operation, see WriteFileEx.

CreateProcess function
Creates a new process and its primary thread. The new process runs in the security context of the calling process.
If the calling process is impersonating another user, the new process uses the token for the calling process, not the impersonation token. To run the new process in the security context of the user represented by the impersonation token, use the CreateProcessAsUser or CreateProcessWithLogonW function.

LookupPrivilegeValue function
The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.

RegCloseKey function
Closes a handle to the specified registry key.

RegSetValue function
Sets the data for the default or unnamed value of a specified registry key. The data must be a text string.
Note:  This function is provided only for compatibility with 16-bit versions of Windows. Applications should use the RegSetValueEx function.

RegOpenKeyEx function
Opens the specified registry key. Note that key names are not case sensitive.
To perform transacted registry operations on a key, call the RegOpenKeyTransacted function.

GetCurrentProcess function
Retrieves a pseudo handle for the current process.

GetTickCount function
Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.

CreateFile function
Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe. The function returns a handle that can be used to access the file or device for various types of I/O depending on the file or device and the flags and attributes specified.
To perform this operation as a transacted operation, which results in a handle that can be used for transacted I/O, use the CreateFileTransacted function.

WriteFile function
Writes data to the specified file or input/output (I/O) device.
This function is designed for both synchronous and asynchronous operation. For a similar function designed solely for asynchronous operation, see WriteFileEx.


Using Putty to connect to Google Linux Instance

1. Create a linux instance on google compute. 

2. Download WinSCP and install it. This will give you PuttyGen, which is needed to create a key that we'll use to connect to the instance. 

3. Using PuttyGen, create a new key pair. 


4. Copy the public key like shown in the above image. Save both the public and private keys from this screen for future use. You will need the private key file to connect using Putty. 

5. Logon to the Google Developers Console and navigate to 'Compute > Compute Engine > Metadata > SSH Keys' and click on Edit. 

6. In the blank field, paste the public key that you copied from Puttygen and Save. 

7. Go to Putty now. 

8. In the host name, type in the username and IP of the instance in this format: username@ipaddress. Eg. matthew@

9. Leave everything else as default on this screen. 
10. Click on 'Connection' on the left and select SSH to expand it. 
11. Select 'Auth' under SSH and browse for the private key that you saved in PuttyGen.

12. This is it. You can save this session for future use if you want but at this point, you should be able to connect via ssh to your instance on Google Compute.