Tuesday, August 1, 2017

Detecting Lateral Movement - PsExec execution with Demo





PsExec can be used quite easily on any network to move laterally from one system to another. Here's one way of detecting lateral movement.


Demo:
We'll create a PsExec session and then look for the events and note them down. These can then be used for monitoring alerts or forensic investigations.

Launch a PsExec session from one machine to another and note the time:

Machine A -
 

Session launched on Machine B - 





Now we look through the Windows Events Viewer and find the events for this session.
Looking through the Security events, we can see in the image below that the Logon event (ID 4624) was created for the session that we launched (note the timestamp).



Details of the event should give us more information on the event.




This tells us clearly that the logon came from our Machine A, through PsExec.
Next, we need to look for the service that was created as part of this session. PsExec creates the service process PSEXESVC.exe on the host system when it is successfully launched.


To find the process created on this host system (Machine B), we need to look under the System events.




Look at the details:







These are the events you need to monitor/investigate for PsExec execution on the host systems. The whole process can be automated through a SIEM for passive monitoring for security events or can be executed ad-hoc as needed for investigations and incident response.

When investigating systems post-incident, you can acquire the event log files from this location on Windows 8.x:

C:\Windows\System32\winevt\Logs




Once acquired, these files can be reviewed in the Windows Events Viewer on your investigation machine.
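The two events above can be paired automatically: a Security 4624 network logon on a host followed, within a few seconds, by a System 7045 "service was installed" event whose service or binary is PSEXESVC is exactly the trace the demo produced. The script below is an added example, not code from the original post. It runs over constructed sample events (hostnames, account, times and addresses are made up), uses simplified field names that a real Event Viewer or SIEM export would have to be mapped onto, and assumes the logon in the demo screenshot was a network logon (type 3), which is how a PsExec session authenticates.

```python
"""Flag PsExec lateral movement by pairing a network logon with a PSEXESVC install."""
from datetime import datetime, timedelta

# Constructed sample events, simplified to the fields the check needs. Real Event
# Viewer / SIEM exports carry these under names such as "Workstation Name",
# "Source Network Address" and "Service Name"; map them onto these keys first.
EVENTS = [
    # Security 4624, network logon (type 3) to MACHINE-B coming from MACHINE-A
    {"log": "Security", "id": 4624, "host": "MACHINE-B", "time": "2017-08-01 10:15:02",
     "logon_type": 3, "account": "labadmin", "workstation": "MACHINE-A", "src_ip": "10.0.0.5"},
    # System 7045, service installed on MACHINE-B one second later: the PsExec service
    {"log": "System", "id": 7045, "host": "MACHINE-B", "time": "2017-08-01 10:15:03",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Interactive console logon on another host: unrelated
    {"log": "Security", "id": 4624, "host": "MACHINE-C", "time": "2017-08-01 11:00:00",
     "logon_type": 2, "account": "bob", "workstation": "MACHINE-C", "src_ip": "-"},
    # Ordinary service install with no preceding network logon: unrelated
    {"log": "System", "id": 7045, "host": "MACHINE-D", "time": "2017-08-01 12:30:00",
     "service_name": "BackupAgent", "image_path": r"C:\Program Files\Backup\agent.exe"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_psexec_service_install(event):
    """A 7045 whose service name or binary mentions PSEXESVC.

    A renamed PsExec service binary will not match this string check, so treat
    any 7045 that follows a network logon as worth a look even if this is False.
    """
    if event["log"] != "System" or event["id"] != 7045:
        return False
    haystack = (event.get("service_name", "") + " " + event.get("image_path", "")).lower()
    return "psexesvc" in haystack


def correlate_psexec(events, window_seconds=60):
    """Return one alert per PSEXESVC install preceded by a network logon on the same host."""
    network_logons = [e for e in events
                      if e["log"] == "Security" and e["id"] == 4624 and e.get("logon_type") == 3]
    alerts = []
    for svc in filter(is_psexec_service_install, events):
        svc_time = parse_time(svc["time"])
        for logon in network_logons:
            if logon["host"] != svc["host"]:
                continue
            gap = svc_time - parse_time(logon["time"])
            # The logon must come first and the service install must follow soon after.
            if timedelta(0) <= gap <= timedelta(seconds=window_seconds):
                alerts.append({
                    "target": svc["host"],
                    "source": logon["workstation"],
                    "source_ip": logon["src_ip"],
                    "account": logon["account"],
                    "service_time": svc["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_psexec(EVENTS):
        print(alert)
```

The window is the tunable part: the demo shows the two events a second or so apart, but on a slow link or a busy host the gap grows, and a window that is too wide starts pairing unrelated admin logons with legitimate service installs.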

:)


Thursday, July 20, 2017

TrickBot Banking Malware - some features of interest

Here's one:

It creates this dir - c:\Users\%username%\appdata\Roaming\winapp\

Now, if you're thinking that creating this dir yourself and then read/write-protecting it will stop this malware from executing fully, you're wrong :)

If it can't access that location to create the directory, it simply dumps the PE on the Desktop and executes from there.

Cool stuff!

Wednesday, June 28, 2017

Petya NotPetya Quick and Dirty Analysis

I'll leave the detailed version to hasherezade :)
This is a quick look at what the malware is about and what functions it uses.

Looks for physical drives on the infected computer.



Here's the bundled-in psexec, as dllhost.dat:

Here's another PE, which looks like it is used to launch rundll32.exe, as perfc.dat:


Infection starts.



dllhost.dat > PsExec




System restart.

Encryption.














Provider: MS RSA AES


This is where it starts in user-land.


All the familiar messages.





And here's all the WMI stuff.
Also, note that rundll32.exe is called by '%s' - perfc.dat in this case.










Running PSExec on the entire subnet, after accepting the EULA of course :)


Extensions to be encrypted.





Looks for the extensions it wants to encrypt (hard-coded, and different from the ones seen in Petya in mid-2016).


Encryption part.












And here are all the encryption functions that are called.

Like I said earlier, this is a quick look into the malware, not a detailed analysis. But it should give you some insight into how it works.



Tuesday, June 27, 2017

Petya extensions targeted

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb
.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql
.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.

Petya Mem Strings

Some interesting strings pulled from the Petya executable:
 

<assemblyIdentity
    version="5.1.0.0"
    processorArchitecture="x86"
    name="Microsoft.Windows.Shutdown"
    type="win32"
<description>Windows Shutdown and Annotation Tool</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="asInvoker"
                uiAccess="false"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
</assembly>


00026671-00002512,dllhost.dat,"%WINDIR%\dllhost.dat",2512,2880,2017-6-27.07:45:34.603,"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"""

c:\src\Pstools\psexec\EXE\Release\psexec.pdb
c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb

Direct PsExec to run the application on the remote
computer or computers specified. If you omit the computer
ComputerName
CONIN$
Connecting to 192.168.xx.xx...
Connecting to 192.168.xx.xx...
                                                                              
Starting PsExec service on 192.168.xx.xx...
                                                                              
Connecting with PsExec service on 192.168.xx.xx...
                                                                              
Starting %WINDIR%\System32\rundll32.exe on 192.168.xx.xx...
Connecting with PsExec service on 192.168.xx.xx...
ConnectNamedPipe
CONOUT$
ControlService

that file and print sharing services are enabled on %s.
the password is transmitted in clear text to the remote system.
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
UseDelayedAcceptance


00024659-00002880,rundll32.exe,"%WINDIR%\System32\rundll32.exe",2880,2292,2017-6-27.06:42:15.996,"C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1""
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
2.    Send your Bitcoin wallet ID and personal installation key to e-mail
[j j
\Sessions\1\Windows\ApiPort
\ThemeApiPort
AddressFamily
AppData
AQIAAA5mAAAApAAA6vAGjmKL1o/z1WoWFbD8HoXQxvta/l23/sisYXlY3R/b2LYb
GBVOO2YNwJuwEsKdn6WHHKMbDnT/orfba9XaLwwelJeehFIraOnQSXSuVih7CWRJ
AuthenticodeEnabled
AutodialDLL


DhcpDomain
DhcpNameServer
Dhcpv6Domain
Disable
DisableBranchCache
DisableEngine
DisableImprovedZoneCheck
DisableLocalOverride
DisableMetaFiles
DisableUserModeCallbackFilter
DisplayString
dllhost.dat


Enabled
EnableDhcp
EnableLinkedConnections
EnablePunycode
Export
FE04.tmp
FipsAlgorithmPolicy
HelperDllName
Hostname
Image Path
l your files safely and easily.  All you
 need to do is submit the payment and purchase the decryption key.
 Please follow the instructions:
 1. Send $300 worth of Bitcoin to following address:


Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have b
PackedCatalogItem
PageAllocatorSystemHeapIsPrivate


TROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED
  IN!
Type
UseDelayedAcceptance
UseHostnameAsAlias
UseOldHostResolutionOrder
Users
Version
Webclient
Windows
WinHttpSettings
WinSock 2.0 Provider ID
WinSock_Registry_Version
wowsmith123456@posteo.net.


00026129-00001968,FE04.tmp,"%TEMP%\FE04.tmp",1968,2880,2017-6-27.06:45:10.817,"%TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}""
%OSUSER%-PC\%OSUSER%:123456


00026131-00002720,schtasks.exe,"%WINDIR%\System32\schtasks.exe",2720,2724,2017-6-27.06:45:08.804,"" /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45""
(40,4):LogonType:
ERROR:
ERROR: No mapping between account names and security IDs was done.
No mapping between account names and security IDs was done.
00026195-00002796,shutdown.exe,"%WINDIR%\System32\shutdown.exe",2796,1820,2017-6-27.06:45:09.425,"%WINDIR%\system32\shutdown.exe" /r /f""
0 0(000


Shutdown and Annotation Tool
00026671-00002512,dllhost.dat,"%WINDIR%\dllhost.dat",2512,2880,2017-6-27.07:45:34.603,"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"""
!This program cannot be run in DOS mode.
"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"


%WINDIR%\System32\rundll32.exe started on 192.168.56.11 with process ID 2996.
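The process records scattered through the dump above (the lines that start with a record number and end in a command line) can be stitched into a parent/child tree, which shows at a glance that rundll32.exe (PID 2880) is the parent of both the renamed PsExec (dllhost.dat) and the dropped FE04.tmp. The script below is an added example, not part of the original post. Its field layout is an assumption made from reading the lines, not a documented format: record id, image name, image path, PID, parent PID, timestamp, and everything after the sixth comma as the command line.

```python
"""Rebuild a parent/child process tree from the process records in the strings dump."""
from collections import defaultdict
from datetime import datetime

# The five records as they appear in the post. The field layout is an assumption
# made from reading them: record id, image, image path, PID, parent PID,
# timestamp, command line (everything after the sixth comma).
RECORDS = [
    r'00026671-00002512,dllhost.dat,"%WINDIR%\dllhost.dat",2512,2880,2017-6-27.07:45:34.603,"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"""',
    r'00024659-00002880,rundll32.exe,"%WINDIR%\System32\rundll32.exe",2880,2292,2017-6-27.06:42:15.996,"C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1""',
    r'00026129-00001968,FE04.tmp,"%TEMP%\FE04.tmp",1968,2880,2017-6-27.06:45:10.817,"%TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}""',
    r'00026131-00002720,schtasks.exe,"%WINDIR%\System32\schtasks.exe",2720,2724,2017-6-27.06:45:08.804,"" /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45""',
    r'00026195-00002796,shutdown.exe,"%WINDIR%\System32\shutdown.exe",2796,1820,2017-6-27.06:45:09.425,"%WINDIR%\system32\shutdown.exe" /r /f""',
]


def parse_record(line):
    """Split one record; only the first six fields are comma-free, so split at most six times."""
    rec_id, image, path, pid, ppid, stamp, cmdline = line.split(",", 6)
    return {
        "id": rec_id,
        "image": image,
        "path": path.strip('"'),
        "pid": int(pid),
        "ppid": int(ppid),
        # Month and day are not zero-padded in the dump; strptime accepts that.
        "time": datetime.strptime(stamp, "%Y-%m-%d.%H:%M:%S.%f"),
        "cmdline": cmdline,
    }


def build_tree(records):
    """Return (roots, children): roots are records whose parent PID is not in the dump."""
    by_pid = {r["pid"] for r in records}
    children = defaultdict(list)
    roots = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["ppid"] in by_pid:
            children[rec["ppid"]].append(rec)
        else:
            # Parent not captured (e.g. the services.exe or explorer.exe that
            # started it), so this record is shown as a top-level node.
            roots.append(rec)
    return roots, children


def child_images(records, pid):
    """Sorted image names of the direct children of one PID."""
    _, children = build_tree(records)
    return sorted(c["image"] for c in children[pid])


def render(records):
    """Indented text tree, earliest process first."""
    roots, children = build_tree(records)
    lines = []

    def walk(rec, depth):
        lines.append("  " * depth
                     + f"{rec['image']} (pid {rec['pid']}, ppid {rec['ppid']}, {rec['time']:%H:%M:%S})")
        for child in children[rec["pid"]]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render([parse_record(line) for line in RECORDS]))
```

The schtasks.exe and shutdown.exe records appear as separate roots only because their parents (PIDs 2724 and 1820) are not among the five quoted lines; with the full process log they would hang off the same chain.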

 

Tuesday, May 30, 2017

Python: converting Shodan CSV into IOCs CSV

This is a small script that converts the CSV downloaded from Shodan into a new CSV that is usable for ingesting into other platforms (e.g. ThreatConnect). You can grab the IOC column (e.g. IPs) and create a new CSV file with just that column; this new CSV can then be ingested into any other platform. You can pick and choose which column(s) you want to carry over into the new CSV; minor tweaks would be required. I'll keep updating this script and make it as interactive as possible, so watch the GitHub repo!
Get it here.
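The conversion the post describes, written out as an added example rather than the script from the linked repo: read the Shodan export, pull one column, drop duplicates and values that are not valid addresses, and write a small indicator CSV. The input is a constructed sample; the column names (`ip_str`, `hostnames`, and so on) and the output layout are assumptions for the example and should be checked against the header of a real download and the import format of the target platform.

```python
"""Convert a Shodan CSV export into a minimal IOC CSV (indicator,type,source)."""
import csv
import io
import ipaddress

# Constructed sample of a Shodan export. Column names are assumed for the example;
# check the header of a real download before relying on them.
SHODAN_CSV = """ip_str,port,hostnames,org,timestamp
192.0.2.10,445,,Example Org,2017-05-30T10:00:00
192.0.2.10,3389,host.example.invalid,Example Org,2017-05-30T10:05:00
198.51.100.7,22,,Another Org,2017-05-30T11:00:00
not-an-ip,80,,Broken Row,2017-05-30T12:00:00
"""

OUTPUT_FIELDS = ["indicator", "type", "source"]


def extract_iocs(csv_text, column="ip_str", ioc_type="Address", source="shodan"):
    """Pull one column out of the Shodan CSV as de-duplicated indicator rows.

    For the Address type, values that do not parse as an IP are skipped so a
    malformed row cannot poison the feed; other types are carried over as-is.
    """
    seen = set()
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        value = (record.get(column) or "").strip()
        if not value or value in seen:
            continue  # empty cell, or the same host listed again for another port
        if ioc_type == "Address":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
        seen.add(value)
        rows.append({"indicator": value, "type": ioc_type, "source": source})
    return rows


def to_ioc_csv(rows):
    """Serialise indicator rows to CSV text with a fixed header."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=OUTPUT_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def convert_file(in_path, out_path, **options):
    """Read a Shodan CSV from disk, write the IOC CSV, return the number of indicators."""
    with open(in_path, newline="", encoding="utf-8") as fh:
        rows = extract_iocs(fh.read(), **options)
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        fh.write(to_ioc_csv(rows))
    return len(rows)


if __name__ == "__main__":
    print(to_ioc_csv(extract_iocs(SHODAN_CSV)))
```

Carrying a different column over is a matter of changing `column` and `ioc_type`, for example `extract_iocs(text, column="hostnames", ioc_type="Host")`; the validation step only applies to addresses, so hostnames pass through untouched.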



Sunday, May 14, 2017

Malware: WannaCry RansomWare - Infection Vector unlikely to be Phishing

By now, the whole world has heard of the new ransomware WannaCry and its variants. Some of you might be wondering why nothing has been posted here on this site regarding the phishing aspect of the campaign. The reason is quite simple. Unlike what many security vendors have reported, it is highly unlikely that the infection is being spread through phishing campaigns. The malware is targeting victims across the world based on the well-known SMBv1 vulnerability that was released by ShadowBrokers very recently. It looks like the internet is being scanned for vulnerable computers, which are then attacked with the malware.

Easy wins: disable SMB, and make sure you are not blocking the kill switch.

There is a lot of reporting around this now but most of it is just re-tweets and news stories which add little to nothing to the real campaign.

Here's a good RE paper from Jake Williams on the payload.
And here's the tool that you can use to prevent WannaCry infections if you can't patch your systems.



Tuesday, May 9, 2017

Phishing: PayPal theme 10 May 2017 | CredSteal

Originally published in PhishCentral

This one is currently active. It tries to lure victims into downloading and opening an HTML file that opens locally in the browser but POSTs information online, back to the c2, when the 'submit' button is hit, provided the information matches the conditions in the script.
This is what the email body looks like.

The HTML Attachment


Clever JS in the background makes the connection. It is obfuscated. 
The actual HTML content only loads if internet is available. The JS fetches the page contents and then displays them in the browser. 

Locally saved HTML, loaded into a browser with internet available

The actual content is served from this server:  www.infosec1.net

PCAP of the request in the background

The content served

The whole HTML is encrypted and is only decrypted on the fly in the browser. Once decrypted, we can see the JS code that executes in the browser.

Decrypted Code

The JS code is clever and checks for a few conditions. If the conditions are met, it POSTs the info to the c2 - http://www.bootstrapcdn3.net/e0445952.php - and if the conditions are not met, it redirects to the legitimate PayPal site.

One of the conditions. 

Final condition that directs the traffic


IOCs for this:
www.infosec1.net
www.bootstrapcdn3.net
3061027594cf895b2e4a7ca0000f6bfe


:)