Mar 07 2023

Diving Deeper Into Windows Event logs for Security Operation Center (SOC) – Guide

Category: Log Management, Security logs, Windows Security | DISC @ 8:13 am

A cyber security operations center (SOC) protects organizations and the sensitive business data of customers. It ensures active monitoring of valuable business assets through visibility, alerting, threat investigation, and a holistic approach to managing risk.

The analytics service can be in-house or a managed security service. Collecting event logs and analyzing them against real-world attacks is the heart of the security operations center.

Events – The security operations center

Systems generate events, such as error codes, and devices generate events recording the success or failure of their normal functions, so event logging plays an important role in detecting threats. An organization runs many instances and flavors of Windows, Linux, firewalls, IDS, IPS, proxy, NetFlow, ODBC, AWS, VMware, etc.

These devices usually record attackers’ footprints as logs and forward them to SIEM tools for analysis. In this article, we will see how events are pushed to the log collector. To know more about Windows events or event IDs, refer here.

Windows Event logs

Log Collector

It’s a centralized server that receives logs from any device. Here I have deployed the Snare Agent on a Windows 10 machine, so we will collect Windows event logs and detect attacks on Windows 10 machines using the Snare Agent.

Snare is a SIEM (Security Incident and Event Management) solution that acts as a log collector and event analyzer for various operating systems (Windows, Linux, and Apple OSX), and its database agent supports MSSQL events generated by Microsoft SQL Server. It offers both Enterprise and open-source agents.

Snare Installation

  • For demo purposes, I am using no credentials, but it is always recommended to use strong passwords to protect the logs from leaking.

Snare Web interface:-

  • By default, Snare runs on port 6161.
  • A different port can also be chosen, with the TCP, UDP, or TLS/SSL protocols.
  • Snare will ask for credentials to log in. Here I have set no authentication.
  • The figure below shows that the Snare agent installed successfully and provides additional details on screen.

Network & File Destination Configuration

  • Our Windows 10 machine has started sending event logs to the Snare console.
  • The Snare console is running at localhost and collecting logs from a Windows machine.

NOTE: Logs can be sent to a centralized server, which then pushes them to SIEM (this method is used to reduce the load on SIEM), or Snare logs can be sent directly to SIEM (this method can be deployed if your SIEM has enough storage for long- and short-term log retention). It is recommended to configure your SIEM with the port details of Snare, and the test connection should succeed before logs are collected.

  • So you can change the network destination IP to the SIEM IP or the LOG COLLECTOR IP.
  • The above figure shows the destination configured with localhost to collect and store event logs in various formats: SNARE, SYSLOG, CEF (Common Event Format), or LEEF (Log Event Extended Format).
  • By default, it collects logs and saves them to a file in Snare format, and the logs are forwarded to SIEM.

Access Configuration

  • The web server port, authentication for console access, and web server protocol can be easily defined according to your environment.
  • The above figure shows a configuration with web server port 6161, Snare agent port 6262, and HTTP as the web server protocol for demo purposes. It is recommended to install a certificate for a secure connection to forward logs.

Objective Configuration

  • The objective includes events with different categories which can be windows Log on/Log off, access to file or directory, security policy change, system restart, and shutdown.
  • Modify or delete specific events to assign a priority (Critical, High, Low & Information).

Audit Service Statistics

  • The Audit Service ensures Snare is connected and sending logs to SIEM.
  • It shows the daily average bytes of events transmitted to SIEM.
  • In case of network failures, the SOC administrator can check the status of the service.

Security Certification – The security operations center

  • To encrypt the connection, generate a self-signed certificate for the web UI and the Snare agent, and enable certificate validation for the network destination, to establish a secure way of forwarding logs to SIEM.

Restart-Service

  • If SIEM is not collecting Event logs from the Snare agent for a while, then it’s time to troubleshoot and retrieve logs from the snare server.
  • The above figure shows Snare services are restarted successfully.

Events – The security operations center

  • Windows 10 is forwarding event logs to your deployed SIEM, or events can be viewed in the Snare console.
  • You cannot open Snare and look for intrusions in your environment every time; for this reason, we forward logs to SIEM, which provides the intelligence to detect attacks.
  • SIEM becomes intelligent at trapping attackers when you build an effective correlation rule.
  • The above pictures show Event ID 4625, a failed password attempt on the Windows 10 machine, followed by a successful 4689 event.
  • List of Windows Event Ids Here

NOTE: The above figures show failed attempts followed by a successful login.

Correlation rule & Incidents

  • It’s an engine designed for writing defensive rules to detect offensive guys; each rule will be a unique incident.
  • Example: Assume that you’re writing a rule for a brute-force attempt. A brute-force attempt shows up as a continuous stream of attempts against the server, each with a different passphrase.
  • As per the NOTE: failed attempts followed by a successful login.

Correlation Rule : failed password attempts + Followed by successful Login = Brute-force (Incident)
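The correlation rule above, written out as an added example (it is not Snare's or any SIEM's own rule syntax, and not code from the original post). The event field names, the threshold of five failures, the five-minute window and the use of Event ID 4624 as the successful-logon event are assumptions of this sketch; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # Windows Security log: an account failed to log on
SUCCESS_LOGON = 4624   # Windows Security log: an account was successfully logged on


def make_event(ts, event_id, account, source_ip, host="WIN10-01"):
    """Build one normalized event record (field names are assumptions)."""
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": event_id,
        "account": account,
        "source_ip": source_ip,
        "host": host,
    }


# Constructed sample events, not real log data.
SAMPLE_EVENTS = (
    # alice: six failures in 25 seconds, then a success -> incident
    [make_event(f"2023-03-07 09:00:{s:02d}", FAILED_LOGON, "alice", "10.0.0.50")
     for s in range(0, 30, 5)]
    + [make_event("2023-03-07 09:00:40", SUCCESS_LOGON, "alice", "10.0.0.50")]
    # bob: two mistyped passwords, then a success -> below the threshold
    + [make_event("2023-03-07 09:10:00", FAILED_LOGON, "bob", "10.0.0.21"),
       make_event("2023-03-07 09:10:20", FAILED_LOGON, "bob", "10.0.0.21"),
       make_event("2023-03-07 09:10:45", SUCCESS_LOGON, "bob", "10.0.0.21")]
    # carol: six failures spread over an hour -> outside the time window
    + [make_event(f"2023-03-07 10:{m:02d}:00", FAILED_LOGON, "carol", "10.0.0.33")
       for m in range(0, 60, 10)]
    + [make_event("2023-03-07 11:01:00", SUCCESS_LOGON, "carol", "10.0.0.33")]
)


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                         success_id=SUCCESS_LOGON):
    """Raise one incident when `threshold` or more failed logons for the same
    host/account inside `window` are followed by a successful logon."""
    recent_failures = defaultdict(deque)   # (host, account) -> (time, source_ip)
    incidents = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["account"].lower())
        queue = recent_failures[key]
        # Forget failures that have aged out of the correlation window.
        while queue and ev["time"] - queue[0][0] > window:
            queue.popleft()
        if ev["event_id"] == FAILED_LOGON:
            queue.append((ev["time"], ev["source_ip"]))
        elif ev["event_id"] == success_id:
            if len(queue) >= threshold:
                incidents.append({
                    "rule": "brute-force",
                    "host": key[0],
                    "account": key[1],
                    "failed_count": len(queue),
                    "sources": sorted({ip for _, ip in queue}),
                    "first_failure": queue[0][0],
                    "success_time": ev["time"],
                    "success_source": ev["source_ip"],
                })
            # A success resets the count, whether or not it raised an incident.
            queue.clear()
    return incidents


if __name__ == "__main__":
    for inc in correlate_bruteforce(SAMPLE_EVENTS):
        print(f'{inc["rule"]}: {inc["account"]}@{inc["host"]} '
              f'{inc["failed_count"]} failures from {inc["sources"]} '
              f'then success at {inc["success_time"]}')
```

Tune the threshold and window against the domain's Account Lockout Policy so that a user's ordinary typos (the "bob" case) do not raise incidents.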

Now your customer environment is ready for a known use case (brute-force detected). You can also build or write your own use cases and deploy them in your SIEM to detect sophisticated cyber-attacks!

Mastering Windows Security and Hardening: Secure and protect your Windows environment from cyber threats using zero-trust security principles


Tags: Security Operation Center


Mar 05 2023

BlackLotus UEFI bootkit disables Windows security mechanisms

Category: Windows Security | DISC @ 7:27 am

ESET researchers have published the first analysis of a UEFI bootkit capable of circumventing UEFI Secure Boot, a critical platform security feature. The functionality of the bootkit and its features make researchers believe that it is a threat known as BlackLotus.


BlackLotus investigation

This UEFI bootkit has been sold on hacking forums for $5,000 since at least October 2022. It can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.

“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022. After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware,” says Martin Smolár, the ESET researcher who led the investigation into the bootkit.

What is this UEFI bootkit capable of?

The bootkit exploits a more than one-year-old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability. Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate — but vulnerable — binaries to the system in order to exploit the vulnerability.

BlackLotus can disable operating system security mechanisms such as BitLocker, HVCI, and Windows Defender. Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader responsible for communication with the Command and Control server and capable of loading additional user-mode or kernel-mode payloads. Interestingly, some of the BlackLotus installers ESET has analyzed do not proceed with bootkit installation if the compromised host uses locales from Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.

Not many threat actors are using it yet

BlackLotus has been advertised and sold on underground forums since at least early October 2022. “We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” says Smolár. “The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

UEFI bootkits pose a significant threat

Many critical vulnerabilities affecting the security of UEFI systems have been discovered in the past few years. Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left systems vulnerable even a long time after the vulnerabilities have been fixed, or at least since we were told they had been fixed.

UEFI bootkits are very powerful threats, having full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages. This allows them to operate very stealthily and with high privileges. So far, only a few have been discovered in the wild and publicly described.

UEFI bootkits may lose on stealthiness when compared to firmware implants — such as LoJax, the first in-the-wild UEFI firmware implant, discovered by ESET Research in 2018 — as bootkits are located on an easily accessible FAT32 disk partition. However, running as a bootloader gives them almost the same capabilities, without having to overcome multiple layers of security features protecting against firmware implants.

“The best advice, of course, is to keep your system and its security product up to date to raise the chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence,” concludes Smolár.

BlackLotus UEFI bootkit: Mitigations and remediation

ESET researchers offer the following advice:

  • It is essential to ensure that both your system and its security software are regularly updated. This increases the likelihood of thwarting a threat in its early stages, before it can establish pre-OS persistence.
  • In order to prevent the exploitation of known vulnerable UEFI binaries to bypass UEFI Secure Boot, it is necessary to revoke them in the UEFI revocation database (dbx). On Windows systems, updates to the dbx should be disseminated through Windows Updates.
  • The issue with revoking widely used Windows UEFI binaries is that it can render thousands of outdated systems, recovery images, or backups incapable of booting. As a result, revocation can often be a time-consuming process.
  • Note that revocation of the Windows applications used by BlackLotus would prevent installation of the bootkit, but as the installer would replace the victim’s bootloader with the revoked one, it could make the system unbootable. In such a scenario, the issue can be resolved by either reinstalling the operating system or recovering the ESP.
  • If the revocation would happen after BlackLotus persistence is set, the bootkit would remain functional, as it uses a legitimate shim with custom MOK key for persistence. In this case, the safest mitigation solution would be to reinstall Windows and remove the attackers’ enrolled MOK key by using the mokutil utility (physical presence is required to perform this operation due to necessary user interaction with the MOK Manager during the boot).

Tags: BlackLotus UEFI bootkit


Feb 20 2023

Active Directory Penetration Testing Checklist – 2023

Category: Windows Security | DISC @ 10:11 am

This article covers Active Directory penetration testing and can help penetration testers and security experts who want to secure their network.

Active Directory is a directory service that Microsoft developed for the Windows domain network; testing it is called “Active Directory pentesting” or “AD penetration testing”. Using it, you can control domain computers and services that are running on every node of your domain.

Active Directory Penetration Testing

In this section, we have some levels; the first level is reconnaissance of your network. Every user can enter a domain by having an account in the domain controller (DC).

Active Directory Penetration Testing Checklist

All this information is gathered by a user that is an AD user. The username has two parts: the first is the domain name and the second is your username, like below:

Reconnaissance Commands:

+             c:\ > net user

By running this command in CMD (Command Prompt) you can easily see local users on your PC.

+             c:\ >whoami

This command can help you to see the current user associated with Active Directory logged in.

+             c:\ >whoami /groups

This command shows you the current user's groups.

+             c:\ > net user /domain

This command shows you all users from any group in the active directory.
Also, you can see every user’s group by running this command:

+             c:\ > net user [username] /domain

To have a better look, you can use the “AD Recon” script. AD Recon is a script written by “Sense of Security“.

It is about 12 thousand lines of PowerShell script that gives you a good look at AD and all the info that you will need.

You can download this script from GitHub: https://github.com/sense-of-security/ADRecon

Screenshots of the report of this app:

Picture2 – List of AD Groups

Picture3 – List of DNS Record Zones

When you have all AD users, you should take a look at the group policy. Group policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. In the group policy, you can see environment policies such as the “Account Lockout Policy“.

It is a method that protects your network's users from password-guessing attacks. You can also see the “Password Policy“. A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.

When you have all the data that you need, you can execute different attacks on users, like:

Brute Force Active Directory

To run a brute-force attack on Active Directory, you can use Metasploit Framework auxiliaries. You can use the auxiliary below:

msf > use auxiliary/scanner/smb/smb_login

In the options of this auxiliary, you can set a username file and a password file, and set an IP that has the SMB service open.

Then you can run this auxiliary by entering the “run” command.

If you try false passwords more times than the Account Lockout Policy allows, you will see this message: “Account Has Been Locked out“.

If you try it on all accounts, all users will be disabled and you can see disorder in the network. As you can see in Password Policy, you can set your password list to brute-force.

All hashes are stored in a file named “NTDS.dit” in this location :

C:\Windows\NTDS

You will extract hashes from this file by using mimikatz. mimikatz has a feature which utilizes the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file. You can run it as you can see below:

mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv

Then you can see the hashes and the password (if the password can be found).

Active Directory includes several services that run on Windows servers; it includes user groups, applications, printers, and other resources.

It helps server administrators manage devices connected to the network, and it includes a number of services such as Domain, Certificate Services, Lightweight Directory Services, Directory Federation and rights management.

Active Directory penetration testing is required for any organization; nowadays APT groups are actively targeting Active Directories using different techniques.

Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Active Directory Penetration Testing


Jan 28 2023

PlugX Malware Sneaks Onto Windows PCs Through USB Devices

Category: Malware, Windows Security | DISC @ 9:29 am

PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups.

The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise since 95.6% of new malware or their variants in 2022 targeted Windows.

According to Unit 42 researchers, the new variant was detected when carrying out an incident response post a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victims’ devices. This includes the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.

The malware was previously used in many high-profile cyberattacks, such as the 2015 U.S. Government Office of Personnel Management (OPM) breach.

The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.

Scope of Infection

The new variant stood out among other malware because it could infect any attached removable USB device, e.g., floppy, flash, thumb drives, and any system the removable device was plugged into later.

So far, no evidence connects the PlugX backdoor or Gootkit to the Black Basta ransomware group, and researchers believe another actor could have deployed it. Moreover, researchers noted that the malware could copy all Adobe PDF and Microsoft Word documents from the host and place them in a hidden folder on the USB device. The malware itself creates this folder.

PlugX Malware Being Distributed through Removable USB Devices

Malware Analysis

Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX malware is a wormable, second-stage implant. It infects USB devices and stays concealed from the Windows operating file system. The user would not suspect that their USB device is being exploited to exfiltrate data from networks. 

PlugX’s USB variant is different because it uses a specific Unicode character called non-breaking space (U+00A0) to hide files in a USB device plugged into a workstation. This character prevents the Windows OS from rendering the directory name, hiding the folder instead of leaving a nameless one in Explorer.

Furthermore, the malware can hide actor files in a removable USB device through a novel technique, which even works on the latest Windows OS.

The malware is designed to infect the host and copy the malicious code on any removable device connected to the host by hiding it in a recycle bin folder. Since MS Windows OS by default doesn’t show hidden files, the malicious files in recycle bin aren’t displayed, but, surprisingly, it isn’t shown even with the settings enabled. These malicious files can be viewed/downloaded only on a Unix-like OS or through mounting the USB device in a forensic tool.
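A triage check for the hiding technique described above, added here as an example (it is not Unit 42's tooling or code from the original post). It is meant to run on a Unix-like system against a mounted copy of the USB volume, and it flags file and directory names that consist only of invisible characters or that contain U+00A0; the function names and the two reason labels are assumptions of this sketch.

```python
import os
import sys
import unicodedata

NBSP = "\u00a0"  # the no-break space character the page describes


def escape_name(name):
    """Show a name with every non-printable-ASCII character as \\uXXXX."""
    return "".join(
        ch if 0x20 <= ord(ch) <= 0x7E else f"\\u{ord(ch):04x}" for ch in name
    )


def is_invisible(ch):
    """True for characters that render as blank: space separators (Zs,
    which includes U+00A0), format characters (Cf) and controls (Cc)."""
    return unicodedata.category(ch) in ("Zs", "Cf", "Cc")


def classify_name(name):
    """Return a reason string if the name looks deliberately hidden."""
    if name and all(is_invisible(ch) for ch in name):
        return "blank-name"       # nothing visible to render at all
    if NBSP in name:
        return "contains-nbsp"    # looks like a normal space, but is not
    return None


def scan_tree(root):
    """Walk a mounted volume and list every suspiciously named entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = classify_name(name)
            if reason is None:
                continue
            full = os.path.join(dirpath, name)
            is_dir = os.path.isdir(full)
            findings.append({
                # Escaped so the hidden characters are visible in the report.
                "path": escape_name(os.path.relpath(full, root)),
                "reason": reason,
                "is_dir": is_dir,
                "entries": len(os.listdir(full)) if is_dir else 0,
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        kind = "dir " if f["is_dir"] else "file"
        print(f'{f["reason"]:14} {kind} {f["path"]} ({f["entries"]} entries)')
```

A "contains-nbsp" hit on its own can be benign, since some applications write U+00A0 into ordinary file names; a "blank-name" directory with contents on removable media is the case worth escalating.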

Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats


Tags: PlugX Malware


Jan 23 2023

Windows event log analysis and incident response guide

Category: Log Management, Security logs, Windows Security | DISC @ 6:00 pm

Microsoft Log Parser Toolkit: A Complete Toolkit for Microsoft’s Undocumented Log Analysis Tool

Windows Security Monitoring: Scenarios and Patterns

Malware Forensics Field Guide for Windows Systems


Tags: Windows Event Log


Jan 22 2023

Windows 11 is getting ReFS support

Category: File Security, Windows Security | DISC @ 10:16 am

Recent Windows 11 Insider builds include support for ReFS, the Resilient File System. The file system is currently only available in Windows server operating systems, but not in client systems.

Resilient File System is designed to “maximize data availability, scale efficiently to large data sets across diverse workloads, and provide data integrity with resiliency to corruption” according to Microsoft.

ReFS vs NTFS

NTFS, the New Technology File System, is the default file system on client versions of Microsoft’s Windows operating system. It is a proprietary file system introduced in Windows NT 3.1 and also supported on Linux and BSD.

ReFS and NTFS support a wide range of features, but there are major differences between the two file systems as well.

The Resilient File System, for example, supports file and volume sizes of up to 35 petabytes. NTFS, on the other hand, supports a maximum of 256 terabytes. A petabyte equals 1024 terabytes. While most home systems are very far away from reaching these file and volume sizes, it is clear that the 256 terabyte limit will be reached eventually.

ReFS supports the following features exclusively (compared to NTFS):

  • Block clone — aims to convert expensive physical file copy operations to quick logical ones. Reduces workloads, reduces I/O and increases the performance of the operations.
  • Sparse VDL — allows ReFS to zero files rapidly, which reduces the creation time of fixed VHDs significantly.
  • Mirror-accelerated parity (on Storage Spaces Direct) — designed to deliver high performance and capacity efficient storage. ReFS divides volumes, which can have their own drives, into performance and capacity tiers.  Writes occur in the performance tier and data is moved to the capacity tier in real-time.
  • File-level snapshots — creates a new file that contains data and attributes of a source file.

ReFS lacks support for several important features that NTFS supports. Major features that are missing include file system compression and encryption support, support for disk quotas and removable media, or booting.

ReFS support in Windows 11

ReFS support adds a new option to the Windows 11 operating system. It is possible that the file system will only be supported in Enterprise, Education and Workstation editions of Windows 11. On the other hand, a Pro version of Windows 11 was used by the Twitter user who revealed the support information.

Another aspect that needs to be considered is that there is no direct NTFS to ReFS conversion; this makes it very likely that ReFS can only be selected during initial setup of the operating system, but not while it is running.

Windows 11 administrators may enable ReFS on Windows 11 Insider builds using ViVeTool and the ID 42189933. It is recommended to create a full system backup before attempting to install Windows 11 on ReFS.

https://www.ghacks.net/2023/01/22/windows-11-is-getting-refs-support/


Resilient File System (ReFS) (wikipedia.org)

Tags: file security, NTFS, ReFS


Jan 12 2023

Microsoft Exchange Vulnerabilities Most Exploited by Hackers Targeting Financial Sector

During the month of November, researchers at the cybersecurity firm LookingGlass examined the most significant vulnerabilities in the financial services industry in the United States.

The company looked at public internet-facing assets from more than 7 million IP addresses in the industry and discovered that a seven-year-old Remote Code Execution vulnerability affecting Microsoft Windows was at the top of the list.

According to CISA, the “Financial Services Sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions.”

Reports stated that the industry employs about 8 million Americans and contributes $1.5 trillion, or 7.4% of the nation’s overall GDP.

Microsoft Exchange Vulnerabilities

A critical remote code execution vulnerability identified as CVE-2015-1635, affecting Microsoft Windows, has affected the financial sector over 900 times, and it has been around for seven years.

If this vulnerability is exploited successfully, a remote attacker may cause a buffer overflow and execute arbitrary code with system privileges.

The next most often exploited vulnerability was (CVE-2021-31206), which affects Microsoft Exchange Servers. Reports say in the month of November, this vulnerability was exploited 700 times in the financial services industry in the United States.

Top list of vulnerabilities in the financial services sector

“Our data holdings attribute roughly 7 million of these to the U.S. financial services sector, which includes insurance companies, rental & leasing companies, and creditors, among other subsectors,” explain LookingGlass researchers.

According to recent reports from the U.S. Department of Treasury, ransomware attacks alone cost U.S. financial institutions close to $1.2 billion in 2021, a nearly 200% increase from the year before. 

The Financial Crimes Enforcement Network (FCEN) of the Treasury identified Russia as the main source of numerous ransomware variants hitting the industry in its study.

Joint Cybersecurity Advisory: Compromise of Microsoft Exchange Server

Tags: Microsoft Exchange Vulnerabilities


Dec 31 2022

Windows event log analysis

Category: Information Security, Windows Security | DISC @ 1:37 pm

Windows Security Monitoring: Scenarios and Patterns

Malware Forensics Field Guide for Windows Systems



Tags: Windows event log analysis, Windows Malware Forensics, Windows Security Monitoring


Dec 29 2022

Active Directory Exploitation Cheat Sheet

Category: Cheat Sheet, Windows Security | DISC @ 12:59 pm

https://ethicalhackersacademy.com/blogs/ethical-hackers-academy/active-directory

Active Directory is a Microsoft service that runs on the server and is predominantly used to manage various permissions and resources around the network; it also authenticates and authorizes all users and computers in Windows domain-type networks.

Recent cyber-attacks frequently target the vulnerable Active Directory services used in enterprise networks, where the organization handles thousands of computers from a single point of control called the “Domain controller”, which is one of the main services targeted by APT hackers.

Though exploiting Active Directory is a challenging task, an Active Directory exploitation cheat sheet that contains common enumeration and attack methods makes it simpler. It includes the following phases.

  • Recon
  • Domain Enum
  • Local Privilege Escalation
  • User Hunting
  • Domain Admin Privileges
  • Database Hunting
  • Data Exfiltration
  • Active Directory Exploitation Tools

Reconnaissance

Recon Phase contains various modules, including Port scan that performs the following operations.

PORT SCAN
Import-Module Invoke-Portscan.ps1
<#
Invoke-Portscan -Hosts "websrv.domain.local,wsus.domain.local,apps.domain.local" -TopPorts 50
echo websrv.domain.local | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
Invoke-Portscan -Hosts 172.16.0.0/24 -T 4 -TopPorts 25 -oA localnet
#>

AD MODULE WITHOUT RSAT

The secret to being able to run AD enumeration commands from the AD Powershell module on a system without RSAT installed, is the DLL located in C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management on a system that has the RSAT installed.

Set up your AD VM, install RSAT, extract the dll and drop it to the target system used to enumerate the active directory.

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Get-Command get-adcom*

Domain Enumeration

DOMAIN

  • Get current domain
Get-NetDomain (PowerView)
Get-ADDomain (ActiveDirectory Module)
  • Get object of another domain
Get-NetDomain -Domain domain.local
Get-ADDomain -Identity domain.local
  • Get domain SID for the current domain
Get-DomainSID
(Get-ADDomain).DomainSID
  • Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."system access"
  • Get domain policy for another domain
(Get-DomainPolicy -domain domain.local)."system access"
  • Get domain controllers for the current domain
Get-NetDomainController
Get-ADDomainController
  • Get domain controllers for another domain
Get-NetDomainController -Domain domain.local
Get-ADDomainController -DomainName domain.local -Discover

NETUSER
More on: To Get a list of users in the current domain











Tags: Active Directory Exploitation Cheat Sheet


Dec 22 2022

Windows: Still insecure after all these years

Category: Windows Security | DISC @ 1:56 pm

OPINION: With every Windows release, Microsoft promises better security. And, sometimes, it makes improvements. But then, well then, we see truly ancient security holes show up yet again.


 by Steven Vaughan-Nichols

For longer than some of you have been alive, I’ve been preaching the gospel of using more secure desktop operating systems. You see, Windows has been insecure since 1985’s Windows 1.0, really an MS-DOS extension, rolled out the door. Then, as now, there were more secure options. Then it was Unix desktop operating systems. Today it’s Linux desktops.

Why hasn’t Microsoft ever gotten its security act together? The fundamental problem is that Windows was never, ever meant to work on a network. It worked as a standalone PC operating system. And, even today, 37 years later, the same pre-internet problems keep showing up. Unix and Linux started with the premise that there’s more than one user on the system, and you need to secure accounts and programs from other users, local or remote. This has served these operating systems well.  

In addition, the developers from Redmond may say they rewrite Windows code from the bottom up to make it more secure. But, they don’t. 

Take, for example, Microsoft’s recently patched zero-day, the Windows Scripting Languages Remote Code Execution Vulnerability, CVE-2022-41128. With a Common Vulnerability Scoring System (CVSS) rating of 8.8, it’s a baddie. This is a Windows JavaScript scripting language security hole. Specifically, it’s a hole in Internet Explorer (IE) 11’s JScript9 JavaScript engine.

Also: Hackers are still finding — and using — flaws in Internet Explorer

It’s a nasty one. It affects every version of currently supported Windows. That includes everything from Windows 8.1 to all the various Windows Servers and Windows 11. Since it showed up, North Korean hackers exploited it to infect South Korean users with malware.

It works by presenting the victims with a malicious document. When an innocent opens the document, it then downloads a rich text file (RTF) remote template. The HTML inside would then be rendered by the IE engine. Then — ta-da! — you’ve got a case of some malware or the other. 

The Google Threat Analysis Group (TAG) that found it said, “This technique has been widely used to distribute IE exploits via Office files since 2017. Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser.”

Oh, guys, it is so, so much older than that. I described this kind of problem in the long-defunct magazine PC Sources in 1992 when I found it in Windows for Workgroups 3.1. Then, as now, Windows and its native programs treated document data as programming instructions.

That’s why according to Atlas VPN, “Microsoft Office remains the most widely exploited software for malware delivery.” How bad is it? Try 78.5% of all attacks. Office on your PC, Office 365, it doesn’t matter. They’re all open to attacks. 

Now, then, what’s the elephant in the room I haven’t mentioned yet? It’s that IE retired back in June 2022. It’s been replaced by Microsoft Edge. 

So, why the heck are all versions of Windows vulnerable to an IE attack in late 2022? Isn’t it history? I mean, IE was never in Windows 11, anyway. You’d like to think that, but no matter what version of Windows you’re using, the IE engine is still in Windows and still ready to run JavaScript attacks.

Windows’s fundamental security flaws have never been fixed. They never will be. Backward compatibility is far more important to Microsoft than security. So, the company continues to play patch a hole. 

If, like me, you favor security over backward compatibility, you’ll run Linux. Despite what you’ve heard, Linux is not that hard to use. But, if you’d rather not go to the effort, just buy a Chromebook. Anyone can use a Chromebook, and, since it’s based on Linux, it’s a lot more secure. 

https://www.zdnet.com/article/windows-still-insecure-after-all-these-years/


Tags: windows security


Dec 21 2022

Windows Code-Execution Vulnerability Let Attackers Run Malicious Code Without Authentication

Researchers have recently discovered a Windows code-execution vulnerability that rivals EternalBlue in terms of potential. An attacker can execute malicious code without authentication by exploiting this newly tracked vulnerability, CVE-2022-37958.

It is possible to exploit this vulnerability in a wormable way, which can lead to a chain reaction that can impact other systems that are vulnerable, and a new attack can be launched.

A greater range of network protocols is affected by this vulnerability than by EternalBlue, which gives attackers more flexibility.

Any Windows application protocol that accesses the NEGOEX protocol may allow an attacker who successfully exploits this vulnerability to remotely execute arbitrary code.

Despite the list of protocols that have been identified, there could be other protocols and standards that are affected as well.

On a target system, there is no user input or authentication required by a victim in order for this vulnerability to succeed. This vulnerability has been classified by Microsoft as “Critical,” with a maximum severity for all categories.

As a result, the flaw now has an overall CVSS 3.1 score of 8.1 out of 10. It is important to note that systems with unpatched default configurations are vulnerable to this flaw.

The reclassification was performed by X-Force Red in accordance with its responsible disclosure policy with Microsoft.

Recommendations

For the time being, IBM won’t release the full technical details regarding the vulnerabilities and patches until Q2 2023, in order to give defenders a chance and enough time to apply them.

Security Intelligence recommends that users and administrators apply the patch as soon as possible due to the widespread use of SPNEGO, which ensures that they are protected.

All systems running Windows 7 and newer are compatible with this fix, which is part of the security updates for September 2022.

Moreover, X-Force Red makes the following additional recommendations:

  • Identify which services are exposed to the internet, such as SMB and RDP.
  • You should continuously monitor your attack surface, including Windows Authentication-enabled servers.
  • In the event that the patch cannot be applied, set Kerberos or Net-NTLM as the default authentication providers on Windows and remove Negotiate as the default authentication provider.


Tags: Windows Code-Execution Vulnerability


Dec 16 2022

Microsoft revised CVE-2022-37958 severity due to its broader scope

Microsoft revised the severity rate for the CVE-2022-37958 flaw which was addressed with Patch Tuesday security updates for September 2022.

Microsoft revised the severity rate for the CVE-2022-37958 vulnerability; the IT giant now rates it as “critical” because it discovered that threat actors can exploit the bug to achieve remote code execution.

The CVE-2022-37958 was originally classified as an information disclosure vulnerability that impacts the SPNEGO Extended Negotiation (NEGOEX) security mechanism.

The SPNEGO Extended Negotiation Security Mechanism (NEGOEX) extends Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) described in [RFC4178].

The SPNEGO Extended Negotiation (NEGOEX) Security Mechanism allows a client and server to negotiate the choice of security mechanism to use.

The issue was initially rated as high severity because the successful exploitation of this issue required an attacker to prepare the target environment to improve exploit reliability.

Microsoft addressed the vulnerability with the release of Patch Tuesday security updates for September 2022.

IBM Security X-Force researcher Valentina Palmiotti demonstrated that this vulnerability is a pre-authentication remote code execution issue that impacts a wide range of protocols. It has the potential to be wormable and can be exploited to achieve remote code execution.

“The vulnerability could allow attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP), by default.” reads the post published by IBM. “This list of affected protocols is not complete and may exist wherever SPNEGO is in use, including in Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled, such as for use with Kerberos or Net-NTLM authentication.”

Unlike the CVE-2017-0144 flaw triggered by the EternalBlue exploit, which only affected the SMB protocol, the CVE-2022-37958 flaw could potentially affect a wider range of Windows systems due to a larger attack surface of services exposed to the public internet (HTTP, RDP, SMB) or on internal networks. The expert pointed out that this flaw can be exploited without user interaction or authentication.

IBM announced it will release full technical details in Q2 2023 to give organizations time to apply the security updates.


Tags: CVE-2022-37958 severity


Dec 12 2022

95.6% of New Malware in 2022 Targeted Windows

Category: Malware, Windows Security | DISC @ 11:06 am

Malware attacks are a growing problem in our increasingly digital world. By infiltrating computers and networks, malicious software can cause serious harm to those affected by it.

One of the most common types of malware is ransomware (encryption-based malware), which prevents users from accessing their files until they pay a hefty fee to the cyber attacker. This type of attack has been used to target everything from individuals to large organizations, including government agencies and healthcare providers.

In addition to financial losses, malware attacks can have devastating effects on businesses and individuals. In some cases, sensitive data can be stolen or destroyed as part of an attack. This can lead to identity theft and other forms of fraud, as well as put organizations at risk for long-term damage if confidential information is exposed or compromised.

Research Findings

A recent study by Atlas VPN shows how malware infection is on the rise and the trends in the new malware samples found in the first three quarters of 2022. 

According to researchers, 59.58 million samples of new Windows malware were found in the first three quarters of 2022 and these make up 95.6% of all new malware discovered during that time period. 

This analysis was based on data by AV-TEST GmbH, an independent organization that evaluates and rates antivirus and supplies services in IT Security and Antivirus Research. The study also includes new malware samples detected in the four quarters of 2021 and the first three quarters of 2022. 

Windows, Linux, and Android Malware

Overall, there is a downward trend in the data: the number of malware samples this year has decreased by 34% compared to the same period last year. However, the numbers are still exceptionally high.

Following Windows on the list is Linux malware with 1.76 million new malware samples – 2.8% of the total malware threats in 2022. 

Android malware takes third place with the first three quarters of 2022 seeing 938,379 new Android malware threats, constituting 1.5% of the total new malware. 

Lastly, 8,329 samples of never before seen malware threats aimed at macOS were observed in the same period. 

Total Number of Malware

The study also shows that the total number of malware threats found in the first three quarters of 2022 across all operating systems amount to 62.29 million. This is about 228,164 malware threats daily. 

If we make a quarter-by-quarter comparison, the first quarter of 2022 saw the most significant number of malware samples – 22.35 million. However, this number dropped by 4% to 21.49 million in the second quarter of this year. Again, it decreased by another 14% to 18.45 million. 

The numbers continue to plummet into the fourth quarter of the year with 7.62 million new threats found in October and November – nearly 60% less than at the same time last year. 

Protection Against Malware

Malware is a pervasive threat to internet users on both personal and professional networks. It can cause serious damage to computers, networks, and data that can be expensive to fix. Fortunately, there are steps you can take to protect yourself from malware.

The most important step in protecting your network from malware is keeping your anti-malware software up to date. Regularly updating anti-malware programs ensures that they’re able to detect the latest threats and keep them away from your computer or network.

Additionally, be sure not to click on suspicious links or download files from unknown sources as these could contain malicious code that could harm your system.

Another way to stay safe online is by using a secure web browser with built-in security features like pop-up blockers, phishing protection, and ad blockers (don’t use it on Hackread.com though :0) for enhanced protection against malicious activities.


Tags: Malware, Malware Analysis


Dec 09 2022

ATTACKING ACTIVE DIRECTORY WITH LINUX

Category: Cyber Attack, Windows Security | DISC @ 11:33 am


Tags: ATTACKING ACTIVE DIRECTORY, Mastering Active Directory


Nov 01 2022

An Unofficial Patch Has Been Released for Actively Exploited Windows MoTW Zero-Day

Category: Information Security, Windows Security, Zero day | DISC @ 1:34 pm

There is an unofficial patch from 0patch for a zero-day flaw in Microsoft Windows that allows bypassing the MotW (Mark-of-the-Web) protections built into the operating system. At the moment, the flaw is being actively exploited.

By utilizing files signed with malformed signatures, this zero-day flaw is able to bypass MotW protections. Various legacy Windows versions as well as all versions that are supported by Microsoft are affected by the issue.

It has been determined by cybersecurity analysts that the Magniber ransomware was being installed on victims’ devices with the help of stand-alone JavaScript files by threat actors.

Unofficial Patch

0patch released this unofficial security patch to fix this flaw since it’s a critical zero-day vulnerability and is exploited by threat actors vigorously in the wild.

Why has this patch been tagged as “Unofficial”?

This patch is tagged as unofficial because of its release source: in short, it has not been released by Microsoft itself.

But, until the release of any official patch from Microsoft, users can use this security patch to keep their systems protected against threat actors exploiting this zero-day flaw.

Free Micropatch Availability

This zero-day vulnerability affects multiple Windows versions. The affected versions that are eligible for the free micropatches are listed below:

  • Windows 11 v21H2
  • Windows 10 v21H2
  • Windows 10 v21H1
  • Windows 10 v20H2
  • Windows 10 v2004
  • Windows 10 v1909
  • Windows 10 v1903
  • Windows 10 v1809
  • Windows 10 v1803
  • Windows Server 2022
  • Windows Server 2019 

The installation process for this micropatch will require an account on the 0patch website, and it can be created for free. Once done, you’ll need to download its agent for your Windows device which will automatically install this patch.



Sep 28 2022

3 types of attack paths in Microsoft Active Directory environments

Category: Windows Security | DISC @ 8:37 am

Attack path types

From the perspective of a defender, there are three types of attack paths:

  • Ones that can be fixed in minutes
  • Ones that take days or weeks to resolve, and
  • Ones that can’t be fixed without significant structural changes or breaking critical software.

Here’s some background to help understand why they break down into those categories.

Identity attack paths are the adversary’s favorite target for lateral movement and privilege escalation. They allow an adversary with initial access to go from a low-privileged user to a high-value target or full takeover of the environment by exploiting misconfigurations and user behaviors within a directory service like Active Directory or Azure Active Directory. These paths are numerous and exploiting any single attack path is difficult for defenders to detect, as attackers often use legitimate tools and credentials and their activities thus appear identical to normal user activity.

Defenders will want to eliminate as many attack paths as possible, but some are easier than others to fix. From our experience, these Identity Attack Paths can be grouped into three main categories:

Quick fix

A decent percentage of attack paths in the average enterprise AD environment can be fixed in minutes simply by changing configurations.

For example, one of my favorite attack paths to fix is non-Domain Admins with ownership rights over Domain Controllers. This attack path is a common byproduct of automation accounts that join systems to the domain. It can also happen when someone promotes a computer to a Domain Controller (DC). Promoting a system to a Domain Controller does not change the security owner of the object in Active Directory. Therefore, “Bob” could have created a server in the directory and sometime later that system is promoted into a DC – now Bob owns a DC. Anyone that can get access to Bob now has a path to compromise a DC.

Here’s why this is my favorite attack path: your internal business applications don’t typically use the “owner” relationship to function. That means that unlike other ACL rights like “GenericWrite,” you can be confident that changing the owner of an object to the Domain Admins group should not cause unforeseen issues within the environment. This can be done by finding each Domain Controller object in Active Directory Users and Computers, right-clicking it and selecting “Properties,” then “Security,” then “Advanced,” then “Change” and changing ownership to the Domain Admins group.

There are examples of this that are quite obvious once you see them. A couple weeks ago I found a “WIFIAuth” user object that had full control over the entire domain. No enterprise system is going to need such a gross overuse of privilege to function, and this is another obvious misconfiguration that can be remediated immediately.

Some of these remediations can have dramatic results, removing thousands of attack paths with just a few hours of work.

Moderate fix

The next category is attack paths that take days or weeks of work to fix.

These might require additional research by the analyst team, a more complicated remediation process, require changes in behavior, or make it more difficult for other business users to do their job. Fixing these might involve weighing the risks of the attack path versus the side effects of the remediation or doing more work to make sure the remediation has as little impact as possible. Here’s a couple examples:

A service account with GenericWrite over a Domain Controller. To answer how this should be remediated you need to understand what the service is doing and how often this is occurring. This can typically be answered by using Windows Event Logs. For most actions exercising an Access Control Entry (ACE) right in Active Directory, a corresponding Windows Event log will be generated. Before remediating the issue, it’s important to collect these logs and see if that service is using that right. If not, removing that right will remove that path from the adversary. However, if the service is in use, then it should be reviewed to see if it should, in fact, be run on a Domain Controller. Perhaps it can be segmented in some way (for example, by only using Tier Zero accounts on Tier Zero systems).

Another example is Domain Administrators (DA) logging in to servers or workstations with their DA credentials. DA credentials should be limited to use within Domain Controllers or other Tier Zero systems. Admins should have other credentials for modifying servers or workstations. This fix may take some time as it involves changing user behavior, and a GPO will have to be pushed to the environment to create new groups for “Workstation Admins” and “Server Admins” for access on both respectively (Domain Admins have this access by default, which is why they’re commonly used in this way). Abusing DA logins is an extremely common way to abuse the domain, so while the fix may take some adjustment, the security payoff is worth it.
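Both moderate-fix examples above start with evidence from Window Security logs, so here is an added example (not from the original article) that gathers it from exported events. The account names, host names, DNs and sample records are constructed; it assumes directory changes are logged as event 5136 and logons as event 4624, already parsed into dictionaries.

```python
from collections import Counter

DC01_DN = "CN=DC01,OU=Domain Controllers,DC=corp,DC=example"  # hypothetical DC object

# Constructed sample records (not real logs), reduced to the fields used below.
# 5136 = "A directory service object was modified"; 4624 = successful logon.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2022-09-01T02:00:11", "SubjectUserName": "svc_backup",
     "ObjectDN": DC01_DN, "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"EventID": 5136, "TimeCreated": "2022-09-08T02:00:09", "SubjectUserName": "svc_backup",
     "ObjectDN": DC01_DN, "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"EventID": 5136, "TimeCreated": "2022-09-03T11:40:00", "SubjectUserName": "svc_backup",
     "ObjectDN": "CN=WS-042,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},
    {"EventID": 4624, "TimeCreated": "2022-09-05T08:01:00", "TargetUserName": "alice_da",
     "Computer": "DC01.corp.example", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2022-09-05T09:15:00", "TargetUserName": "alice_da",
     "Computer": "WS-042.corp.example", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2022-09-05T09:20:00", "TargetUserName": "bob",
     "Computer": "WS-042.corp.example", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2022-09-05T14:30:00", "TargetUserName": "ALICE_DA",
     "Computer": "SRV-SQL01.corp.example", "LogonType": 3},
]


def right_usage(events, account, target_dns):
    """Count directory writes (5136) made by `account` on the given objects.

    An empty result only means "unused" if Directory Service Changes auditing
    (and a SACL on the objects) covered the whole observation window.
    """
    targets = {dn.lower() for dn in target_dns}
    usage = Counter()
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("SubjectUserName", "").lower() != account.lower():
            continue
        dn = ev.get("ObjectDN", "")
        if dn.lower() in targets:
            usage[(dn, ev.get("AttributeLDAPDisplayName", "?"))] += 1
    return usage


def da_logons_outside_tier_zero(events, domain_admins, tier_zero_hosts):
    """List successful logons (4624) by Domain Admin accounts on non-Tier-Zero hosts."""
    admins = {a.lower() for a in domain_admins}
    tier0 = {h.lower() for h in tier_zero_hosts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        user = ev.get("TargetUserName", "").lower()
        host = ev.get("Computer", "").lower().split(".")[0]  # short host name
        if user in admins and host not in tier0:
            hits.append((ev["TimeCreated"], user, host, ev.get("LogonType")))
    return sorted(hits)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    print("svc_backup writes on DC01:", dict(right_usage(SAMPLE_EVENTS, "svc_backup", [DC01_DN])))
    for hit in da_logons_outside_tier_zero(SAMPLE_EVENTS, {"alice_da"}, {"DC01"}):
        print("DA logon outside Tier Zero:", hit)
```

A service account with no matching writes over a representative window is a candidate for having the right removed; the logon list shows which admins need separate server or workstation credentials first.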

Won’t fix

The final category is attack paths that probably won’t be fixed. Fixing these paths usually requires such a significant amount of change that other mitigating controls may be preferable.

For example, consider on-premises Microsoft Exchange. Exchange has a history of requiring a ton of privileges, which basically made a compromise of Exchange equal to compromise of AD itself. While this has gotten better over the years and Microsoft explains how to reduce these permissions, Exchange Server can only be completely segmented by introducing a split permission model. The work here can be very tedious, break other integrations, and cause issues when reaching out to support. For this reason, many of our customers choose not to fully implement split permissions but pursue one of the following:

  • Introduce a DENY ACE on Tier Zero accounts blocking this access
  • Use this finding to fast-track their transition to Office 365
  • Deploy compensating monitoring controls around these specific accounts

Any of the three are valid approaches as security is a risk management process.



Dec 27 2021

Windows Event Log Analysis

Category: Log Management, Security logs, Windows Security | DISC @ 11:14 am

Trace and Log Analysis: A Pattern Reference for Diagnostics and Anomaly Detection, by Dmitry Vostokov, Software Diagnostics Institute

Tags: Trace and Log Analysis, Windows Event Log


Dec 24 2021

Experts warn of a new stealthy loader tracked as BLISTER

Category: Malware, Windows Security | DISC @ 12:17 pm

Security researchers spotted a campaign that is employing a new stealthy malware tracked as BLISTER that targets Windows systems.

Elastic Security researchers uncovered a malware campaign that leverages a new malware and a stealthy loader tracked as BLISTER, that uses a valid code signing certificate issued by Sectigo to evade detection.

BLISTER loads second-stage payloads that are executed directly in the memory of the Windows system and maintain persistence. The malicious code has a low detection rate and implements multiple tricks to avoid detection.

“A valid code signing certificate is used to sign malware to help the attackers remain under the radar of the security community. We also discovered a novel malware loader used in the campaign, which we’ve named BLISTER. The majority of the malware samples observed have very low, or no, detections in VirusTotal.” “The infection vector and goals of the attackers remain unknown at this time.”

Blister campaign

The certificate used to sign the loader code was issued by Sectigo for a company called Blist LLC, which has an email address from a Russian provider Mail.Ru.

The loader is embedded into legitimate libraries, such as colorui.dll, to avoid raising suspicion. It can be initially written to disk from simple dropper executables.

Upon execution, BLISTER decodes bootstrapping code stored in the resource section with a simple 4-byte XOR routine. The malware authors heavily obfuscated the bootstrapping code that initially sleeps for 10 minutes before executing in an attempt to evade sandbox analysis.

Then the loader decrypts the embedded malware payload. Experts reported the use of CobaltStrike and BitRat as embedded payloads. The payload is loaded into the current process or injected into a newly spawned WerFault.exe process.

In order to achieve persistence, BLISTER copies itself to the C:\ProgramData folder and renames a local copy of rundll32.exe. It then creates a link in the current user’s Startup folder to launch the malware at logon as a child of explorer.exe.

Elastic’s researchers shared Yara rules for this campaign along with indicators of compromise.
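The persistence and injection behaviour described above leaves process-creation traces, so here is an added triage example (not Elastic's rules and not from the original post) that labels them. It assumes Sysmon Event ID 1 records with the Image, OriginalFileName and ParentImage fields, and that the renamed rundll32.exe copy runs from C:\ProgramData; the file name renamed_host.exe and all sample records are constructed.

```python
import ntpath

PROGRAMDATA = "c:\\programdata\\"  # assumes the system drive is C:

# Constructed process-creation records (not real telemetry).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\ProgramData\renamed_host.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WerFault.exe", "OriginalFileName": "WerFault.exe",
     "ParentImage": r"C:\ProgramData\renamed_host.exe"},
    {"Image": r"C:\Windows\System32\WerFault.exe", "OriginalFileName": "WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\Public\tool.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def base_name(path):
    """File name of a Windows path, lower-cased (works on any OS)."""
    return ntpath.basename(path).lower()


def triage(ev):
    """Return the set of BLISTER-like labels that apply to one process event."""
    labels = set()
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    original = ev.get("OriginalFileName", "").lower()

    # The PE header still says rundll32.exe although the file on disk was renamed.
    if original == "rundll32.exe" and base_name(image) != "rundll32.exe":
        labels.add("renamed_rundll32")
        if image.lower().startswith(PROGRAMDATA):
            labels.add("runs_from_programdata")
        # A Startup-folder link is launched by explorer.exe at logon.
        if base_name(parent) == "explorer.exe":
            labels.add("child_of_explorer")

    # Injection target: WerFault.exe started by a binary living in ProgramData.
    if base_name(image) == "werfault.exe" and parent.lower().startswith(PROGRAMDATA):
        labels.add("werfault_spawned_from_programdata")
    return labels


def blister_like(events):
    """Return (Image, sorted labels) for every event with at least one label."""
    findings = []
    for ev in events:
        labels = triage(ev)
        if labels:
            findings.append((ev["Image"], sorted(labels)))
    return findings


if __name__ == "__main__":
    for image, labels in blister_like(PROCESS_EVENTS):
        print(f"{image}: {', '.join(labels)}")
```

A renamed rundll32 on its own is a weak signal; the combination of all three labels on one event, followed by the WerFault.exe label, matches the sequence the article describes.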


Tags: BLISTER, InfoSec Page, Malware Analysis, stealthy loader


Dec 22 2021

Patch these 2 Active Directory flaws to prevent the takeover of Windows domains

Category: Windows Security | DISC @ 12:48 pm

Microsoft released an alert on a couple of Active Directory vulnerabilities, fixed with the November 2021 Patch Tuesday security updates, that could allow threat actors to take over Windows domains.

The flaws, tracked as CVE-2021-42287 and CVE-2021-42278, can be chained to impersonate domain controllers and gain administrative privileges on Active Directory.

Microsoft is now warning customers to address both issues immediately due to the public availability of proof-of-concept exploit code. The IT giant also published a guide to help customers detect attempts to exploit both issues.

“Both vulnerabilities are described as a ‘Windows Active Directory domain service privilege escalation vulnerability’. A few weeks later, on December 12, 2021, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.” states Microsoft. “When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates. This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”

The CVE-2021-42278 vulnerability is a security bypass issue that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

Experts pointed out that sAMAccountName attributes usually end with “$” in their name. “$” was used to distinguish between user objects and computer objects. With default settings, a normal user has permission to modify a machine account (up to 10 machines) and as its owner, they also have the permissions to edit its sAMAccountName attribute.
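The spoofing described above depends on a computer account losing its trailing “$”, which can be spotted in account-management events. This added detection example (not Microsoft's guide and not from the original post) assumes computer-account creation is logged as event 4741 and account renames as event 4781, already parsed into dictionaries; the account names, DC list and sample records are constructed.

```python
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # hypothetical DC computer accounts

# Constructed sample records (not real logs), reduced to the fields used below.
ACCOUNT_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2021-12-13T10:00:00",
     "SubjectUserName": "jsmith", "TargetUserName": "DESKTOP-TEST1$"},
    {"EventID": 4781, "TimeCreated": "2021-12-13T10:02:30", "SubjectUserName": "jsmith",
     "OldTargetUserName": "DESKTOP-TEST1$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "TimeCreated": "2021-12-13T11:00:00", "SubjectUserName": "helpdesk1",
     "OldTargetUserName": "WS-100$", "NewTargetUserName": "WS-101$"},
    {"EventID": 4781, "TimeCreated": "2021-12-13T12:00:00", "SubjectUserName": "helpdesk1",
     "OldTargetUserName": "alice", "NewTargetUserName": "alice.b"},
    {"EventID": 4781, "TimeCreated": "2021-12-13T13:00:00", "SubjectUserName": "svc_join",
     "OldTargetUserName": "KIOSK7$", "NewTargetUserName": "KIOSK7"},
]


def suspicious_renames(events, dc_accounts, window=timedelta(hours=24)):
    """Flag computer-account renames that drop the trailing '$'.

    Extra reasons are attached when the new name collides with a domain
    controller, or when the renamer created the account within `window`.
    """
    dcs = {name.lower() for name in dc_accounts}
    created = {}  # computer account (lower-case) -> (creator, creation time)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        actor = ev.get("SubjectUserName", "").lower()
        if ev["EventID"] == 4741:
            created[ev["TargetUserName"].lower()] = (actor, when)
        elif ev["EventID"] == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            # Only computer accounts (old name ends in '$') that lose the suffix.
            if not old.endswith("$") or new.endswith("$"):
                continue
            reasons = ["dollar_dropped"]
            if (new + "$").lower() in dcs:
                reasons.append("matches_domain_controller")
            origin = created.get(old.lower())
            if origin and origin[0] == actor and when - origin[1] <= window:
                reasons.append("renamed_by_recent_creator")
            findings.append({"time": ev["TimeCreated"], "actor": actor,
                             "old": old, "new": new, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_renames(ACCOUNT_EVENTS, DOMAIN_CONTROLLERS):
        print(f["time"], f["actor"], f["old"], "->", f["new"], f["reasons"])
```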

Tags: Active Directory flaws


Sep 18 2021

‘OMIGOD’ Azure Critical Bugfix? Do It Yourself—Because Microsoft Won’t

Category: Security Operations Center, Windows Security | DISC @ 10:47 pm

Using OMI on Microsoft Azure? Drop everything and patch this critical vulnerability, snappily named OMIGOD. But wait! You probably don’t know whether you’re using OMI or not.

Y’see, Open Management Infrastructure (OMI) is often silently installed on Azure—as a prerequisite. And, to make matters worse, Microsoft hasn’t rolled out the patch for you—despite publishing the code a month ago. So much for the promise of ‘The Cloud.’

What a mess. In today’s SB Blogwatch, we put the “mess” into message.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Difficult Hollywood.

OMI? DIY PDQ

What’s the craic? Simon Sharwood says—“Microsoft makes fixing deadly OMIGOD flaws on Azure your job”:

Microsoft Azure users running Linux VMs in the … Azure cloud need to take action to protect themselves against the four “OMIGOD” bugs in the … OMI framework, because Microsoft hasn’t. … The worst is rated critical at 9.8/10 … on the Common Vulnerability Scoring System.

Complicating matters is that running OMI is not something Azure users actively choose. … Understandably, Microsoft’s actions – or lack thereof – have not gone down well. [And it] has kept deploying known bad versions of OMI. … The Windows giant publicly fixed the holes in its OMI source in mid-August … and only now is advising customers.

Your next step is therefore obvious: patch ASAP.


Tags: Azure Critical Bugfix

