Our Vision

To give customers the most compelling IT Support experience possible.

Our Mission

Our mission is simple: make technology an asset for your business not a problem.

Our Values

We strive to make technology integrate seamlessly with your business so your business can grow. As your technology partner, our business grows when yours does, so we will work hand in hand with you to support your growth.

Our Values

We develop relationships that make a positive difference in our customers' business.

Our Values

We exhibit a strong will to win in the marketplace and in every aspect of our business.

Showing posts with label Security. Show all posts

Chat GPT Alternatives

OpenAI’s Chat GPT offers the reality of high-performing AI chatbots. The purpose of these chatbots is to communicate with users in a conversational manner. And being open source, users can suggest any improvements. 

As a result, this technology has taken the internet by storm. Millions of users are using it, but there have been some issues with this chatbot. Particularly when Chat GPT is at capacity and users cannot access it.

Therefore it’s good to know about some quality Chat GPT alternatives. Here are some options that can help you to level up with AI more easily if Chat GPT is not working for you. Some are more complex, and others far more accessible, while some are free and others have pricing structures too.

Chat GPT Alternatives – examples

Bloom

Bloom is an open-source multi-language model. This Chat GPT alternative added 384 graphics cards with a total of 80 GB of memory to 176 billion parameters to train – 1 billion more than the GPT 3 model.


Chinchilla

DeepMind researchers developed a project named Chinchilla, which is more intimately known as the GPT3 killer.

It’s an optimal computing model that has 70 billion protocols. It has four times more data than Gopher, also developed by DeepMind. Chinchilla is reportedly one of the best options for downstream evaluation tasks (also known as the task a user wants to solve).

It’s a top-notch AI-based writing tool and has educational data on history. Therefore, it can create articles with proper style and structure minus grammatical errors. Without human help, it can produce a useful and readable article in less than an hour.


Megatron-Turing Natural Language Generation

Microsoft and Nvidia made a language model with 530 billion parameters, making it bigger and better than others available. Called Megatron-Turing Natural Language Generation, it is one of the best English language models – trained on SuperPOD by the Selene supercomputer.


Jasper

Jasper AI is a writing model previously known as Jarvis. Jasper has bought other writing tools, such as Shortly AI and Headline, and these will be integrated into Jasper in the coming years.

You can select a topic and fill out the relevant form, and Jasper will create the article for you according to the instructions you have entered. Jasper has a 5-day free trial, with its ‘starter’ plan starting at $24 per month.


Replika

Replika is pretty close to Chat GPT in conversational uses, and you can have similar conversations here, too. It can talk and give text replies at any time without delay. It is primarily an AI chatbot you can use to discuss general topics like love and life, just like you do with friends.


ELSA

ELSA stands for English Language Speech Assistant, a language learning app. It is available on Android and iOS platforms to download. The app analyzes users’ speech and helps them learn and understand the language.

There are more Chat GPT alternatives too, some with more specific applications than others. Here’s a list of a few, including those mentioned above.


ELSA has free and Pro options and Pro costs $11.99 for one month, $8.66p/m for three months, and $6.25p/m for one-year access.


Final thoughts

We have discussed some of the top alternatives of Chat GPT above. You can perform a wide range of functions using these alternatives, and there are others too – including Rytr, Socratic and Faceapp – which uses AI modeling on imagery.


So, when Chat GPT is not working, you’re not sure about the price or if you require another specific application that is more easily served by an alternative, you can use one of these instead.

What is Phishing and key points to remember

What is phishing

Phishing is a type of online scam in which attackers send fraudulent emails or create fake websites with the intention of tricking individuals into divulging sensitive information such as login credentials, credit card numbers, and other financial information. The attackers often pose as trusted organizations or individuals and use various tactics to persuade the victim to click on a link or download an attachment. The link or attachment may contain malware that can infect the victim's device or redirect the victim to a fake website where they are prompted to enter their personal information.


Phishing attacks can be difficult to recognize because the attackers go to great lengths to make their emails and websites look legitimate. To protect against phishing attacks, it is important to be cautious when clicking on links or downloading attachments in emails, and to verify the authenticity of the sender and the website before entering any personal information. It is also a good idea to use a secure web browser and to keep your antivirus software up to date.


What is smishing


Smishing is a type of social engineering attack that involves the use of SMS text messages to trick individuals into divulging sensitive information or clicking on malicious links. Smishing attacks often target mobile phone users and can be used to steal personal information such as login credentials, credit card numbers, and other financial information. Smishers use a variety of tactics to lure victims into falling for their scams, including posing as trusted organizations or individuals, creating a sense of urgency or fear, and offering incentives or rewards. To protect against smishing attacks, it is important to be cautious when receiving text messages from unknown numbers and to verify the authenticity of the message before clicking on any links or providing personal information.


Different types of phishing and their definitions


There are several different types of phishing attacks, including:


Spear phishing: This type of phishing attack is targeted at a specific individual or organization and often involves the attacker posing as someone the victim knows or trusts.


Whaling: Similar to spear phishing, but the target is a high-level executive or someone with significant influence within an organization.


Clone phishing: This type of attack involves the attacker sending a legitimate email or creating a fake website that is a copy of a legitimate one, but with a malicious link or attachment.


Vishing: This type of attack involves the use of voice calls or voicemails to trick victims into divulging sensitive information.


Impersonation attacks: These attacks involve the attacker pretending to be someone else, such as a colleague or a customer service representative, in order to obtain sensitive information.


CEO fraud: Also known as "business email compromise," this type of attack involves the attacker pretending to be the CEO or another high-level executive and requesting sensitive information or money from an employee.


Some key points to remember about phishing:

  1. Be wary of unexpected or suspicious emails, especially those that contain links or attachments.
  2. Do not click on links or download attachments from unfamiliar or untrusted sources.
  3. Be cautious when providing personal or financial information online, especially in response to an email or unsolicited request.
  4. Pay attention to the website's address, or URL, before entering sensitive information. Make sure it begins with "https" and has a lock icon, indicating that it is a secure site.
  5. Use anti-virus and anti-malware software and keep it up-to-date.
  6. Use strong and unique passwords for all of your accounts, and enable two-factor authentication if it is available.
  7. Keep your operating system and other software up-to-date with the latest security patches.
  8. Be aware of phishing attacks that use phone calls or text messages as well as email. Do not provide personal or financial information in response to unsolicited phone calls or text messages.

Remember, if something seems too good to be true or seems suspicious, it is always better to err on the side of caution and not click on links or download attachments from unfamiliar or untrusted sources.

How to become a successful cyber security engineer from cyber security analyst

Here are some steps you can take to become a successful cyber security engineer from a cyber security analyst:


Build your technical skills: As a cyber security analyst, you may already have a strong foundation in cyber security technologies and practices. However, to become a cyber security engineer, you should aim to expand your technical skillset and knowledge in areas such as network security, security architecture, and system design.


Gain practical experience: Hands-on experience is crucial in the field of cyber security. Consider volunteering for security-related projects or internships to gain practical experience and build your portfolio.


Pursue additional certifications: Earning industry-recognized certifications such as the Certified Information Systems Security Professional (CISSP) can demonstrate your expertise and commitment to the field.


Develop your leadership skills: Cyber security engineering roles often involve leading and managing teams of analysts. To prepare for these responsibilities, consider taking courses or seeking opportunities to develop your leadership and management skills.


Stay up-to-date: The field of cyber security is constantly evolving, so it's important to stay current with the latest technologies, trends, and best practices. Consider joining professional organizations or attending conferences to stay informed and connected to the industry.

What are the key tools to know for a cyber security engineering role

Here are some key tools that are commonly used in cyber security engineering roles:


Network monitoring tools: These tools allow security engineers to monitor network traffic and identify unusual activity or potential threats. Examples include Wireshark, Splunk, and SolarWinds.


Vulnerability scanners: These tools scan systems and networks for known vulnerabilities and provide recommendations for remediation. Examples include Nessus, Qualys, and Rapid7.


Security information and event management (SIEM) systems: These systems collect and analyze security-related data from various sources to identify potential threats and provide alerts. Examples include Splunk, LogRhythm, and IBM QRadar.


Password managers: These tools help security engineers store and manage complex passwords securely. Examples include LastPass and 1Password.


Encryption tools: These tools are used to protect data by encoding it in a way that can only be accessed by those with the correct decryption key. Examples include BitLocker (for Windows) and FileVault (for Mac).


Firewalls: These tools act as a barrier between a network and the Internet, blocking unauthorized access and protecting against cyber threats. Examples include Palo Alto Networks and Check Point.


Risk assessment and management tools: These tools help security engineers identify and prioritize risks, and develop strategies for mitigating them. Examples include GRC platforms such as RSA Archer and MetricStream.

Cyber incident at Medibank

The Medibank Group detected unusual activity on its network.

In response to this event, Medibank says it took immediate steps to contain the incident and engaged specialised cyber security firms.

At this stage there is no evidence that any sensitive data, including customer data, has been accessed.

As part of its response to this incident, #Medibank will be isolating and removing access to some customer-facing systems to reduce the likelihood of damage to systems or data loss.

As Medibank continues to investigate this incident, its priorities are to ensure the ongoing security of customer, employee and stakeholder information, and the continued delivery of Medibank services.

Investigations are ongoing, and #Medibank will provide regular updates. Medibank's health services continue to be available to its customers, including the ability to access customer health providers, as Medibank works through this incident.

Medibank CEO David Koczkar said:

“I apologise and acknowledge that in the current environment this news may make people concerned.

"Our highest priority is resolving this matter as transparently and quickly as possible.

“We will continue to take decisive action to protect Medibank Group customers and our people.

“We recognise the significant responsibility we have to the people who rely on us to look after their health and wellbeing and whose data we hold.

"We are working around the clock to understand the full nature of the incident, and any additional impact this incident may have on our customers, our people and our broader ecosystem."



Zero-day Vulnerabilities in Microsoft Exchange Server.

Microsoft has released Customer Guidance for Reported #zeroday #Vulnerabilities in #Microsoft #Exchange Server. According to the blog post, “Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”



The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft #Exchange Server 2013, 2016, and 2019. Note: Microsoft Exchange Online is not affected. 

An attacker could exploit these vulnerabilities to take control of an affected system.

The current Exchange Server #mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns; how to do this is described in the Microsoft blog post below:

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Google Hacking :-

Basic Operators:-
1) AND (+) :- This operator is used to include multiple terms in a query to be searched in Google.
example:- if we type "hacker+yahoo+science" in the Google search box and click search, it will return results related to all three words simultaneously, i.e. hacker, yahoo and science.

2) OR (|) :- The OR operator, represented by the symbol ( | ) or simply the word OR in uppercase letters, instructs Google to locate either one term or another term in a query.

3) NOT :- It is the opposite of the AND operator; a NOT operator excludes a word from the search.
example:- If we want to search for websites containing the terms google and hacking but not security, then we enter a query like "google+hacking" NOT "security".




Advanced Operators:-
1) Intitle :- This operator searches within the title tags.
examples:- intitle:hacking returns all pages that have the string "hacking" in their title.

intitle:"index of" returns all pages that have the string "index of" in their title.

Companion operator:- "allintitle".

2) Inurl :- Returns all matches where the URL of the page contains the given word.
example:- inurl:admin returns all matches where the URL of the page contains the word "admin".

Companion operator:- "allinurl".

3) Site :- This operator narrows the search to a specific website; it returns results only from the given domain. It can be used to carry out information gathering on a specific domain.
example:- site:www.microsoft.com will find results only from the domain www.microsoft.com

4) Link :- This operator allows you to search for pages that link to a given website.
example:- link:www.microsoft.com
Here, each search result contains links to www.microsoft.com

5) Info :- This operator shows summary information for a site and provides links to other Google searches that might pertain to that site.
example:- info:www.yahoo.com

6) Define :- This operator shows the definition of any term.
example:- define:security
It gives various definitions of the word "security" from sources all over the world.

7) Filetype :- This operator allows us to search for specific file types on the internet. Supported file types include pdf, xls, ppt, doc, txt, asp, swf, rtf, etc.
example:- If you want to search for all text documents present on the domain www.microsoft.com, then enter a query like the following.
"inurl:www.microsoft.com filetype:txt"


POPULAR SEARCH:
Google Search :- "Active Webcam Page" inurl:8080 Description- Active WebCam is a shareware program for capturing and sharing video streams from many video devices. Known bugs: directory traversal and cross-site scripting.

Google Search :- "delete entries" inurl:admin/delete.asp Description- AspJar contains a flaw that may allow a malicious user to delete arbitrary messages. The issue is triggered when the authentication method is bypassed and /admin/delete.asp is accessed directly. It is possible that the flaw may allow a malicious user to delete messages resulting in a loss of integrity.

Google Search :- "phone * * *" "address *" "e-mail" intitle:"curriculum vitae"
Description- This search gives hundreds of existing curriculum vitae with names and address. An attacker could steal identity if there is an SSN in the document.

Google Search :- intitle:"index of" finance.xls Description- Secret financial spreadsheets 'finance.xls' or 'finances.xls' of companies may be revealed by this query.

Google Search :- intitle:"index.of" robots.txt Description- The robots.txt file contains "rules" about where web spiders are allowed (and NOT allowed) to look in a website's directory structure. Without over-complicating things, this means that the robots.txt file gives a mini-roadmap of what's somewhat public and what's considered more private on a web site. Have a look at the robots.txt file itself, it contains interesting stuff. However, don't forget to check out the other files in these directories since they are usually at the top directory level of the web server!

Google Search :- intitle:index.of.admin Description- Locate "admin" directories that are accessible from directory listings.

Google Search :- inurl:"nph-proxy.cgi" "start browsing" Description- Returns lots of proxy servers that protect your identity online.

DNS Logs Anomaly Hunting Checklist for Security and SOC Analysts

• Check for hosts with a high volume of uncommon record types (TXT, NULL, CNAME, etc.). Command and control channels may use specific DNS record types (such as TXT and CNAME requests) to execute malware.

• Explore top-level domains (TLDs) such as .xyz, .me and .biz, and TLDs for geographical regions in which your organization does not regularly operate.

• The proliferation of TLDs has made it easier for attackers to continually add new domains to their infrastructure to evade threat intel lists, as well as to register doppelganger domains for common websites.

• Inbound/outbound requests for TLDs of geographical regions outside your organization's point of presence should be considered suspicious and reviewed, especially regions synonymous with cybercrime and anonymization.

• Aggregate and filter DNS application logs on the response code NXDOMAIN (domain does not exist) to review hosts seen with a high volume of DNS resolution failures.

• There are many benign reasons for failed DNS queries; however, an abnormal volume can be a strong indicator of possible threat activity. For example, malware using domain generation algorithms (DGAs) will cycle through multiple generated domains until a valid reply is received. Since most of the requested domains will not exist, this generates a high volume of NXDOMAIN responses. In addition, abnormal NXDOMAIN volume can highlight hosts requesting malicious domains that are no longer active.

• Look for hosts with a high DNS request volume for multiple subdomains of a single parent domain.

• A common method of communicating data is to include it in the query string itself in place of the subdomain (commonly Base64-encoded). Identifying requests for multiple suspicious subdomains of a specific domain can help highlight this method of communication.

• Identify suspicious requests by reviewing queries for domains that are abnormally long or have a high level of entropy.

• Hunting for abnormally long queries in high volume can help identify encoded data hidden in query strings as well as evidence of DGA domains.

• Review endpoint process names for any unusually named processes, or processes that are not regularly seen generating logon requests.

• Attackers can simply register new domains to evade detection by threat intel lists. Identifying newly registered domains can help to identify suspicious activity easily.

• DNS fluxing is a technique used by attackers to hide an actual phishing or malware domain behind constantly changing compromised hosts (IPs) that act as proxies. To accomplish this, the DNS Time to Live (TTL) is set very low (close to 5 min) so that DNS changes propagate quickly across the internet. Because it is constantly changing, this makes it hard to identify and take down the actual source. One way to hunt is to look for DNS queries for a domain with a TTL of less than 5-10 minutes; another is to look for different IP addresses being returned for the same domain.

• Allowed inbound traffic on port 53 over Transmission Control Protocol (TCP) is used for zone transfers and should only be allowed between primary and secondary DNS servers. A zone transfer with an external IP/domain should be treated as a high-priority alert.

• DNS servers should not query unusual destinations; this often indicates potentially malicious traffic.
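As an added example (not part of the original checklist), the following Python script applies several of the checks above to constructed DNS log lines: NXDOMAIN-heavy hosts, uncommon record types, subdomain fan-out under one parent, long or high-entropy names, and low TTLs. The log format, the thresholds and the two-label parent-domain rule are assumptions; tune them to your resolver's logs.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log, one query per line:
# <epoch> <client_ip> <qname> <qtype> <rcode> <ttl>
# 10.0.0.5 is a quiet host; 10.0.0.9 shows DGA-style failures, TXT tunnelling
# and a low-TTL (fast-flux style) answer. All names use reserved TLDs.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A NOERROR 300
1700000001 10.0.0.5 mail.example.com MX NOERROR 3600
1700000002 10.0.0.9 ab3k9zq.dga.test A NXDOMAIN 0
1700000003 10.0.0.9 q8v1mdp.dga.test A NXDOMAIN 0
1700000004 10.0.0.9 zz9kqpl.dga.test A NXDOMAIN 0
1700000005 10.0.0.9 u7x2nwe.dga.test A NXDOMAIN 0
1700000006 10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.tunnel.example TXT NOERROR 3600
1700000007 10.0.0.9 Y2F0IC9ldGMvcGFzc3dk.tunnel.example TXT NOERROR 3600
1700000008 10.0.0.9 dGhlIHNlY3JldCBkYXRh.tunnel.example TXT NOERROR 3600
1700000009 10.0.0.9 flux.example A NOERROR 120
"""

UNCOMMON_TYPES = {"TXT", "NULL", "CNAME"}   # record types the checklist calls out


def parse_log(text):
    """Turn the constructed log format into a list of dicts (case kept for entropy)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, ttl = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "rcode": rcode, "ttl": int(ttl)})
    return records


def shannon_entropy(s):
    """Bits per character; Base64/random labels score well above dictionary words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname):
    # Assumption: the registered domain is the last two labels (no public-suffix list).
    return ".".join(qname.split(".")[-2:])


def nxdomain_heavy_hosts(records, threshold=3):
    """Hosts with many resolution failures (DGA cycling, dead C2 domains)."""
    counts = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {host: n for host, n in counts.items() if n >= threshold}


def uncommon_type_hosts(records, threshold=3):
    """Hosts issuing many TXT/NULL/CNAME queries (possible C2 or tunnelling)."""
    counts = Counter(r["client"] for r in records if r["qtype"] in UNCOMMON_TYPES)
    return {host: n for host, n in counts.items() if n >= threshold}


def subdomain_fanout(records, threshold=3):
    """(host, parent) pairs with many distinct subdomains under one parent domain."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["client"], parent_domain(r["qname"]))].add(r["qname"])
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}


def suspicious_names(records, max_len=40, min_entropy=3.5):
    """Abnormally long names, or high-entropy leftmost labels (encoded data / DGA)."""
    flagged = set()
    for r in records:
        label = r["qname"].split(".")[0]
        if len(r["qname"]) >= max_len or shannon_entropy(label) >= min_entropy:
            flagged.add(r["qname"])
    return sorted(flagged)


def low_ttl_names(records, max_ttl=300):
    """Successfully resolved names with a TTL under ~5 minutes (fast-flux hint)."""
    return sorted({r["qname"] for r in records
                   if r["rcode"] == "NOERROR" and r["ttl"] < max_ttl})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NXDOMAIN-heavy hosts:", nxdomain_heavy_hosts(recs))
    print("Uncommon record types:", uncommon_type_hosts(recs))
    print("Subdomain fan-out:", subdomain_fanout(recs))
    print("Suspicious names:", suspicious_names(recs))
    print("Low TTL names:", low_ttl_names(recs))
```

Each check returns the offending hosts or names so they can be stacked against each other; a host that trips two or more of them (as 10.0.0.9 does here) is the one to pull endpoint logs for first.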

Kerberoasting Attack and Detection

Kerberoasting is a common attack used by malicious actors once access is gained to an organization's internal network and a domain account is compromised. Kerberoasting allows an attacker to elevate their privileges by gaining access to passwords for service accounts on the domain.

Key Points

• Using Kerberoasting, an attacker extracts service account credential hashes from Active Directory for offline cracking by exploiting a combination of weak encryption and poor service account passwords.
• Kerberoasting is effective because an attacker does not require domain administrator credentials to pull off this attack and can extract service account credential hashes without sending packets to the target.

Detecting Kerberoasting:

  • Event ID: 4768 (Kerberos TGS Request): the Account Domain field is DOMAIN FQDN when it should be DOMAIN.
  • Event ID 4769 with the vulnerable RC4 ticket encryption types (“0x17” and “0x18”) and ticket option 0x40810000.

 

Elements of a Kerberoasting Attack

 

Here is how a Kerberoasting attack works in practice:

 

  • To begin with, an attacker compromises the account of a domain user. The user need not have elevated or “administrator” privileges. The attacker authenticates to the domain.
 
  • When the malicious user is authenticated, they receive a ticket granting ticket (TGT) from the Kerberos key distribution center (KDC) that is signed by its KRBTGT service account in Active Directory.
 
  • Next, the malicious actor requests a service ticket for the service they wish to compromise. The domain controller will retrieve the permissions out of the Active Directory database and create a TGS ticket, encrypting it with the service’s password. As a result, only the service and the domain controller are capable of decrypting the ticket since those are the only two entities who share the secret.
 
  • The domain controller provides the user with the service ticket that is then presented to the service, which will decrypt it and determine whether the user has been granted permission to access the service. At this point, an attacker may extract the ticket from system memory, and crack it offline.
 
  • For password cracking, tools such as Impacket, PowerSploit and Empire contain features that automate the process: requesting service tickets and returning crackable ticket hashes in formats suitable for submission to cracking tools such as John the Ripper and Hashcat, which will pry plaintext credentials from vulnerable hashes.
 
 

 

 

Finding Golden and Silver Tickets

Purpose: Identify suspicious TGT (Golden) and TGS (Silver) tickets by comparing the MaxTicketAge from the domain policy to the difference between the StartTime and EndTime of the cached authentication ticket.

Data Required: Remote access to collect suspicious tickets, OR a scheduled task that writes possible bad tickets to the application event log for log/SIEM review.

Collection Considerations: Consider running local scripts and collecting the application event log rather than a scan, to reduce noise.

Analysis Techniques: Comparative time analysis of domain policy vs cached tickets.

 

Identify suspicious TGT (Golden) and TGS (Silver) tickets

  • Event ID: 4624 (Account Logon)
      ○ The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
  • Event ID: 4672 (Admin Logon)
      ○ Account Domain is blank and should be DOMAIN.
  • Event ID: 4768 (Kerberos TGS Request)
      ○ The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
      ○ The Account Domain field is blank when it should be DOMAIN.
      ○ Account Name is a different account from the Security ID.
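The Kerberoasting detection points above (RC4 ticket encryption 0x17/0x18 with ticket option 0x40810000 on Event ID 4769) and the Golden/Silver ticket check (ticket lifetime versus MaxTicketAge) as one added Python example, not from the original post. It runs over constructed 4769 records and constructed cached-ticket entries; the shorthand field names, the 5-minute window, the 10-hour MaxTicketAge default and the exclusion of computer accounts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_TYPES = {"0x17", "0x18"}        # RC4-HMAC / RC4-HMAC-EXP, as in the post
ROAST_OPTIONS = "0x40810000"        # ticket option the post associates with roasting
ISO = "%Y-%m-%dT%H:%M:%S"


def ev(time, user, service, enc, opts=ROAST_OPTIONS, ip="10.0.0.99"):
    """Build one constructed Event ID 4769 record (field names are our own shorthand)."""
    return {"id": 4769, "time": datetime.strptime(time, ISO), "user": user,
            "service": service, "enc": enc, "opts": opts, "ip": ip}


# Constructed sample: alice requests one AES (0x12) ticket; mallory pulls RC4
# tickets for five different SPNs within forty seconds, plus one for a computer
# account (name ends with '$'), which common tuning excludes from roasting alerts.
SAMPLE_4769 = [
    ev("2023-11-01T09:00:00", "alice", "cifs/fs01", "0x12", ip="10.0.0.21"),
    ev("2023-11-01T09:10:00", "mallory", "MSSQLSvc/db01:1433", "0x17"),
    ev("2023-11-01T09:10:05", "mallory", "http/intranet", "0x17"),
    ev("2023-11-01T09:10:12", "mallory", "ldap/svc-sync", "0x17"),
    ev("2023-11-01T09:10:20", "mallory", "MSSQLSvc/db02:1433", "0x18"),
    ev("2023-11-01T09:10:33", "mallory", "exchange/ews", "0x17"),
    ev("2023-11-01T09:10:40", "mallory", "WS01$", "0x17"),
]


def is_roastable_target(service):
    """Tuning assumption: ignore computer accounts and the krbtgt service itself."""
    name = service.split("/")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_ticket_requests(events):
    """4769 events matching the post's signature: RC4 ticket encryption + 0x40810000."""
    return [e for e in events
            if e["id"] == 4769 and e["enc"] in RC4_TYPES
            and e["opts"] == ROAST_OPTIONS and is_roastable_target(e["service"])]


def bulk_spn_requesters(events, window=timedelta(minutes=5), min_spns=3):
    """Users requesting tickets for many distinct SPNs inside one sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and is_roastable_target(e["service"]):
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(evs):
            in_window = {e["service"] for e in evs[i:]
                         if e["time"] - start["time"] <= window}
            best = max(best, len(in_window))
        if best >= min_spns:
            flagged[user] = best
    return flagged


# Constructed cached-ticket records for the Golden/Silver ticket check: compare
# each ticket's lifetime with the domain's MaxTicketAge. 10 hours is the usual
# default; treat it as an assumption and read the real value from domain policy.
SAMPLE_TICKETS = [
    {"client": "alice", "server": "krbtgt/CORP.EXAMPLE",
     "start": "2023-11-01T08:00:00", "end": "2023-11-01T18:00:00"},
    {"client": "bob", "server": "cifs/fs01",
     "start": "2023-11-01T08:30:00", "end": "2023-11-01T18:30:00"},
    {"client": "administrator", "server": "krbtgt/CORP.EXAMPLE",
     "start": "2023-11-01T08:00:00", "end": "2033-10-29T08:00:00"},
]


def oversized_tickets(tickets, max_ticket_age=timedelta(hours=10)):
    """Tickets whose EndTime - StartTime exceeds the policy maximum (forged-ticket hint)."""
    out = []
    for t in tickets:
        lifetime = datetime.strptime(t["end"], ISO) - datetime.strptime(t["start"], ISO)
        if lifetime > max_ticket_age:
            out.append({**t, "lifetime_hours": lifetime.total_seconds() / 3600})
    return out


if __name__ == "__main__":
    for e in rc4_service_ticket_requests(SAMPLE_4769):
        print("RC4 TGS request:", e["user"], "->", e["service"], e["enc"])
    print("Bulk SPN requesters:", bulk_spn_requesters(SAMPLE_4769))
    for t in oversized_tickets(SAMPLE_TICKETS):
        print("Oversized ticket:", t["client"], t["server"], round(t["lifetime_hours"]))
```

The RC4 filter alone will also fire on legacy applications that still negotiate RC4, so in practice the bulk-SPN count is what separates a roasting run from one old service doing its normal work.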

 

 

BloodHound

  • BloodHound is an Active Directory (AD) reconnaissance tool.
  • BloodHound outputs results as JSON files
  • BloodHound can collect information about the following objects (users, computers, groups, gpos)
  • BloodHound can archive the collected data as a ZIP file
  • Hunt for Suspicious Process execution via Services.exe
  • Hunt for Suspicious Process Injection

Hacking, ATT&CK phases, kill chain and incident response phases

There are some common step sequences used by industry; the most common in the cyber field are listed below.

HACKING Methodology (Steps):

Footprinting (whois, nslookup) » Scanning (Nmap, fping) » Enumeration (DumpACL, showmount, Legion, rpcinfo) » Gaining Access (tcpdump) » Escalating Privilege (John the Ripper, GetAdmin) » Pilfering (rhosts, userdata, config files, registry) » Covering Tracks (zap, rootkits) » Creating Backdoors (cron, at, startup folder, keylogger, RDP) » Denial of Service (synk4, ping of death).

MITRE ATT&CK:

Reconnaissance » Resource Development » Initial Access » Execution » Persistence » Privilege Escalation » Defense Evasion » Credential Access » Discovery » Lateral Movement » Collection » Command and Control » Exfiltration » Impact.

CYBER KILL CHAIN:

Reconnaissance » Weaponization » Delivery » Exploitation » Installation » Command and Control » Actions on Objectives.

Incident Response:

Identify » Protect » Detect » Respond » Recover.

SANS Incident Response:

Preparation » Identification » Containment » Eradication » Recovery » Lessons Learned.

Web shells: Detecting and Hardening Servers Against Web Shells


Web shells and the challenges in detecting them


Web shells can be built using any of several languages that are popular with web applications. Within each language, there are several means of executing arbitrary commands and there are multiple means for arbitrary attacker input. Attackers can also hide instructions in the user agent string or any of the parameters that get passed during a web server/client exchange.
 
When analyzing script, it is important to leverage contextual clues. For example, a scheduled task called “Update Google” that downloads and runs code from a suspicious website should be inspected more closely.

With web shells, analyzing context can be a challenge because the context is not clear until the shell is used. In the following code, the most useful clues are “system” and “cat /etc/passwd”, but they do not appear until the attacker interacts with the web shell:

Another challenge in detecting web shells is uncovering intent. A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do.

These file-upload web shells are simple, lightweight, and easily overlooked because they cannot execute attacker commands on their own. Instead, they can only upload files, such as full-featured web shells, onto web servers. Because of their simplicity, they are difficult to detect and can be dismissed as benign, and so they are often used by attackers for persistence or for early stages of exploitation.

Finally, attackers are known to hide web shells in non-executable file formats, such as media files. Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.

These challenges in detecting web shells contribute to their increasing popularity as an attack tool. We constantly monitor how these evasive threats are utilized in cyber attacks, and we continue to improve protections.


Web shell: Finding Web Shells

Purpose: Identify web shells (stand-alone|injected)

Data Required : Web server logs (apache, IIS, etc.)

Collection Considerations : Collect from all webservers, and ensure that parameters are collected.

POST data should be collected.

• For apache consider using mod_security or mod_dumpio

• For IIS use Failed Request Tracing / Custom Logging

Analysis Techniques:

Look for parameters passed to image files (e.g., /bad.png?zz=ls).

 

Web logs things to notice

    • User-Agent is rare

    • User-Agent is new

    • Domain is rare

    • Domain is new

    • High frequency of http connections

    • URI is same

    • URI varies but length is constant.

    • Domain varies but length is constant

    • Missing referrer

    • Missing or same referrer to multiple uri’s on single dest.

 

 

Endpoint detection strategies:

• Look for the creation of processes whose parent is the web server (e.g., apache, w3wp.exe); these will come from functions like:

○ PHP functions like exec(), shell_exec(), etc.

○ ASP(.NET) functions like eval(), bind(), etc.

• Look for file additions or file changes (if you have a change management process and schedule, so that 'known good' can be easily differentiated), using something like inotify on Linux (or FileSystemWatcher in .NET) to monitor the webroot folder(s) recursively.

 

Other Notable things:

IIS instance (w3wp.exe) running commands like ‘net’, ‘whoami’, ‘dir’, ‘cmd.exe’, or ‘query’, to name a few, is typically a strong early indicator of web shell activity.

 

Look for suspicious process that IIS worker process (w3wp.exe), Apache HTTP server processes (httpd.exe, visualsvnserver.exe), etc. do not typically initiate (e.g., cmd.exe and powershell.exe)

 

Look for suspicious web shell execution, this can identify processes that are associated with remote execution and reconnaissance activity (example: “arp”, “certutil”, “cmd”, “echo”, “ipconfig”, “gpresult”, “hostname”, “net”, “netstat”, “nltest”, “nslookup”, “ping”, “powershell”, “psexec”, “qwinsta”, “route”, “systeminfo”, “tasklist”, “wget”, “whoami”, “wmic”, etc.)

 

lolbas:
    - rundll32.exe
    - dllhost.exe

tools:
    - net.exe
    - powershell.exe
    - ipconfig.exe
    - CobaltStrike
    - BloodHound
    - nslookup.exe

 

execution:
    - "T1055.012 - Process Injection: Process Hollowing"
    - behavior: RUNDLL32 created ~20 instances of DLLHOST without command-line arguments.
      id: 1669ecb0-3a8a-4858-9efd-23e5c01ad643
      type: Process Created
      cmdLine:
      - C:\\Windows\\System32\\dllhost.exe
      process: C:\\Windows\\System32\\dllhost.exe
      parentProcess: C:\\Windows\\System32\\rundll32.exe

 

Attackers need to execute tools. Look at Windows Event IDs 4688/592. Stack and look for outliers. Group by execution time and user.
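An added Python example, not from the original page, that applies the endpoint strategies above to constructed 4688/Sysmon-style process-creation records: a web server worker spawning a recon tool, rundll32 creating many argument-less dllhost instances (the behaviour in the execution block above), and a simple stack of (user, process) pairs for outlier review. Event fields, paths, users and the burst threshold are assumptions for the demo.

```python
from collections import Counter

WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "apache2", "visualsvnserver.exe"}
RECON_TOOLS = {"arp.exe", "certutil.exe", "cmd.exe", "ipconfig.exe", "gpresult.exe", "hostname.exe",
               "net.exe", "netstat.exe", "nltest.exe", "nslookup.exe", "ping.exe", "powershell.exe",
               "qwinsta.exe", "route.exe", "systeminfo.exe", "tasklist.exe", "whoami.exe", "wmic.exe"}

def event(process, parent, cmd, user):
    # one constructed process-creation record in 4688 / Sysmon style; not real telemetry
    return {"process": process, "parentProcess": parent, "cmdLine": cmd, "user": user}

SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    event(SYS32 + r"\cmd.exe", SYS32 + r"\inetsrv\w3wp.exe", "cmd.exe /c whoami", r"IIS APPPOOL\DefaultAppPool"),
    event(SYS32 + r"\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe notes.txt", r"CORP\alice"),
    event(SYS32 + r"\dllhost.exe", SYS32 + r"\svchost.exe", SYS32 + r"\dllhost.exe /Processid:{GUID}", r"NT AUTHORITY\SYSTEM"),
] + [event(SYS32 + r"\dllhost.exe", SYS32 + r"\rundll32.exe", SYS32 + r"\dllhost.exe", r"NT AUTHORITY\SYSTEM")
     for _ in range(12)]   # the page's pattern: rundll32 spawning many dllhost instances with no arguments

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def has_args(cmd, process):
    # "no arguments" means the command line is nothing but the image path (quoted or not)
    return cmd.strip().strip('"').lower() not in ("", process.lower(), basename(process))

def detect(events, burst=10):
    """Return (indicator, evidence) pairs; burst = dllhost children of rundll32 needed to alert."""
    findings, bursts = [], Counter()
    for e in events:
        child, parent = basename(e["process"]), basename(e["parentProcess"])
        # a web server worker spawned a shell or a recon tool it has no business running
        if parent in WEB_SERVER_PARENTS and child in RECON_TOOLS:
            findings.append(("webserver_spawned_tool", f"{parent} -> {e['cmdLine']}"))
        # rundll32 creating dllhost instances with an empty command line (process hollowing pattern)
        if parent == "rundll32.exe" and child == "dllhost.exe" and not has_args(e["cmdLine"], e["process"]):
            bursts[e["user"]] += 1
    for user, n in bursts.items():
        if n >= burst:
            findings.append(("rundll32_dllhost_burst", f"{user}: {n} dllhost.exe without arguments"))
    return findings

def stack(events):
    """Stack (user, process) pairs, rarest first, so outliers surface at the top of the review list."""
    return sorted(Counter((e["user"], basename(e["process"])) for e in events).items(), key=lambda kv: kv[1])
```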

 

Hardening servers against web shells

A single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences. With script-based malware, however, everything eventually funnels to a few natural chokepoints, such as cmd.exe, powershell.exe, and cscript.exe. As with most attack vectors, prevention is critical.

Organizations can harden systems against web shell attacks by taking these preventive steps:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
 
  • Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
 
  • Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.
 
  • Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
 
  • Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.
 
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
 
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.

Social Engineering Red flags and Email investigation

 

Social Engineering -

A single individual or a group of people attempting to gain access to your systems by using the methods listed below.

It relies on interaction with humans, who are tricked into handing over credentials. Humans are the weakest link, so attackers use deceptive techniques to break in.

 


 

Types of social engineering attacks:

  • Phishing - a malicious email that sends a link
  • Spear-phishing - targets individuals or specific groups
  • Email spoofing - masquerading as someone else, so the mail appears to come from someone you think you know
  • Baiting - enticing the victim to do something, e.g. leaving a USB drive lying around
  • Tailgating - gaining access by following an employee through a door/gate


Indicators or red flags to look for in an investigation:

 


 


Email spear phishing: In this email fraud the perpetrator asks for confidential and sensitive information. This type of attack resembles email spoofing fraud, but here, in almost all cases, the sender purports to be someone trustworthy with an authoritative position in the organization.

 

Business email compromise is when criminals use email to abuse trust in business processes to scam organizations out of money or goods.

 

The email forensic investigator can use several header fields to trace an email. They can be broadly categorized into the following areas of interest:

• Sender's SMTP server (outgoing mail server)
• Encrypted mail header
• The typical To, From, Subject and Date lines
• Mail transfer and email client information
• Various X-header fields added by different SMTP servers and email clients during the sending process
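As an added example (not part of the original post), a Python walkthrough over a constructed message that extracts the header areas listed above: the sender's SMTP server from the Received chain, the From/Reply-To/Return-Path lines, the X-headers, and the domain mismatches that mark a spoofed or spear-phishing mail. All addresses, hosts and IPs are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message for the walkthrough (not a real email); the Received chain reads bottom-up.
RAW = """\
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10]) by mail.corp.example; Tue, 3 Oct 2023 09:02:11 +0000
Received: from relay.badhost.test (unknown [203.0.113.45]) by mx1.corp.example; Tue, 3 Oct 2023 09:02:09 +0000
Return-Path: <billing@badhost.test>
From: "CFO Jane Doe" <jane.doe@corp.example>
Reply-To: <jane.doe.cfo@mail-reply.test>
To: <accounts@corp.example>
Subject: Urgent wire transfer needed today
Date: Tue, 3 Oct 2023 09:02:00 +0000
X-Mailer: BulkSender 1.0
X-Originating-IP: [203.0.113.45]

Please process the attached invoice immediately.
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def header_report(raw):
    """Pull the header areas the investigator cares about and flag the classic spoofing mismatches."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    # each hop prepends its own Received header, so the last one names the sender's SMTP server
    hops = msg.get_all("Received", [])
    origin = re.search(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", hops[-1]) if hops else None
    flags = []
    if return_path and domain(return_path) != domain(from_addr):
        flags.append("return_path_domain_mismatch")     # envelope sender differs from the visible From
    if reply_to and domain(reply_to) != domain(from_addr):
        flags.append("reply_to_domain_mismatch")        # replies go somewhere other than the From domain
    if origin and origin.group(2) and origin.group(2).startswith("unknown"):
        flags.append("unresolved_origin_host")          # receiving MTA could not reverse-resolve the sender
    return {
        "from": from_addr, "reply_to": reply_to, "return_path": return_path,
        "origin_smtp": origin.group(1) if origin else None,
        "hops": len(hops),
        "x_headers": {k: v for k, v in msg.items() if k.lower().startswith("x-")},
        "flags": flags,
    }
```

Only the Received header added by your own MTA can be trusted; earlier ones can be forged by the sender, so treat the origin host as a lead to verify, not a fact.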

 

CI/CD Pipelines and Automation

Modern web applications are built using continuous integration and deployment processes.

This means that you run tests specific to whichever environment you are pushing to, whether that's DEV, STAGING or PROD.



Control  Name                                         Priority  Difficulty    Description
3.1      CI/CD Pipeline                               1         Medium        Implement a CI/CD pipeline
3.2      Application Environments                     2         Medium        Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements
3.3      Application Data Separation                  3         Difficult     Make sure that dev and test environments are not using the same data as production. If the use of live data is required then make sure that data is anonymized.
3.4      CI/CD Administration                         3         Medium        Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements
3.5      Credential Store                             1         Medium        Create a secure encrypted place to store sensitive credentials like passwords, API keys, etc.
3.6      Centralized Software Composition Analysis    1         Easy          Scan source code for vulnerable libraries and open source software from within a CD stage
3.7      Centralized Static Code Analysis             2         Easy          Scan source code for vulnerabilities in the source code itself from within a CD stage
3.8      Centralized Sensitive Data Analysis          2         Easy          Scan source code for secrets, credentials, API keys and similar from within a CD stage
3.9      Dynamic Application Security Testing (DAST)  3         (not stated)  Scan running application for vulnerabilities
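Added example for control 3.8, not from the page's source: a Python secrets scan that runs as a CD-stage gate over a constructed two-file repository and returns the exit code the pipeline should fail on. The `# nosecret` allow-list marker and the entropy threshold are assumptions for the demo.

```python
import math
import re

# Patterns for the control's "secrets, credentials, API keys and similar". The AWS access key id
# shape (AKIA + 16 upper-case alphanumerics) is the publicly documented format; the rest are generic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, placeholders and words score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_source(text, path="<mem>", entropy_min=4.0):
    """Return (path, line_no, kind, value) findings for one file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if "# nosecret" in line:   # explicit, code-reviewed allow-list marker (a convention we assume)
            continue
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.re.groups else m.group(0)
                # generic assignments are only reported when the value looks random, so obvious
                # placeholders do not drown the real hits; trade-off: weak real passwords slip by
                if kind == "credential_assignment" and shannon_entropy(value) < entropy_min:
                    continue
                findings.append((path, no, kind, value))
    return findings

def gate(files):
    """CD-stage gate: (exit_code, findings); exit 1 blocks the deployment when any secret is found."""
    findings = [f for path, text in files.items() for f in scan_source(text, path)]
    return (1 if findings else 0), findings

# Constructed sample "repository" (two files); AKIAIOSFODNN7EXAMPLE is AWS's own documentation example key id.
SAMPLE_FILES = {
    "config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
                 'password = "changeme"\n'
                 'api_key = "x7Gq9!Lp2#vR8sWz4Tq1"\n',
    "settings_example.py": 'password = "YOUR_PASSWORD_HERE"  # nosecret\n',
}
```

Pair the entropy filter with a denylist of known weak values if low-entropy hardcoded passwords matter in your environment; the entropy gate alone lets `changeme` through by design.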
