
Hacking, ATT&CK phases, kill chain and incident response phases

There are some common phase models used in industry; the ones most commonly used in the cyber field are listed below.

HACKING Methodology (Steps)

Footprinting (whois, nslookup) » Scanning (Nmap, fping) » Enumeration (DumpACL, showmount, Legion, rpcinfo) » Gaining Access (tcpdump) » Escalating Privilege (John the Ripper, getadmin) » Pilfering (rhosts, user data, config files, registry) » Covering Tracks (zap, rootkits) » Creating Backdoors (cron, at, startup folder, keylogger, RDP) » Denial of Service (synk4, Ping of Death).

MITRE ATT&CK:

Reconnaissance » Resource Development » Initial Access » Execution » Persistence » Privilege Escalation » Defense Evasion » Credential Access » Discovery » Lateral Movement » Collection » Command and Control » Exfiltration » Impact.

CYBER KILL CHAIN:

Reconnaissance » Weaponization » Delivery » Exploitation » Installation » Command and Control » Actions on Objectives.

Incident Response:

Identify » Protect » Detect » Respond » Recover.

SANS Incident Response:

Preparation » Identification » Containment » Eradication » Recovery » Lessons Learned.

Social Engineering Red Flags and Email Investigation

Social Engineering -

A single individual or group of people attempting to gain access to your systems by using the methods below.

It relies on interaction with humans, who are tricked into handing over credentials. Humans are the weakest link, so attackers rely on deceptive techniques to break in.

Types of Social Engineering Attacks:

  • Phishing - a malicious email that sends a link
  • Spear-phishing - targets individuals or specific groups
  • Email spoofing - masquerading as someone else, appearing as someone you think you know
  • Baiting - enticing the victim to do something, e.g. leaving a USB drive lying around
  • Tailgating - gaining access by following an employee through a door/gate

Indicators or Red Flags to look for in an investigation:

Email spear phishing: In this email fraud the perpetrator asks for confidential and sensitive information. This type of attack resembles email spoofing fraud, but here in almost all cases the sender appears to be someone trustworthy with an authoritative position in the organization.

Business email compromise is when criminals use email to abuse trust in business processes to scam organizations out of money or goods.

The email forensic investigator can use several header fields to trace the email. They can be broadly categorized into the following areas of interest the investigator should look into:

  • Sender's SMTP server (outgoing mail server)
  • Encrypted mail header
  • Typical To, From, Subject and Date lines
  • Mail transfer and email client information
  • Various X-header information added by different SMTP servers and email clients during the whole email sending process
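The header walk described above, as an added example that is not part of the original post: it parses a constructed message with Python's standard `email` package, follows the Received chain from origin to destination, and surfaces From / Reply-To / Return-Path mismatches and X- headers. All hosts, addresses and IPs are constructed sample data.

```python
"""Header triage for a suspicious e-mail (added example, not from the post).

Parses a constructed raw message with the standard `email` package and
reports the areas listed above: the Received chain walked from origin to
destination, the From / Reply-To / Return-Path lines, and the X- headers.
All addresses, hosts and IPs are constructed sample data.
"""
import re
from email.parser import BytesParser

# Constructed sample: a "CEO" wire-transfer lure whose Reply-To and
# Return-Path point at domains other than the displayed From domain.
RAW_MESSAGE = b"""\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby mail.example-corp.test with ESMTP id abc123; Mon, 1 Mar 2021 09:15:02 +0000
Received: from relay.cheap-host.test (relay.cheap-host.test [198.51.100.7])
\tby mx.example-corp.test with ESMTPS id def456; Mon, 1 Mar 2021 09:15:01 +0000
Received: from [203.0.113.44] (unknown [203.0.113.44])
\tby relay.cheap-host.test with ESMTPA id ghi789; Mon, 1 Mar 2021 09:14:58 +0000
From: "CEO" <ceo@example-corp.test>
Reply-To: ceo.private@webmail.test
Return-Path: <bounce@cheap-host.test>
To: finance@example-corp.test
Subject: Urgent wire transfer
Date: Mon, 1 Mar 2021 09:14:55 +0000
X-Mailer: BulkSender 2.1
X-Originating-IP: [203.0.113.44]

Please process the attached invoice today.
"""

RECEIVED_RE = re.compile(r"from (\S+).*?\[([\d.]+)\].*? by (\S+)")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header value, or '' if none."""
    m = re.search(r"@([\w.-]+)", address or "")
    return m.group(1).lower() if m else ""


def received_chain(msg) -> list[tuple[str, str, str]]:
    """Each hop prepends its own Received header, so the *last* header is the
    origin. Returns (from_host, from_ip, by_host) tuples in transit order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.match(value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops


def red_flags(msg, hops) -> list[str]:
    """Mismatches an analyst wants surfaced before trusting the message."""
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    for field in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(field, ""))
        if dom and dom != from_dom:
            flags.append(f"{field} domain {dom} differs from From domain {from_dom}")
    if hops:
        origin_host, origin_ip, first_relay = hops[0]
        if origin_host.startswith("[") or "unknown" in origin_host:
            flags.append(f"originating host {origin_ip} has no reverse DNS name")
        if from_dom and not first_relay.endswith(from_dom):
            flags.append(f"mail entered the system at {first_relay}, not a {from_dom} server")
    return flags


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return hops, red flags and X- headers."""
    msg = BytesParser().parsebytes(raw)
    hops = received_chain(msg)
    return {
        "hops": hops,
        "flags": red_flags(msg, hops),
        "x_headers": {k: msg[k] for k in msg.keys() if k.lower().startswith("x-")},
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(key, value)
```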

 

Mimikatz

What is Mimikatz?

If you're into penetration testing and Windows red teaming then you have probably heard of Mimikatz, but in case you're wondering, or have heard of the tool but don't know what it does, let's see what Mimikatz is.

Written in C, Mimikatz is a very powerful post-exploitation tool, described by CrowdStrike's CTO and co-founder as "The AK-47 of Cyber Attacks."

Some even call Mimikatz the Swiss Army knife of Windows credentials. Benjamin Delpy, the developer of the tool, says he created it to play with Windows security. He maintains his own GitHub repository where he provides the source code and updates it regularly.

What can be done using Mimikatz?

Although widely known for credential dumping, that is not the only thing it can do.

Mimikatz can also assist in lateral movement and privilege escalation. Attacks like Pass-the-Hash, Pass-the-Ticket, Over-Pass-the-Hash and Kerberoasting can also be carried out with Mimikatz.

Mimikatz Attack Capabilities

Mimikatz has numerous modules that let attackers perform a variety of tasks on the target endpoint. Some of the more important attacks facilitated by the tool are:

  • Pass-the-Hash - obtains the NTLM hash that Windows uses in place of the password during authentication. This lets an attacker reuse the hash without having to crack it to recover the password.
  • Pass-the-Ticket - Mimikatz was famously used to break the Kerberos protocol. It can obtain a Kerberos "ticket" for a user account and use it to log in as that user on another computer.
  • Kerberos Golden Ticket - obtains the ticket for the hidden root account (KRBTGT) that encrypts all authentication tickets, granting domain admin access to any computer on the network.
  • Kerberos Silver Ticket - exploits Windows functionality that grants a user a ticket to access multiple services on the network (via the Ticket Granting Server, or TGS). The Kerberos protocol may not check the TGS key, allowing attackers to reuse the key and impersonate the user on the network.
  • Pass the Key - obtains a unique key used by a user to authenticate to a domain controller. The attacker can reuse this key to impersonate the user.

Anatomy of a Mimikatz Attack:

Mimikatz abuses the single sign-on functionality of Windows authentication, which lets a user authenticate only once in order to use various Windows services.

After a user logs into Windows, a set of credentials is generated and held in memory by the Local Security Authority Subsystem Service (LSASS). Because LSASS is loaded in memory, Mimikatz, when invoked, loads its dynamic link library (DLL) into the LSASS process, from where it can extract the credential hashes and dump them to the attacking system, sometimes even yielding cleartext passwords.

Malware Analysis, Tools and Techniques

What is Malware Analysis?
Malware analysis is the process of analyzing samples of malware families such as Trojans, viruses, rootkits, ransomware and spyware in an isolated environment in order to understand the infection, its type, purpose and functionality. Various methods based on the sample's behaviour are applied to understand the motivation behind it and to apply the appropriate mitigation, by creating rules and signatures to protect users.

Malware analysis plays an essential role in avoiding and understanding cyber attacks. When incident response teams are brought into an incident involving malware, the team will typically gather and analyze one or more samples in order to better understand the attacker's capabilities and to help guide their investigation.

Types of Malware:

Type             | What It Does                                                 | Real-World Example
-----------------|--------------------------------------------------------------|-------------------
Ransomware       | disables the victim's access to data until a ransom is paid  | RYUK
Fileless Malware | makes changes to files that are native to the OS             | Astaroth
Spyware          | collects user activity data without their knowledge          | DarkHotel
Adware           | serves unwanted advertisements                               | Fireball
Trojans          | disguise themselves as desirable code                        | Emotet
Worms            | spread through a network by replicating themselves           | Stuxnet
Rootkits         | give hackers remote control of a victim's device             | Zacinlo
Keyloggers       | monitor users' keystrokes                                    | Olympic Vision
Bots             | launch a broad flood of attacks                              | Echobot
Mobile Malware   | infects mobile devices                                       | Triada

How to perform Malware Analysis
There are various types of analysis, and related malware analysis tools, that are mainly used to break down the malware:
  • Static Malware Analysis
  • Dynamic Malware Analysis
  • Memory Forensics
  • Web Domain Analysis
  • Network Interaction Analysis, etc.

What is Static Malware Analysis?
This procedure includes extraction and examination of different binary components and static behavioural inferences of an executable, for example API headers, referenced DLLs, PE sections and more such assets, without executing the samples.
Any deviation from the normal outcomes is recorded in the static investigation results and a verdict is given accordingly. Static analysis is done without executing the malware, whereas dynamic analysis is carried out by executing the malware in a controlled environment.

1. Disassembly – Programs can be ported to new computer platforms by compiling the source code in a different environment.

2. File Fingerprinting – Network data loss prevention solutions use this to identify and track data across a network.

3. Virus Scanning – Virus scanning tools and instructions for malware and virus removal. Remove malware, viruses, spyware and other threats. Examples: VirusTotal, Payload Security.

4. Analyzing memory artifacts – While breaking down memory artifacts such as a RAM dump, pagefile.sys and hiberfil.sys, the inspector can begin identification of rogue processes.

5. Packer Detection – Used to detect packers, cryptors, compilers, scramblers, joiners and installers, plus new symbols.

Static Malware Analysis Tools
Ghidra and IDA: IDA Pro had been the go-to SRE (Software Reverse Engineering) suite for many years until Ghidra's release in 2019. Since then Ghidra's popularity has grown rapidly because it is a free, open-source tool that was developed, and is still maintained, by the NSA.

Websites such as: Hybrid Analysis, VirusTotal.com

Other tools: md5deep, PEiD, Exeinfo PE, RDG Packer Detector, de4dot, PEview, WinDbg, HxD
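Three of the static steps above (file fingerprinting, PE section inspection, packer detection) carried out in code, as an added example that is not from the post or from any of the tools it names. The PE image is constructed inside the block and is not a runnable program; the packer section names and the 7.0 bits-per-byte entropy threshold are common rules of thumb used here as assumptions.

```python
"""Static triage of a PE file: fingerprints, section entropy and packer hints.
Added example, not from the post or the tools it names; it covers three of the
static steps above (file fingerprinting, PE section inspection, packer
detection) with the standard library only. The sample PE is constructed in
build_sample_pe() and is not a runnable program; the packer section names and
the 7.0 entropy threshold are rule-of-thumb values used as assumptions."""
import hashlib
import math
import struct

# Section names commonly left behind by well-known packers (assumption list).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", "MPRESS1", "MPRESS2",
                         ".aspack", ".adata", ".vmp0", ".vmp1", ".themida"}

def fingerprint(data: bytes) -> dict:
    """Hashes to look up on VirusTotal / Hybrid Analysis style services."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return sections

def packer_indicators(sections: list[dict]) -> list[str]:
    """Heuristics, not proof: each hit is a reason to unpack before deeper analysis."""
    hits = []
    for s in sections:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hits.append(f"{s['name']}: known packer section name")
        if s["raw_size"] and s["entropy"] >= 7.0:       # near the 8.0 maximum
            hits.append(f"{s['name']}: high entropy {s['entropy']}")
        if s["raw_size"] == 0 and s["virtual_size"]:
            hits.append(f"{s['name']}: empty on disk, {s['virtual_size']} bytes in memory (unpack target)")
    return hits

def build_sample_pe(sections: list[tuple[str, bytes, int]]) -> bytes:
    """Constructed minimal PE32 image: DOS stub and optional header are zero-filled."""
    e_lfanew, opt_size = 0x40, 0xE0
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    hdr = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size
    body = bytearray()
    for name, raw, vsize in sections:       # name, raw bytes on disk, VirtualSize
        hdr += struct.pack("<8sIIII", name.encode(), vsize, 0x1000, len(raw), data_start + len(body))
        hdr += b"\0" * 16                   # relocation, line-number and characteristics fields
        body += raw
    return bytes(hdr + body)

# Constructed sample with the classic UPX layout: low-entropy .text, a
# random-looking UPX1 and a UPX0 that is empty on disk but large in memory.
SAMPLE_PE = build_sample_pe([(".text", b"\x55\x8b\xec" * 100 + b"\0" * 50, 350),
                             ("UPX1", bytes(range(256)) * 4, 4096),
                             ("UPX0", b"", 0x8000)])

def triage(data: bytes) -> dict:
    sections = pe_sections(data)
    return {"hashes": fingerprint(data), "sections": sections, "packer_indicators": packer_indicators(sections)}
```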
What is Dynamic Malware Analysis?
Dynamic analysis should always be an analyst's first approach to discovering malware functionality. In dynamic analysis we build a virtual machine that is used as the place to do the malware analysis.

In addition, the malware is analyzed using a malware sandbox, monitoring the malware's processes and analyzing the packet data generated by the malware.

Dynamic analysis tools:
Some common dynamic analysis tools are Wireshark, Netcat, Procmon (Process Monitor), Process Explorer, Regshot, ApateDNS, ProcDOT, Process Hacker, PeStudio, Fiddler, Cuckoo Sandbox and Ghidra.

After you have gathered some data it is time for analysis:

  • Upload the hash and/or file to a site such as VirusTotal, ANY.RUN or Hybrid Analysis to get information
  • If an IP or domain name is available, check databases of known adversaries
  • Use packet capture and traffic analysis if an external connection by the malware is suspected
  • Obtain the malicious file and analyze it in a sandbox to identify indicators
  • Use logs from SIEM and EDR to identify other infected endpoints
  • Take the identified endpoint off the network; do not power it off
  • Use the data gathered to set up blocks against future attacks

SIEM Rules from Event Log IDs and Use Cases

Below is some guidance on rule creation and which events to look for:

Collection - Domain Controller - User Activity - Network Share Accessed
This rule looks for Windows Event ID 5140, which indicates that a network share has been accessed. On workstations or domain controllers this event can be used to identify access to C$ or Admin$. Common false positives are IPC$, \Sysvol and \Netlogon.

Credential Access - AD - Account Lockout - Service Account
Event ID 4740

Defense Evasion - Domain Controller - System Change - Event Logs Cleared
Identifies the deletion of event logs from a Windows host or domain controller. This may be performed to destroy evidence of malicious activity on a system.
Event ID 1102

Discovery - AD - Account Enumeration - Host
Event IDs 4771, 4625, 4768

Discovery - AD - Kerberoasting
This rule looks for activity on Active Directory indicative of Kerberoasting attacks. Kerberoasting is where an attacker cracks a Kerberos service ticket and rewrites it in order to gain access to a targeted service.
Event ID 4769

Execution - Network - Access Attempt - Unicode Domain
Identifies web requests where the website domain contains Unicode characters. Unicode allows the display of foreign characters within the URL bar and can be used to try to trick users into going to malicious websites.
URL is: *?xn--.*?  Log source: web proxy servers and firewalls

Exfiltration - Email - Auto Forwarding
This rule looks for many emails from a single internal user going to an external email address, indicative of a user forwarding their mail content to a personal mailbox.
Vendor message id is: send, and status is: originating

Initial Access - ADFS - Excessive Login Failures
Identifies a large volume of ADFS failures, which may indicate account enumeration, brute-force login activity or a client misconfiguration.
Event IDs 1201, 1203, 1205

Initial Access - Remote Access - Login Attempt - Different Geos
Identifies VPN login attempts by the same user from geographically distant locations in a short time period. This may indicate account compromise, especially if the user is not traveling.

Lateral Movement - Domain Controller - Login Attempt - Interactive
Identifies a remote interactive login to a domain controller.
Event ID 4624 with logon type 10 or 2

Persistence - Domain Controller - System Change - Audit Policy Changed
Identifies system audit policy changes on Windows hosts. This represents a change to the type of security events logged by the system and may be a pre-attack activity to avoid detection.
Event IDs 4719, 4905, 4912

Persistence - Domain Controller - System Change - Domain Policy Changed
Event ID 4739

Persistence - Domain Controller - System Change - Multiple Processes Created
Identifies a large number of processes being created in a short time on a monitored Windows host. An abnormal volume of abnormal processes may indicate the host has been compromised or is being misused.
Event ID 4688, unique values >= 10

Persistence - Domain Controller - System Change - Scheduled Task
Identifies the creation of new scheduled tasks as well as changes to existing tasks. The creation of new scheduled tasks or the removal of existing ones may be a technique to maintain persistence.
Event IDs 4698, 4699, 4700, 4701, 4702

Persistence - Domain Controller - System Change - Service Installed
Identifies the installation of unexpected services on a system. The installation of unexpected services may be an indicator of system compromise or misuse.
Event IDs 7045, 4697, 601

Privilege Escalation - AD - Group Change - Admin
Identifies attempts to change a user's group membership in AD. The high risk associated with delegating certain permissions in AD warrants a high level of scrutiny, for example the promotion of a domain user to domain admin.
Event IDs 4728, 4732, 4746, 4751, 4756, 4761

Privilege Escalation - ATP - Golden Ticket
This rule looks for Golden Ticket related activity identified by Azure ATP. See here for more details: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external.
Event IDs 2009, 2013, 2027, 2032, 2022
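Several of the rules above (1102 log cleared, 4624 interactive logon to a DC, 4740 service-account lockout, 4688 process burst, 4769 Kerberoasting) implemented as a small rule engine over normalised Security events, as an added example that is not from the post or from any SIEM product. The events are constructed, and the five-minute window, the thresholds, the svc_ naming convention, the DC inventory and the RC4 (etype 0x17) filter on 4769 are assumptions.

```python
"""Rule engine over normalised Windows Security events (added example; not
from the post or any SIEM product). Events are constructed dicts in the shape
a SIEM produces from the Security log; thresholds, the 5-minute window, the
svc_ naming convention and the DC inventory are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01"}           # assumption: asset-inventory tag
WINDOW = timedelta(minutes=5)

# Constructed sample events, not real log data.
EVENTS = [
    {"ts": "2021-03-01T09:00:00", "host": "DC01", "id": 1102, "user": "bob"},
    {"ts": "2021-03-01T09:01:00", "host": "DC01", "id": 4624, "user": "bob", "logon_type": 10, "src_ip": "10.0.0.55"},
    {"ts": "2021-03-01T09:02:00", "host": "WS07", "id": 4624, "user": "alice", "logon_type": 10, "src_ip": "10.0.0.56"},
    {"ts": "2021-03-01T09:03:00", "host": "DC01", "id": 4740, "user": "svc_backup"},
    *[{"ts": f"2021-03-01T09:05:{i:02d}", "host": "DC01", "id": 4769, "user": "bob",
       "service": f"svc{i}", "etype": 0x17} for i in range(8)],
    *[{"ts": f"2021-03-01T09:10:{i:02d}", "host": "WS07", "id": 4688, "user": "alice",
       "process": f"tool{i}.exe"} for i in range(12)],
]


def burst(events, event_id, key, field, threshold):
    """Generic 'at least N distinct <field> values per <key> inside WINDOW' rule.
    Returns one (key, count) hit per key, from the first window that trips."""
    groups = defaultdict(list)
    for e in events:
        if e["id"] == event_id:
            groups[e[key]].append(e)
    hits = []
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["ts"])
            inside = [e for e in evs[i:] if datetime.fromisoformat(e["ts"]) - start <= WINDOW]
            distinct = len({e[field] for e in inside})
            if distinct >= threshold:
                hits.append((k, distinct))
                break
    return hits


def rule_logs_cleared(events):
    """Defense Evasion: 1102 audit log cleared."""
    return [f"{e['host']}: security log cleared by {e['user']}" for e in events if e["id"] == 1102]


def rule_dc_interactive_logon(events):
    """Lateral Movement: 4624 with logon type 10 (RemoteInteractive) or 2 (Interactive) on a DC."""
    return [f"{e['host']}: type {e['logon_type']} logon by {e['user']} from {e.get('src_ip')}"
            for e in events
            if e["id"] == 4624 and e["host"] in DOMAIN_CONTROLLERS and e.get("logon_type") in (2, 10)]


def rule_service_account_lockout(events):
    """Credential Access: 4740 lockout of an account following the svc_ convention."""
    return [f"{e['host']}: lockout of {e['user']}" for e in events
            if e["id"] == 4740 and e["user"].startswith("svc_")]


def rule_process_burst(events):
    """Persistence: >= 10 distinct 4688 process names on one host inside WINDOW."""
    return [f"{host}: {n} distinct processes created" for host, n in burst(events, 4688, "host", "process", 10)]


def rule_kerberoasting(events):
    """Discovery: many 4769 service-ticket requests by one user. Filtering on RC4
    (etype 0x17) is an assumption beyond the post; it is the classic crackable case."""
    rc4 = [e for e in events if e["id"] == 4769 and e.get("etype") == 0x17]
    return [f"{user}: {n} RC4 service tickets requested" for user, n in burst(rc4, 4769, "user", "service", 5)]


RULES = {fn.__name__[5:]: fn for fn in (rule_logs_cleared, rule_dc_interactive_logon,
                                        rule_service_account_lockout, rule_process_burst, rule_kerberoasting)}


def run_rules(events) -> dict:
    """Map rule name -> list of alert strings, omitting rules that did not fire."""
    results = {}
    for name, fn in RULES.items():
        hits = fn(events)
        if hits:
            results[name] = hits
    return results
```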
 
Hunting Fileless Malware and PowerShell Activity:
Event IDs 4104, 4103 and 4688

  • Event ID 4103 – Module logging – Attackers use several obfuscated commands and call self-defined variables and system commands. Hunting this event ID lets SOC operations record all the obfuscated commands as pipeline execution details under Event ID 4103. It should be enabled to process and capture the malicious commands.
  • Event ID 4104 – PowerShell script block logging – Captures the entire scripts that are executed by remote machines, for example obfuscated scripts that are decoded and executed at run time. This gives additional visibility on remote commands.
  • If an event exceeds the maximum event log message size, script block logging splits the logged event into multiple events. Suspicious commands can be observed at the "Warning" logging level.

USE CASE: DNS QUERY
Objective: The mission of this hunt is to drill down into DNS logs to baseline the common domains queried by endpoints in the environment, and to identify potentially infected endpoints by looking for possible DNS tunneling, domain generation algorithm (DGA) domains, and traffic to risky top-level domains (TLDs).
Log source and requirements: DNS query logging
Duration: 30 days
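The DNS hunt above carried out over constructed query logs, as an added example that is not from the post: it baselines registered domains per endpoint traffic, then flags tunnelling candidates (over-long labels, many distinct subdomains under one domain), DGA-looking second-level labels by entropy, and risky TLDs. The log layout, the last-two-labels rule for the registered domain, the risky-TLD list and every threshold are assumptions.

```python
"""DNS query hunt: baseline domains, then look for tunnelling, DGA names and
risky TLDs (added example, not from the post). Input is constructed log text
in an assumed '<timestamp> <client_ip> <qname> <qtype>' layout; adapt parse()
to your resolver's format. The registered-domain rule (last two labels), the
risky-TLD list and all thresholds are assumptions for the demo.
"""
import math
from collections import Counter, defaultdict

RISKY_TLDS = {"xyz", "top", "tk", "zip"}   # assumption
LONG_LABEL = 50          # chars; tunnelling stuffs data into labels
MANY_SUBDOMAINS = 20     # distinct subdomains under one registered domain
DGA_ENTROPY = 3.5        # bits per char of the second-level label
DGA_MIN_LEN = 10

# Constructed sample: normal traffic, one DGA-looking lookup on a risky TLD,
# and 25 TXT queries that look like data being tunnelled out.
LOG_LINES = (
    "2021-03-01T10:00:01 10.0.0.5 www.example.com A\n"
    "2021-03-01T10:00:02 10.0.0.5 mail.example.com A\n"
    "2021-03-01T10:00:03 10.0.0.7 update.example.com A\n"
    "2021-03-01T10:00:04 10.0.0.9 xk3p9qz7v2bn.xyz A\n"
    + "".join(f"2021-03-01T10:01:{i:02d} 10.0.0.12 {'a1b2c3d4' * 7}{i:02d}.t.exfil-test.net TXT\n"
              for i in range(25))
)


def parse(text: str) -> list[dict]:
    """One dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, qtype = parts
            records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    """Last two labels; real deployments should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def hunt(records: list[dict]) -> dict:
    """Baseline plus the three outlier classes described in the use case."""
    baseline = Counter(registered_domain(r["qname"]) for r in records)
    subdomains = defaultdict(set)
    long_labels, dga, risky = set(), [], []
    for r in records:
        labels = r["qname"].split(".")
        reg = registered_domain(r["qname"])
        if len(labels) > 2:
            subdomains[reg].add(r["qname"])
        if any(len(lab) > LONG_LABEL for lab in labels):
            long_labels.add(r["qname"])
        sld = labels[-2] if len(labels) >= 2 else ""
        if len(sld) >= DGA_MIN_LEN and label_entropy(sld) >= DGA_ENTROPY and r["qname"] not in dga:
            dga.append(r["qname"])
        if labels[-1] in RISKY_TLDS and r["qname"] not in risky:
            risky.append(r["qname"])
    tunnel = {d: len(s) for d, s in subdomains.items() if len(s) >= MANY_SUBDOMAINS}
    return {"baseline": baseline, "tunnel_candidates": tunnel, "long_labels": long_labels,
            "dga_candidates": dga, "risky_tld": risky}
```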

Linux Compromises & Access Tools and Where to Find Them

Linux compromises

  • Linux systems are 'occasionally' targeted by actors, especially cryptomining and ransomware crews.
  • The process can be similar to Windows machine compromises, but some areas are specific to each flavour.
  • Below is a brief overview of the exploitation, protection, detection and remediation processes for Linux operating systems.

Exploitation:
  • Same process as Windows devices:
      • Exploit an external-facing service
      • Establish persistence
      • Collect credentials
      • Move laterally

Protection:
  • Similar to Windows:
      • Patch
          • Including applications
          • Cron job with apt / yum update
      • Limit the number of admins with sudo powers
      • Application whitelisting (fapolicyd)
  • ACSC also has a Linux hardening worksheet which could be useful (Hardening Linux Workstations and Servers)

Detection:
  • Utilising logs:
      • Web logs: exploitation attempts, webshells
      • Command-line logging
      • SSH logs
  • Memory images (which I don't think are a viable way for continuous detection; more likely for incident response)
  • Use YARA rules to search for malware; Volatility plugin

Process data:
  • ps -eaf
  • pstree

Get service (cron) data:
  • ls -la /etc/cron*
  • Cron jobs redirecting to "> /dev/null" are worth checking out

Remediation:
  • Change passwords
  • Regenerate keys (e.g. in SSH)
  • Remove added users
  • Clean off malware (webshells, scripts, implants)
  • Remove cron jobs
  • Monitor for reconnection attempts (from known malicious IPs)

Fantastic Access Tools
  • Attackers are increasingly using remote access tools to gain and maintain access to the network, either by:
      • Using tools already deployed (and obtaining creds)
      • Deploying their own software

Generic detection to help find these tools in your org:
  • Event 4688 - process names
  • Event 4697 - service creation event (if the tool was installed as a service)
  • Sysmon - process names, DNS lookups / network traffic to known RMT domains
  • Firewall logs - connections classified by application
  • You can also manually check a host using: wmic /node:<target> process list

Tool brief overviews
  • Recent report: Anomali, 'ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs'
  • DameWare
      • Requires an incoming connection from the internet on various ports
      • Connects to the IPv6 local host
      • Shodan.io - product:dameware
      • Dwrcs.exe
  • GoToAssist
      • Generates outgoing HTTP/S traffic - look for logmein or gotoassist
      • Gotoassist.exe
  • ConnectWise Control / ScreenConnect
      • Generates outgoing HTTP/S traffic
      • Screenconnect.clientservice.exe
      • Commonly used in phishing emails with a URL that deploys ScreenConnect directly

Guidance:
  • Keep an eye out for any remote management/access tools
  • Most of them will probably be "legit". If they are, ensure they:
      • Use MFA
      • Have logging turned on
      • Manage their users
      • Turn off processes when not in use

------------------------------------------------------------------------------------------
SDBBot
  • SDBBot is a remote access trojan identified by Proofpoint in 2019. The ACSC issued an alert in November last year about increased sightings in attacks targeting healthcare. It is often used to drop ransomware.
  • Initial infection is usually via ISO or Excel email attachments. It sends C&C traffic over port 443 in a plaintext protocol.

Prevention:
  • Microsoft's Attack Surface Reduction rules
  • Block ISO attachments and downloads
  • Block non-HTTPS traffic over port 443

'Lo-Tech OT hacking'
  • A general primer on finding and securing 'human-machine interfaces', or HMIs, i.e. dashboards for SCADA/OT equipment.
  • Commonly exposed HMIs include HVACs, fridges, etc.
  • Cool Shodan search: https://www.shodan.io/search?query=screenshot.label%3Aics
  • HMIs are easy to find and access. Targeted industrial sabotage is unlikely; most hackers are bored and poking at low-hanging fruit.
  • This maps to OTORIO's report about the Israeli reservoir 'hack' in December. They concluded that the attackers likely 'did not possess any deep industrial capabilities or knowledge' and targeted the system solely because it was unprotected.
  • Note: we called attacks on these devices 'annoying' but 'unlikely to be dangerous'. An attendee pointed out that a hacked fridge could be catastrophic for a hospital or pharmacy storing temperature-controlled medications.
  • The recommendation is network scanning and searching Shodan for Modbus and DNP3, plus other common HMI ports and protocols.

TeamViewer and remote access security
  • In light of the Florida water incident, they added some points about securing remote access/support tools. Nothing too exciting, just 'figure out what tools are in use at your organization' and 'maybe try to secure them?'
  • Apparently there will be a more detailed brief on this incident later.

Windows Event Log for Detection and Best Practice

The event log is an important part of a cyber investigation. We will look into best practice and some important logs that you should look for in detection.

Hackers try to hide their presence for as long as possible. Event ID 104 (Event Log was Cleared) and Event ID 1102 (Audit Log was Cleared) could indicate a problem. Event ID 4719 (System audit policy was changed) could also show malicious activity. Application crashes can also indicate the presence of a hacker.

Table 1 – Application Crashes

Event     | ID   | Level         | Event Log   | Event Source
----------|------|---------------|-------------|-------------------------------------------
App Error | 1000 | Error         | Application | Application Error
App Hang  | 1002 | Error         | Application | Application Hang
BSOD      | 1001 | Error         | System      | Microsoft-Windows-WER-SystemErrorReporting
WER       | 1001 | Informational | Application | Windows Error Reporting
EMET      | 1    | Warning       | Application | EMET
EMET      | 2    | Error         | Application | EMET

Hackers need access to your systems just like any other user, so it's worth looking for suspicious login activity. Table 2 shows events that might show a problem. Pass-the-Hash (PtH) is a popular form of attack that allows a hacker to gain access to an account without needing to know the password. Look out for NTLM Logon Type 3 Event IDs 4624 (success) and 4625 (failure).

Table 2 – Account Usage

Event                                   | ID               | Level         | Event Log | Event Source
----------------------------------------|------------------|---------------|-----------|------------------------------------
Account Lockouts                        | 4740             | Informational | Security  | Microsoft-Windows-Security-Auditing
User Added to Privileged Group          | 4728, 4732, 4756 | Informational | Security  | Microsoft-Windows-Security-Auditing
Security-Enabled Group Modification     | 4735             | Informational | Security  | Microsoft-Windows-Security-Auditing
Successful User Account Login           | 4624             | Informational | Security  | Microsoft-Windows-Security-Auditing
Failed User Account Login               | 4625             | Informational | Security  | Microsoft-Windows-Security-Auditing
Account Login with Explicit Credentials | 4648             | Informational | Security  | Microsoft-Windows-Security-Auditing

High-value assets like domain controllers shouldn't be managed using Remote Desktop. Logon Type 10 Event IDs 4624 (logon) and 4634 (logoff) might point towards malicious RDP activity.


Best Practices

1. Collect logs in a single place
  • If logs are stored in multiple locations it becomes harder to parse and analyze them for an investigation. For example, an organization stores the log files of its computers and network in archives for regular inspection for possible threats.
  • If these archives are stored in multiple locations then it is much harder to analyze logs from all locations manually.

2. Segment different logs into different files so they are easy to access for research and reading
  • This practice means keeping the logs segmented into different categories. For example, keep the Application, Security, System and Network logs in separate segmented archives so that it is easier to parse particular logs for threat inspection.

3. Regular log analysis for potential threats
  • Organisations should constantly keep tabs on their archived event logs. The routine check helps in identifying undetected short- or long-term threats that may harm the data. This check can be done on a weekly or monthly basis. Big corporations with a large number of collected logs require daily checks to maintain their data integrity.

4. Archive logs, do not overwrite
  • In Windows, the default size of the physical log file is 20 MB, which can be sufficient for a single user.
  • For an organization the default file size is not enough for log management, because older logs get overwritten by new logs. This can be overcome by archiving the logs: as new logs enter the system, the older event logs are archived to a secure location, which helps in troubleshooting the system if a problem is encountered.

5. Limit access to authorized personnel, and log every access
  • Access to the logs should be limited to authorized personnel only, such as the administrator and the log analyst who maintain the integrity of the logs and constantly observe them for potential threats.

6. Regularly upgrade or update the log management infrastructure, if there is any
  • Log management is not an easy task. It takes experience and proper knowledge to manage logs and to find the threats that are critical for compromising the system.
  • Most organizations use a log management infrastructure and tool, which makes it much easier to handle event logs. The analyst should constantly look for new upgrades and updates of the tool to keep the system safe from new threats and vulnerabilities.

7. Use copies of logs for forensic investigation
  • Event logs are a great help in a forensic investigation, as each and every event is recorded in the log files.
  • Whenever an investigation is being done using event logs, make sure to create multiple copies of the acquired logs to maintain the integrity of the log data. This protects the original logs.

8. Store multiple backups
  • Storing multiple backups of logs in a secured place is a great way to protect log data from attackers who can exploit the log infrastructure. If the original log archives are lost or encrypted then the backups will help in identifying the root cause of the attack. There are two types of backups:
      • Hot backup: backup of the most recent logs (1 to 4 weeks)
      • Cold backup: backup of all logs for a long period of time (6 to 12 months)