Author Archive: SEC-LABS R&D

Hunt for nuget/Squirrel update vulnerability

A few days ago, a post on medium stated that an arbitrary code execution was possible in Squirrel which affected Teams and other applications which used Squirrel and Nuget for updates.

https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12

In the post, Teams is mentioned as example but other affected application were mentioned on twitter.

So, to see what our environment is up to with regards to this. Our favorite place to go to: Defender ATP – Advanced Hunting!

To explain the query, since there are other apps than teams which uses Squirrel, we aim to keep the query as broad as we can.

Since some applications uses Squirrel and web for updates we can’t simply say that all web requests are malicious. But we have done some verification and discovered many apps vulnerable to this.

To make it more easy to overview we’re adding the URL to a column

To continue this we can count unique URL’s to find anomalies

Edit: An Updated Query can be found on the link below here http://blog.sec-labs.com/2019/07/advanced-hunting-defender-atp-squirrel/

ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1), 
                       ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1), 
                       "Default")
| where exeURL != "Default"
| sort by EventTime desc 
|project EventTime, 
          ComputerName,
          exeURL,
          FolderPath, 
          ProcessCommandLine, 
          AccountName, 
          InitiatingProcessCommandLine, 
          ReportId, 
          ProcessId, 
          InitiatingProcessId

Defender Application Control would definitely block this attack and other mitigations in operating system will harden the clients in your environment.

Happy Hunting!

Hunting for USB Rubber Ducky/ Bad USB with ATP

Alright, so we’re here again with a hunting query to help catching some bad people out there.

This hunting started as a discussion with a customer and we figured out we should be able to chain the queries to see what happens after an event to be able to decide if it’s malicious or not.

Just to clear things out:
A USB Rubber Ducky is not something your AV solution would pick up. It’s a keyboard, it’s a preprogrammable keyboard. It exactly the same thing as plugging in a USB keyboard and type, except you’ve already told the keyboard what to type.

The ducky language is very simple as shown in below example

DELAY 3000
gui r
DELAY 100
STRING powershel xxxxxxxx
ENTER

The example will wait for 3 seconds, press win key and “r” and wait for another 100 ms and then type powershell xxxxxxx and then enter

USB rubber ducky

You encode the textfile to a binary and loads it to the flash memory inside (which is read by the rubber ducky, not by the device you connect it to) well you can make some changes to that, but in general and depending how you configure it.

Hunting USB devices

It’s easy to find the PnP event which could be headsets, mass storage devices, keyboards etc.

    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | project 
        EventTime,
        ComputerName,
        DeviceDescription=tostring(parsed.DeviceDescription),
        ClassName=tostring(parsed.ClassName),
        DeviceId=tostring(parsed.VendorIds),
        VendorIds=tostring(parsed.VendorIds), MachineId , ReportId 

Mass storage devices

MiscEvents
| where ActionType == "PnpDeviceConnected"
| extend ParsedFields=parse_json(AdditionalFields)
| project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription),
DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), MachineId, ComputerName, EventTime
| where ClassName contains "drive" or ClassName contains "usb"
| where DeviceDescription contains "Mass Storage"

But idea to hunt for duckies is that we want to see what happens after the device load.

  • Device connected
  • Someone executes powershell or cmd within a certain amount of time (10 seconds)

To explain further

We gather all devices where action type is “PnpDeviceConnected” and where the device description is “HID Keyboard Device”

Then we gather process starts which contains powershell or cmd and then we compare the time for the event and only present the ones where the process start happened within 10 seconds after the device load event.

// Hunting for malicious HID Keyboard devices
// PNP Event and Powershell or CMD within 10 seconds after driver load
let MalPnPDevices =
    MiscEvents
    | where ActionType == "PnpDeviceConnected"
    | extend parsed=parse_json(AdditionalFields)
    | sort by EventTime desc nulls last 
    | where parsed.DeviceDescription == "HID Keyboard Device"
    | project PluginTime=EventTime, ComputerName,parsed.ClassName, parsed.DeviceId, parsed.DeviceDescription, AdditionalFields;
ProcessCreationEvents
| where ProcessCommandLine contains "powershell" or
        ProcessCommandLine startswith "cmd" 
| where isnotempty(ProcessCommandLine)         
| project ProcessCommandLine, ComputerName, EventTime, ReportId, MachineId
| join kind=inner MalPnPDevices on ComputerName
| where (EventTime-PluginTime) between (0min..10s)
| where ComputerName == ComputerName1

Of course, the 10 seconds is basically the Delay time. If an attacker sets 11 seconds, we would miss it. But this query would have to be trimmed for your environment.

There is also another thing, as an attacker, you would like to deliver the payload as quick as possible but still want the driver to be able to load.

I usually use between 3-6 seconds as initial payload for my duckies.

happy hunting ATP

You could also chain this with other events, like networkevents to discover network request after a specific event.

Happy Hunting!

Sec-Labs R&D

Custom IOCs in Defender ATP

Working with custom IOC can be done via the UI or script (Powershell or Python).

This post will describe the UI way for creating a custom IOC

Go to settings and in the Rules section click on Allowed/Blocked List

You can create an IOC based on File hash, IP address and URLs/Domains

When creating a new IOC you have the options to Import (more on that later) and a wizard.

We click on the Add indicator text and start by filling in the template.

To get the filehash you can just use powershell “get-filehash” or if you have that information from another system or a list from somewhere.

You can set the Custom date for IOC expiration if you want.

You can at this point look at the impact for this IOC by clicking on the Show statistics which will get the data for that specific ile hash from the last 30 days

From this view you could take action and stop the file if needed depending on the situation.

Click next and add details for response action, alert details etc


Scope the machines to different machine groups

Click save in the summary.

Import IOC

The CSV template is comma separated

IndicatorType,IndicatorValue,ExpirationTime,Action,Severity,Title,Category,Description,RecommendedActions

New alert

Threat and Vulnerability management with Defender ATP

Until today you had to keep track on vulnerabilities in applications, create your custom dashboards and use 3rd party systems for the inventory.

Today microsoft released Threat and Vulnerability Management Dashboard as a part of Defender ATP.

TVM Dashboard

This dashboard provides a lot of insight in your environment with cloud scale, even the systems which are never in the office.

You can find the new dashboard by clicking on the little castle with the flag in the menu bar.

Dashboard

This part gives you a full overview of vulnerabilities like

  • Exposure Score
  • Configuration Score
  • Top vulnerable applications
  • Top exposed machines
  • Top remediation activities
  • Exposure distribution

You are also presented with the top security recommendations


Security Recommendations

In the security recommendations view you can view and sort based on components, remediation type etc

If we look at the details for one of the entries we can se a description, vulernability details, the affected machines and related CVE’s

security recommendation details

If we from this view clicks on Open Sofware page, we can see further details

If we from this view opens one of the items, we can see the risks, category and other ID’s

Working with remedation plans

We can create activities and set the due date for that activity

This an also be exported to a CSV file

When we have selected items for remediation we can look in the remediation view for follow up

Sofware Inventory

In this part we get an overview of all applications, weaknesses and if there are any known exploits.

The information from TVM is also linked to the machine page

Happy Hunting!

March updates to Windows 10 for Cloud App Discovery integration in MDATP

Who doesn’t want to get in control of their Cloud App Usage, and get a nice cloud usage dashboard like this?

With the latest March 2019 Updates to Windows 10, 1709 and 1803 Microsoft has back ported the Cloud App Discovery Capabilities from 1809 so now you will get Discovery Data from Windows 10 devices ranging from 1709 and above, all you need to do is to enable the integration and your machines that are on boarded to MDATP will start reporting in.

Microsoft has also included some back porting regarding Automatic Investigation, Remediation, Memory Forensic.

Happy Hunting

https://support.microsoft.com/en-us/help/4489890/windows-10-update-kb4489890
https://support.microsoft.com/en-us/help/4489894/windows-10-update-kb4489894

Hunting Windows Defender Exploit Guard with ATP

Alright, since I happen to be in a blog mode I keep the posts coming.

This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.

So what’s this Exploit Guard?

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.

Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements

ComponentDetails
Attack Surface Reduction (ASR)A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
Network Protection Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
Controlled Folder AccessProtects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
Exploit ProtectionA set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Example of ASR rules

• Block Office apps from creating executable content
• Block Office apps from launching child process
• Block Office apps from injecting into process
• Block Win32 imports from macro code in Office
• Block obfuscated macro code

Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.

If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal https://security.microsoft.com where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.

This following dashboard is a part from the Monitor and Report section in the portal

Back to Defender ATP and the hunting which this post was supposed to be all about.

We have published some posts now about hunting custom alerts.

In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.

We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.

Examples from the output:

AsrOfficeMacroWin32ApiCallsAudited
AsrPsexecWmiChildProcessBlocked
ControlledFolderAccessViolationBlocked
ExploitGuardAcgAudited
ExploitGuardChildProcessAudited
ExploitGuardNetworkProtectionBlocked
ExploitGuardNonMicrosoftSignedAudited
ExploitGuardWin32SystemCallBlocked
SmartScreenAppWarning
SmartScreenUrlWarning
SmartScreenUserOverride

Interesting note “SmartScreenUserOverride” is a separate event which you can query

When we had the raw Actiontypes we created the query to cover as much as we could.

//Happy Hunting
MiscEvents 
| where ActionType contains "asr" or
        ActionType contains "Exploit" or
        ActionType contains "SmartScreen" or
        ActionType contains "ControlledFolderAccess"
| extend JsonOut = parse_json(AdditionalFields)
| sort by EventTime desc 
| project EventTime, ComputerName, InitiatingProcessAccountName, ActionType,  
         FileName, FolderPath, RemoteUrl, ProcessCommandLine, InitiatingProcessCommandLine,
         JsonOut.IsAudit,JsonOut.Uri,JsonOut.RuleId,JsonOut.ActivityId
         

We are also parsing AdditionalFields to be able to add extra value to events which contained such data.

From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment

Happy Hunting!

Defender ATP and PowerBI

Maybe, you don’t want management in the ATP portal, even though it’s configurable via roles, and maybe they don’t want to be there.

One thing I know is that most managers loves numbers, so why not provide them with a PowerBI report.

You can perfectly use cloud based option and there is an app for Windows Defender ATP already there for you to use.

Configure your connector and you’re all good to go

The dasboard looks like the following picture

With the many different tiles you, or your manager, can dig deeper in to events like in this following example with alert status

It’s also possible to filter data based on who a case was assigned to, who resolved the case etc.

If you have a PowerBI Pro account, you could subscribe to get scheduled reports.

You can also to quick filter

This is an easy win for your manager

Automate response with Defender ATP and Microsoft Flow

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

  • Start by browsing to https://flow.microsoft.com and create a new flow
  • Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.


We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content

Actions

Pro tips:

  • Use get alert to be able to add more dynamic content to use in subsequent steps
  • Use get machine to be able to get more information like IP, Computername etc
  • Start building your automated playbooks. This will save you time

CTF, Capture The Flag

CTF, Capture the Flag is a known form of a game mode for various games like Paintball, laser games and Computer games, but it’s also used in Computer Security.

Capture the Flag is a really good way of enhancing your Security skills, it starts with a few clues and quests you must solve to retrieve the flag for the challenge. These are named as Jeopardy-style CTF. They are often devided into different types of challenges i.e.:

  • Cryptography
  • Web
  • Forensics
  • Binary Exploitation
  • Reversing
  • Networking

There are also modes for CTF called Attack-Defense, where the teams have to defend their own network or machine and att the same time attack the opponents. There is also a version like one team is defending and the other one is attacking, a Blue Team – Red Team approach.  Blue Team defends and tries to find out how and when the Red Team makes their way to get the Flag.

flags

Who is CTF for?

It’s for everyone with a interest in cyber security.

Qualify for bigger events

Some CTF’s are qualifiers for bigger CTF events, so get going and solve the challenges!

Example challenge from (https://capturetheflag.withgoogle.com):

This CTF has beginner challenges (which I can recommend if you’re new to this).

Amongst the beginner challenges we have the following one.

CTF challenge

This challenge want us to find the flag which will look like “CTF{xxxxxx}” by using the clues in the text and the file which we are able to download.

We download the file (Attachment) and extract the content

The clue from the challenge indicates it’s something fishy with this .ico file.

Tha the initial view, it looks alright.

Let’s use binwalk which is a tool for searching binary images for embedded files and executable code to see if there is something hidden inside.

It looks like we’re getting somewhere, it seems to be a zip archive.

Let’s try to list the content with 7zip

Works! Next step would be to unpack the content in our hunt for the flag

We have extracted our files

And we now have the flag!

We enter it on the website and the challenge is completed and can start the next challenge…

Where to start?

So, for those of you who are new or want to get some good links into CTF,  I have tried to gather all CTF Links in this post for reference, I will try to keep the links updated along the way.