Security – SEC-LABS R&D

Azure Sentinel New connectors, Zscaler, Barracuda, and Citrix. They have also added new hunting queries and machine learning-based detections to assist in prioritizing the most important events.

Insider Risk Management in Microsoft 365 – to help identify and remediate threats stemming from within an organization. Now in private preview, this new solution leverages the Microsoft Graph along with third-party signals, like HR systems, to identify hidden patterns that traditional methods would likely miss. https://www.microsoft.com/en-us/microsoft-365/blog/?p=233542

Microsoft Authenticator Microsoft makes Microsoft Authenticator available to customers as part of the Azure Active Directory (Azure AD) free plan. Deploying Multi-Factor Authentication (MFA) reduces the risk of phishing and other identity-based attacks by 99.9 percent.

Microsoft Defender Advanced Threat Protection (ATP)—Microsoft extends endpoint detection and response capability in Microsoft Defender ATP to include MacOS, now in preview. Microsoft also plans to add support for Linux servers.

Azure Security Center—Microsoft announces new capabilities to find misconfigurations and threats for containers and SQL in IaaS while providing rich vulnerability assessment for virtual machines. Azure Security Center also provides integration with security alerts from partners and quick fixes for fast remediation.

Microsoft information protection and governance—The compliance center in Microsoft 365 now provides the ability to view data classifications categorized by sensitive information types or associated with industry regulations. Machine learning also allows you to use your existing data to train classifiers that are unique to your organization, such as customer records, HR data, and contracts.

Microsoft Compliance Score—Now in public preview, Microsoft Compliance Score helps simplify regulatory complexity and reduce risk. It maps your Microsoft 365 configuration settings to common regulations and standards, providing continuous monitoring and recommended actions to improve your compliance posture. Microsoft also introduces a new assessment for the California Consumer Privacy Act (CCPA).

For the full list see:

https://www.microsoft.com/security/blog/2019/11/04/microsoft-announces-new-innovations-in-security-compliance-and-identity-at-ignite/?fbclid=IwAR0Fa1YHBV2GfqxGaxzOVUsSLQEHvlR5CFAhvoQziJ9I-mnmsolnRiY0qbk

News, Uncategorized

Ignite, Security

CTF, Capture The Flag

SEC-LABS R&D 2019-03-21 0 Comments

CTF, Capture the Flag is a known form of a game mode for various games like Paintball, laser games and Computer games, but it’s also used in Computer Security.

Capture the Flag is a really good way of enhancing your Security skills, it starts with a few clues and quests you must solve to retrieve the flag for the challenge. These are named as Jeopardy-style CTF. They are often devided into different types of challenges i.e.:

Cryptography
Web
Forensics
Binary Exploitation
Reversing
Networking

There are also modes for CTF called Attack-Defense, where the teams have to defend their own network or machine and att the same time attack the opponents. There is also a version like one team is defending and the other one is attacking, a Blue Team – Red Team approach. Blue Team defends and tries to find out how and when the Red Team makes their way to get the Flag.

Who is CTF for?

It’s for everyone with a interest in cyber security.

Qualify for bigger events

Some CTF’s are qualifiers for bigger CTF events, so get going and solve the challenges!

Example challenge from (https://capturetheflag.withgoogle.com):

This CTF has beginner challenges (which I can recommend if you’re new to this).

Amongst the beginner challenges we have the following one.

This challenge want us to find the flag which will look like “CTF{xxxxxx}” by using the clues in the text and the file which we are able to download.

We download the file (Attachment) and extract the content

The clue from the challenge indicates it’s something fishy with this .ico file.

Tha the initial view, it looks alright.

Let’s use binwalk which is a tool for searching binary images for embedded files and executable code to see if there is something hidden inside.

It looks like we’re getting somewhere, it seems to be a zip archive.

Let’s try to list the content with 7zip

Works! Next step would be to unpack the content in our hunt for the flag

We have extracted our files

And we now have the flag!

We enter it on the website and the challenge is completed and can start the next challenge…

Where to start?

So, for those of you who are new or want to get some good links into CTF, I have tried to gather all CTF Links in this post for reference, I will try to keep the links updated along the way.

CTF Time – https://ctftime.org/
Hack The Box – https://www.hackthebox.eu/
CTF 365 – https://ctf365.com/
CTF Field Guide – https://trailofbits.github.io/ctf/
CBT Nuggets Preparation Tips –
https://www.cbtnuggets.com/blog/2018/07/how-to-prepare-for-a-capture-the-flag-hacking-competition

Security

Challenges, CTF, Security

Audit Scheduled tasks using Azure Sentinel

SEC-LABS R&D 2019-03-19 1 Comment

Azure Sentinel is a powerful cloud based SIEM solution.
This blog series will be on how to work with Sentinel.

It will be example based on different solutions which we might run into.

This first post is about how you can work with logs and get insight in Scheduled Tasks as a way for attackers to persist in your network

For further information regards Sentinel, visit https://azure.microsoft.com/en-us/services/azure-sentinel/

Scheduled Tasks

By default there are no events created if someone creates or modifieds a scheduled task. To enable logging you have to enable logging of object access.

To view current settings, use the following command:

auditpol.exe /get /category:*

Only Success is required for this. This enables us to get the event 4698

To enable logging, create a new GPO and assign the following settings (depending if you want success/failure or only success)

You also have to configure your agents to send log to your workspace, you can download the agent from the Azure Sentinel workspace / <workspace name> / Advanced Settings

Otherwise, you can add the Sentinel workspace to your existing agents

$Agent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
$ID= "<WorkspaceID>"
$Key = "<key>"
$Agent.AddCloudWorkspace($ID,$Key)
restart-service HealthService

In Azure Sentinel – Data connectors, configure Security Events

Verify heartbeats from computers


Heartbeat | summarize argmax(TimeGenerated, *) by Computer

So now we have logs from 2 computers and now we want to query Scheduled Tasks

A simple way is to just query the EventID

We can use project to format our table but we still want to get information about the tasks that were created to get a better overview

According to documentation we can use Parse operator into one or more calculated columns

https://docs.microsoft.com/en-us/azure/kusto/query/parseoperator

//Example
SecurityEvent
| where EventID == "4698"
| parse EventData with * '"SubjectUserName">' SubjectUserName '<' * '"SubjectDomainName">' SubjectDomainName '<' *

This query will

Select all events where eventid=4698
parse the column event data and look for ‘”SubjectUserName”>’
Put everyting to a column named SubjectUserName until character ‘<‘
the wildcard will run the samething again
Continue parsing until ‘”SubjectDomainName”>’
Put everything into column SubjectDomainName until character ‘<‘

To continue this to get some really useful information we continue to parse the content until we get everything we need

//Sec-Labs Demo - Sentinel Hunting for Scheduled Tasks Persistance
let start=datetime("2019-03-12T19:39:47.762Z");
let end=datetime("2019-03-19T22:39:47.762Z");
SecurityEvent
|where TimeGenerated > start and TimeGenerated < end
| where EventID == "4698"
| parse EventData with * '"SubjectUserName">' SubjectUserName '<' * '"SubjectDomainName">' SubjectDomainName '<' * '"TaskName">\\' TaskName '<' * 'Author>' Author '<' * '<Command>' SchedCommand '</Command' * 'Arguments>' SchedArgs '</Arguments' * 'WorkingDirectory>' SchedDir '&' *
| where isnotempty (SubjectUserName) 
| project TimeGenerated,SubjectUserName,Computer,Activity,SubjectDomainName,TaskName,SchedCommand,SchedArgs,SchedDir
| project-rename CreatedBy = SubjectUserName

To rename columns, you can use project-rename <new name> = <old column name>

Happy Hunting!

Detect

Azure, Cloud, Preview, Security, Sentinel, SIEM, SOC

6000+ sites are still leaking sensitive WordPress config files

SEC-LABS R&D 2018-07-10 0 Comments

Well, this isn’t anything new, not at all!

Google Hacking Database has been around for a long time.

We started to dig into WordPress config files and realized that it’s very common to create a backup of your config file, which is not a bad idea.

This config file contains the base configuration of a wordpress installation like Database Connection (user name, password, ost) and other sensitive information.

Example

config

What’s really bad is that some admins seems to store the file in the web root and changed the extension to txt will will be read in the browser.

If we change the file extension to .txt it will be managed by the web server/php interpreter as any other txt file and present the content to the user.

So if we look at one part that exists in the WordPress config file.
“define(‘AUTH_KEY’, ‘” and we also have some other phrases like “wp-config.php”.

If you want an idea of how bad it is we can let google sort that out for us using some search operands available.
Since google knows the content of all files it has indexed which are most of them we just search for the content using “intext:” and filter on txt files using “filetype:”

intext:define(‘AUTH_KEY’, ‘ wp-config.php filetype:txt

The result shows about 6000+ results (and probably some false positives in the results).

ghdb

This file is not something that would be read by the user and you should not be able to download the php file either ;).

What you need to do

Don’t place sensitive files in the web root that doens’t have to be there
Configure permissions
Definitely don’t place backup files in the webroot, in case you don’t have to temporarily to reinstall a web application but otherwise, keep them away from the internet

Detect, Identify

GHDB, Security, Web

Tag Archive: Security

SANS Threat Hunting Summit – Link list

Microsoft announces new innovations in security, compliance, and identity at Ignite

CTF, Capture The Flag

Audit Scheduled tasks using Azure Sentinel

6000+ sites are still leaking sensitive WordPress config files

What you need to do