<p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Tools, Tools Everywhere!</b> (MALware FORensics SECurity, by malforsec, published 2022-10-05)</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">How do we get from hunting and detecting Tools (and IOCs) to actually trying to detect some TTPs, and preferably the big one, TACTICS?</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTuhDMoBN32f0JD-bDheUfk98syEmy7Sj-TKiEQIayefPXoMpl9VFyOYvrUk0a3-v-wEEsXvCqNuT9pfzGqYgSxl13N7gnAA52vjf4VulQs6NfROr8TI4YwxqQWiX39ctUgoEsFBafgps3JdZtXY60EFLClz68uMlrZ50nc8UQM_KcvAA5F257o9n_rA/s671/6vuygl.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="372" data-original-width="671" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTuhDMoBN32f0JD-bDheUfk98syEmy7Sj-TKiEQIayefPXoMpl9VFyOYvrUk0a3-v-wEEsXvCqNuT9pfzGqYgSxl13N7gnAA52vjf4VulQs6NfROr8TI4YwxqQWiX39ctUgoEsFBafgps3JdZtXY60EFLClz68uMlrZ50nc8UQM_KcvAA5F257o9n_rA/w432-h239/6vuygl.jpg" width="432" /></a></div><br /><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkoInzV8sTzo2GVQJqYYYhMV-lxPM8XZCRJy4S8Pwd8CcDmOt_0DoXsenbg3-Y4fkgn_H6lGom4mBs7zS_MwQhpGM_wn078YeAtEyh0bYOdpvngqOU5onj0bI3CpkHopfCpi_2WKHV2UyjgL6ChnFv4wd7eYaDNjYCcXHwCA6cZXfsq_iIJRKFYsZ4mQ/s1202/Screen%20Shot%202022-10-05%20at%2021.54.09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="296" data-original-width="1202" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkoInzV8sTzo2GVQJqYYYhMV-lxPM8XZCRJy4S8Pwd8CcDmOt_0DoXsenbg3-Y4fkgn_H6lGom4mBs7zS_MwQhpGM_wn078YeAtEyh0bYOdpvngqOU5onj0bI3CpkHopfCpi_2WKHV2UyjgL6ChnFv4wd7eYaDNjYCcXHwCA6cZXfsq_iIJRKFYsZ4mQ/w498-h123/Screen%20Shot%202022-10-05%20at%2021.54.09.png" width="498" /></a></div><br /><p class="p1" style="font-family: "Helvetica Neue"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: center;"><span style="font-size: xx-small;">From MITRE Att&ck, the detection notes for Account Discovery: Domain Account</span></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><h4 style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: left;">Let's look at the definitions first (I steal them from Ryan Stillions' blog post on TTPs)</h4><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Tactics</b></p><p class="p3" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: justify;">Merriam-Webster:</p><p class="p3" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: justify;"><b><i>"the science and art of disposing and maneuvering forces in combat"</i></b></p><p class="p3" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: justify;"><b><i>"the art or skill of employing available means to accomplish an end"</i></b></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Techniques</b></p><p class="p3" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: justify;">Merriam-Webster:</p><p class="p3" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 
normal; margin: 0px; text-align: justify;"><b><i>"a way of doing something by using special knowledge or skill"</i></b></p><p class="p3" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: justify;"><b><i>"the way that a person performs basic physical movements or skills"</i></b></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">I’m a practical guy, so I like to find Tactics by asking whether “<b>this is a means to an end</b>” and forming some idea of whether that is detectable.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><h4 style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: left;">TI Report to Tactics</h4><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
Lets grab">
line-height: normal; margin: 0px;">Let's grab the latest TheDFIRReport (from 2022-09-16, <a href="https://thedfirreport.com/2022/09/26/bumblebee-round-two/">BumbleBee: Round Two</a>) and see if we can find any Tactics.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Shoutout to TheDFIRReport for a great job and for sharing their work!</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Let's take a few findings from the report and see if we can find Tactics:</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Finding:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">C:\Windows\system32\cmd.exe /C net group "domain admins" /domain</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Proposed Tactic:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; 
Querying">
font-variant-numeric: normal; line-height: normal; margin: 0px;">Querying a domain controller for the users in the “domain admins” group</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Finding:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">C:\Windows\system32\cmd.exe /C nltest /dclist:</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Proposed Tactic:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Querying a domain controller for a list of all domain controllers</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Finding:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">C:\Windows\system32\cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt</p><p class="p1" 
style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Proposed Tactic:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Query the domain controller for all computers in the domain</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Finding:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Proposed Tactic:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Get credentials by reading lsass.exe process memory</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 
<b>Finding:</b></p>">
normal; margin: 0px;"><b>Finding:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">net localgroup Administrators sql_admin /ADD</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Proposed Tactic:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Add user to the local Administrators group</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Finding:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">A remote service was created on one of the workstations in order to dump lsass</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Proposed Tactic:</b></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Executing code by running a service on a remote host</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 
12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><h4 style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; text-align: left;">NO More TOOLS?</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEObnU-sMswh_tasTZxZcUIRg_GjOSowVt6SgcAhMXja4TBttQfvZMmjKOVPuj_iuLJdfAZqCyqTNvAS8W_Ei8tAc68Dou4VhneqlgnplVrPtolFc4dMJ2rVO-fk7whPdxj1yM7iWM3iDgYYTgSHDGiVvFZZ7j6NiSunm2pWRd-pk4OiYgYhXcbH7jjA/s400/ool.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="400" data-original-width="400" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEObnU-sMswh_tasTZxZcUIRg_GjOSowVt6SgcAhMXja4TBttQfvZMmjKOVPuj_iuLJdfAZqCyqTNvAS8W_Ei8tAc68Dou4VhneqlgnplVrPtolFc4dMJ2rVO-fk7whPdxj1yM7iWM3iDgYYTgSHDGiVvFZZ7j6NiSunm2pWRd-pk4OiYgYhXcbH7jjA/s320/ool.jpeg" width="320" /></a></div><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">So we have (hopefully) been able to find some Tactics based on findings in a threat intel report, TheDFIRReport.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">By rewriting the findings into Tactics I hope to be able to write detection on a much higher level than Tools and, once and for all, leave the hunt for new tools behind me (at least in theory).<br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; 
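font-variant-numeric: normal; line-height: normal; margin: 0px;"></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">As an added illustration of the gap between tool-level and Tactic-level detection (example code written for this edit; it is not the author's code and not detections the post publishes), the Python below runs one tool-level rule and three Tactic-level rules over constructed Windows event records, reusing the proposed Tactic names above as labels. Field names follow the Windows Security log (4688 process creation, 4624 logon, 4697 service installed, 4732 member added to a local group) and Sysmon event 10 (ProcessAccess); every sample event, the renamed dumper path and the EDR allow-list entry are constructed for the demonstration. The discovery findings (net group, nltest, adfind) are left out because their Tactic-level signal lives in domain-controller telemetry the post does not cover.</p>

```python
"""Tactic-level versus tool-level detection over constructed Windows events.

Added example for this page, not the blog author's code. Field names follow
the Windows Security log (4624, 4688, 4697, 4732) and Sysmon event 10
(ProcessAccess); every event below is constructed for the demonstration.
"""
from dataclasses import dataclass, field

PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory
NETWORK_LOGON = 3          # LogonType 3 in event 4624


@dataclass
class Event:
    source: str            # "Security" or "Sysmon"
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed telemetry: the report's procdump command line, a renamed copy of
# a dumper reading lsass (hypothetical path), an EDR sensor doing the same
# legitimately (hypothetical path), the local admin add from the report, and a
# service installed from a session that started as a network logon.
SAMPLE_EVENTS = [
    Event("Security", 4688, {"CommandLine":
          r"C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp"}),
    Event("Sysmon", 10, {"SourceImage": r"C:\programdata\pd.exe",
                         "TargetImage": r"C:\Windows\system32\lsass.exe",
                         "GrantedAccess": 0x1FFFFF}),
    Event("Sysmon", 10, {"SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
                         "TargetImage": r"C:\Windows\system32\lsass.exe",
                         "GrantedAccess": 0x1010}),
    Event("Security", 4732, {"MemberName": "sql_admin", "TargetUserName": "Administrators"}),
    Event("Security", 4624, {"TargetLogonId": "0x3e7a1", "LogonType": NETWORK_LOGON}),
    Event("Security", 4697, {"SubjectLogonId": "0x3e7a1", "ServiceName": "svc_tmp",
                             "ServiceFileName": r"C:\Windows\Temp\x.exe"}),
]


def tool_rule(event):
    """Tool-level rule: the literal tool name taken from the report's finding."""
    cmd = event.fields.get("CommandLine", "").lower()
    return event.event_id == 4688 and "procdump" in cmd and "lsass" in cmd


def tool_hits(events):
    """Count events the tool-level rule flags; only the literal procdump line counts."""
    return sum(1 for e in events if tool_rule(e))


def tactic_rules(events, lsass_readers_allowlist=()):
    """Return (tactic, event_id) hits keyed on behaviour rather than on tool names."""
    allow = {p.lower() for p in lsass_readers_allowlist}
    # Logon IDs of sessions that started over the network (4624, LogonType 3);
    # a service installed from one of these is remote service execution.
    network_sessions = {e.fields["TargetLogonId"] for e in events
                        if e.source == "Security" and e.event_id == 4624
                        and e.fields.get("LogonType") == NETWORK_LOGON}
    hits = []
    for e in events:
        f = e.fields
        if (e.source == "Sysmon" and e.event_id == 10
                and f["TargetImage"].lower().endswith(r"\lsass.exe")
                and f["GrantedAccess"] & PROCESS_VM_READ
                and f["SourceImage"].lower() not in allow):
            hits.append(("Get credentials by reading lsass.exe process memory", e.event_id))
        elif (e.source == "Security" and e.event_id == 4732
                and f.get("TargetUserName") == "Administrators"):
            hits.append(("Add user to the local Administrators group", e.event_id))
        elif (e.source == "Security" and e.event_id == 4697
                and f.get("SubjectLogonId") in network_sessions):
            hits.append(("Executing code through running a service on remote host", e.event_id))
    return hits


if __name__ == "__main__":
    print("tool-level hits:", tool_hits(SAMPLE_EVENTS))
    for tactic, eid in tactic_rules(SAMPLE_EVENTS, [r"C:\Program Files\ExampleEDR\sensor.exe"]):
        print(f"event {eid}: {tactic}")
```

<p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The tool-level rule fires only on the exact command line from the report; the renamed copy reading lsass.exe is still caught by the Sysmon rule because it keys on the requested access right, not on the image name. The allow-list of known lsass readers (backup agents, EDR sensors) is where the tuning effort goes in practice, and the 4624/4697 correlation is one way to express "service run from a remote session" without naming PsExec or any other tool.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; 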
The reasoning">
font-variant-numeric: normal; line-height: normal; margin: 0px;">The reasoning behind that was explained in my last blog post, “Tactics, the killer of YOLO Command lines?”, where the Pyramid of Pain and the DML model were discussed.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">If anyone has comments on my Tactics, please let me know. Otherwise I will look into making detections for these in my next blog post.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 
normal; margin: 0px; min-height: 14px;">References:</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">TheDFIRReport: <a href="https://thedfirreport.com/2022/09/26/bumblebee-round-two/">BumbleBee: Round Two</a> </p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="color: black;">Ryan Stillions: <a href="http://ryanstillions.blogspot.com/2014/04/on-ttps.html">on TTPs </a></span></p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="color: black;"><a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)">Net group command</a> </span></p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="color: black;"><a href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems">Net command </a></span></p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="color: black;"><a href="http://www.joeware.net/freetools/tools/adfind/usage.htm">Adfind usage </a></span></p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: 
<span">
normal; line-height: normal; margin: 0px;"><span class="s1" style="color: black;"><a href="https://learn.microsoft.com/en-us/sysinternals/downloads/procdump">Procdump</a></span></p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="color: black;">Malforsec: <a href="http://malforsec.blogspot.com/2022/09/tactics-killer-of-yolo-command-lines.html">Tactics, the killer of YOLO Command lines?</a></span></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Mitre Att&ck: <a href="https://attack.mitre.org/techniques/T1087/002/">Account Discovery: Domain Account</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><b>Tactics, the killer of YOLO command lines?</b> (MALware FORensics SECurity, by malforsec, published 2022-09-19)</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">As a big fan of <a href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html">“The Pyramid of Pain”</a> and <a href="http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html">“Detection Maturity Levels”</a>, I have had good faith in building robust detection and upping my chances of detecting adversary behavior in my networks.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The Pyramid of Pain does a great job of painting a clear picture of what to focus on to make sure my detection is relevant now and in the foreseeable future: <b><a href="http://ryanstillions.blogspot.com/2014/04/on-ttps.html">TTPs</a></b>.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg4Gd5_yxe0E59sjP7XWVM3HzwZCBBd2NOTmuguNhqS3gh-UcvEEyjC5sy0Jf8tOplKfznyKfkezKaRzFx98qilVgPxe8Bze3OO_O2k7ZU2dpzZQTjlxHbNx_Zc5UMTY2MW-3pPB76Jd5KLc-gvqR_b_ZD251jd6bYTxr4zpm4LxTxJe4ioQtl2IA1piw" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="289" data-original-width="406" height="227" src="https://blogger.googleusercontent.com/img/a/AVvXsEg4Gd5_yxe0E59sjP7XWVM3HzwZCBBd2NOTmuguNhqS3gh-UcvEEyjC5sy0Jf8tOplKfznyKfkezKaRzFx98qilVgPxe8Bze3OO_O2k7ZU2dpzZQTjlxHbNx_Zc5UMTY2MW-3pPB76Jd5KLc-gvqR_b_ZD251jd6bYTxr4zpm4LxTxJe4ioQtl2IA1piw=w320-h227" width="320" /></a></div><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Tactics, Techniques and Procedures, not Tools, Techniques and Procedures, and not Tools, Tools and Pools either ;). The only thing I would like to change is the name: it should be PTTs, Procedures, Techniques and Tactics, to make clear that the thing to detect, and what adversaries would really struggle to change, is Tactics. The Queen of TTPs and the saviour of our CERT, SOC and CSIRT teams.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The TTPs are explained in detail by Ryan Stillions in his Detection Maturity Level blog post, and they are split into their own DML levels: Procedures are level 4, Techniques are level 5 and Tactics are level 6. (Note that DML level 8 is Goals.) 
So according to the DML model, detecting on level 6, Tactics, would be excellent.</p><div class="separator"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjj3wDQ5qkkCfKZ09IoV4pFd0se0Rj0aBgyq7ruAcRwocL2iDn9bvM-x3kVnym2O1DENAOp1QRpTTh_KChZNyT-jlmPsd44Xt2rbRdsMxT2g9AVNa3G28vOzFVGN0ulDHAc3yzLf98eJ_maRmzkkq9liF0eiDf-NgiipRo89VNRWZ1qzygcL5m95S_5ZQ" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="596" data-original-width="442" height="201" src="https://blogger.googleusercontent.com/img/a/AVvXsEjj3wDQ5qkkCfKZ09IoV4pFd0se0Rj0aBgyq7ruAcRwocL2iDn9bvM-x3kVnym2O1DENAOp1QRpTTh_KChZNyT-jlmPsd44Xt2rbRdsMxT2g9AVNa3G28vOzFVGN0ulDHAc3yzLf98eJ_maRmzkkq9liF0eiDf-NgiipRo89VNRWZ1qzygcL5m95S_5ZQ=w149-h201" width="149" /></a></div><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The <a href="https://www.duo.uio.no/bitstream/handle/10852/84713/PhD-Bromander-2021.pdf?sequence=1#page=45">advanced DML</a> model presented by Siri Bromander et al. does add an upper level 9, Identity, to the DML model, but that is not relevant for this rant, ehm, blog post.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">So this should be pretty easy then. 
Find tools that detect on DML level 6 (even 5 could be acceptable in some cases), install, test, tune, and head for the pub to get some beers while waiting for the adversaries to get caught in their network operations. Straightforward, right? Bummer. No tools detect on this level. The favorite of detection tools seems to be detecting other tools. Command lines are very much looked for by detection tools, in my experience. Detecting LOLBins seems to be a special favorite. LOLBINS and <a href="https://lolbas-project.github.io/">LOLBAS</a> are great stuff, mainly for offensive purposes, but knowing them and alerting, or at least logging, when they are used might be very helpful in an IR setting. But there are a lot of them, and writing good detection becomes extra hard: these binaries are used daily in our infrastructure, and always being one ^ away from missing the execution of a ”YOLO command line” makes for a lot of work in creating signatures and in tuning away false-positive alerts from that kind of detection.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">No tools readily available to fix my detection needs then, I am afraid. 
We need to look into building our own detection to reach nirvana at DML level 6!</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="Apple-converted-space"> </span>Best practice should be to look into which adversaries we should be most afraid of, or at least who we think is most likely to visit our networks, and start making sure we will catch them red-handed if they so much as use one of their Tactics in our infrastructure. Let's say we do find which threat actors we need to be on the lookout for (probably some of them are in the ransomware business). So we pick up the best threat intel reports we can find and start looking for TTPs, and in particular for Tactics. Lots of IOCs to find, hashes all over the place, even some malware names pop up (tools, that is), the most common being Cobalt Strike Beacon, maybe. A lot of reports confuse TTPs with IOCs, tools and other artifacts that we are not willing to bet our lives on when creating detection. Almost all TI reports do have a <a href="https://attack.mitre.org/">MITRE Att&ck</a> reference table of some sort today, with at least Technique references.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">That brings me over to my frustration with the MITRE Att&ck framework. 
Because MITRE Att&ck is another part of the detection puzzle that confuses me, and it seems to be confusing a lot of others as well. The <a href="https://www.youtube.com/watch?v=KnFtekfyysA">excellent speech by Martin Eian at this year's FIRST conference in Dublin</a> inspired me to write this post. MITRE Tactics are indeed goals, not DML Tactics. We cannot write detection for Tactics like “Defense Evasion”, “Execution” and “Credential Access”.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">MITRE Techniques, on the other hand, can be made into detection, at least some of them.<span class="Apple-converted-space"> </span></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Let's look at a much used example: OS Credential Dumping, T1003, is not good enough, but the sub-technique T1003.001 LSASS Memory is a good candidate. I am not sure if this is a technique or a tactic according to the DML model. But to confuse me even more, the detection section says things like “Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. 
PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module”.<span class="Apple-converted-space"> </span>Not much help there either; back to detecting tools again.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">To me it looks like we have this huge framework that helps us detect the stuff that we really should not care too much about.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Do we as a community (IT security/security analysts) lack the understanding of techniques and tactics? And does the MITRE Att&ck framework confuse us, the CSIRTs, SOCs and CERTs, in creating robust and reliable detection? Some have tried to say that Procedures is the correct level for detection: the <a href="https://www.scythe.io/library/summiting-the-pyramid-of-pain-the-ttp-pyramid">TTP pyramid by Christopher Peacock</a>. I do not believe that this is the correct way to look at this problem. Maybe procedures are an OK detection level (4, that is). 
But ignoring Techniques and Tactics, which should be even better, feels wrong.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Is the correct way to do this then to come up with our own Techniques and Tactics?<span class="Apple-converted-space"> </span></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Massive job, but probably doable. Especially since there, in theory, should be fewer detections to create at this level. They should also stay relevant for longer. It would of course be much better if this was covered in a framework like MITRE Att&ck, as it would be scrutinized by people much smarter than me, and also by more security analysts (detection engineers) than one organization can hire.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">One other thing is that when we create our own detection based on our own tactics, it is harder to test and verify that our detection works properly. 
Frameworks for that mainly adhere to MITRE Att&ck, so there will be mapping work if testing is to be automated, and also more manual work in purple team situations.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Finding tactics in TI reports is no easy task, as they are kind of hidden in the language and not explicitly mentioned as detection opportunities or described by MITRE Att&ck.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Let's try a couple of examples:</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><ol class="ol1"><li class="li1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">TA007 using mimikatz to dump credentials from LSASS<br />The tactic might be “Get credentials from LSASS memory”.<span class="Apple-converted-space"> </span>The goal here is credential access. This tactic is not directly detectable in itself. The closest we come, at least as far as I can see, is to detect reading LSASS process memory, or, if I want, attempts to read LSASS process memory. 
This can be achieved by detecting when a read operation is performed on the LSASS object. Detecting when a handle to the LSASS object with read permissions is asked for will give us both successful and unsuccessful tries to read the LSASS process memory. Detecting this will detect all TOOLS used for the purpose, any Procedure and all Techniques used while performing the LSASS dump. Not even <a href="https://wikipedia.org/wiki/Mohamed_Salah">Mohamed Salah</a> can get that pass through to <a href="https://wikipedia.org/wiki/Roberto_Firmino">Roberto Firmino</a> unseen :)<br /><br />Event Tracing for Windows (ETW) logs can help us with this: EventCode 4656<span class="Apple-converted-space"> </span>- “A handle to an object was requested” will give info when an application wants to access LSASS, and EventCode 4663 - “An attempt was made to access an object” will give us info on when access to LSASS actually was performed.<br /><br /></li><li class="li1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The threat actor utilized the “-r” option in PsExec to define a custom name (“mstdc”) of the remote service created on the target host (<a href="https://thedfirreport.com/2022/04/25/quantum-ransomware/">Thedfirreport</a>)<br />I propose “Running service on remote host” as a tactic. This is a lateral movement goal. 
To be able to detect this tactic we need to look into service executions and figure out if a network logon was performed, or what other methods are used to execute something remotely.<br /><br />ETW logs will cover this one too with something like: EventCode 4697 - “A service was installed in the system” and EventCode 4624 - “An account was successfully logged on”.</li></ol><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;">Are these really tactics, and am I able to detect them correctly and reliably?</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Am I not understanding the Pyramid of Pain, the DML model, MITRE Att&ck and the detection challenges?</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Too NOOB to figure out the right tools for the job?</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Can we climb almost to the top of the DML model and reach level 6? Or is that not doable for us mere mortals? 
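</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The two detections from the list above, as an added example that is not part of the original post: two Python functions run over constructed Windows Security log events, one matching 4656/4663 on the LSASS process object plus the PROCESS_VM_READ access right, the other correlating 4697 with a preceding LogonType 3 4624 that shares the same logon id. The event field names follow the Security log EventData names, the sample values (host names, IP address, logon ids, paths) are made up, and the process allowlist is an assumed tuning knob.</p>

```python
"""Two tactic-level detections over constructed Windows Security log events
(field names as in the Security log EventData; values are made up, not real)."""
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

SAMPLE_EVENTS = [
    # 4624 LogonType 3: network logon from 10.0.0.5 gets logon id 0x3e7a1
    {"EventID": 4624, "TimeCreated": "2022-10-05T12:00:00", "Computer": "FILESRV01",
     "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1", "LogonType": "3",
     "IpAddress": "10.0.0.5"},
    # 4697 two seconds later under that network logon (service name from the report)
    {"EventID": 4697, "TimeCreated": "2022-10-05T12:00:02", "Computer": "FILESRV01",
     "SubjectLogonId": "0x3e7a1", "ServiceName": "mstdc",
     "ServiceFileName": r"%SystemRoot%\mstdc.exe"},
    # 4697 under a logon id with no matching network logon: local install, benign
    {"EventID": 4697, "TimeCreated": "2022-10-05T12:05:00", "Computer": "FILESRV01",
     "SubjectLogonId": "0x12345", "ServiceName": "UpdateAgent",
     "ServiceFileName": r"C:\Program Files\Vendor\agent.exe"},
    # 4656: handle to lsass.exe requested with PROCESS_VM_READ in the mask
    {"EventID": 4656, "TimeCreated": "2022-10-05T12:01:10", "Computer": "WS07",
     "SubjectUserName": "jdoe", "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "AccessMask": "0x1010", "ProcessName": r"C:\Users\jdoe\Downloads\tool.exe"},
    # 4663: LSASS memory actually read, here by a security sensor (tuned away below)
    {"EventID": 4663, "TimeCreated": "2022-10-05T12:01:11", "Computer": "WS07",
     "SubjectUserName": "SYSTEM", "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "AccessMask": "0x10", "ProcessName": r"C:\Program Files\EDR\sensor.exe"},
    # 4656: handle to lsass.exe with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
    {"EventID": 4656, "TimeCreated": "2022-10-05T12:02:00", "Computer": "WS07",
     "SubjectUserName": "jdoe", "ObjectType": "Process",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "AccessMask": "0x1000", "ProcessName": r"C:\Windows\System32\taskmgr.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_lsass_memory_read(events, allowlist=()):
    """Flag 4656 (handle requested) and 4663 (access performed) on lsass.exe
    where the access mask includes PROCESS_VM_READ. Matching on the object and
    the right, not on the requesting image, covers any tool or procedure that
    reads LSASS memory. 'allowlist' holds full paths of known-good readers."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4656, 4663) or ev.get("ObjectType") != "Process":
            continue
        if not ev.get("ObjectName", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if not mask & PROCESS_VM_READ:
            continue  # e.g. Task Manager asking for limited query information
        if ev.get("ProcessName") in allowlist:
            continue
        findings.append({
            "stage": "attempt" if ev["EventID"] == 4656 else "access",
            "host": ev.get("Computer"),
            "user": ev.get("SubjectUserName"),
            "process": ev.get("ProcessName"),
            "access_mask": hex(mask),
        })
    return findings


def detect_remote_service_install(events, window=timedelta(minutes=5)):
    """Correlate 4697 (service installed) with a preceding 4624 LogonType 3
    (network logon) that shares the logon id, within 'window'. A service
    installed from a network logon session came over the network, whatever
    tool (PsExec or otherwise) was used."""
    network_logons = {}
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == "3":
            network_logons[ev["TargetLogonId"]] = ev
    findings = []
    for ev in events:
        if ev.get("EventID") != 4697:
            continue
        logon = network_logons.get(ev.get("SubjectLogonId"))
        if logon is None:
            continue
        delta = _ts(ev) - _ts(logon)
        if delta < timedelta(0) or delta > window:
            continue
        findings.append({
            "host": ev.get("Computer"),
            "source_ip": logon.get("IpAddress"),
            "account": logon.get("TargetUserName"),
            "service": ev.get("ServiceName"),
            "image": ev.get("ServiceFileName"),
        })
    return findings


if __name__ == "__main__":
    print(detect_lsass_memory_read(SAMPLE_EVENTS, allowlist=(r"C:\Program Files\EDR\sensor.exe",)))
    print(detect_remote_service_install(SAMPLE_EVENTS))
```

<p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">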
Is that for the ML and AI Gods only?</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Please, if you have a solution to my detection challenges, let me know.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Also, good detection material like the book by Andrei Miroshnikov, “<a href="https://www.amazon.com/Windows-Security-Monitoring-Scenarios-Patterns/dp/1119390648">Windows Security Monitoring: Scenarios and Patterns</a>”, is really welcome.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The <a href="https://threathunterplaybook.com/intro.html">Threat Hunter Playbook</a> has done much right. 
Making things available as notebooks is a really good idea.</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">I like listening to the podcast “<a href="https://www.dcppodcast.com/">Detection Challenging Paradigms</a>”, which makes for good input when pondering detection challenges.</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Hopefully Martin Eian will have a breakthrough with MITRE and save my day. 
In the meantime I will be making my own detection and trying to figure out the best way to test it reliably…</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;">Happy ignoring YOLO ^c^o^mandlin^e^s!!</p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">References:</p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">There is no TTP, by Martin Eian at the FIRST conference in Dublin</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a 
href="https://www.youtube.com/watch?v=KnFtekfyysA">https://www.youtube.com/watch?v=KnFtekfyysA</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Pyramid of Pain by David Bianco</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html">http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Detection Maturity Levels by Ryan Stillions</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html">http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">On TTPs by Ryan Stillions</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="http://ryanstillions.blogspot.com/2014/04/on-ttps.html">http://ryanstillions.blogspot.com/2014/04/on-ttps.html</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The TTP pyramid by Christopher Peacock</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://www.scythe.io/library/summiting-the-pyramid-of-pain-the-ttp-pyramid">https://www.scythe.io/library/summiting-the-pyramid-of-pain-the-ttp-pyramid</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Semantic Cyberthreat Modelling by Siri Bromander, Audun Jøsang and Martin Eian</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a 
href="https://www.duo.uio.no/bitstream/handle/10852/84713/PhD-Bromander-2021.pdf?sequence=1#page=45">https://www.duo.uio.no/bitstream/handle/10852/84713/PhD-Bromander-2021.pdf?sequence=1#page=45</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">MITRE Att&ck Matrix for Enterprise</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://attack.mitre.org/">https://attack.mitre.org/</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Lolbins by Oddvar Moe</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://lolbas-project.github.io/">https://lolbas-project.github.io/</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;">Commandline Obfuscation by Wietze Beukema</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation">https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">The DFIR Report</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/">https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Windows Security Monitoring: Scenarios and Patterns by Andrei Miroshnikov</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a 
href="https://www.amazon.com/Windows-Security-Monitoring-Scenarios-Patterns/dp/1119390648">https://www.amazon.com/Windows-Security-Monitoring-Scenarios-Patterns/dp/1119390648</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Threat Hunter Playbook by Roberto Rodriguez</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://threathunterplaybook.com/intro.html">https://threathunterplaybook.com/intro.html</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Mohamed Salah</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://wikipedia.org/wiki/Mohamed_Salah">https://wikipedia.org/wiki/Mohamed_Salah</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Roberto Firmino</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://wikipedia.org/wiki/Roberto_Firmino">https://wikipedia.org/wiki/Roberto_Firmino</a></p><p class="p2" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p><p class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;">Detection Challenging Paradigms podcast with Jared Atkinson and Jonathan Johnson</p><p class="p3" style="color: #dca10d; font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><a href="https://www.dcppodcast.com/">https://www.dcppodcast.com/</a></p>malforsechttp://www.blogger.com/profile/15339003536364790652noreply@blogger.com0tag:blogger.com,1999:blog-8200574116175766775.post-77674510302240782302017-01-08T16:11:00.000-08:002017-01-08T16:13:32.553-08:00Sundown Exploit kitSeeing that Sundown EK has evolved lately, I got curious and wanted to take a look at what new trickery this EK had come up with.<br />
I looked at it when it started to rise last summer, but back then it was not very advanced and looked to have stolen most of the code from other EKs.<br />
<br />
But several have mentioned lately that it had started to use steganography and had also been weaponized with new exploits.<br />
<br />
@Kafeine - <a href="http://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html" target="_blank">CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits</a><br />
@TrendLabs - <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/" target="_blank">Updated Sundown Exploit Kit Uses Steganography</a><br />
<br />
<h2>
<b>So let's see under the hood of Sundown EK anno 2017</b></h2>
I just reached out to <a href="http://malware-traffic-analysis.net/2017/01/06/index2.html" target="_blank">malware-traffic-analysis</a> for a recent pcap.<br />
<br />
For reference I have added the output from Wireshark showing what was requested from the client, so it will be easier to see what actions have been taken by the EK code. More details over at malware-traffic-analysis.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMDpj_32H6-NMZ5mOCadUhmRWhZ0UMU25SgQ82dMVrVrI6YvKrNgJASbLFwzvA8yMUgX3ZLrD0pWxNydIohxbjb_YJSPc5f0OJzj4l9qw6kqieIHOIcSLXB0W2asDb-XZIj0mg03dZlKVM/s1600/0_wireshark_out_1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMDpj_32H6-NMZ5mOCadUhmRWhZ0UMU25SgQ82dMVrVrI6YvKrNgJASbLFwzvA8yMUgX3ZLrD0pWxNydIohxbjb_YJSPc5f0OJzj4l9qw6kqieIHOIcSLXB0W2asDb-XZIj0mg03dZlKVM/s400/0_wireshark_out_1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h4>
Landing - As always some obfuscation trickery</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7bKSGhKFWxkiib9N_ZVJk__7gcbAwgNfw4vjO7YzhYqhzVysHB2YcqsIY31j40vHUh7Q7dTusXxsh_rmqN3n4ek4fs5XWp_LJcqnFOMagDyrKuFARDONPCzpus8rlvsChSwkb0FWzFdm/s1600/1_landing_obf.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7bKSGhKFWxkiib9N_ZVJk__7gcbAwgNfw4vjO7YzhYqhzVysHB2YcqsIY31j40vHUh7Q7dTusXxsh_rmqN3n4ek4fs5XWp_LJcqnFOMagDyrKuFARDONPCzpus8rlvsChSwkb0FWzFdm/s400/1_landing_obf.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<h4>
Landing - Deobfuscated</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW0gYVjyY4Z8tfg1maGUr7piH9eFp2INccUFkgi0qMz9SRZVbq4MS49mLBWaiVvKqPxoqW30PqL6mXQt-bOAa5gTuCfEL-0hrHQ93Xwe8Y4rADX3a-OYqHi4k-T73pg7jqYvBu3uPX0uXk/s1600/2_landing_deobf.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW0gYVjyY4Z8tfg1maGUr7piH9eFp2INccUFkgi0qMz9SRZVbq4MS49mLBWaiVvKqPxoqW30PqL6mXQt-bOAa5gTuCfEL-0hrHQ93Xwe8Y4rADX3a-OYqHi4k-T73pg7jqYvBu3uPX0uXk/s400/2_landing_deobf.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
Finally we have something we can read and try to understand.</div>
</div>
<div>
<br /></div>
<div>
<div>
The landing page still seems to spray out whatever it has got and hope that something will stick to the client.</div>
<div>
Three Flash files and a mysterious image are set for download.</div>
</div>
<div>
<br /></div>
<h4>
Landing - Flash 1</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhErEOlCWDAJMHrNtFO26hYfF-y9ljIEK-b67LzSVMO698xN-wG7CMhkMYMaqqHEP5w4_MCnjjWelgc_ZLzdvWMsbK5d1p_SDjRa5ezvRYP7NfL8YKnjTglB4qn-GmxZ2XtnMl8SF2akqvX/s1600/3_flash_1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhErEOlCWDAJMHrNtFO26hYfF-y9ljIEK-b67LzSVMO698xN-wG7CMhkMYMaqqHEP5w4_MCnjjWelgc_ZLzdvWMsbK5d1p_SDjRa5ezvRYP7NfL8YKnjTglB4qn-GmxZ2XtnMl8SF2akqvX/s400/3_flash_1.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<div>
Code for loading the Flash file. At the bottom we also see the URL for the payload. We can confirm that this Flash file ran successfully, since Wireshark shows the payload URL being requested by the client.</div>
<div>
<a href="https://www.virustotal.com/en/file/19fb31aa5a1cdab846138d1009eec5d292dc0804579e7ca25fcc9a199f21eced/analysis/1483917113/" target="_blank">VirusTotal link</a></div>
</div>
<div>
<br /></div>
<h4>
Landing - Flash 2</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCZb0NZzWPvl0tCwLMZu34ekJR40d20drrXEsEcAalno_4SF7_6HiLwegGYwqD5p3aAarZosUZDfakED9XgYtISvKUsnGnvEhV9S_mMtDdLugdfi8VpoIVjZWff7eH8CuWEns2c6cPJHCP/s1600/4_flash_2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCZb0NZzWPvl0tCwLMZu34ekJR40d20drrXEsEcAalno_4SF7_6HiLwegGYwqD5p3aAarZosUZDfakED9XgYtISvKUsnGnvEhV9S_mMtDdLugdfi8VpoIVjZWff7eH8CuWEns2c6cPJHCP/s400/4_flash_2.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<div>
More Flash to run... No payload reference on this one?</div>
<div>
Probably CVE-2016-4117</div>
<div>
<a href="https://www.virustotal.com/en/file/353d43559eef91a2a533d897721a68261b43a5f84bb59d6372bdfac0ce57b826/analysis/1483917162/" target="_blank">VirusTotal Link</a></div>
</div>
<div>
<br /></div>
<h4>
Landing - Flash 3</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy1WXsn3Kql5zkJEM91nP-Nu1fKF8js42OOGagYJTbu2BT3rh08FisXOYIRBcCDsTzpiAJinyhbXZX18H40BhwWw9lmxlKzHItZEo-OrnXxQvCWtQwtcVdJXAZEBp5I4ulexEZRl10J8b4/s1600/5_flash_3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy1WXsn3Kql5zkJEM91nP-Nu1fKF8js42OOGagYJTbu2BT3rh08FisXOYIRBcCDsTzpiAJinyhbXZX18H40BhwWw9lmxlKzHItZEo-OrnXxQvCWtQwtcVdJXAZEBp5I4ulexEZRl10J8b4/s400/5_flash_3.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
Even more Flash. Looks like some shellcode is provided at the bottom too, with the payload URL appended. If we unescape the hex string:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbx0QZmM8wLTCEmxuabquHBnCM0LLFHwAkSJRqnDlMZljPahxsM2Ex33yXKUn_f2IKyI7-rAqO_0mEjK6Sr7yizBGnvD0Vffk95hl0rmx6UmeS3d5c3ZzclesK-X6UHfPzQmO0q2qdFzC/s1600/6_unescape_hex.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbx0QZmM8wLTCEmxuabquHBnCM0LLFHwAkSJRqnDlMZljPahxsM2Ex33yXKUn_f2IKyI7-rAqO_0mEjK6Sr7yizBGnvD0Vffk95hl0rmx6UmeS3d5c3ZzclesK-X6UHfPzQmO0q2qdFzC/s400/6_unescape_hex.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<div>
Probably CVE-2015-7645</div>
<div>
<a href="https://www.virustotal.com/en/file/67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6/analysis/1483917311/" target="_blank">VirusTotal - Link</a></div>
</div>
<div>
<br /></div>
<h4>
Landing - PNG steganography</h4>
<div>
On to what we have really been waiting for: steganography in real life. Awesome. Finally we can use the skills we have been training in all those CTFs?</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsryJFdrBUTvficLelwnU4fHrzdHjxZnG54QRfwUj85W_S0Uya0ReoPJzWo9RxQn_Ighm0YXvDe347vSXFbeVFRjwsAUdT22ft2qBCjcIt3GuwqGNG9IahETiuIll4JmUu_wM2gzQH_J-E/s1600/9_png_browser.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsryJFdrBUTvficLelwnU4fHrzdHjxZnG54QRfwUj85W_S0Uya0ReoPJzWo9RxQn_Ighm0YXvDe347vSXFbeVFRjwsAUdT22ft2qBCjcIt3GuwqGNG9IahETiuIll4JmUu_wM2gzQH_J-E/s400/9_png_browser.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
A nice little white image there.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj91vRp79FlHjJgQzCSj2hq5U_3BHs55ZgYSyic1sqcFbGWmTR41K4ndxoq4Ei2iPqo-x_Cq5IXjQzwZ2eGc9WA3ydMQ1d64AeBgYGydaWXCyMtbOp1uMQKMDUuRNuliKZ1Q_VIDWlbHyBn/s1600/7_documnet_png.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="15" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj91vRp79FlHjJgQzCSj2hq5U_3BHs55ZgYSyic1sqcFbGWmTR41K4ndxoq4Ei2iPqo-x_Cq5IXjQzwZ2eGc9WA3ydMQ1d64AeBgYGydaWXCyMtbOp1uMQKMDUuRNuliKZ1Q_VIDWlbHyBn/s400/7_documnet_png.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
OK, so the image is loaded.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYbpDPWKX8x6RQrL3LYjM4xaqCkHVxAg7tHFMbS5pDftFtzhffyZumnIQNQSHaMD7t1Y5E8X9YTV-olXZEqYUe1WqmrVhzoTxdrOm-JEY73Ci0WYtoM6rTzgzOKJhpBHtO3eupsD5AAmfT/s1600/8_png.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYbpDPWKX8x6RQrL3LYjM4xaqCkHVxAg7tHFMbS5pDftFtzhffyZumnIQNQSHaMD7t1Y5E8X9YTV-olXZEqYUe1WqmrVhzoTxdrOm-JEY73Ci0WYtoM6rTzgzOKJhpBHtO3eupsD5AAmfT/s400/8_png.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<div>
And things are done with the image.</div>
<div>
We had better use some voodoo on this image file then and see what is hidden inside.</div>
<h4>
PNG file decoded</h4>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUSipcdaOhJeMM4SZolJCXO9LjmLtcyJ7f2hqSnXgtFM09nSLfEv8nVnkxHB2mx48_VEsW2ny2W0qyhIiRDwEkeRkKikwCGx9c5RNO_YNoK8SSIMgmy6se0wNhFFoT6J-pZ3nTM1BdyhNQ/s1600/10_png_decoded.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUSipcdaOhJeMM4SZolJCXO9LjmLtcyJ7f2hqSnXgtFM09nSLfEv8nVnkxHB2mx48_VEsW2ny2W0qyhIiRDwEkeRkKikwCGx9c5RNO_YNoK8SSIMgmy6se0wNhFFoT6J-pZ3nTM1BdyhNQ/s400/10_png_decoded.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
What else? Moar JavaScript, of course.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOBPo7nEhTqOorjIFk5eQB4s6EtvyLLAxfptLR7GTkxq_1Vbtbm2CEBPU765NJqeXSwkj1nNJfv7uudg8fbC83yWgFBJZG0YHhJjL9D9vRiqdkexi6ewNT8gR5V1DmPTeIuKyeGlxN7vjK/s1600/11_png_shell.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="47" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOBPo7nEhTqOorjIFk5eQB4s6EtvyLLAxfptLR7GTkxq_1Vbtbm2CEBPU765NJqeXSwkj1nNJfv7uudg8fbC83yWgFBJZG0YHhJjL9D9vRiqdkexi6ewNT8gR5V1DmPTeIuKyeGlxN7vjK/s400/11_png_shell.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
<div>
The same shellcode pops up again.</div>
<div>
This looks like old IE exploit code from Sundown. Maybe the new exploits were not added yet when this pcap was taken?</div>
<div>
Probably CVE-2015-2419</div>
<div>
<a href="https://www.virustotal.com/en/file/e0f4197860164b1dfadfd02dc1b39ea5e3274540915814f9111d8108b8d142ab/analysis/1483917363/" target="_blank">VirusTotal Link</a></div>
</div>
<div>
<br /></div>
<div>
<h4>
Payload - encrypted and in clear</h4>
<div>
Strangely, Sundown EK provides the payload both in encrypted form and in clear.</div>
<div>
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOIW11JKvdTEiNIun-OuX-riFgpLgBF_7nbOgdN2tHcsd6g5V4X9i0tiln8q_uQilCUL7FDmMxumt7onQM4KfMEs0hsV1CaTyILJRNyAAENLC29vPZktGXxHMm6v-JC31YvW3-muE4e81X/s1600/12_payload_clear.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOIW11JKvdTEiNIun-OuX-riFgpLgBF_7nbOgdN2tHcsd6g5V4X9i0tiln8q_uQilCUL7FDmMxumt7onQM4KfMEs0hsV1CaTyILJRNyAAENLC29vPZktGXxHMm6v-JC31YvW3-muE4e81X/s400/12_payload_clear.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
As seen, the payload in clear.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRz7FypLLSUBFYAp-jf6PH7axtggrg0_poALjYTCEomIAAevFrRXMyQQi9LiuJcv938ecSKEkN3nN4goQ-qneW9KXyKL_333dmM0JmKd8ho3j-Fp7rY0WjcZKaoKpCFa6s5rhYWzHjD2J-/s1600/13_payload_enc.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRz7FypLLSUBFYAp-jf6PH7axtggrg0_poALjYTCEomIAAevFrRXMyQQi9LiuJcv938ecSKEkN3nN4goQ-qneW9KXyKL_333dmM0JmKd8ho3j-Fp7rY0WjcZKaoKpCFa6s5rhYWzHjD2J-/s400/13_payload_enc.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
And the payload RC4 encrypted.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-nyx64M_l3vDjWVHqFTdK4uCSjT50XckeUtN_1CRZ66aBc3gVxQUjgxGvq-ksHWiqurkFzhL7xItb7vuP8vh_7NCvgTo5cCAjwjzEZT8UVdimR-nAawliMwYonSDOzOyfZkQh26dpy9iX/s1600/14_payload_decrypt.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-nyx64M_l3vDjWVHqFTdK4uCSjT50XckeUtN_1CRZ66aBc3gVxQUjgxGvq-ksHWiqurkFzhL7xItb7vuP8vh_7NCvgTo5cCAjwjzEZT8UVdimR-nAawliMwYonSDOzOyfZkQh26dpy9iX/s400/14_payload_decrypt.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
After RC4 decryption.</div>
<div>
<br /></div>
<div>
<a href="https://www.virustotal.com/en/file/05b96b412347a1383d7add644b2bc29142ec79df581655ffca4731dbde742d40/analysis/1483918077/" target="_blank">Virustotal Link</a></div>
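<div>
As an added example that is not part of the original post: the RC4 step above, done in Python against a constructed stand-in blob. The key and sample payload below are placeholders (the real key has to be recovered from the landing page and shellcode); the PE-header check is a cheap way to tell whether the key was right before the file goes anywhere near a sandbox.</div>

```python
"""Added example (not from the original post): RC4-decrypt a captured
exploit-kit payload blob and sanity-check that the result is a PE file.
SAMPLE_KEY and SAMPLE_PE are constructed for illustration only."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check that decryption produced a Windows executable:
    'MZ' magic, and the e_lfanew pointer at offset 0x3C lands on 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(key: bytes, blob: bytes) -> tuple:
    """Return (decrypted bytes, True if they pass the PE sanity check)."""
    plain = rc4(key, blob)
    return plain, looks_like_pe(plain)


# Constructed stand-in for a payload: a minimal DOS header whose e_lfanew
# points at a 'PE\0\0' signature at offset 0x40, padded to 0x50 bytes.
SAMPLE_KEY = b"constructed-key"
SAMPLE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
             + b"PE\x00\x00" + b"\x00" * 12)
SAMPLE_ENCRYPTED = rc4(SAMPLE_KEY, SAMPLE_PE)  # what the pcap would carry

if __name__ == "__main__":
    plain, ok = decrypt_payload(SAMPLE_KEY, SAMPLE_ENCRYPTED)
    print("decrypted %d bytes, PE header check: %s" % (len(plain), ok))
```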
<div>
<br /></div>
<div>
<h3>
Epilogue</h3>
<div>
Encryption of payloads has started. Maybe Sundown will discontinue the clear-text download of payloads in the future.</div>
<div>
Using stego is at least a cool feature.</div>
<div>
Sundown still seems to be greedy: it just throws all the exploits it has got at you, hopes that something succeeds, and downloads payloads in various formats after that.</div>
<div>
As @Kafeine reported, a new exploit was added recently. Maybe there will be a fight between Sundown and Rig for the EK throne in the weeks and months to come?</div>
<div>
<br /></div>
<div>
Todo: look more into the Flash files for details. Out of luck finding the newly announced exploits, so I guess I need another go soon.</div>
<div>
<br /></div>
<div>
No Python coding needed for this task (RC4 decryption only, but that code was on disk already), so we have to fill the void with some different Python: Monty Python. Nice to blog so I could look through some old stuff again. What better than the <a href="https://www.youtube.com/watch?v=tS_JBDRk8o0" target="_blank">Trojan Rabbit</a>? Enjoy!</div>
</div>
<div>
<br /></div>
<div>
Happy Sundown EK hunting!</div>
<div>
<br /></div>
<div>
@malforsec</div>