Year: 2016

Blocking DNS Tunneling at the Host

There was a time where there was an alarming rate at which malware would use some unique port that wasn’t used by other services. The port was usually some ephemeral port. These days though, it is being seen more and more of malware using ports commonly open outbound on a system such as 22, 25, 53, 80, and 443. The one that we will focus on is 53, which is registered for DNS, and blocking it from an attack commonly known as DNS tunneling.

It is best to think through what systems are needed to be contacted for DNS services. Once you have that in mind, we can begin blocking any other DNS traffic that might be malicious. We will do this with the Windows Firewall.

Configuring the way to block port 53 traffic to a specific IP address and to every IP address except for one can be found HERE.

Understand the DNS traffic can be routed through another port. Unfortunately, the Windows Firewall won’t be able to help with that detection.

Under The Wire!

Under The Wire, the PowerShell gaming server is now web based and can be access at www.underthewire.tech. On there, you will find directions to access our servers using you own instance of PowerShell. To date, we have two games that are live with another in production.

Parsing Registry files with RegRipper

The registry of a system contains a lot of good data that can be used forensic analysis. Parsing that data from dead box forensics (bit image) using RegRipper (rip.pl) will provide you with a lot of useful information. RegRipper is an automated HIVE parser that can parse the forensic contents of the SAM, SECURITY, SYSTEM, SOFTWARE, and the NTUSER.DAT HIVES that it is pointed at. You can even use this to forensically mine the contents of restore point registry files. RegRipper utilizes plugins and aside from the default ones installed during installation, more are available online. The program is available for use on Linux or Windows. The Windows variant includes a GUI.

Rip.pl can be invoked by pointing the -r HIVEFILE at the hive you would like to mine forensically. You also need to tell RegRipper the type of hive file it is (sam, security, software, system, ntuser). Hives can be found at C:\Windows\system32\config and the ntuser.dat is located on the root of the each users profile. Once RegRipper is installed on your system, you can use the below syntax to get started and useful options.

# rip.pl -r -f
[Useful Options]
-r Registry hive file to parse
-f Use(sam, security, software, system, ntuser)
-1 List all plugins
-h Help

No Need to Unzip, Just Use Zcat or Zgrep

There will be times when you may encountered a zipped file and want to quickly parse it without having to unzip it. When the time comes, zcat and zgrep will be your savior. The usages of both are very straightforward but there are man pages for both for further reading. Basic usages of the two are depicted below.

Display the contents of a zipped file

Search for specific characters/words in zipped files.

Analyzing Various Memory Capture Formats

In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference.

FTK Imager
– Outputs to .mem
– Can be analyzed in Volatility
Vol.py –f –profile=

VMWare (.vmem)
– .vmem and .vmsm are created when a VM is suspended
– Can be analyzed with Volatility (.vmem and .vmsm have to be in the same directory) Vol.py –f –profile=

DumpIt
– Outputs to .raw
– Can be analyzed in Volatility
Vol.py –f –profile=

Hibernation file (hiberfile.sys)
– The File is created when a system is put into hibernation mode
– Located at the root of the C:\
– The file needs to be converted before using. It can be converted to .img using Volatility
Vol.py imagecopy –f hiberfile.sys –O –profile=
– After conversion to .img, it can be analyzed in Redline or Volatility
Vol.py –profile=

Mandiant Memoryze
– Outputs to .img
– Can be analyzed in Redline or Volatility
Vol.py –profile=

Crash Dumps
– Extension will be .dmp
– Will be written to C:\Windows\Minidump or C:\Windows by default
– Dumps can be forced to happen by adding the value called namedCrashOnCtrlScroll with a REG_DWORD value of 0x01 at HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\kbdhid\Parameters. After rebooting the machine, hold down the rightmost CTRL key and press the SCROLL LOCK key twice
– Can be analyzed with Volatility
Vol.py –profile= – Can be analyzed in Redline but must be converted to .img first
Vol.py imagecopy –f –O –profile=

Application Whitelisting with Applocker

If you are a part of defending an infrastructure, then you know defense-in-depth is the name of the game. The more detection systems that can be employed to detect anomalies or malicious actions, the better chance you stand to have a safe network. One of many ways to aid in this endeavor is application whitelisting. While there are many different types of application whitelisting, I’d like to focus on the Windows Applocker.

Applocker does have some cons. For starters, the feature is available in Win7 and Server 2008R2 and up. Applocker is limited to Windows 7 Enterprise and Ultimate along with Server 2008R2 clients. For XP and Vista, you can use Software Restriction Policy to provide some defense but not as much as what Applocker would provide.

To configure it, you need to go to Administrative Tools and open up Group Policy Management console on your Domain Controller. Once you are there, right click on the Default Domain Policy and click Edit to open Group Policy Management Editor. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. You should see the below screen. Take note to the options available on the right pane after click on Applocker and those shown below in the left pane.

Applocker

The first thing we want to do is setup the rule enforcements by clicking on “Configure Rule Enforcement” in the middle of the right pane. From there we have the option of audit only (logging) or enforcing when a rule of that category is triggered.

The next thing we need to do is add the rules, which are the options under Applocker in the left pane. Below is a quick breakdown of those categories.

Executable Rules: This will contain the rules which apply to executable files.
Windows Installer Rules : This will contain the rules which apply for the windows installer packages with .msi and .msp extensions.
Script Rules : This will contain rules which apply to scripts files with .ps1, .cmd, .vbs, .bat, .js extensions.

Now that we have Applocker configured, we need to turn on the Application Identity service across the domain, in order to do that we will create a GPO. The path to said GPO is Computer Configuration > Windows Settings > Security Settings > System Services> Application Identity.

Network Grep for the Folks Who Love to Grep!

Network grep (ngrep) is a great program that allows you to search and filter network packets rather quickly. There is some resemblance to the well-known Linux grep program. Ngrep can analyze live traffic or saved pcaps. The man pages for ngrep are rather straightforward. Ngrep currently recognizes IPv4/ 6, TCP, UDP, ICMPv4/6 and IGMP. The program also understands regular and hex expressions, which is a huge benefit. In the simplest terms, ngrep applies the most common features of grep at the network layer. A few key switches that I will typically use are below but a full list can be found on the man pages.

-q | Will ‘quiet’ the output by printing only packet headers and relevant payloads
-t | Print the timestamp every time there is a match
-i | Ignore case
-I | Read in saved pcap
-w | Expression must match word – regex
-W byline | Linefeeds are printed as linefeeds, making the output pretty and more legible
-s | Set BPF capture length

Below are a few examples of common usages of ngrep.

This command will query all interfaces and protocols for a string match of ‘HTTP’.

If you have a network capture file in .pcap format, use -I $FILE to filter the capture instead of a network interface. This can be handy, for example, if you have a record of a networking event and you need to do a quick analysis.

Reverse of the above command, using only the -O flag will filter against a network interface and copy the matched packets into a capture file in .pcap format.

Search for .exe

Monitor for current email transactions and print the addresses.

This will grab the password and username of all ftp sessions.

Capture network traffic incoming to eth0 interface and show parameters following HTTP GET or POST methods

Monitor all traffic on your network using port 80 with a source IP of 12.34.56.78

Monitor all traffic on your network using port 80 with a source IP of 12.34.56.78 and destination of 98.76.54.32

Search the word “login” tranversing port 23 using regex

The match expression can be combined with a pcap filter. For example, suppose we wanted to look for DNS traffic mentioning cyberfibers.com

Berkley packet filter (bpf) adds to the flexibility of ngrep. Bpf specifies a rich syntax for filtering network packets based on information such as IP address, IP protocol, and port number.

IP address

IP protocol

Port number

For even more granularity, you can combine primitives using boolean connectives and, or and not to really specify what your looking for.

Extracting Data with Bulk Extractor

When it comes to forensics, styles and methodologies may vary from person to person (or organization). Some methods take longer than others and results may vary. One tool/ technique that I lean to time and time again is using Bulk Extractor. Bulk Extractor is a program that enables you to extract key information from digital media. Its usage is valuable no matter the type of case you may be working. A list of the type of information it can extract is depicted on their webpage at https://github.com/simsong/bulk_extractor/wiki/Testing.

There is a Windows and Linux variant of the program both capable of running from the command line or GUI. It is 4-8 times faster than other tools like EnCase or FTK due to its multi-threading. The program is capable of handling image files, raw devices, or directories. After it completes, it outputs its findings to an .xml file, which can be read back into Bulk Extractor for analysis. The output will look similar to below.

Bulk_Extractor

The scanners that you selected to run against your image file have will out to a report in the reports column. Not all scanners generate their own report as they may bucket the information that they find with another report. The chart above can help you determine where a scanner will output. Also, when a selected scanner doesn’t return any suitable data, you will not see a report for it. When you do select a report, it will output its findings to the middle column. From there you can type in strings to search for our just scroll down to view the data. If you want to go further into it data, just click on one of the findings in the middle column and more output will appear in the image column all the way to the right. The image column by default will display the text and the location of the data in the image file. There is an option though to change the image output from text to hex.

(more…)

Analyzing Memory in the Wonderful World of Redline

Redline is one of a few memory capture/analyzer programs that I keep in my toolkit. How it works is that the software needs to only be installed on the system that you will be analyzing the data on and from there, you would configure the options you want to include grabbing a copy of live memory and save the custom script from Redline. With said script in hand, you would then run it on the system from which memory will be captured. The output will be saved to the location from where the script ran from. With the output data in hand, you would then take it back to you analyst system and import the data into Redline.

Upon importing the data, you will be presented with a few options to aid you in your investigation and after that, you will be presented with a gui of said data. Redline will also provide an MRI (Malware Risk Index) score based on a multiple factors and if it considers it to be bad or very suspicious, it will have a red circle next to it as seen below.

redline

Redline has the ability to analyze memory captures for Memoryze and other captures in the format of .img. I have tried other memory capture formats with 50/50 results.

Another Layer of Defense… Microsoft Baseline Security Analyzer (MBSA)

Once installed, you can use the program via the GUI or command line. If utilizing the GUI, it is very straightforward as there are only three options available (scan a computer, scan multiple computers, and view existing security reports).

At the conclusion of a scan, a report will be produced at which time you will be presented with an overall assessment and a breakdown of each category analyzed. The score is broken down into four categories, which are depicted below.

• Green checkmark — check passed
• Yellow exclamation — check failed – (non-critical)
• Red “X” — check failed (critical)
• Blue “I” — additional information

An additional benefit is that the program depicts what was scanned, the result details, and how to fix the program. While MBSA shouldn’t be the only defense a user has on their system, it should definitely be in their arsenal.

When a scan is performed, the program reaches out to the Internet to get the latest information, in order to accurately depict the state of the system. There may be cases where an Internet connection is not feasible and in that case, you can use MBSA offline. The offline assessment would then only be able to provide the information it knows about as of the last time it scanned and had Internet access. The use MBSA offline yet still have updated information, you can air-gap a few files over to the system doing the scanning. The files needed to do an offline assessment are

• Security update catalog (wsusscn2.cab), available from the Microsoft website: http://go.microsoft.com/fwlink/?LinkID=74689.
• Windows Update Redistribution Catalog (wu redist.cab) at http://update.microsoft.com/redist/wuredist.cab.
• Authorization catalog (muauth.cab) for Windows Update site access, available from the Microsoft website or by examining the contents of the wuredist.cab file at http://update.microsoft.com/redist/wuredist.cab.
• Windows Update Agent standalone installers (if not already installed). The latest versions are available by examining the contents of the wuredist.cab file at http://update.microsoft.com/redist/wuredist.cab.

(more…)

Linux Secure Copy (SCP)

SCP is a must for quick transfer of files in native environments. In order to interact with a Windows machine, an SSH server is needed on the system but you may be able to get around that be specifying a different port.

Below are a few examples of how it help you in your daily work.

Copy the file “some_data.txt” from a remote host to the local host

Copy the file “some_data.txt” from the local host to a remote host

Copy the directory “some_dir” from the local host to a remote host’s directory “data”

Copy the file “data.txt” from remote host “sys_1” to remote host “sys_2”

your_username@sys_2:/some/remote/directory/
Copying the files “data.txt” and “more_data.txt” from the local host to your home directory on the remote host

Copy the file “data.txt” from the local host to a remote host using port 2264

Copy multiple files from the remote host to your current directory on the local host

Search Exchange 2010 Mailboxes

NOTE: The user you run the script with must have the “Discovery Management” RBAC Role.

This script will search all mailboxes for email with attachments named “document1” and “document2” regardless of the file extension. The script will then copy the email message to the “admin.mailbox” mailbox in a folder called “Search_07102014”. Once the script is complete open “admin.mailbox” in Outlook and you’ll see the “Search_11242015” folder under the Inbox containing all the results.

This modification will search for all “.doc” and “.pdf” files and copy them to the same mailbox and folder.

To search for keywords use this modification.

Bitnami