Month: March 2016

Application Whitelisting with Applocker

If you are a part of defending an infrastructure, then you know defense-in-depth is the name of the game. The more detection systems that can be employed to detect anomalies or malicious actions, the better chance you stand to have a safe network. One of many ways to aid in this endeavor is application whitelisting. While there are many different types of application whitelisting, I’d like to focus on the Windows Applocker.

Applocker does have some cons. For starters, the feature is available in Win7 and Server 2008R2 and up. Applocker is limited to Windows 7 Enterprise and Ultimate along with Server 2008R2 clients. For XP and Vista, you can use Software Restriction Policy to provide some defense but not as much as what Applocker would provide.

To configure it, you need to go to Administrative Tools and open up Group Policy Management console on your Domain Controller. Once you are there, right click on the Default Domain Policy and click Edit to open Group Policy Management Editor. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. You should see the below screen. Take note to the options available on the right pane after click on Applocker and those shown below in the left pane.

Applocker

The first thing we want to do is setup the rule enforcements by clicking on “Configure Rule Enforcement” in the middle of the right pane. From there we have the option of audit only (logging) or enforcing when a rule of that category is triggered.

The next thing we need to do is add the rules, which are the options under Applocker in the left pane. Below is a quick breakdown of those categories.

Executable Rules: This will contain the rules which apply to executable files.
Windows Installer Rules : This will contain the rules which apply for the windows installer packages with .msi and .msp extensions.
Script Rules : This will contain rules which apply to scripts files with .ps1, .cmd, .vbs, .bat, .js extensions.

Now that we have Applocker configured, we need to turn on the Application Identity service across the domain, in order to do that we will create a GPO. The path to said GPO is Computer Configuration > Windows Settings > Security Settings > System Services> Application Identity.

Network Grep for the Folks Who Love to Grep!

Network grep (ngrep) is a great program that allows you to search and filter network packets rather quickly. There is some resemblance to the well-known Linux grep program. Ngrep can analyze live traffic or saved pcaps. The man pages for ngrep are rather straightforward. Ngrep currently recognizes IPv4/ 6, TCP, UDP, ICMPv4/6 and IGMP. The program also understands regular and hex expressions, which is a huge benefit. In the simplest terms, ngrep applies the most common features of grep at the network layer. A few key switches that I will typically use are below but a full list can be found on the man pages.

-q | Will ‘quiet’ the output by printing only packet headers and relevant payloads
-t | Print the timestamp every time there is a match
-i | Ignore case
-I | Read in saved pcap
-w | Expression must match word – regex
-W byline | Linefeeds are printed as linefeeds, making the output pretty and more legible
-s | Set BPF capture length

Below are a few examples of common usages of ngrep.

This command will query all interfaces and protocols for a string match of ‘HTTP’.

If you have a network capture file in .pcap format, use -I $FILE to filter the capture instead of a network interface. This can be handy, for example, if you have a record of a networking event and you need to do a quick analysis.

Reverse of the above command, using only the -O flag will filter against a network interface and copy the matched packets into a capture file in .pcap format.

Search for .exe

Monitor for current email transactions and print the addresses.

This will grab the password and username of all ftp sessions.

Capture network traffic incoming to eth0 interface and show parameters following HTTP GET or POST methods

Monitor all traffic on your network using port 80 with a source IP of 12.34.56.78

Monitor all traffic on your network using port 80 with a source IP of 12.34.56.78 and destination of 98.76.54.32

Search the word “login” tranversing port 23 using regex

The match expression can be combined with a pcap filter. For example, suppose we wanted to look for DNS traffic mentioning cyberfibers.com

Berkley packet filter (bpf) adds to the flexibility of ngrep. Bpf specifies a rich syntax for filtering network packets based on information such as IP address, IP protocol, and port number.

IP address

IP protocol

Port number

For even more granularity, you can combine primitives using boolean connectives and, or and not to really specify what your looking for.