Friday, November 27, 2020

Essential Event Log Configurations to be Correlated

When configuring Windows audit event logging, there are plenty of guides available on the Internet to follow, and most of their event configurations overlap. However, we have to choose the most optimal and practical implementation for our business case, server capability, security requirements and experience.

    1) Microsoft audit policy recommendations
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

    2) What event IDs to monitor for AD compromise (this is a good example showing that if we already collect these events, we would be able to monitor them in the SIEM)
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

    3) Collection of event log configurations (the site also contains cheat sheets for other log sources such as Sysmon; covering MITRE ATT&CK techniques is also possible)
    https://www.malwarearchaeology.com/cheat-sheets

Going through the above guides shows that, apart from the Security audit log, several other default logs (RDP, PowerShell, SMB) and external logs such as Sysmon are helpful in covering the full picture. Some event logs are more useful on an AD domain controller and some on a file server. Therefore, start with a simple but proper security audit log configuration (e.g. CIS or Microsoft) first and get the process going. Then integrate the other logs into the collection. Understand the practical issues in implementation, such as log file size. Then look into monitoring and visualization. The SIEM may have a set of default use cases that become useful once logs are properly configured. If not, a new use case can be defined based on your experience and business requirements.

For Linux audit log
    1) Audit configuration rule compilation by Florian Roth. The rule set is commented and can be used as a guide to understand the required audit configurations.
    https://github.com/Neo23x0/auditd

For other Applications
    1) Consider logs such as the Apache access log, MySQL logs or even email logs. The security team should go through each log and check whether it is rich enough and has all the data required from an auditing perspective. If not, it should be improved before being forwarded to the SIEM for monitoring and alert generation.

Thursday, November 19, 2020

Event Log Retention Requirements as mandated by Major Compliance Regulations

On September 20th, 2016, Digital Edge released an article on Log Management Laws and Regulations. Below is a little "Cheat Sheet" on the Event Log Retention Requirements as mandated by major compliance regulations:

Regulation      Retention Requirement
-------------------------------------
HIPAA           7 years
PCI DSS         1 year
SOX             7 years
ISO 27001       3 years
FISMA           3 years
GPG 13          3+ months
NERC CIP        3 years
GLBA            6 years
DoDI 8500.2     5 years
NIST            3 years

Sunday, August 30, 2020

Remove PostgreSQL in Ubuntu 18.04

Once I was using PostgreSQL, and when I no longer needed to keep the installation, I wanted to remove it completely.

So I used the command listed below to remove PostgreSQL.

sudo apt-get --purge remove postgresql

Even though the uninstallation was successful, when I went to log in there was still a "PostgreSQL" user. I tried running sudo deluser PostgreSQL but all I got was

/usr/sbin/deluser: The user `PostgreSQL' does not exist.

In order to verify the existence of the user, I checked the passwd file.

grep -i postgre /etc/passwd
postgres:x:1001:1001:PostgreSQL:/opt/ManageEngine/OpManager/pgsql:/bin/sh

Only then did I realize that the login name and the user's full name are not the same. So I tried removing the user "postgres" using the command below, and it was successful.

sudo deluser postgres

Wednesday, August 12, 2020

Why / Why Not Virtual Patching

While the goal of many organizations is to keep operating systems and other business application software up to date with the latest security patches, realities impede the progress in being able to quickly address a vulnerability before a malicious adversary can take advantage of it.

There are many factors that complicate the ability to mitigate a given vulnerability once it has been identified. These factors include:

  • Obsolete/legacy applications being used by the organization.
  • Application dependencies that can cause functional errors when a patch is applied. Therefore, proper testing is required before applying a patch to the software or operating system of an application system, and to address issues that the patch can introduce.
  • Operational delays due to a lack of resources and expertise within the organization to allocate to vulnerability management.

Therefore, patch response time varies greatly due to the circumstances given above.

In situations where traditional patches are not feasible, a virtual patch can be utilized to reduce the likelihood of a successful cyber attack. It helps to mitigate vulnerabilities in a separate layer, where problems in applications are fixed without altering the application directly. A virtual patch fixes problems by blocking or eliminating the exploitable condition through control of the inputs and outputs to and from the application.

The virtual patching solution helps organizations to:

  • Mitigate the risk of an exploit quickly, until an effective, permanent patch for the vulnerable operating system or business application can be tested and released by the vendor.
  • Maintain the normal patching cycle without interrupting operations if a vulnerability arises midway between scheduled patch releases.
  • Reduce or eliminate the time and money spent performing emergency patching.
  • In certain cases, mitigate the risk before the original patch is released.

While virtual patching offers many advantages to the organization, it also has limitations:
  • Virtual patching will not be able to address all possible ways, or all of the possible locations, in which an exploit can occur as a result of a particular vulnerability.
  • A countermeasure has to be developed for each security issue, and new vulnerabilities are discovered rapidly.
  • While virtual patching serves as a compensating control that buys time in the patch cycle, the organization always needs to fix the vulnerabilities themselves to prevent the associated risks.
  • While a virtual patch can avert an immediate crisis, it cannot eliminate the inherent defects of a poorly developed application program.

Hence, a successful implementation of a virtual patching solution provides an additional layer of security to the organization's IT infrastructure, which helps to reduce the risk of many critical security vulnerabilities that cannot be resolved due to various dependencies.

Thursday, July 16, 2020

Is Microsoft Windows User Account Control (UAC) a Security Feature?

User Account Control (UAC) helps mitigate the impact of malware.

Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.

Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels.

A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.

The policy setting "User Account Control: Admin Approval Mode for the Built-in Administrator account" controls the behavior of Admin Approval Mode for the built-in Administrator account.
  • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
  • Disabled (default): The built-in Administrator account runs all applications with full administrative privilege.
Refer to reference [2] for more information on policy settings.

The UAC User Experience

When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.

Is UAC secure?

UAC is not a security feature. It’s a convenience feature that acts as a forcing function to get software developers to get their act together [4].

There’s a control panel that lets you specify how often you want to be prompted by UAC. You can set any of four levels:
  1. Always notify
  2. Notify only when apps try to change settings, use the secure desktop
  3. Notify only when apps try to change settings, don’t use the secure desktop
  4. Never notify

Although it looks like there are four settings, in a theoretical sense, there really are only two settings.
  1. Always notify
  2. Never notify
The reason why all the other options collapse into Meh is that the Notify only when apps try to change settings option can be subverted by any app simply by injecting a thread into Explorer and doing its dirty work there. Since Explorer is a program that the setting allows to elevate silently, this lets you perform a silent elevation from any thread that has thread injection rights into Explorer (which is pretty much any program running at medium integrity level or higher) [5].

UACMe [3]

UACMe [3] helps to defeat Windows User Account Control by abusing the built-in Windows AutoElevate backdoor. Relying on UAC on Windows 7 and Windows 10, however, is not enough. Attackers can use tools such as UACMe to gain access to a system.

Reference:

[1] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
[2] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings
[3] https://github.com/hfiref0x/UACME
[4] https://channel9.msdn.com/
[5] https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105

Wednesday, July 15, 2020

SigRed (CVE-2020-1350) Registry Workaround

Security researchers at Check Point discovered a critical security flaw in Microsoft DNS servers. The flaw allows remote code execution attacks that lead to total compromise of the server. The DNS server role is often bundled with enterprise domain controllers in corporate environments. Hence, exploitation allows an unauthenticated, remote attacker to gain domain administrator privileges and seize complete control of an organization's IT infrastructure. The flaw was named 'SigRed' by Check Point and assigned CVE-2020-1350 with a CVSS base score of 10. The flaw is wormable, meaning a single exploit of the issue can trigger a chain reaction that allows attacks to spread from one computer to another.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

    Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    Value: TcpReceivePacketSize
    Data:  0xFF00

Note: You must restart the DNS Service for the registry change to take effect.

    The default (also maximum) value = 0xFFFF
    The recommended value = 0xFF00 (255 bytes less than the maximum)

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.

Reference:
[1] https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
[2] https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Tuesday, July 7, 2020

Cracking Passwords with John the Ripper

John the Ripper (JtR) is a password cracking tool originally produced for UNIX-based systems. It was designed to test password strength, brute-force encrypted (hashed) passwords, and crack passwords via dictionary attacks.

The tool comes in both GNU-licensed and proprietary (Pro) versions. An enhanced “jumbo” community release has also been made available on the open-source GitHub repo.

JtR works in three different ways:
  1. Dictionary attack
  2. Brute-force attack
  3. Rainbow tables: A pre-computed list of password hashes (derived from commonly set passwords) is compared against an existing data dump to find the correct password in its plaintext form. It should be noted that this approach will be ineffective when password hashes are salted and salt values are too large, all of which increases the overall complexity.
JtR provides at least three modes along with an "external" mode, which basically lets a user define a customized mode via a configuration file.
  • Single crack mode: JtR's creators recommend running this mode first as it is considered the quickest. Single crack mode uses information from UNIX passwd files (users' full names, usernames, etc., as present in the GECOS fields of UNIX passwd/shadow files) to "guess" passwords. This can be helpful in cases where a user has set a password based on commonly available information or on a phrase in the username (e.g. admin:password, john:john123).
  • Wordlist mode: This mode relies on the user providing a text file with a list of passwords, ideally one per line and without duplicates.
  • Incremental mode: JtR's equivalent of brute force. It is the most powerful cracking mode, but so time-consuming that for a sufficiently complex password it may never complete in a practical amount of time.
Usage Examples:

Example 01:
Now, let's assume you've got a password file, "mypasswd", and want to crack it. The simplest way is to let John use its default order of cracking modes:

	john mypasswd

This will try "single crack" mode first, then use a wordlist with rules, and finally go for "incremental" mode.

If you've got some passwords cracked, they are stored in $JOHN/john.pot. The john.pot file is not meant to be human-friendly. You should be using John itself to display the contents of its "pot file" in a convenient format:

	john --show mypasswd

If the account list gets large and doesn't fit on the screen, you should, of course, use your shell's output redirection.

You might notice that many accounts have a disabled shell. You can make John skip those in the report. Assuming that the disabled shell is called "/etc/expired", the command would be:

	john --show --shells=-/etc/expired mypasswd

or shorter, but will also match "/any/path/expired":

	john --show --shells=-expired mypasswd

or if you also want to ignore some other shell, say "/etc/newuser":

	john --show --shells=-expired,newuser mypasswd

To check if any root (UID 0) accounts got cracked:

	john --show --users=0 mypasswd

or to check for cracked root (UID 0) accounts in multiple files:

	john --show --users=0 *passwd* *.pwd

To display the root (username "root") account only:

	john --show --users=root mypasswd

And finally, to check for privileged groups:

	john --show --groups=0,1 mypasswd

4. You might prefer to manage the cracking modes manually. It is wise to start with "single crack" mode:

	john --single mypasswd

or since the GNU-style double dashes are optional and since option names can be abbreviated for as long as they remain unambiguous:

	john -si mypasswd

You should not abbreviate options in scripts which you would want to work with future versions of John since what is unambiguous now might become ambiguous with the addition of more options.

If you have more files to crack, it is preferable to load them at the same time:

	john --single passwd1 passwd2

or even:

	john --single *passwd* *.pwd

This way, John will run faster and might even crack more passwords than it would if you ran it on each password file separately.

5. To catch weak passwords not derived from readily available users' personal information, you should proceed with cracking modes demanding more processor time. First, let's try a tiny wordlist with word mangling rules enabled:

	john --wordlist=password.lst --rules mypasswd

or abbreviating the options:

	john -w=password.lst -ru mypasswd

Then proceed with a larger wordlist, also applying the mangling rules:

	john --wordlist=all.lst --rules mypasswd

If you've got a lot of spare disk space to trade for performance and the hash type of your password files is relatively slow, you may use John's "unique" utility to eliminate any duplicate candidate passwords:

	john --wordlist=all.lst --rules --stdout | unique mangled.lst
	john --wordlist=mangled.lst mypasswd

If you know that your target hash type truncates passwords at a given length, you may optimize this even further:

	john --wordlist=all.lst --rules --stdout=8 | unique mangled8.lst
	john --wordlist=mangled8.lst mypasswd

Alternatively, you may simply use huge.lst available on Openwall wordlist collection CDs. It has word mangling rules pre-applied for the most common languages and it has any duplicates purged.

Depending on target hash type, the number of different salts (if applicable), the size of your wordlist, rules, and processor performance, wordlist-based cracking may take anywhere from under a second to many days.

You do not have to leave John running on a (pseudo-)terminal. If running John on a Unix-like system, you can simply disconnect from the server, close your xterm, etc. John will catch the SIGHUP ("hangup" signal) and continue running. Alternatively, you may prefer to start it in the background right away:

	john --wordlist=all.lst --rules mypasswd &

Obviously, the "&" is specific to Unix shells and will not work on most other platforms.

You may further enhance this by specifying a session name:

	john --session=allrules --wordlist=all.lst --rules mypasswd &

This ensures that you won't accidentally interfere with the instance of John running in the background if you proceed to start other sessions.

To view the status of a running session, use:

	john --status

for the default session or:

	john --status=allrules

for any other session. This works for both interrupted and running sessions. To obtain the most up-to-date information from a running session on a Unix-like system, send a SIGHUP to the appropriate "john" process.

Any interrupted sessions may be continued with:

	john --restore

or:

	john --restore=allrules

Finally, to make John have less impact on other processes, you should set the option "Idle = Y" in the configuration file.

To only crack accounts with a "good" shell (in general, the shell, user, and group filters described above work for all cracking modes as well):

	john --wordlist=all.lst --rules --shells=sh,csh,tcsh,bash mypasswd

Like with all other cracking modes, it is faster to crack all the files you need cracked simultaneously:

	john --wordlist=all.lst --rules passwd1 passwd2

You can crack some passwords only. This will try cracking all root (UID 0) accounts in all the password files:

	john --wordlist=all.lst --rules --users=0 *passwd*

Alternatively, you may wish to not waste time cracking your very own passwords, if you're sure they're uncrackable:

	john --wordlist=all.lst --rules --users=-root,solar *passwd*

Sometimes it is useful to split your password hashes into two sets which you crack separately, like:

	john --wordlist=all.lst --rules --salts=2 *passwd*
	john --wordlist=all.lst --rules --salts=-2 *passwd*

This will make John try salts used on two or more password hashes first and then try the rest. Total cracking time will be almost the same, but you will get some passwords cracked earlier, which is useful, for example, for penetration testing and demonstrations to management. Similarly, you may check all password hashes with a small wordlist, but only those that you can check faster (with "--salts=2") with a larger one. With large numbers of password hashes and/or with a highly non-uniform distribution of salts, it may be appropriate to use a threshold larger than 2 with "--salts" (sometimes even values as high as 1000 will do).

Note that the default wordlist rules include ":" (a no-op - try words as they are in the list) on the first line. If you already ran through a wordlist without using rules, and then decided to also try the same wordlist with rules, you'd better comment this line out.

6. The most powerful cracking mode in John is called "incremental" (not a proper name, but kept for historical reasons). You can simply run:

	john --incremental mypasswd

or:

	john -i mypasswd

This will use the default "incremental" mode parameters, which are defined in the configuration file's section named either [Incremental:ASCII] (for most hash types) or [Incremental:LM_ASCII] (for Windows LM hashes). By default, the [Incremental:ASCII] parameters are set to use the full printable ASCII character set (95 characters) and to try all possible password lengths from 0 to 13 (if the current hash type has a lower maximum password length, incremental mode's length limit is reduced accordingly). [Incremental:LM_ASCII] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves being limited to 7 characters each.

In some cases it is faster to use some other pre-defined incremental mode parameters and only crack simpler passwords, from a limited character set. The following command will try 10 different characters only, passwords from "0" to "99999999999999999999" (in an optimal order):

	john -i=digits mypasswd

Of course, you can use most of the additional features demonstrated above for wordlist mode with "incremental" mode as well. For example, on a large-scale penetration test, you may have John crack only root (UID 0) accounts in a set of password files:

	john -i -u=0 *.pwd

7. If you've got a password file for which you already have a lot of passwords cracked or obtained by other means, and the passwords are unusual, then you may want to generate a new charset file, based on character frequencies from that password file only:

	john --make-charset=custom.chr mypasswd

Then use that new file with "incremental" mode.

If you've got many password files from a particular country, organization, etc., it might be useful to use all of them for the charset file that you then use to crack even more passwords from these files or from some other password files from the same place:

	john --make-charset=custom.chr passwd1 passwd2
	[ Configure your custom "incremental" mode now. See below. ]
	john -i=custom passwd3

You can use some pre-defined or custom word filters when generating the charset file to have John consider some simpler passwords only:

	john --make-charset=my_alpha.chr --external=filter_alpha mypasswd

If your "pot file" got large enough (or if you don't have any charset files at all), you might want to use it to generate a new set of main charset files:

	makechr

where "makechr" is a script that invokes "john --make-charset=..." with varying filenames, for all of the external mode word filters defined in the configuration file. In this example, John will overwrite the charset files with new ones that are based on your entire $JOHN/john.pot (John uses the entire "pot file" if you don't specify any password files).

8. Finally, you might want to e-mail all users with weak passwords to tell them to change their passwords. (This is not always a good idea, though, since lots of people do not check their e-mail or ignore such messages, and the messages can be a hint for crackers.) Edit the "mailer" script supplied with John: the message it sends and possibly the mail command (especially if the password file is from a different machine). Then run:

	mailer mypasswd

Reference:
[1] https://www.openwall.com/john/doc/EXAMPLES.shtml

Friday, June 19, 2020

Lessons to Learn from Recent Cyber Attacks in Australia

Multiple IT network infrastructures belonging to Australian government and private sector organizations have been targeted by a large-scale cyber attack seeking to disrupt the work of the government as well as the operations of essential service providers.

The Australian Cyber Security Centre (ACSC) has revealed the tactics, techniques and procedures (TTPs) identified during its investigation.

This advisory aims to share the TTPs with the industry peers to increase the awareness and to take necessary precautionary actions against the emerging threat landscape.

Attackers have leveraged a number of initial access vectors, including:
  • Remote code execution vulnerability in unpatched versions of Telerik UI (CVE-2019-18935)
  • Deserialisation vulnerability in Microsoft Internet Information Services (IIS) (reference [3])
  • Microsoft SharePoint vulnerability (CVE-2019-0604)
  • Remote code execution vulnerability in Citrix Application Delivery Controller and Citrix Gateway (CVE-2019-19781)
Further, the attackers have also used various spearphishing techniques, such as:
  • Links to credential harvesting websites
  • Emails with links to malicious files, or with the malicious file directly attached
  • Links prompting users to grant Office 365 OAuth tokens to the actor
  • Use of email tracking services to identify the email opening and lure click-through events.
Whenever possible, attackers have migrated to legitimate remote access using stolen credentials to avoid or minimize detection of their presence by security monitoring solutions. Once access is obtained, attackers have primarily used HTTP/HTTPS traffic for command and control.

Recommendations:

As key mitigations, the following recommendations have been proposed:
  • Patch all internet-facing operating systems, applications and devices with the latest security updates.
  • Apply multifactor authentication to all internet-accessible remote access services.

Additionally, the recommendations listed below shall also be implemented:
  • Apply the necessary controls to prevent execution of unapproved/malicious programs, including .exe files, DLLs, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
  • Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
  • Harden operating systems and applications. For example, configure web browsers to block Flash (ideally uninstall it), ads and Java from the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
  • Restrict administrative privileges based on the least privilege principle.
  • Maintain regular backups (daily, weekly) of important new/changed data, software and configuration settings, stored disconnected and retained for at least three months.

In addition to the above, it is essential to enable logs, including operating system logs (Microsoft Windows event logs), web server logs (access, error and SSL logs) and internet proxy logs, at least for internet-accessible servers and applications, in order to support digital forensic investigations.

Reference:
[1] https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
[2] https://www.cyber.gov.au/threats/advisory-2020-004-telerik
[3] https://www.cyber.gov.au/threats/advisory-2020-006-active-exploitation-vulnerability-microsoft-internet-information-services
[4] https://www.cyber.gov.au/publications/essential-eight-explained
[5] https://www.cyber.gov.au/publications/windows-event-logging-and-forwarding

Thursday, June 18, 2020

Analysing Windows Event Logs collected in CSV Format

Recently I wanted to analyze Microsoft Windows server logs collected as CSV files. Logs in the default evtx format were not available for the required period, so they were extracted from the SIEM as CSV files.

I had to face the challenge of analyzing 20 GB of logs spanning six days. I didn't have enough computing resources to open them in a text editor or import them into Excel/Calc due to the file sizes. Therefore I decided to evaluate them using an Ubuntu 18.04 PC.

As the very first step I extracted useful contents based on event IDs into individual text files using the following commands.

$ grep -i "EventID=4625" <log_csv_file_names> | awk -F, '{print $5 "\n"}' > Failed_logins_4625.txt
$ grep -i "EventID=4624" <log_csv_file_names> | awk -F, '{print $5 "\n"}' > Logon_4624.txt

Some of the useful event IDs to check when evaluating logs for suspicious activities are listed below with a star mark.

Event ID    What it means
---------------------------------------
*4624    Successful account log on
*4625    Failed account log on
*4634    An account logged off
*4648    A logon attempt was made with explicit credentials
*4647    User initiated logoff
*4778    RDP Session Reconnect (A session was reconnected to a Window Station)
*4779    RDP Session Disconnect (A session was disconnected from a Window Station)
*1102    Audit log was cleared. This can relate to a potential attack
*4720    A user account was created
*4722    A user account was enabled
*4723    An attempt was made to change the password of an account
*4725    A user account was disabled
*4738    A user account was changed
*4740    A user account was locked out
*4767    A user account was unlocked
*4782    Password hash of an account was accessed
*4697    A service was installed in the system
*4688    A new process has been created
*4689    A process has exited
*5140    A network share object was accessed
*4672    Special privileges assigned to new logon

4800    Locked (The workstation was locked)
4801    Unlocked (The workstation was unlocked)
4670    Permissions on an object were changed
4719    System audit policy was changed.
4964    A special group has been assigned to a new log on
4728    A user was added to a privileged global group
4732    A user was added to a privileged local group
4756    A user was added to a privileged universal group
4735    A privileged local group was modified
4737    A privileged global group was modified
4755    A privileged universal group was modified
4772    A Kerberos authentication ticket request failed
4777    The domain controller failed to validate the credentials of an account.
4616    System time was changed
4657    A registry value was changed
4697    An attempt was made to install a service
4698, 4699, 4700, 4701, 4702    Events related to Windows scheduled tasks being created, modified, deleted, enabled or disabled
4946    A rule was added to the Windows Firewall exception list
4947    A rule was modified in the Windows Firewall exception list
4950    A setting was changed in Windows Firewall
4954    Group Policy settings for Windows Firewall has changed
5025    The Windows Firewall service has been stopped
5031    Windows Firewall blocked an application from accepting incoming traffic
5152, 5153    A network packet was blocked by Windows Filtering Platform
5155    Windows Filtering Platform blocked an application or service from listening on a port
5157    Windows Filtering Platform blocked a connection
5447    A Windows Filtering Platform filter was changed

Once the logs for the selected event IDs were extracted, the process was simple, as I was left with a set of log files only a few MB in size.

While going through them, whenever a suspicious event was detected, I analysed the original logs around the identified timestamps to dig further into the incident.

Some of the useful tips I used to trace suspicious activities are listed below.

For successful RDP sessions the logon type would be Type 10. However, for failed RDP login attempts the type would be 3. Useful queries when searching for failed attempts in the Windows logs CSV:
$ grep "192.168.64.189" <log_file_name> | grep -i "EventID=4625" | awk -F',' '{print $5 "\n\n"}' > Failed_logins_192.168.64.189.txt

To check successful logoffs from IP address 192.168.13.90 (either logoff event ID):
$ grep "192.168.13.90" <log_file_name> | grep -iE "EventID=(4647|4634)" | awk -F',' '{print $5}'

Check for account session parameters and trace account activity by Logon ID (single quotes stop the shell from expanding the $, and -F makes grep match it literally):
$ grep -F 'Logon ID:  0x653$F7CF' <log_file_name> | awk -F',' '{print $5 "\n"}'
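
The same kind of triage as the grep/awk one-liners above, as an added example that is not part of the original post: an sh/awk script that summarises 4625 failures per source IP and logon type from an exported Security-log CSV and flags a source that logged on (4624) after repeated failures. The column layout (TimeCreated,EventID,LogonType,IpAddress,TargetUserName) and the sample rows are my own constructed assumptions, not the author's export.

```shell
#!/bin/sh
# Added example, not from the original post. Works on an exported Security-log
# CSV with the assumed columns: TimeCreated,EventID,LogonType,IpAddress,TargetUserName

# Constructed sample export (not real data). "-" marks a field the event lacks.
SAMPLE_CSV='TimeCreated,EventID,LogonType,IpAddress,TargetUserName
2020-11-20 08:01:02,4625,3,192.168.64.189,administrator
2020-11-20 08:01:05,4625,3,192.168.64.189,administrator
2020-11-20 08:01:09,4625,3,192.168.64.189,backup
2020-11-20 08:02:00,4624,10,192.168.64.189,administrator
2020-11-20 09:15:33,4625,3,192.168.13.90,jdoe
2020-11-20 09:20:10,4624,2,-,jdoe
2020-11-20 09:21:44,4647,-,-,jdoe'

# failed_by_source THRESHOLD   (reads the CSV on stdin)
# Prints "ip logon_type count" for every source/type pair with at least
# THRESHOLD 4625 events, noisiest sources first. Logon type 3 here is the
# network/NLA failure pattern the post mentions for failed RDP attempts.
failed_by_source() {
    awk -F',' -v thr="$1" '
        NR > 1 && $2 == 4625 { n[$4 "," $3]++ }
        END {
            for (k in n) if (n[k] >= thr) {
                split(k, p, ","); printf "%s %s %d\n", p[1], p[2], n[k]
            }
        }' | sort -k3,3nr -k1,1
}

# success_after_failures THRESHOLD   (reads the CSV on stdin)
# Prints each source IP that produced a 4624 after at least THRESHOLD 4625s
# from the same IP: the brute-force-then-success pattern that deserves a
# look at the original logs around that timestamp. Each IP is printed once.
success_after_failures() {
    awk -F',' -v thr="$1" '
        NR > 1 && $2 == 4625 { f[$4]++ }
        NR > 1 && $2 == 4624 && $4 != "-" && f[$4] >= thr && !seen[$4]++ { print $4 }'
}

# Run both checks over the constructed sample.
printf '%s\n' "$SAMPLE_CSV" | failed_by_source 3
printf '%s\n' "$SAMPLE_CSV" | success_after_failures 3
```

To use it on a real export, replace the sample with `failed_by_source 5 < export.csv` and adjust the field positions if your CSV columns differ.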

Useful OIDs when using snmpwalk

When conducting reconnaissance activities to discover the IP address details of public-facing network devices which have SNMP enabled, snmpwalk will be a very useful tool.

If you run the command below, it will give you a verbose output with all the available details.
$ snmpwalk -v 2c -c public <IP_Address>

Every piece of information an SNMP agent serves out, and every type of trap that it supports, is associated with a unique identifier known as an OID (Object Identifier). OID is a system created by the ITU and ISO organizations for the international standardization of data. It isn't only used for network monitoring or SNMP; it is a standard used for all sorts of data.

If you want specific details, you will have to use specific OIDs. Some of the useful OIDs have been described below in more details.

To discover the remote network device operating system details
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.47.1.1.1.1.2

To discover the network interface IP addresses
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.4.20.1.1

To discover the interface names (strings)
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.31.1.1.1.1.1

To discover more details relating to device identifications
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.1.4.0

Friday, June 12, 2020

Download Youtube Playlists in Ubuntu

I wanted to download YouTube playlists and I decided to use youtube-dl on my Ubuntu instance. I thought of writing this article considering that some of the facts I found may be useful for you too.

youtube-dl is a command-line program to download videos from YouTube.com and a few more sites. It requires the Python interpreter, version 2.6, 2.7, or 3.2+, and it is not platform specific.

To download a playlist, simply run the following command, where "playlist_url" is the URL of the playlist that you want to download.

#youtube-dl -cit <playlist_url>

In order to download the playlist, I used the below command.

#youtube-dl -cit 'https://www.youtube.com/watch?v=_7OwE7twvfQ&list=PLPw0KKt6G-I9LjQ58tZon1w-UUdI1gNz0'

Alternatively, you can just use the playlist ID:

#youtube-dl -cit PLPw0KKt6G-I9LjQ58tZon1w-UUdI1gNz0

Some of the useful switches when using youtube-dl to download content:

-i, --ignore-errors    Continue on download errors, for example to skip unavailable videos in a playlist
--geo-bypass        Bypass geographic restriction via faking X-Forwarded-For HTTP header (experimental)
--playlist-start NUMBER          Playlist video to start at (default is 1)
--playlist-end NUMBER            Playlist video to end at (default is last)
-r, --limit-rate RATE            Maximum download rate in bytes per second (e.g. 50K or 4.2M)
-R, --retries RETRIES            Number of retries (default is 10), or "infinite".
-f, --format FORMAT              Video format code, see the "FORMAT SELECTION" for all the info
-x, --extract-audio              Convert video files to audio-only files (requires ffmpeg or avconv and ffprobe or avprobe)
--audio-format FORMAT            Specify audio format: "best", "aac", "flac", "mp3", "m4a", "opus", "vorbis", or "wav"; "best" by default; No effect without -x
--audio-quality QUALITY          Specify ffmpeg/avconv audio quality, insert a value between 0 (better) and 9 (worse) for VBR or a specific bitrate like 128K (default 5)


In a shell, & is a special character, advising the shell to start everything up to the & as a process in the background. To avoid this behavior, you can put the URL in quotes.

These days YouTube videos are available in several resolutions, so you first need to check the available formats of a given YouTube video. For that, run youtube-dl with the "-F" option. It will show you a list of available formats.

#youtube-dl -F <video_url>

Its output will be like:

Setting language
 BlXaGWbFVKY: Downloading video webpage
 BlXaGWbFVKY: Downloading video info webpage
 BlXaGWbFVKY: Extracting video information
Available formats:
37      :       mp4     [1080x1920]
46      :       webm    [1080x1920]
22      :       mp4     [720x1280]
45      :       webm    [720x1280]
35      :       flv     [480x854]
44      :       webm    [480x854]
34      :       flv     [360x640]
18      :       mp4     [360x640]
43      :       webm    [360x640]
5       :       flv     [240x400]
17      :       mp4     [144x176]

Now among the available video formats, choose one that you like. For example, if you want to download it in MP4 version and 1080 pixel, you should use:

#youtube-dl -f 37 <video_url>

If you just want to download the audio from a YouTube video, you can use the -x option to simply extract the audio file from the video.

#youtube-dl -x <video_url>

The default file format is Ogg which you may not like. You can specify the file format of the audio file in the following manner:

#youtube-dl -x --audio-format mp3 <video_url>

If you want to update youtube-dl, you can use the command below. However, pip should be installed on your Ubuntu instance.

#sudo pip install --upgrade youtube_dl

The above steps will install the latest version of youtube-dl, which can be checked using youtube-dl --version. As of now the output of youtube-dl --version is:

I hope this article helped you to download YouTube videos on Ubuntu. If you have questions or suggestions, please drop a comment below.

Sunday, May 31, 2020

Using WMIC to communicate with remote hosts

We can manage user accounts, processes and other objects on a Windows computer using wmic commands. You can find commands for various operations below.

WMIC can collect a list of the currently running processes similar to what you’d see in “Task Manager” using the following command:
#wmic process list

Note that some of the WMIC built-ins can also be used in “brief” mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:
#wmic process list brief

Start an Application
#wmic process call create "calc.exe"

Terminate an Application
#wmic process where name="calc.exe" call terminate

Change Process Priority
#wmic process where name="explorer.exe" call setpriority 64

Get List of Process Identifiers
#wmic process where (Name='svchost.exe') get name,processid

Find a specific Process
#wmic process list brief | find "cmd.exe"

You can collect a listing of the environment variables (including the PATH) with this command:
#wmic environment list


OS/System Report HTML Formatted
#wmic /output:c:\os.html os get /format:hform

Products/Programs Installed Report HTML Formatted
#wmic /output:c:\product.html product get /format:hform

Turn on Remote Desktop Remotely
#wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1

Get Server Drive Space Usage Remotely (%%A is the host variable of an enclosing FOR loop in a batch file; use %A at an interactive prompt)
#WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV

Get PC Serial Number
#wmic /node:<IP Address> bios get serialnumber

Get PC Product Number
#wmic /node:"HOST" baseboard get product

Find stuff that starts on boot
#wmic STARTUP GET Caption, Command, User

Reboot or Shutdown
#wmic os where buildnumber="2600" call reboot

Get Startup List
#wmic startup list full

Information About Harddrives
#wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about os
#wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm

Information about files (backslashes are doubled because they are escape characters in WQL string literals)
#wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\filedetails.txt

The following global switches are available:
/NAMESPACE           Path for the namespace the alias operates against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/IMPLEVEL            Client impersonation level.
/AUTHLEVEL           Client authentication level.
/LOCALE              Language id the client should use.
/PRIVILEGES          Enable or disable all privileges.
/TRACE               Outputs debugging information to stderr.
/RECORD              Logs all input commands and output.
/INTERACTIVE         Sets or resets the interactive mode.
/FAILFAST            Sets or resets the FailFast mode.
/USER                User to be used during the session.
/PASSWORD            Password to be used for session login.
/OUTPUT              Specifies the mode for output redirection.
/APPEND              Specifies the mode for output redirection.
/AGGREGATE           Sets or resets aggregate mode.
/AUTHORITY           Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>]    Usage information.



Use Case Example 01:
Use of WMIC to query remote servers to get the hardware serial numbers.

In order to run against an entire subnet and output to a text document, I used the approach below. This helps me to verify the inventory of computers.

I placed the IP list after /node: (/node:ip1,ip2,ip3), or, when the list was large, used a text file with /node:@file:

#wmic /node:@nodes.txt /user:administrator /password:mypassword /output:out.csv bios get serialnumber /format:csv

Use Case Example 02:
While investigating suspicious behaviours recorded on Windows computers, I have sometimes seen entries such as the ones below, which are suspicious:

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c start c:\windows\system32\<processname>.exe"

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c del c:\windows\system32\<processname>.exe"

Saturday, May 30, 2020

Searching Through /var/log Folder

To check for all user logins and logouts
#last -f /var/log/wtmp

wtmp is a file on the Linux, Solaris, and BSD operating systems that keeps a history of all logins and logouts. On Linux systems, it is located at /var/log/wtmp. Various commands access wtmp to report login statistics, including the who and lastb commands.

To check for failed login attempts

#last -f /var/log/btmp
btmp logs failed attempts into your system. In theory this could mean someone is trying to brute force passwords. You can empty this file but should not remove it since software could crash when it expects the file to be there.

Using ausearch
Searching for user ssh login attempts in the audit logs located in the audit log folder.
# ausearch --input <filename> -i | grep -i sshd | grep -i USER_AUTH
USER_AUTH is triggered when a user-space authentication attempt is detected.
  • -i, --interpret                  Interpret results to be human readable
  • -if, --input <filename>          Specify the file name rather than the default audit file
  • -a, --event <audit event id>     Search based on audit event id
  • -gi, --gid <group id>            Search based on group id
  • -ui, --uid <user id>             Search based on user id
  • --session <login session id>     Search based on login session id

TTY ports are direct connections to the computer such as a keyboard/mouse or a serial connection to the device. PTS connections are SSH connections or telnet connections.

Some of the useful audit record types are listed below.
Audit Record Types:
  • ADD_USER    Triggered when a user-space user account is added.
  • CRED_ACQ    Triggered when a user acquires user-space credentials.
  • CRED_DISP    Triggered when a user disposes of user-space credentials.
  • CRED_REFR    Triggered when a user refreshes their user-space credentials.
  • CRYPTO_KEY_USER    Triggered to record the cryptographic key identifier used for cryptographic purposes.
  • CRYPTO_LOGIN    Triggered when a cryptographic officer login attempt is detected.
  • CRYPTO_LOGOUT    Triggered when a crypto officer logout attempt is detected.
  • DEL_GROUP    Triggered when a user-space group is deleted
  • DEL_USER    Triggered when a user-space user is deleted
  • SYSTEM_RUNLEVEL    Triggered when the system's run level is changed.
  • SYSTEM_SHUTDOWN    Triggered when the system is shut down.
  • USER_LOGIN    Triggered when a user logs in.
  • USER_LOGOUT    Triggered when a user logs out.
  • USER_START    Triggered when a user-space session is started.
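
The ausearch | grep pipeline above answers "were there sshd USER_AUTH records"; the added example below (my own, not from the original post) goes one step further and counts failed sshd USER_AUTH records per source address in raw auditd lines, the /var/log/audit/audit.log format rather than the interpreted output of ausearch -i, plus how many distinct accounts each source tried. The sample records are constructed, not real.

```shell
#!/bin/sh
# Added example, not from the original post: per-source summary of failed
# sshd authentication records from raw auditd log lines.

# Constructed sample audit.log lines (not real data). A quoted heredoc keeps
# the embedded quotes and $ characters intact.
SAMPLE_AUDIT=$(cat <<'EOF'
type=USER_AUTH msg=audit(1590825600.101:201): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590825603.442:202): pid=2203 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590825607.018:203): pid=2205 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="backup" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590825650.377:204): pid=2210 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1590829200.250:230): pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590829300.900:231): pid=2310 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication grantors=? acct="jdoe" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/0 res=failed'
type=USER_LOGIN msg=audit(1590825651.010:205): pid=2210 uid=0 auid=0 ses=7 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=/dev/pts/1 res=success'
EOF
)

# ssh_auth_failures   (reads raw audit.log lines on stdin)
# Prints "addr failures distinct_accounts" for each source address with at
# least one failed sshd USER_AUTH record, most failures first. Records from
# other executables (sudo, login) and other record types are ignored.
ssh_auth_failures() {
    awk '
        /^type=USER_AUTH / && /exe="\/usr\/sbin\/sshd"/ && /res=failed/ {
            match($0, /addr=[^ ]+/);   a = substr($0, RSTART + 5, RLENGTH - 5)
            match($0, /acct="[^"]*"/); u = substr($0, RSTART + 6, RLENGTH - 7)
            fails[a]++
            if (!((a, u) in seen)) { seen[a, u] = 1; accts[a]++ }
        }
        END { for (a in fails) printf "%s %d %d\n", a, fails[a], accts[a] }
    ' | sort -k2,2nr -k1,1
}

# Run over the constructed sample; on a live host use
#   ssh_auth_failures < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | ssh_auth_failures
```

Many failures against several accounts from one address is the spraying pattern worth pulling the surrounding records for with ausearch -a <event id>.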

Regex with gedit
To check for any POST requests in the web log files on a given date, the regexes below can be used with gedit.
At least one of the words should match: ^.*(21/May/2020|POST).*$
Both words should match: ^(?=.*21/May/2020)(?=.*POST).*$

Reference:
RedHat Audit record type can be found on:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types

Wednesday, January 29, 2020

Poking a hole through a firewall

Allowing highly critical network services such as Oracle (1521/tcp), MySQL (3306/tcp) and MSSQL (1433/tcp) through firewalls to untrusted networks is similar to poking a hole through a firewall.

For example, leaving the Oracle Listener port 1521 open to untrusted networks allows the database to connect to the Internet or the Internet to connect to the database. This could introduce significant security vulnerabilities that hackers are likely to exploit. Hackers could enable even more port openings through the firewall, create multithreaded operating system server problems, and enable access to crucial information on databases behind the firewall.

If the database listener services are running without passwords or with weak credentials, then hackers can probe for critical details about the databases on which it is listening. These details include trace and logging information, banner information, and database descriptors and service names, enabling malicious and damaging attacks on the target databases.

When it comes to database traffic, it is always recommended to encrypt network traffic when transmitting over untrusted networks. For example, you may utilize Oracle Advanced Security to encrypt network traffic between clients, databases, and application servers.

Further, I recommend hardening the host operating system of the database server by disabling all unnecessary operating system services. Many UNIX and Windows services are not necessary for most deployments. Such services include FTP, TFTP, TELNET, and so forth. For each disabled service, be sure to close both the UDP and TCP ports. Leaving either type of port enabled leaves the operating system vulnerable.

Finally, it is generally not acceptable to allow all source addresses to access your server management ports (22 for Linux SSH and 3389 for Windows RDP) or database ports (1433 for SQL Server, 1521 for Oracle, and 3306 for MySQL). Be as specific as practical about who can reach these ports. When it is impractical to define source IP addresses for network management, you might consider another solution such as a remote access VPN as a compensating control to allow the access required and protect your network.