Friday, June 19, 2020

Lessons to Learn from Recent Cyber Attacks in Australia

Multiple IT networks belonging to Australian government and private-sector organisations have been targeted by a large-scale cyber attack seeking to disrupt the work of government and the operations of essential service providers.

The Australian Cyber Security Centre (ACSC) has published the tactics, techniques and procedures (TTPs) identified during its investigation [1].

This note summarises those TTPs for industry peers, to raise awareness and to prompt the precautionary actions needed against this threat.

The attackers leveraged a number of initial access vectors, including:
  • A remote code execution vulnerability in unpatched versions of Telerik UI (CVE-2019-18935) [2]
  • A deserialisation vulnerability in Microsoft Internet Information Services (IIS) [3]
  • A Microsoft SharePoint vulnerability (CVE-2019-0604)
  • A remote code execution vulnerability in Citrix Application Delivery Controller and Citrix Gateway (CVE-2019-19781)
The attackers also used various spearphishing techniques, such as:
  • Links to credential-harvesting websites
  • Emails with links to malicious files, or with the malicious file attached directly
  • Links prompting users to grant Office 365 OAuth tokens to the actor
  • Email tracking services to identify when an email was opened and when a lure link was clicked
Wherever possible the attackers moved to legitimate remote access services using stolen credentials, so that their presence blended in with normal activity and was harder to spot with security monitoring. Once access was obtained, they relied primarily on HTTP/HTTPS traffic for command and control.

Recommendations:

The advisory proposes two key mitigations:
  • Patch all internet-facing operating systems, applications and devices promptly with the latest security updates.
  • Apply multi-factor authentication to all internet-accessible remote access services.

The following recommendations, drawn from the ACSC Essential Eight [4], should also be implemented:
  • Apply application control to prevent execution of unapproved/malicious programs, including executables, DLLs, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
  • Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
  • Harden operating systems and applications. For example, configure web browsers to block Flash (ideally uninstall it), ads and Java from the internet, and disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
  • Restrict administrative privileges according to the principle of least privilege.
  • Maintain regular backups (daily, weekly) of important new/changed data, software and configuration settings; store them disconnected and retain them for at least three months.

In addition, it is essential to enable and retain logs, including operating system logs (Microsoft Windows event logs [5]), web server logs (access, error and SSL logs) and internet proxy logs, at least for internet-accessible servers and applications, so that evidence is available for digital forensic investigations.
References:
[1] https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
[2] https://www.cyber.gov.au/threats/advisory-2020-004-telerik
[3] https://www.cyber.gov.au/threats/advisory-2020-006-active-exploitation-vulnerability-microsoft-internet-information-services
[4] https://www.cyber.gov.au/publications/essential-eight-explained
[5] https://www.cyber.gov.au/publications/windows-event-logging-and-forwarding

Thursday, June 18, 2020

Analysing Windows Event Logs collected in CSV Format

Recently I wanted to analyse Microsoft Windows server logs collected as CSV files. Logs in the default EVTX format were not available for the required period, so they were exported from the SIEM as CSV files.

I had to analyse about 20 GB of logs spanning six days. I did not have enough computing resources to open files of that size in a text editor or import them into Excel/Calc, so I decided to work through them on an Ubuntu 18.04 PC with standard command-line tools.

As the very first step, I extracted the useful content for each Event ID into individual text files using the following commands.

$ grep -i "EventID=4625" <log_csv_file_names> | awk -F'","' '{print $5 "\n"}' > Failed_logins_4625.txt
$ grep -i "EventID=4624" <log_csv_file_names> | awk -F'","' '{print $5 "\n"}' > Logon_4624.txt

The field separator '","' assumes a quoted CSV export in which the fifth column holds the event text; adjust the separator and column number to match your SIEM's export layout.

The most useful event IDs for spotting suspicious activity are marked with a star; the rest are worth checking as well.

Event ID    What it means
---------------------------------------
*4624    Successful account logon
*4625    Failed account logon
*4634    An account was logged off
*4648    A logon was attempted using explicit credentials
*4647    User-initiated logoff
*4778    RDP session reconnect (a session was reconnected to a Window Station)
*4779    RDP session disconnect (a session was disconnected from a Window Station)
*1102    The audit log was cleared (often a sign of an attacker covering their tracks)
*4720    A user account was created
*4722    A user account was enabled
*4723    An attempt was made to change the password of an account
*4725    A user account was disabled
*4738    A user account was changed
*4740    A user account was locked out
*4767    A user account was unlocked
*4782    The password hash of an account was accessed
*4697    A service was installed in the system
*4688    A new process has been created
*4689    A process has exited
*5140    A network share object was accessed
*4672    Special privileges assigned to new logon

4800    The workstation was locked
4801    The workstation was unlocked
4670    Permissions on an object were changed
4719    System audit policy was changed
4964    Special groups have been assigned to a new logon
4728    A user was added to a privileged global group
4732    A user was added to a privileged local group
4756    A user was added to a privileged universal group
4735    A privileged local group was modified
4737    A privileged global group was modified
4755    A privileged universal group was modified
4772    A Kerberos authentication ticket request failed
4777    The domain controller failed to validate the credentials of an account
4616    The system time was changed
4657    A registry value was modified
4698, 4699, 4700, 4701, 4702    A scheduled task was created, deleted, enabled, disabled or updated
4946    A rule was added to the Windows Firewall exception list
4947    A rule was modified in the Windows Firewall exception list
4950    A Windows Firewall setting was changed
4954    Group Policy settings for Windows Firewall have changed
5025    The Windows Firewall service has been stopped
5031    Windows Firewall blocked an application from accepting incoming connections
5152, 5153    A network packet was blocked by the Windows Filtering Platform
5155    The Windows Filtering Platform blocked an application or service from listening on a port
5157    The Windows Filtering Platform blocked a connection
5447    A Windows Filtering Platform filter was changed

Note that 4688 records the process command line only when "Include command line in process creation events" is enabled in Group Policy; without it you get the image path but not the arguments.

Once the records for the selected event IDs had been extracted, the rest was straightforward, as I was left with a set of files of a few MB each.

While going through them, whenever a suspicious event turned up I went back to the original logs around that timestamp to dig further into the incident.

Some of the tips I used to trace suspicious activity are listed below.

For successful RDP sessions the logon type recorded in event 4624 is 10 (RemoteInteractive). Failed RDP attempts, however, usually appear in event 4625 with logon type 3 (Network), because with Network Level Authentication the credentials are checked over the network before any interactive session is created. A useful query when searching the CSV logs for failed attempts from a given source address:
$ grep "192.168.64.189" <log_file_name> | grep -i "EventID=4625" | awk -F'","' '{print $5 "\n\n"}' > Failed_logins_192.168.64.189.txt

To check logoffs (user-initiated 4647 or session-ended 4634) from IP address 192.168.13.90:
$ grep "192.168.13.90" <log_file_name> | grep -iE "EventID=(4647|4634)" | awk -F'","' '{print $5}'

Note that 4634 and 4647 records carry only the account and its Logon ID, not a source address, so this only matches if the SIEM added the address to the export. Otherwise take the Logon ID from the corresponding 4624 logon and search for that instead, as below.

To trace all activity in one session, search for the Logon ID taken from the 4624 event (use single quotes so that the shell does not treat a $ in the pattern as a variable):
$ grep -E 'Logon ID:[[:space:]]+<logon_id>' <log_file_name> | awk -F'","' '{print $5 "\n"}'

Useful OIDs when using snmpwalk

When conducting reconnaissance to discover the IP addressing of public-facing network devices that have SNMP enabled, snmpwalk is a very useful tool.

Running the command below walks the whole MIB tree and gives verbose output with every available detail. "public" is the read-only community string many devices still ship with, and SNMPv1/v2c send it in cleartext, which is exactly why it is worth trying during reconnaissance (and changing on any device you own).
$ snmpwalk -v 2c -c public <IP_Address>

Every piece of information an SNMP agent serves, and every type of trap it supports, is associated with a unique identifier known as an OID (Object Identifier). OIDs are a naming system created by the ITU and ISO for the international standardisation of data; they are not specific to network monitoring or SNMP but are used for all sorts of data (the algorithm identifiers in X.509 certificates, for example).

If you want specific details, query specific OIDs. Some useful ones are described below. The "iso." prefix is how net-snmp prints 1.3.6.1... when no MIB files are loaded; the -On option prints OIDs fully numeric, which is easier to script against.

To discover the hardware description of the device's physical components (ENTITY-MIB entPhysicalDescr; the operating system and version string normally lives in sysDescr, iso.3.6.1.2.1.1.1.0)
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.47.1.1.1.1.2

To discover the IP addresses configured on the device's interfaces (IP-MIB ipAdEntAddr)
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.4.20.1.1

To discover the interface names as strings (IF-MIB ifName; walk the column, not a single row, or you only get the first interface)
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.31.1.1.1.1

To discover the administrative contact (sysContact; the rest of the system group, including sysName and sysLocation, sits alongside it under iso.3.6.1.2.1.1)
$ snmpwalk -v 2c -c public <IP_Address> iso.3.6.1.2.1.1.4.0
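The OIDs above, walked together and condensed into a one-screen inventory per target. This is an added example rather than anything from the original note: snmp_inventory() needs net-snmp's snmpwalk and a reachable agent, while walk_values() and summarise_walk() only parse captured walk output, so they are demonstrated on a constructed sample whose device strings, names and addresses are made up.

```shell
#!/usr/bin/env bash
# Added example: walk only the subtrees discussed above (system group, IP address
# table, ifName table) and summarise them, instead of reading a full MIB walk by eye.
set -eu

# Constructed snmpwalk output in the "iso." notation net-snmp uses when no MIB
# files are loaded. Vendor string, hostname and addresses are invented.
sample_walk() {
  cat <<'EOF'
iso.3.6.1.2.1.1.1.0 = STRING: "ExampleOS 4.2.1 (build 17) on ES-2400 switch"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.99999.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (123456789) 14 days, 6:56:07.89
iso.3.6.1.2.1.1.4.0 = STRING: "netops@example.com"
iso.3.6.1.2.1.1.5.0 = STRING: "core-sw01"
iso.3.6.1.2.1.1.6.0 = STRING: "DC1 rack 4"
iso.3.6.1.2.1.4.20.1.1.10.0.0.1 = IpAddress: 10.0.0.1
iso.3.6.1.2.1.4.20.1.1.192.168.1.1 = IpAddress: 192.168.1.1
iso.3.6.1.2.1.31.1.1.1.1.1 = STRING: "Gi0/1"
iso.3.6.1.2.1.31.1.1.1.1.2 = STRING: "Gi0/2"
iso.3.6.1.2.1.31.1.1.1.1.3 = STRING: "Vl1"
EOF
}

# Values (type tag and quotes removed) of every entry at or under OID prefix $1,
# given numerically, e.g. .1.3.6.1.2.1.4.20.1.1. The "iso." spelling is
# normalised so captures taken with or without -On both parse.
walk_values() {
  awk -v prefix="$1" '
    { oid = $1; sub(/^iso\./, ".1.", oid) }
    oid == prefix || index(oid, prefix ".") == 1 {
      value = $0
      sub(/^[^=]*= *[A-Za-z-]+: */, "", value)   # drop "OID = TYPE: "
      gsub(/^"|"$/, "", value)                    # unquote STRING values
      print value
    }'
}

# Condense a walk (system group + ipAdEntAddr + ifName) into key=value lines.
summarise_walk() {
  local walk
  walk=$(cat)
  printf 'sysDescr=%s\n'   "$(printf '%s\n' "$walk" | walk_values .1.3.6.1.2.1.1.1.0)"
  printf 'sysName=%s\n'    "$(printf '%s\n' "$walk" | walk_values .1.3.6.1.2.1.1.5.0)"
  printf 'sysContact=%s\n' "$(printf '%s\n' "$walk" | walk_values .1.3.6.1.2.1.1.4.0)"
  printf 'addresses=%s\n'  "$(printf '%s\n' "$walk" | walk_values .1.3.6.1.2.1.4.20.1.1 | paste -sd, -)"
  printf 'interfaces=%s\n' "$(printf '%s\n' "$walk" | walk_values .1.3.6.1.2.1.31.1.1.1.1 | paste -sd, -)"
}

# Live version: $1 = target, $2 = community (defaults to "public"; v2c sends it
# in cleartext). Walks just the three needed subtrees, not the whole MIB.
snmp_inventory() {
  local target=$1 community=${2:-public} oid
  for oid in .1.3.6.1.2.1.1 .1.3.6.1.2.1.4.20.1.1 .1.3.6.1.2.1.31.1.1.1.1; do
    snmpwalk -v 2c -c "$community" -On "$target" "$oid" 2>/dev/null || true
  done | summarise_walk
}

# Stand-alone demo on the captured sample; run "snmp_inventory <IP_Address>" against a live target.
sample_walk | summarise_walk
```

Keeping the walk to three subtrees matters on real equipment: a full walk of a core switch can take minutes and thousands of packets, while these tables answer the recon questions (what it runs, what it is called, what addresses it holds) in a few seconds.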

Friday, June 12, 2020

Download Youtube Playlists in Ubuntu

I wanted to download YouTube playlists and decided to use youtube-dl on my Ubuntu instance. I thought of writing this article because some of what I found may be useful to you as well.

youtube-dl is a command-line program to download videos from YouTube.com and a few more sites. It requires the Python interpreter, version 2.6, 2.7, or 3.2+, and it is not platform specific.

To download a playlist, simply run the following command, where playlist_url is the URL of the playlist that you want to download (-c resumes partially downloaded files, -i skips videos that fail, and -t uses the video title in the file name).

$ youtube-dl -cit <playlist_url>

To download my playlist I used the command below; the URL is quoted because it contains an & character (see the note on & further down).

$ youtube-dl -cit 'https://www.youtube.com/watch?v=_7OwE7twvfQ&list=PLPw0KKt6G-I9LjQ58tZon1w-UUdI1gNz0'

Alternatively, you can just use the playlist ID:

$ youtube-dl -cit PLPw0KKt6G-I9LjQ58tZon1w-UUdI1gNz0

Some useful switches when downloading content with youtube-dl:

-i, --ignore-errors    Continue on download errors, for example to skip unavailable videos in a playlist
--geo-bypass        Bypass geographic restriction via faking X-Forwarded-For HTTP header (experimental)
--playlist-start NUMBER          Playlist video to start at (default is 1)
--playlist-end NUMBER            Playlist video to end at (default is last)
-r, --limit-rate RATE            Maximum download rate in bytes per second (e.g. 50K or 4.2M)
-R, --retries RETRIES            Number of retries (default is 10), or "infinite".
-f, --format FORMAT              Video format code, see the "FORMAT SELECTION" for all the info
-x, --extract-audio              Convert video files to audio-only files (requires ffmpeg or avconv and ffprobe or avprobe)
--audio-format FORMAT            Specify audio format: "best", "aac", "flac", "mp3", "m4a", "opus", "vorbis", or "wav"; "best" by default; No effect without -x
--audio-quality QUALITY          Specify ffmpeg/avconv audio quality, insert a value between 0 (better) and 9 (worse) for VBR or a specific bitrate like 128K (default 5)


In a shell, & is a special character telling the shell to run everything before it as a background process, so an unquoted URL containing &list= is cut off at the &. To avoid this, put the URL in quotes.

YouTube videos are available in several resolutions, so first check the available formats of a given video by running youtube-dl with the -F option. It prints a list of available formats.

$ youtube-dl -F <video_url>

Its output will be like:

Setting language
 BlXaGWbFVKY: Downloading video webpage
 BlXaGWbFVKY: Downloading video info webpage
 BlXaGWbFVKY: Extracting video information
Available formats:
37      :       mp4     [1080x1920]
46      :       webm    [1080x1920]
22      :       mp4     [720x1280]
45      :       webm    [720x1280]
35      :       flv     [480x854]
44      :       webm    [480x854]
34      :       flv     [360x640]
18      :       mp4     [360x640]
43      :       webm    [360x640]
5       :       flv     [240x400]
17      :       mp4     [144x176]

Now choose the format you want from the list. For example, to download the 1080p MP4 version, use format code 37:

$ youtube-dl -f 37 <video_url>
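The manual "run -F, read the table, pick a code, run -f" steps as one function. This is an added example, not part of the original post or of youtube-dl itself: pick_format() parses a -F listing from stdin, sample_listing() is the listing shown above embedded so the selection logic can run offline, and download_at() is the live wrapper, which needs youtube-dl and network access.

```shell
#!/usr/bin/env bash
# Added example: select a youtube-dl format code by container and maximum
# resolution instead of reading the -F table by eye.
set -eu

# The -F listing from the post, reproduced here as test input.
sample_listing() {
  cat <<'EOF'
Available formats:
37      :       mp4     [1080x1920]
46      :       webm    [1080x1920]
22      :       mp4     [720x1280]
45      :       webm    [720x1280]
35      :       flv     [480x854]
44      :       webm    [480x854]
34      :       flv     [360x640]
18      :       mp4     [360x640]
43      :       webm    [360x640]
5       :       flv     [240x400]
17      :       mp4     [144x176]
EOF
}

# Print the format code for container $1 (mp4, webm, ...) with the largest
# "p" value (short side of the frame) not exceeding $2, reading a -F listing on
# stdin. Lines that do not start with a numeric format code are ignored, and the
# resolution is taken from any WxH / [HxW] token, so both this old-style listing
# and the newer column layout parse. Prints nothing if no format qualifies.
pick_format() {
  awk -v ext="$1" -v cap="$2" '
    $1 ~ /^[0-9]+$/ {
      code = $1; has_ext = 0; p = 0
      for (i = 2; i <= NF; i++) {
        if ($i == ext) has_ext = 1
        if (match($i, /[0-9]+x[0-9]+/)) {
          split(substr($i, RSTART, RLENGTH), d, "x")
          p = (d[1] + 0 < d[2] + 0) ? d[1] + 0 : d[2] + 0
        }
      }
      if (has_ext && p <= cap + 0 && p > best) { best = p; choice = code }
    }
    END { if (choice != "") print choice }'
}

# Live wrapper: $1 = video URL, $2 = container, $3 = maximum height in pixels.
download_at() {
  local code
  code=$(youtube-dl -F "$1" | pick_format "$2" "$3")
  [ -n "$code" ] || { echo "no $2 format at or below ${3}p" >&2; return 1; }
  youtube-dl -c -i -f "$code" "$1"
}

# Stand-alone demo on the embedded listing (prints 37, then 22).
sample_listing | pick_format mp4 1080
sample_listing | pick_format mp4 720
```

Because pick_format ranks by the short side of the frame, "1080" means 1080p whether the listing prints [1080x1920] as here or 1920x1080 as newer versions do.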

If you just want the audio from a YouTube video, use the -x option to extract the audio track (this needs ffmpeg or avconv installed).

$ youtube-dl -x <video_url>

By default (--audio-format best) the extracted file keeps the source's native audio codec, usually Opus or AAC (m4a) rather than MP3, which you may not want. You can specify the audio format in the following manner:

$ youtube-dl -x --audio-format mp3 <video_url>

If youtube-dl was installed with pip, you can update it with the command below (pip must be installed on your Ubuntu instance). Installing with sudo pip writes into the system Python; "pip install --user --upgrade youtube_dl" avoids that, and a copy installed from the project's own binary can update itself with "youtube-dl -U".

$ sudo pip install --upgrade youtube_dl

The above installs the latest version, which you can check with youtube-dl --version. As of writing, the output of youtube-dl --version is:

I hope this article helped you to download YouTube videos on Ubuntu. If you have questions or suggestions, please drop a comment below.