Essential Event Log Configurations to be Corelated

Considering Windows audit event logging, there are plenty of guides available in the Internet to follow. Most of the event configurations would overlap. However, we have to consider the most optimal and practical implementation based on our business case, server capability, security requirements & experience.

    1) Microsoft audit policy recommendations
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

    2) What event ID's to monitor for AD compromise (This is a good example to show that if we already collect these events, we would be able to monitor them in SIEM)
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

    3) Collection of event log configurations (The site contains cheat sheets for other log functionalities such as Sysmon too. If we like to cover MITRE ATT&CK techniques, that is also possible)
    https://www.malwarearchaeology.com/cheat-sheets

If we go through the above guides, we would understand that apart from the Security audit log, we can utilize several other default log files (RDP, Powershell, SMB) and external log files such as Sysmon logs, are helpful in covering the full picture.  Some of the event logs are more useful in a AD and some are more useful in a File server. Therefore, start with simple but proper security audit log configuration(e.g. CIS or Microsoft) first and get into the process. Then integrate other log files into the collection. Understand the practical issues in implementation such as log file size. Then look into the monitoring and visualization. SIEM may have a set of default use cases which is now useful after proper log configuration. If not, with your experience and business requirement, a new use case can be defined.

For Linux audit log
    1) Audit configuration rule compilation by Florian Roth. The rule set is commented and can be used as a guide to understand the required audit configurations.
    https://github.com/Neo23x0/auditd

For other Applications
    1) Consider logs such as Apache access log, MySQL or even email logs. Security team should go through the log and check whether the log is rich enough and have all the necessary data required in auditing perspective. If not, it should be improved before forwarding to the SIEM for monitoring and alert generation.

Read More

Event Log Retention Requirements as mandated by Major Compliance Regulations

On September 20th, 2016, Digital Edge released an article on Log Management Laws and Regulations. Below is a little "Cheat Sheet" on the Event Log Retention Requirements as mandated by major compliance regulations:

Regulation	Retention Requirement
HIPAA	7 years
PCI DSS	1 year
SOX	7 years
ISO 27001	3 years
FISMA	3 years
GPG 13	3+ months
NERC CIP	3 years
GLBA	6 years
DoDI 8500.2	5 years
NIST	3 years

Read More

Remove PostgreSQL in Ubuntu 18.04

Once I was using PostgreSQL and when I no longer need to keep the installation, I wanted to remove it completely. 

So I used the command listed below to remove the PostgreSQL.

#sudo apt-get --purge remove postgresql  

Even though the un-installation was successful, when I go to login there's still a "PostgreSQL" user. I tried running sudo deluser PostgreSQL but all I get is

/usr/sbin/deluser: The user `PostgreSQL' does not exist.

In order to verify the existence of the user, I checked the passwd file.

cat /etc/passwd | grep -i postgre
postgres:x:1001:1001:PostgreSQL:/opt/ManageEngine/OpManager/pgsql:/bin/sh

Then only I realized that the Login Name and User Name are not the same. So I tried removing the user "postgres" using the command below and it was successful. 

sudo deluser postgres

 

 

 

Read More

Why / Why Not Virtual Patching

 While the goal of many organizations is to maintain operating systems and other business application software are always up to date with latest security patches, realities impede the progress in being able to quickly address a vulnerability before a malicious adversary can be taken advantage.

There are many factors that complicate the ability to mitigate a given vulnerability once it has been identified. These factors include:

• Obsolete/legacy applications being used by the organization.
• Application dependencies that can caused the functional errors when being patched. Therefore, proper testing is required before applying a patch to the software or operating system in a application system and to address issues that can be introduced by the patch.
• Operational delays due to lack of resources and expertise within the organization to allocate for vulnerability management.

Therefore, the patch response time vary greatly due to the above given circumstances.

In a situations where traditional patches are not feasible, a virtual patch can be utilized to reduce the likelihood of a successful cyber attack. It helps to mitigate vulnerabilities in a separate layer, where you get to fix problems in applications without making alteration to the application directly. A virtual patch deals with the process or method of fixing problems by altering or eliminating vulnerabilities by controlling the inputs and outputs to and from the applications.

The virtual patching solution helps organizations to:

• Mitigates the risk of an exploit quickly, until an effective, permanent patch can be tested and released by the application vendor for vulnerabilities in operating systems and business applications.
• Maintain normal patching cycle without interrupting operations, if a vulnerability arises midway between scheduled patch releases.
• Reduces or eliminates time and money spent performing emergency patching.
• In certain cases, before the original patch is released virtual patching could have the risk mitigation.
• While virtual patching offers many advantages to the organization, it also has limitations such as:
• Virtual patching will not be able to address all possible ways, or all of the possible locations, in which an exploit can occur as a result of a particular vulnerability.
• Development of countering exploitation for each security issue due to rapidly discovered new vulnerabilities
• While virtual patching serving as a compensating control to delay the patch cycle, the organization always need to fix vulnerabilities to prevent the associated risks.
• While a virtual patch can avert an immediate crisis, the virtual patch cannot eliminate inherent defects in an application program that is poorly developed.
  

Hence, a successful implementation of a virtual patching solution provides an additional layer of security to the organization's IT infrastructure which helps to reduce the risk of many critical security vulnerabilities that cannot be resolved due to various dependencies.

Read More

Is Microsoft Windows User Account Control (UAC) a Security Feature?

User Account Control (UAC) helps mitigate the impact of malware.

Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.

Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels.

A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.

Policy setting "User Account Control: Admin Approval Mode for the Built-in Administrator account" controls the behavior of Admin Approval Mode for the built-in Administrator account.

• Enabled The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
• Disabled (Default) The built-in Administrator account runs all applications with full administrative privilege.

Refer the reference [2] for more information on policy settings.

The UAC User Experience

When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.

Is UAC secure?

UAC is not a security feature. It’s a convenience feature that acts as a forcing function to get software developers to get their act together [4].

There’s a control panel that lets you specify how often you want to be prompted by UAC. You can set any of four levels:

1. Always notify
2. Notify only when apps try to change settings, use the secure desktop
3. Notify only when apps try to change settings, don’t use the secure desktop
4. Never notify

Although it looks like there are four settings, in a theoretical sense, there really are only two settings.

1. Always notify
2. Never notify

The reason why all the other options collapse into Meh is that the Notify only when apps try to change settings option can be subverted by any app simply by injecting a thread into Explorer and doing its dirty work there. Since Explorer is a program that the setting allows to elevate silently, this lets you perform a silent elevation from any thread that has thread injection rights into Explorer (which is pretty much any program running at medium integrity level or higher) [5].

UACMe [3]

UACMe [3] helps defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor. Relying on UAC on Windows 7 and Windows 10, however, is not enough. Attackers can use tools such as UACMe to gain access to a system.

Reference:
[1] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
[2] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings
[3] https://github.com/hfiref0x/UACME
[4] https://channel9.msdn.com/
[5] https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105

Read More

SigRed (CVE-2020-1350) Registry Workaround

Security researchers at Check Point discovered a critical security flaw in Microsoft DNS servers. The flaw allows remote code execution attacks which leads to the total compromise of the server. The DNS server role is often bundled in Enterprise Domain Controllers in corporate environments. Hence, the exploitation allows an unauthenticated, remote attacker to gain domain administrator privileges and seize complete control of an organization's IT infrastructure. The flaw is named 'SigRed' by Check Point and assigned the CVE-2020-1350 with a CVSS base score of 10. The flaw is wormable, meaning a single exploit of the issue can trigger a chain reaction that allows attacks to spread from one computer to another.

To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

TcpReceivePacketSize

Value = 0xFF00

Note You must restart the DNS Service for the registry change to take effect.

    The Default (also max) Value = 0xFFFF
    The Recommended Value = 0xFF00 (255 bytes less than the max)

After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.

Reference:

[1] https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

[2] https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

Read More

Cracking Passwords with John the Ripper

John the Ripper (JtR) is a password cracking tool originally produced for UNIX-based systems. It was designed to test password strength, brute-force encrypted (hashed) passwords, and crack passwords via dictionary attacks.

The tool comes in both GNU-licensed and proprietary (Pro) versions. An enhanced “jumbo” community release has also been made available on the open-source GitHub repo.

JtR works in three different ways.

1. Dictionary attack
2. Brute-force attack
3. Rainbow tables: A pre-computed list of password hashes (derived from commonly set passwords) is compared against an existing data dump to find the correct password in its plaintext form.It should be noted that this approach will be ineffective when password hashes are salted and salt values are too large, all of which increases the overall complexity.

JtR provides at least three modes along with an “external” mode, which is basically letting a user define a customized mode via a configuration file.

• Single crack mode: JtR creators recommend running this mode first as it’s considered the quickest. Single crack mode uses information from UNIX passwd files -- users' full names, usernames, etc. -- as present in GECOS fields within UNIX passwd/shadow files to “guess” passwords. This can be helpful in cases when a user has set a password for an account based on commonly available information or phrase in the username (e.g. admin:password, john:john123).
• Wordlist mode: This mode relies on the user providing a text file with a list of passwords, ideally one per line and no duplicates.
• Incremental mode: JtR’s equivalent of brute-force is the most powerful cracking mode, but is so time consuming that for a password complex enough, it may never be able to complete in practical course of time and never terminate.

Usage Examples:

Example 01:

Now, let's assume you've got a password file, "mypasswd", and want to crack it. The simplest way is to let John use its default order of cracking modes:

	john mypasswd

This will try "single crack" mode first, then use a wordlist with rules,
and finally go for "incremental" mode.

If you've got some passwords cracked, they are stored in $JOHN/john.pot. The john.pot file is not meant to be human-friendly. You should be using John itself to display the contents of its "pot file" in a convenient format:

	john --show mypasswd

If the account list gets large and doesn't fit on the screen, you should, of course, use your shell's output redirection.

You might notice that many accounts have a disabled shell. You can make John skip those in the report. Assuming that the disabled shell is called "/etc/expired", the command would be:

	john --show --shells=-/etc/expired mypasswd

or shorter, but will also match "/any/path/expired":

	john --show --shells=-expired mypasswd

or if you also want to ignore some other shell, say "/etc/newuser":

	john --show --shells=-expired,newuser mypasswd

To check if any root (UID 0) accounts got cracked:

	john --show --users=0 mypasswd

or to check for cracked root (UID 0) accounts in multiple files:

	john --show --users=0 *passwd* *.pwd

To display the root (username "root") account only:

	john --show --users=root mypasswd

And finally, to check for privileged groups:

	john --show --groups=0,1 mypasswd

4. You might prefer to manage the cracking modes manually. It is wise to start with "single crack" mode:

	john --single mypasswd

or since the GNU-style double dashes are optional and since option names can be abbreviated for as long as they remain unambiguous:

	john -si mypasswd

You should not abbreviate options in scripts which you would want to work with future versions of John since what is unambiguous now might become ambiguous with the addition of more options.

If you have more files to crack, it is preferable to load them at the same time:

	john --single passwd1 passwd2

or even:

	john --single *passwd* *.pwd

This way, John will run faster and might even crack more passwords than it would if you ran it on each password file separately.

5. To catch weak passwords not derived from readily available users' personal information, you should proceed with cracking modes demanding more processor time. First, let's try a tiny wordlist with word mangling rules enabled:

	john --wordlist=password.lst --rules mypasswd

or abbreviating the options:

	john -w=password.lst -ru mypasswd

Then proceed with a larger wordlist, also applying the mangling rules:

	john --wordlist=all.lst --rules mypasswd

If you've got a lot of spare disk space to trade for performance and the hash type of your password files is relatively slow, you may use John's "unique" utility to eliminate any duplicate candidate passwords:

	john --wordlist=all.lst --rules --stdout | unique mangled.lst
	john --wordlist=mangled.lst mypasswd

If you know that your target hash type truncates passwords at a given length, you may optimize this even further:

	john --wordlist=all.lst --rules --stdout=8 | unique mangled8.lst
	john --wordlist=mangled8.lst mypasswd

Alternatively, you may simply use huge.lst available on Openwall wordlist collection CDs. It has word mangling rules pre-applied for the most common languages and it has any duplicates purged.

Depending on target hash type, the number of different salts (if applicable), the size of your wordlist, rules, and processor performance, wordlist-based cracking may take anywhere from under a second to many days.

You do not have to leave John running on a (pseudo-)terminal. If running John on a Unix-like system, you can simply disconnect from the server, close your xterm, etc. John will catch the SIGHUP ("hangup" signal) and continue running. Alternatively, you may prefer to start it in the background right away:

	john --wordlist=all.lst --rules mypasswd &

Obviously, the "&" is specific to Unix shells and will not work on most other platforms.

You may further enhance this by specifying a session name:

	john --session=allrules --wordlist=all.lst --rules mypasswd &

This ensures that you won't accidentally interfere with the instance of John running in the background if you proceed to start other sessions.

To view the status of a running session, use:

	john --status

for the default session or:

	john --status=allrules

for any other session. This works for both interrupted and running sessions. To obtain the most up-to-date information from a running session on a Unix-like system, send a SIGHUP to the appropriate "john" process.

Any interrupted sessions may be continued with:

	john --restore

or:

	john --restore=allrules

Finally, to make John have less impact on other processes, you should set the option "Idle = Y" in the configuration file.

To only crack accounts with a "good" shell (in general, the shell, user, and group filters described above work for all cracking modes as well):

	john --wordlist=all.lst --rules --shells=sh,csh,tcsh,bash mypasswd

Like with all other cracking modes, it is faster to crack all the files you need cracked simultaneously:

	john --wordlist=all.lst --rules passwd1 passwd2

You can crack some passwords only. This will try cracking all root (UID 0) accounts in all the password files:

	john --wordlist=all.lst --rules --users=0 *passwd*

Alternatively, you may wish to not waste time cracking your very own passwords, if you're sure they're uncrackable:

	john --wordlist=all.lst --rules --users=-root,solar *passwd*

Sometimes it is useful to split your password hashes into two sets which you crack separately, like:

	john --wordlist=all.lst --rules --salts=2 *passwd*
	john --wordlist=all.lst --rules --salts=-2 *passwd*

This will make John try salts used on two or more password hashes first and then try the rest. Total cracking time will be almost the same, but you will get some passwords cracked earlier, which is useful, for example, for penetration testing and demonstrations to management. Similarly, you may check all password hashes with a small wordlist, but only those that you can check faster (with "--salts=2") with a larger one. With large numbers of password hashes and/or with a highly non-uniform distribution of salts, it may be appropriate to use a threshold larger than 2 with "--salts" (sometimes even values as high as 1000 will do).

Note that the default wordlist rules include ":" (a no-op - try words as they are in the list) on the first line. If you already ran through a wordlist without using rules, and then decided to also try the same wordlist with rules, you'd better comment this line out.

6. The most powerful cracking mode in John is called "incremental" (not a proper name, but kept for historical reasons). You can simply run:

	john --incremental mypasswd

or:

	john -i mypasswd

This will use the default "incremental" mode parameters, which are defined in the configuration file's section named either [Incremental:ASCII] (for most hash types) or [Incremental:LM_ASCII] (for Windows LM hashes). By default, the [Incremental:ASCII] parameters are set to use the full printable ASCII character set (95 characters) and to try all possible password lengths from 0 to 13 (if the current hash type has a lower maximum password length, incremental mode's length limit is reduced accordingly). [Incremental:LM_ASCII] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves being limited to 7 characters each.

In some cases it is faster to use some other pre-defined incremental mode parameters and only crack simpler passwords, from a limited character set. The following command will try 10 different characters only, passwords from "0" to "99999999999999999999" (in an optimal order):

	john -i=digits mypasswd

Of course, you can use most of the additional features demonstrated above for wordlist mode with "incremental" mode as well. For example, on a large-scale penetration test, you may have John crack only root (UID 0) accounts in a set of password files:

	john -i -u=0 *.pwd

7. If you've got a password file for which you already have a lot of passwords cracked or obtained by other means, and the passwords are unusual, then you may want to generate a new charset file, based on character frequencies from that password file only:

	john --make-charset=custom.chr mypasswd

Then use that new file with "incremental" mode.

If you've got many password files from a particular country, organization, etc., it might be useful to use all of them for the charset file that you then use to crack even more passwords from these files or from some other password files from the same place:

	john --make-charset=custom.chr passwd1 passwd2
	[ Configure your custom "incremental" mode now. See below. ]
	john -i=custom passwd3

You can use some pre-defined or custom word filters when generating the charset file to have John consider some simpler passwords only:

	john --make-charset=my_alpha.chr --external=filter_alpha mypasswd

If your "pot file" got large enough (or if you don't have any charset files at all), you might want to use it to generate a new set of main charset files:

	makechr

where "makechr" is a script that invokes "john --make-charset=..." with varying filenames, for all of the external mode word filters defined in the configuration file. In this example, John will overwrite the charset files with new ones that are based on your entire $JOHN/john.pot (John uses the entire "pot file" if you don't specify any password files).

8. Finally, you might want to e-mail all users with weak passwords to tell them to change their passwords. (This is not always a good idea, though, since lots of people do not check their e-mail or ignore such messages, and the messages can be a hint for crackers.) Edit the "mailer" script supplied with John: the message it sends and possibly the mail command (especially if the password file is from a different machine). Then run:

	mailer mypasswd

Reference:

[1] https://www.openwall.com/john/doc/EXAMPLES.shtml

Read More