Paul Melson's Blog: Blog about information security and other random topics (PaulM, http://www.blogger.com/profile/02530533566781746778)<br /><br />Analysis of MaliciousMacroMSBuild & Cobalt Strike Stager (2020-10-06)<p>On October 4, 2020 I came across an interesting malware sample. The payload is a Cobalt Strike Beacon stager, and the initial loader was built using MaliciousMacroMSBuild Generator, or M3G.</p><p>Here's a look at the first stage code, which is a VBA macro intended for insertion into an Office document:<br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfF-mwuZLozIfXf43fT7kTTLGWXPWQv1r12JK4FQn6ENBytlqc-p-46oJ4tPruoElXX0sfXeuJ_rOQ94SLNXZosxIkvGC5s-IEK8aQjPDFhkepCs7mbXj7OVYfh3CpXaAEQtATNKAM6pI/s303/stage1_func1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="303" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfF-mwuZLozIfXf43fT7kTTLGWXPWQv1r12JK4FQn6ENBytlqc-p-46oJ4tPruoElXX0sfXeuJ_rOQ94SLNXZosxIkvGC5s-IEK8aQjPDFhkepCs7mbXj7OVYfh3CpXaAEQtATNKAM6pI/w400-h330/stage1_func1.png" width="400" /></a></div><p></p><p>The first two functions are fairly straightforward.</p><p style="margin-left: 40px; text-align: left;">1. <span style="font-family: courier;">sBinToStr</span> takes a binary typed object and converts it to a string object</p><p style="margin-left: 40px; text-align: left;">2. 
<span style="font-family: courier;">decodeBase64</span> takes a base64 encoded string, decodes it to binary, and uses <span style="font-family: courier;">sBinToStr</span> to convert it to text</p><p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdGOirLrRLOvVjmhJDVE6WH2quW5tQh0tC9WTTgWluZjdyafY2DckWbk2urZ9-zL6x7YFwvzMdU6Nm9hrkTwFdV6lsJFqvbrCFaD_VZ9a6TG8pyh2IvumiuQ5lOgFvmR1otfAhbysDwLE/s517/stage1_func3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="517" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdGOirLrRLOvVjmhJDVE6WH2quW5tQh0tC9WTTgWluZjdyafY2DckWbk2urZ9-zL6x7YFwvzMdU6Nm9hrkTwFdV6lsJFqvbrCFaD_VZ9a6TG8pyh2IvumiuQ5lOgFvmR1otfAhbysDwLE/w400-h334/stage1_func3.png" width="400" /> </a></div><div class="separator" style="clear: both; text-align: center;"> </div>The last seven functions (in order of appearance in the file) are also mostly straightforward, with only some simple replacement obfuscation used to hide potentially problematic static strings:<p style="margin-left: 40px; text-align: left;">1. The first three functions are VBA triggers that attempt to launch the macro when the containing Office document is opened or when macros are enabled.</p><p style="margin-left: 40px; text-align: left;">2. <span style="font-family: courier;">StrRev</span> takes a string as an argument and reverses the order of the characters in the string.</p><p style="margin-left: 40px; text-align: left;">3. <span style="font-family: courier;">FileExists</span> takes a string argument, checks whether a file and path matching the content of that string exists, and returns a Boolean true or false.</p><p style="margin-left: 40px; text-align: left;">4. <span style="font-family: courier;">WhereIs</span> takes no argument, uses <span style="font-family: courier;">FileExists</span> to look for the paths of preferred versions of the .NET Framework, and returns the first matched path.</p><p style="margin-left: 40px; text-align: left;">5. <span style="font-family: courier;">Delay</span> takes a string as an argument and loops until the current time matches the argument passed. 
</p><p style="margin-left: 40px; text-align: left;"><br /></p><p style="margin-left: 40px; text-align: left;"></p><p style="text-align: left;">This function is where the fun begins:</p><p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYFbMtQuRuuVDvjlcAo6HV0S6ydjGyz9P5m3BIGjQGlUwd9UaV2aM_aS2nGBqW6esuP-OnBatOG2UYCleE2uN1QrYx6_qLSGMsWzOltpuPNiuYGqN-4yGhJURZ_mP8mPic9BcWxqRoGrM/s1275/stage1_func2.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="603" data-original-width="1275" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYFbMtQuRuuVDvjlcAo6HV0S6ydjGyz9P5m3BIGjQGlUwd9UaV2aM_aS2nGBqW6esuP-OnBatOG2UYCleE2uN1QrYx6_qLSGMsWzOltpuPNiuYGqN-4yGhJURZ_mP8mPic9BcWxqRoGrM/w640-h302/stage1_func2.png" width="640" /></a></div><p></p><p style="text-align: left;">The function <span style="font-family: courier;">hdJQbniHq</span> takes no arguments. It builds a base64 encoded string using multiple rounds of concatenation & string reversing. It opens a new file object at <span style="font-family: courier;">%USERPROFILE%\Downloads\WikiUpdate.csproj</span>, then decodes the large string containing the payload with the <span style="font-family: courier;">decodeBase64</span> function, and writes the output to a file. It then calls the <span style="font-family: courier;">Delay</span> function for a random number of seconds. 
Next it creates a new COM server application with the CLSID "<span style="font-family: courier;">{9BA05972-F6A8-11CF-A442-00A0C90A8F39}</span>", which is then used to call <span style="font-family: courier;">Document.Application.ShellExecute</span> and run <span style="font-family: courier;">msbuild.exe</span> to execute the contents of <span style="font-family: courier;">WikiUpdate.csproj</span>, with the .NET Framework location found by <span style="font-family: courier;">WhereIs</span> as an argument.<br /></p><p style="text-align: left;"> </p><p style="text-align: left;">OK, now that we understand how the macro loader works, let's see what's in the WikiUpdate.csproj payload:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivaAiK_87YiPo1sEUBES9SzcBABidKKiz_ZAKtm_gCOY4l5-TrZnQBaBNXBKRNlMU-mfUa4Thv0DJR9j5CxMzzB2_nYqy5T73hgrEAZdwm4FsgiLSOmN9RpyCiT0OOGLHOlNAI1WIUYN8/s1346/stage2_func1.png.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="562" data-original-width="1346" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivaAiK_87YiPo1sEUBES9SzcBABidKKiz_ZAKtm_gCOY4l5-TrZnQBaBNXBKRNlMU-mfUa4Thv0DJR9j5CxMzzB2_nYqy5T73hgrEAZdwm4FsgiLSOmN9RpyCiT0OOGLHOlNAI1WIUYN8/w640-h269/stage2_func1.png.png" width="640" /></a></div><p></p><p>What we can see here is the default M3G shellcode template Visual Studio project file. When run with <span style="font-family: courier;">msbuild.exe</span>, it will launch <span style="font-family: courier;">C:\Windows\System32\searchprotocolhost.exe</span> and inject the shellcode into the newly started process. 
</p><p> The base64 string can be decoded and visually inspected:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBCQp9Kt5gVciHzsckPMX2Cb_1MpB9UBrEgD1vNy_h2ykkTpRZsTWL9O4hX4IYkzW41m-zJze_MgdUqGGOBohjcmOOWZjx0UhuqmrOd7ybBkmGens4tqf-5mMxgMrriXBy7PmQqIIcbag/s1260/stage2_2.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="1260" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBCQp9Kt5gVciHzsckPMX2Cb_1MpB9UBrEgD1vNy_h2ykkTpRZsTWL9O4hX4IYkzW41m-zJze_MgdUqGGOBohjcmOOWZjx0UhuqmrOd7ybBkmGens4tqf-5mMxgMrriXBy7PmQqIIcbag/w640-h211/stage2_2.png" width="640" /></a></div><br /> <p></p><p></p><p>An IP address, User-Agent string, and URI path can all be plainly seen. Those familiar with shellcode stagers will immediately recognize this as an x64 Cobalt Strike stager.<br /></p><p></p><p>Loading the shellcode into a debugger, we can see the Windows function calls in order:<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMkCNJwlwaZ9uJtWkYAkAOX6ydMBFbHUDB0GbeKgUCUjqx3lkzQAX0GGWLkMRkyHxvNnxhlYCsFMUWDMKPj4fjE9aRDJU9VGTtdEa3L5Kay0qLY7ZINGEYcDB5z-4M2YhrWPndbg8k-I8/s1358/stage2_3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1358" data-original-width="559" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMkCNJwlwaZ9uJtWkYAkAOX6ydMBFbHUDB0GbeKgUCUjqx3lkzQAX0GGWLkMRkyHxvNnxhlYCsFMUWDMKPj4fjE9aRDJU9VGTtdEa3L5Kay0qLY7ZINGEYcDB5z-4M2YhrWPndbg8k-I8/w264-h640/stage2_3.png" width="264" /></a></div>Confirmed, Cobalt Strike HTTP stager which pulls down and executes the payload at <span style="font-family: courier;">http://10.10.10.20:8004/x4Bo</span>. 
<br /><p> </p><p> <br /></p>Posted by PaulM<br /><br />BSides Augusta 2019 (2019-10-18)<br />My PowerShell hunting presentation from <a href="https://bsidesaugusta.org/" target="_blank">BSides Augusta</a> 2019.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/pY-xTjJl-yw" width="560"></iframe>
Posted by PaulM<br /><br />BSides Augusta 2018 (2019-10-18)<br />This is the presentation I gave at <a href="https://bsidesaugusta.org/" target="_blank">BSides Augusta</a> 2018 on the <a href="https://twitter.com/ScumBots" target="_blank">@ScumBots</a> project. The GitHub repo for this project is located at <a href="https://github.com/pmelson/narc/" target="_blank">https://github.com/pmelson/narc/</a>.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/elUL5Vo1_1g" width="560"></iframe>
Posted by PaulM<br /><br />BSides Augusta 2017 (2018-07-27)<br />This is my talk from <a href="https://bsidesaugusta.org" target="_blank">BSides Augusta</a> 2017. I can't say enough good things about the caliber of speakers and the concentration of defender / Blue Team talks at their event. It has become one of my favorite cons.<br />
<br />
<iframe width="560" height="315" src="https://www.youtube.com/embed/TL5m9962WNs" frameborder="0" allowfullscreen></iframe>
<br />
Posted by PaulM<br /><br />BSides Augusta 2016 (2017-02-08)<br />Last fall, as promised, I made a return trip to <a href="http://www.securitybsides.com/w/page/104917204/BSidesAugusta%202016" target="_blank">BSides Augusta</a> to talk about malware analysis, the <a href="http://viper.li/" target="_blank">Viper Framework</a>, and threat intelligence. <br />
<br />
Here's the talk:<br />
<iframe width="560" height="315" src="https://www.youtube.com/embed/AWrjDBkqmtw" frameborder="0" allowfullscreen></iframe>
<br />
Also like last year, I released <a href="https://github.com/pmelson/viper-scripts" target="_blank">more code</a> for using Viper and VirusTotal as shown in the presentation.<br />
<br />
Posted by PaulM<br /><br />BSides Augusta Talk (2015-09-19)<br />Earlier this month I had the privilege of speaking at <a href="http://www.securitybsides.com/w/page/92419092/BSidesAugusta%202015" target="_blank">BSides Augusta</a>. I gave a lightning talk on working with the <a href="http://viper.li/" target="_blank">Viper Framework</a> for static analysis.<br />
<br />
Here's the talk:<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/jIcvI1HQsRM" width="560"></iframe>
<br />
I also released the <a href="https://github.com/pmelson/viper-scripts" target="_blank">module and API scripts</a> I wrote for the talk.<br />
<br />
I cannot say enough about the talent and the quality of the technical content in the <a href="http://www.irongeek.com/i.php?page=videos/bsidesaugusta2015/mainlist" target="_blank">BSides Augusta talks</a>. This is easily a "Top 5" defensive security event. I seriously have no idea how I managed to sneak into this speaker lineup. Definitely going back next year. <br />
<br />
<br />Posted by PaulM<br /><br />BSides Detroit Presentation (2013-08-20)<br />In June I gave a presentation at BSides Detroit entitled "Broke, Not Broken: An Effective Information Security Program With a $0 Budget." Here's the video:<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/7uuHC6UO3DI?list=UUrCKIuoas-WJiKKom14YSpA" width="560"></iframe>
<br />
I have teased the BSides Detroit organizers that they ought to rename their conference to ASides Detroit because, unlike other BSides events, it doesn't coincide with another security conference, and also because it has the best content and activities of any security conference in Detroit. If you're in Michigan or the Great Lakes region at all, I recommend making plans to attend next year. I'll be there.<br />
<br />
Also, here are some other upcoming security-related events taking place in Michigan:<br />
<br />
<ul>
<li><a href="http://grrcon.org/" target="_blank">GrrCON</a> (Sep 12-13, Grand Rapids)</li>
<li><a href="http://mi4n6.blogspot.com/" target="_blank">mi4n6</a> meeting (Sep 19, Livonia)</li>
<li><a href="https://events.esd.org/MichiganCyberSummit2013.aspx" target="_blank">Michigan Cyber Summit</a> (Oct 25, Novi) </li>
</ul>
<br />
<br />Posted by PaulM<br /><br />GrrCON 2012 Forensics Challenge Walkthrough (2012-10-13)<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">This is a walk-through of the GrrCON 2012 Forensics Challenge that was designed by Jack Crook (<a href="https://twitter.com/jackcr" target="_blank">@jackcr</a>). Special thanks to Jack for making it so much fun and challenging!</span><br />
<span style="font-family: inherit;"></span><br />
<ul>
<li><span style="font-family: inherit;">You can read about the challenge <a href="http://grrcon.org/events-training/events/" target="_blank">here</a>.</span></li>
<li><span style="font-family: inherit;">You can download the challenge files from the links <a href="http://michsec.org/2012/09/misec-meetup-october-2012/" target="_blank">here</a>.</span></li>
<li><span style="font-family: inherit;">You can watch Jack's MiSec presentation on the challenge <a href="http://www.youtube.com/watch?v=wWwzVp0pBrg" target="_blank">here</a>.</span></li>
</ul>
<br />
<span style="font-family: Courier New, Courier, monospace;">1. How was the attack delivered?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Open out.pcap in Wireshark, find first TCP session, and follow the TCP stream.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Oh, look! A file that ends in *.doc.exe, that can't be good! Note the "MZ" file magic number and "This program cannot be run in DOS mode" text -- sure signs that this is a Win32 executable file.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNoVGkFy_0s1nGIhwWcploM_0Yn5dPwG6vKuhbW6yByuzbGv8HpNlilnYdYAuGRgOsEYU3G5QC4EI3QP2njIdltf6w5j6sFiy_dMNvMVkjR5zMR_Frml1ZW60nrBCbGc0mH5Chlj_g-YU/s1600/blog1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Courier New, Courier, monospace;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNoVGkFy_0s1nGIhwWcploM_0Yn5dPwG6vKuhbW6yByuzbGv8HpNlilnYdYAuGRgOsEYU3G5QC4EI3QP2njIdltf6w5j6sFiy_dMNvMVkjR5zMR_Frml1ZW60nrBCbGc0mH5Chlj_g-YU/s1600/blog1.jpg" width="320" /></span></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;">Answer: HTTP download of http://66.32.119.38/tigers/BrandonInge/Diagnostics/swing-mechanics.doc.exe</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">2. What time was the attack delivered?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">In Wireshark, find the HTTP GET request ACK packet from the stream we just looked at. In the Frame section of the packet, locate the timestamp.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_mRK1EOT99VJZh_KyQKphdo09LKgwlVcurOWd-5nPv4C19HbgaQCOXdbUm1_tyDq-yT-iM093gISVuoYO2ycEUGXPlgyjefegobOpOj-sv5ZhK5bidUJkIy1RMgt6jOLPZelLtweX1z4/s1600/blog2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_mRK1EOT99VJZh_KyQKphdo09LKgwlVcurOWd-5nPv4C19HbgaQCOXdbUm1_tyDq-yT-iM093gISVuoYO2ycEUGXPlgyjefegobOpOj-sv5ZhK5bidUJkIy1RMgt6jOLPZelLtweX1z4/s1600/blog2.jpg" width="320" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: Apr 27, 2012 22:00:59</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">3. What was the name of the file that dropped the backdoor?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Looking at the same HTTP GET request in Wireshark, what was the name of the file from the URL?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: swing-mechanics.doc.exe</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">4. What is the IP address of the C2 server?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">In Wireshark, clear the current TCP stream filter, and browse through the packets. As the HTTP session with the malware dropper ends, we see a new outbound connection to TCP port 443 from our victim. The destination address is the command &amp; control (C2) server for our backdoor.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb9YU2dqy9zVD-n5i24ZXtvP9dsN8z8fol4R8w0lyIkk-6JgQE95oz6p85kp4dXOJDpRoE-NHB9DEIBOm6iaL4RvrH1ryKckmcGSkUBNxDf1pm6pMpLKuh-237Vqd59OZFnqefuXy4UIA/s1600/blog3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb9YU2dqy9zVD-n5i24ZXtvP9dsN8z8fol4R8w0lyIkk-6JgQE95oz6p85kp4dXOJDpRoE-NHB9DEIBOm6iaL4RvrH1ryKckmcGSkUBNxDf1pm6pMpLKuh-237Vqd59OZFnqefuXy4UIA/s1600/blog3.jpg" width="320" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: 221.54.197.32</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">5. What type of backdoor is installed?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Run foremost to extract the Win32 EXE file we found in the first question: </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">foremost -t exe out.pcap</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguu20xBp3bM6UPwrufbHeCofWWv7f6e0ZwZ7FFCK5Imq3f0TZEUW8XTRmcgvYkWuK78qYp6IUim0Tq_zS9ZIPqkpuh2TaJ4DePs3DkGiMid764qgAj7Xx8id9l5BWMNH22EDICbmZ58dU/s1600/blog4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguu20xBp3bM6UPwrufbHeCofWWv7f6e0ZwZ7FFCK5Imq3f0TZEUW8XTRmcgvYkWuK78qYp6IUim0Tq_zS9ZIPqkpuh2TaJ4DePs3DkGiMid764qgAj7Xx8id9l5BWMNH22EDICbmZ58dU/s1600/blog4.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Foremost will create an output directory with a subdirectory named 'exe' that should contain our backdoor. Now upload the file to VirusTotal. You should see that VirusTotal has already scanned this file. When I did it on 10/6, the last scan date was 9/28, the first day of GrrCON. :)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNtOglVTe2JPKFuTTw42gQZ9nuwYNGzxAveQQ-gm5XpYKmcdKns6Lv2GPbqP5HUTqs33oSjQcZTkhNBfC860BE9VUwlVUcE3a08CAZeyvwhIjKrzo66UgHtUQJnQIntjU8a0SKSZ0NWZA/s1600/blog5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNtOglVTe2JPKFuTTw42gQZ9nuwYNGzxAveQQ-gm5XpYKmcdKns6Lv2GPbqP5HUTqs33oSjQcZTkhNBfC860BE9VUwlVUcE3a08CAZeyvwhIjKrzo66UgHtUQJnQIntjU8a0SKSZ0NWZA/s1600/blog5.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Answer: Poison Ivy</span><br />
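Questions 1, 4 and 5 above, as an added Python example (mine, not from the walkthrough): a small stdlib-only pcap reader that follows each TCP stream, flags HTTP responses whose body starts with an MZ header, checks for the PE signature and the "This program cannot be run in DOS mode" stub text (what you see in the followed stream and what foremost -t exe carves), and then lists the new outbound connections the victim opened afterwards. The capture is constructed inline; the server, URL path and C2 address are the walkthrough's, while the client address, ports, timestamps and the 8,192-byte dummy executable are made up.

```python
import struct
from datetime import datetime, timezone

# ---- constructed sample capture, a stand-in for the challenge's out.pcap ----------------
# Server, path and C2 address come from the walkthrough; the client address, ports,
# timestamps and the 8,192-byte "executable" body are made up.
CLIENT, SERVER, C2 = "10.0.0.5", "66.32.119.38", "221.54.197.32"
T0 = int(datetime(2012, 4, 27, 22, 0, 59, tzinfo=timezone.utc).timestamp())


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _record(ts, src, sport, dst, dport, seq, flags, payload=b""):
    """One Ethernet/IPv4/TCP pcap record; checksums stay zero because nothing here verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst)) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


# MZ header, e_lfanew at 0x3c pointing at "PE\0\0", the DOS-stub text at its usual 0x4e, zero padding
_EXE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * 14 + b"This program cannot be run in DOS mode.\r\n$"
_EXE = (_EXE.ljust(0x80, b"\x00") + b"PE\x00\x00").ljust(8192, b"\x00")
_REQ = b"GET /tigers/BrandonInge/Diagnostics/swing-mechanics.doc.exe HTTP/1.1\r\nHost: 66.32.119.38\r\n\r\n"
_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 8192\r\n\r\n" + _EXE
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record(T0, CLIENT, 49152, SERVER, 80, 1, 0x18, _REQ),
    _record(T0 + 1, SERVER, 80, CLIENT, 49152, 1 + 1460, 0x18, _RESP[1460:]),  # second segment first
    _record(T0, SERVER, 80, CLIENT, 49152, 1, 0x18, _RESP[:1460]),
    _record(T0 + 3, CLIENT, 49153, C2, 443, 1, 0x02),                          # SYN to the C2
])


def iter_packets(pcap):
    """Yield (ts, src, sport, dst, dport, seq, flags, payload) for every IPv4/TCP record."""
    off = 24                                                # skip the pcap global header
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:      # IPv4 carrying TCP only
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]
        sport, dport, seq, _, doff, flags = struct.unpack_from("!HHIIBB", tcp)
        yield ts, src, sport, dst, dport, seq, flags, tcp[(doff >> 4) * 4:]


def follow_streams(pcap):
    """Per direction, order segments by sequence number: Wireshark's 'Follow TCP Stream'."""
    segs = {}
    for ts, src, sport, dst, dport, seq, _, data in iter_packets(pcap):
        if data:
            segs.setdefault((src, sport, dst, dport), []).append((seq, ts, data))
    return {k: (min(t for _, t, _ in v), b"".join(d for _, _, d in sorted(v))) for k, v in segs.items()}


def _header(head, name, default):
    for line in head.split(b"\r\n"):
        if line.lower().startswith(name):
            return line.split(b":", 1)[1].strip()
    return default


def find_exe_downloads(pcap):
    """HTTP responses whose body starts with 'MZ': the files 'foremost -t exe out.pcap' would carve."""
    streams, hits = follow_streams(pcap), []
    for (src, sport, dst, dport), (ts, data) in streams.items():
        head, _, body = data.partition(b"\r\n\r\n")
        if not head.startswith(b"HTTP/1.") or not body.startswith(b"MZ"):
            continue
        exe = body[:int(_header(head, b"content-length:", len(body)))]
        e_lfanew = struct.unpack_from("<I", exe, 0x3C)[0] if len(exe) >= 0x40 else 0
        _, req = streams.get((dst, dport, src, sport), (None, b""))      # the client's request
        path = req.split(b" ")[1].decode() if req.startswith(b"GET ") else "?"
        host = _header(req.partition(b"\r\n\r\n")[0], b"host:", src.encode()).decode()
        hits.append({"ts": ts, "client": dst, "url": f"http://{host}{path}", "size": len(exe),
                     "pe_signature": exe[e_lfanew:e_lfanew + 4] == b"PE\x00\x00",
                     "dos_stub": b"This program cannot be run in DOS mode" in exe})
    return hits


def outbound_connections_after(pcap, ts, client):
    """New outbound SYNs from the victim at or after a timestamp: where the dropped file phoned home."""
    return sorted({(dst, dport) for t, src, _, dst, dport, _, flags, _ in iter_packets(pcap)
                   if src == client and t >= ts and flags & 0x12 == 0x02})


if __name__ == "__main__":
    for hit in find_exe_downloads(SAMPLE_PCAP):
        print(hit)
        print("then connected to:", outbound_connections_after(SAMPLE_PCAP, hit["ts"], hit["client"]))
```

The out-of-order segment in the sample is deliberate: carving on a per-packet basis would split the MZ header from the PE signature, which is why reassembly by sequence number comes before any file-magic check.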
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">6. What is the mutex the backdoor is using?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">This is the first answer to the challenge you have to work hard for. In order to do this the right way, you must use the memory dump to identify which process initiated the connection to the C2 server, then use its PID to find the base address and memory range, then use that to match any mutexes for that range. (You can cheat here and Google search Poison Ivy mutexes and see if any of them are present in the mutantscan output, too, but as I said, that's cheating. :)) </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">First, find the process that's connecting to the C2 from question #5. </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">vol.py -f memdump.img connscan |grep 221.54.197.32</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmK5pz_8hcpUoiCyYef4wtKoD5pb2Zy0vtMh9K_5sueWz_UONVOUmiXAmLarzjLoNB97uw8NsifPcm1VuZccoLpJTYgtWifzy0PhucGUkwo5mg68bMP6UqBAItyCDxK3C4OrhaKEB6-OY/s1600/blog6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmK5pz_8hcpUoiCyYef4wtKoD5pb2Zy0vtMh9K_5sueWz_UONVOUmiXAmLarzjLoNB97uw8NsifPcm1VuZccoLpJTYgtWifzy0PhucGUkwo5mg68bMP6UqBAItyCDxK3C4OrhaKEB6-OY/s1600/blog6.jpg" width="320" /></a></div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<span style="font-family: Courier New, Courier, monospace;">We see it's the process at PID 1096. So now we need to find out what process it is and, more importantly, its base address and memory range.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">vol.py -f memdump.img psscan |grep 1096</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtTY8ae7zbZfe0SyiszZOKegp8CWj3SK5H-B7KeOsa6ewkinUtRzBOFmmViIca3E4RxID_adMloEqzRdWzNkk86fyWHbnrGgWGzcHOmcX2KTCNz1fbTIOCoQ9M0Mo-uwWEmkWVsbCDWsg/s1600/blog7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtTY8ae7zbZfe0SyiszZOKegp8CWj3SK5H-B7KeOsa6ewkinUtRzBOFmmViIca3E4RxID_adMloEqzRdWzNkk86fyWHbnrGgWGzcHOmcX2KTCNz1fbTIOCoQ9M0Mo-uwWEmkWVsbCDWsg/s1600/blog7.jpg" width="320" /></a></div>
<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">Uh-oh, that's explorer.exe, isn't it? Process injecting basterds! The base address of our pwned process is 0x0214a020. Any mutexes we find in that range are of interest to us.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">vol.py -f memdump.img -s mutantscan |grep 0x0214</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAyawCJc-X0b0MO8hq387PTd_Qlrln7RDziYKaL7pHbGsTw2YsJDdVFvWy4nwDpc6oZciJ-a4qT5jGAbdGk6X14NseypwZ9ZwA4KDoqqHFo5mUc2DhNbrWdzpa0xzqTC3cmJciiT4jWEk/s1600/blog8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAyawCJc-X0b0MO8hq387PTd_Qlrln7RDziYKaL7pHbGsTw2YsJDdVFvWy4nwDpc6oZciJ-a4qT5jGAbdGk6X14NseypwZ9ZwA4KDoqqHFo5mUc2DhNbrWdzpa0xzqTC3cmJciiT4jWEk/s1600/blog8.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">There happens to be a funny-looking mutex close to our base address. It's not a guarantee that this is the answer we're looking for, but a quick Google search for "Poison Ivy mutex" validates the finding.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: ")!VoqA.I4"</span><br />
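Questions 6 and 8 above, as an added Python example (mine, not from the walkthrough): parse the connscan, psscan and mutantscan text output, follow the C2 address to a PID, the PID to a process name and EPROCESS offset, and the offset to candidate mutants. The sample output is constructed: the C2 address, PID, process name, 0x0214a020 offset and mutex name are the ones above; the victim's local address, the other offsets, thread and CID values are made up. Besides the offset-prefix grep the walkthrough uses, the code also checks mutantscan's CID column (pid:tid of the thread holding the mutant, blank when nobody holds it), which ties a mutant to a process directly.

```python
import re

# Constructed vol.py (Volatility 2) output trimmed to the rows that matter. The C2 address,
# PID, process name, EPROCESS offset and mutex name are the walkthrough's; the local
# address, the other offsets, thread pointers and CID values are made up.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f8e4e8 192.168.1.105:1035        66.32.119.38:80           1096
0x0214b1c8 192.168.1.105:1037        221.54.197.32:443         1096
"""
PSSCAN = """\
Offset(P)  Name             PID  PPID PDB        Time created                Time exited
---------- ---------------- ---- ---- ---------- --------------------------- ---------------------------
0x0214a020 explorer.exe     1096 1072 0x0a1c0000 2012-04-27 21:50:02 UTC+0000
0x021e7da0 svchost.exe      1140 680  0x0a1c0060 2012-04-27 21:50:03 UTC+0000
"""
MUTANTSCAN = """\
Offset(P)  #Ptr #Hnd Signal Thread     CID       Name
---------- ---- ---- ------ ---------- --------- ----
0x0214c0f8    2    1      0 0x82187da8 1096:1124 )!VoqA.I4
0x02331d60    3    2      1 0x00000000           ShimCacheMutex
"""

# One row pattern per plugin; header and divider lines simply fail to match.
ROW = {
    "connscan": re.compile(r"^(?P<offset>0x[0-9a-f]+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<pid>\d+)\s*$"),
    "psscan": re.compile(r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
                         r"(?P<pdb>0x[0-9a-f]+)\s+(?P<created>.*?)\s*$"),
    "mutantscan": re.compile(r"^(?P<offset>0x[0-9a-f]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+(?P<signal>\d+)\s+"
                             r"(?P<thread>0x[0-9a-f]+)\s+(?:(?P<cid_pid>\d+):(?P<cid_tid>\d+)\s+)?(?P<name>.*?)\s*$"),
}


def parse_rows(plugin, text):
    """Turn a plugin's text table into a list of dicts keyed by column."""
    return [m.groupdict() for m in (ROW[plugin].match(line) for line in text.splitlines()) if m]


def pids_talking_to(connscan_text, remote_ip):
    """Step 1: which PIDs own a socket to the C2 (connscan also recovers already-closed ones)."""
    return sorted({int(r["pid"]) for r in parse_rows("connscan", connscan_text)
                   if r["remote"].rsplit(":", 1)[0] == remote_ip})


def process_by_pid(psscan_text, pid):
    """Step 2: name and physical EPROCESS offset for that PID."""
    return next((r for r in parse_rows("psscan", psscan_text) if int(r["pid"]) == pid), None)


def mutants_for(mutantscan_text, proc, window=0x10000):
    """Step 3: mutants tied to the process. 'cid' means the CID column names this PID as the
    holder; 'offset' is the walkthrough's looser heuristic of a physical offset within one
    64 KiB page-prefix window of the EPROCESS offset (the 'grep 0x0214' above)."""
    base, pid = int(proc["offset"], 16), proc["pid"]
    hits = []
    for r in parse_rows("mutantscan", mutantscan_text):
        reasons = []
        if r["cid_pid"] == pid:
            reasons.append("cid")
        if abs(int(r["offset"], 16) - base) < window:
            reasons.append("offset")
        if reasons:
            hits.append((r["name"], reasons))
    return hits


def investigate(connscan_text, psscan_text, mutantscan_text, c2_ip):
    """Chain the three steps from a C2 address to (process, PID, candidate mutexes)."""
    findings = []
    for pid in pids_talking_to(connscan_text, c2_ip):
        proc = process_by_pid(psscan_text, pid)
        if proc is None:
            continue
        findings.append({"pid": pid, "process": proc["name"], "offset": proc["offset"],
                         "mutexes": mutants_for(mutantscan_text, proc)})
    return findings


if __name__ == "__main__":
    for f in investigate(CONNSCAN, PSSCAN, MUTANTSCAN, "221.54.197.32"):
        print(f)
```

A mutant that matches on "cid" is a far stronger link than one that matches on "offset" alone; the pool allocations for a process's EPROCESS and its mutants are not guaranteed to be neighbours, so an offset-only hit still wants the external confirmation the walkthrough gets from searching the name.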
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">7. Where is the backdoor placed on the filesystem?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">To answer this question, we'll examine the SleuthKit file (compromised.timeline) that Jack was kind enough to include in this challenge. We'll start by looking around the time that the backdoor was downloaded (4/27/12, 22:00:59) in question #2 and working forward. Also, we'll want to look
for any files that are the same size as the one we extracted from the
pcap file with foremost (8,192 bytes) in question #5.</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><i>(Note: If you got stuck here at GrrCON because you assumed that the filesystem time and the packet capture time were perfectly in sync, you learned the most valuable lesson there is in DFIR. There is always drift in timestamps between sources. Unfortunately, you learned it the hard way.)</i> </span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyYrXOjbgJD45Bp7e2ZIF1Sdqkkdw4dz4H8BRzQYnUc7pdqH85nnuKKKvMxY13r7m6V6gW1rvstk3P77CyqYdDMUHN-cNuLswUjqc2J5zrTNnOxAVHzdefcEqMPnEqjf1DsuJc610Bq4w/s1600/blog9.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyYrXOjbgJD45Bp7e2ZIF1Sdqkkdw4dz4H8BRzQYnUc7pdqH85nnuKKKvMxY13r7m6V6gW1rvstk3P77CyqYdDMUHN-cNuLswUjqc2J5zrTNnOxAVHzdefcEqMPnEqjf1DsuJc610Bq4w/s1600/blog9.jpg" width="320" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;"></span>
<span style="font-family: Courier New, Courier, monospace;">At 21:59:20 on 4/27/12, we find the prefetch temp file for the swing-mechanics.doc.exe file, and immediately after it, another file that matches the size of that file from our pcap being written to c:\windows\system32\svchosts.exe. </span><br />
<br />
<i><span style="font-family: Courier New, Courier, monospace;">(Note: There is a svchost.exe file in %systemroot%\system32 on WinXP and Win7, but there is no svchosts.exe, another clue that this is not legit.)</span></i><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: C:\WINDOWS\system32\svchosts.exe</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">8. What process name and process id is the backdoor running in?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Now, if you got this far, but cheated at question #6 instead of doing the work, you may have run the Volatility pslist module, seen svchost.exe, and given the wrong answer. Oops! Cheaters never prosper. We already know that the right answer is explorer.exe and its PID is 1096.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: explorer.exe 1096</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">9. What additional tools do you believe were placed on the machine?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Back to where we left off in question #7. Keep working forward in the SleuthKit timeline, and...</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0vVnVi4D5eEb8hKCg03FPTsA590zzX0MdvtML1zw8eBF2BIxwIblHWYe2Ggc4ndvZLnGEaXXJfzmefIACHraSPoAukTh05xGRPhIGb0uEm4VU07UgRFc9TgiFIm_-usyJwBauVrbX_JI/s1600/blog10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0vVnVi4D5eEb8hKCg03FPTsA590zzX0MdvtML1zw8eBF2BIxwIblHWYe2Ggc4ndvZLnGEaXXJfzmefIACHraSPoAukTh05xGRPhIGb0uEm4VU07UgRFc9TgiFIm_-usyJwBauVrbX_JI/s1600/blog10.jpg" width="320" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;">That's weird. Prefetch files indicate a program launch. Somebody ran net.exe, ipconfig.exe, and ping.exe. Likely our attacker testing network connectivity. ;-) But wait! There's more!</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq-0E_sJppfZfDr24k7m5urf6XqdwWOatRGNYbIWGYd6TCc38s2orkGq7jfHkQ5GXzEuYZsPxdx8Nny3iIMnrUVze6U0zskeeyHyKOxRqWNz-D3s_NqOUizIBla5kACTUndhyINIyBQyc/s1600/blog11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq-0E_sJppfZfDr24k7m5urf6XqdwWOatRGNYbIWGYd6TCc38s2orkGq7jfHkQ5GXzEuYZsPxdx8Nny3iIMnrUVze6U0zskeeyHyKOxRqWNz-D3s_NqOUizIBla5kACTUndhyINIyBQyc/s1600/blog11.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">One thing DFIR will do to you is make you something of an expert on the names of files and folders that live within C:\WINDOWS, and, well, this doesn't look right for a lot of reasons. And when we see a file named sysmon.exe (which normally lives in \WINDOWS\system32) created in this folder, and it's the same size as our binary from question #5 (8,192 bytes), we know we're looking at more bad stuff. So in addition to a backup copy of our backdoor, there are a text file of some kind (f.txt) and four additional executables (g.exe, p.exe, r.exe, and w.exe).</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">You can also find the handles to these files in memory with volatility:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">vol.py -f memdump.img filescan |grep -i svchosts.exe</span><br />
<span style="font-family: Courier New, Courier, monospace;">vol.py -f memdump.img filescan |grep -i systems</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjYomG1-XhHN3HE7fyZlDpIFeAJ9OrenWA18s_9af_MUpqghP46jOuGoNsuK93g4JrM1elz5ANQmfgWeMjfipwfp6u9p9DUmz18h8lw1YCLvcuZ9hQ3MGABdFzdWmt9LyPK1Rx9phkC2s/s1600/blog12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjYomG1-XhHN3HE7fyZlDpIFeAJ9OrenWA18s_9af_MUpqghP46jOuGoNsuK93g4JrM1elz5ANQmfgWeMjfipwfp6u9p9DUmz18h8lw1YCLvcuZ9hQ3MGABdFzdWmt9LyPK1Rx9phkC2s/s1600/blog12.jpg" width="320" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;">Answer: g.exe, p.exe, r.exe, w.exe, and sysmon.exe</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">10. What directory was created to place the newly dropped tools?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: C:\WINDOWS\system32\systems</span><br />
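<p>The file-system clues above (a look-alike name, a known binary name in the wrong folder, a fresh subdirectory under system32 full of executables, files sharing the size of a known-bad binary) can be turned into a repeatable check. The script below is an added example, not part of the original writeup or of The Sleuth Kit: it reads a TSK body file (the input to mactime) and flags those four patterns. The body lines, the list of "known" system binary names and the list of expected system32 subdirectories are constructed assumptions for the example and should be tuned to the Windows build being examined.</p>

```python
"""Added example: triage a Sleuth Kit body file for the file-system clues used above."""
import os

# Windows binaries that malware commonly imitates or drops copies of (assumption: tune per build).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "sysmon.exe",
}
SYSTEM32 = "c:/windows/system32"
# Subdirectories of system32 where executables are expected (assumption, not exhaustive).
EXPECTED_SUBDIRS = {"drivers", "wbem", "config", "dllcache", "spool", "inetsrv"}

# Constructed sample in TSK 3.x body format (not from the challenge image):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|C:/WINDOWS/system32/svchost.exe|101|r/rrwxrwxrwx|0|0|14336|0|0|0|1300000000
0|C:/WINDOWS/system32/svchosts.exe|102|r/rrwxrwxrwx|0|0|8192|0|0|0|1335581960
0|C:/WINDOWS/system32/systems/sysmon.exe|103|r/rrwxrwxrwx|0|0|8192|0|0|0|1335582100
0|C:/WINDOWS/system32/systems/w.exe|104|r/rrwxrwxrwx|0|0|64512|0|0|0|1335582110
0|C:/WINDOWS/system32/systems/f.txt|105|r/rrwxrwxrwx|0|0|1024|0|0|0|1335582120
0|C:/WINDOWS/system32/wbem/wmiprvse.exe|106|r/rrwxrwxrwx|0|0|218112|0|0|0|1300000000
"""


def parse_body(text):
    """Return (path, size, crtime) tuples from body-format lines; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        entries.append((fields[1], int(fields[6]), int(fields[10])))
    return entries


def edit_distance_one(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def triage(entries, suspect_size=None):
    """Return [(path, reason)] for entries worth a closer look, ordered by creation time."""
    findings = []
    for path, size, _crtime in sorted(entries, key=lambda e: e[2]):
        norm = path.replace("\\", "/").lower()
        directory, name = os.path.split(norm)
        if not name.endswith(".exe"):
            continue
        if name in KNOWN_SYSTEM_BINARIES:
            if directory != SYSTEM32:
                findings.append((path, "known system binary name outside system32"))
        else:
            for known in KNOWN_SYSTEM_BINARIES:
                if edit_distance_one(name, known):
                    findings.append((path, f"look-alike of {known}"))
                    break
        if directory.startswith(SYSTEM32 + "/"):
            subdir = directory[len(SYSTEM32) + 1:].split("/")[0]
            if subdir not in EXPECTED_SUBDIRS:
                findings.append((path, f"executable in unexpected system32 subdirectory '{subdir}'"))
        if suspect_size is not None and size == suspect_size:
            findings.append((path, f"same size as known-bad binary ({suspect_size} bytes)"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_body(SAMPLE_BODY), suspect_size=8192):
        print(f"{path}: {reason}")
```

<p>Run against a real body file (fls -m output) with suspect_size set to the size of the binary carved from the pcap, the same three files the timeline walk turned up fall out automatically, while svchost.exe and wmiprvse.exe in their normal locations stay quiet.</p>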
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">11. How did the attacker escalate privileges?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">We can assume from the work we did in #9 and #10 that those binaries aren't copies of calc.exe, so likely one of them was used for privilege escalation. </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">It would be great if we could extract them from the memory image, but since we didn't see them when we used the volatility psscan module, our chances aren't very good. Maybe we can find the command syntax that was used and get an idea of which tool was used to do what?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">vol.py -f memdump.img cmdscan</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhezmc91aTL2DpYEarn0rvk_D9fa1J9MEJM0j_ozhyphenhyphen9kCEaVE3eY3SbsQ5K89sp0VbhpCkmpUCf9NjSTo0fh5nwZEVriQfsYqVHLZIcLUKdMVp7Av8oqKvZftNEZchZgv66N1tkBRbmTqU/s1600/blog13.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhezmc91aTL2DpYEarn0rvk_D9fa1J9MEJM0j_ozhyphenhyphen9kCEaVE3eY3SbsQ5K89sp0VbhpCkmpUCf9NjSTo0fh5nwZEVriQfsYqVHLZIcLUKdMVp7Av8oqKvZftNEZchZgv66N1tkBRbmTqU/s1600/blog13.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Well, that looks like an FTP command mixed in with Jack creating the memory dump we're analyzing, which is interesting, but not what we're looking for. Yet.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><i>(Note: There's a good point to be made here about how by gathering the evidence, evidence was also destroyed. In the process of copying down and running mdd, Jack also overwrote most of the cmd.exe history that we are interested in for this question.)</i></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">So, no easy win to be had here. Maybe we can find what we're looking for in strings. We'll use strings and the volatility strings module to pull all of the strings at least 5 characters long out of our memory image and see if we can find anything in there. Looking at the SleuthKit timeline file, we see that w.exe was the first of the suspicious binaries to be launched, so we'll look for that in particular.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">strings -n 5 -t o memdump.img >strings.txt</span><br />
<span style="font-family: Courier New, Courier, monospace;">vol.py -f memdump.img strings -s strings.txt >vol-strings.txt</span><br />
<span style="font-family: Courier New, Courier, monospace;">grep w\.exe vol-strings.txt</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxB0ibU4mjoSznPxqyRMbZ6MV8IdwG0-KiMeGtaMSrhj0Xxi1UgcSOkIDg1dO18ar-EbowxYM8SAn8AJUf-qr7wwp2msbgi4lFgVIte5SAjxOIeCGDSRRmBOE-32aO498IGxKfzpanyZk/s1600/blog14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxB0ibU4mjoSznPxqyRMbZ6MV8IdwG0-KiMeGtaMSrhj0Xxi1UgcSOkIDg1dO18ar-EbowxYM8SAn8AJUf-qr7wwp2msbgi4lFgVIte5SAjxOIeCGDSRRmBOE-32aO498IGxKfzpanyZk/s1600/blog14.jpg" width="320" /></a></div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Bingo! Those command line arguments are the username, domain name, NTLM hash, and program to run for a pass the hash attack tool of some sort. So now our attacker is running cmd.exe as Administrator. Possibly for the whole COMPANY-A domain. </span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">If this is your network, this is where you excuse yourself to put on clean shorts.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: pass-the-hash attack</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">12. What level of privileges did the attacker obtain?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">See above.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: Administrator</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">13. How was lateral movement performed?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Once we understand that the attacker has become COMPANY-A\Administrator on what is probably an Active Directory domain controller, they can go wherever they want. Let's look for hostnames that aren't dc01.company-a.com and see if they did anything interesting there.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">grep -i \.company-a\.com vol-strings.txt</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAKxqLhEfekv4J5_LrfK4IPH3EbhVgBFQaNTPyNVZ-5yuuZVHX6JizubZ9f0bD_RlBA182rjHFLSR9n7DWlBCUmP2YYW0M44aRMBhbu1HbizowfhKnnHYnGsqwtpY2TjHUSGmQTDjHwoI/s1600/blog15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAKxqLhEfekv4J5_LrfK4IPH3EbhVgBFQaNTPyNVZ-5yuuZVHX6JizubZ9f0bD_RlBA182rjHFLSR9n7DWlBCUmP2YYW0M44aRMBhbu1HbizowfhKnnHYnGsqwtpY2TjHUSGmQTDjHwoI/s1600/blog15.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">In addition to our own hostname, we see the following:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">dc01.company-a.com</span><br />
<span style="font-family: Courier New, Courier, monospace;">res-lab02.company-a.com</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">If we look back to when we ran the volatility connscan plugin for question #6, we saw a bunch of NetBIOS and LDAP connections to 172.16.150.10, which is dc01.company-a.com. That's pretty much a tell-tale sign that dc01 is the COMPANY-A domain controller. Which means our attacker is in fact a domain admin, and can pivot freely onto dc01 and anything else he wants. Maybe he'll do something like map a drive later. Who knows?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: Credential re-use as Administrator</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">14. What was the first sign of lateral movement?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Now that I think of it, was there anything from 172.16.150.10 in the pcap file?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">ssldump -n -r out.pcap</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ-SuUpXzC0ypYa4MfS3P4WuPxkrfNHRQQGbt_r9s_uywxMM18ExBN3PE3-3CBuFFWybMT65LXwgA7MAvmSLCCJylJdroprpD1B4QBKH3sjV_9JBqk2trjd8lhBV7BweUxqSWk3O82GyI/s1600/blog16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ-SuUpXzC0ypYa4MfS3P4WuPxkrfNHRQQGbt_r9s_uywxMM18ExBN3PE3-3CBuFFWybMT65LXwgA7MAvmSLCCJylJdroprpD1B4QBKH3sjV_9JBqk2trjd8lhBV7BweUxqSWk3O82GyI/s1600/blog16.jpg" width="320" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;">You can do this in Wireshark, too, but one trick I wanted to show off is ssldump's ability to summarize all of the TCP sessions in a pcap file. Oh, and it looks like dc01 is also phoning home to the C2 server. Hope you packed two pairs of clean shorts.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: Well, I saw the C2 traffic from dc01 in the pcap file before any of the other evidence, so that's my answer. </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><i>(Note: I think the login to the domain controller as Administrator from a workstation, which came first, should also be caught by the security ops team if they are monitoring the security EventLog on the domain controllers. (Which they should be!))</i></span><br />
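<p>The detection the note above asks for is cheap to write. The script below is an added example (not from the original post and not a product rule): it reads Windows Security event 4624 records from a domain controller and alerts when a privileged account logs on over the network (logon type 3) or RDP (type 10) from anything other than an approved admin host, then reports the earliest hit as the first sign of lateral movement. The events are constructed dicts shaped like the EventData fields of 4624, and the approved-host address is an assumption for the example.</p>

```python
"""Added example: spot a privileged network logon to a domain controller in 4624 events."""
from datetime import datetime

PRIVILEGED_ACCOUNTS = {"administrator"}      # extend with Domain Admins members in practice
DOMAIN_CONTROLLERS = {"dc01"}
APPROVED_ADMIN_SOURCES = {"172.16.150.5"}    # assumed admin jump host (constructed value)
REMOTE_LOGON_TYPES = {3, 10}                  # 3 = network (SMB, net use), 10 = RemoteInteractive (RDP)

# Constructed 4624/4634 records, not real logs from the challenge.
SAMPLE_EVENTS = [
    {"TimeCreated": "2012-04-27T22:03:10", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "jsmith", "TargetDomainName": "COMPANY-A", "LogonType": "3",
     "IpAddress": "172.16.150.20", "WorkstationName": "RES-LAB01"},
    {"TimeCreated": "2012-04-27T22:04:41", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "Administrator", "TargetDomainName": "COMPANY-A", "LogonType": "3",
     "IpAddress": "172.16.150.20", "WorkstationName": "RES-LAB01"},
    {"TimeCreated": "2012-04-27T22:05:02", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "Administrator", "TargetDomainName": "COMPANY-A", "LogonType": "3",
     "IpAddress": "172.16.150.5", "WorkstationName": "ADMIN-JUMP"},
    {"TimeCreated": "2012-04-27T22:06:30", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "Administrator", "TargetDomainName": "COMPANY-A", "LogonType": "2",
     "IpAddress": "127.0.0.1", "WorkstationName": "DC01"},
    {"TimeCreated": "2012-04-27T22:07:15", "Computer": "dc01", "EventID": 4634,
     "TargetUserName": "Administrator", "TargetDomainName": "COMPANY-A", "LogonType": "3"},
    {"TimeCreated": "2012-04-27T22:09:00", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "Administrator", "TargetDomainName": "COMPANY-A", "LogonType": "10",
     "IpAddress": "172.16.150.20", "WorkstationName": "RES-LAB01"},
]


def is_suspicious_admin_logon(ev):
    """Privileged remote logon to a DC from a host that is not on the approved list."""
    return (ev.get("EventID") == 4624
            and ev.get("Computer", "").lower() in DOMAIN_CONTROLLERS
            and ev.get("TargetUserName", "").lower() in PRIVILEGED_ACCOUNTS
            and int(ev.get("LogonType", 0)) in REMOTE_LOGON_TYPES
            and ev.get("IpAddress") not in APPROVED_ADMIN_SOURCES)


def find_alerts(events):
    """All matching events, oldest first."""
    alerts = [ev for ev in events if is_suspicious_admin_logon(ev)]
    alerts.sort(key=lambda ev: datetime.fromisoformat(ev["TimeCreated"]))
    return alerts


def first_lateral_movement(events):
    """The earliest alert, i.e. the first sign of lateral movement, or None."""
    alerts = find_alerts(events)
    return alerts[0] if alerts else None


def describe(ev):
    return (f"{ev['TimeCreated']} {ev['TargetDomainName']}\\{ev['TargetUserName']} "
            f"logon type {ev['LogonType']} to {ev['Computer']} from "
            f"{ev['WorkstationName']} ({ev['IpAddress']})")


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print(describe(ev))
```

<p>Logon type 2 (interactive at the console) and the approved jump host are deliberately excluded so the rule stays quiet on routine administration; the constructed workstation logon at 22:04:41 is what a SIEM watching the DC's security log would have surfaced well before any packet capture was looked at.</p>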
<br />
<span style="font-family: Courier New, Courier, monospace;">15. What documents were exfiltrated?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">For this one, we had to wander around in the vol-strings.txt file we made to put the pieces together:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">less vol-strings.txt</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5hkMHmO5Cgx96KM7PE87pQJSdZHt52j3XiCjEpeWBMRXh5rDsa90Ffcat9w5YupGX5Xo7gKUTcloPs8euIPQMgewoZHKSA7RcLbdqLhPGIRsmbLtX2YdiTwJ-qD3p1fo1bZERNcxZI7M/s1600/blog17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5hkMHmO5Cgx96KM7PE87pQJSdZHt52j3XiCjEpeWBMRXh5rDsa90Ffcat9w5YupGX5Xo7gKUTcloPs8euIPQMgewoZHKSA7RcLbdqLhPGIRsmbLtX2YdiTwJ-qD3p1fo1bZERNcxZI7M/s1600/blog17.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVuJ8uC6AYQOEGxd3z8qQqKS-7mh8oeGvp0ZFqgTiufWHPafmZyBc4hVtdwHv1g3cGLvUJRaKb7OkaMqYIDzfRyn3z0EQrRh6n42KngdNSSa3XkIYQMa-ZBsynLZvzuW_XdY6Q_kxB5hY/s1600/blog18.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVuJ8uC6AYQOEGxd3z8qQqKS-7mh8oeGvp0ZFqgTiufWHPafmZyBc4hVtdwHv1g3cGLvUJRaKb7OkaMqYIDzfRyn3z0EQrRh6n42KngdNSSa3XkIYQMa-ZBsynLZvzuW_XdY6Q_kxB5hY/s1600/blog18.jpg" width="320" /></a></div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">So I admit, this is a bit of a guess, but all of this looks suspicious to me. Here we have a set of files that look like the kinds of things we would want to exfiltrate. Then not that far away, we have a net use mapping a drive to dc01, then making a local directory named "1" (if you look around some more, you discover it's C:\WINDOWS\system32\systems\1). After that, the files from the shared drive are copied to that folder, and that folder is compressed in a rar file and password protected. Then an FTP command is made. That looks like data exfiltration to me.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: confidential1.pdf, confidential2.pdf, confidential3.pdf</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><i>(Note: You will see later that I'm close, but managed to miss about half of the files.)</i></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">16. How and where were the documents exfiltrated?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: FTP to 66.32.119.38</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">17. What additional steps did the attacker take to maintain access?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Unless I missed something (which is actually quite likely), we already talked about this in question #14.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: Installed Poison Ivy RAT on dc01</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">18. How long did the attacker have access to the network?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">So, there are two possible answers Jack is looking for. There's the cynical defeatist answer, "Clearly as long as he wanted." Or there's the specific answer whereby we look at the time from the start of the first C2 connection to the end of the data exfiltration. For that, we fire up Wireshark:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoBZ9nky8te1sQhCDK4bJ-9PM6vx8tLEn6tfBGtsDC7tZnB_bjh5XSWfEt6zYAuCSAOXMwjRGrq6XwqbIwDk1we3G2j6Fp2bvKgYfB6swAEekx0pY3X0lykQKxqiMG3ipHExFgVmPtjmk/s1600/blog19.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoBZ9nky8te1sQhCDK4bJ-9PM6vx8tLEn6tfBGtsDC7tZnB_bjh5XSWfEt6zYAuCSAOXMwjRGrq6XwqbIwDk1we3G2j6Fp2bvKgYfB6swAEekx0pY3X0lykQKxqiMG3ipHExFgVmPtjmk/s1600/blog19.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgroaGTJDO4YHsfdqHQ6Fkw2jjBG6yRAXaLBS6iszIL4XMk_ei3zMDW0jNw-r_lhZyld40FhiuTcu467rqukzJRbnG9ZCCOmImio9HclAuA647Nkoy18m2ciBHUiK5sV-Jpreb4bGGxIew/s1600/blog20.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgroaGTJDO4YHsfdqHQ6Fkw2jjBG6yRAXaLBS6iszIL4XMk_ei3zMDW0jNw-r_lhZyld40FhiuTcu467rqukzJRbnG9ZCCOmImio9HclAuA647Nkoy18m2ciBHUiK5sV-Jpreb4bGGxIew/s1600/blog20.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">The first screen is the first packet of the first C2 connection, when our attacker actually got control of the first victim system. The second screen has the filter tcp.flags.fin == 1 applied to prove a point. The last packets in the pcap file are ACKs for the C2 connections to both 172.16.150.20 and 172.16.150.10 (res-lab01 and dc01 respectively). The FTP connections complete at 22:13:26, but the C2 goes on, likely past the end of the file.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: 12 minutes, 21 seconds (or indefinitely)</span><br />
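<p>Both the ssldump session summary from question #14 and the dwell-time calculation just done in Wireshark reduce to the same bookkeeping: group packets into TCP sessions by the client's SYN, note which ones saw a FIN, and subtract timestamps. The script below is an added example that is not part of the original writeup or of ssldump. It assumes packets have already been decoded into (time, src, sport, dst, dport, flags) tuples; the sample tuples are constructed to mirror the timing in the writeup rather than read from the challenge pcap, and 203.0.113.10 is a documentation-range placeholder standing in for the C2 address (which is not given in this part of the post).</p>

```python
"""Added example: summarize TCP sessions and compute attacker dwell time."""
from collections import OrderedDict
from datetime import datetime

C2_SERVER = "203.0.113.10"       # placeholder for the C2 address (constructed)
EXFIL_SERVER = "66.32.119.38"    # FTP destination from question #16
VICTIMS = {"172.16.150.20": "res-lab01", "172.16.150.10": "dc01"}


def t(hhmmss):
    """Timestamp on the challenge date (constructed for the sample)."""
    return datetime.strptime("2012-04-27 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# (time, src, sport, dst, dport, TCP flags in Wireshark's short form). Constructed sample.
SAMPLE_PACKETS = [
    (t("22:01:05"), "172.16.150.20", 1043, C2_SERVER, 443, "S"),
    (t("22:01:05"), C2_SERVER, 443, "172.16.150.20", 1043, "SA"),
    (t("22:01:06"), "172.16.150.20", 1043, C2_SERVER, 443, "A"),
    (t("22:05:00"), "172.16.150.10", 1055, C2_SERVER, 443, "S"),
    (t("22:05:00"), C2_SERVER, 443, "172.16.150.10", 1055, "SA"),
    (t("22:12:50"), "172.16.150.20", 1070, EXFIL_SERVER, 21, "S"),
    (t("22:12:50"), EXFIL_SERVER, 21, "172.16.150.20", 1070, "SA"),
    (t("22:13:00"), "172.16.150.20", 1070, EXFIL_SERVER, 21, "PA"),
    (t("22:13:26"), EXFIL_SERVER, 21, "172.16.150.20", 1070, "FA"),
    (t("22:13:26"), "172.16.150.20", 1070, EXFIL_SERVER, 21, "A"),
    (t("22:13:40"), C2_SERVER, 443, "172.16.150.20", 1043, "PA"),
    (t("22:13:41"), "172.16.150.20", 1043, C2_SERVER, 443, "A"),
    (t("22:13:41"), "172.16.150.10", 1055, C2_SERVER, 443, "A"),
]


def summarize_sessions(packets):
    """Group packets into sessions keyed by the client SYN (src, sport, dst, dport)."""
    sessions = OrderedDict()
    for ts, src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in sessions else rev if rev in sessions else None
        if key is None:
            if "S" not in flags or "A" in flags:
                continue                      # mid-stream packet without a SYN: ignore
            key = fwd
            sessions[key] = {"start": ts, "end": ts, "packets": 0, "closed": False}
        sess = sessions[key]
        sess["end"] = ts
        sess["packets"] += 1
        if "F" in flags:
            sess["closed"] = True
    return sessions


def dwell_time(sessions, c2_server=C2_SERVER, exfil_server=EXFIL_SERVER):
    """First C2 SYN to the end of the last closed exfil session; None if either is missing."""
    c2_starts = [s["start"] for (_, _, dst, _), s in sessions.items() if dst == c2_server]
    exfil_ends = [s["end"] for (_, _, dst, _), s in sessions.items()
                  if dst == exfil_server and s["closed"]]
    if not c2_starts or not exfil_ends:
        return None
    return max(exfil_ends) - min(c2_starts)


def session_lines(sessions):
    """One line per session, in the spirit of ssldump's summary output."""
    lines = []
    for (src, sport, dst, dport), s in sessions.items():
        state = "closed" if s["closed"] else "still open at end of capture"
        lines.append(f"{s['start']:%H:%M:%S} {VICTIMS.get(src, src)}:{sport} -> {dst}:{dport} "
                     f"{s['packets']} pkts, {state}")
    return lines


if __name__ == "__main__":
    sessions = summarize_sessions(SAMPLE_PACKETS)
    print("\n".join(session_lines(sessions)))
    print("dwell time:", dwell_time(sessions))
```

<p>The "still open" state on the two C2 sessions is the point the tcp.flags.fin == 1 filter made above: the FTP session closes cleanly, the beacon connections never do, so the measured 12:21 is a floor on the attacker's access, not a ceiling.</p>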
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">19. What is the secret code inside the exfiltrated documents?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">To get at the secret documents, we need to recreate our own copy of the encrypted rar file used for exfiltration, then decrypt it, extract the files, and view them. Fortunately, we already know everything we need to get this done.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">First, extract the rar file from the pcap.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">foremost -t rar out.pcap</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTen58zeXVKzBPclbNwJiwyGjQfFJC-t1r3CtAA1xFkjzAc1BFZ8w7M1ABKeDadAfLhlsyIsIu9ZCsgI2lAulZXuf0AJmdNZxyVzlxe-sL36y0Dam54Vx4VuReramcC2l1lFQ6-NWnvAk/s1600/blog21.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTen58zeXVKzBPclbNwJiwyGjQfFJC-t1r3CtAA1xFkjzAc1BFZ8w7M1ABKeDadAfLhlsyIsIu9ZCsgI2lAulZXuf0AJmdNZxyVzlxe-sL36y0Dam54Vx4VuReramcC2l1lFQ6-NWnvAk/s1600/blog21.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Now, extract the files. We'll need the password, but we caught that in the volatility strings we sifted through for question #15.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">unrar x -pqwerty 00002134.rar</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHmb3FO84dJLMFI-8jJwSmv_vs8hgetWCK11Dc4YIfLNR0bb0lgmVfisjZOl_x9gYW4rBCbjFKHWlIoIe0ndRlgQlgv9jqoKuvvdjNRynXPpgaSQJR2shQ9IV1NPe6P80cZky-FW7gFgA/s1600/blog22.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHmb3FO84dJLMFI-8jJwSmv_vs8hgetWCK11Dc4YIfLNR0bb0lgmVfisjZOl_x9gYW4rBCbjFKHWlIoIe0ndRlgQlgv9jqoKuvvdjNRynXPpgaSQJR2shQ9IV1NPe6P80cZky-FW7gFgA/s1600/blog22.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Note the bottom of the screenshot there. Jack's got an evil sense of humor. Those aren't even PDFs! But that is in fact an OpenOffice file.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-vRTE21V43Xb-mTrX6QyFv3i0h23H5v16xuUDcs3eGCDmwwWSc8NUAPvmPe3p2vLFApmGPcGfqwy2qu6XtJIfqq1jAwd88Wm_jwH4o4LU-rulWokI-QNgI8jEuqkhtv19DwJcoz3z0bM/s1600/blog23.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-vRTE21V43Xb-mTrX6QyFv3i0h23H5v16xuUDcs3eGCDmwwWSc8NUAPvmPe3p2vLFApmGPcGfqwy2qu6XtJIfqq1jAwd88Wm_jwH4o4LU-rulWokI-QNgI8jEuqkhtv19DwJcoz3z0bM/s1600/blog23.jpg" width="320" /></a></div>
<br />
<span style="font-family: Courier New, Courier, monospace;">Answer: 76bca1417cb12d09e74d3bd4fe3388e9</span><br />
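<p>Steps like "compress into a password-protected rar, then FTP it out" (question #15) and "carve the rar out of the pcap with foremost" (above) share one primitive: recognizing a RAR archive in a byte stream and reading its headers. The script below is an added example, not from the original post or from foremost. It carves RAR 4.x archives by their marker, walks the header chain, and reports whether entries are password-protected, which is the check a network monitor or DLP tool would run on an outbound upload without needing the password. It assumes the archive is contiguous in the buffer (a reassembled FTP data stream or a file on disk); the sample archive is hand-built here with one encrypted entry and is not the challenge's 00002134.rar.</p>

```python
"""Added example: carve RAR 4.x archives from a byte stream and flag encrypted entries."""
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
FLAG_LONG_BLOCK = 0x8000   # ADD_SIZE field present (packed data length for file headers)
MHD_PASSWORD = 0x0080      # main header flag: the headers themselves are encrypted (-hp)
LHD_PASSWORD = 0x0004      # file header flag: this entry's data is encrypted (-p)
LHD_LARGE = 0x0100         # file header flag: 64-bit sizes inserted before the name


def build_sample_rar(name, data, encrypted):
    """Hand-build a minimal RAR 4.x archive; CRC fields are left zero (the carver ignores them)."""
    main = struct.pack("<HBHH", 0, HEAD_MAIN, 0, 13) + b"\x00" * 6
    flags = FLAG_LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    head_size = 7 + 25 + len(name)
    file_hdr = struct.pack("<HBHH", 0, HEAD_FILE, flags, head_size)
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
    file_hdr += struct.pack("<IIBIIBBHI", len(data), len(data), 2, 0, 0, 29, 0x30, len(name), 0x20)
    end = struct.pack("<HBHH", 0, HEAD_END, 0x4000, 7)
    return RAR4_MARKER + main + file_hdr + name + data + end


def parse_rar4(buf, start):
    """Walk headers after the marker at buf[start]; stop at the end block or on corruption."""
    info = {"offset": start, "headers_encrypted": False, "entries": [], "end": None}
    pos = start + len(RAR4_MARKER)
    while pos + 11 <= len(buf):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", buf, pos)
        if hsize < 7:
            break                                  # corrupt header, do not loop forever
        add_size = struct.unpack_from("<I", buf, pos + 7)[0] if flags & FLAG_LONG_BLOCK else 0
        next_pos = pos + hsize + add_size
        if htype == HEAD_MAIN and flags & MHD_PASSWORD:
            info["headers_encrypted"] = True       # file names are unreadable from here on
            pos = next_pos
            break
        if htype == HEAD_FILE:
            if pos + 32 > len(buf):
                break
            name_len = struct.unpack_from("<H", buf, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            name = buf[name_off:name_off + name_len].decode("latin-1", "replace")
            info["entries"].append({"name": name, "packed_size": add_size,
                                    "encrypted": bool(flags & LHD_PASSWORD)})
        pos = next_pos
        if htype == HEAD_END:
            break
    info["end"] = pos
    return info


def carve_rar_archives(buf):
    """Find every RAR 4.x marker in buf and parse the archive that follows it."""
    archives, pos = [], 0
    while True:
        pos = buf.find(RAR4_MARKER, pos)
        if pos < 0:
            return archives
        info = parse_rar4(buf, pos)
        archives.append(info)
        pos = max(info["end"], pos + 1)


def encrypted_entries(buf):
    """Names of password-protected entries across all carved archives."""
    return [e["name"] for a in carve_rar_archives(buf) for e in a["entries"] if e["encrypted"]]


# Constructed stream: noise, an encrypted archive, more noise, a plain archive.
SAMPLE_STREAM = (b"noise" + build_sample_rar(b"confidential1.pdf", b"%PDF-", True)
                 + b"tail" + build_sample_rar(b"notes.txt", b"hello", False))

if __name__ == "__main__":
    for a in carve_rar_archives(SAMPLE_STREAM):
        print(f"archive at {a['offset']}: {a['entries']}")
    print("encrypted:", encrypted_entries(SAMPLE_STREAM))
```

<p>With -p (data encrypted, headers in the clear) the file names are still visible, so a monitor can name what left the building even without the password; with -hp the main header carries MHD_PASSWORD and the walk stops, which is itself worth an alert on an outbound transfer.</p>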
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">20. What is the password for the backdoor?</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">While reading the article about Poison Ivy mutexes that we Googled for in question #6, we also learned that Poison Ivy doesn't typically use packers or cryptors, and that the C2 server and password are hard-coded in the binary. I wonder if they'll stick out like a sore thumb...</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">strings 00000002.exe</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjWQTBeUU4fD4HSzDZ70QocimbyN53LRchusLoNdFcHkS76ehPZpoHdSZCMygHZHI738nhe3SdkbPYlEU4BNU0cjoWIIa1X6cC1tmcvNZ46YdJrCVidBApIepARJsHiKPkCJvDJ3bHwsk/s1600/blog24.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjWQTBeUU4fD4HSzDZ70QocimbyN53LRchusLoNdFcHkS76ehPZpoHdSZCMygHZHI738nhe3SdkbPYlEU4BNU0cjoWIIa1X6cC1tmcvNZ46YdJrCVidBApIepARJsHiKPkCJvDJ3bHwsk/s1600/blog24.jpg" width="320" /></a></div>
<br />
<span style="font-family: 'Courier New', Courier, monospace;">We totally recognize that IP address as the C2 server from question #4. You'll never guess Jack's favorite baseball team.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Answer: tigers</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: inherit;">If you made it this far, thanks for reading. Hope you liked it. Oh, and your reward for reading the whole thing: In case you didn't catch it, this challenge is essentially a mirror of the attack on RSA that led to the theft of their token seed data files in 2011. When I made that realization, it gave me lulz. Jack, you're the man! :)</span><br />
<br />
<span style="font-family: inherit;">One more bonus! Even though it wasn't one of the challenge answers, here's the spear-phish that started the whole thing:</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">Brandon,</span><br />
<span style="font-family: Courier New, Courier, monospace;">I have been watching you swing for the last few weeks. I believe I have come up with a major break through in your mechanics. If these adjustments are made I believe you will be back up in the bigs and batting .280 within no time. Please review the attached document before our next hitting session. Here</span><br />
<span style="font-family: Courier New, Courier, monospace;">Regards,</span><br />
<span style="font-family: Courier New, Courier, monospace;">Lloyd McClendon</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com0tag:blogger.com,1999:blog-6690994337395244641.post-43717032552231507362011-10-26T19:57:00.004-05:002011-10-26T20:32:26.455-05:00SIEM Market ReduxRoughly a year and a half ago, Rocky DeStefano and I had <a href="http://pmelson.blogspot.com/2010/05/twitter-killed-blog-star.html">a conversation about the SIEM market</a> in which he predicted mass acquisitions. It took longer than he originally guessed, but...<div><br /></div><div><ol><li><a href="http://www.hp.com/hpinfo/newsroom/press/2010/101022a.html">HP Completes Acquisition of ArcSight</a></li><li><a href="http://techcrunch.com/2011/06/23/solarwinds-buys-network-security-company-trigeo-for-35-million-in-cash/">SolarWinds Buys TriGeo for $35M</a></li><li><a href="http://q1labs.com/content/press-details/ibm-to-acquire-q1-labs-to-drive-greater-security-intelligence/120.aspx">IBM to Acquire Q1 Labs</a></li><li><a href="http://www.mcafee.com/us/about/mcafee-nitrosecurity.aspx">McAfee to Acquire NitroSecurity</a></li></ol><div><br /></div></div><div>I'll throw another one out there - after more than 2 years of steady <a href="http://tech.fortune.cnn.com/2011/04/28/is-splunk-heading-towards-ipo-really-the-next-oracl">speculation of a Splunk IPO</a>, they <a href="http://www.splunk.com/view/SP-CAAAGCY">hired David Conte as CFO</a> fresh from his setting up the <a href="http://www.storagenewsletter.com/news/mergeracquisition/imation-completes-acquisition-ironkey">sale of IronKey to Imation</a>. Expect Splunk to be acquired in 2012, or at least try really hard.</div><div><br /></div><div><br /></div>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com2tag:blogger.com,1999:blog-6690994337395244641.post-60336810353115865582011-05-13T13:52:00.003-05:002011-05-13T14:22:05.605-05:00GrrCON: West Michigan Security ConferenceThe Grand Rapids chapter of ISSA has announced a new event called GrrCON. 
It's a 1-day security conference that will be held in Grand Rapids, MI in September 2011. This will be one to keep an eye on over the next month or so as they get the speaker line-up solidified. I expect some cool talks and even a few surprises!<br /><br />Website: <a href="http://www.grrcon.org/">http://www.grrcon.org/</a><br />Twitter: <a href="http://twitter.com/#%21/GrrCON">@GrrCON</a><br />LinkedIn Events: <a href="http://www.linkedin.com/groups/GrrCON-3904620?mostPopular=&gid=3904620">GrrCON 2011</a>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com0tag:blogger.com,1999:blog-6690994337395244641.post-57493414422791122682010-10-09T22:11:00.003-05:002015-09-19T10:36:57.447-05:00Information Security for Business Majors<i>Update: Sorry, this really sucks. Somebody started giving a near exact copy of this presentation in an educational setting without crediting my work. I have taken it down. It's old content, anyway, and probably shouldn't be taught in college.</i>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com1tag:blogger.com,1999:blog-6690994337395244641.post-3531271721924506932010-05-20T20:44:00.006-05:002010-05-20T20:54:19.888-05:00The SIEM Market Discussion ContinuesBill Roth of LogLogic <a href="https://www.blogger.com/comment.g?blogID=6690994337395244641&postID=1925549441643153356">commented</a> on my <a href="http://pmelson.blogspot.com/2010/05/twitter-killed-blog-star.html">Twitter exchange</a> with Rocky DeStefano of Visible Risk where we talked about LogLogic's announcement that they were discounting their SIEM product. I then wrote a reply, and it got a little long. So I made it a blog post instead.<br /><br /><blockquote>Rocky, Paul:<br />The ClueTrain Manifesto calls markets "conversations", so here goes.....<br /><br />I think you're falling into a the trap of "conventional wisdom". First off, the basic assumption that the world falls neatly into the SIEM categorization is just plain false. 
I stand by LogLogic's model....it all starts with log management as the crucial piece; without that, key use cases like network forensics are not even possible. Second, the notion that dropping the price is bad is just plain weird. Is LogLogic dropping the price to sell more? Sure we are. Are we dropping the price to take market share? Sure we are. Are we seeing a great response? Sure we are. Since when is saving people money a bad thing?<br /><br />And we're always interested in a podcast. :)<br /><br />Bill Roth, EVP<br />LogLogic</blockquote><br /><br /><p>Hi Bill,<br /><br />Thanks for the comment! And thanks for participating in the dialogue. I think it's awesome that LogLogic is out front and engaging on its business decisions. Very refreshing!<br /><br />As to your point about log management being that crucial initial component of a SIEM implementation, I agree completely. Log management has also developed as its own market segment, independent of SIEM. But I don't need to tell you that. :-)<br /><br />On the topic of LogLogic's decision to discount its SIEM product, I didn't mean - and I don't believe Rocky did either - that charging less for SIEM is bad, or even a bad business move.<br /></p><p><br /></p><p>That said, I do believe that for some significant portion of potential customers log management is a commodity technology. However, from my own experience and from everything I've seen to date, SIEM is not a commodity technology, and I'm not convinced it will be. As such, I don't see price as a strong competitive differentiator in the SIEM market. </p><p><br /></p><p>Following the recent recession, where IT capital budgets still haven't caught up to the (hopefully sustained) economic upturn, I imagine the feedback on LogLogic's price cut has been positive, and that you'll see some SIEM sales where you wouldn't have but for the discount. 
But in the mid- to long-term, I have my doubts as to whether there is any meaningful gain in market share to be had for LogLogic - or any SIEM vendor for that matter - simply by competing on price with other SIEM vendors.<br /><br />Let's be frank, if price were a big piece of why companies choose a particular SIEM, Cisco MARS would have the lion's share of the market and ArcSight would be folding. Instead, it's the other way around.</p><p><br /></p>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com0tag:blogger.com,1999:blog-6690994337395244641.post-19255494416431533562010-05-20T08:17:00.006-05:002010-05-20T08:55:17.552-05:00Twitter Killed the Blog StarI've been really busy both in my personal and professional life for the past year or so, with no signs of slowing down soon. But I have to acknowledge that the main reason my blog posts have fallen off is Twitter. Now, all of the ideas that I have that I might have developed and expanded into a blog post are prematurely evaluated for length. If they can be abbreviated to a couple of 140-character haikus or less, they go on Twitter. Which means they never grow up to be blog posts. They're like the high school dropouts of ideas.<br /><br />But every once in a while, a Twitter exchange becomes so interesting that, despite the compressed and fleeting nature of Twitter, it turns into something worthy of framing. The other night, Rocky DeStefano of Visible Risk and I had an exchange on SIEM that I thought the wider world might find interesting. 
The background to the conversation is <a href="http://www.visiblerisk.com/blog/2010/5/17/loglogic-discounts-siem.html">this post</a> from Rocky's blog about the recent announcement from LogLogic that they were discounting their SIEM product, and then <a href="http://blog.loglogic.com/2010/05/yes_we_lowered_our_prices_on_our_security_event_manager_appliances.php">this responding blog post</a> from LogLogic.<br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">The LogLogic response ->> <a href="http://bit.ly/bAQSZO" class="tweet-url web" rel="nofollow" target="_blank">http://bit.ly/bAQSZO</a> to my discounting SIEM Post ( <a href="http://bit.ly/aiW3kB" class="tweet-url web" rel="nofollow" target="_blank">http://bit.ly/aiW3kB</a> )<br /></span></span><span class="meta entry-meta" data="{}"> <span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14265017886"> <span class="published timestamp" data="{time:'Wed May 19 01:47:30 +0000 2010'}">8:47 PM May 18th</span></a> </span><span style="font-size:78%;">via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span> <br /><br /><span style="font-weight: bold;">rockyd</span><br /></span><span class="status-content"><span class="entry-content">I need to noodle on the LogLogic response more. 
I appreciate the conversation, I think I may see the opposite end of the customer spectrum.</span> <br /></span> <span style="font-size:78%;"><span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14265903396"> <span class="published timestamp" data="{time:'Wed May 19 02:02:59 +0000 2010'}">9:02 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span> </span></span></span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content"><br /></span></span></span><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> I think you nailed the issue. If you *NEED* SIEM, you won't compromise features/functionality for capital cost savings.</span> <br /></span> <span style="font-size:78%;"><span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14266080121"> <span class="published timestamp" data="{time:'Wed May 19 02:06:04 +0000 2010'}">9:06 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><span style="font-size:78%;"><br /></span><br /><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> If Cisco couldn't make "Free SIEM With Purchase" work, it's not ever going to work.</span></span><span class="meta entry-meta" data="{}"><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" 
href="http://twitter.com/pmelson/status/14266152781"><span class="published timestamp" data="{time:'Wed May 19 02:07:20 +0000 2010'}">9:07 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><span style="font-size:78%;"><br /></span><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> let's be honest, how could they possibly respond any differently than they did? time for a podcast on the subject?</span><br /> </span> <span style="font-size:78%;"><span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14268588893"> <span class="published timestamp" data="{time:'Wed May 19 02:50:00 +0000 2010'}">9:50 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span> </span></span></span><span style="font-size:78%;"><br /></span><br /><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> They could just fess up. "We're shipping log management appliances, but SIEM isn't moving. So we put it on clearance sale." 
:-)</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14268757347"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14268757347"><span class="published timestamp" data="{time:'Wed May 19 02:52:53 +0000 2010'}">9:52 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> I think with Gartner's SIEM MQ being released, we're about to see another round of SIEM casualties as VC pulls out.</span> <br /></span> <span style="font-size:78%;"><span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14268838859"> <span class="published timestamp" data="{time:'Wed May 19 02:54:18 +0000 2010'}">9:54 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span> </span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> There has to be quickening soon, there is way too much of the same thing in the market.</span> </span> <span class="meta entry-meta" data="{}"> <br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14269048296"> <span class="published timestamp" data="{time:'Wed May 19 02:57:56 +0000 2010'}">9:57 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" 
rel="nofollow">TweetDeck</a></span></span><br /><br /><span style="font-weight: bold;">pmelson</span><br /></span><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> Right. I've been thinking about the key SIEM differentiators and I've only got three.</span></span><span class="meta entry-meta" data="{}"><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14269232082"><span class="published timestamp" data="{time:'Wed May 19 03:00:58 +0000 2010'}">10:00 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> which three?</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14269548458"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14269548458"><span class="published timestamp" data="{time:'Wed May 19 03:06:14 +0000 2010'}">10:06 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> Like - Sources, Scalability, Analytical Usage, Correlation / Statistical Evaluation, and getting Intelligent information out?</span> </span> <span class="meta entry-meta" data="{}"> <a 
class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14269687323"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14269687323"><span class="published timestamp" data="{time:'Wed May 19 03:08:35 +0000 2010'}">10:08 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span> </span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> 1) performance/scalability 2) UI and drill-down 3) supported sources.</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14269631277"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14269631277"><span class="published timestamp" data="{time:'Wed May 19 03:07:38 +0000 2010'}">10:07 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span> </span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> there are some others like context of Host, Vuln, Registry, Applications and Users that lead you towards more advanced usage</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14269752195"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14269752195"><span class="published timestamp" 
data="{time:'Wed May 19 03:09:42 +0000 2010'}">10:09 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> OK, so asset data model(s) makes 4, pre-defined content is 5? That's still not a lot.</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14270095949"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14270095949"><span class="published timestamp" data="{time:'Wed May 19 03:15:29 +0000 2010'}">10:15 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> each is several years of development and refinement with customers.</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14271080451"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14271080451"><span class="published timestamp" data="{time:'Wed May 19 03:32:33 +0000 2010'}">10:32 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" 
style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> this comes down to a compliance check box sale versus a security team needing to integrate a tool into their process.</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14271258013"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14271258013"><span class="published timestamp" data="{time:'Wed May 19 03:35:35 +0000 2010'}">10:35 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> Agree. But a handful of differentiators == a handful of potential market leaders. Time to thin the herd. Again.</span> <br /></span> <span style="font-size:78%;"><span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14271669803"> <span class="published timestamp" data="{time:'Wed May 19 03:42:32 +0000 2010'}">10:42 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/pmelson" rel="nofollow">pmelson</a> now I see where you're headed. 
BTW I think you'll see 3 more acquisitions by end of year.</span> <br /></span> <span style="font-size:78%;"><span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14271826341"> <span class="published timestamp" data="{time:'Wed May 19 03:45:21 +0000 2010'}">10:45 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >rockyd</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">I was thinking about creating a "vegas odds" website for SIEM Quickening and donate some portion of the funds to HFC.</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14271948549"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/rockyd/status/14271948549"><span class="published timestamp" data="{time:'Wed May 19 03:47:34 +0000 2010'}">10:47 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span> </span></span><br /><br /><span style="font-weight: bold;font-family:arial;" >pmelson</span><br /><span class="status-body" style="font-family:arial;"><span class="status-content"><span class="entry-content">@<a class="tweet-url username" href="http://twitter.com/rockyd" rel="nofollow">rockyd</a> A SIEM futures market? 
Very DARPA!</span> </span> <span class="meta entry-meta" data="{}"> <a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14272058803"> </a><br /><span style="font-size:78%;"><a class="entry-date" rel="bookmark" href="http://twitter.com/pmelson/status/14272058803"><span class="published timestamp" data="{time:'Wed May 19 03:49:37 +0000 2010'}">10:49 PM May 18th</span></a> <span>via <a href="http://www.tweetdeck.com/" rel="nofollow">TweetDeck</a></span></span></span></span><br /><br />So there, for your parsing and edification, some thoughts on the SIEM product space, the recent Gartner MQ for SIEM, and the near-term ramifications of Gartner's paper on the market.<br /><br />Also, if you aren't already, you should be reading <a href="http://www.visiblerisk.com/blog/">Rocky's blog</a>, especially if you're interested in SIEM and security ops. Rocky's a guru in this space, and in addition to his blog he has already put together some <a href="http://www.visiblerisk.com/podcast/2010/4/12/episode-001-advanced-persistent-threat.html">great podcasts</a> since launching his latest venture, Visible Risk.PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com1tag:blogger.com,1999:blog-6690994337395244641.post-72171981184110452212010-04-14T22:20:00.002-05:002010-04-14T22:24:40.932-05:00Snort Signatures for New Koobface VariantThe first rule is actually how we caught the first incident. The binary is served on non-standard HTTP ports via fast-flux servers. It's a signature we've had in place for years.<br /><br /><span style="font-family: courier new;">alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg: "LOCAL .exe file download on port other than 80"; flow:established; content: "GET"; depth:4; content: ".exe"; nocase; classtype:misc-activity; sid:9000160; rev:1;)</span><br /><br />And these are designed to catch the bot HTTP checkins we've seen so far. 
This is likely to be more of a whack-a-mole effort as we've already seen the checkin URL format change once.<br /><br /><span style="font-family: courier new;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Koobface action=fbgen checkin"; flow:to_server,established; content:"POST"; content:"/.sys/?action=fbgen"; nocase; classtype:trojan-activity; sid:9000220; rev:1;)</span><br /><br /><span style="font-family: courier new;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Koobface go.js checkin"; flow:to_server,established; content:"POST"; content:"/go.js?"; nocase; classtype:trojan-activity; sid:9000221; rev:1;)</span>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com4tag:blogger.com,1999:blog-6690994337395244641.post-88261854482452865302010-01-22T12:30:00.006-05:002010-01-23T13:42:20.272-05:00Security Metrics and Data VisualizationI've just finished compiling the security incident handler case statistics for 2009. This is the second year in a row that I've used the same set of metrics, and having two years' worth of data has led to some interesting observations about security trends within my employer's environment. 
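To make the three Koobface Snort rules from the preceding post concrete, here is a small evaluator that applies their matching options (destination-port test, plain <code>content</code> matches, <code>depth</code>, and <code>nocase</code>) to constructed HTTP request payloads and reports which sid fires on which request. This is an added example, not code from the original post or from Snort; it deliberately ignores flow tracking and stream reassembly, and the <code>HTTP_PORTS</code> set is a small assumed subset of Snort's default <code>$HTTP_PORTS</code> list.

```python
"""Toy evaluator for the three Koobface Snort rules quoted in the post.

Added example (not from the original post).  It models only the rule
options those three rules use: the destination-port test, plain
`content` matches, `depth`, and `nocase`.  Real Snort also enforces the
`flow` options and reassembles streams; that is out of scope here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumption: a small subset of Snort's default $HTTP_PORTS variable.
HTTP_PORTS = {80, 8080, 8000, 8888}


@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None   # search only the first `depth` payload bytes
    nocase: bool = False          # in Snort, nocase applies only to the content it follows


@dataclass
class Rule:
    sid: int
    msg: str
    port_ok: Callable[[int], bool]          # stands in for "-> $EXTERNAL_NET <ports>"
    contents: List[Content] = field(default_factory=list)


def content_matches(payload: bytes, c: Content) -> bool:
    haystack = payload if c.depth is None else payload[:c.depth]
    needle = c.pattern
    if c.nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def rule_matches(rule: Rule, dst_port: int, payload: bytes) -> bool:
    """Snort ANDs every content option; all must match for the rule to fire."""
    return rule.port_ok(dst_port) and all(content_matches(payload, c) for c in rule.contents)


# The three rules from the post, transcribed into the toy model.
RULES = [
    Rule(9000160, "LOCAL .exe file download on port other than 80",
         lambda p: p != 80,                                   # "!80"
         [Content(b"GET", depth=4), Content(b".exe", nocase=True)]),
    Rule(9000220, "LOCAL Koobface action=fbgen checkin",
         lambda p: p in HTTP_PORTS,
         [Content(b"POST"), Content(b"/.sys/?action=fbgen", nocase=True)]),
    Rule(9000221, "LOCAL Koobface go.js checkin",
         lambda p: p in HTTP_PORTS,
         [Content(b"POST"), Content(b"/go.js?", nocase=True)]),
]


def scan(flows: List[Tuple[int, bytes]]) -> List[Tuple[int, int]]:
    """Return (flow_index, sid) for every rule that fires on each flow."""
    hits = []
    for i, (port, payload) in enumerate(flows):
        for r in RULES:
            if rule_matches(r, port, payload):
                hits.append((i, r.sid))
    return hits


# Constructed client->server payloads (not real captures); dst port first.
SAMPLE_FLOWS = [
    (8080, b"GET /dl/setup.EXE HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),        # 0: .exe on non-80
    (80,   b"GET /dl/setup.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),        # 1: port 80, excluded
    (80,   b"POST /.sys/?ACTION=fbgen HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),  # 2: fbgen checkin
    (8080, b"POST /go.js?v=2 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),          # 3: go.js checkin
    (80,   b"get /go.js?v=2 HTTP/1.1\r\n\r\n"),   # 4: verbs are case-sensitive (no nocase on them)
    (443,  b"\x16\x03\x01\x00\x10"),              # 5: TLS handshake bytes, nothing fires
]

if __name__ == "__main__":
    for idx, sid in scan(SAMPLE_FLOWS):
        print(f"flow {idx}: sid {sid}")
```

Two things the run makes visible: the two check-in rules key on an exact URL path, which is why the post expects a whack-a-mole cycle as the path changes, and sid 9000160 is a broad hunting rule that will also fire on legitimate executable downloads over non-standard ports, so its alerts need triage rather than automatic escalation.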
<br /><br />One set of statistics that may be of interest to the general Internet public is the volume of malware cases that we have worked over the past two years.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_ZSDw4wDNIWyf5UUOJHQ4vTtH2F2tsJ4wA1nC8qtFkucfUmRvQyS_laFFC7Icly32e4IFw865eKSDEnXpBEE2FC-HAZ4lWnJcDQIfpDSShyphenhyphenmGjjF8Mqj-KqFTjbOPxc4x9EyWYKEhUD4/s1600-h/malware.JPG"><img style="cursor: pointer; width: 400px; height: 112px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_ZSDw4wDNIWyf5UUOJHQ4vTtH2F2tsJ4wA1nC8qtFkucfUmRvQyS_laFFC7Icly32e4IFw865eKSDEnXpBEE2FC-HAZ4lWnJcDQIfpDSShyphenhyphenmGjjF8Mqj-KqFTjbOPxc4x9EyWYKEhUD4/s400/malware.JPG" alt="" id="BLOGGER_PHOTO_ID_5429621124456085954" border="0" /></a><br /><br />There are a couple of things worth pointing out in this graph. The first, and perhaps most obvious one, is that there is a drop-off in malware related cases in 2009. Surely, that can't be right? It is, but it's due to implementing some new security technologies in December of 2008. In fact, those countermeasures reduced the number of malware cases we handled in 2009 by roughly 65% compared to 2008. I want to say two things about this. First, this demonstrates the effectiveness of the preventative countermeasures that we employed and confirms the value of those countermeasures. Notice that I'm not saying that it proves ROI. But the bottom line is that <span style="font-style: italic;">it was worth it</span>. The second thing I want to point out about that decline, however, is that it's just a decline. <span style="font-style: italic;">It did not eliminate the problem</span>. In fact, in 2009 we saw malware chip away at other defenses that were highly effective only two years before. 
And I suspect that, if we do nothing else about it, those levels will begin to rise in 2010 and regain the frequency we saw in 2008, if not higher. There's a hint of that in the graph towards the end of 2009.<br /><br />The next thing I want to point out about this graph is the peak frequency. It is consistent. Every three months, there is a spike in malware incidents in our environment. I would love to see statistics from other companies or the Internet at large to see if this is an Internet-wide pattern. I suspect that it is. Despite the new countermeasures, despite the decrease in order of magnitude, the spikes occur like clockwork every third month. That leads me to believe two things. First, I believe that this pattern is driven externally since it didn't deviate, even when our environment changed significantly. Second, I believe that this is no accident. The vendors that produce malware/botnet "kits" are responsible for introducing most of the new exploits and anti-detection capabilities that we see on a regular basis. Their stuff is used more widely than custom malware as well. This leads me to believe that there is one large group responsible for the majority of the malware in the wild, and they're on a 90-day release cycle. I've got no intelligence data to support this, but I have a hard time believing that this pattern repeats itself, without exception, for two years straight out of pure coincidence.<br /><br />Bottom line, this is the kind of useful information that trend analysis can give you, and why metrics are worth gathering and analyzing.<div><br /></div><div><br /></div>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com1tag:blogger.com,1999:blog-6690994337395244641.post-64531187835250440352009-12-28T15:09:00.013-05:002009-12-29T22:37:45.441-05:00Malware Analysis Toolkit for 2010Back in 2008 I posted a list of the tools I use for doing malware analysis. 
The tools I use have changed over time, and rather than just talk about a couple of recent additions, I decided I'd put a current complete list up with links. This is by no means a comprehensive list of malware analysis tools, it's just what I like and use.<br /><br /><span style="font-weight: bold;">Platform</span><br /><ul><li>VMWare Workstation</li><li>The "vulnerable stuff:"<br /></li><ul><li>Windows XP<br /></li><li>Internet Explorer 7/8</li><li>Firefox</li><li>Acrobat Reader</li><li>Flash Player</li></ul></ul><span style="font-weight: bold;">General Tools</span><br /><ul><li><a href="http://www.cygwin.com/">Cygwin</a></li><li>Perl</li><li>Python<br /></li><li><a href="http://www.hhdsoftware.com/">Hex Editor Neo</a></li><li><a href="http://www.slavasoft.com/hashcalc/index.htm">HashCalc</a></li><li><a href="http://www.izarc.org/">IZArc</a><br /></li></ul><span style="font-weight: bold;">Analysis Tools</span><br /><ul><li><a href="http://labs.idefense.com/software/malcode.php">SysAnalyzer / iDEFENSE MAP</a><br /></li><li><a href="http://www2.gmer.net/">GMER / catchme</a><br /></li><li><a href="http://labs.idefense.com/software/malcode.php">Multipot</a><br /></li><li><a href="http://www.online-solutions.ru/en/products/osam-autorun-manager.html">OSAM</a></li><li><a href="http://free.antivirus.com/hijackthis/">HijackThis</a></li><li><a href="http://www.mlin.net/StartupCPL.shtml">Startup Control Panel</a></li><li><a href="http://labs.idefense.com/software/malcode.php">HookExplorer</a></li><li><a href="http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx">Sysinternals Suite</a></li><li><a href="http://www.scanit.net/rd/tools/03">ProcL</a></li><li><a href="http://labs.idefense.com/software/malcode.php">sniff_hit</a></li><li><a href="http://www.wireshark.org/">Wireshark</a> (run on "Host OS" outside VM)<br /></li></ul><br /><span style="font-weight: bold;">Binary Tools</span><br /><ul><li><a href="http://www.mandiant.com/mrc">Mandiant Red 
Curtain</a></li><li><a href="http://www.ollydbg.de/">OllyDbg 1.10</a><br /></li><li><a href="http://www.openrce.org/downloads/browse/OllyDbg_Plugins">Various OllyDbg plugins</a><br /></li><li><a href="http://www.peid.info/">PEiD</a></li><li><a href="http://www.rdgsoft.8k.com/">RDG Packer Detector</a></li><li><a href="http://code.google.com/p/pefile/">pefile</a> / <a href="http://handlers.dshield.org/jclausing/packerid.py">packerid.py</a><br /></li><li><a href="http://vault.reversers.org/ImpRECDef">ImportREC</a></li></ul><span style="font-weight: bold;">JavaScript & HTTP Tools</span><br /><ul><li><a href="http://blog.didierstevens.com/programs/spidermonkey/">SpiderMonkey (Didier Stevens mod)</a></li><li><a href="http://pmelson.blogspot.com/2008/01/30-second-malware-gathering-tool.html">ieget.sh script</a></li><li><a href="http://pmelson.blogspot.com/2009/11/reversing-javascript-shellcode-step-by.html">crap2shellcode.pl</a></li><li><a href="http://console2.mozdev.org/">Console2 Firefox plugin</a></li><li><a href="http://noscript.net/">NoScript Firefox plugin</a><br /></li></ul><span style="font-weight: bold;">PDF & Flash Tools</span><br /><ul><li><a href="http://blog.didierstevens.com/programs/pdf-tools/">pdf-parser.py</a></li><li><a href="http://www.accesspdf.com/pdftk/">pdftk</a><br /></li><li><a href="http://www.swftools.org/">SWFTools</a></li><li><a href="http://www.sothink.com/product/flashdecompiler/">Sothink SWF Decompiler</a></li></ul><span style="font-weight: bold;">Web Sites as Tools</span><br /><ul><li><a href="http://wepawet.iseclab.org/">Wepawet</a></li><li><a href="http://www.virustotal.com/">VirusTotal</a></li><li><a href="http://www.cwsandbox.org/">CWSandbox</a></li><li><a href="http://camas.comodo.com/">Comodo Instant Malware Analysis</a></li><li><a href="http://malwaredatabase.net">Malware Database</a><br /></li><li><a href="http://www.malwareurl.com/">MalwareURL</a><br 
/></li></ul>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com1tag:blogger.com,1999:blog-6690994337395244641.post-33211437983587113852009-11-18T19:14:00.005-05:002010-05-18T21:35:21.573-05:00ArcSight Logger VS Splunk<span style="font-style: italic;">You are here because you are searching for information on Splunk vs. ArcSight Logger. I actually wrote this post months before posting it, but sat on it for reasons that may become apparent as you read on.</span><br /><br />If you want to hear me talk about my experience with Logger 4.0 through the beta process and beyond, you can check out <a href="http://www.youtube.com/ArcSightVideo#p/u/2/Suzn1_omYuE">the video case study</a> I did for ArcSight. In short, Logger is good at what it does, and Logger 4.0 is fast. Ridiculously fast.<br /><br />But that's not what I want to talk about. I want to talk about the question that's on everyone's mind: ArcSight Logger vs. Splunk?<br /><br />Comparing features, there's not a strong advantage in either camp. Everybody's got built-in collection based on file and syslog. Everybody's got a web interface with pretty graphs. The main way Logger excels here is in its ability to natively front-end data aggregation for ArcSight's ESM SIEM product. But if you've already got ESM, you're going to buy Logger anyway. So that leaves price and performance as the remaining differentiators.<br /><br />Splunk can compete on price, especially for more specialized use cases where Logger needs the ArcSight Connector software to pick up data (i.e. Windows EventLog via WMI, or database rows via JDBC). And if you don't care about performance, implying that your needs are modest, Splunk may be cheaper for you for even the straightforward use cases because of the different licensing model that scales downward. So for smaller businesses, Splunk scales down. <br /><br />For larger businesses, Logger scales up. 
For example, if you need to add storage capacity to your existing Logger install, and you didn't buy the SAN-attached model, you just buy another Logger appliance. You then 'peer' the Logger appliances, split or migrate log flows, and continue to run search & reporting out of the same appliance you've been using, across all peer data stores. With Splunk? You buy and implement more hardware on your own. And pay for more licenses.<br /><br />My thinking on performance? Logger 4.0 is a Splunk killer, plain and simple. To analogize using cars, Splunk is a Ford Taurus for log search. It gets you down the road, it's reliable, you can pick the entry model up cheap, and by now you know what you're getting. Logger 4.0, however, is a <a href="http://en.wikipedia.org/wiki/Pagani_Zonda#Zonda_Roadster_F">Zonda F</a> with a Volvo price tag.<br /><br />To bring the comparison to a fine point, I'd like to share a little story with you. It's kind of gossipy, but that makes it fun. <br /><br />When ArcSight debuted Logger 4.0 and announced its GA release at their Protect conference last fall, they did a live shoot-out of a Logger 7200 running 4.0 with a vanilla install of Splunk 4 on comparable hardware and the same Linux distro (CentOS) that Logger is based on. They performed a simple keyword search in Splunk across 2 million events, which took just over 12 minutes to complete. That's not awful. But that same search against the same data set ran in about 3 seconds on Logger 4.<br /><br />This would be an interesting end to an otherwise pretty boring story if it weren't for what happened next. Vendors other than ArcSight - partners, integrators, consultants, etc. - participate in their conference both as speakers and on the partner floor. One of these vendors, an integrator of both ArcSight and Splunk products, privately called ArcSight out for the demo. His theory was that a properly-tuned Splunk install would perform much better. 
Now, it's a little nuts (and perhaps a little more dangerous) to be an invited vendor at a conference and accuse the conference organizer of cooking a demo. But what happened next is even crazier. ArcSight wheeled the gear up to this guy's room and told him that if he could produce a better result during the conference that they would make an announcement to that effect.<br /><br />Not one to shy away from a technical challenge, this 15-year infosec veteran skipped meals, free beer, presentations, more free beer, and a lot of sleep to tweak the Splunk box to get better performance out of it. That's dedication. There's no doubt in my mind that he wanted to win. Badly. I heard from him personally at the close of the conference that not only did he not make significant headway, but that all of his results were worse than the original 12 minute search time.<br /><br />You weren't there, you're just reading about it on some dude's blog, so the impact isn't the same. But that was all the convincing I needed.<br /><br />But if you need more convincing; we stuffed 6mos of raw syslog from various flavors of UNIX and Linux (3TB) into Logger 4 during the beta. I could keyword search the entire data set in 14 seconds. Regex searches were significantly worse. They took 32 seconds.PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com3tag:blogger.com,1999:blog-6690994337395244641.post-54295670004433305182009-11-09T11:26:00.028-05:002009-12-05T07:38:37.759-05:00Reversing JavaScript Shellcode: A Step By Step How-ToWith more and more exploits being written in JavaScript, <a href="http://blogs.pcmag.com/securitywatch/2009/02/acrobat_reader_0day_attack_in_1.php">even some 0-day</a>, there is a need to be able to reverse exploits written in JavaScript beyond de-obfuscation. I spent some time this weekend searching Google for a simple way to reverse JavaScript shellcode to assembly. I know people do it all the time. It's hardly rocket science. 
Yet, I didn't find any good walk-throughs on how to do this. So I thought I'd write one.<br /><br />For this walk-through, I'll start with JavaScript that has already been extracted from a PDF file and de-obfuscated. So this isn't step 1 of fully reversing a PDF exploit, but for the first several steps, check out Part 2 of <a href="http://pmelson.blogspot.com/2009/10/two-for-one-talk-malware-analysis-for.html">this slide deck</a>.<br /><br />What you'll need:<br /><ol><li>A safe place to play with exploits (I'll be using an image in VMWare Workstation.)</li><li>JavaScript debugger (I highly recommend and will be using Didier Stevens' modified SpiderMonkey.)</li><li>Perl</li><li>The crap2shellcode.pl script, which you'll find further down in this post</li><li>A C compiler and your favorite binary debugger<br /></li></ol><br />I'll be using one of the example Adobe Acrobat exploits from the aforementioned slides for this example. You can grab it from <a href="http://www.milw0rm.org/exploits/8569">milw0rm</a>.<br /><br /><span style="font-weight: bold;">Step 1 - Converting from UTF-encoded characters to ASCII</span><br />Most JavaScript shellcode is encoded as either UTF-8 or UTF-16 characters. It would be easy enough to write a tool to convert from any one of these formats to the typical \x-ed UTF-8 format that we're used to seeing shellcode in. But because of the diversity of encoding and obfuscation showing up in JavaScript exploits today, it's more reliable to use JavaScript to decode the shellcode.<br /><br />For this task, you need a JavaScript debugger. Didier Stevens' SpiderMonkey mod is a great choice. Start by preparing the shellcode text for passing to the debugger. 
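<br /><br />Before going through the steps, here is what the conversion in steps 1 and 2 amounts to, as an added JavaScript example (not code from this post): decodeEscapes() decodes a <span style="font-family:courier new;">%u</span>-escaped string the way unescape() does, writing each 16-bit unit out low byte first (the order the bytes have in memory on x86, which is presumably why crap2shellcode.pl swaps byte pairs), toCArray() prints the same kind of C array, and summarize() reports the length and any leading NOP sled. The function names and the SAMPLE string are mine; the sample is a constructed byte string (NOPs plus filler), not a real exploit, and obfuscated samples still need the SpiderMonkey step to recover the unescape() argument in the first place.<br />

```javascript
// Added example, not the post's crap2shellcode.pl: decode JavaScript-escaped
// shellcode into raw bytes and emit the C array used for debugging in gdb.
// Assumes the shellcode is a plain unescape() argument: %uXXXX is a 16-bit
// code unit written low byte first (little-endian, as it sits in memory on
// x86), %XX is a single byte, and any other character is its own byte.

function decodeEscapes(escaped) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      bytes.push(unit & 0xff, unit >> 8);
    } else if (m[2] !== undefined) {
      bytes.push(parseInt(m[2], 16));
    } else {
      // A literal character, or a '%' that does not start a valid escape,
      // passes through unchanged, which is what unescape() does too.
      bytes.push(m[3].charCodeAt(0) & 0xff);
    }
  }
  return bytes;
}

// Print the array in the form the post's C harness expects, a few bytes per
// line so the result is readable next to the gdb disassembly.
function toCArray(bytes, perLine = 8) {
  const lines = [];
  for (let i = 0; i < bytes.length; i += perLine) {
    const chunk = bytes
      .slice(i, i + perLine)
      .map((b) => '\\x' + b.toString(16).padStart(2, '0'))
      .join('');
    lines.push('    "' + chunk + '"');
  }
  if (lines.length === 0) lines.push('    ""'); // nothing decoded
  return 'static char shellcode[] =\n' + lines.join('\n') + ';\n';
}

// First things to check after decoding: total size and any leading NOP sled.
function summarize(bytes) {
  let sled = 0;
  while (sled < bytes.length && bytes[sled] === 0x90) sled += 1;
  return { length: bytes.length, nopSled: sled };
}

// Constructed sample, not a real exploit: four NOPs followed by filler bytes.
const SAMPLE = '%u9090%u9090%u4141%u4242%u3412%43%44';

const decoded = decodeEscapes(SAMPLE);
console.log(summarize(decoded)); // { length: 12, nopSled: 4 }
console.log(toCArray(decoded));
```

<br />Run it with node; the printed array drops straight into the C harness that crap2shellcode.pl emits in step 2.<br />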
In this case, drop the rest of the exploit, and then wrap the unescape function in an eval function:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqoIS4eTPpTYPaIoP70TgrxzeLF2-9v0XtVZMhTkxRjdwJf-oNxxQoCyT0eZAYbwaTG0-KsH3nO-pgjrO4EcDXVXSuJrOz4eocCUJaXPDX3wU7lYk4hz1imfiOV0iD68uVK0D7VkwKPPw/s1600/code.JPG"><img style="cursor: pointer; width: 389px; height: 125px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqoIS4eTPpTYPaIoP70TgrxzeLF2-9v0XtVZMhTkxRjdwJf-oNxxQoCyT0eZAYbwaTG0-KsH3nO-pgjrO4EcDXVXSuJrOz4eocCUJaXPDX3wU7lYk4hz1imfiOV0iD68uVK0D7VkwKPPw/s400/code.JPG" alt="" id="BLOGGER_PHOTO_ID_5408968877264886418" border="0" /></a><br /><br />Now run this code through SpiderMonkey. SpiderMonkey will create two log files for the eval command; the one with our ASCII shellcode is eval.001.log.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgq4AGPGIhyphenhyphenyqRaz7VmYUIBdIaVIjD71kTAXJxEGybeGsu067n_ndR3jO-P5G8_V8__oRBUG00WoHQ3DIKYeqZ38yaHUiTeRIEiqLjLGruxhM9pelkkM_Chf4S6LzKdAYK8Wj1YngUBEw/s1600/blog_1.jpeg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 173px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgq4AGPGIhyphenhyphenyqRaz7VmYUIBdIaVIjD71kTAXJxEGybeGsu067n_ndR3jO-P5G8_V8__oRBUG00WoHQ3DIKYeqZ38yaHUiTeRIEiqLjLGruxhM9pelkkM_Chf4S6LzKdAYK8Wj1YngUBEw/s400/blog_1.jpeg" alt="" id="BLOGGER_PHOTO_ID_5405080748620492498" border="0" /></a><br /><br /><span style="font-weight: bold;">Step 2 - crap2shellcode.pl</span><br />This is why I wrote this script: to take an ASCII dump of some shellcode and automate making it debugger-friendly.<br /><br /><span style="font-family:courier new;">---cut---</span><br /><pre>
#!/usr/bin/perl
#
# crap2shellcode - 11/9/2009 Paul Melson
#
# This script takes stdin from some ascii dump of shellcode
# (i.e. unescape-ed JavaScript sploit) and converts it to
# hex and outputs it in a simple C source file for debugging.
#
# gcc -g3 -o dummy dummy.c
# gdb ./dummy
# (gdb) display /50i shellcode
# (gdb) break main
# (gdb) run
#

use strict;
use warnings;

# The header and the start of the array go out once, before any input is read.
print "#include <stdio.h>\n";
print "#include <stdlib.h>\n\n";
print "static char shellcode[] = \"";

while (my $crap = <STDIN>) {
    chomp $crap;    # the line terminator is not part of the shellcode
    my $hex = unpack('H*', $crap);

    # Emit the bytes two at a time with each pair swapped, so the 16-bit units
    # in the dump come out in little-endian order.
    for (my $i = 0; $i < length $hex; $i += 4) {
        my $first  = substr $hex, $i, 2;
        my $second = ($i + 2 < length $hex) ? substr($hex, $i + 2, 2) : '';
        if ($second eq '') {
            print "\\x$first";    # odd trailing byte, nothing to swap with
        } else {
            print "\\x$second\\x$first";
        }
    }
}
print "\";\n\n";

print "int main(int argc, char *argv[])\n";
print "{\n";
print "    void (*code)() = (void *)shellcode;\n";
print "    code();\n";
print "    exit(0);\n";
print "}\n";
print "\n";
</pre><br /><span style="font-family:courier new;">--paste--</span><br /><br />The output of passing eval.001.log through crap2shellcode.pl is a C program that makes debugging the shellcode easy.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0OBLvNKgY4_UGY-aeNfMDaPjiJu_J6jAmlqThQilq4kFH9Hsa-hPTvNG83xwET1aRAWmsObM4NAS-_BZuRo4RAF5Phtz8axL66anGMo4SC-2HDRqd0N0t64ajv-ejOi342cS-0UJ5TnA/s1600/blog_2.jpeg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 190px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0OBLvNKgY4_UGY-aeNfMDaPjiJu_J6jAmlqThQilq4kFH9Hsa-hPTvNG83xwET1aRAWmsObM4NAS-_BZuRo4RAF5Phtz8axL66anGMo4SC-2HDRqd0N0t64ajv-ejOi342cS-0UJ5TnA/s400/blog_2.jpeg" alt="" id="BLOGGER_PHOTO_ID_5405080843246326354" border="0" 
/></a><br /><br /><span style="font-weight: bold;">Step 3 - View the shellcode/assembly in a debugger</span><br />First we have to build it. Since we know that this shellcode is a Linux bindshell, the logical choice for where and how to build it is Linux with gcc. Likewise, we can use gdb to dump the shellcode. For Win32 shellcode, we would probably pick Visual Studio Express and OllyDbg. Just about any Windows C compiler and debugger will work fine, though.<br /><br />To build the C code we generated in step 2 with gcc, use the following:<br /><br /><span style="font-family:courier new;">gcc -g3 shellcode.c -o shellcode</span><br /><br />The '-g3' flag builds the binary with debugging symbols, so gdb can resolve names like shellcode and main. This is necessary for debugging the binary. Or at least it makes it a whole lot easier.<br /><br />Now open the binary in gdb, display the first 50 instructions at shellcode (the /50i format), set a breakpoint at main(), and run it.<br /><br /><span style="font-family:courier new;">$ gdb ./shellcode<br />(gdb) display /50i shellcode<br />(gdb) break main<br />(gdb) run</span><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJu7ZmyjHjpE-Hqu2KfW24CvY3ig3pAaHwg4_Ko0iY6A1Kb3hvJepUGzTTADxNy7JJEqqXP4nuuNGyNWJrmJ6J8jnupvRyolOHcGcUeoj9Sb0GFiEIXxB-D9JoAY0RhFhx6LFn8MMmTfw/s1600/blog_3.jpeg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 188px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJu7ZmyjHjpE-Hqu2KfW24CvY3ig3pAaHwg4_Ko0iY6A1Kb3hvJepUGzTTADxNy7JJEqqXP4nuuNGyNWJrmJ6J8jnupvRyolOHcGcUeoj9Sb0GFiEIXxB-D9JoAY0RhFhx6LFn8MMmTfw/s400/blog_3.jpeg" alt="" id="BLOGGER_PHOTO_ID_5405080932285278306" border="0" /></a><a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Qs3P0zBmloW56R8DU8Q1fmQGoPVFTAA0RsOzx0Z_tjNze6H2k9ry5LFRcWzoDN9HcQgqO8dHncoOj16jDFqaAEBgmd3tJ7soIm0USzM_cvZL93MTh0xHeleKL80rRJAM3lSX3ikk4qA/s1600/blog_3.jpeg"><br /></a>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com2tag:blogger.com,1999:blog-6690994337395244641.post-53500192215306675152009-10-18T15:10:00.002-05:002010-06-01T20:25:15.139-05:00Two-For-One Talk: Malware Analysis for EveryoneThese two mini-talks were originally going to be blog posts, but I needed a speaker for this month's ISSA meeting. So I volunteered myself. Here are the slides.<div style="width: 425px; text-align: left;" id="__ss_2266872"><a style="font: 14px Helvetica,Arial,Sans-serif; display: block; margin: 12px 0pt 3px; text-decoration: underline;" href="http://www.slideshare.net/pmelson/twoforone-talk-malware-analysis-for-everyone" title="Two-For-One Talk: Malware Analysis for Everyone">Two-For-One Talk: Malware Analysis for Everyone</a><div style="font-size: 11px; font-family: tahoma,arial; height: 26px; padding-top: 2px;">View more <a style="text-decoration: underline;" href="http://www.slideshare.net/">presentations</a> from <a style="text-decoration: underline;" 
href="http://www.slideshare.net/pmelson">pmelson</a>.</div></div>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com0tag:blogger.com,1999:blog-6690994337395244641.post-4153387785792170032009-09-23T22:07:00.020-05:002009-12-30T07:46:23.456-05:00Queries: Excel vs. ArcSightSince ArcSight ESM 4.0, reports and trends have been based on queries. Considering that ESM runs on top of Oracle, a query in ESM is exactly what you think it is. Queries are an extremely flexible way to get at event data. But as the name implies, they go against the ARC_EVENT_DATA tablespace, and therefore you can't use them to build data monitors or rule conditions, since those engines run against data prior to insertion into the database.<br /><br />Anyway, I've got a story about how cool queries are. And about how much of an Excel badass I am. And also about how queries are still better. Last month, I got a request from one of our architects who was running down an issue related to client VPN activity. Specifically, he wanted to know how many remote VPN users we had over time for a particular morning. Since we feed those logs to ESM, I was a logical person to ask for the information.<br /><br />So I pulled up the relevant events in an active channel and realized that I wasn't going to be able to work this one out just sorting columns. So, without thinking, I exported the events and pulled them up in Excel. 
So here's the Excel badass part:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4t4rR5TCTR0zVhFblhokqmj7pgn8SV17_r3oqb6VGMuB1xBzZBY1Cn3wd70Lh5aRUfWgry9lA_ipqkzoRfL6gsE3IXi-TdyClLtzAO7fwsxFVzVg8FQGXnH9m_L-RxCrOFjp8IaF8pY8/s1600-h/xl2.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 121px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4t4rR5TCTR0zVhFblhokqmj7pgn8SV17_r3oqb6VGMuB1xBzZBY1Cn3wd70Lh5aRUfWgry9lA_ipqkzoRfL6gsE3IXi-TdyClLtzAO7fwsxFVzVg8FQGXnH9m_L-RxCrOFjp8IaF8pY8/s200/xl2.JPG" alt="" id="BLOGGER_PHOTO_ID_5384873908922475410" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsTiNURy1TQ66dg3SWc4p9b0317FvfXUU3H6iOPmwqm-Fy-xxvkNUp1XOYtB3xmBv6c37QPFiYcqM4yUWlTHWma_nYzCXAQh_ew7JNtoy_KgInp_ajsH54clBtGXjYgWXnWlun5ggdXkw/s1600-h/xl1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 16px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsTiNURy1TQ66dg3SWc4p9b0317FvfXUU3H6iOPmwqm-Fy-xxvkNUp1XOYtB3xmBv6c37QPFiYcqM4yUWlTHWma_nYzCXAQh_ew7JNtoy_KgInp_ajsH54clBtGXjYgWXnWlun5ggdXkw/s320/xl1.JPG" alt="" id="BLOGGER_PHOTO_ID_5384870189767048610" border="0" /></a><br />If you want to copy it, here it is:<br />=SUM(IF(FREQUENCY(MATCH(A2:A3653,A2:A3653,0),MATCH(A2:A3653,A2:A3653,0))>0,1))<br /><br />So A is the column that usernames are in. This formula uses the MATCH function to create a list of usernames and then the FREQUENCY function to count the unique values in the match lists. You need two MATCH lists to make FREQUENCY happy because it requires two arguments, hence the redundancy. 
It took about an hour for me to put it together, most of that was spent finding the row numbers that corresponded to the time segment borders.<br /><br />But as I finished it up and sent it off to the requesting architect, I thought, there must be an easier way. And of course there is. So here's how you do the same thing in ESM using queries:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCUyYtE8VYt3m1E6whNOQ77ZuGrI-5gEgrMaulv4UaBJ6v-biOuJSyVOs6_AnGAyDe17cNmJY7VZjrVkc4c8okDoMvT7oTtGzU5cnTUPfMm_M3uvpDY3fSKFrbAzAlJOG1LU5zIHHn9cs/s1600-h/qry1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 232px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCUyYtE8VYt3m1E6whNOQ77ZuGrI-5gEgrMaulv4UaBJ6v-biOuJSyVOs6_AnGAyDe17cNmJY7VZjrVkc4c8okDoMvT7oTtGzU5cnTUPfMm_M3uvpDY3fSKFrbAzAlJOG1LU5zIHHn9cs/s320/qry1.JPG" alt="" id="BLOGGER_PHOTO_ID_5421009002606294226" border="0" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-TdGfEyQ5_aI12td4lULBlDUQ7sUWnL4XUZBY_5mYfoGPEPPqjX9MEYJMkvr1e2YoB8mpdDvYrZpRZmejJ7jtx__0Jyo0FLa4Wl_oupbbOA3Ss0_OS6ZLy1e_edliPRON_NDVadbZuFU/s1600-h/qry2.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 164px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-TdGfEyQ5_aI12td4lULBlDUQ7sUWnL4XUZBY_5mYfoGPEPPqjX9MEYJMkvr1e2YoB8mpdDvYrZpRZmejJ7jtx__0Jyo0FLa4Wl_oupbbOA3Ss0_OS6ZLy1e_edliPRON_NDVadbZuFU/s320/qry2.JPG" alt="" id="BLOGGER_PHOTO_ID_5421009249566650690" border="0" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipePZ9nvmOkMbutch8y_Y-VtfuzF06IMLvGehleLgZ9tb8aHNu42qTJgxVPSHZzOXtRGGzSAByvoAMgGucVAkxQu0r8Ds21pMGqWg8bxRptXz3E3A8XLxsfqVhpS1K940_VdfDb6a7uh8/s1600-h/qry3.JPG"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 163px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipePZ9nvmOkMbutch8y_Y-VtfuzF06IMLvGehleLgZ9tb8aHNu42qTJgxVPSHZzOXtRGGzSAByvoAMgGucVAkxQu0r8Ds21pMGqWg8bxRptXz3E3A8XLxsfqVhpS1K940_VdfDb6a7uh8/s320/qry3.JPG" alt="" id="BLOGGER_PHOTO_ID_5421009490021103138" border="0" /></a><br style="clear: both;" /><br />So, it's just EndTime with the hour function applied, TargetUserName with the count function applied, and the Unique box (DISTINCT, for the Oracle DBAs playing at home) checked. Then on the Conditions tab you create your filter to select only the events you want to query against. That's it.<br /><br />Once the query is created, just run the Report Wizard and go. 
All told, it's about 90 seconds to do the same thing with a query and report that it took an hour to do in Excel.<br /><br /><div style="text-align: left;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqjr4EsTC3xlpbxGddbP26IpAUsB0fEX75Q2HtKuM1U1Ye5js-bbdIVOlfR0R-imibn-vTaH0nk6ons6YAZTfSQ3nIhyYeLFuv8nhmZX6UXb4KYbXDGSsOvQ3WMmoAhegeUm26_YhJgvE/s1600-h/rpt1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 158px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqjr4EsTC3xlpbxGddbP26IpAUsB0fEX75Q2HtKuM1U1Ye5js-bbdIVOlfR0R-imibn-vTaH0nk6ons6YAZTfSQ3nIhyYeLFuv8nhmZX6UXb4KYbXDGSsOvQ3WMmoAhegeUm26_YhJgvE/s320/rpt1.JPG" alt="" id="BLOGGER_PHOTO_ID_5384886568468884258" border="0" /></a></div>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com0tag:blogger.com,1999:blog-6690994337395244641.post-63040413789477017102009-09-20T23:24:00.003-05:002009-09-25T22:05:58.238-05:00The 'Cyberwarfare' ProblemLast week I attended ArcSight's annual user conference in Washington, DC. More about that in a later post. During the conference, ArcSight hosted a panel discussion on cyberwarfare. In DC, where many of ArcSight's biggest customers are based, this is a hot topic, and there will be a lot of time spent discussing it and a lot of money spent on defending against it, maybe.<br /><br />What struck me about the panel discussion were two comments, both made by <a href="http://csis.org/expert/james-andrew-lewis">James Lewis</a>, one of the panelists, and a director at the Center for Strategic and International Studies. At one point, Mr. Lewis invoked Estonia as an example of state-sponsored cyberwarfare, and made the comment that, "the Russians are tickled that they got away with it." Not ten minutes later, an audience member asked a question about retaliation against cyber-attacks. Mr. 
Lewis responded to the question by pointing out the problem of attribution. That is, from the logs that the victim systems generated, the IP address(es) recorded can't reliably be used to identify the actual individual(s) responsible for the attack.<br /><br />Now, I don't intend to pick on James Lewis. It just so happened that one person on the panel expressed the paradox of cyberwarfare. The attribution problem is a big problem for all outsider attacks, not just cyberwarfare. A decade ago, security analysts were calling it "the legal firewall" because US-based hackers would first hack computers in China, Indonesia, Venezuela, or another country that doesn't openly cooperate with US law enforcement, and then hack back into the US from there, creating an investigative barrier that would hinder or prevent an investigation from getting back to the attacker's actual location.<br /><br />So knowing that there's a very real problem with being able to identify the source country for Internet-based attacks, it stands to reason that using the same limited forensic data to not only identify the actual source of an attack, but to determine that it is in fact state-sponsored, and not, say, <a href="http://www.forbes.com/2008/05/14/cyberattacks-terrorism-estonia-tech-security08-cx_ag_0514attacks.html">a grassroots attack armed by a teenager</a>, is a stretch. And for that reason, the question of cyberwarfare is an open one. Until a government actually comes forward and claims responsibility for an attack, it's unprovable.<br /><br />So as the government spends $100M on cyberdefense over the next six months, it's important to try and answer the question, "What is the military actually defending against?" 
At the very least, it's fair to say nobody knows for certain.PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com1tag:blogger.com,1999:blog-6690994337395244641.post-54102442636172708122009-08-12T15:57:00.004-05:002009-08-12T16:22:18.810-05:00Inbox 3Teguh writes,<br /><br /><blockquote>Hi Paul,<br />Could you give some guidance on administering Logger? I searched through Google, but found nothing significant. How-tos and tutorials would be enough, I guess. Does it have to have a syslog server for Logger to be able to read data from?<br />Thanks..<br /></blockquote><br />The documentation for Logger is available from ArcSight's download center. Only registered customers have access, but I assume that if you've got a Logger box, that generally qualifies you.<br /><br />With regard to your second question, yes, Logger has a syslog server. It actually has a few. In Logger nomenclature these are "receivers." Logger supports UDP and TCP syslog, FTP and SSH file pull, and NFS and CIFS remote filesystems. Logger also supports some ArcSight-specific receivers, including a SmartMessage receiver for events forwarded from ESM and CEF-over-syslog (OK, ArcSight wouldn't agree that this is specific to their products, but despite the C standing for Common, CEF is anything but. At least right now.)<br /><br />Configuring Logger to act as a syslog server is pretty straightforward.<br /><ol><li>From the web interface, navigate to Configuration, Event Input/Output.<br /></li><li>On the "Receivers" tab, click the Add button.<br /></li><li>Name your connector and set the type as "UDP Receiver" then click Next.<br /></li><li>The defaults for Compression Level and Encoding are fine. Select the IP address you want the listener to reside on, and set the port number. 
The default syslog server port is UDP/514.<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSOLsQkJphPRvrR6z7Kdpluu7P8x2AuovD5Xpnz0mlNMsnT8SsRU4yjMUoEu5uySDolgPTEf7ZKM7lLkdWdUgWB7Me67CeUG1BZsb8RuVHDXVO6Hw1WUbAz8QXLIUaUxie3RcD3EIaTcI/s1600-h/logger.JPG"><img id="BLOGGER_PHOTO_ID_5369190174418025138" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 200px; CURSOR: hand; HEIGHT: 110px; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSOLsQkJphPRvrR6z7Kdpluu7P8x2AuovD5Xpnz0mlNMsnT8SsRU4yjMUoEu5uySDolgPTEf7ZKM7lLkdWdUgWB7Me67CeUG1BZsb8RuVHDXVO6Hw1WUbAz8QXLIUaUxie3RcD3EIaTcI/s200/logger.JPG" border="0" /></a> </li><li>Click Save. </li><li>On the "Receivers" tab, click the little no-smoking image next to the new receiver to enable it.<br /></li></ol>PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com0tag:blogger.com,1999:blog-6690994337395244641.post-86575716991448244012009-06-23T12:47:00.005-05:002009-06-23T13:03:39.115-05:00Nobody Sells Laptops for The Price of SilverIf you haven't already, I recommend that you take 20 minutes and read "<span style="font-weight: bold;">Nobody Sells Gold for the Price of Silver</span>" by Cormac Herley and Dinei Florencio. (<a href="http://research.microsoft.com/pubs/80034/nobodysellsgoldforthepriceofsilver.pdf">PDF Link</a>) This is an excellent analysis of the research into and press coverage of the underground economy. It's a fascinating read, and they make a cogent argument that the underground economy is more myth than reality. I don't want to say more because it will ruin it for you.<br /><br />Now I have an exercise for you. First, read the Herley/Florencio article. Then, read <a href="http://www.schneier.com/blog/archives/2009/06/fraud_on_ebay.html">Bruce Schneier's experiences with trying to sell a laptop on eBay</a>. Now think about the implications of the "Ripper Tax" on eBay. 
Now ask yourself why you haven't already sold any stock you own in eBay.PaulMhttp://www.blogger.com/profile/02530533566781746778noreply@blogger.com0tag:blogger.com,1999:blog-6690994337395244641.post-58267443714643855212009-06-18T22:22:00.009-05:002009-06-19T15:50:52.231-05:00PCI-DSS and Encrypting Card NumbersOK, I'm about to do something dumb and talk about cryptography and cryptanalysis. I'm an expert in <span style="font-style: italic;">neither</span> of these things. But despite the fact that somebody smarter than me should be telling you this, you're stuck with me, and I think I have a point. So here goes.<br /><br />I had a bit of an "A-ha!" moment earlier today around PCI-DSS, specifically requirement 3.4 from v1.2 of the standard. Here's the relevant language from that requirement:<br /><br /><blockquote>3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:<br /><ul><li>One-way hashes based on strong cryptography</li><li>Truncation</li><li>Index tokens and pads (pads must be securely stored)</li><li>Strong cryptography with associated key-management processes and procedures</li></ul></blockquote>The bottom line is that this requirement fails to provide adequate protection to card numbers. Here's why.<br /><br />Truncation and tokenized strings with pads have limited use cases. In the case of truncating card numbers, PCI-DSS recommends only storing the last 4 digits of the card number. You wouldn't choose truncation for a program that validates a card number because there would be too great a potential for false matches. It would only be helpful for including in receipts, billing statements, and for use in validating a customer identity in conjunction with other demographic information. 
Database tokens only provide adequate protection in environments where there is a multi-user or multi-app security model, and if there are flaws in the applications that have access to the pads, then your data is pwned.<br /><br />So for the sake of maximum versatility and security, you're likely (or your software vendor is likely) to opt for hashing or encryption. But you still have a serious problem. While one-way hashes like SHA and block ciphers like AES can provide good protection to many forms of plaintext, credit cards aren't one of them. That's right, the problem isn't actually in the way you encrypt credit card numbers, it's that credit card numbers make for lousy plaintext to begin with.<br /><br />Take for example the following row of data from my hypothetical e-commerce application's cardholder table:<br /><br /><span style="font-family:courier new;">LNAME,FNAME,CTYPE,EXP,HASH,LASTFOUR<br />Melson,Paul,DISCOVER,06/2009,e4b769607856a2f30b57fd26079dfefb,1111</span><br /><br />In this case, we have what we need to use the card, except that the card number is hashed with MD5. (Ignore what you know about MD5 collisions for a moment, since this problem also exists for SHA or any other method of encrypting the card number.) If we calculate the number of possible values that could be on the other side of that hash, it would be 10^16, or about 10,000 trillion, for the 16-digit card number. That's roughly twice as many possibilities as an 8-character complex password (96^8), which is an acceptable keyspace size, but also completely doable for a tool like John The Ripper.<br /><br />But if you know credit card numbers, then you've already realized that it's even worse than that. The first 4-6 digits of the card number shouldn't be counted toward the keyspace at all: there aren't 1 million actual possible values. 
Since that row from my e-commerce app's database told me the card issuer, I know within 4-5 guesses the first two to four digits of the card number, and the last four are right there as well, for inclusion on statements, etc. In this case, since it's a Discover card, we already know that the card number is 6011XXXXXXXX1111. Now we've cut the number of digits we must guess in half, from 10^16 possibilities down to 10^8, which is a mere 100 million. There are other clever things we can do if it's encrypted with a stream cipher like RC4 or FISH, because we know the beginning and end values of the plaintext. But guess what? It's cheaper and easier to brute-force it even if lousy crypto is used. Even on the scale of millions of records. Even with salting, it's still worth it to brute-force the middle digits.<br /><br />But wait, there's more! As if publicly known prefix values weren't enough, credit card numbers are also designed to be self-checking. That is to say, the numbers contain something like a checksum that, when a known algorithm is applied to the 7-digit account number, 3 digits of which we know from our last-four field, can be used to validate the card number. This was designed as an anti-fraud mechanism that would allow cards to be checked without a need to communicate with a clearinghouse. But this algorithm lets us generate only valid account numbers, which, combined with the partially-known prefix, reduces the keyspace significantly. And since this is a known algorithm, I can (and someone already has) very easily write a tool that combines a brute-force password cracker with a credit card number generator.<br /><br />The bottom line is that, because of the already-partially-known nature of credit card numbers, simply encrypting card numbers inside a database or extract file is insufficient protection. 
The PCI Security Standards Council should revisit this requirement and modify it to, at the very least, require symmetric-key block ciphers and disallow stream ciphers and one-way hashes. But even then, I suspect, encrypted card numbers will be at risk. Certainly row-level encryption of card numbers should not qualify for "safe harbor" when it comes to breach notification laws.<br /><br />PS - Extra credit if you crack the full card number from the hash above and post it below.<br /><br />PaulM<br /><br />From The Inbox 2 (2009-06-11)<br /><br /><a href="http://pmelson.blogspot.com/2007/09/arcsight-user-conference.html#comments">lmran writes</a>:<br /><br /><blockquote>Hi Paul,<br />Do you know any reason why ArcSight ESM does not support the Cisco MARS? Right now, all my firewalls send the syslog feeds into Cisco MARS and I'm trying to set the Cisco MARS to send those raw feeds data to ArcSight local connector but I just found out that ArcSight does not support the Cisco MARS. Thanks in ADV for any info regarding this subject.<br /></blockquote><br />Starting in 4.x, MARS can forward events to another remote syslog listener. ArcSight has a syslog connector. So you ought to be able to forward events from MARS to ArcSight via syslog, assuming MARS doesn't change the format of the log events too much. Even if MARS does mangle the event format, ArcSight will still receive them, but then most or all of the event will be parsed into the CEF Name field, and categorization and prioritization won't be accurate.<br /><br />If you are unable to upgrade your MARS appliance to 4.31 or later (I think that's the rev you need), another option would be to use a syslog-ng server out front. It supports forwarding events by source to other syslog servers.
You could use this to send the stuff you want in ESM to ArcSight's syslog Connector and the stuff you want in MARS to MARS.<br /><br />Or, you could do the environmentally conscious thing and unplug then recycle your MARS appliance. ;-)<br /><br />PaulM
