admin | July 1, 2021, 10:34 p.m.
Section 1: Basic Concepts
1. Using your own words, define and provide one example for each of the following terms:
· Worm:
A type of malware where the code can replicate itself independently and send complete working copies of itself to other systems by using network protocols, email attachments, etc. Worms may also contain payloads that damage host systems by tampering with host data but even the replication mechanism can be malicious due to its use of system and network resources.
An example of this would be the Morris worm, which exploited vulnerabilities in network protocols to propagate itself. Its main malicious effects were caused by a bug in the worm code, which led to systems being reinfected multiple times. Each reinfection would start a new system process on the host, using up an increasing share of system resources until the system became unresponsive.
· Trojan:
A type of software that appears to have a useful purpose to a user, which motivates them to install it on their system. However, the software also performs tasks that are hidden from the user and that may be malicious.
An example of this would be the Clickbot.A trojan, which was hidden within an Internet Explorer plugin. Once the plugin was installed, this trojan hijacked the system to automatically click on online ads without the user’s consent.
· Ransomware:
A type of malware that makes user systems or data unavailable to the user or makes an unauthorized copy of sensitive, confidential data. Ransomware intends to blackmail the users into paying a sum of money to either restore access or prevent the release of such data.
An example of this would be the CryptoLocker ransomware which, once executed on a computer, encrypted local and network files that the infected system had access to. It then displayed a message on the infected machine that offered to decrypt the files once a payment was made and threatened to delete the decryption key if payment was not made by a certain deadline.
· Adware:
A type of software that generates ads that are displayed within a program’s user interface. Adware is not necessarily malicious, especially when used in a limited and unobtrusive manner with the user’s consent as a way to recoup development costs for legitimately useful software. Malicious adware hijacks third-party software such as web browsers in an obtrusive way by occupying space in the user interface and by reporting user data without the user’s consent.
Fireball is an example of malicious adware which changed the default search engine in web browsers and tracked web traffic on infected systems on behalf of a digital marketing firm without the user’s consent.
2. Using your own words, explain Cross-Site Scripting (XSS). Describe two ways to defend against XSS.
A Cross-Site Scripting attack occurs when an attacker introduces a script into a victim’s web browser by mixing their script with the other interactive content and scripts delivered by a website the victim visits. This script has a high-risk potential since code delivered by a website is trusted by the victim’s web browser and can complete any action that could normally be completed in a typical web browsing session.
One way to prevent Cross-Site Scripting attacks is to disable client-side scripts, which can be done by the user configuring their browser to disable such scripts or by having websites run scripts on their servers rather than on client systems (while accepting the trade-off in responsiveness). Another main countermeasure is to encode any data that can be entered by the user through a website’s forms, so that code entered by a malicious attacker has certain characters replaced by other characters that cannot be interpreted as code by web browsers.
3. Provide three specific IOCs for two of the following malware families:
· Dridex
(Source: Talos Intelligence Threat Roundup for July 10 to July 17, 2020)
1. The <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE registry key on the infected system has a value name of trkcore.
2. The malware established communication with the domain name pastebin[.]com.
3. The malware established communication with the IP address 104[.]23[.]99[.]190.
· Ryuk
(Source: FBI Flash MC-000103-MW 02-MAY-19)
1. Presence of encrypted files that have the tag “Hermes” followed by an encrypted key at the end of the file.
2. Presence of either of the following two folders on infected Windows systems:
· "C:\users\Public\sys"
· "C:\Documents and Settings\Default User\sys"
3. Creation of a mutex with the name “efkrm4tgkl4ytg4” or “FakeMutex”.
4. Decode the following:
51 58 5a 77 63 69 42 71 59 6d 56 34 49 53 42 44 65 58 4a 75 5a 6e 49 67 59 6d 68 6e 65 58 5a 68 63 69 42 6e 64 58 49 67 5a 6d 64 79 59 32 59 67 62 47 4a 6f 49 47 64 69 59 6e 67 67 5a 32 49 67 64 48 4a 6e 49 47 64 31 64 6d 59 67 65 6e 4a 6d 5a 6d 35 30 63 69 77 67 64 6d 46 77 65 57 68 78 64 6d 46 30 49 47 35 68 62 43 42 6c 63 6d 5a 69 61 47 56 77 63 6d 59 67 5a 33 56 75 5a 79 42 31 63 6e 6c 6a 63 6e 45 67 62 47 4a 6f 49 48 5a 68 49 47 78 69 61 47 55 67 62 6d 46 6d 61 6e 4a 6c 4c 67 3d 3d
Decode from hex:
QXZwciBqYmV4ISBDeXJuZnIgYmhneXZhciBndXIgZmdyY2YgbGJoIGdiYnggZ2IgdHJnIGd1dmYgenJmZm50ciwgdmFweWhxdmF0IG5hbCBlcmZiaGVwcmYgZ3VuZyB1cnljcnEgbGJoIHZhIGxiaGUgbmFmanJlLg==
The two == at the end made me suspect base64.
Decode from base64:
Avpr jbex! Cyrnfr bhgyvar gur fgrcf lbh gbbx gb trg guvf zrffntr, vapyhqvat nal erfbheprf gung urycrq lbh va lbhe nafjre.
Looks really similar to plaintext, just slightly rotated.
Decode from ROT13 (Rotation 13):
Nice work! Please outline the steps you took to get this message, including any resources that helped you in your answer.
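As an added example (not part of the original post), the three-step decode above written as a Python routine that peels hex, then base64, then ROT13 off the challenge string and reports which layers it removed. CHALLENGE_HEX is a copy of the post’s input; the small common-word list and the 20% threshold used to recognise plaintext are assumptions, not a standard.

```python
import base64
import codecs
import re

# Copy of the hex string from the challenge above (spaces separate byte pairs).
CHALLENGE_HEX = (
    "51 58 5a 77 63 69 42 71 59 6d 56 34 49 53 42 44 65 58 4a 75 "
    "5a 6e 49 67 59 6d 68 6e 65 58 5a 68 63 69 42 6e 64 58 49 67 "
    "5a 6d 64 79 59 32 59 67 62 47 4a 6f 49 47 64 69 59 6e 67 67 "
    "5a 32 49 67 64 48 4a 6e 49 47 64 31 64 6d 59 67 65 6e 4a 6d "
    "5a 6d 35 30 63 69 77 67 64 6d 46 77 65 57 68 78 64 6d 46 30 "
    "49 47 35 68 62 43 42 6c 63 6d 5a 69 61 47 56 77 63 6d 59 67 "
    "5a 33 56 75 5a 79 42 31 63 6e 6c 6a 63 6e 45 67 62 47 4a 6f "
    "49 48 5a 68 49 47 78 69 61 47 55 67 62 6d 46 6d 61 6e 4a 6c "
    "4c 67 3d 3d"
)

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Assumed heuristic: a layer counts as plaintext once a fifth of its words are
# common English function words. Kept small here; extend it for real use.
COMMON_WORDS = {"the", "to", "you", "and", "in", "of", "this", "any", "that", "your"}


def looks_like_english(text):
    words = re.findall(r"[a-z]+", text.lower())
    if not words:
        return False
    return sum(w in COMMON_WORDS for w in words) / len(words) >= 0.2


def rot13(text):
    return codecs.decode(text, "rot_13")


def printable(raw):
    """Return raw bytes as ASCII text, or None if they are not cleanly printable."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def peel(data, max_layers=6):
    """Strip hex, base64 and ROT13 layers in whatever order they were applied.
    Returns (text, layers_removed); stops when the heuristic accepts the text
    or when no decoder yields printable output (an unknown layer)."""
    current, layers = data.strip(), []
    for _ in range(max_layers):
        if looks_like_english(current):
            break
        if HEX_RE.match(current):
            # Hex is tried first: an all-hex string also fits the base64 alphabet.
            text, layer = printable(bytes.fromhex(current)), "hex"
        elif B64_RE.match(current) and len(current) % 4 == 0:
            text, layer = printable(base64.b64decode(current, validate=True)), "base64"
        elif looks_like_english(rot13(current)):
            text, layer = rot13(current), "rot13"
        else:
            break
        if text is None:
            break
        current, layers = text, layers + [layer]
    return current, layers
```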
5. Using your own words, explain the difference between encoding, encrypting, and hashing.
Encoding refers to the process of representing data in another format for purposes other than keeping the data secret, such as increasing usability or transportability. The conversion algorithm is publicly available, meaning it can be easily reversed.
Encryption is the process of changing the data format using a confidential conversion algorithm that is known only to the sender and the intended recipient. The purpose of encryption is to keep data secret while it is being transferred over insecure communication channels.
Hashing refers to the process of taking an arbitrary message as an input to a hashing algorithm and obtaining a fixed-length output. Any slight change in the input message results in a drastic change in the output (even if the length of the output stays the same), meaning that hashing allows for message authenticity to be confirmed.
6. In as much detail as possible, describe two ways a computer residing in a public space is susceptible to compromise.
· DNS Spoofing: The objective of this attack is to send incorrect DNS data into the DNS resolver cache of the target system, which causes the target system to navigate to IP addresses specified by the attacker. This attack can be carried out under the assumption that the attacker has gained access to the same network as the target computer, whether by being on the same public open Wi-Fi network or by brute-forcing the access credentials to a private network. DNS spoofing itself is done through a program such as Ettercap, which can generally be used to configure the redirection of the target’s traffic through your machine before sending it to the gateway (a man-in-the-middle attack). The additional functionality of Ettercap also allows you to change the entries in the DNS tables that the target system uses to resolve domain names into IP addresses. By changing these DNS entries, you can forward the target to replica copies of popular websites such as Facebook, Google, etc. This allows multiple malicious activities to be attempted against a target, whether by hosting links that download trojans onto the target machine or by capturing login credentials entered into the replica website, since the user mistakes the replica for the actual online service they are trying to access. These credentials can then be forwarded to the attacker.
· Malicious peripherals: Computers in public spaces are uniquely vulnerable since access to them is not controlled, i.e. any individual could gain access to the actual physical computer and plug in a peripheral such as a USB drive. This can be done without immediately arousing suspicion, or it can be done through a third party by leaving USB drives loaded with malicious files in a public space adjacent to the computer (e.g. a parking lot). Studies have found that unsuspecting individuals who come across a dropped USB drive often pick it up and plug it into a machine out of curiosity or a desire to reunite the lost peripheral with its owner. Attacks can then proceed by having the unsuspecting user click on an innocuous image or file that is hiding an executable. This executable can then install a rootkit that makes the actual malicious payload, such as a backdoor, keylogger, or virus, undetectable. A subtler way to achieve computer compromise is to connect a malicious peripheral that appears to be innocuous, such as a Thunderbolt dongle, but in fact contains firmware carrying malicious software. Once plugged into the public computer, this malicious software could update drivers for peripheral devices such as the keyboard, web cam, etc., giving the attacker control over these devices. This attack exploits the fact that most firmware for peripheral devices is unsigned, meaning no source authenticity verification takes place before peripheral firmware is updated.
7. Using your own words, define malware persistence and provide examples of two different techniques in which malware can remain persistent.
Malware persistence is the ability of malware to remain on a target system and continue to operate even after the system reboots or logs off, eliminating the need for external reinfection or reactivation.
One way that malware achieves this is by modifying the registry keys of the host system and adding itself to the list of services that are executed by the system upon boot-up or login.
Another persistence technique is DLL search order hijacking, which takes advantage of the fact that many Windows programs need to load DLLs (a type of file that performs common tasks needed by many applications, thereby acting as a shareable system resource and eliminating the need to rewrite the same code for different applications). Applications look for these files in the same folder the application itself is located in, and malware takes advantage of this by giving itself the same name as a DLL needed by an application and saving itself in the location where the application expects that DLL to be. The application then triggers the execution of the malware that is masquerading as a DLL file. The malware only needs to make sure it also executes the actual DLL requested, so that the application runs as the user expects and no suspicion of malicious behavior is raised.
Section 2: Scenarios
1. You receive an email from CompanyX inviting you to attend an upcoming webinar. When you click on the included link, your browser shows you an HTTP 404 page. However, you immediately become concerned that the email was not officially from CompanyX and you may have just been phished. When checking your logs to verify what happened, you notice that your "404 page" is reported as having an HTTP 200 response code. Why might this be the case?
An attacker forwarded you a link to a functional website that displays a replica of an HTTP 404 page. The 200 response code shows that you loaded the website successfully, but a page can be crafted to match exactly what a user would expect to see when a legitimate HTTP 404 page is shown in their browser. This is possible because the HTML code and CSS styles that a browser uses when displaying an actual HTTP 404 page can be inspected by any user.
2. Provide a brief overview of the following Windows event IDs.
a) 4719
b) 4657
c) 4756
Describe each in relation to how they may be considered suspicious and/or indicators of compromise.
Example: Windows event ID 4720 relates to user account creation. Creation of an account named “admin_Joseph” may be considered suspicious enough to warrant investigation for a potential network breach if there are no employees within the organization by the name of “Joseph”.
a) Windows event ID 4719 relates to audit policy changes. The audit policy determines what type of system events are being logged. Changing the audit policy may be an attempt by malware to prevent the logging of an event that is associated as an indicator of compromise with this malware, making the malware harder to detect.
b) Windows event ID 4657 relates to registry key value modifications. This type of event can be considered suspicious since malware often makes changes to registry key values as part of an attempt to maintain persistence within the system.
c) Windows event ID 4756 relates to changes in the member list of a security-enabled universal group. Members in this group are granted access to resources in any trusting domain and the addition of new members can be a sign of a malicious escalation of privilege.
3. Assume you’re acting in a cybersecurity analyst role and you’re investigating suspicious activity for your client involving an IP address located in Switzerland. When performing a reputation check for the IP address, various online resources you've checked have come back "clean" and there were no obvious detections that this IP address currently is or was associated with malicious activity. However, you are seeing clear indicators of compromise from an endpoint, which includes post-infection activity to the aforementioned “clean” IP address. Describe how you would handle this situation, given the conflicting information you’ve encountered. Explain why you might not be seeing a malicious reputation for the Swiss IP.
The first step would be to continue gathering as much information as possible about the activity and then consider the most likely explanations for the behavior. By gathering all available information about the extent of the activity (including whether other hostile or friendly hosts were involved), it becomes easier to eliminate certain explanations and focus on a smaller group of plausible ones. It is likely at this stage that several explanations remain plausible but that those with the lowest severity have been eliminated. It is also likely that all the remaining plausible scenarios will have similar containment and remediation steps, based on company guidelines or industry publications such as NIST’s Computer Security Incident Handling Guide.
A malicious reputation for the Swiss IP address may be absent because attackers regularly compromise or find other means to access hosts with previously “clean” IP addresses. This is part of their strategy to minimize the detection of compromises and gain additional time to conduct post-exploitation activities.
4. Review the following firewall log entries. For each entry, investigate and determine if it would represent a threat to a client’s environment. Provide as much detail and reasoning as possible to support your decision.
a) Dec 04 22:37:28 hostname1 date=2018-12-04 a5 [local4.notice] date=2018-12-04 time=22:37:28 devname=firewall2 device_id=FGT11111 log_id=55556 type="utm" subtype="virus" eventtype="botnet" level="warning" vd="root" msg="Botnet C&C Communication." action="blocked" sessionid=3220555553 srcip=192.168.30.8 srcname="CFO-Laptop" dstip= 103.208.86.69 srcport=5364 dstport=80 proto=6 direction="outgoing" virus="AmmyRAT" dtype="ip-reputation" ref=" https://fortiguard.com/encyclopedia/botnet/7630421" virusid=4318 crscore=50 crlevel="critical"
Based on this firewall log, it appears there was an outgoing TCP connection from a friendly host to an external, hostile IP that was blocked. The log shows that the connection was blocked because the external IP address was linked to a botnet malware called ‘AmmyRAT’ and thus the type of communication as a whole was classified as “Botnet C&C Communication” by the firewall. This alert indicates there is a clear threat to the client since a laptop owned by senior management (the Chief Financial Officer) appears to already be infected by malware that is attempting to establish contact with a C&C server. Steps should be taken to immediately contain and remediate this infection.
b) 10.22.16.100|local7|notice|notice|bd|2019-08-17|10:34:12|logver=56| timestamp=1560087289 tz="UTC-4" devname="ACM-FWINT" devid="FG9H6B4194540535" vd="root" date=2019-08-17 time=09:34:49 logid="0000000013" type="traffic" subtype="forward" level="notice" eventtime=1560087289 srcip=10.10.90.72 srcport=65048 srcintf="V832_INSIDE" srcintfrole="lan" dstip=5.255.86.125 dstport=8080 dstintf="INF01_OUT" dstintfrole="wan" sessionid=1556783465 proto=6 action="deny" policyid=0 policytype="policy" service="TCP-8080" dstcountry="Netherlands" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
This firewall log shows that an outgoing TCP connection from a LAN network to an external IP address was blocked. This TCP communication was possibly a web browser on a friendly host trying to open an external HTTP web page. The external IP address does appear to be in the Netherlands, but there are no alerts associated with this IP address. The firewall log has a “notice” level, meaning there are no explicit warnings associated with the blocking of this connection. There also appears to be no NAT taking place, and since the communication was blocked, no data was sent. This appears to be a normal type of communication (albeit an unencrypted one over HTTP) that was blocked because of a default blocking policy in the firewall for any connection for which the firewall does not have an existing state entry. This state may also have expired since the connection was originally established. There does not appear to be a threat to the client’s environment.
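As an added example (not part of the original write-up or any vendor tool), a parser for the key=value firewall records in this question and a triage function that applies the reasoning given above to each record. The two log lines are copied from the question; the rules (a UTM botnet verdict on an internal host is a threat even though the session was blocked, a zero-byte traffic deny with no detection is policy noise) are my encoding of the answers above, so treat the thresholds as assumptions.

```python
import re

# The two firewall records from the question above, copied verbatim.
LOG_A = (
    'Dec 04 22:37:28 hostname1 date=2018-12-04 a5 [local4.notice] date=2018-12-04 '
    'time=22:37:28 devname=firewall2 device_id=FGT11111 log_id=55556 type="utm" '
    'subtype="virus" eventtype="botnet" level="warning" vd="root" '
    'msg="Botnet C&C Communication." action="blocked" sessionid=3220555553 '
    'srcip=192.168.30.8 srcname="CFO-Laptop" dstip= 103.208.86.69 srcport=5364 '
    'dstport=80 proto=6 direction="outgoing" virus="AmmyRAT" dtype="ip-reputation" '
    'ref=" https://fortiguard.com/encyclopedia/botnet/7630421" virusid=4318 '
    'crscore=50 crlevel="critical"'
)
LOG_B = (
    '10.22.16.100|local7|notice|notice|bd|2019-08-17|10:34:12|logver=56| '
    'timestamp=1560087289 tz="UTC-4" devname="ACM-FWINT" devid="FG9H6B4194540535" '
    'vd="root" date=2019-08-17 time=09:34:49 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" eventtime=1560087289 srcip=10.10.90.72 '
    'srcport=65048 srcintf="V832_INSIDE" srcintfrole="lan" dstip=5.255.86.125 '
    'dstport=8080 dstintf="INF01_OUT" dstintfrole="wan" sessionid=1556783465 '
    'proto=6 action="deny" policyid=0 policytype="policy" service="TCP-8080" '
    'dstcountry="Netherlands" srccountry="Reserved" trandisp="noop" duration=0 '
    'sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 '
    'crlevel="high"'
)

# key=value or key="quoted value". The \s* after '=' tolerates the stray space
# in 'dstip= 103.208.86.69' as it appears in the first record.
KV_RE = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S*))')


def parse_record(line):
    """Return a record's fields as a dict; a repeated key keeps its last value."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = (quoted or bare).strip().rstrip("|")
    return fields


def triage(fields):
    """Rule form of the reasoning above: a UTM botnet verdict on an internal
    host is a threat even though the session was blocked (the host is already
    reaching for C&C); a plain traffic deny that sent no bytes and carries no
    detection is policy noise. Returns (verdict, reason)."""
    action = fields.get("action", "")
    if fields.get("type") == "utm" and fields.get("eventtype") == "botnet":
        host = fields.get("srcname") or fields.get("srcip", "?")
        return ("threat",
                f"{host} tried to reach {fields.get('dstip')} flagged as "
                f"{fields.get('virus', 'unknown')} C&C ({fields.get('crlevel')}); "
                f"session {action}, but the host needs containment")
    if (fields.get("type") == "traffic" and action == "deny"
            and fields.get("sentbyte") == "0" and "virus" not in fields):
        return ("benign",
                f"policy {fields.get('policyid')} denied {fields.get('srcip')} -> "
                f"{fields.get('dstip')}:{fields.get('dstport')}; nothing was sent")
    return ("review", "no rule matched; inspect manually")
```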
5. You suspect your network has been breached – explain how you would investigate to determine the full extent of the compromise.
· Gather initial information on the involved host and identify the baseline state of the host and its connections to other systems. What has changed to cause a breach to be suspected?
· Gather threat intelligence on external suspicious IPs by consulting internal resources to understand whether previous communication had occurred with the potentially breached system, whether communication had occurred with other friendly systems, and what the nature of these communications was. The goal of this step is to begin identifying any suspicious patterns. The next step would be to perform OSINT on the suspected external threats by consulting IP/domain registrations and investigating the external IP address’ reputation. Any artifacts discovered on a breached system, such as files, would also be researched (including by searching online for any mentions of the file’s MD5 hash) and submitted for behavioral analysis (if not to an internal VM tool like the Cuckoo sandbox, then by submitting the file to VirusTotal instead).
· Thoroughly investigate the communication between the friendly host and the external IP by gathering PCAP data, performing packet analysis, and generating statistics from session data.
· The analysis in the previous step is repeated for as many pairs of friendly and hostile hosts as are connected to the original friendly and hostile hosts. This will allow for the identification of any other systems that may be compromised but were not detected by the initial alert.
6. Review the log sample below. Utilizing Linux command line tool(s), build one search string to output all lines in this log file that contain both this source IP and destination IP.
10.10.10.1.log|local0|alert|alert|81|2017-09-03|18:41:11|id=firewall| sn=C1CED4CDCS65 time="2017-09-03 22:41:11 UTC" fw=40.111.145.23 pri=1 c=32 m=609 msg="ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt" sid=5605 ipscat=WEB-ATTACKS ipspri=1 dur=0 n=189 src=196.52.84.47:40954 dst=10.10.10.144:80 fw_action="allow"
# Piping the first match set into a second grep keeps only lines that contain both addresses
# (a single grep with two -e patterns would match lines containing either one); the dots are
# escaped so they match literally and \< \> keep e.g. 10.10.10.1 from matching 10.10.10.144.
grep '\<196\.52\.84\.47\>' 10.10.10.1.log | grep '\<10\.10\.10\.144\>'
7. The server that hosted your vulnerability scanner was replaced last week, and you imported all of your previous configurations to the new server. When you next run the vulnerability scan, there are only 20 results; much fewer than the usual thousands. What does this indicate to you? How would you proceed?
Based on the fact that the only system environment change relates to the server replacement (and that no changes were made to the configurations), this would indicate that the vulnerabilities are still present but something is now preventing the vulnerability scanner from picking up the previously identified vulnerabilities. I would consult the documentation for my vulnerability scanner and identify any straightforward resolution paths, such as verifying that the port list used by the vulnerability scanner is correct. If the issue persists, I would proceed by escalating my search for resolutions to the wider web, consulting my co-workers, and contacting the technical support staff of the scanner’s vendor (if this is not an open-source scanner).
8. You have a vulnerability scan of multiple subnets scheduled to run at 9pm each Thursday night. Each week, you also get emailed alerts noting that system 10.66.2.85 has crashed, starting at 10:47pm Thursday night and continuing for the next hour. What does this indicate to you? How would you proceed?
This indicates that the vulnerability scan is causing the system to crash. While there may be several explanations for this, scans are designed to be run in as safe a manner as possible, implying that there are severe vulnerabilities present that could be exploited by malicious attackers. My immediate actions would be to ensure the system 10.66.2.85 is fully current with all the latest software patches and to then review and remediate all identified vulnerabilities for that system, especially all vulnerabilities ranked as critical or as being of high importance.
I find answers for questions nobody else has time to answer and, to help me remember, I write them down here!