Thursday, August 18, 2022

Remotely managing Sysmon configuration through Graylog Sidecar

Introduction:

Sysmon is a tool from Microsoft that helps you collect better logs about a system than the default Windows logs. Those logs can be very helpful for detecting malicious behavior. Sysmon gets installed as a service and a driver, usually along with whatever configuration file you provide.

It can be kinda annoying to update sysmon configuration because sysmon doesn't come with a remote management system. If you have groups of PCs that each need a different configuration, pushing those out gets tedious.

There are some options for updating sysmon configs. 

  • You could set up a scheduled task that runs a script to look for a new config and performs the update.
  • You can also use EDR tools that you may already have in place to run scripts or commands to update sysmon.
  • You can utilize one of the Windows remote management features, such as PowerShell remoting.
  • Ansible would work too. It would let you update the sysmon config per group, since Ansible lets you put machines into groups.
Some of the issues you may have with the update methods above:
  • managing different groups of PCs
  • updates not being pushed out as soon as possible
  • having to open up ports/services on Windows that you'd rather not.

I decided to go with Graylog sidecar for managing configuration. Graylog sidecar is usually used to manage configuration for log shippers (Beats, for example), but it can be adapted to manage sysmon configuration as well. Sidecar runs as an agent that connects to the Graylog server to get sysmon config updates.

Tools:

Graylog & sysmon, obviously.

You need a Graylog server installed. You can technically use Graylog sidecar without using Graylog to store your Windows or sysmon logs.

I'm using an admin account for the POC but use whatever the appropriate account is for your requirements.

Setting up sidecar:

We'll set this up manually first, but you can deploy the sidecar agent and sysmon together by creating a package or an initial installation script.

First, we'll need to create a sidecar token.


Go to the Sidecars page and create a new token.



Next, on the Windows host, download and install the sidecar agent.


By default, Sidecar files are located at: C:\Program Files\Graylog\sidecar

After installation, run the following commands (as admin) to install graylog-sidecar as a service and start the service:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

(you can do all of this automatically if you build a package for your organization)

The host should show up on the Sidecar overview page.



Setting up sysmon support on Windows host:

Now that the sidecar connection works fine, we need to set up sysmon. I'm placing the sysmon executable at C:\Program Files\Graylog\sidecar\sysmon64.exe (make sure it's lower case, or at least that the case matches the sidecar.yml config file).

Next, we need to edit the sidecar.yml file to allow the use of sysmon64.exe (again, you can build a package and include a sidecar.yml file that already supports this).

Here's what I have in the config file:
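The important bits look roughly like this (a sketch rather than my exact file; the server URL and token are placeholders, and the allowlist key name can differ between sidecar versions, so check the sidecar.yml your installer dropped):

server_url: "http://graylog.example.local:9000/api/"
server_api_token: "<token created on the Sidecars page>"
# allow sidecar to execute sysmon64.exe -- path and case must match the log collector config
collector_binaries_whitelist:
  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
  - "C:\\Program Files\\Graylog\\sidecar\\sysmon64.exe"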


Restart the graylog sidecar service to ensure that it starts up again and that the sidecar.yml config file doesn't have any errors:


Next, we'll need to install sysmon with an initial configuration (in a real deployment, do this during the initial graylog sidecar agent installation).
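The install command is something like this (-accepteula and -i are standard sysmon flags; the config filename is just an example):

"C:\Program Files\Graylog\sidecar\sysmon64.exe" -accepteula -i initial-sysmon-config.xml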


Now we can set up the sysmon configuration in sidecar to do updates.

Setting up sysmon sidecar configuration in Graylog:

Go to the collector configuration page in Graylog and click the Create Log Collector button.



Create something that looks like this:


We're using foreground execution since we just need to execute the command to update the sysmon config and exit.

The update command is sysmon -c CONFIG_FILENAME, so we're using -c "%s"; %s is the path of our config file once it's written to disk.

The Default Template field can be used to provide a default config, but I'm leaving it empty here.
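In other words, the collector entry ends up looking roughly like this (field labels may differ a bit between Graylog versions, so treat this as a sketch):

  • Name: Sysmon
  • Operating System: Windows
  • Executable Path: C:\Program Files\Graylog\sidecar\sysmon64.exe
  • Execute Parameters: -c "%s"
  • Process management: foreground execution
  • Default Template: (empty)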

Next, on the collector configuration page, click Create Configuration.


Name your configuration and add the XML config content.

You can create and add more configurations for different systems you may have.

Pushing configuration to a host:

Go to the sidecar Administration page


Check Sysmon, select the right sysmon configuration, and apply it.


The Graylog webui may say the update failed, but you can click the host you updated and then click Show details to see more:


Above you can see that the configuration updated without an issue. 

You can also confirm the update by looking at event ID 16 (sysmon config state changed) from sysmon in your SIEM or Event Viewer, like below.



Building initial installation package recommendations:

Your initial sidecar agent package should do the following:

  • Drop the sysmon executable in the sidecar folder
  • Include a sidecar.yml file that lists the sysmon executable path in the allowed binaries
  • Install sysmon with whatever initial configuration you'd like to use
If you build an installation package yourself, you don't have to do all of the manual steps above.
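As a rough sketch, the script in that package could run something like this (paths match the manual steps above; the initial config filename is a placeholder):

copy sysmon64.exe "C:\Program Files\Graylog\sidecar\sysmon64.exe"
copy sidecar.yml "C:\Program Files\Graylog\sidecar\sidecar.yml"
"C:\Program Files\Graylog\sidecar\sysmon64.exe" -accepteula -i initial-sysmon-config.xml
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start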

Once you deploy sidecar agent + sysmon initially, you can remotely manage the sysmon configuration through Graylog sidecar UI.

Links/Resources:

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

https://www.graylog.org/

https://www.graylog.org/features/sidecar

https://github.com/Graylog2/collector-sidecar/releases

https://docs.graylog.org/docs/sidecar

https://github.com/olafhartong/sysmon-modular

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/LaresLLC/SysmonConfigPusher - I came across this after finishing this write up...

Wednesday, July 20, 2022

Screenshotting/scanning domains from certstream with littleshot to find interesting content

Introduction:

Certstream is a great service that streams updates from Certificate Transparency logs, which contain info about certs being issued by many providers.

Certstream data has been used in the past to detect malicious or phishing sites. There are several links in the resources section about certstream usage.

Littleshot is a tool similar to urlscan and urlquery (RIP) that I wrote a while ago because I wanted to be able to screenshot a ton of sites and collect metadata about them. (It's here: https://github.com/BoredHackerBlog/littleshot) I later realized having yara scan the HTML body would be cool, so I added that feature as well. There is also a branch that uses tor for connections. It's not the most optimized project and the error handling isn't the best, but it's good enough for my purposes.

You can also put newly registered domains through littleshot, but I've decided not to do that for now.

Goals:

- Take certstream domains and scan them with littleshot

- Utilize yara rules to look for interesting pages

- Send some metadata to Humio (littleshot by default doesn't do this) for either alerting, dashboarding, or just searching.

- Cache domains from certstream to avoid rescanning them

Tech stack:

I'm hosting everything on vultr. (Here's a ref link if you'd like to try vultr for your projects: https://www.vultr.com/?ref=8969054-8H)

- Littleshot

-- caddy - reverse proxy

-- flask - webapp

-- redis - job queue

-- python-rq - job distribution/workers

-- mongodb - store json documents/metadata

-- minio - store screenshots

- Certstream + python - I'm getting certstream domains and doing filtering and cache lookups with python

- Memcached - Caching. I want to avoid scanning the same domain twice for a while, so I'm using memcached

Setup:

The diagram below shows the setup I have going.


I get data from certstream and I'm using some filtering to ensure that I don't scan certain domains.

Once the keyword-based filtering is done, I check the domain against memcached to ensure that it hasn't been scanned in the past 48 hours.

If the domain wasn't scanned in the past 48 hours, I queue it to be scanned with littleshot.

When the littleshot worker does the scan, it sends the task ID, domain, title, and yara matches to Humio (in addition to the normal littleshot things).

Certstream_to_littleshot script - https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/certstream_to_littleshot.py

Yara rules (these aren't the best. you should probably write your own based on your needs) - https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/rules.yar

Worker code to support sending data to Humio - https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/worker.py
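The linked certstream_to_littleshot script is the real implementation; as a simplified sketch, the loop looks roughly like this (the submit endpoint and the keyword filter list are made-up placeholders):

import certstream
import requests
from pymemcache.client.base import Client

memcache = Client(("127.0.0.1", 11211))
SKIP_KEYWORDS = ["cloudflaressl", "azurewebsites"]  # placeholder keyword filter
LITTLESHOT_SUBMIT_URL = "http://littleshot.example.local/submit"  # hypothetical endpoint

def callback(message, context):
    if message["message_type"] != "certificate_update":
        return
    for domain in message["data"]["leaf_cert"]["all_domains"]:
        domain = domain.lstrip("*.")  # drop wildcard prefixes
        if any(keyword in domain for keyword in SKIP_KEYWORDS):
            continue
        if memcache.get(domain):  # already scanned in the last 48 hours
            continue
        memcache.set(domain, "1", expire=48 * 3600)
        requests.post(LITTLESHOT_SUBMIT_URL, data={"url": "http://" + domain})

certstream.listen_for_events(callback, url="wss://certstream.calidog.io/")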


Interesting stuff I came across:

- Lots of wordpress and nextcloud/owncloud sites and general stuff people self-host
- Carding forum?
- Argo CI/CD without auth?
- Piracy site


No phishing sites or C2, at least with my yara rules.

Here are the yara hits in Humio (ignore abc,xyz, that was me testing Humio API):



What I would do differently with more time and resources (with this project and with littleshot):

- Better error handling - Current error handling is meh
- Get rid of mongodb and replace it with opensearch or graylog maybe? - Opensearch and graylog are great when it comes to searching.
- Potentially having an indicator list built into littleshot?
-- Currently tagging is based on yara rules, but there are many ways to detect maliciousness, such as hashes or URLs.
- Enrichment of data like urlscan does
- Better webui - the webui is pretty shit. idk enough html/css/javascript
- Better logging. There is logging of results but no logging of anything else (queries, crashes, etc...)
- Redirect detection & tagging. Some domains do redirect to legitimate login pages.


Resources & similar projects:

https://github.com/ninoseki/uzen - ninoseki github has really cool projects. This one is very similar to littleshot actually.
https://github.com/InfosecExtra/StreamshotY - littleshot fork that someone hooked up with certstream. It has a refreshing page of screenshots too like urlscan.


(if the blog post formatting looks odd, it's because Blogger editor interface hates me)

Wednesday, July 13, 2022

Building a honeypot network with inetsim, suricata, vector.dev, and appsmith

I wanted to learn a bit more about data engineering, databases, app building, managing systems, and so on, so I decided to work on a small honeypot network as a project. I was partially inspired by Greynoise and AbuseIPDB; I use both of those a lot. I wanted to get this project done in about a week, so it's a small project that isn't too scalable. I ended up learning things, so it's fine.

My goals:

- Use Suricata to see what type of signatures are triggered based on the incoming traffic from the internet
- Save all the Suricata logs to disk in a central place so I can go back and search all the data or reingest the data.
- Send logs to Humio for searching, dashboarding, and potentially alerting purposes
- Have a webapp for searching for an IP
-- Webapp should show the signatures the IP has triggered, first time the IP was seen, last time the IP was seen, and number of times it was seen triggering signatures.

My tech stack:

- Sensors & databases are hosted on Vultr w/ Ubuntu
- Obviously Suricata for detecting attack attempt type
- Inetsim - this is not the best choice (I'm letting attackers who manually look at their scan results know that I'm not running any real services, it's just inetsim) but it'll do for this project
- Zerotier - all sensors are connected to a zerotier network, it just makes networking, moving data around, and management easier
- Vector.dev - I'm using vector.dev to move data around
- Humio - it's for log storage and search, just like ELK or Splunk
- rinetd - I'm actually not running inetsim on all the sensors, I'm just forwarding all the traffic from sensors to one host running inetsim (it's good enough for this project)
- Redis - pubsub. I'm putting alerts into redis and letting python grab them and put the data in postgresql
- Postgresql - to store malicious IP, signature, and timestamp
- Appsmith - to make webui app (usually i'd use flask...)

Networking:

Network kinda looks like this w/ Zerotier:

Sensors are exposed to the internet, servers aren't. rinetd takes in sensor traffic from the internet and forwards it to inetsim. inetsim is bound to the zerotier IP address.
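The rinetd side is just a list of forwarding rules; roughly something like this in /etc/rinetd.conf on each sensor (the zerotier IP of the inetsim host and the port list are examples):

# bindaddress  bindport  connectaddress  connectport
0.0.0.0        21        10.147.17.10    21
0.0.0.0        25        10.147.17.10    25
0.0.0.0        80        10.147.17.10    80
0.0.0.0        443       10.147.17.10    443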


Logging:

The flow for logs kinda looks like this:

Vector on each sensor reads eve.json and sends the data to vector on the ingest server.
Vector on the ingest server does multiple things: it saves the data to disk and sends it to Humio; alerts also get geoip info added and then go to redis, where a python script picks them up and puts them into postgres.

postgres stores malicious IP, suricata signature, and timestamp.



Python script being used to process redis data and add data to postgres: https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/process_redis.py
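That script basically subscribes to redis and writes rows into postgres; here's a simplified sketch of the idea (the channel, table, and column names are made up, the linked script has the real ones):

import json
import psycopg2
import redis

r = redis.Redis(host="127.0.0.1")
pg = psycopg2.connect("dbname=honeypot user=honeypot password=changeme")  # placeholder creds

sub = r.pubsub()
sub.subscribe("suricata_alerts")  # hypothetical channel name

for message in sub.listen():
    if message["type"] != "message":
        continue
    alert = json.loads(message["data"])
    with pg.cursor() as cur:
        # suricata eve.json alert events carry src_ip, alert.signature, and timestamp
        cur.execute(
            "INSERT INTO alerts (src_ip, signature, seen_at) VALUES (%s, %s, %s)",
            (alert["src_ip"], alert["alert"]["signature"], alert["timestamp"]),
        )
    pg.commit()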


Webapp

I used AppSmith for the webapp. AppSmith lets you build a webapp and connect it to the integrations it supports with little to no coding.

For webapp, I just have an input field and some queries running based on the input. It looks like this:




What would I do different if I had more time and resources:
- I'd probably set up more realistic honeypots or have honeypot profiles
- Put honeypot software on the sensor itself instead of doing rinetd
- Ship logs through the internet (not zerotier)
- Do geoip enrichment on the sensor itself
- Store alert data in opensearch or some cloud hosted database that I don't have to maintain?
- Add health monitoring for sensor, pipeline, etc..
- Better deployment and update (of software and suricata signatures) potentially through ansible?

There are probably many other things that can be done differently or more efficiently.


Resources/links:

Saturday, March 5, 2022

Quick analysis of stealer malware sent via discord

Introduction:

Just a quick analysis of malware sent via discord...

I got the malicious file from someone who received the file via Discord from a trusted account (which was compromised...)


Analysis:

Hash: 4f709e1c6951bbd65d03a9f44961e0ae

Original filename: Fruit_of_the_ace_v3.11.99.exe

The file looked like a nodejs binary.

pdb string: C:\Users\runneradmin\AppData\Local\Temp\pkg.3d5278e5642d39a96bc8ed09\node\out\Release\node.pdb


I started by analyzing the file locally but didn't get anywhere quickly so I moved to hatching triage for analysis.

Results: https://tria.ge/220220-wnqp3sbeh6


Here's the process list:


The executable drops and starts temp.ps1, which contains code to hide the window.


Once the window is hidden, it seems to download and execute MachineMania.exe, which is a python executable made with pyinstaller. The argument provided to machinemania.exe during execution is a discord webhook.

Looking through Triage and file access I see the following:


It appears to be looking for the applications listed above, but I'm not sure if it actually does anything when the apps are installed.


Network traffic kinda looks like this:

It looks like there is a connection to OneDrive. I was pretty sure that's where the MachineMania.exe was being downloaded from but I didn't see much in the pcap or Triage output.

I went back to the debugger and found, in memory, the exact OneDrive link hosting MachineMania.exe.



Looking at MachineMania.exe:

Hash: 725918a6ae94e864908946ebb5e98dee

This is a pyinstaller file.

I analyzed that file in Triage, but I replaced the discord webhook with a webhook.site webhook.

https://tria.ge/220220-ycs26scgdr/behavioral1

File interaction looks a bit different in the analysis of this file. Unlike the original file, this file only looks at the Chrome folder.



The webhook requests look kinda like this:



It appears to be only looking at Chrome. 


To further analyze the file, I started to decompile the pyinstaller file to see what it has inside of it.

I used this to extract the files: https://github.com/extremecoders-re/pyinstxtractor
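Extraction is roughly a one-liner (the decompiler choice afterwards is up to you):

python3 pyinstxtractor.py MachineMania.exe
# the extracted .pyc files end up in MachineMania.exe_extracted and can then be
# fed to a decompiler such as uncompyle6 or decompyle3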

I found the following files to be interesting


The discordwebhook content looks like it's just doing a POST request.

I wasn't able to get anything out of the chrome.pyc file, but it appears to be packed with pyarmor.


Additionally, while doing some analysis of the original file in the debugger, I also saw this:



I'm not really sure what other capabilities the original file has. There is probably more, but I mostly looked at the dropped pyinstaller/machinemania.exe file. I'm also not sure how nodejs code gets packed into an executable.


Conclusion

Based on limited and quick analysis, it looks like a compromised account shares the exe file.

The original exe file downloads and executes a file from OneDrive.

The OneDrive-hosted file steals data and sends it to discord via a webhook.

To me, the OneDrive file only seems to be stealing Chrome saved passwords and nothing else.


Similar sample: https://twitter.com/GlitchyPSI/status/1439674473515569154

https://www.virustotal.com/gui/file/60e75541c4b4130151fb2b80f04cd699ba0e66bf6c4ec364127e93a38dccefa9/relations

Check the Execution Parents. There are a lot of node binaries, and the filenames usually look like names of games.

Sunday, December 12, 2021

notes/links about log collection, storage, and searching

Introduction

Just some notes about log collection, storage, and searching.

I just want to be able to store some log data for a long time and do searches on it later, once in a while. I'm not trying to produce a report with the data, do alerting, or transport the logs securely.

One of my use cases is collecting network data and storing that for a long time and maybe searching for a specific domain or IP in the future that could've been related to a security incident. 

Similarly for incoming http traffic: I'd like to see if someone tried to access a specific URI a really long time ago (maybe when a vuln related to that URI wasn't public yet).

(leaving out elasticsearch-based things, splunk, and cloud-based services)

These notes/links should help with research if anyone else is trying to do the same thing as me.


Gathering & shipping logs:

For Windows Event Logs:

- fluentbit - https://docs.fluentbit.io/manual/pipeline/inputs/windows-event-log

- fluentd - https://docs.fluentd.org/input/windows_eventlog

- nxlog - https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog

- winlogbeat - https://www.elastic.co/downloads/beats/winlogbeat-oss

- promtail - https://grafana.com/docs/loki/latest/clients/promtail/scraping/#windows-event-log


- Windows event forwarding - https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection WEF sends logs from all the hosts to one collector host

For other text-file-based logs (linux, webapp, etc.):

- all the tools above

- vector - https://vector.dev/components/

- filebeat - https://www.elastic.co/downloads/beats/filebeat-oss

- rsyslog - https://www.rsyslog.com/

- syslog-ng - https://www.syslog-ng.com/products/open-source-log-management/

- logstash - https://www.elastic.co/downloads/logstash-oss


Some of the tools listed above can take in forwarded events (syslog, logstash/beats, etc.) from other products and tools as well.


- kafka - https://kafka.apache.org/ another option for just getting logs from various sources and forwarding them to some other place


input/output, sources/sinks:

- kafka - https://cwiki.apache.org/confluence/display/KAFKA/Ecosystem

- vector - https://vector.dev/components/

- fluentbit - https://docs.fluentbit.io/manual/pipeline/inputs 

https://docs.fluentbit.io/manual/pipeline/outputs

- fluentd - https://docs.fluentd.org/input

https://docs.fluentd.org/output

- logstash - https://www.elastic.co/guide/en/logstash/current/input-plugins.html

https://www.elastic.co/guide/en/logstash/current/output-plugins.html

- rsyslog - https://www.rsyslog.com/plugins/


Log processing:

You may want to process the data to drop certain events or append data to some events. For example, for network data, you may want to use a filter that adds geoip info. You may also want to rename fields.

Many of the collectors and shippers listed above already have some ability to modify or parse the log data. 

Some of the tools call these plugins/modules filters, processors, or transforms. You may also be able to write your own plugins or some code (some tools above support Lua) to change the logs before the output step happens.

Depending on the type of processing you may want to do, you may need to output the logs into a different format that your application understands then process it and put it back into the pipeline for the next step or storage.

For kafka, I found faust (https://faust.readthedocs.io/en/latest/) but there are other libraries too for python and other langs.
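As a small example of what that kind of processing step could look like with faust (the topic names and filtering condition are made up):

import faust

app = faust.App("log-processor", broker="kafka://localhost:9092")
raw_logs = app.topic("raw-logs")      # hypothetical input topic
clean_logs = app.topic("clean-logs")  # hypothetical output topic

@app.agent(raw_logs)
async def process(stream):
    async for event in stream:
        # drop noisy events, enrich/rename fields, etc., then forward the rest
        if isinstance(event, dict) and event.get("event_type") == "heartbeat":
            continue
        await clean_logs.send(value=event)

if __name__ == "__main__":
    app.main()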


Log storage:

The output part of almost all the tools listed above can send data to various places where logs can be indexed and/or stored.

You can always store logs to disk on one host with compression (obviously searching this is not very fun). Files can also be stored in the cloud. Pretty much everything has s3 output support.

For files stored on disk, many of the tools will allow you to select format such as text, json, etc..

Tools such as logrotate can be used to move, compress, or delete the logs (https://linux.die.net/man/8/logrotate)

Cron jobs/scheduled tasks and some scripts can always be used to move, compress, or delete files as well.
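For example, a couple of cron entries along these lines handle compression and retention (the paths and retention periods are just examples):

# compress day-old json logs, delete anything older than a year
0 2 * * * find /data/logs -name "*.json" -mtime +1 -exec gzip {} \;
0 3 * * * find /data/logs -name "*.json.gz" -mtime +365 -delete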

For being able to easily store and search logs, there is Grafana Loki - https://www.boredhackerblog.info/2021/11/collecting-unifi-logs-with-vector-and.html

Grafana Loki is somewhat similar to elasticsearch or splunk and you can use Grafana webui to query the data.

While doing more research, I came across clickhouse, which is also supported by some of the tools above (https://clickhouse.com/). Clickhouse can store json data and you can do sql queries on that data.

I also came across cloki, which uses clickhouse but emulates loki (https://github.com/lmangani/cloki).

The backend is a clickhouse database and you push logs into the loki emulator, just like you'd push logs into loki. cloki also supports the same query language as loki and works with the grafana loki connector.


Log search:

Searching the logs obviously depends on how they're stored. For uncompressed or compressed logs, tools such as grep, zgrep, or ripgrep (https://github.com/BurntSushi/ripgrep) can be used for searching.
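For example (the paths are placeholders; ripgrep's -z flag searches compressed files):

# look for a domain across compressed and uncompressed logs
zgrep -i "example.com" /data/logs/archive/*.json.gz
rg -z -i "example\.com" /data/logs/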

On Windows, there are a few tools that can be used to search and/or query logs. FileSeek (https://www.fileseek.ca/) can be used to search a bunch of files. There is LogFusion (https://www.logfusion.ca/) as well, which can be used to read log files.

There is also Log Parser Lizard (https://lizard-labs.com/log_parser_lizard.aspx) which can be used to query log files and even save queries and produce charts or reports.

Files can also be loaded into python with pandas for simple searches, complex searches, or statistical analysis. Pandas supports loading various file types. (https://pandas.pydata.org/docs/reference/io.html)
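For example, a quick search over newline-delimited JSON logs (the file name and field names are made up):

import pandas as pd

# load newline-delimited JSON, one event per line
df = pd.read_json("dns_logs.json", lines=True)
# find every event mentioning a specific domain
hits = df[df["query"].str.contains("example.com", case=False, na=False)]
print(hits[["timestamp", "src_ip", "query"]])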

Finally, if you end up using loki or cloki, grafana can be used to do queries. Grafana also has connectors/plugins for other database/log storage systems. 


Sample logs:

To play with any of the tools above without making changes in production env, you can use sample logs or data sources.

https://github.com/logpai/loghub - github repo that links to several sample logs

https://www.secrepo.com/ - logs related to security. there are some network traffic logs in there

https://www.sec.gov/dera/data/edgar-log-file-data-set.html - EDGAR log files

https://log-sharing.dreamhosters.com/ - various log files

https://www.logs.to/ - log generator (various types)

https://github.com/mingrammer/flog - log generator

https://certstream.calidog.io/ - certificate transparency logs

http://www.hivemq.com/demos/websocket-client/ / broker.mqttdashboard.com - If you want to grab MQTT demo data. I'm pretty sure people are using this for free for their projects too...



ps: I'm not an engineer or an observability expert. Implementation of the various tools above varies and may have an impact on resource usage.

Friday, November 26, 2021

Collecting Unifi logs with Vector and Grafana Loki

Introduction

This post just discusses sending unifi logs to grafana loki using the vector.dev/vector agent.

Typically for log collection I would utilize something like Beats (filebeat, winlogbeat) and Logstash. Unfortunately, in my experience, Logstash uses too much memory and CPU, so I decided to search for an alternative. I came across vector.dev, fluentd, and fluentbit. Vector.dev seemed easy to install, configure, and use, so I decided to give it a try.

For log storage and search, I would normally use Elasticsearch & Kibana, Opensearch, Graylog, or Humio. Humio would be hosted in the cloud, and anything that's Elasticsearch or Elasticsearch-based would also require too much memory and CPU. I found Grafana Loki and decided to try that. It seems relatively lightweight for my needs and runs locally. Also, I saw a Techno Tim video on Loki recently.

Logs will be stored with Loki and I'll use Grafana to connect to Loki and use it to query and display the data.

Vector and Grafana Loki will be running on a NUC with a Celeron CPU and 4GB RAM, so having something that runs on a Pi (grafana has an article where they run grafana loki on a pi) is nice.

Design

The Unifi controller has an option to send logs to a remote system, so that's what I'll be using. It sends syslog (udp) to an IP address.

Vector has sources, transforms, and sinks. A source is an input/data source, transforms apply various operations to the data (such as filtering or renaming fields), and a sink is basically the output. I will just be using a source and a sink. The source in this case will be syslog; vector will listen on a port for syslog messages. The sink will be Loki, since that's where the logs will be stored.

I'll have one VM running vector and the same VM will be running Grafana UI and Loki using docker-compose.

Unifi Controller Syslog -> (syslog source) Vector (Loki sink) -> Loki <- Grafana WebUI

I am not doing any encryption in transit or using authentication for loki, but both are an option.

Setup

I have an Ubuntu 20.04 server w/ docker and docker-compose installed.

Grafana Loki

Grafana docker tutorial shows how to set up grafana loki with docker-compose: https://grafana.com/docs/loki/latest/installation/docker/ 

I removed promtail container from my configuration.

Here's the configuration I'm using:

https://gist.github.com/BoredHackerBlog/de8294818027d450ecc2aed9c94c5260

Create a new loki folder and a grafana folder, which docker will mount.

Download https://raw.githubusercontent.com/grafana/loki/v2.4.1/cmd/loki/loki-local-config.yaml, place it in the loki folder, and rename the file to local-config.yaml. Change the configuration if needed.

No need to download and place anything in the grafana folder.

Run docker-compose up -d to start grafana and loki.

Grafana webui is running on port 3000 and default creds are admin/admin.

Go to configuration and add loki as the data source. The docker-compose file refers to that container as loki, so it'll be at http://loki:3100.




Vector

Now Vector needs to be set up.

I'm setting it up by just following their quickstart guide.

I ran: curl --proto '=https' --tlsv1.2 -sSf https://sh.vector.dev | bash

Default config file is located at ~/.vector/config/vector.toml

Here's my config for syslog source and loki sink:

https://gist.github.com/BoredHackerBlog/de8294818027d450ecc2aed9c94c5260

I modified the syslog port to be 1514 so I can run vector as a non-privileged user, and I also changed the mode to udp.

For the loki sink, a label is required, but your label key/value can be anything you prefer. I could have done labels.system = "unifi" and it would have worked just fine.
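Roughly, the source/sink part of that config looks like this (a sketch based on the description above rather than a copy of the gist):

[sources.unifi_syslog]
type = "syslog"
address = "0.0.0.0:1514"
mode = "udp"

[sinks.loki]
type = "loki"
inputs = ["unifi_syslog"]
endpoint = "http://localhost:3100"
encoding.codec = "json"
labels.job = "unifi"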

Once configuration is done, the following command can be run to start vector: vector --config ~/.vector/config/vector.toml

Unifi controller

In unifi controller settings, remote logging option is under Settings -> System -> Application Configuration -> Remote Logging

Here's what my configuration looks like:

Click Apply to apply changes and the logs should flow to vector and into loki.




!!!

no logs in grafana query

I did have a weird issue where logs didn't show up in a grafana query but would show up when I did a live query.

I ran "sudo timedatectl set-timezone America/New_York" to update my timezone and that fixed the issue. (or it didn't but i think it did because queries did show results after i ran this)

!!!

Saturday, April 10, 2021

Creating a malware sandbox for sysmon and windows event logs with virtualbox and vmexec

Introduction

I was doing some research around detection related to maldocs/initial access. Usually I've seen malicious Word or Excel documents, and in some cases compressed files containing a Word document, Excel document, script, or an executable. In a lot of cases LOLBIN/LOLBAS are abused. You can see this happening in a lot of sandbox outputs (anyrun, VT dynamic, hatching triage, etc.) as well.

I came across some guidance around blocking some LOLBIN/LOLBAS executables with Windows Firewall to prevent some of the initial compromise activity. There are multiple scripts and blog posts related to this. Essentially, Windows Firewall rules are added to prevent some of the executables from connecting to the internet.

Scripts/Blogs:

https://daniel.streefkerkonline.com/2017/10/24/mitigate-commodity-malware-attacks-with-windows-firewall-rules/

https://call4cloud.nl/2020/07/the-windows-firewall-rises/

https://gist.github.com/ricardojba/ecdfe30dadbdab6c514a530bc5d51ef6#file-windows_hardening-cmd-L497

https://gist.github.com/jaredhaight/e88b4323adce06395dace501841d3075#file-windows_hardening-cmd-L108


I also saw posts where Olaf Hartong was discussing sandbox data related to malware and LOLBIN/LOLBAS usage, as well as rundll32.

https://twitter.com/olafhartong/status/1359235339332780034

https://twitter.com/olafhartong/status/1361415502447267842


I thought it would be interesting to collect data on my own and have my own dataset to play with. I also wanted the ability to test malware in an environment where some hardening was applied, such as the hardening mentioned in the blog posts and scripts above. In addition to that, I wanted the ability to have an EDR or AV agent in the same sandbox to see what it collects or alerts on in its management console. I ended up writing vmexec to help me with this.

vmexec is similar to cuckoo sandbox and cape sandbox, but it doesn't get any information back from the VMs. It just puts the executable in the VM and executes it. When you upload a sample, you can pick a specific VM or use any available VM, and set how long the VM will run for after the sample is uploaded. It uses virtualbox for the VMs, and just like cuckoo or cape, you need to have an agent inside the VM.

https://github.com/BoredHackerBlog/vmexec


Design

I'll be using a Windows 10 VM with various logging enabled and sysmon installed. I'm using sysmon-modular rules (https://github.com/olafhartong/sysmon-modular).

For forwarding logs, I'll be using winlogbeat OSS (https://www.elastic.co/downloads/beats/winlogbeat-oss). I'm using the OSS version because I'll be using Open Distro for Elasticsearch for the elastic and kibana containers. (https://opendistro.github.io/for-elasticsearch/)

Since I'll be running malware, I'll have a second VM for routing the malicious traffic, but it's not required if you're okay with threat actors potentially seeing your connections. You can also set up the sandbox VM so that it doesn't route any traffic at all.

The network and VM design kinda looks like this:



Setup

Getting all the packages and dependencies:

  1. Install Ubuntu 20.04 (although pretty much any Linux OS should work)
  2. Install Docker (https://get.docker.com/)
  3. Install docker-compose (https://docs.docker.com/compose/install/)
  4. Install Virtualbox (https://linuxize.com/post/how-to-install-virtualbox-on-ubuntu-20-04/)
  5. Make sure python3 and python3-pip are installed
    1. Might have to run apt install python3 python3-pip
  6. Install python packages
    1. Run the commands below:
      1. pip3 install flask
      2. pip3 install flask-sqlalchemy
      3. pip3 install flask-admin
  7. Download vmexec https://github.com/BoredHackerBlog/vmexec
    1. if you have git installed you can run:
      1. git clone https://github.com/BoredHackerBlog/vmexec

Getting Elastic and Kibana up and running:

I'm using a docker-compose file for elastic and kibana. 

research@workstation13:~/elk$ cat docker-compose.yml

version: '3'
services:
  odfe-node1:
    image: amazon/opendistro-for-elasticsearch:1.13.1
    container_name: odfe-node1
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - odfe-data1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
    networks:
      - odfe-net
  kibana:
    image: amazon/opendistro-for-elasticsearch-kibana:1.13.1
    container_name: odfe-kibana
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      ELASTICSEARCH_URL: https://odfe-node1:9200
      ELASTICSEARCH_HOSTS: https://odfe-node1:9200
    networks:
      - odfe-net

volumes:
  odfe-data1:

networks:
  odfe-net:


In the docker-compose.yml file shown above, the data is stored in the odfe-data1 volume. When you take down the containers and bring them up again, the data will not go away.

Additional information about opendistro for elastic docker container and settings can be found here: https://opendistro.github.io/for-elasticsearch-docs/docs/install/docker/

Cd into the directory that contains the docker-compose.yml file and run docker-compose up -d to start containers in the background. To take down the containers, you can run docker-compose down from the same directory.

Once you bring up the containers, elastic will be running on port 9200 and kibana will be on 5601.


Setting up Windows 10 Sandbox

  1. Create a Windows 10 VM in virtualbox
  2. Disable updates
  3. Disable antivirus
  4. Disable UAC
  5. Disable anything else that's not needed
  6. Install whatever applications you need, such as a pdf reader or Office
    1. If you're using Office (Word or Excel), ensure to allow macros to run automatically (https://support.microsoft.com/en-us/topic/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6)
  7. Install Python 3+
  8. Copy agent.py from vmexec project into the VM (do not run it yet)
These should help with disabling some things: https://github.com/BoredHackerBlog/LogDetectionLab/blob/main/change_sec_config.bat

https://github.com/BoredHackerBlog/loggingstuff/blob/main/loggingstuff.bat

Setting up logging and log forwarding:
  1. Download sysmon and install it with sysmon-modular rules (see the loggingstuff.bat link above)
  2. Enable process auditing and powershell logging (https://redblueteam.wordpress.com/2020/02/08/enable-command-line-and-powershell-audit-for-better-threat-hunting/)
  3. Download and install winlogbeat oss
    1. configure winlogbeat oss to forward logs to 192.168.56.1, which is where elastic will be running once we create the host-only adapter (a config sketch follows this list)
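A winlogbeat.yml along these lines should work (the event log names and the Open Distro defaults below are what I'd expect; adjust for your setup):

winlogbeat.event_logs:
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Microsoft-Windows-PowerShell/Operational

output.elasticsearch:
  hosts: ["https://192.168.56.1:9200"]
  username: "admin"                # Open Distro ships with admin/admin, change it
  password: "admin"
  ssl.verification_mode: none      # Open Distro uses self-signed certs by default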


After the base VM is set up, there are some network modifications that are needed.

You will need to create a host-only adapter without dhcp server enabled.

Enable the second NIC on the VM and attach it to host-only adapter.

Set the first NIC/adapter to NAT or an internal network or whatever else. I have mine set up as an internal network going to my router.

Finally, turn on the VM and set a static IP for the adapter in Windows. Since my vboxnet0 host-only adapter is using 192.168.56.1/24, I set my IP to 192.168.56.2.

Reboot the VM, log in, run agent.py, and take a snapshot while the VM is running. Note the IP address, snapshot name, and VM name.

Setting up vmexec
In app.py, just search for #CHANGEME and modify the settings there.

You'll want to add your VM like this:

db.session.add(VMStatus(name="winVM",ip="10.0.0.178",snapshot="Snapshot2", available=True))

name is the name you gave your VM in virtualbox, IP is the static IP that was assigned, and snapshot is the snapshot you're utilizing.


Usage

To start using vmexec, you need the docker containers for elastic and kibana running (cd into the directory with your docker-compose.yml file and type docker-compose up -d), and you need your router VM up and running (you can just start the VM). Finally, you need to start vmexec: cd into the vmexec directory and type flask run -h 0.0.0.0 (the host flag is only needed if you want to access the web server remotely). The web server will be running on port 5000.

the webui looks like this:


You can select and upload a file, select a specific VM from the dropdown menu (optional), change the VM run time, and click the submit button.


You can access kibana on port 5601 via a web browser. Make sure to set up your index pattern; it should be winlogbeat-*.


In kibana you can search for the executable file that was run and look at the surrounding events. With sysmon-modular rules, you can also map events to the MITRE ATT&CK framework.




Modifying the project

Modifying the project is easy depending on your needs. agent.py can be modified easily if you would like to upload files to a specific location or execute/open them in a certain way. Code can also be added to the vm_process function if additional steps need to be taken before or after running the VM or the file.


Resources

https://cuckoosandbox.org/

https://github.com/kevoreilly/CAPEv2

https://github.com/BoredHackerBlog/capev2-virtualbox-install

https://github.com/BoredHackerBlog/vmexec

https://www.docker.com/

https://opendistro.github.io/for-elasticsearch/

https://www.elastic.co/downloads/beats/winlogbeat-oss

https://github.com/olafhartong/sysmon-modular

https://www.virtualbox.org/