segunda-feira, 14 de maio de 2018

Analyzing apps table with osquery - Something weird with GotoMeeting


We were doing some test and queries using Facebook osquery to create some packs and noticed something not common when analyzing apps table.

osquery> SELECT name, bundle_short_version, bundle_version, bundle_identifier FROM apps WHERE name LIKE '%gotomeeting%';

+------------------------+----------------------+----------------+-------------------------+
| name                   | bundle_short_version | bundle_version | bundle_identifier       |
+------------------------+----------------------+----------------+-------------------------+
| GoToMeeting.app        | 8.24.0.8569          | 8569           | com.logmein.GoToMeeting |
| GoToMeeting (8404).app | 8.21.0.8404          | 8404           | com.logmein.GoToMeeting |
| GoToMeeting (8473).app | 8.22.0.8473          | 8473           | com.logmein.GoToMeeting |
| GoToMeeting (8557).app | 8.23.0.8557          | 8557           | com.logmein.GoToMeeting |
| GoToMeeting (8569).app | 8.24.0.8569          | 8569           | com.logmein.GoToMeeting |
| GoToMeeting (8625).app | 8.25.0.8625          | 8625           | com.logmein.GoToMeeting |
| GoToMeeting (8679).app | 8.26.0.8679          | 8679           | com.logmein.GoToMeeting |
| GoToMeeting (8789).app | 8.27.0.8789          | 8789           | com.logmein.GoToMeeting |
+------------------------+----------------------+----------------+-------------------------+

osquery> 

As you can see, multiples version of GotoMeeting were found. Analyzing a bit we noticed that main GotoMeeting application was pointing to an old version (in red) and not current one (in green).

osquery> SELECT name, bundle_short_version, bundle_version, bundle_identifier FROM apps WHERE name LIKE '%gotomeeting%';

+------------------------+----------------------+----------------+-------------------------+
| name                   | bundle_short_version | bundle_version | bundle_identifier       |
+------------------------+----------------------+----------------+-------------------------+
| GoToMeeting.app        | 8.24.0.8569          | 8569           | com.logmein.GoToMeeting |
| GoToMeeting (8404).app | 8.21.0.8404          | 8404           | com.logmein.GoToMeeting |
| GoToMeeting (8473).app | 8.22.0.8473          | 8473           | com.logmein.GoToMeeting |
| GoToMeeting (8557).app | 8.23.0.8557          | 8557           | com.logmein.GoToMeeting |
| GoToMeeting (8569).app | 8.24.0.8569          | 8569           | com.logmein.GoToMeeting |
| GoToMeeting (8625).app | 8.25.0.8625          | 8625           | com.logmein.GoToMeeting |
| GoToMeeting (8679).app | 8.26.0.8679          | 8679           | com.logmein.GoToMeeting |
| GoToMeeting (8789).app | 8.27.0.8789          | 8789           | com.logmein.GoToMeeting |
+------------------------+----------------------+----------------+-------------------------+

osquery> 

If you look into Mac Applications we have:



Clicking to open GotoMeeting it'll open version 8.24.



Some questions:

- Is something wrong in my Mac or it's a real problem ? (hope so , because if it isn't, this is a huge attack surface)
- Why main Application is not pointing to correct version ?
- Why they keep all old binaries version ?

Could someone test and validate more ?  I didn't have another Mac to validate this or with GotoMeeting installed since very long time ago.

Happy Hunting.

BlueOps Team


segunda-feira, 20 de novembro de 2017

Aumentando visibilidade nos endpoints com Facebook OSQUERY


Nas últimas semanas fizemos 3 apresentações introdutórias sobre OSQueryKolide Fleet e Elastic Stack, sendo Roadsec PRO SP, Roadsec Encerramento SP e na BHack em Belo Horizonte com o título "Threat Hunting e Visibilidade em endpoint com o Facebook OSQUERY".

A ideia dessa palestra foi mostrar o poder e a visibilidade de endpoint que a ferramenta OSQuery proporciona,  aproveitando também para dar uma rápida introdução a ferramentas auxiliares que ajudam no gerenciamento e alertas para melhor automação.

"Você responderia rapidamente quais versões de software suas estações / servidores estão utilizando? E quais portas estão em escuta? Ou Últimos usuários ou softwares recentemente adicionados a máquina? Pensando neste ponto cego existente na grande maioria das organizações, vamos apresentar o projeto OSQuery criado pelo facebook, e sua integração com a Elastic Stack, aumentando assim a visibilidade dos seus dispositivos, ajudando assim seus analistas terem respostas quase imediatas sobre qualquer pergunta relacionada aos dispositivos bem como dashboards e alertas para um monitoramento proativo."

Para resumir, o OSQuery permite realizar consultas(queries) no seu sistema operacional e de tudo que tem nele (softwares, registros, configurações, patches, portas em escuta, processos rodando entre diversas outras coisas). Os resultados aparecem divididos em tabelas tal qual ocorre nos bancos de dados SQL. A enorme gama de consultas e as combinações de queries com join, sort, etc... permitem obter informações detalhadas de cada endpoint, quase que instantaneamente. O que é perfeito para threat hunting em endpoints.

OSQuery é, como quase tudo que utilizamos, um software opensource, criado e mantido por engenheiros do Facebook. Um dos pontos interessantes é que ele é multiplataforma com suporte para Windows, Mac, Linux e FreeBSD.

Com intuito de um compartilhamento inicial sobre o assunto, abaixo estão os slides e demos que utilizamos, onde cobrimos tópicos como:

- osqueryi
- queries
- distributed queries
- discovery queries
- schedule / packs
- FIM (file integrity monitoring)
- Process Events
- kolide fleet
- elastic stack



Segue as duas demos com na narração meio gripada =)

osqueryi



Kolide Fleet



Pretendemos fazer posts mais específicos com os assuntos, bem como queries interessantes, monitoramentos de ameaças de momento, dicas e resolução de problemas. Adicionaremos o osquery também nos cursos de defesa do BlueOps pois o conteúdo oferecido pela ferramenta agrega valores em diversas grades dos treinamentos.

Happy Detection!

Blue Team Operations (BlueOps)

segunda-feira, 28 de agosto de 2017

SRW ( Snort Rules Week ) - Edição 1

Muito tempo atrás em meu blog pessoal eu postava updates que o projeto EmergingThreat e VRT (Sourcefire) fizeram em suas regras, com alguns comentários e dicas, alguns casos até com payloads caso fosse possível. Como estamos reestruturando a idéia, honeypots e laboratórios, nessa primeira edição basicamente postaremos uma visão geral dos updates baseado no sid_changes.log do pulledpork em um Sensor que será demo e atualizado hoje..
Explicando o que é o PulledPork, em resumo é uma ferramenta de atualização e gerenciamento de regras para Suricata / Snort IDS. Seu código pode ser analisado e estudado em https://github.com/shirkdog/pulledpork.

New Rules


    APP-DETECT HTTPTunnel proxy outbound connection detected (1:43565)
    BROWSER-FIREFOX Mozilla Firefox Javascript contentWindow in an iframe exploit attempt (1:43706)
    BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt (1:43643)
    BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt (1:43644)
    BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt (1:43651)
    BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt (1:43652)
    BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (1:43642)
    BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (1:43672)
    BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt (1:43673)
    BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43656)
    BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43657)
    BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43658)
    BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (1:43659)
    BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (1:43664)
    BROWSER-IE Microsoft Internet Explorer 11 CMarkup GetMarkupTitle use-after-free attempt (1:43665)
    BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt (1:43648)
    BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (1:43635)
    BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (1:43636)
    BROWSER-IE Microsoft Internet Explorer GDI VML gradient size heap overflow attempt (1:43622)
    BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (1:43598)
    BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (1:43599)
    BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (1:43550)
    BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (1:43551)
    BROWSER-IE Microsoft Internet Explorer type confusion attempt (1:43579)
    BROWSER-IE Microsoft Internet Explorer type confusion attempt (1:43580)
    BROWSER-PLUGINS HP Photo Creative ActiveX clsid access attempt (1:43607)
    BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (1:43537)
    BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (1:43538)
    BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43701)
    BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43702)
    BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43703)
    BROWSER-PLUGINS McAfee FreeScan information disclosure ActiveX clsid access attempt (1:43704)
    BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (1:43605)
    BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (1:43606)
    BROWSER-PLUGINS Ultra Crypto Component ActiveX clsid access attempt (1:43649)
    BROWSER-PLUGINS Ultra Crypto Component ActiveX clsid access attempt (1:43650)
    ET CNC Ransomware Tracker Reported CnC Server TCP group 159 (1:2404716)
    ET CNC Ransomware Tracker Reported CnC Server UDP group 159 (1:2404717)
    ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 (1:2405067)
    ET CNC Shadowserver Reported CnC Server Port 40669 Group 1 (1:2405068)
    ET CNC Shadowserver Reported CnC Server TCP group 49 (1:2404096)
    ET CNC Shadowserver Reported CnC Server UDP group 49 (1:2404097)
    ET CURRENT_EVENTS Disdain EK Flash Exploit M1 Aug 23 2017 (1:2024609)
    ET CURRENT_EVENTS Disdain EK Flash Exploit M2 Aug 23 2017 (1:2024610)
    ET CURRENT_EVENTS Disdain EK Flash Exploit M3 Aug 23 2017 (1:2024611)
    ET CURRENT_EVENTS Disdain EK Landing Aug 23 2017 (1:2024612)
    ET CURRENT_EVENTS Disdain EK Payload Aug 23 2017 (1:2024608)
    ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M1 (1:2024606)
    ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M2 (1:2024607)
    ET CURRENT_EVENTS Hancitor/Tordal Document Inbound (1:2024605)
    ET CURRENT_EVENTS Hancitor/Tordal Document Request (1:2024604)
    ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX (1:2024553)
    ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX M2 (1:2024602)
    ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M1 (1:2024550)
    ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M2 (1:2024551)
    ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M3 (1:2024552)
    ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt (1:2024537)
    ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B641 (1:2024534)
    ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B642 (1:2024535)
    ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B643 (1:2024536)
    ET CURRENT_EVENTS Possible Maldoc Downloader Aug 18 2017 (1:2024600)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 19 2016 (1:2024560)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 07 2016 (1:2024568)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 13 2016 (1:2024569)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 20 2016 (1:2024570)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 27 2016 (1:2024571)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 (1:2024554)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 (1:2024555)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 (1:2024556)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 03 2017 (1:2024572)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 12 2017 (1:2024573)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017 (1:2024574)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017 (1:2024575)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 06 2017 (1:2024580)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 10 2017 (1:2024581)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 11 2017 (1:2024582)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 13 (1:2024558)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 08 2017 (1:2024579)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 8 (1:2024557)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 24 2017 (1:2024576)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 25 2017 (1:2024577)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 31 2017 (1:2024578)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 15 2016 (1:2024565)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 16 2016 (1:2024566)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 22 2016 (1:2024567)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 13 (1:2024562)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 25 (1:2024563)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 (1:2024564)
    ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sept 2 (1:2024561)
    ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017 (1:2024541)
    ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017 (1:2024542)
    ET CURRENT_EVENTS Possible Veil Powershell Encoder B641 (1:2024538)
    ET CURRENT_EVENTS Possible Veil Powershell Encoder B642 (1:2024539)
    ET CURRENT_EVENTS Possible Veil Powershell Encoder B643 (1:2024540)
    ET CURRENT_EVENTS Possible YapiKredi Bank (TR) Phish - Landing Page - Title over non SSL (1:2024583)
    ET CURRENT_EVENTS Successful Adobe Online Phish Aug 16 2016 (1:2024559)
    ET CURRENT_EVENTS Successful Interac Phish Aug 18 2017 (1:2024599)
    ET CURRENT_EVENTS Successful Mail.ru Phish Aug 10 2017 (1:2024532)
    ET CURRENT_EVENTS Successful Paypal Phish M1 Aug 14 2017 (1:2024544)
    ET CURRENT_EVENTS Successful Paypal Phish M2 Aug 14 2017 (1:2024545)
    ET CURRENT_EVENTS Successful Paypal Phish M3 Aug 14 2017 (1:2024546)
    ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Aug 17 2017 (1:2024586)
    ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Aug 17 2017 (1:2024587)
    ET CURRENT_EVENTS Successful Square Phish Nov 16 2015 (1:2024547)
    ET CURRENT_EVENTS Windows Scriptlet Invoking Powershell Likely Malicious (1:2024549)
    ET DOS CLDAP Amplification Reflection (PoC based) (1:2024584)
    ET DOS Potential CLDAP Amplification Reflection (1:2024585)
    ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (1:2024548)
    ET TROJAN DNS Query for known ShadowPad CnC 1 (1:2024588)
    ET TROJAN DNS Query for known ShadowPad CnC 10 (1:2024597)
    ET TROJAN DNS Query for known ShadowPad CnC 11 (1:2024598)
    ET TROJAN DNS Query for known ShadowPad CnC 2 (1:2024589)
    ET TROJAN DNS Query for known ShadowPad CnC 3 (1:2024590)
    ET TROJAN DNS Query for known ShadowPad CnC 4 (1:2024591)
    ET TROJAN DNS Query for known ShadowPad CnC 5 (1:2024592)
    ET TROJAN DNS Query for known ShadowPad CnC 6 (1:2024593)
    ET TROJAN DNS Query for known ShadowPad CnC 7 (1:2024594)
    ET TROJAN DNS Query for known ShadowPad CnC 8 (1:2024595)
    ET TROJAN DNS Query for known ShadowPad CnC 9 (1:2024596)
    ET TROJAN MSIL/CoalaBot CnC Activity (1:2024531)
    ET TROJAN OSX.Pwnet.A Certificate Observed (1:2024613)
    ET TROJAN Observed DNS Query to Gryphon CnC Domain / GlobeImposter Payment Domain (1:2024543)
    ET TROJAN Spora Ransomware DNS Query (1:2024603)
    ET TROJAN Win32/Datper CnC Activity (1:2024601)
    ET TROJAN [PTsecurity] Gozi/Ursnif Payload v12 (1:2024533)
    FILE-EXECUTABLE SandboxEscaper WER download attempt (1:43632)
    FILE-EXECUTABLE SandboxEscaper WER download attempt (1:43633)
    FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43638)
    FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43639)
    FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43640)
    FILE-OFFICE Microsoft Excel null pointer dereference attempt (1:43641)
    FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt (1:43698)
    FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt (1:43699)
    FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt (1:43678)
    FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt (1:43679)
    FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt (1:43674)
    FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt (1:43675)
    FILE-OTHER Aktiv Player wma file buffer overflow attempt (1:43540)
    FILE-OTHER Aktiv Player wma file buffer overflow attempt (1:43541)
    FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt (1:43623)
    FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt (1:43624)
    FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (1:43608)
    FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (1:43609)
    FILE-OTHER Node.js JS-YAML js function tag code execution attempt (1:43669)
    FILE-OTHER Node.js JS-YAML js function tag code execution attempt (1:43670)
    FILE-OTHER Oracle Outside-In JPEG2000 QCD segment processing heap buffer overflow attempt (1:43560)
    FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (1:43615)
    FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (1:43603)
    FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (1:43604)
    FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (1:43626)
    FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (1:43627)
    FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (1:43600)
    FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (1:43601)
    FILE-OTHER Xion Media Player AIFF denial of service attempt (1:43682)
    FILE-OTHER Xion Media Player AIFF denial of service attempt (1:43683)
    FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (1:43543)
    FILE-OTHER multiple vulnerabilities malformed .wav file buffer overflow attempt (1:43582)
    FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt (1:43676)
    FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt (1:43677)
    INDICATOR-COMPROMISE Juniper vSRX Application Firewall IPv6 REJECT buffer overflow attempt (1:43546)
    INDICATOR-COMPROMISE Suspicious .top dns query (1:43687)
    INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt (1:43576)
    INDICATOR-OBFUSCATION obfuscated vbscript detected (1:43707)
    INDICATOR-OBFUSCATION obfuscated vbscript detected (1:43708)
    MALWARE-CNC Andr.Trojan.Femas variant outbound connection (1:43981)
    MALWARE-CNC Andr.Trojan.Femas variant outbound connection (1:43982)
    MALWARE-CNC Android.Trojan.DroidKungFu outbound connection (1:43578)
    MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (1:43597)
    MALWARE-CNC Win.Trojan.Fareit variant outbound connection (1:43972)
    MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt (1:43575)
    MALWARE-OTHER Win.Trojan.Nemucod variant file download (1:43684)
    MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection (1:43685)
    MALWARE-OTHER Win.Trojan.NemucodAES variant outbound connection (1:43686)
    OS-LINUX Linux kernel SCTP invalid chunk length denial of service attempt (1:43692)
    POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (1:44004)
    SERVER-APACHE httpd ap_find_token buffer overread attempt (1:43587)
    SERVER-APACHE httpd mod_mime content-type buffer overflow attempt (1:43547)
    SERVER-ORACLE Oracle Reports Server information disclosure attempt (1:43660)
    SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (1:43661)
    SERVER-ORACLE Oracle Reports Servlet information disclosure attempt (1:43662)
    SERVER-OTHER Aerospike Database Server si_prop stack buffer overflow attempt (1:43561)
    SERVER-OTHER CCProxy telnet ping buffer overflow attempt (1:43542)
    SERVER-OTHER Cisco IOS DHCP denial of service attempt (1:43573)
    SERVER-OTHER HPE LoadRunner buffer overflow exploitation attempt (1:43705)
    SERVER-OTHER LAN Messenger initiation request buffer overflow attempt (1:43566)
    SERVER-OTHER Monkey HTTPD null request denial of service attempt (1:43700)
    SERVER-OTHER Oracle Database Server authentication bypass attempt (1:43581)
    SERVER-OTHER Oracle Demantra information disclosure attempt (1:43596)
    SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (1:43610)
    SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (1:43611)
    SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (1:43620)
    SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (1:43621)
    SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (1:43602)
    SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt (1:43534)
    SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt (1:43535)
    SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt (1:43536)
    SERVER-WEBAPP AlienVault Unified Security Manager authentication bypass attempt (1:43549)
    SERVER-WEBAPP Axis M3004 remote code execution attempt (1:43625)
    SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (1:43588)
    SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (1:43589)
    SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (1:43590)
    SERVER-WEBAPP Brocade Network Advisor remote code execution attempt (1:43548)
    SERVER-WEBAPP CA ArcServe information disclosure attempt (1:43544)
    SERVER-WEBAPP CA eHealth command injection attempt (1:43583)
    SERVER-WEBAPP CA eHealth command injection attempt (1:43584)
    SERVER-WEBAPP CA eHealth command injection attempt (1:43585)
    SERVER-WEBAPP CA eHealth command injection attempt (1:43586)
    SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44005)
    SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44006)
    SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44007)
    SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (1:44008)
    SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43616)
    SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43617)
    SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43618)
    SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (1:43619)
    SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (1:43545)
    SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43591)
    SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43592)
    SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43593)
    SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (1:43594)
    SERVER-WEBAPP Koha directory traversal attempt (1:43539)
    SERVER-WEBAPP Mantis Bug Tracker password reset attempt (1:43693)
    SERVER-WEBAPP Mantis Bug Tracker password reset attempt (1:43694)
    SERVER-WEBAPP Netgear Prosafe filesystem denial of service attempt (1:43595)
    SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (1:43567)
    SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (1:43568)
    SERVER-WEBAPP Oracle BPEL Process Manager directory traversal attempt (1:43577)
    SERVER-WEBAPP PHP core unserialize use after free attempt (1:43668)
    SERVER-WEBAPP Pheap edit.php directory traversal attempt (1:43653)
    SERVER-WEBAPP Pheap edit.php directory traversal attempt (1:43654)
    SERVER-WEBAPP Pheap edit.php directory traversal attempt (1:43655)
    SERVER-WEBAPP ReadyDesk upload remote code execution attempt (1:43552)
    SERVER-WEBAPP ReadyDesk upload remote code execution attempt (1:43553)
    SERVER-WEBAPP ReadyDesk upload remote code execution attempt (1:43554)
    SERVER-WEBAPP SAP Internet Transaction Server cross site scripting attempt (1:43637)
    SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt (1:43645)
    SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt (1:43646)
    SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt (1:43647)
    SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt (1:43688)
    SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt (1:43689)
    SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt (1:43690)
    SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt (1:43695)
    SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt (1:43696)
    SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt (1:43697)
    SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt                    SERVER-WEBAPP VirtualSystem VS-News-System  remote file include attempt (1:43667)
    SERVER-WEBAPP Wing FTP Server command injection attempt (1:43574)
    SERVER-WEBAPP Zavio Cam command injection attempt (1:43569)
    SERVER-WEBAPP Zavio Cam command injection attempt (1:43570)
    SERVER-WEBAPP Zavio Cam command injection attempt (1:43571)
    SERVER-WEBAPP Zavio Cam command injection attempt (1:43572)
    SERVER-WEBAPP Zenoss call home remote code execution attempt (1:43634)
    SERVER-WEBAPP phpSecurePages secure.php remote file include attempt (1:43680)
    SERVER-WEBAPP phpSecurePages secure.php remote file include attempt (1:43681)
    SQL Oracle MySQL Pluggable Auth denial of service attempt (1:43671)

Deleted Rules
    BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (1:32032)
    BLACKLIST DNS request for known malware domain somee.com - Win.Trojan.Soaphrish (1:32200)
    ET TOR Known Tor Exit Node TCP Traffic group 73 (1:2520144)
    ET TOR Known Tor Exit Node UDP Traffic group 73 (1:2520145)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 661 (1:2523320)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 662 (1:2523322)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 663 (1:2523324)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 664 (1:2523326)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 665 (1:2523328)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 666 (1:2523330)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 667 (1:2523332)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 668 (1:2523334)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 669 (1:2523336)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 670 (1:2523338)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 671 (1:2523340)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 672 (1:2523342)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 673 (1:2523344)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 674 (1:2523346)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 675 (1:2523348)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 676 (1:2523350)
    ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 677 (1:2523352)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 661 (1:2523321)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 662 (1:2523323)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 663 (1:2523325)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 664 (1:2523327)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 665 (1:2523329)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 666 (1:2523331)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 667 (1:2523333)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 668 (1:2523335)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 669 (1:2523337)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 670 (1:2523339)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 671 (1:2523341)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 672 (1:2523343)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 673 (1:2523345)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 674 (1:2523347)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 675 (1:2523349)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 676 (1:2523351)
    ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 677 (1:2523353)
    SERVER-WEBAPP Invalid HTTP Version String (1:43762)


Rule Totals
    New:-------257
    Deleted:---39
    Enabled:---29379
    Dropped:---0
    Disabled:--26706
    Total:-----56085

IP Blacklist Stats
    Total IPs:-----8908

Gerando uma estatística manual das categorias adicionadas temos:

Adicionadas:

  63     ET CURRENT_EVENTS
  63     SERVER-WEBAPP
  20     FILE-OTHER

  17     ET TROJAN  
  16     BROWSER-IE
  13     SERVER-OTHER
  11     BROWSER-PLUGINS
  10     FILE-OFFICE
   8     BROWSER-FIREFOX
   6     MALWARE-CNC

   6     ET CNC
   3     SERVER-ORACLE
   3     MALWARE-OTHER
   3     INDICATOR-COMPROMISE
   2     SERVER-APACHE
   2     INDICATOR-OBFUSCATION
   2     FILE-PDF
   2     FILE-EXECUTABLE

   2     ET DOS
   1     SQL
   1     POLICY-OTHER
   1     OS-LINUX
   1     ET EXPLOIT
   1     APP-DETECT HTTPTunnel

 
O arquivo basicamente vem demonstrando todas as regras adicionadas, o que é bem interessante quando monitoramento para ver tendências como baseado nas categorias mais atualizadas ou deletadas. Além disso é de suma importância sempre deixar o IDS atualizado, pois como podem ver regras são deletadas, por não fazerem mais sentido ou até por detecção ruim, que certamente floodará seu SOC com falsos positivos.

Lembrando que também é feito a update da lista de IP's utilizados pelo preprocessador de IP Reputation que deve ser configurado em seu snort.conf para ter o benefício dessa listagem, que até mais que as regras são bem dinâmicas.

Como citado anteriormente, esperamos nas próximas edições do SRW termos mais conteúdos derivado de análises e honeypots.
 
Happy Detection!

Threat Hunter Brasil Team 

quinta-feira, 10 de agosto de 2017

Bem vindos ao Threat Hunter Brasil



Como muitos sabem o mercado de defesa é uma área totalmente carente e sem o glamour do lado ofensivo. Com base nisso, notamos que a grande maioria dos cursos sempre visam o lado ofensivo com teste de invasão em suas diversas granularidades e opções.

A idéia do Threat Hunter Brasil é tentar diminuir essa falta de informações na área defensiva, compartilhando informações desde a base da segurança como assuntos avançados. Dentre os tópicos podemos citar:

- Protocolos

- Sistemas de proteções
   - NIDS ( Sistema detecção de intrusos de rede)
   - HIDS ( Sistema de detecção de intrusos de host)
   - WAF (Web Application Firewall)
   - VA/VS (Vulnerability Assessment / Scanning)
 
- Hardening  

- Threat Intel

- SIEM
   - Elastic Stack
   - Splunk
   - AlienVault

- Análise de eventos
   - EventID
   - Sysmon
   - Audit Linux

- Threat Hunting

- Arquitetura de Segurança

- Honeypot ou Deception tools

- Análise malwares
 

Os meios que provavelmente divulgaremos as informações serão:

- Palestras em Eventos Nacionais / Internacionais
- Postagens com assuntos do nosso dia a dia
- Cursos especializados na área defensiva, criando uma "carreira defensiva".
- Webinar e podcasts
- Artigos

Em resumo acreditamos que um sistema de monitoramento e detecção de intrusos eficiente se baseiam no seguinte fluxo :


- Entender a superfície de ataque, sendo que para isso precisamos: Critical Security Control (CSC) 1 e 2 pelo menos (inventários hardware e software), a arquitetura de rede e caminho até seus ativos  e uma análise de riscos, justamente para saber quais os pontos principais a serem protegidos.

- Com base nessa tríade, escolhemos as fontes de dados, seja para monitoramento ativo, threat hunting ou resposta a futuros incidentes.

- Após as fontes, vamos enriquecer os dados para gerar alertas com contextos, porém já armazenando as infos.

A base desse blog sempre será conteúdos de profissionais para profissionais, utlizando esse mindset citado acima e uma equipe inicial constituída de profissionais trabalhando diversos setores e resolvendo tipo de incidentes dos mais variados.

Aproveitando estamos em construção de vários treinamentos na carreira de Defesa, no menu ao lado já poderá ver alguns conteúdo que serão ministrados possivelmente em formato EaD em breve.

Siga nosso blog e Happy Hunting!