Author Archives: azeemnow.com

How to Quickly Analyze a PCAP File

 I am so excited to introduce NFPA – a Network Forensic Processing & Analysis tool! 

network_security_ediscovery_network_analysis_network_monitor_forensics_tools_pcap_forensics_packet_forensics_capture_wireshark
NFPA – Network Forensic Processing & Analysis

My purpose behind NFPA tool is to provide Cybersecurity analysts a more efficient and automated (“click & forget”) means of executing commonly-used, open-source network forensics utilities and analysis queries against a piece of network evidence (PCAP).

NFPA tool helps optimize investigations by reducing errors that are typically involved in manually processing and analyzing network-based evidence through various popular tools and command-line options. 

Using NFPA, an analyst can:

  1. quickly process case evidence through various popular tools and utilities all by a simple script execution
  2. review results from 60+ individual, multi-purpose queries pre-ran again the evidence
  3. view the native output from all of the evidence process utilities – providing the opportunity for any validation or further analysis

All of the above is organized in an easy-to-understand structure which allows the analyst to quickly find answers as well as the authoritative source of those answers. 

Here is a quick demo of NFPA in action:

A key requirement when designing NFPA was to keep dependencies as minimum as possible. I wanted to make sure I leverage a platform that is already commonly used by analysts which is pre-configured with all of the necessary tools and capabilities. This would allow analysts to instantly begin their work on investigations and not have to deal with the underlying system engineering.

To that end, here is the only dependency:

Additionally, the NFPA is built-in Bash. Which means you do not have to import any specific libraries or run a certain version. Another advantage of using Bash is that you will most likely be able to run NFPA on other Linux distributions (may need to install some purpose-built network forensic tools separately).

The first version of the tool is now available on Github. Please check it out and let me know what you think!

Tagged , , , , , , , , , ,

What your CMD command line security is missing

Here is what your should do to increase your cmd command line security
Gap in Your Command-line Security

I want to write a follow-up on my last post about chain-of-commands not properly being captured by many defensive tools. During further research and testing, I observed that built-in Windows Command line actions are also not captured.

For instance, a simple act of deleting a file from the CMD Command-line is neither captured in SYSMON or in Windows Event logs:

 CMD.EXE > del /f test_file.txt
file_del_cmd

The only event observed in SYSMON for the above action was the following:

del_file

Additionally, nothing notable was observed in Windows Event logs.

This simple act of deleting a file is a common technique used by the adversaries. This action could be done both manually or through malware. One example where this technique is used is in the case of the Robbinhood Ransomware. In this sandbox report, you can see various quite-delete operations that Robbinhood malware executes.

I understand that there are other means of extracting CMD Command-line execution content. However, many of those require digital forensics analysis.

For instance, you can review Command-line history by analyzing the memory capture using a tool such as Volatility with plugins: cmdscan, consoles or just running strings against the memory image. However, this type of analysis requires either a memory image capture or a specialized commercial solution that can scan live memory content (example). Unfortunately, most organizations do not have access to these enterprise-solutions thus their ability to hunt for such Command-line techniques becomes limited.

MITRE ATT&CK Evaluations also has an entry for this technique 9.C.4 File Deletion where you can select various technologies from the drop-down list and see how they detect this technique.

If you are collecting and hunting full CMD Commandline, I would love to hear about your feedback; especially, if the technology/method that you are using is not one of the ones tested in ATT&CK Evaluations above.

https://attackevals.mitre.org/technique_comparison.html?round=APT29&step_tid=9.C.4_T1107&vendors=


Tagged , , , , , ,

2 Work From Home Tricks That Develop Focus and Increase Productively

work from home

Reduce Distractions and Increase Focus

Due to Coronavirus (COVID-19) disease, many around the world are practicing self-quarantine (or at least they should be) and are having to work from home (WFH).

For some working from home can be challenging for many different reasons; some of which are out of their control. However, I think there are other things that you can control and one of them being phone distractions.

Without a doubt, one of the biggest culprits for creating distraction is our phones. I do not think I need to expand on why most of us have an addictive-like relationship with our phones. However, if you are interested in learning more about how mobile apps are inherently designed to hurt our focus, I’ll link a few resources at the end that will help you understand the seriousness of the situation. And as you can imagine, in the context of working from home, this type of  distracted behavior can significantly reduce our productivity, drain energy and negatively impact our work performance.

There is no shortage of articles with advice on how to effectively WFH; especially now with COVID-19. But, I want to share just a couple of practical tips that have worked for me over the years and hopefully, someone can benefit from them.

  1. Keep your phone outside of your room:
    • From personal experience, having a phone on the desk, even if it is on silent or if the screen is down, does not work. Unconsciously, it is inevitable that we are going to pick it up. It could be while you wait for a Slack response from a coworker or while we wait for Outlook to load. And before you know it, we end up mindless scrolling on things that add limited value to us completing our work.
  2. Get up and move:
    • There is significant research that suggests we should get up from sitting and move around every so often. Usually, this is not a problem when working from the office because you attend meetings, walk over to coworker’s desk, or go to the pantry (which could be on a different floor).
    • Unfortunately, when working from home, you need to think about this in advance and purposefully create situations where you have to get up and move; such as combining both of these points :)

Typically, when working, I place my phone outside of the room with a timer set for 45 minutes. By moving the phone out-of-sight and out-of-reach, I effectively eliminate possibilities for unconscious pick-ups. The result is that I can give my undivided attention to work and not becomes anxious.

Eventually, when the timer goes off, I have no choice but to get up and turn it off; gaining benefits of #2. At that time, I can quickly check if there are any urgent calls or messages that I need to respond. I then reset the timer and return to my desk.

Using this simple model, you can include other elements to the process to help develop additional habits. For instance, if you are trying to drink more water every day, you can place a water bottle next to your phone, and then every time you get up to turn off the timer, you can drink.

I have been following the above process well-before the COIVD-19 situation, and I have seen notable benefits from it. For this reason, if you are either new to WFH or have been WFH for some time, and want to increase your focus, productivity and develop healthy habits, this process is worth giving a try!

Sidenote:

The 45 minutes timer technique that I shared above is something that I started doing without much research. However, when I researched for this blog post, I discovered the Pomodoro Technique!

What is the Pomodoro Technique? aka Tomato Timer
(Pomodoro – Italian for Tomato)

Simply put:

  1. Set a timer for 25 minutes and work without interruption
  2. Take a 5 minute break (completing 1 Pomodoro)
  3. Repeat above 4 times
  4. Take a 15 minute break
  5. Start again

https://youtu.be/VFW3Ld7JO0w

There are many Pomodores Timer Apps that you can try and change configurations to your liking: (https://zapier.com/blog/best-pomodoro-apps/).

If you are interested in learning more, the Pomodoro Technique or how mobile devices are designed to develop addicted behaviors, below are some resources I recommend:

  1. Pomodoro Technique
  2. Digital Minimalism with Cal Newport
  3. Brain Hacking
  4. Digital Minimalism: Choosing a Focused Life in a Noisy World by Cal Newport 

–Thank for reading and #StayAtHomeAndStaySafe !

Tagged , , , , , ,

Who Else is Blind to Chain-of-Commands | Adversary Technique

photo-1567635102602-73000b63761a

I recently came across a technique that potentially allows the adversary to both execute and evade detection that is simple to execute, however, to my surprise, not entirely captured by detection tools (at least not by those that I have tested).

In this quick post, I will share my findings & analysis and I am interested in any feedback around options for detection.

Technique Description: The adversary executes a custom-developed, chain-of-commands that they execute together as a single command-line using Windows CMD.EXE. This execution could be achieved through malware or the adversary could manually perform it on a system under their control.

One of the key advantages of this technique for the adversary is that, as of this writing, SYSMON (10.0.4.2), and maybe even some commercial EDR solutions, do not capture such chain-of-commands as a single execution. Instead, these tools typically log this activity separately. I found nothing in the SYSMON logs or Windows native event logs that indicate that multiple commands were executed together as part of a chain.

If what I have observed in true, then I think this lack of total context makes it difficult for incident responders, threat hunters, or security monitoring professionals to identify such activity as anomalous among a large number of events. On the other hand, it allows the adversary to hide in plain sight.

Technique Use in Real Malware: One particular malware where I found this technique being used was in the RobbinHood Ransomware. In my analysis of these two samples (1, 2), this chain-of-command technique can be observed in a couple different ways. However, in one specific instance, RobbinHood uses this technique to check for network connectivity, terminates its previously-launched malicious process and subsequently deletes that same process executable quietly from the system permanently. The command itself was as follows:

ping 1.1.1.1 -n 1 -w 3000 > 
& taskkill /f /im steel.exe & Del /f /q ‘C:\Users\user\Desktop\steel.exe’

Atomic Test: To simulate the above technique, I developed this benign chain-of-commands, which essentially, first checks network connectivity by making a single ICMP ping request to a Google’s public DNS address, and then it terminates a running Chrome web browser process.

ping 8.8.8.8 -n 1 -w 3000 > Nul & taskkill /f /im chrome.exe

chain_of_command_atomic_test

Here is what I observed in SYSMON on the atomic test above:

First, you see an entry for PING.EXE portion of the chain-of-command:

ping_sysmon

Second, you see separate entry for the latter portion of the chain where the CHROME.EXE process is terminated:

taskkill_sysmon

It is evident in the SYSMON events above that both processes share the same Parent Process ID. However, while both events share the same ParentProcessID of 12120, there isn’t any explicit indication that these commands were executed together as part of a chain-of-commands. Which I believe is an important context that is missing as it would not only stick-out during Incident Response/Hunt/Monitoring; especially if the system under investigation and has no business purpose to running such chain-of-commands.

I do want to highlight that I think SYSMON is capturing what it is supposed to capture – a process creation. It captured as each process was created on the system; which was separately one at a time. The limitation appears to be at the operating system level where this data is not captured.

I look forward to feedback and how are you detecting this technique in your environments!

Reference:

MalwareReference
Trojan; possibly Big Bang APT1. https://bit.ly/2xaAVNr
2. https://bit.ly/2KBddgp
3. https://bit.ly/3cUVkFH
Raccoon Stealerhttps://bit.ly/35i8dXP
InstallCube Trojanhttps://bit.ly/2yMjmDI
GreenKit Bitcoin Mining Rootkithttps://bit.ly/3aDRI9i
TROJ_VICEPASS.A1. https://bit.ly/2y2PrHr
2. https://bit.ly/2xem5Wm

Tagged , , ,
Advertisements