  • Protecting Bash History

    MITRE ATT&CK, T1562.003 - Impair Defenses: HISTCONTROL

    Adversaries use a variety of tactics to evade detection and maintain their presence on a compromised system. One such technique is to impair command history logging, making it difficult for security teams to detect and analyze the actions taken by the attacker.

    In this blog post, we will be discussing the MITRE ATT&CK technique T1562.003 - Impair Defenses: HISTCONTROL, which involves adversaries manipulating the HISTCONTROL environment variable to prevent the logging of certain commands in the user’s command history.

    We will provide examples of how adversaries can exploit this technique and also discuss auditd rules that can be used to detect such activity. Finally, we will suggest some best practices to mitigate the risk of this technique being used against your organization.

    Read more...
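    As an added example (not code from the post above), the following Python script scans bash startup files for the settings an adversary edits to stop commands reaching the history file: HISTCONTROL=ignorespace/ignoreboth, HISTSIZE or HISTFILESIZE set to zero, HISTFILE pointed at /dev/null or unset, and set +o history. The variable and builtin names are bash's own; the regexes, severities and the tampered sample ~/.bashrc are constructed for this example. One caveat a reviewer needs: Ubuntu's stock ~/.bashrc already sets HISTCONTROL=ignoreboth, so that line is reported as low severity and should be compared with the distribution default rather than treated as an indicator on its own.

```python
import re
from pathlib import Path

# Constructed sample: a tampered ~/.bashrc (our own text, not from the post).
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
export HISTCONTROL=ignoreboth
HISTSIZE=0
export HISTFILE=/dev/null
unset HISTFILE
set +o history
alias ls='ls --color=auto'
"""

# Settings that stop commands reaching the history file.  The variable and
# builtin names are bash's; the regexes and severities are our own choice.
# Ubuntu's stock ~/.bashrc ships HISTCONTROL=ignoreboth, hence "low" for that one.
CHECKS = [
    ("low", "HISTCONTROL ignores commands that start with a space",
     re.compile(r"^\s*(export\s+)?HISTCONTROL=\S*\b(ignorespace|ignoreboth)\b")),
    ("high", "history size set to zero",
     re.compile(r"^\s*(export\s+)?HIST(FILE)?SIZE=['\"]?0['\"]?\s*(#.*)?$")),
    ("high", "HISTFILE points at /dev/null",
     re.compile(r"^\s*(export\s+)?HISTFILE=['\"]?/dev/null\b")),
    ("high", "HISTFILE unset",
     re.compile(r"^\s*unset\s+(-v\s+)?HISTFILE\b")),
    ("high", "history recording disabled with set +o history",
     re.compile(r"^\s*set\s+\+o\s+history\b")),
]


def scan_text(text, source="<string>"):
    """Return one (source, line_no, severity, reason, line) tuple per matching line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for severity, reason, pat in CHECKS:
            if pat.search(line):
                hits.append((source, no, severity, reason, line.strip()))
                break  # one finding per line is enough
    return hits


def scan_startup_files(home):
    """Scan a user's bash startup files plus the system-wide ones (paths are bash's defaults)."""
    paths = [Path(home) / n for n in (".bashrc", ".bash_profile", ".bash_login", ".profile")]
    paths += [Path("/etc/bash.bashrc"), Path("/etc/profile")]
    if Path("/etc/profile.d").is_dir():
        paths += sorted(Path("/etc/profile.d").glob("*.sh"))
    hits = []
    for p in paths:
        if p.is_file():
            hits.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return hits


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_BASHRC, "sample ~/.bashrc"):
        print("%s:%d [%s] %s: %s" % hit)
```

    Run scan_startup_files("/home/alice") against a real account (or loop over /home) to get the same tuples for live files. Note what this cannot see: an attacker who simply types `export HISTCONTROL=ignorespace` or `unset HISTFILE` in an interactive shell touches no file, which is why the post pairs this kind of check with auditd rules and why a centrally collected process/exec log, not the history file, should be the record of truth.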


  • Local User Accounts

    MITRE ATT&CK, T1078.003 - Valid Accounts: Local Accounts

    By default, Ubuntu creates a primary user account during installation. This is a local account with administrative privileges (it is a member of the sudo group) and is used to perform administrative tasks on the system, such as installing software or configuring system settings. System accounts are also created during installation, or when specific system services are installed. These accounts are given only the privileges and permissions needed for their designated tasks, such as access to particular system files or the ability to run a system service, and normally have no login shell.

    In this post we will look at ways that adversaries can create, reactivate and re-purpose local user accounts and also discuss auditd rules that can be used to detect such activity.

    Read more...
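    The three behaviours the post above describes (creating a new local account, reactivating a dormant one, re-purposing a system account) all leave traces in /etc/passwd. As an added example, not code from the post, here is a Python triage that compares the current file with a baseline snapshot and flags the classic indicators: an account with UID 0 that is not root, accounts absent from the baseline, system accounts (UID below Ubuntu's UID_MIN of 1000) that have acquired an interactive shell, and shells that changed from nologin to something usable. The two passwd files are constructed for the example; the baseline path and UID_MIN value are assumptions you should take from your own golden image and /etc/login.defs.

```python
# Constructed sample: a baseline /etc/passwd snapshot and the current file
# (both invented for this example).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/root:/bin/bash
support:x:1001:1001::/home/support:/bin/bash
"""

UID_MIN = 1000  # Ubuntu's /etc/login.defs default for regular users (assumption)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Map username -> (uid, gid, gecos, home, shell) from passwd(5) text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = (int(uid), int(gid), gecos, home, shell)
    return users


def triage(baseline_text, current_text):
    """Return (username, finding) pairs for every deviation worth a look."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, (uid, _gid, _gecos, _home, shell) in cur.items():
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if name not in base:
            findings.append((name, "account not present in baseline"))
            continue
        old_shell = base[name][4]
        if old_shell in NOLOGIN_SHELLS and shell not in NOLOGIN_SHELLS:
            findings.append((name, "shell changed %s -> %s" % (old_shell, shell)))
        if uid < UID_MIN and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append((name, "system account with interactive shell"))
    for name in base.keys() - cur.keys():
        findings.append((name, "account removed since baseline"))
    return findings


if __name__ == "__main__":
    for user, finding in triage(BASELINE_PASSWD, CURRENT_PASSWD):
        print("%-10s %s" % (user, finding))
```

    On a live system read the baseline from your configuration store and the current file from /etc/passwd; the same join against /etc/shadow shows whether a "dormant" account was reactivated by removing the leading "!" from its password field, which this passwd-only check cannot see.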


  • Systemd timers

    MITRE ATT&CK, T1053.006 - Scheduled Task/Job: Systemd Timers

    Red Hat engineers started the development of systemd in 2010, and by 2015 most Linux distributions had adopted it as their default system and service manager. One of systemd's many capabilities is timers, which are similar to the older cron job scheduler but with extended capabilities.

    Timers can be run by the system or by a standard user. They can be either monotonic, meaning that they fire a set interval after an event such as boot or unit activation, or realtime, i.e. they fire at specified wall-clock times, just like cron. They can also be persistent, with unit files on disk describing what they do, or transient, created on the fly with no unit files on disk.

    In this blog post we investigate four different ways that timers can be created and executed, either by the system or by a standard user. We also look at ways in which the creation and execution of these timers could be detected and reported to an Endpoint Detection and Response system, and map that activity back to the MITRE ATT&CK framework's Scheduled Task/Job: Systemd Timers - T1053.006 definition.

    Read more...
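    To make the monotonic/realtime and persistent/transient distinctions from the summary above concrete, here is an added Python example (not code from the post) that parses .timer units, classifies their schedule keys as monotonic (OnBootSec, OnActiveSec, OnStartupSec, OnUnitActiveSec, OnUnitInactiveSec) or realtime (OnCalendar), and works out from a unit's path whether it is a system or user timer and whether it is file-backed or one of the transient units systemd-run writes under /run/systemd/transient (system) or /run/user/UID/systemd/transient (user). The two sample units are constructed; the directory list is the standard systemd search path. Note that the Persistent= key in a timer is the "catch up after downtime" flag, not the file-backed versus transient distinction, so the code reports it separately.

```python
import re
from pathlib import Path

# Timer keys per systemd.timer(5).  Monotonic timers count from an event
# (boot, unit activation); realtime timers fire at wall-clock times.
MONOTONIC_KEYS = {"OnActiveSec", "OnBootSec", "OnStartupSec",
                  "OnUnitActiveSec", "OnUnitInactiveSec"}
REALTIME_KEYS = {"OnCalendar"}

# Where file-backed system units live, plus the directory systemd uses for
# transient units created with systemd-run (no file under /etc or /usr).
SYSTEM_DIRS = ["/etc/systemd/system", "/run/systemd/system",
               "/usr/lib/systemd/system", "/lib/systemd/system"]
SYSTEM_TRANSIENT = "/run/systemd/transient"

# Constructed sample units (not from the post).
SAMPLE_REALTIME = """\
[Unit]
Description=Nightly sync

[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true
Unit=sync.service

[Install]
WantedBy=timers.target
"""

SAMPLE_MONOTONIC = """\
[Timer]
OnBootSec=15min
OnUnitActiveSec=1h
"""


def parse_unit(text):
    """Minimal unit-file parser: {section: [(key, value), ...]}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def classify_timer(text):
    """Summarise a .timer unit: kind(s), schedule lines, target service, catch-up flag."""
    timer = parse_unit(text).get("Timer", [])
    keys = {k for k, _ in timer}
    kinds = []
    if keys & MONOTONIC_KEYS:
        kinds.append("monotonic")
    if keys & REALTIME_KEYS:
        kinds.append("realtime")
    return {
        "kinds": kinds,
        "schedule": [(k, v) for k, v in timer if k in MONOTONIC_KEYS | REALTIME_KEYS],
        # Unit= names the service; absent, systemd uses the timer's name with .service
        "unit": next((v for k, v in timer if k == "Unit"), None),
        # Persistent= means "run once on next start if a run was missed"
        "catch_up": any(k == "Persistent" and v.lower() in ("yes", "true", "on", "1")
                        for k, v in timer),
    }


def scope_of_path(path):
    """(owner, kind): owner is system/user, kind is file-backed/transient."""
    p = str(path)
    if p.startswith(SYSTEM_TRANSIENT + "/"):
        return ("system", "transient")
    if re.match(r"^/run/user/\d+/systemd/transient/", p):
        return ("user", "transient")
    if any(p.startswith(d + "/") for d in SYSTEM_DIRS):
        return ("system", "file-backed")
    if "/.config/systemd/user/" in p or p.startswith(("/etc/systemd/user/", "/usr/lib/systemd/user/")):
        return ("user", "file-backed")
    return ("unknown", "unknown")


def enumerate_timers():
    """Yield (path, owner, kind, summary) for every .timer unit visible on this host."""
    homes = ["/root"] + [str(p) for p in Path("/home").glob("*")]
    dirs = SYSTEM_DIRS + [SYSTEM_TRANSIENT] + ["%s/.config/systemd/user" % h for h in homes]
    dirs += [str(p) for p in Path("/run/user").glob("*/systemd/transient")]
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for unit in sorted(Path(d).glob("*.timer")):
            owner, kind = scope_of_path(unit)
            yield (str(unit), owner, kind, classify_timer(unit.read_text(errors="replace")))


if __name__ == "__main__":
    for path, owner, kind, summary in enumerate_timers():
        print(path, owner, kind, summary["kinds"], summary["schedule"], summary["unit"])
```

    Run it as root to see the transient directories; a user-scope transient timer showing up for an account that should never schedule jobs is exactly the kind of finding the post maps to T1053.006. The transient unit files disappear on reboot, so capture them (or `systemctl list-timers --all` output) when you find them.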


  • So who have you been talking to?

    Dumping DNS queries to a log file

    There are innumerable reasons why you would want to know who your computer has been communicating with, and when. Monitoring and recording the computer's use of the Domain Name System (DNS), which is used to identify computers on the local network and the internet, gives you most of that knowledge, because nearly every connection starts with a name lookup. In this post we look at a way to use tcpdump to capture and log all of the DNS queries made by a computer.

    Read more...
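    As an added example (not the post's own script), the following Python reads tcpdump's text output for UDP port 53, keeps only the query lines (the ones with a "QTYPE?" marker, skipping responses) and writes a tab-separated log of timestamp, source address, query type and name. The capture command shown in the comment uses real tcpdump options; the sample lines are constructed to look like `tcpdump -nn -tttt` output, including an IPv6 query and the "[1au]" count tcpdump prints when a query carries an additional record (typically EDNS OPT).

```python
import re
from collections import Counter

# Assumed capture command (real tcpdump options): -nn no name/port lookups,
# -l line-buffered, -tttt full date+time stamps, only UDP/53 traffic:
#   tcpdump -i any -nn -l -tttt udp port 53 | python3 dnslog.py >> dns.log
# Caveat: TCP/53, DNS over TLS (853) and DNS over HTTPS (443) do not match this filter.

# Query line shape: "<ts> IP[6] <src>.<sport> > <dst>.<dport>: <id><flags> [<n>au] <QTYPE>? <name>. (<len>)"
DNS_QUERY = re.compile(
    r"^(?P<ts>\S+(?: \S+)?) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>[+$|%]*) (?:\[\S+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Constructed sample lines (not a real capture).  Line 2 is a response and is ignored.
SAMPLE = """\
2024-03-01 14:02:11.532811 IP 192.168.1.23.41802 > 192.168.1.1.53: 39275+ A? example.com. (29)
2024-03-01 14:02:11.540122 IP 192.168.1.1.53 > 192.168.1.23.41802: 39275 1/0/0 A 93.184.216.34 (45)
2024-03-01 14:02:12.001904 IP6 fe80::1.52112 > fe80::53.53: 52112+ AAAA? www.example.org. (33)
2024-03-01 14:02:13.777001 IP 192.168.1.23.41803 > 192.168.1.1.53: 1234+ [1au] TXT? update.evil.test. (45)
"""


def parse_query(line):
    """Return a dict for a DNS query line, or None for responses and other output."""
    m = DNS_QUERY.match(line)
    if not m:
        return None
    # tcpdump appends the port with a dot, for IPv6 too, so split on the last dot.
    src, sport = m["src"].rsplit(".", 1)
    dst, dport = m["dst"].rsplit(".", 1)
    return {
        "ts": m["ts"], "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "id": int(m["id"]), "qtype": m["qtype"],
        "qname": m["qname"].rstrip(".").lower(),
    }


def log_queries(lines, sink):
    """Write one tab-separated record per query to sink; return the parsed queries."""
    queries = []
    for line in lines:
        q = parse_query(line.rstrip("\n"))
        if q:
            sink.write("\t".join((q["ts"], q["src"], q["qtype"], q["qname"])) + "\n")
            queries.append(q)
    return queries


def top_names(queries, n=10):
    """Most frequently queried names: a first answer to 'who have you been talking to?'."""
    return Counter(q["qname"] for q in queries).most_common(n)


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    qs = log_queries(source, sys.stdout)
    print(top_names(qs), file=sys.stderr)
```

    Because the log is derived from the wire, it records what the host actually asked, including lookups made by processes that do not use the system resolver. Hosts running a local caching stub (systemd-resolved on 127.0.0.53) will show repeated queries to that address; `-i any` still sees them because it includes loopback.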


  • Input Capture: Keylogging

    MITRE ATT&CK, T1056.001 - Input Capture: Keylogging

    Description from ATT&CK

    Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

    Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.[1] Some methods include:

    • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
    • Reading raw keystroke data from the hardware buffer.
    • Windows Registry modifications.
    • Custom drivers.

    Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.[2]

    Read more...


  • Disable or Modify System Firewall

    MITRE ATT&CK, T1562.004 - Impair Defenses: Disable or Modify System Firewall

    Description from ATT&CK

    Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

    Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

    Read more...


  • pass Password Manager

    Shared passwords

    Love them or hate them, shared passwords are a fact of life: default user accounts, database users, API keys and so on. pass, the “standard Unix password manager”, stores each password as a gpg-encrypted file within a directory structure. Because gpg is used, multiple gpg IDs can be listed as recipients, so several people can decrypt the password files, and because of the simple directory and file structure, git can be used to track changes and share the password repository with others.

    Read more...


  • SSH Certificate Authorities

    "Better" Key Management

    Without good key management, no cryptographic system is secure. Full knowledge of the who, what, when, where, why and how of your keys is imperative for good security. Using an SSH Certificate Authority (CA) will vastly simplify and improve the efficacy of your SSH infrastructure. You will no longer have default usernames and passwords (root:toor). You will no longer have to copy everyone's public key into every server while trying to remember whose key is whose. You will no longer be tempted to create “One key to rule them ALL” and give that key to everyone who needs it. Your key management process will be reduced to installing the CA's public key on each system and signing users' public keys.

    Read more...


  • Do you have Squatters?

    Unwanted house guests on the Internet ...

    Typosquatting 1 is the Internet's version of occupying empty buildings without permission, “squatting” 2.

    In this article, we describe a process that can be conducted to determine whether or not you have squatters on your branded domains. It is a manual process and covers the basic forms of typo and TLD squatting. It is intended to be carried out as a “Proof of Concept” 3 to ascertain whether you have squatters and whether a more rigorous, automated process would be of value in your broader risk management process.

    The output of this process is a spreadsheet, from which you will be able to gain some basic statistics on “potential” squatting activity and a starting point for further investigatory work.

    Read more...


  • .com Doppelgängers

    The prevalence and control of .com look-a-like domain names

    Doppelgänger domain names 1,2 are a subcategory of the larger issue of Typosquatting 3 in the Domain Name System (DNS) 4. A doppelgänger domain is typically correctly spelt but with some manipulation of the dots between host and domain name; for example, www.google.com is different from wwwgoogle.com.

    The reasons for registering and running services on doppelgänger domains vary widely with either mischievous or malicious intent. It could be for a lark; to make a political statement; to embarrass or harass, or as part of a broader cyber attack strategy. In all cases, the intent is to re-direct traffic (the web, email etc.) away from the legitimate domain and to the doppelgänger domain.

    Read more...
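    The squatting process described two posts above and the doppelgänger definition just given share one first step: generating the candidate names to check. As an added example (not code from either post), the Python below produces typo variants of the brand label (omission, repetition, transposition and adjacent-key substitution), TLD swaps, and doppelgängers formed by removing the dot between a host label and the domain (www.google.com to wwwgoogle.com), then emits the spreadsheet the squatting post describes as CSV with empty "resolves" and "registrar" columns for the manual follow-up. The QWERTY adjacency table and the short TLD list are assumptions; the splitter treats the last label as the TLD, so for suffixes such as co.uk consult the Public Suffix List first.

```python
import csv
import io

# Keyboard adjacency for "fat finger" substitutions (our own table, QWERTY only).
QWERTY = {
    "q": "wa", "w": "qesa", "e": "wrds", "r": "etfd", "t": "rygf", "y": "tuhg",
    "u": "yijh", "i": "uokj", "o": "iplk", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

# Assumed short list of alternative TLDs; extend it with the ones relevant to your brand.
ALT_TLDS = ["com", "net", "org", "co", "io", "info", "biz", "xyz"]


def split_domain(name):
    """'www.example.com' -> (['www', 'example'], 'com').  Naive single-label TLD."""
    labels = name.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("need at least label.tld: %r" % name)
    return labels[:-1], labels[-1]


def typo_variants(label):
    """One-character omission, repetition, transposition and adjacent-key substitution."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                      # omission:      gogle
        out.add(label[:i] + ch + label[i:])                     # repetition:    gooogle
        if i + 1 < len(label):                                  # transposition: googel
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in QWERTY.get(ch, ""):                            # adjacent key:  foogle
            out.add(label[:i] + k + label[i + 1:])
    out.discard(label)
    out.discard("")
    return out


def candidates(hostname, tlds=ALT_TLDS):
    """(candidate, technique) pairs for one branded hostname, excluding the original."""
    labels, tld = split_domain(hostname)
    brand = labels[-1]                                          # registrable label, e.g. 'google'
    found = []
    for typo in sorted(typo_variants(brand)):
        found.append(("%s.%s" % (typo, tld), "typo"))
    for alt in tlds:
        if alt != tld:
            found.append(("%s.%s" % (brand, alt), "tld"))
    # Doppelgänger: the dot between a host label and the domain disappears while
    # the spelling stays correct, e.g. www.google.com -> wwwgoogle.com.
    for i in range(len(labels) - 1):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        found.append((".".join(merged + [tld]), "doppelganger"))
    return found


def to_csv(hostnames):
    """Spreadsheet-ready CSV: one row per candidate, with columns left for the manual checks."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["seed", "candidate", "technique", "resolves", "registrar"])
    for host in hostnames:
        for cand, tech in candidates(host):
            writer.writerow([host, cand, tech, "", ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(["www.google.com"]), end="")
```

    Feed the candidate column to your resolver and WHOIS tooling in a second pass; a candidate that resolves, or whose registrar differs from your own, is the "potential squatting" the spreadsheet is meant to surface, and a doppelgänger that accepts mail on port 25 deserves immediate attention because it will collect mis-addressed e-mail.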


  • OS Credential Dumping

    MITRE ATT&CK, T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow

    In this blog post we investigate different ways to dump and crack Linux password hashes using John the Ripper, activity that maps to the MITRE ATT&CK framework's OS Credential Dumping: /etc/passwd and /etc/shadow - T1003.008 definition. (The hashes in /etc/shadow are one-way, so they are not decrypted; John recovers passwords by guessing candidates and comparing hashes.)

    John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including: user passwords of Unix flavours (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, “web apps” (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.); filesystems and disks (macOS .dmg files and “sparse bundles”, Windows BitLocker, etc.); archives (ZIP, RAR, 7z); and document files (PDF, Microsoft Office, etc.).

    Read more...
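    Before John the Ripper can run, /etc/passwd and /etc/shadow are joined with its unshadow tool (unshadow /etc/passwd /etc/shadow > mypasswd; john mypasswd). As an added example, not the post's own code, the Python below reproduces that join and then does the triage an auditor wants before spending CPU: which accounts are locked ("!" or "*" prefix), which have an empty password field, and which hashing scheme each remaining hash uses, identified from its crypt(5) "$id$" prefix, together with the John jumbo format name where one exists. The passwd and shadow files are constructed and the hash values are placeholders, not real digests. The yescrypt ("$y$") and scrypt ("$7$") entries are deliberately left without a John format: check `john --list=formats` on your build, and be aware that Ubuntu 22.04 and later default to yescrypt for new passwords.

```python
# Constructed sample files (invented for this example; hash values are placeholders).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/sh
guest:x:1003:1003::/home/guest:/bin/bash
"""

SHADOW = """\
root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$x8Tq2pLm$PLACEHOLDER.constructed.value.not.a.real.digest:19700:0:99999:7:::
bob:$y$j9T$PLACEHOLDERsalt$constructedHashValue:19700:0:99999:7:::
legacy:AbCdEfGhIjKlM:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""

# crypt(5) prefixes -> (algorithm, John the Ripper jumbo format or None if unsure).
ALGOS = {
    "1":  ("MD5-crypt", "md5crypt"),
    "2a": ("bcrypt", "bcrypt"), "2b": ("bcrypt", "bcrypt"), "2y": ("bcrypt", "bcrypt"),
    "5":  ("SHA-256-crypt", "sha256crypt"),
    "6":  ("SHA-512-crypt", "sha512crypt"),
    "7":  ("scrypt", None),          # verify support with: john --list=formats
    "y":  ("yescrypt", None),        # Ubuntu 22.04+ default; verify support likewise
    "gy": ("gost-yescrypt", None),
}


def classify_hash(field):
    """Return (state, algorithm, john_format) for one shadow(5) password field."""
    if field == "":
        return ("empty", None, None)        # no password needed: a finding on its own
    if field[0] in "!*":
        return ("locked", None, None)       # passwd -l prepends '!'; '*' never matches
    if field.startswith("$"):
        ident = field.split("$")[1]
        algo, fmt = ALGOS.get(ident, ("unknown $%s$" % ident, None))
        return ("hashed", algo, fmt)
    if len(field) == 13:
        return ("hashed", "DES-crypt", "descrypt")   # traditional 2-char salt + 11 chars
    return ("unknown", None, None)


def unshadow(passwd_text, shadow_text):
    """Join passwd and shadow the way John's unshadow(8) does: hash replaces the 'x'."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":", 2)[:2]
            hashes[name] = field
    rows = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        fields[1] = hashes.get(fields[0], fields[1])
        rows.append(":".join(fields))
    return rows


def triage(rows):
    """(user, state, algorithm, john_format) for each unshadowed row."""
    out = []
    for row in rows:
        name, field = row.split(":", 2)[:2]
        out.append((name,) + classify_hash(field))
    return out


def crackable(rows):
    """Usernames whose hashes are worth feeding to John (hashed, neither locked nor empty)."""
    return [name for name, state, _algo, _fmt in triage(rows) if state == "hashed"]


if __name__ == "__main__":
    rows = unshadow(PASSWD, SHADOW)
    for user, state, algo, fmt in triage(rows):
        print("%-8s %-7s %-14s %s" % (user, state, algo or "-", fmt or "-"))
    print("feed to john:", crackable(rows))
```

    Two things the output makes obvious: the empty field on "guest" is a critical finding without any cracking at all, and the 13-character DES-crypt hash on "legacy" (8-character password limit, 12-bit salt) will fall to John far faster than the SHA-512-crypt or yescrypt entries, so legacy hashes left behind by migrations are where to look first.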
