acrypthash

A place where I can post security-related long-form thoughts, notes, and articles

End of the Year Wrap Post

Greetings fellow hackers! I hope everyone had a productive and prosperous year! This blog post is going to be pretty big and all over the place as I discuss what I have been up to over the past few months. It's been quite a ride :D. I am so grateful for this year and how much I've grown.

TLDR; DailyPay Okta breach, Malvertising and it's woes, security conferences, learning, GCP security, what's to come in 2024.

The first thing we will discuss is a security event that happen with a vendor called DailyPay. For those of you who don't know, “DailyPay is an American financial services company founded in 2015, which provides payroll services such as earned wage access.” The vendor was experiencing odd API requests coming from customer tokens (insert sweaty cat here). We started seeing notifications of odd logins and reached out. Apparently this was related to the Okta breach. Ultimately we rotated tokens, assured user logins all had 2FA (which they mostly did), and sat tight. A bit anticlimactic but we managed to avoid something bad from happening. It also taught me the value of actually calling up a vendor when you suspect something odd.

Malvertising is a TTP that is difficult for end-users to understand. It's hard to identify and easy to fall for. We work hard to train and explain these things in terms that end users can understand, but to get someone to actually remember to think with security in mind for their day to day is difficult and not realistic. For our organization, we need browser level security. We are a Google Workspace shop, so we could do some management at a browser level in Chrome, but that is limited and not ideal. ZScaler or a full fledged MDM is probably going to be the solution for us. In the past month we had an end user that fell for this TTP when they googled “Amazon” and clicked on an ad that redirected them to a phishing site. The phishing site is meant to trick you into thinking you had to call “Microsoft Support”.

I have also attended several security conferences this year! – PancakesCon (virtually) – BSides Harrisburg – BSides Philadelphia – Secure World Philadelphia – Defcon 31 – JawnCon – Cybersecurity Summit – Hardford, CT

Attending all of these conferences throughout the year has been such a fun and exciting learning experience. I've networked, learned new skills, learned lockpicking, and I have even started doing talks of my own at Penn State!

I have spent a lot of time reading whitepapers and learning the granular things that comes to writing malware and exploits. I have tested these exploits against the environment at work and have learned a lot about remediation! I've learned how to program in Python, Rust, and C! I've learned the classic VirtualAllocEx –> WriteProcessMemory and why not to use it in new malware that I write. I have learned the inner workings of process injection as well. By no means am I an expert, but my understanding in all of this has dramatically increased over the last year. I plan to continue to learn more about malware, about defense evasion methods and more.

We are Google shop and with that we inherit GCP. I am quite impressed with GCP security. There are several out of the box configs that aren't super great, but you are able to lock things down pretty easily. I had implemented things like terraform scans back when I first started, but now we are ingesting a lot of really interesting data into Datadog. With Datadog, I am able to get alerts in real-time on what our K8s are doing and so much more. We have also integrated Datadog alerting into various Slack channels.

The beginning of 2024 is going to be busy. We are deploying our new phishing campaign out to end users, I am building another IR tabletop to do by the end of January, among other things. I am actually utilizing a bit of AI into building the template for my IR tabletop. Due to CitrixBleed being so popular, I think that is what our topic is going to be about.

2024 is going to be having several major projects such as: – LLM build out for IR training and input (more to come) – 2 IR tabletops (one Citrix, the other pending) – Better coding and reverse engineering skills – New training for all employees – More blog posts that have more value

I am so excited for more blog posts and projects! LETS GO!

Incident Response: Scam Attack Against Retail Stores

Yesterday our stores experienced a scam attack via phone call claiming to be from the IT department and wanting to test refunds on high value items in order to get free money. Later in the campaign, they change story to claim they were from a VoIP provider. Unfortunately, one or two stores fell victim, but many others remained vigilant.

As a response, our security team deployed the following: – Created a war room for the few members involved. – Sent out communications to all employees involved (we have internal tools for this) – Used OSINT to investigate the phone number being used (the threat actor was dumb enough to use the same number for all attempts). – Blocked the number through our provider (though changing number is obviously very easy. This was done because it was the only number being used at the time.) – Did EDR scans on all store PCs from people that called in. Side Note – This is where communication with non tech savvy people can be difficult. During the social engineering process, the person at the register is instructed to reach a point in the process where you have to enter a credit card number. Reports from one end user claimed the that cc number was entered in automatically by the threat actor on the phone. They claimed no other assistance was given to access the PC, no mouse movement was performed, just the number entry. This does not make any sense to me. I did the following to investigate, but found zero IoCs: – full EDR scan on the endpoint – PCAP review for any malicious connections – RMM software installations – ELK log review – folder review – confirmed scheduled tasks Nothing substantial was found to show that a threat actor had accessed the PC and entered in the cc number. Personally, I think the end user reporting this claimed it happened this way to protect themselves. Regardless, nothing was found.

Through good communication and best security practices we were able to get this incident under control relatively fast. A big take away from this is going to be ACL build out for the feature that allows for the access of refunds through manual entry. Too many people seem to have access to this feature by default.

There is an obvious pattern that must be brought up so we as analysts and blue teamers can remain vigilant. Threat actors are starting to realize how easy social engineering truly is and the power that comes with it. We must keep our end users aware of these threats and train them to question the true intentions of people when something doesn't feel right. Typically when your gut questions something, you're usually right. For our team, we are going to be working closely with our help desk team over the next few weeks to improve their verification process and social skills to learn when something malicious is happening. Happy Hacking!

Status Report

It feels good to be where I am. Over the past few months, I have been running a cybersecurity internship program. Last week that finally came to an end. It was a great learning experience for both the interns and myself. We got to see a lot of cool things and I think everyone grew. Now that there aren't interns to take up my time, I have been able to dive back into my projects and research and I feel so happy again. I am really starting to wrap up some outstanding projects.

Defcon: I attend Defcon 31 this year and learned a lot! It was a great experience and I am very happy to have gone. I created a presentation for work after cleaning up all my notes and had a really learned a lot. Now, I have a list of action items that came from the conference and my talk! Things like detection engineering and actually utilizing some of the tools that I was exposed to. I think my favorite talk was the Electron app TCC vuln that was disclosed.

Some other bits and bobs:

  • Tomorrow will be one year at my company and I AM SO HAPPY. Being a security analyst is something I've come to enjoy very much.
  • I managed to break my OpenVAS install after upgrading PostgreSQL. I ended up needing to update /etc/postgresql/14/main/postgresql.conf back to my originally configured port and restart the daemon. I also had to reassign the versioning that PostgreSQL was running in, because that failed to change properly after the upgrade as well.
  • I've gotten more into detection engineering as of late. We utilize Elastalert to send detection alerts to a Slack channel that has been built. This is a nice tool that can provide me information Sentinel One can't easily notify us of.
  • While it's nothing new, I've also been doing research into the Zerologon vuln for DCs. I am going to be downloading copies of some of our DCs and testing to confirm if we our patch is actually working as it should.
  • Our web app pen test is going to be wrapping up soon, where I will get a good look at where we stand from a security perspective on our app.
  • I've gained more forensics experience with analyzing PDFs and malicious word docs that have come in via email. It hasn't been anything too flashy just yet, but still a great experience.

For the rest of year, I have some goals set that I plan on achieving: – GCP training – GREP Cert – Better detections and more coding – BSides Philadelphia – One more good write up in 2023 about something valuable I learned. – My idea is a write up on how to efficiently exploit something like PDQ after post compromise.

Latest Updates and Projects

It's been a bit since I made a blog post, so I felt it was time to write down all of my latest updates. It's been a busy but fun past few months and I am excited to share everything that I have been working on!

Projects – Google API reporting script, Google Drive API PII scraping script, web app pen testing, router hacking, detection and alerting, cloud security engineer certification and more!

Google API reporting script: https://github.com/acrypthash/Google-Workspace-2FA-Report

This was a fun one. This python script generates a report that shows me any user that doesn't have 2FA enrolled and outputs it to a file. The goal was to make it “automated”, so I have added this script to a cron job on one of my servers that runs once a month. The output is then sent to a Slack channel for me to review at a later time. It has proven to be very useful!

Google Drive API PII combing script: https://github.com/acrypthash/Google-PII/tree/main

Again, another fun one. This one is still a work in progress This python script combs a Google Workspace tenant's drives for any documents that have PII. The reason for this script was because while Google can generate a report to show a quantitative value of how many files contain PII, they can't actually tell you which documents actually contain PII. The goal of this script is to actually output the file id and location.

Web App Penetration Testing: I have been working with some new vendors over the last few weeks to make arrangements for a web app penetration test to be done against one of our websites in the upcoming month. I have been learning a lot about what to look out for in these tests, what tests are to be done and most importantly, cost. Bishop Fox (https://bishopfox.com) has been one I am most forward to working with however budget is a bit of an issue on our side. I've also like their recent release of a tester to see if your Foritgate is vulnerable to CVE-2023-27997.

There is much that I have left out of this post, but I will end in mentioning that I am working on getting my cloud security engineer certification from Google. I am excited to add this one to my security belt.

What I have been up to

I got up a little early today to work on my to do list since I have been out working on other things as of late, however I decided it was time to update my blog with a quick snippet of what I have been up to lately.

Last week I attend a cybersecurity conference in my area called SecureWorld. I had a really fun time. I sat in on a bunch of very insightful talks that ranged from a FBI agent reviewing a crypto mining case to listening in on a panel about risk and how to communicate what risks are key in a business. I had the opportunity to talk to some vendors that our company has been utilizing for some time now as well. Overall, the time and money spent to attend was well worth it.

Yesterday, I also gave a talk at Penn State on Vulnerability Management with Data Driven Defenses. I had an absolute blast. I had spent a lot of time preparing in the past few weeks, practiced the talk to my dogs, and even did a test run with my team in our daily working session meeting. The students seemed interested throughout the whole talk and I even got a shirt and food from them at the end :D. I am most definitely going to be looking into doing more talks.

For now though, I need to get back to work. I have a many items and projects that were back burnered the past few weeks that require some attention. I also have a cybersecurity intern that will be starting with me at the end of next month. Until then, back to the grind stone. LETS GO!

Impacket and Kali Purple Hello again,

I wanted to provide an update on some things related to my career that I am super grateful and excited for. Yesterday I had my first review at my place of work and the team can't be more happy with the work that I have contributed. As a rebuttal, I feel the exact same way. It has been a great experience and I am learning so much every day. Okay enough of the mooshy stuff.

I have been putting in time on Kali Linux Purple (let's call it kalip for short) and so far it's been enjoyable. For whatever reason, after I started using kalip, I was attracted to the preloaded impacket library :D. For those of you who don't know, Impacket is a collection of Python classes that provides low-level programmatic access to network protocols like TCP, UDP, SMB, and NTLM. This is where my fun started.

I did my testing based off of the assumption that the end point is in a post compromise state. We use EDR, so the assumption will be made that hook was made or AMSI patch was done to elude detection. There were four scripts of interest: impacket-smbexec

impacket-wmiexec

impacket-ntlmrelayx

impacket-samrdump

impacket-smbexec is first. After you obtain either hashes or credentials, you can run this against an endpoint and have SYSTEM access. A very useful tool. I did find that while playing with an endpoint over smbexec, I caused the session to crash wile simultaneously running ntlmrelayx. Oddly and unrelated enough, I ended up not getting ntlmrelayx to work properly even after trying SMB authentication... That will be a work in progress.

Something that I am still trying to understand is why none of this traffic from smbexec was captured when I ran wireshark. Oddly enough, the IP of my attack machine was no where in the PCAP. I even confirmed network card and network settings were correct. I still have yet to trace any IoCs, but I am curious to see if there are any.

According to ChatGPT there are some to look into: – Network traffic: Impacket-smbexec may generate unusual network traffic that can be identified through packet capture analysis. This could include requests to unusual ports, unusual protocols, or to destinations that are not typically accessed by the user or system. – Process activity: Impacket-smbexec may spawn unusual processes on the system, or may run with unusual privileges or access levels that could suggest malicious activity. – Registry changes: Impacket-smbexec may modify the Windows Registry, which can be monitored for unusual changes or activity. – File system changes: Impacket-smbexec may create or modify files on the system, which can be monitored for unusual activity.

impacket-wmiexec has definitely been the most reliable and while utilizing WMI, it helps with not being traced. I haven't done much more than directory traversal with this tool, but this could help a TA none the less. A flaw that I found with this is you are also accessing the system at whatever privilege is set for the account that is authenticating with WMI. Privilege escalation would need to be done here, but this could be a useful form of lateral movement.

I am going to loop back when I have more time to write about the last two tools and clean up what I have already written. Cheers! ^–^

Inspiration from Conferences and Other Information Outlets

This is my first post on here, but I hope to use this tool as good practice for my end goal of writing a 2600 article. This post is going to just briefly touch on some inspiration behind what is motivating me to work towards the goal I just mentioned.

The next two months are quite busy in relation to security conferences. I attended BSides Harrisburg last weekend, PancakesCON is this upcoming weekend, and next month I am going to be attending SecureWorld. As a result of attending these conferences and continuing to read things like 2600 magazine, I found myself motivated to try and contribute where I can. This will help the security community by being another source of knowledge as well as help me better articulate my writing and thought process.

A subject that I haven't seemed to see much light on is data driven defenses and prioritization for Blue Teams. By learning and understanding things like the exploit-response cycle and risk misalignment, security teams can better manage their environment vulnerabilities and create action items based on tangible data. My goal of my brief article is going to help describe this for people and what we as defenders can do by utilizing more than just a high rated CVSS score.

After I wrote this I realized that I never made a whoami post on here. I will write one in a different blog post. Cheers! ^–^