SOAR Product Research

From an engineer's perspective, Security Orchestration, Automation and Response (SOAR) products are incredibly enticing in that they offer the ability to automate the technical aspects of your day-to-day work while also streamlining the decision making and triage process.

API integrations:

A very appealing piece of SOAR products is that they offer API integrations that you can use to automate responses to alerts or for alert enrichment. A lot of the time I would have to connect to an API, perform the logic and get into the code, so to speak, in order to make something happen. The ultimate promise of SOAR is that we don't have to do this: a no-code/no-programming experience.

Most vendors provide a list of the integrations they have. Although this doesn't exactly list out what capabilities each integration has, it is good to know that the vendor has been developing integrations for your organization's particular product suite, or covers most of it. Some vendors might not have as many capabilities or may lean on community-developed extensions.

Use Cases:

  • Automated phishing investigations, from alerts to purges
  • Enhance alert investigations by providing additional context data that would otherwise be gathered manually by a SOC analyst
  • Automate threat hunting cases by pulling data from all your disparate tools
  • Automate IOC lookups in threat intel platforms like VirusTotal or Talos Intel
  • Automate user permission validation and account disables
  • Automate provisioning/deprovisioning beyond just your Active Directory environment, i.e. your payroll app too
  • Automate the malware incident response steps: identify, investigate, contain and remove

Chat-bot Operations:

Some of the vendors offer a chat operation to send alerts that bubble up to your team via either Microsoft Teams or something like a Slack group chat.

Integration lists from different SOAR vendors

Resources:

https://www.rapid7.com/info/security-orchestration-and-automation-playbook/

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-new-code-free-options-to-connect-with-Microsoft/ba-p/328730

Penetration Testing for OSCP – Guide 2

The guide touches on searching for exploits, getting/using reverse shells, escalating to Administrator accounts on Windows/root on Linux, pivoting across networks, attacking a Windows domain, password cracking techniques, exploit testing, post-root/admin actions and more.

Please follow the entire guide on my GitHub account (see link below). I can more readily and easily display Markdown files there, which makes for a much easier conversion from my Jupyter Notebooks, where I build most of my documentation.

https://github.com/DevilSquidSecOps/PentesterOps/blob/master/pentester_guide2_Shells-PrivEsc-Pivoting.md

Automated .ps1 scripts with Task Scheduler

Action Options to run a script in Task Scheduler.

  • Program/Script: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
  • Arguments: -File .\Copy-Jobs_SB.ps1
  • Start in (path): C:\Anaconda3\Notebooks\MyScriptsTEST

Schedule Setup

Pretty simple outline in the GUI. Use the "Run now" button to verify the task actually works before relying on it to run on a schedule.

Use Secure Strings to at least hide the plain-text passwords or keys you use in your scripts. Remember that you must generate a Secure String with the account that will be running the script.

Also make sure to run these automated scripts from a secured server. No one other than yourself or the security team should be able to easily connect and read them.

Troubleshooting non-working scripts

Troubleshooting a service account issue, for instance when you originally tested with a different account (like your personal admin user account).

Use a Try/Catch block in your .ps1 script when you can't tell what is getting caught up while Task Scheduler runs the script. This happened to me when configuring a production service account to run a script that I had originally tested with my user account. After verifying the script ran, I found out it was getting caught up in the translation of a Secure String I had created with my user account. These Secure Strings need to be generated by the account that runs the script.

Try {
    # <DO SOMETHING>: the work the scheduled script performs goes here.
    # Use -ErrorAction Stop on cmdlets so non-terminating errors are caught as well.
}
Catch {
    # Assign variables to the built-in exception results and print them to a log
    $ErrorMessage = $_.Exception.Message
    $FailedItem   = $_.Exception.ItemName    # only populated by some exception types
    $hrresult     = $_.Exception.HResult
    $stacktrace   = $_.Exception.StackTrace
    Add-Content c:\temp\log.txt "second error message was: $ErrorMessage Failed Item was: $FailedItem `nstacktrace was: $stacktrace $hrresult"
}
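As an added example (not code from the original post): generating the Secure String under the account the task runs as, and reading it back in the scheduled script with the Try/Catch pattern above, so that a DPAPI failure caused by the wrong account lands in the log instead of silently killing the task. The file paths, the service account name and the log location are assumptions.

```powershell
# Added example, not from the original post. Paths, account and log file are assumptions.
$SecretFile = 'C:\Scripts\secure\api-key.txt'   # assumed location of the protected secret
$LogFile    = 'C:\temp\log.txt'                 # same log file the post writes to

# One-time setup: run this interactively AS the account the task will run under, e.g.
#   runas /user:DOMAIN\svc_jobs powershell.exe
# ConvertFrom-SecureString (with no -Key) encrypts with DPAPI, which is keyed to the
# user profile and the machine, so the blob is only readable by that account there.
function Save-ScheduledSecret {
    param([string]$Path)
    $secure = Read-Host -Prompt 'Secret to protect' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path
}

# Runtime: called from the scheduled .ps1. If a different account (or machine) runs
# the task, ConvertTo-SecureString throws a CryptographicException; the catch block
# records who failed and why, then rethrows so the task shows a non-zero last run
# result instead of "succeeding" with no work done.
function Get-ScheduledSecret {
    param([string]$Path)
    try {
        $blob = @(Get-Content -Path $Path -ErrorAction Stop)[0]
        return ConvertTo-SecureString -String $blob -ErrorAction Stop
    }
    catch {
        $who  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $line = '{0} {1} could not decrypt {2}: {3} (HResult 0x{4:X8})' -f (Get-Date -Format s), $who, $Path, $_.Exception.Message, $_.Exception.HResult
        Add-Content -Path $LogFile -Value $line
        throw
    }
}

# In the scheduled script: build a credential from the recovered secret.
# $cred = New-Object System.Management.Automation.PSCredential(
#     'DOMAIN\svc_jobs', (Get-ScheduledSecret -Path $SecretFile))
```

Run Save-ScheduledSecret once from a shell started as the service account, then the task only needs read access to the secret file.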





Below is an example of the exceptions logged that traced my issue to the Secure String being used.

Future Improvements:

  • Run automated scripts using a Managed Service Account (MSA)

Finding a Microsoft KB in a Cumulative Update

  • Windows patches linked to Knowledge Base articles or MS bulletins roll up, become unavailable as a hot-fix/single update file and go into a cumulative update. This can pose an issue when your deployment system, like SCCM or BigFix, no longer has the update to push to machines, since these systems follow Microsoft's patch catalog, from which old updates get rolled up and removed. It becomes a problem when you're trying to force-patch machines that may be vulnerable to malware the patch fixes, and you can't readily find which patch to use because the KB that originally fixed the vulnerability is no longer available as a single update.
  • Although keeping all machines up to date is best practice, it can become an issue when legacy applications begin to break, and if settings allow users to delay updates, a population of unpatched machines is likely to arise.
  • Windows 10 patches are normally included in new versions, so updating works, but if you want to find a specific KB or MSXX-xxxx bulletin you can search the known cumulative updates.

Find your security vulnerability bulletin:

MS17-010: Google search it and go to the MS site https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010. Follow it to the KB used to install on Win10 1511 x64 machines, https://support.microsoft.com/eu-es/help/4013389/title, where you'll find the install instructions give KB4013198 as the actual file needed.

Search for this in the MS Update Catalog, but you'll have to do it by cumulative update since this one is older and has been rolled up.

  • Go to: http://www.catalog.update.microsoft.com
    o Search for "windows 10 version 1511" and filter by last updated
    o Look for the latest cumulative update for the version and arch.
    o Search for the KB installer "KB4013198" under "Update Details" > "Package Details", using Ctrl+F for quick finds


Finding the cumulative update in BigFix so you can install it on machines.
Go to:

https://YourBesServer.domain.com > log in > Apps > Patch > search by the KB name of the cumulative update you found, "KB4093109"


From here you can see that it is available, and you can deploy it to vulnerable machines to patch them against the SMB exploits.

Installing MDT 2013 for a Windows 10 2016 LTSB Deployment

Video: https://youtu.be/uuFih16LOc4

WINDOWS 10 DEPLOYMENT REQUIREMENTS FOR MDT AND UPGRADING FROM OLDER VERSIONS

MDT:

Req: MDT 2013 Update 2 (6.3.8330), version 8443, is needed to support the 1607 build of Win 10, which is used for LTSB 2016

Upgrading: MDT 2012 needs to become MDT 2013 (an in-place install can be done to upgrade after the ADK version is installed)

Install: https://www.microsoft.com/en-us/download/details.aspx?id=54259

ADK:

Req: ADK for Windows 10

Install: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit

If the ADK for Windows 8.1 or older is installed, uninstall it first.

For the LTSB 2016 edition of Win 10 you will need the ADK for that version, known as the ADK for version 1607.

CHECKING YOUR WINDOWS 10 VERSIONS

https://technet.microsoft.com/en-us/windows/release-info

- Use the cmd > set command; at the top it'll tell you your build. Compare it to the chart in the link above.




The Cerber File Encrypting Virus

Screen shots: CerberRansom, CerberRansom1 (images not preserved)

Ran into this bad boy today. I was reviewing the code from the GitHub dump I found here: https://gist.github.com/hasherezade/628928248e8e6c8dae04#file-config-json-L453

I was concerned that it would also infect file shares, but from what I can see it doesn't touch them. After a user infected a computer here on our network it looks like nothing else has been touched, but all the files on her computer display messages like this:

(screenshot: Cerber Virus)

Every file is basically encrypted until you pay the sons of guns.

Basic Steps on handling this type of problem:

  1. Verify none of your other networked file shares have been infected and run a full virus scan of the shares just to be safe. So far I haven't heard of Cerber jumping to any networked shares, so it keeps things local to the machine, which means it is mainly targeting end users. Here is a snippet of code from the above link that leads me to believe it only keeps things local, since it's the only reference to any directories it makes:

     "folders": [
         ":\\$recycle.bin\\", ":\\$windows.~bt\\",
         ":\\boot\\", ":\\drivers\\",
         ":\\program files\\", ":\\program files (x86)\\",
         ":\\programdata\\", ":\\users\\all users\\",
         ":\\windows\\", "\\appdata\\local\\",
         "\\appdata\\locallow\\", "\\appdata\\roaming\\",
         "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\",
         "\\public\\videos\\sample videos\\", "\\tor browser\\"
     ]

  2. Next step is to burn the infected machine (just re-image it). Users might ask for the files, in which case they can pay the ransom if it's that important: something like 2 bitcoins or $500 if you pay up before it doubles on you every week. One other thing users have asked me is whether they can at least see the files they lost, in which case you're going to be taking a picture of the computer screen, because there are no safe bets I would take making any kind of digital bridge to that computer (i.e. plugging in a USB stick or taking a snapshot to transfer to a USB stick).
  3. Final step is to replace the user's PC and restore their files. That is, if you back them up!

UPDATE:

Confirmed with the Talos Security group that this is not decryptable as of yet.




Distribute Adobe Creative Cloud Package with SCCM 2012 With Device License

So if you have ever had to do this, you will first have to deal with the legal side of the software. With Adobe you can order a Device or User license.

User licenses are the easiest to deal with because you don't really manage them other than giving a user the license.

With a device license, however, we need to specifically create a package using Adobe's Creative Cloud Packager, with which we download the software we want, i.e. Premiere, Photoshop, etc. Then we can create an MSI file from that to distribute in SCCM 2012.

So check it out, I have a video for this :)

-Sorry for the Blurred parts, for security purposes

-If there are questions, post in the comments and I’ll reply.

  1. Download Creative Cloud Packager to the local HD
  2. Run CC Packager and select the option to create a package for Teams and Educational licenses (otherwise you won't get the Device License option)
  3. Use the program to download and create a package of the Adobe programs you want
  4. Import it into SCCM as an application
  5. Distribute to your device collection as needed. The applications should afterwards run without requiring the device to sign into the Cloud




Dell OptiPlex 9010 Driver Signing Issue

Description: Dell's OptiPlex 9010 PCs will sometimes end up with unsigned drivers, and the Windows 7 operating system won't use them, rendering the keyboard and mouse useless.

Steps to Take:

You can verify this issue by checking your device drivers and looking for the problematic drivers (Start Menu > right-click My Computer > Manage > Device Manager).

Quick workaround: restart your PC and spam the F8 key to get into the Advanced Boot menu. Then choose to start with driver signature enforcement disabled. This should boot to Windows with generic drivers, and the keyboard and mouse should be working again.

Now the fix: replace the affected drivers with good drivers. First you will need to copy the drivers from a working PC into a share somewhere.

We will need to install the Unlocker.exe program, or whatever you choose, to be allowed to rename the driver files here: %windir%\System32\drivers

Rename the affected drivers to .OLD and replace them with the good drivers (click on the pic for the drivers to pull). Pull the good drivers from a working PC.

(screenshot: dell9010, the list of driver files to pull)

Copy and paste the good drivers into the drivers directory and restart the PC. Voilà, all good :)

UPDATE: seems to have been an issue related to KB2913431

Remove the update from the PCs and make sure it doesn't get distributed via WDS or SCCM.

ref: http://answers.microsoft.com/en-us/windows/forum/windows_7-update/usb-mouse-and-keyboard-stop-working-after-i/1c7355c7-a3d4-434a-a63c-65847b2e820d

 

UPDATE: A colleague and I wrote a script for the process. Save this into a .bat file and it's automated for you! Just remember to edit the part where you enter your server name when mapping the share to copy the files from.

@echo on
rem * Run from an elevated (Administrator) command prompt: takeown and icacls need it *
rem * Take ownership of files and make the local Administrators group the new owner *
takeown /f c:\windows\system32\drivers\iusb3hub.sys /a
takeown /f c:\windows\system32\drivers\iusb3xhc.sys /a
takeown /f c:\windows\system32\drivers\usbccgp.sys /a
takeown /f c:\windows\system32\drivers\usbd.sys /a
takeown /f c:\windows\system32\drivers\usbehci.sys /a
takeown /f c:\windows\system32\drivers\usbhub.sys /a
takeown /f c:\windows\system32\drivers\usbport.sys /a

rem * break inheritance, grant modify permission to the local Administrators group *
icacls c:\windows\system32\drivers\iusb3hub.sys /inheritance:r /grant:r "Administrators":M
icacls c:\windows\system32\drivers\iusb3xhc.sys /inheritance:r /grant:r "Administrators":M
icacls c:\windows\system32\drivers\usbccgp.sys /inheritance:r /grant:r "Administrators":M
icacls c:\windows\system32\drivers\usbd.sys /inheritance:r /grant:r "Administrators":M
icacls c:\windows\system32\drivers\usbehci.sys /inheritance:r /grant:r "Administrators":M
icacls c:\windows\system32\drivers\usbhub.sys /inheritance:r /grant:r "Administrators":M
icacls c:\windows\system32\drivers\usbport.sys /inheritance:r /grant:r "Administrators":M

rem * rename the "bad" files *
ren c:\windows\system32\drivers\iusb3hub.sys iusb3hub.sysOLD
ren c:\windows\system32\drivers\iusb3xhc.sys iusb3xhc.sysOLD
ren c:\windows\system32\drivers\usbccgp.sys usbccgp.sysOLD
ren c:\windows\system32\drivers\usbd.sys usbd.sysOLD
ren c:\windows\system32\drivers\usbehci.sys usbehci.sysOLD
ren c:\windows\system32\drivers\usbhub.sys usbhub.sysOLD
ren c:\windows\system32\drivers\usbport.sys usbport.sysOLD

rem * map drive with the "good" files (edit the server name and share path) *
net use z: "\\YourServer\Location Of Good Driver Files"

rem * copy the "good" files to the local computer *
copy z:\iusb3hub.sys c:\windows\system32\drivers\iusb3hub.sys
copy z:\iusb3xhc.sys c:\windows\system32\drivers\iusb3xhc.sys
copy z:\usbccgp.sys c:\windows\system32\drivers\usbccgp.sys
copy z:\usbd.sys c:\windows\system32\drivers\usbd.sys
copy z:\usbehci.sys c:\windows\system32\drivers\usbehci.sys
copy z:\usbhub.sys c:\windows\system32\drivers\usbhub.sys
copy z:\usbport.sys c:\windows\system32\drivers\usbport.sys

rem * remove the drive map *
net use z: /delete

rem * reboot local computer *
shutdown -r -t 0 -f

-BolivianGene