EternalBlue: Exploit Analysis and Beyond

WHO AM I? Emma McCall Cyber Security Analyst @ Riot Games @RiotNymia on Twitter

JUST A LITTLE HISTORY
Black market intelligence auction, approx. August 2016. No bites.
April 14th 2017: a group calling themselves the Shadow Brokers dumped Equation Group (NSA) tools and exploits onto GitHub.

THE DUMP
Overall ~35 exploits and tools: SMB, SendMail, Kerberos, IIS. Targets from Windows XP through Windows 10.

THE DUMP
Of particular note were:
Fuzzbunch (exploitation framework)
DanderSpritz (command and control solution)
DoublePulsar (backdoor trojan)
EternalBlue (SMB exploit)

ETERNALBLUE
Where has EternalBlue been seen?
WannaCry ransomware
Adylkuzz viral crypto miner
Zealot (Apache Struts campaign)
Used for lateral movement in ALL cases.

JUST SOMETHING THAT POPPED UP
Slight segue to look at this one: an exploit for MDaemon pre v9.5.6. v9.5.6 was released in October 2006. Shodan check on 16th April 2017. Let's have a closer look at that number.

ETERNALBLUE
WHAT: an exploit for Windows Server Message Block (SMB), giving remote code execution on the victim machine. The vulnerable code is the SMBv1 server, but the exploit also sends SMBv2 requests, so both protocol versions show up on the wire.
HOW: exploitation targeted the following services: TCP 445 (microsoft-ds, SMB directly over TCP) and TCP 139 (NetBIOS Session Service).

ETERNALBLUE
First things first: how does SMB data transfer work?
A transaction (Trans2 / NT Trans) whose data is larger than the negotiated SMB MaxBufferSize is split: one primary request followed by Secondary requests, which the server buffers and reassembles.
HOW: the exploit hits a non-paged pool overflow in srv.sys (the SMBv1 server driver); SMBv2 allocations handled by srv2.sys are used to groom the pool around the overflowed buffer.
It sends a large NT Trans request filled mostly with zeros and continues it with Trans2 Secondary packets; a final malformed Trans2 packet carries the shellcode and the encrypted payload.

ETERNALBLUE
THEN WHAT: the initial payload is DoublePulsar.
Non-persistent (does not survive a reboot).
Customisable process name / command line.
Code execution via .dll or raw shellcode upload.
Initially uploaded DLLs came from two sources: created via DanderSpritz, or via Metasploit (Meterpreter).

Diagram labels: Attacker, Victim, Attacker.

ETERNALBLUE
TCP 445 on the internet? What about on your LAN?

WHAT CAN I DO?
NETWORK ANALYSIS
DETECTION CREATION
IMPACT IDENTIFICATION
MITIGATION ADVICE
BINARY ANALYSIS


NETWORK ANALYSIS
Run it... in a lab! https://medium.com/@xnymia for all your lab creation needs.
Sysinternals and Wireshark are your best friends.
Compare against known-good SMB traffic.
Look for irregularities and patterns across multiple samples.
Check the protocol docs.

NETWORK ANALYSIS
Interesting: the Multiplex ID.


DETECTION CREATION
We have four indicators now: Multiplex ID 64/65 and Multiplex ID 81/82. MID 64 is 0x0040, which appears as 40 00 (little-endian) in the SMB header.
Let's flex our learnings: Suricata IDS rules, Snort IDS rules.
alert tcp $HOME_NET any -> any any (msg:"exploit Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 - Tree Connect AndX MultiplexID = 64 - MS17-010"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|40 00|"; distance:21; within:23; flowbits:set,SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

DETECTION CREATION
SMB packet:
0010  <... Frame / TCP / IP headers ...>
0020  00 00 00 60 FF 53 4D 42 75 00 00 00 00 18 07 C0
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
0040  00 08 40 00 04 FF 00 60 00 08 00 01 00 35 00 00
0050  5C 00 5C 00 31 00 39 00 32 00 2E 00 31 00 36 ...
NetBIOS header: 00 00 00 60
SMB structure: "|FF|SMB|75 00 00 00 00|" (magic, command 0x75 = Tree Connect AndX, status)
Multiplex ID: "|40 00|" (last field of the 32-byte SMB header, payload offset 34)
SMB content: everything after the header

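The header layout behind the rule above, and the SMB1 request structure discussed under "how does SMB data transfer work", as an added Python example (this is not code from the talk). It decodes the SMB1 header at the offsets the rule relies on, checks the Tree Connect AndX bytes from the slide against the rule's two content matches, and keeps a per-flow "flowbit". The stage 2 condition (a later Trans2/NT Trans request in the same flow carrying MID 65, 81 or 82), the helper names and the zero-padding of the slide's packet are assumptions made for this example; the talk shows only the stage 1 rule.

```python
"""SMB1 header parsing and the multiplex-ID (MID) checks from the detection
slides, in plain Python so the rule's offsets can be verified against bytes.
Added example for this write-up; it is not code from the talk."""
import struct
from typing import Optional

NBT_HDR_LEN = 4      # NetBIOS session header: message type (1) + length (3, big endian)
SMB1_HDR_LEN = 32    # fixed-size SMB1 header (MS-CIFS 2.2.3.1)
SMB1_MAGIC = b"\xffSMB"

# SMB1 command codes named on the slides
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NT_TRANSACT = 0xA0
SMB_COM_NT_TRANSACT_SECONDARY = 0xA1
TRANS_CMDS = {SMB_COM_TRANSACTION2, SMB_COM_TRANSACTION2_SECONDARY,
              SMB_COM_NT_TRANSACT, SMB_COM_NT_TRANSACT_SECONDARY}


def parse_smb1(payload: bytes) -> Optional[dict]:
    """Decode the NetBIOS + SMB1 header at the start of one TCP payload."""
    if len(payload) < NBT_HDR_LEN + SMB1_HDR_LEN:
        return None
    nbt_len = int.from_bytes(payload[1:4], "big")
    hdr = payload[NBT_HDR_LEN:NBT_HDR_LEN + SMB1_HDR_LEN]
    if hdr[:4] != SMB1_MAGIC:          # SMBv2 starts with FE 'SMB' and is not handled here
        return None
    # Little-endian fields in MS-CIFS order; '4x' skips the magic bytes.
    (cmd, status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid_low, uid, mid) = struct.unpack("<4xBIBHH8sHHHHH", hdr)
    return {"nbt_len": nbt_len, "command": cmd, "status": status,
            "flags": flags, "flags2": flags2, "tid": tid,
            "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def stage1_tree_connect_mid64(payload: bytes) -> bool:
    """Byte-for-byte equivalent of the two content matches in the Snort rule."""
    # content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9
    if payload[4:13] != b"\xffSMB\x75\x00\x00\x00\x00":
        return False
    # content:"|40 00|"; distance:21; within:23 -- 21 bytes of gap plus the
    # 2-byte pattern is exactly 23, so the match is pinned to payload offset
    # 13 + 21 = 34: the MID field, the last two bytes of the SMB1 header.
    return payload[34:36] == b"\x40\x00"


def scan_flow(payloads) -> list:
    """Apply the staged logic to the client->server payloads of one TCP flow.
    Stage 1 is the slide's rule and sets the 'flowbit'. Stage 2 is an
    assumption made for this example (the talk does not show the follow-on
    rules): a later Trans2/NT Trans request in the same flow carrying one of
    the other suspect MIDs (65, 81, 82) raises the second alert."""
    alerts, flowbit_mid64 = [], False
    for p in payloads:
        h = parse_smb1(p)
        if h is None:
            continue
        if stage1_tree_connect_mid64(p):
            flowbit_mid64 = True
            alerts.append("stage1: Tree Connect AndX, MID 64")
        elif flowbit_mid64 and h["command"] in TRANS_CMDS and h["mid"] in (65, 81, 82):
            alerts.append(f"stage2: cmd 0x{h['command']:02x}, MID {h['mid']}")
    return alerts


def build_smb1(cmd: int, mid: int, body: bytes = b"") -> bytes:
    """Construct a minimal SMB1 request (constructed test data, not a real client)."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", cmd, 0, 0x18, 0xC007,
                                   0, b"\x00" * 8, 0, 0, 0xFEFF, 0x0800, mid)
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# The Tree Connect AndX bytes shown on the slide (64 bytes), zero-padded here
# (an assumption) to the 96-byte NetBIOS length so it parses as a full message.
TREE_CONNECT_FROM_SLIDE = bytes.fromhex(
    "00000060 ff534d42 75000000 001807c0"
    "00000000 00000000 00000000 0000fffe"
    "00084000 04ff0060 00080001 00350000"
    "5c005c00 31003900 32002e00 31003600"
) + b"\x00" * 36

if __name__ == "__main__":
    h = parse_smb1(TREE_CONNECT_FROM_SLIDE)
    print(f"command=0x{h['command']:02x} mid={h['mid']} uid=0x{h['uid']:04x}")
    print(scan_flow([TREE_CONNECT_FROM_SLIDE, build_smb1(SMB_COM_NT_TRANSACT, 81)]))
```

The within:23 detail is the check worth keeping in mind when you port the rule: it is distance plus pattern length, so the second content match can only land on the MID field and not on a stray 40 00 further into the body. A rule on MID alone will still fire on any legitimate client that happens to start its MIDs at 64, which is why the talk stages it behind a flowbit rather than alerting outright.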


IMPACT IDENTIFICATION What is actually vulnerable? Run it. In lots of labs!

IMPACT IDENTIFICATION What has already been compromised? Scan the internet?


MITIGATION ADVICE
How can we help others mitigate? Patching can be difficult. What other options can we offer? Disable SMBv1?
What did Riot do? Suricata detections. No external SMB. Firewalled inbound SMB on workstations.


BINARY ANALYSIS
Sometimes it is worthwhile disassembling. The simplest things are right under your nose.

AND BEYOND
So shit's going down, what can I do? Get a lab set up. Grab a sample. Run it. Don't be too afraid.
What can I do with this data? Blogging, tweeting, IRC / Slack / Discord.
A few don'ts for good measure: don't work in a silo, talk to people. Don't run dodgy files on your main machine. Be heard.

THE GANG Dan Tentler @Viss DEY! @ronindey Kevin Beaumont @GossiTheDog Emma McCall @RiotNymia