Search results for Rules Variables
T3SF - Technical Tabletop Exercises Simulation Framework
T3SF is a framework that offers a modular structure for the orchestration of events based on a master scenario events list (MSEL), together with an optional set of rules defined for each exercise and a configuration that defines the parameters of the corresponding platform. The main module communicates with the platform-specific module (Discord, Slack, Telegram, etc.), which presents the events as injects in the input channels of that platform. In addition, the framework supports different use cases: "single organization, multiple areas", "multiple organization, single area" and "multiple organization, multiple areas".

Getting Things Ready

To use the framework with your desired platform, whether it's Slack or Discord, you will need to install the required modules for that platform. Installing these modules is easy and straightforward: follow this step-by-step guide, or, if you're already comfortable installing packages with pip, skip to the last step.

    # Python 3.6+ required
    python -m venv .venv          # create a Python virtual environment
    source .venv/bin/activate     # activate it
    pip install -U pip            # upgrade pip

Once you have created and activated the virtual environment, install the T3SF framework for your platform:

    pip install "T3SF[Discord]"   # install the framework to work with Discord
    pip install "T3SF[Slack]"     # install the framework to work with Slack

This installs the T3SF framework along with the required dependencies for your chosen platform. Once the installation is complete, you can start using the framework with your platform of choice. We strongly recommend following the platform-specific guidance in our Read The Docs: Discord, Slack, Telegram, WhatsApp.

Usage

We created this framework to simplify all your work!
Using Docker

Supported tags:
slack: this image has all the requirements to perform an exercise in Slack.
discord: this image has all the requirements to perform an exercise in Discord.

Using it with Slack

    $ docker run --rm -t --env-file .env -v $(pwd)/MSEL.json:/app/MSEL.json base4sec/t3sf:slack

Inside your .env file you have to provide the SLACK_BOT_TOKEN and SLACK_APP_TOKEN tokens. Read more about it here. There is another environment variable to set, MSEL_PATH, which tells the framework where the MSEL is located. By default, the container path is /app/MSEL.json; if you change the mount location of the volume, also change the variable.

Using it with Discord

    $ docker run --rm -t --env-file .env -v $(pwd)/MSEL.json:/app/MSEL.json base4sec/t3sf:discord

Inside your .env file you have to provide the DISCORD_TOKEN token. Read more about it here. As with Slack, MSEL_PATH tells the framework where the MSEL is located; the default container path is /app/MSEL.json, so change the variable if you change the mount location.

The bot and app tokens are credentials for your chat workspace: keep the .env file out of version control and out of the image itself, and pass it only at run time with --env-file as shown above.

Once you have everything ready, use our template for the main.py, or modify the following code. Here is an example if you want to run the framework with the Discord bot and a GUI:

    from T3SF import T3SF
    import asyncio

    async def main():
        await T3SF.start(MSEL="MSEL_TTX.json", platform="Discord", gui=True)

    if __name__ == '__main__':
        asyncio.run(main())

Or, if you prefer to run the framework without a GUI and with Slack instead, just change the arguments. Yes, that simple!

    await T3SF.start(MSEL="MSEL_TTX.json", platform="Slack", gui=False)

If you need more help, you can always check our documentation here!

Download T3SF
Source: KitPloit
LSN-0099-1: Kernel Live Patch Security Notice
It was discovered that the Xen netback driver in the Linux kernel did not properly handle packets structured in certain ways. An attacker in a guest VM could possibly use this to cause a denial of service (host NIC availability). (CVE-2022-3643)

It was discovered that the virtual terminal driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2023-3567)

It was discovered that the universal 32bit network packet classifier implementation in the Linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the network packet classifier with netfilter/firewall marks implementation in the Linux kernel did not properly handle reference counting, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly handle table rules flush in certain circumstances. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-3777)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly handle rule additions to bound chains in certain circumstances. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-3995)

It was discovered that the netfilter subsystem in the Linux kernel did not properly handle PIPAPO element removal, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-4004)

Bing-Jhong Billy Jheng discovered that the Unix domain socket implementation in the Linux kernel contained a race condition in certain situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux kernel did not properly validate inner classes, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4623)

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel did not properly validate register length, leading to an out-of-bounds write vulnerability. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-4881)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly handle removal of rules from chain bindings in certain circumstances, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-5197)

Gwangun Jung discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-31436)

Ross Lagerwall discovered that the Xen netback backend driver in the Linux kernel did not properly handle certain unusual packets from a paravirtualized network frontend, leading to a buffer overflow. An attacker in a guest VM could use this to cause a denial of service (host system crash) or possibly execute arbitrary code. (CVE-2023-34319)

It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle L2CAP socket release, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-40283)

Kyle Zeng discovered that the networking stack implementation in the Linux kernel did not properly validate skb object size in certain conditions. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-42752)

Kyle Zeng discovered that the netfilter subsystem in the Linux kernel did not properly calculate array offsets, leading to an out-of-bounds write vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Source: Ubuntu security notices
Microsoft deprecates Defender Application Guard for Office
Microsoft is deprecating Defender Application Guard for Office and the Windows Security Isolation APIs, and it recommends Defender for Endpoint attack surface reduction rules, Protected View, and Windows Defender Application Control as an alternative. [...]

Source: BleepingComputer
USN-6514-1: Open vSwitch vulnerability
It was discovered that Open vSwitch did not correctly handle OpenFlow rules for ICMPv6 Neighbour Advertisement packets. A local attacker could possibly use this issue to redirect traffic to arbitrary IP addresses.
Source: Ubuntu security notices
Unfolding Remcos RAT- 4.9.2 Pro
Malware Analysis of Remcos RAT: Exploitation and Detection Explained

Executive Summary

SHA256 hash: 2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3f

Remcos is a commercially available Remote Access Tool (RAT) marketed for legitimate use in surveillance and penetration testing. However, it has been leveraged in many unauthorized intrusions. When deployed, Remcos establishes a backdoor that gives the operator full remote control over the affected system. The tool is a product of BreakingSecurity, a company selling security software.

Attackers are getting smarter, using tricks such as obfuscating their code and adding decoy code, which makes it harder for analysts to work out how an attack works. They use image files and compression to disguise their payloads. YARA rules are given in the Rules & IOCs section below. The malware sample and hashes have been submitted to VirusTotal for further examination.

High-Level Technical Summary

Remcos reaches a computer through a chain of hidden stages, starting with a malicious file that can be delivered by mail or by a dropper. It hides its next stage inside an image file, then uses another DLL to make sure it survives a restart. Remcos records keystrokes to steal passwords and other private information, which it logs to a file. It stays in contact with the operator's server to send out this stolen information and to receive new commands, giving the operator continuous control over the infected computer.

Malware Composition

This Remcos sample consists of the following components:
2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3f
Embedded_Remcos.exe

In the C# dropper, the malware developers hide the malicious code inside the InitializeComponent() method. This method is normally used only to set up how the application looks (buttons, menus and so on), so the malicious code looks just like regular setup code and is easy to overlook: something harmful hidden inside something trusted. This makes the problem hard to find and fix, and it shows how attackers can use parts of an application we usually trust to do sneaky things.

It extracts a byte array from a resource (a file or other data embedded in the application) and generates another byte array from a hard-coded string. The code sets up the form's user interface and then performs an operation on the data resource ("SHP") using the generated key. The _data before decryption looks like this. The for loop processes the Data_ array byte by byte, modifying each byte based on a calculation involving both Data_ and KeyGen. The calculation uses bitwise XOR (^), addition and modulo operations; it appears to be a decryption routine in which Data_ is transformed with the KeyGen byte array.

First, a MethodBase object named methodBase is assigned the value kb. The MethodBase class in C# is part of the System.Reflection namespace and is used to discover information about methods (constructors and other methods) at runtime. Then, an object array named array is created and initialized with string values: this.VC, this.VR and the literal string "Boilerplate". VC and VR are private string fields of the class, initialized to "57775972" and "6C7978", respectively. Finally, the Invoke method on methodBase is called with obj and array as arguments, so the method represented by methodBase is executed with obj as the target and the string array as the parameters. Before the Invoke, a binary had already been loaded successfully into the modules list, and looking closely at kb.FullName it is calling the dr.hA.wP method in the Ben DLL.

Ben DLL

By adding a breakpoint after the module is loaded, we catch it in the debugger. The code performs image processing, uses reflection to invoke a method, and dynamically loads an assembly from a byte array. This kind of operation is typical in applications that need to manipulate images, dynamically execute code, and potentially load plugins or modules at runtime. It sleeps for 16 seconds.

new MemoryStream(array2): creates a new MemoryStream object using array2 as its buffer. array2 is a byte array (byte[]) containing data compressed with the GZip algorithm. A MemoryStream is a stream backed by a memory buffer, allowing reading from and writing to memory.

new GZipStream(...): creates a new GZipStream object. The GZipStream class compresses and decompresses data in the GZip format. Here it is constructed with the MemoryStream created above and CompressionMode.Decompress, so the GZipStream is used to decompress the data contained in array2. This is part of a process of dynamic loading and reflection: it reads the data from the MemoryStream, uses it to load an assembly, and then retrieves a specific type from that assembly.

Rd is designed to dynamically load a .NET assembly from a byte array, denoted u0020. It employs a nested infinite loop with a switch statement for control flow. Initially it attempts to load the assembly using Assembly.Load(u0020). The flow is influenced by the result of global::dr.hA.EV(), a method whose purpose is unclear. If EV() returns a non-null value, the method exits the loop prematurely via a goto statement. The coding style, with unconventional variable names and convoluted looping, indicates obfuscation intended to conceal the actual functionality and make reverse engineering harder.

ReactionDiffusion

After the assembly is loaded, a new binary appears in the modules list with the name ReactionDiffusion. The MemoryStream is then disposed, which means its work is done; the code will now move on to the next binary. After that it also disposes the GZip stream that was used to obtain the binary. Now let's track where it goes next in ReactionDiffusion. Inspecting the type of the object it points to shows the destination namespace and class. Since there were no method calls from the previous binary, we set a breakpoint on the constructor, and it hit exactly there. There was nothing useful in ReactionDiffusion; it appears to be decoy code. Let's see what the Ben binary does next: in case 8 it gets a bitmap from resources.

RS Method

The RS method retrieves a Bitmap image from resources using reflection and obfuscated code patterns. It starts by declaring a ResourceManager to access embedded resources, using a resource name constructed from the first string parameter, u0020. This parameter, along with a similarly named second parameter, is used in a nested infinite loop with a switch statement. The Bitmap is obtained by global::dr.hA.rY, which extracts the image from the resources. The control flow includes checks with global::dr.hA.EV() and global::dr.hA.m3(), whose purposes are unclear but which influence the decisions within the method. The use of obfuscated names (like u0020) and convoluted control flow suggests an intent to mask the code's functionality.

Loading the assembly from a byte array

It defines a private static method named Rd that takes a byte array u0020 as its parameter and initializes an integer num with the value 1. Inside an infinite loop (for (;;)) the code:
a. declares a variable num2 and assigns it the value of num;
b. enters another loop (for (;;));
c. within the inner loop, runs a switch statement with two cases:
Case 1: attempts to load an assembly using Assembly.Load(u0020), where u0020 is the byte array passed to the method. If the assembly loads successfully, it sets num2 to 0. It then checks whether global::dr.hA.EV() is not null; if it is not null, the code proceeds to the Block_1 label. If global::dr.hA.EV() is null, it exits the loop and returns the loaded assembly.
Default case: returns the assembly variable, which was assigned earlier in the code.
d. The Block_1 label marks the point where the code continues if global::dr.hA.EV() is not null; it contains no specific logic in the provided snippet.

Tyrone

It looks like another binary is coming: another DLL loaded in the modules list with the name Tyrone. It invokes AJBqklj3Jn from Tyrone (YcMqTyPiynJnoycycL.MhMHeAYqAZ6AJWSu3o). This is more obfuscated than the previous binaries.

It checks for the presence of a named mutex, "wnmJOXavioKPdkNYG", which malware commonly uses to ensure only one instance runs. It tries to open the mutex; if it does not exist, the open throws an exception and execution continues. If it does exist, the process ends itself on the next line.

Creating Mutex: it creates a new Mutex object with the name "wnmJOXavioKPdkNYG". Mutexes are synchronization primitives used to control access to shared resources among multiple threads or processes.

All of this was to get the path of AppData and append "EiHjExP.exe" to it: C:\Users\<username>\AppData\Roaming\EiHjExP.exe. If the file is not already there, it copies itself to that location.

Change Directory Permission

It adds access control entries to the DirectorySecurity object using the MhMHeAYqAZ6AJWSu3o.PR6qMi9p2U method. These entries define permissions for specific file system rights (Read, ReadAndExecute, Delete, Write, etc.) with different access control types (Allow, Deny), set for various inheritance and propagation flags that determine how permissions are inherited by child objects. It removes the current user's rights to change or write the file. As you can see, the permissions are now denied. Remcos does this to protect the dropped copy from being modified or deleted from disk.

Then it fetches a base64-encoded text from the modules of the Tyrone binary. I decoded this string with https://www.base64decode.org/ and it turned out to be XML; there is decoding code for it inside Remcos as well. Then a function is called to deal with Microsoft Defender. This function decodes the text fetched from the module, creates a new process, assigns a new StartupInfo to it with the file name "powershell" (also fetched from the module), and passes the following argument string:

    Add-MpPreference -ExclusionPath "C:\Users\shaddy\AppData\Roaming\EiHjExP.exe"

The process window is set to hidden.

Windows Defender Exclusion

The path is added to the exclusions, but keep in mind that I was running the sample as admin; if the analysis is not performed as admin it will not be able to add the exclusion, since no privilege escalation has been performed so far.

Path.GetTempFileName() returns a string representing a unique temporary file name, generated from the temporary directory path and a unique identifier, making it highly unlikely to clash with other temporary files on the system. It gets the identity of the current user and the exe path to update the XML; at the breakpoint it is updating the XML and saving it in the text variable. The clean XML code.

Persistence

It then writes the whole XML to the tmp file, loads the task-scheduling command from the modules, and sets the process StartupInfo. The process is executed with the window style hidden, the file name "schtasks.exe" and the following arguments:

    /Create /TN "UpdatesEiHjExP" /XML "C:\Users\shaddy\AppData\Local\Temp\tmp66E3.tmp"

This command creates a new scheduled task named "UpdatesEiHjExP", configured from the XML file at C:\Users\shaddy\AppData\Local\Temp\tmp66E3.tmp; the task triggers the exe after every system restart. Then it deletes the tmp file.

After that it loads a new assembly, "xF7siMsac", from its resource manager. It injects this final binary and executes it. Let's look at the injection inside Process Hacker: another binary extracted and deobfuscated from resources.

Remcos / 5th stage

After saving the binary from u0020 it looks exactly like a client agent built from the original Remcos builder at hxxps://breakingsecurity.net/remcos/. The logo is also the same, but its signature was not present in any online threat intelligence:
https://www.virustotal.com/gui/search/f55fc4f4e1bcbe957d20750f56cd98869c717c18c14c8b6d42698557b254ad51

This final stage was developed in C++. Before analysis, when we ran a strings filter, there was something linking it to Remcos; this pattern appears in almost every Remcos RAT. Now let's start the debugger to look further. We can see some more identifiers. It starts by calling the GetAddrInfoW API, which resolves rungmotors20.ddns.net:60247. GetAddrInfoW is a Windows API function used for network operations.
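The Defender exclusion and scheduled-task steps described above leave a clear trace in process-creation telemetry. The following is an added example, not code from this write-up: it runs over a few constructed Sysmon-style process-creation records (the user name alice, the parent process invoice.exe and the paths in the sample records are assumptions made for the demo) and flags the three host-side behaviours the analysis describes, then correlates them by parent process so that one alert covers the whole chain.

```python
"""Detect the Remcos persistence chain in process-creation telemetry.

Added example; it is not code from the write-up above. It runs over a few
constructed Sysmon-style process-creation records (the user name, parent
process and paths are made up for the demo) and flags the host-side steps
the analysis describes: a hidden PowerShell Add-MpPreference call that
excludes a copy under AppData\\Roaming from Defender, schtasks.exe /Create
importing task XML from the user's Temp directory, and the dropped copy
itself later running from AppData\\Roaming.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the process that created it


# A quoted value may contain spaces; an unquoted one runs to the next space.
_QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+" + _QUOTED_OR_BARE, re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"/Create\b", re.IGNORECASE)
SCHTASKS_XML = re.compile(r"/XML\s+" + _QUOTED_OR_BARE, re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _arg(match):
    """Return whichever alternative of _QUOTED_OR_BARE matched."""
    return match.group(1) or match.group(2)


def classify(ev):
    """Return the technique tags one event satisfies (empty list if benign)."""
    tags = []
    image = ev.image.lower()
    if ROAMING_EXE.search(ev.image):
        tags.append("exe_in_appdata_roaming")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        m = MP_EXCLUSION.search(ev.command_line)
        if m:
            # Any exclusion added from a command line is worth a look; an
            # exclusion for an executable under Roaming is the Remcos pattern.
            if ROAMING_EXE.search(_arg(m)):
                tags.append("defender_exclusion_roaming_exe")
            else:
                tags.append("defender_exclusion")
    if image.endswith("schtasks.exe") and SCHTASKS_CREATE.search(ev.command_line):
        m = SCHTASKS_XML.search(ev.command_line)
        if m and TEMP_DIR.search(_arg(m)):
            tags.append("schtasks_xml_from_temp")
    return tags


def correlate(events):
    """Group tags by parent process; the chain is complete when one parent
    both added a Defender exclusion and registered a task from Temp XML."""
    by_parent = {}
    for ev in events:
        for tag in classify(ev):
            by_parent.setdefault(ev.parent_image.lower(), set()).add(tag)
    alerts = []
    for parent, tags in by_parent.items():
        if "schtasks_xml_from_temp" in tags and any(t.startswith("defender_exclusion") for t in tags):
            alerts.append((parent, sorted(tags)))
    return alerts


# Constructed sample telemetry (not a real capture).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Downloads\invoice.exe",
              r'"C:\Users\alice\Downloads\invoice.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\EiHjExP.exe"',
              r"C:\Users\alice\Downloads\invoice.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "UpdatesEiHjExP" /XML "C:\Users\alice\AppData\Local\Temp\tmp66E3.tmp"',
              r"C:\Users\alice\Downloads\invoice.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "NightlyBackup" /TR "C:\Tools\backup.exe" /SC DAILY',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\EiHjExP.exe",
              r'"C:\Users\alice\AppData\Roaming\EiHjExP.exe"',
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image, classify(ev))
    for parent, tags in correlate(SAMPLE_EVENTS):
        print("ALERT remcos_persistence_chain from", parent, tags)
```

The benign schtasks record (a daily backup registered with /TR rather than an XML import from Temp) produces no tag, which is the point of keying on the XML-from-Temp pattern rather than on schtasks /Create alone. In a real pipeline the parent key would be the parent process GUID rather than its path.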
GetAddrInfoW is part of the Windows Sockets (Winsock) API and is typically called for name resolution, converting a hostname such as a domain name into an IP address that can be used to establish a network connection.

If running with admin privileges, it creates the directory C:\ProgramData\remcos using the CreateDirectoryW API. CreateDirectoryW is the Windows API function used to create a new directory; the W suffix indicates the wide-character (Unicode) variant, as opposed to CreateDirectoryA, which uses ANSI strings. After creating the directory, it creates a file named logs.dat using the CreateFileW API.

There is also a privilege check, and it handles both cases smoothly; only the paths differ. When executed as admin it uses the C:\ProgramData\remcos folder; when executed with normal permissions it uses C:\Users\<username>\AppData\Local\VirtualStore\ProgramData\remcos\logs.dat. It creates a thread, and that thread performs the steps below in a loop. It also leaves its mark on the system in the registry, where it stores the exe path, the licence and the time for the thread.

Patching TLS

All traffic was encrypted, so we had to find out what was being sent. The client had been built with the TLS option enabled, so we could not see what it sent to the server: with the TLS flag on, all traffic goes out encrypted. After finding the check and patching it, I was able to turn TLS off and see all the traffic clearly.

It was sending the device identification to the server every few seconds. This is sample data the RAT was sending:

    $ KRemoteHost||DESKTOP-002IHON/shaddy||US||Windows 10 Enterprise (64 bit)||||8588939264||4.9.2 Pro||C:\ProgramData\remcos\logs.dat||C:\Users\shaddy\Desktop\5thstage.exe||||5thstage.exe - PID: 3308 - Module: 5thstage.exe - Thread: Main Thread 6232 - x32dbg [Elevated]||1||47||48556593||1||rungmotors20.ddns.net||Rmc-ZT6SIL||0||C:\Users\shaddy\Desktop\5thstage.exe||12th Gen Intel(R) Core(TM) i7-12700KF||Exe||||

Clipboard and Process recording

Inside the thread it performs three major activities, because whoever built this client only wanted to record the clipboard, record keystrokes and set some registry keys. It records all clipboard data into the same logs.dat file, prefixed with [Text copied to clipboard] and terminated with [End of clipboard]. It also keeps recording each process that spawns, its architecture and its user access, as well as all keystrokes.

Rules & IOCs

Yara Rules

    rule remcos_pro_4_9_2
    {
        meta:
            author = "Osama Ellahi"
            description = "Remcos RAT 4.9.2 pro version from breakpoint"
        strings:
            // \xa9 is the Latin-1 copyright sign as stored in the CRT banner string
            $string_match1 = "\xa9 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED" ascii fullword
            $string_match2 = "tRemcos v" ascii fullword
            $string_match3 = "BreakingSecurity.net" ascii fullword
            $string_match4 = "4.9.2 Pro" ascii fullword
            $string_match6 = "[Text pasted from clipboard]" ascii fullword
            $string_match7 = "[End of clipboard]" ascii fullword
            $string_match9 = "[Text copied to clipboard]" ascii fullword
            $string_match11 = "Offline Keylogger Started" ascii fullword
            $string_match12 = "Offline Keylogger Stopped" ascii fullword
            $string_match13 = "Online Keylogger Started" ascii fullword
            $string_match14 = "Online Keylogger Stopped" ascii fullword
            $string_match15 = "Remcos restarted by watchdog!" ascii fullword
            $string_match16 = "Watchdog module activated" ascii fullword
            $string_match17 = "Watchdog launch failed!" ascii fullword
            $string_match18 = "[Chrome StoredLogins not found]" ascii fullword
            $string_match19 = "[Chrome StoredLogins found, cleared!]" ascii fullword
            $string_match20 = "[Chrome Cookies not found]" ascii fullword
            $string_match21 = "[Chrome Cookies found, cleared!]" ascii fullword
            $string_match22 = "[Firefox StoredLogins not found]" ascii fullword
            $string_match23 = "[Firefox Cookies not found]" ascii fullword
            $string_match24 = "[Firefox cookies found, cleared!]" ascii fullword
            $string_match25 = "[Firefox StoredLogins Cleared!]" ascii fullword
            $string_match26 = "[IE cookies not found]" ascii fullword
            $string_match27 = "[IE cookies cleared!]" ascii fullword
            $string_match28 = "[Cleared browsers logins and cookies.]" ascii fullword

            $string_paths1 = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" ascii fullword
            $string_paths2 = "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" ascii fullword
            $string_paths3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" ascii fullword
            $string_paths4 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" ascii fullword
            $string_paths5 = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" ascii fullword
            $string_paths6 = "Software\\Microsoft\\EventSounds\\Sounds" ascii fullword
            $string_paths7 = "System\\CurrentControlSet\\Control\\MediaProperties\\PrivateProperties\\Joystick\\Winmm" ascii fullword

            $string_commands1 = "CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"" ascii fullword
            $string_commands2 = "CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)" ascii fullword
            $string_commands3 = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" ascii fullword
            $string_commands4 = "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f" ascii

            $string_url1 = "http://geoplugin.net/json.gp" ascii fullword
            $string_url2 = "rungmotors20.ddns.net" ascii fullword
        condition:
            uint16(0) == 0x5a4d and filesize > 200KB and filesize < 600KB and
            (
                any of ($string_url*) or
                3 of ($string_paths*) or
                5 of ($string_match*)
            )
    }

Callback URLs

URL: rungmotors20.ddns.net, port 60247
URL: hxxp://geoplugin.net/json.gp, port 443

IOCs

1st stage
SHA256: 2e5c4d023167875977767da513d8889f1fc09fb18fdadfd95c66a6a890b5ca3f

2nd stage (stage2.dll)
MD5: 3125f77575829f3b710f5a15912dec20
SHA256: 1cc58fba1d1b4c7e0b9d752ea7f03fa3c312ae2fc53796d5b3acea98e6ea3c0e

3rd stage (stage3.dll)
MD5: 579197d4f760148a9482d1ebde113259
SHA256: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

4th stage (Tyrone.dll)
MD5: dd76e11ff9b96efdcf3cd377126c8d96
SHA256: c5928572e371b0a5d3109d0a7431ca9e064216beb858f04dc8d0140ccaf44b84

5th stage (5thstage.mal)
MD5: dc05d4f2864dfafa9b91e8e0d79840e3
SHA256: f55fc4f4e1bcbe957d20750f56cd98869c717c18c14c8b6d42698557b254ad51

Unfolding Remcos RAT- 4.9.2 Pro was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
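The registration message shown in the "Patching TLS" section is a flat '||'-delimited record, which is easy to turn into named fields once it is decrypted. The following is an added example, not code from the write-up and not a Remcos protocol specification: the constant reproduces the captured message with the analyst's paths restored, and the field names are inferred from what each position holds in that single capture (an assumption; positions whose meaning is not evident are kept as numbered unknowns). The leading bytes before "RemoteHost" are treated as a framing prefix, also an assumption.

```python
"""Parse the Remcos registration message captured above into named fields.

Added example, not code from the write-up and not a protocol specification.
CAPTURED_REGISTRATION is the '||'-delimited message shown in the analysis,
re-typed with the analyst's paths restored. The field names are inferred
from what each position holds in that single capture; they are assumptions,
and positions whose meaning is not evident stay as numbered unknowns.
"""
import re

CAPTURED_REGISTRATION = (
    "$ KRemoteHost||DESKTOP-002IHON/shaddy||US||Windows 10 Enterprise (64 bit)||||"
    "8588939264||4.9.2 Pro||C:\\ProgramData\\remcos\\logs.dat||"
    "C:\\Users\\shaddy\\Desktop\\5thstage.exe||||"
    "5thstage.exe - PID: 3308 - Module: 5thstage.exe - Thread: Main Thread 6232 - x32dbg [Elevated]||"
    "1||47||48556593||1||rungmotors20.ddns.net||Rmc-ZT6SIL||0||"
    "C:\\Users\\shaddy\\Desktop\\5thstage.exe||12th Gen Intel(R) Core(TM) i7-12700KF||Exe||||"
)

# Position -> inferred name (assumption based on the captured values).
FIELD_NAMES = {
    1: "host_and_user",
    2: "country",
    3: "os",
    5: "ram_bytes",
    6: "version",
    7: "log_path",
    8: "exe_path",
    10: "active_window",
    15: "c2_host",
    16: "campaign_id",
    18: "exe_path_2",
    19: "cpu",
    20: "run_mode",
}

SEPARATOR = "||"
# Field 0 carries framing bytes before the record type; keep the trailing
# CamelCase word ("RemoteHost") and drop whatever precedes it (assumption).
_RECORD_TYPE = re.compile(r"[A-Z][a-z]+(?:[A-Z][a-z]+)*$")


def parse_registration(message):
    """Split the message on '||' and map positions to names."""
    fields = message.split(SEPARATOR)
    m = _RECORD_TYPE.search(fields[0])
    parsed = {"message_type": m.group(0) if m else fields[0]}
    for idx, value in enumerate(fields[1:], start=1):
        parsed[FIELD_NAMES.get(idx, "unknown_%d" % idx)] = value
    host_user = parsed.get("host_and_user", "")
    if "/" in host_user:
        parsed["hostname"], parsed["username"] = host_user.split("/", 1)
    ram = parsed.get("ram_bytes", "")
    if ram.isdigit():
        parsed["ram_gib"] = round(int(ram) / 2 ** 30, 1)
    return parsed


def is_remcos_registration(message):
    """Heuristic: a 'RemoteHost' record whose campaign id carries the Rmc-
    prefix seen in the capture (assumption: the prefix is a stable marker)."""
    p = parse_registration(message)
    return p["message_type"] == "RemoteHost" and p.get("campaign_id", "").startswith("Rmc-")


def extract_iocs(parsed):
    """Pull the fields a responder would pivot on."""
    paths = sorted({parsed[k] for k in ("log_path", "exe_path", "exe_path_2") if parsed.get(k)})
    return {
        "c2_host": parsed.get("c2_host"),
        "campaign_id": parsed.get("campaign_id"),
        "version": parsed.get("version"),
        "paths": paths,
    }


if __name__ == "__main__":
    rec = parse_registration(CAPTURED_REGISTRATION)
    for k, v in rec.items():
        print("%-16s %s" % (k, v))
    print(extract_iocs(rec))
```

The numeric unknowns (positions 11 to 14 and 17) are left unnamed on purpose; naming them would require more than one capture, and a parser that guesses silently is worse than one that reports the raw value.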

Source: InfoSec Write-ups
Implementation of Security headers in Microsoft IIS Server
Security headers play a crucial role in enhancing the security of your web applications by providing an additional layer of protection against various types of attacks. In this guide, we walk through implementing essential security headers on a Microsoft IIS 10 server.

Prerequisites
- Administrative access to the IIS server.
- Basic understanding of web server configuration.

Step 1: Accessing IIS Manager
1. Launch Internet Information Services (IIS) Manager on your server.
2. In the Connections pane, select your server.

Step 2: Configuring the Strict-Transport-Security (HSTS) Header
HSTS tells browsers that have already visited the site over HTTPS to refuse plain-HTTP connections to it for max-age seconds. It only protects after the first HTTPS visit, and browsers ignore it on HTTP responses, so the site must already be served fully over HTTPS (and, with includeSubDomains, every subdomain too).
1. Select the site you want to secure.
2. In the Features View, double-click HTTP Response Headers.
3. In the Actions pane on the right, click Add.
4. Set the Name to `Strict-Transport-Security` and the Value to `max-age=31536000; includeSubDomains`.
5. Click OK to save the configuration.

Step 3: Implementing the Content-Security-Policy (CSP) Header
CSP mitigates Cross-Site Scripting (XSS) by telling the browser which sources it may load each kind of resource from.
1. In IIS Manager, select your site.
2. Double-click HTTP Response Headers.
3. Click Add in the Actions pane.
4. Set the Name to `Content-Security-Policy` and configure the Value based on your application's requirements, for example:
   default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests; block-all-mixed-content;
   Anything the policy does not allow is blocked, so inline scripts and styles stop working until they are moved into files or given nonces; roll a new policy out as `Content-Security-Policy-Report-Only` first and watch the reports. If you load Google Fonts as above, the font files themselves come from https://fonts.gstatic.com and need a `font-src` entry, since `default-src 'self'` does not cover them. `block-all-mixed-content` is deprecated; `upgrade-insecure-requests` already covers that case.
5. Click OK to save.

Step 4: Setting the X-Frame-Options Header
X-Frame-Options prevents your site from being embedded in an iframe on another site, reducing the risk of clickjacking attacks. `DENY` blocks all framing; `SAMEORIGIN` allows framing only by pages from the same origin. The CSP `frame-ancestors` directive is the modern equivalent and can also allow specific third-party origins; setting both is harmless.
1. Select your site in IIS Manager.
2. Navigate to HTTP Response Headers.
3. Click Add in the Actions pane.
4. Set Name to `X-Frame-Options` and Value to `SAMEORIGIN` or `DENY`, depending on your needs.
5. Click OK to apply the changes.

Step 5: Configuring the X-Content-Type-Options Header
X-Content-Type-Options stops browsers from MIME-sniffing a response and interpreting it as a different type than the declared Content-Type.
1. Select your site.
2. Go to HTTP Response Headers.
3. Click Add.
4. Set Name to `X-Content-Type-Options` and Value to `nosniff`.
5. Click OK to save the configuration.

Step 6: Applying the Referrer-Policy Header
Referrer-Policy dictates how much information is included in the `Referer` header when users follow links or load resources from your pages.
1. Choose your site in IIS Manager.
2. Access HTTP Response Headers.
3. Click Add.
4. Set Name to `Referrer-Policy` and Value to `strict-origin-when-cross-origin`, or choose a suitable policy.
5. Click OK to save.

Step 7: Enforcing the Permissions-Policy Header
Permissions-Policy provides granular control over which browser features (geolocation, microphone, camera and so on) your pages and any embedded frames may use.
1. Select your site.
2. Navigate to HTTP Response Headers.
3. Click Add.
4. Set Name to `Permissions-Policy` and configure the Value based on your application's requirements, for example:
   geolocation=(self), microphone=(), camera=()
5. Click OK to apply the changes.

Conclusion
Congratulations! You've implemented essential security headers on your Microsoft IIS server. Verify them by requesting the HTTPS URL of the site and inspecting the response headers, and regularly review and update them to keep up with evolving security best practices.

By following these steps, you significantly enhance the security posture of your web application, providing a safer environment for your users and protecting against common web vulnerabilities.

Author LinkedIn: sandeepvishwakarma1

Implementation of Security headers in Microsoft IIS Server was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
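A check that the seven steps above actually took effect, and that the chosen values are not weaker than intended, is easiest to keep as code. The following is an added example, not part of the original article: it audits a set of response headers (collected by whatever client or test harness you use) against the policy this guide sets out. The two sample header sets are constructed for the demo; the first is the guide's own configuration, the second a deliberately weak one.

```python
"""Audit a set of HTTP response headers against the policy in this guide.

Added example, not part of the original article. It takes the response
headers as a dict (as a scanner or test harness would collect them) and
returns finding codes for headers that are missing or weakly configured.
The two sample responses at the bottom are constructed, not captured from
a real server.
"""
import re

MIN_HSTS_AGE = 31536000  # one year, the value the guide sets
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_csp(value):
    """Turn 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_hsts(value):
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return ["hsts-no-max-age"]
    if int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("hsts-max-age-short")
    if "includesubdomains" not in value.lower():
        findings.append("hsts-no-includesubdomains")
    return findings


def check_csp(value):
    findings = []
    d = parse_csp(value)
    default = d.get("default-src")
    if default is None:
        findings.append("csp-no-default-src")
    script = d.get("script-src", default) or []
    if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
        findings.append("csp-script-unsafe")
    if "*" in script:
        findings.append("csp-script-wildcard")
    if "'none'" not in (d.get("object-src", default) or []):
        findings.append("csp-object-src-not-none")
    if "frame-ancestors" not in d:
        findings.append("csp-no-frame-ancestors")
    if "block-all-mixed-content" in d:
        findings.append("csp-block-all-mixed-content-deprecated")
    # Google Fonts: the stylesheet host is not the font-file host.
    style = d.get("style-src", default) or []
    if any("fonts.googleapis.com" in s for s in style):
        font = d.get("font-src", default) or []
        if not any("fonts.gstatic.com" in f or f in ("*", "https:") for f in font):
            findings.append("csp-google-fonts-need-font-src")
    return findings


def audit(headers):
    """Return sorted finding codes for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if "strict-transport-security" in h:
        findings += check_hsts(h["strict-transport-security"])
    else:
        findings.append("hsts-missing")

    if "content-security-policy" in h:
        findings += check_csp(h["content-security-policy"])
    else:
        findings.append("csp-missing")

    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        # Only a gap if CSP frame-ancestors is not covering framing either.
        if "csp-no-frame-ancestors" in findings or "csp-missing" in findings:
            findings.append("xfo-missing")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("xfo-invalid")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("xcto-missing")

    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("referrer-policy-missing")
    elif rp in LEAKY_REFERRER:
        findings.append("referrer-policy-leaky")

    if "permissions-policy" not in h:
        findings.append("permissions-policy-missing")

    return sorted(findings)


# Constructed samples: the guide's own values, and a weak configuration.
GUIDE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; "
                               "style-src 'self' https://fonts.googleapis.com; img-src 'self' data:; "
                               "object-src 'none'; upgrade-insecure-requests; block-all-mixed-content;",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(self), microphone=(), camera=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, hdrs in (("guide", GUIDE_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit(hdrs))
```

Run against the guide's own values, the audit reports only the three advisory points raised in Step 3 and Step 4 (missing font-src for Google Fonts, the deprecated block-all-mixed-content directive, and no frame-ancestors), so it doubles as a regression test for the configuration.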
Source: InfoSec Write-ups
Unmasking NJRAT: A Deep Dive into a Notorious Remote Access Trojan Part2
Unmasking NjRAT: A Notorious Remote Access Trojan Part 2

Image credit: Pedro Henrique Andrade (https://playgroundai.com/post/clmwrdcjh03ims601z3a9d99d)

In the first part of this blog series, we discussed how the NjRAT malware is built, its capabilities and more. In this blog we will continue our discussion by looking into a few of the functions this notorious remote access trojan (RAT) offers and how it infects and controls its victims' computers. We will also learn how to detect this malware on our systems.

Let's start by continuing the review of the C&C commands/features offered by the RAT.

We see the RAT downloading a file named "pass.exe" from Dropbox and starting the downloaded file as a new process. Upon execution, "pass.exe" creates a text file named "pass.txt" in the temp directory, and this file is sent back to the threat actor. However, the malicious file had already been disabled on Dropbox at the time of this analysis, hence no further investigation was performed on it.

[Figure: downloading and executing pass.exe]

Further, we see the malware has the capability to handle a zip data stream: it receives the data, stores it in the temp directory, unzips it and executes it.

It has the capability to add extra plugins to the existing one to extend its features.

It has the capability for screen capture and sending the result back to the C&C server.

Further, we see a command "un". This is interesting, as we see three sub-commands for it: "un" stands for uninstall, but each sub-command performs a different function.

[Figure: Uninstall command with 3 different functions]

The "~" sub-command executes a function OK.UNS(), which first removes all the modifications made by the malware (persistence, registry changes, etc.), then self-deletes and terminates the running process. This is the clean-up job, so that no trace of the malware is left on the disk.

Next we see the sub-command "!", where first the function OK.pr(0) is executed (we will discuss this later in this blog) and then the process ends; no clean-up is performed.

Sub-command "@" spawns a new process of the malware and kills the current process.

OK.pr() Function

The function OK.pr(int i) is used to protect the malware process from being terminated, by setting the ProcessBreakOnTermination flag to 1. This flag determines whether a system debug break occurs when the process terminates abnormally. If the flag is set to 1, then the computer will crash with a blue screen of death if the malware process is killed. (If someone tries to kill the process, the system crashes and they need to restart the machine; due to multiple persistence mechanisms the malware will spawn up again.)

Hence, as we observed above, the value "0" is passed during the execution of the uninstall command.

We also see the RAT has the capability to update itself with new code.

[Figure: Updating capability]

We see that NjRAT also has the capability to be a key-logger, storing the entered keystrokes with the process name and date so that the threat actor can view where the keys were entered.

[Figure: Key-logger capability]

Further reviewing the main function, we see one more thread being started, to which the function mgr.protect is passed.

[Figure: New thread starting for malware protection]

In the function mgr.protect we see that the malware checks whether any of the following processes are running and, if so, kills itself to prevent detection:

- taskmgr
- processviewer
- processhacker
- process explorer

We also see that the function ok.pr(1) is executed, which sets the ProcessBreakOnTermination flag to 1. As discussed earlier, when set, this flag makes the computer crash with a blue screen of death if the malware process is killed.

[Figure: Preventing detection mechanisms]

At last, in the main function we see registry persistence being achieved by adding the malware under both the current user and local machine hives.

[Figure: Registry persistence]

Below are a few of the IOCs observed after detonating the malware in a sandbox environment. We are not discussing them in detail, as we already know how the malware functions.

[Figure: Registry and firewall rule changes, and a file added to C:\Windows]

[Figure: A few of the IOCs observed in the SIEM]

[Figure: Data sent to the attacker C&C on successful detonation]

Above is an image of the first data packet sent to the attacker C&C on successful detonation, and below is one of the communication samples between the C&C server and the infected host.

201.ll|'|'|SGFjS2VkXzIwOTNFMkJD|'|'|DESKTOP-MJJ9KE5|'|'|jae|'|'|23-11-22|'|'||'|'|Win 10 ProSP0 x64|'|'|No|'|'|im523|'|'|..|'|'|UHJvY2VzcyBNb25pdG9yIC0gU3lzaW50ZXJuYWxzOiB3d3cuc3lzaW50ZXJuYWxzLmNvbQA=|'|'|164.inf|'|'|SGFjS2VkDQowLnRjcC5ldS5uZ3Jvay5pbzoxODgwMQ0KV2luRGlyDQpNaWNyb3NvZnQgc3lzdGVtLmV4ZQ0KVHJ1ZQ0KRmFsc2UNCkZhbHNlDQpGYWxzZQ0KRmFsc2UNCkZhbHNlDQpGYWxzZQ0KRmFsc2U=

[Figure: Network IOCs]

IOCs

- File hash: b02c3cc8be9da55c745c60521c8dc3d2c0a1494cfc8127b6785b58496a779383
- IP addresses: 18.158.249.75, 18.192.31.165, 3.125.102.39, 3.125.223.134, 3.124.142.205
- hxxps[:]//dl.dropboxusercontent[.]com/s/p84aaz28t0hepul/Pass.exe?dl=0
- pass.exe (under the temp directory)
- Microsoft System.exe (under C:\Windows; hash validated)

Detection

[Figure: Experimental Sigma rule]

Conclusion

In this series of blogs we have discussed the techniques and methods used by NjRAT. Even though it is not devastating, it can be leveraged to cause more harm to an environment. I am still learning to write detection rules, so the detection rules written here are still crude.

Thank you for your time!

Unmasking NJRAT: A Deep Dive into a Notorious Remote Access Trojan Part2 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
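The check-in sample above is the kind of artifact an analyst wants to turn into IOCs quickly. The following is an added example, not the author's code: it splits the captured text on the `|'|'|` delimiter the RAT uses, decodes the fields that are valid base64 (the campaign identifier, the active window title, and the configuration block), and pulls any host:port strings out of the decoded text. It assumes that the "." after the leading digits in `201.ll` and `164.inf` is the blog's rendering of a non-printable byte separating a length prefix from the command name; the record splitting rests on that assumption. The sample string is copied from the post; nothing here talks to a network.

```python
"""Decode a captured NjRAT check-in into records and network IOCs.

Added example for the blog post above, not the author's code. The sample
below is the capture quoted in the post; the '.' after the leading digits
(201.ll, 164.inf) is assumed to stand for a non-printable separator between
a length prefix and the command name."""
import base64
import binascii
import re

DELIM = "|'|'|"

# Capture copied from the post (a check-in followed by an "inf" message).
SAMPLE = (
    "201.ll|'|'|SGFjS2VkXzIwOTNFMkJD|'|'|DESKTOP-MJJ9KE5|'|'|jae|'|'|23-11-22"
    "|'|'||'|'|Win 10 ProSP0 x64|'|'|No|'|'|im523|'|'|..|'|'|"
    "UHJvY2VzcyBNb25pdG9yIC0gU3lzaW50ZXJuYWxzOiB3d3cuc3lzaW50ZXJuYWxzLmNvbQA="
    "|'|'|164.inf|'|'|"
    "SGFjS2VkDQowLnRjcC5ldS5uZ3Jvay5pbzoxODgwMQ0KV2luRGlyDQpNaWNyb3NvZnQgc3lzdGVtLmV4ZQ0K"
    "VHJ1ZQ0KRmFsc2UNCkZhbHNlDQpGYWxzZQ0KRmFsc2UNCkZhbHNlDQpGYWxzZQ0KRmFsc2U="
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# command name after a numeric length prefix, e.g. "201.ll" (assumption above)
CMD_RE = re.compile(r"^(\d+)\W(\w+)$")
HOSTPORT_RE = re.compile(r"\b([A-Za-z0-9.-]+\.[A-Za-z]{2,}):(\d{1,5})\b")


def try_b64(field):
    """Return the decoded text if the field is base64 that decodes to text,
    otherwise None. Trailing NULs (seen in the window-title field) are stripped."""
    if not B64_RE.match(field) or len(field) % 4:
        return None
    try:
        raw = base64.b64decode(field, validate=True)
        return raw.rstrip(b"\x00").decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_checkin(msg):
    """Split one or more concatenated messages into records of the form
    {"length": int, "command": str, "fields": [decoded or raw field, ...]}."""
    records = []
    for field in msg.split(DELIM):
        m = CMD_RE.match(field)
        if m:  # a length-prefixed command starts a new record
            records.append({"length": int(m.group(1)),
                            "command": m.group(2), "fields": []})
            continue
        if not records:  # tolerate a capture that starts mid-message
            records.append({"length": None, "command": None, "fields": []})
        decoded = try_b64(field)
        records[-1]["fields"].append(field if decoded is None else decoded)
    return records


def extract_network_iocs(records):
    """Collect host:port strings from every decoded field, sorted and unique."""
    iocs = set()
    for rec in records:
        for value in rec["fields"]:
            for host, port in HOSTPORT_RE.findall(value):
                iocs.add(f"{host}:{port}")
    return sorted(iocs)


if __name__ == "__main__":
    recs = parse_checkin(SAMPLE)
    for rec in recs:
        print(rec["command"], rec["fields"])
    print("network IOCs:", extract_network_iocs(recs))
```

The decoded "inf" block is a CRLF-separated list (campaign name, C&C endpoint, install directory, install file name, followed by boolean options), which is why the host:port regex is run over the decoded text rather than over the raw fields.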

Source: InfoSec Write-ups
Implementation of Security headers in Apache Server
In an era where cybersecurity threats are rampant, securing your web server is of utmost importance. Apache, one of the most widely used web servers, provides a robust platform for hosting websites and applications. In this article, we will delve into the implementation of security headers in Apache to enhance the security posture of your server and protect against various web-based attacks.

Why Security Headers?

Security headers are HTTP response headers that provide an additional layer of security by instructing the browser on how to behave when interacting with your website. They help mitigate common security vulnerabilities and protect against attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Clickjacking.

Prerequisites

Before we proceed, make sure you have:

1. A working Apache server.
2. Administrative access to your server.

Enabling Mod Headers

Apache's `mod_headers` module is essential for manipulating HTTP headers. Ensure that the module is enabled by running the following commands:

sudo a2enmod headers
sudo systemctl restart apache2

Configuring Security Headers

1. X-Content-Type-Options

The `X-Content-Type-Options` header prevents browsers from interpreting files as a MIME type other than what is declared by the server. Insert the following line into your Apache configuration file:

Header always set X-Content-Type-Options "nosniff"

2. X-Frame-Options

Protect your site against clickjacking attacks by setting the `X-Frame-Options` header. This header restricts the loading of a webpage in an iframe. Include the following line in your configuration:

Header always set X-Frame-Options "SAMEORIGIN"

3. Content Security Policy (CSP)

CSP is a powerful header that helps prevent XSS attacks by defining a set of rules for content sources. Create a robust CSP policy according to your website's needs. For example, set the Content-Security-Policy header to "default-src 'self'; script-src 'self' https://trusted-scripts.com; style-src 'self' https://trusted-styles.com" for all requests.

4. X-XSS-Protection

Enable the browser's built-in XSS protection by adding the following line:

Header always set X-XSS-Protection "1; mode=block"

5. Strict Transport Security (HSTS)

HSTS ensures that your website is only accessible over HTTPS, reducing the risk of man-in-the-middle attacks. Include the following in your configuration:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Testing Your Configuration

After implementing these security headers, it's crucial to validate your configuration. Online tools like [SecurityHeaders.com](https://securityheaders.com) can analyze your website's headers and provide recommendations for improvement.

Conclusion

By implementing security headers in your Apache server, you significantly enhance your website's resilience against a variety of web-based attacks. Regularly audit and update your security headers to adapt to evolving security threats. Remember that security is an ongoing process, and staying proactive is key to maintaining a secure web presence.

LinkedIn: sandeepvishwakarma1
For personalized training contact: sv110040@gmail.com

Implementation of Security headers in Apache Server was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
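The IIS and Apache guides above list the headers to set but not how to confirm what a server actually returns after the change. The following is an added example, not code from either article: a small Python audit that applies the same recommendations (a one-year HSTS with includeSubDomains, a CSP that has a default-src fallback, sets object-src to 'none' and allows no inline or wildcard script sources, a DENY or SAMEORIGIN X-Frame-Options, nosniff, Referrer-Policy and Permissions-Policy) to a dictionary of response headers. The two header sets at the bottom are constructed; `fetch_headers()` uses urllib to pull live headers and is not exercised offline. `X-XSS-Protection` is deliberately not required: current major browsers ignore it, so the CSP has to do that job.

```python
"""Audit HTTP response headers against the recommendations of the IIS and
Apache guides above. Added example; not the articles' own code. Standard
library only, so it runs offline on the constructed header sets below."""
import re
import urllib.request

ONE_YEAR = 31536000  # the max-age both guides recommend, in seconds


def _get(headers, name):
    """Case-insensitive header lookup; None if the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_csp(csp):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = _parse_csp(csp)
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        for name in ("default-src", "script-src"):
            sources = directives.get(name, [])
            if "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"CSP {name} allows inline or wildcard scripts")
        if directives.get("object-src") != ["'none'"]:
            findings.append("CSP object-src should be 'none'")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    xcto = (_get(headers, "X-Content-Type-Options") or "").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")
    if _get(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy missing")
    return findings


def fetch_headers(url):
    """Fetch a URL and return its response headers as a dict (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed header sets: the values from the guides, and a weak configuration.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "https://cdnjs.cloudflare.com; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(self), microphone=(), camera=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "OK")
```

Run it against `fetch_headers("https://your-site.example")` once the IIS or Apache change is in place; an empty list is the target state, and each finding names the step in the guides above that still needs attention.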
Source: InfoSec Write-ups
Kaisen Linux | The distribution for professional IT
Kaisen Linux is a distribution for IT professionals, based on Debian GNU/Linux. A large set of tools is integrated for diagnostics, system and network rescue, lab creation and much more!

Iac-Scan-Runner - Service That Scans Your Infrastructure As Code For Common Vulnerabilities
Service that scans your Infrastructure as Code for common vulnerabilities.

Tool name: IaC Scan Runner
Docker image: xscanner/runner
PyPI package: iac-scan-runner
Documentation: docs
Contact us: xopera@xlab.si

Purpose and description

The IaC Scan Runner is a REST API service used to scan an IaC (Infrastructure as Code) package and perform various code checks in order to find possible vulnerabilities and improvements. Explore the docs for more info.

Running

This section explains how to run the REST API.

Run with Docker

You can run the REST API using the public xscanner/runner Docker image as follows:

# run IaC Scan Runner REST API in a Docker container and
# navigate to localhost:8080/swagger or localhost:8080/redoc
$ docker run --name iac-scan-runner -p 8080:80 xscanner/runner

Or you can build the image locally and run it as follows:

# build Docker container (it will take some time)
$ docker build -t iac-scan-runner .
# run IaC Scan Runner REST API in a Docker container and
# navigate to localhost:8080/swagger or localhost:8080/redoc
$ docker run --name iac-scan-runner -p 8080:80 iac-scan-runner

Run from CLI

To run using the IaC Scan Runner CLI:

# install the CLI
$ python3 -m venv .venv && . .venv/bin/activate
(.venv) $ pip install iac-scan-runner
# print OpenAPI specification
(.venv) $ iac-scan-runner openapi
# install prerequisites
(.venv) $ iac-scan-runner install
# run IaC Scan Runner REST API
(.venv) $ iac-scan-runner run

Run from source

To run locally from source:

# Export env variables
export MONGODB_CONNECTION_STRING=mongodb://localhost:27017
export SCAN_PERSISTENCE=enabled
export USER_MANAGEMENT=enabled
# Setup MongoDB
$ docker run --name mongodb -p 27017:27017 mongo
# install prerequisites
$ python3 -m venv .venv && . .venv/bin/activate
(.venv) $ pip install -r requirements.txt
(.venv) $ ./install-checks.sh
# run IaC Scan Runner REST API (add --reload flag to apply code changes on the way)
(.venv) $ uvicorn src.iac_scan_runner.api:app

Usage and examples

This part will show one of the possible deployments and short examples of how to use the API calls. First we will clone the iac-scan-runner repository and run the API.

$ git clone https://github.com/xlab-si/iac-scan-runner.git
$ docker compose up

After this is done you can use the different API endpoints by calling localhost:8000. You can also navigate to localhost:8000/swagger or localhost:8000/redoc and test all the API endpoints there. In this example, we will use curl for calling API endpoints.

Let's create a project named test.

curl -X 'POST' 'http://0.0.0.0/project?creator_id=test' -H 'accept: application/json' -d ''

A project id will be returned to us. For this example the project id is 1e7b2a91-2896-40fd-8d53-83db56088026.

For example, let's say we want to initiate all checks except ansible-lint. Let's disable it.

curl -X 'PUT' 'http://0.0.0.0:8000/projects/1e7b2a91-2896-40fd-8d53-83db56088026/checks/ansible-lint/disable' -H 'accept: application/json'

Now that the project is configured, we can simply choose the files that we want to scan and zip them. For IaC-Scan-Runner to work, files are expected to be compressed archives (usually zip files). In this case the response type will be json, but it is possible to change it to html. Please change YOUR.zip to the path of your file.

curl -X 'POST' 'http://0.0.0.0:8000/projects/1e7b2a91-2896-40fd-8d53-83db56088026/scan?scan_response_type=json' -H 'accept: application/json' -H 'Content-Type: multipart/form-data' -F 'iac=@YOUR.zip;type=application/zip'

That is it.

Extending the scan workflow with new check tools

At a certain point, it might be required to include new check tools within the scan workflow, with the aim of providing wider coverage of IaC standards and project types. Therefore, in this subsection, a sequence of required steps for that purpose is identified and described. Currently the steps have to be performed manually as described, but it is planned to automate this procedure in future via the API and to provide a user-friendly interface that will aid the user while importing new tools into the catalogue of available tools that make up the scan workflow. Figure 16 depicts the required steps which have to be taken in order to extend the scan workflow with a new tool.

Step 1 – Adding tool-specific class to checks directory

First, it is required to add a new tool-specific Python class to the checks directory inside IaC Scan Runner's source code:

iac-scan-runner/src/iac_scan_runner/checks/new_tool.py

The class of a new tool inherits the existing Check class, which provides a generalization of scan workflow tools. Moreover, it is necessary to provide implementations of the following methods:

def configure(self, config_filename: Optional[str], secret: Optional[SecretStr])
def run(self, directory: str)

The first one provides the necessary tool-specific parameters in order to set the tool up (such as passwords, client ids and tokens); the second specifies how the tool itself is invoked via API or CLI and returns its raw output.

Step 2 – Adding the check tool class instance within ScanRunner constructor

Once the new class derived from Check is added to the IaC Scan Runner's source code, it is also required to modify the source code of its main class, called ScanRunner. In this class, it is required first to import the tool-specific class, then to create a new check-tool-specific class instance and add it to the dictionary of IaC checks inside def init_checks(self).

A. Importing the check tool class

from iac_scan_runner.checks.tfsec import TfsecCheck

B. Creating a new instance of the check tool object inside init_checks

"""Initiate predefined check objects"""
new_tool = NewToolCheck()

C. Adding it to the self.iac_checks dictionary inside init_checks

self.iac_checks = {
    new_tool.name: new_tool,
    …
}

Step 3 – Adding the check tool to the compatibility matrix inside Compatibility class

On the other side, inside the file src/iac_scan_runner/compatibility.py, the dictionary which represents the compatibility matrix should be extended as well. There are two possible cases:

a) a new file type should be added as a key, together with a list of relevant tools as the value
b) a new tool should be added to the compatibility list for an existing file type

compatibility_matrix = {
    "new_type": ["new_tool_1", "new_tool_2"],
    …
    "old_typeK": ["tool_1", … "tool_N", "new_tool_3"]
}

Step 4 – Providing the support for result summarization

Finally, the last step in the sequence of required modifications for scan workflow extension is to modify the class ResultsSummary (src/iac_scan_runner/results_summary.py). Precisely, it is required to append a part of the code to its method summarize_outcome that looks for tool-specific strings which can be used to identify whether the check passed or failed. Inside the loop that traverses the compatible checks, for each new tool the following if-else structure should be included:

if check == "new_tool":
    if outcome.find("Check pass string") > -1:
        self.outcomes[check]["status"] = "Passed"
        return "Passed"
    else:
        self.outcomes[check]["status"] = "Problems"
        return "Problems"

Contact

You can contact the xOpera team by sending an email to xopera@xlab.si.

Acknowledgement

This project has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 101000162 (PIACERE).

Download Iac-Scan-Runner
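The four extension steps above each show one fragment; the following is an added example, not the project's code, that strings them together so the flow from file type to compatible checks to raw tool output to summary can be run offline. `Check`, `ScanRunner`, `compatibility_matrix` and `ResultsSummary` are minimal stand-ins modelled on the names and method signatures quoted in the README (the real base class, the pydantic `SecretStr` type and the tfsec integration are not reproduced), and the "new tool" simulates its CLI by inspecting an in-memory set of files instead of invoking anything.

```python
"""Stand-alone sketch of the four steps for adding a check tool.

Added example; not IaC Scan Runner's code. Class names and method
signatures follow the README above, bodies are simplified stand-ins, and
the tool invocation is simulated."""
from typing import Dict, Optional


class Check:
    """Stand-in for the project's Check base class (assumed shape)."""
    def __init__(self, name: str):
        self.name = name
        self.enabled = True

    def configure(self, config_filename: Optional[str], secret: Optional[str]):
        raise NotImplementedError

    def run(self, directory: str) -> str:
        raise NotImplementedError


class NewToolCheck(Check):
    """Step 1: tool-specific class. A real one would call the tool's CLI or
    API and return its raw output; this one simulates the tool by looking
    for plaintext password assignments in the files handed to it."""
    PASS_STRING = "Check pass string"  # tool-specific marker from the README

    def __init__(self, files: Dict[str, str]):
        super().__init__("new_tool")
        self.files = files  # constructed in-memory "directory"
        self.token = None

    def configure(self, config_filename, secret):
        self.token = secret  # keep whatever the tool needs (token, client id)

    def run(self, directory: str) -> str:
        problems = sorted(name for name, body in self.files.items()
                          if "password" in body.lower() and "=" in body)
        if problems:
            return "FAIL: hard-coded credentials in " + ", ".join(problems)
        return self.PASS_STRING


# Step 3: compatibility matrix, file type -> tool names (constructed values)
compatibility_matrix = {
    "terraform": ["tfsec", "new_tool"],
    "new_type": ["new_tool"],
}


class ResultsSummary:
    """Step 4: map each tool's raw output to Passed/Problems."""
    def __init__(self):
        self.outcomes: Dict[str, Dict[str, str]] = {}

    def summarize_outcome(self, check: str, outcome: str) -> str:
        self.outcomes.setdefault(check, {})
        if check == "new_tool":
            if outcome.find(NewToolCheck.PASS_STRING) > -1:
                self.outcomes[check]["status"] = "Passed"
                return "Passed"
            self.outcomes[check]["status"] = "Problems"
            return "Problems"
        self.outcomes[check]["status"] = "Unknown"  # no rule for this tool
        return "Unknown"


class ScanRunner:
    """Step 2: register the check instance in the iac_checks dictionary."""
    def __init__(self, files: Dict[str, str]):
        self.files = files
        self.iac_checks: Dict[str, Check] = {}
        self.init_checks()

    def init_checks(self):
        new_tool = NewToolCheck(self.files)
        self.iac_checks = {new_tool.name: new_tool}

    def scan(self, file_type: str, directory: str = "/tmp/unpacked") -> Dict[str, str]:
        """Run every registered, enabled tool compatible with file_type.
        The directory argument is a hypothetical unpacked-archive path."""
        summary = ResultsSummary()
        results = {}
        for name in compatibility_matrix.get(file_type, []):
            check = self.iac_checks.get(name)
            if check is None or not check.enabled:
                continue  # tool not registered here (e.g. tfsec) or disabled
            results[name] = summary.summarize_outcome(name, check.run(directory))
        return results


# Constructed inputs: a clean Terraform file and one with a hard-coded password.
CLEAN = {"main.tf": 'resource "x" "y" {}'}
DIRTY = {"vars.tf": 'db_password = "hunter2"'}

if __name__ == "__main__":
    print(ScanRunner(CLEAN).scan("terraform"))   # {'new_tool': 'Passed'}
    print(ScanRunner(DIRTY).scan("new_type"))    # {'new_tool': 'Problems'}
```

The `enabled` flag on the stand-in mirrors the per-project check disabling shown in the curl examples above (`/checks/ansible-lint/disable`): a disabled tool is skipped even when the compatibility matrix lists it.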

Source: KitPloit
Deepsecrets - Secrets Scanner That Understands Code
Yet another tool - why?

Existing tools don't really "understand" code. Instead, they mostly parse texts. DeepSecrets expands classic regex-search approaches with semantic analysis, dangerous variable detection, and more efficient usage of entropy analysis. Code understanding supports 500+ languages and formats and is achieved by lexing and parsing - techniques commonly used in SAST tools.

DeepSecrets also introduces a new way to find secrets: just use hashed values of your known secrets and get them found plain in your code.

The under-the-hood story is in the articles here: https://hackernoon.com/modernizing-secrets-scanning-part-1-the-problem

Mini-FAQ after release :)

Pff, is it still regex-based?

Yes and no. Of course, it uses regexes and finds typed secrets like any other tool. But language understanding (the lexing stage) and variable detection also use regexes under the hood. So regexes are an instrument, not a problem.

Why don't you build true abstract syntax trees? It's academically more correct!

DeepSecrets tries to keep a balance between complexity and effectiveness. Building a true AST is a pretty complex thing and simply overkill for our specific task. So the tool still follows the generic SAST way of code analysis but optimizes the AST part using a different approach.

I'd like to build my own semantic rules. How do I do that?

Only through the code at the moment. Formalizing the rules and moving them into a flexible and user-controlled ruleset is in the plans.

I still have a question

Feel free to communicate with the maintainer.

Installation

From GitHub via pip:

$ pip install git+https://github.com/avito-tech/deepsecrets.git

From PyPI:

$ pip install deepsecrets

Scanning

The easiest way:

$ deepsecrets --target-dir /path/to/your/code --outfile report.json

This will run a scan against /path/to/your/code using the default configuration:

- Regex checks by the built-in ruleset
- Semantic checks (variable detection, entropy checks)
- Report will be saved to report.json

Fine-tuning

Run deepsecrets --help for details. Basically, you can use your own ruleset by specifying --regex-rules. Paths to be excluded from scanning can be set via --excluded-paths.

Building rulesets

Regex

The built-in ruleset for regex checks is located in /deepsecrets/rules/regexes.json. You're free to follow the format and create a custom ruleset.

HashedSecret

Example ruleset for regex checks is located in /deepsecrets/rules/regexes.json. You're free to follow the format and create a custom ruleset.

Contributing

Under the hood

There are several core concepts:

- File
- Tokenizer
- Token
- Engine
- Finding
- ScanMode

File

Just a pythonic representation of a file with all needed methods for management.

Tokenizer

A component able to break the content of a file into pieces - Tokens - by its logic. There are four types of tokenizers available:

- FullContentTokenizer: treats all content as a single token. Useful for regex-based search.
- PerWordTokenizer: breaks given content by words and line breaks.
- LexerTokenizer: uses language-specific smarts to break code into semantically correct pieces with additional context for each token.

Token

A string with additional information about its semantic role, corresponding file, and location inside it.

Engine

A component performing secrets search for a single token by its own logic. Returns a set of Findings. There are three engines available:

- RegexEngine: checks tokens' values through a special ruleset
- SemanticEngine: checks tokens produced by the LexerTokenizer using additional context - variable names and values
- HashedSecretEngine: checks tokens' values by hashing them and trying to find coinciding hashes inside a special ruleset

Finding

This is a data structure representing a problem detected inside code. Features information about the precise location inside a file and the rule that found it.

ScanMode

This component is responsible for the scan process.

- Defines the scope of analysis for a given work directory, respecting exceptions
- Allows declaring a PerFileAnalyzer - the method called against each file, returning a list of findings. The primary usage is to initialize necessary engines, tokenizers, and rulesets.
- Runs the scan: a multiprocessing pool analyzes every file in parallel.
- Prepares results for output and outputs them.

The current implementation has a CliScanMode built from the user-provided config through the CLI args.

Local development

The project is supposed to be developed using VSCode and the 'Remote containers' feature. Steps:

1. Clone the repository
2. Open the cloned folder with VSCode
3. Agree with 'Reopen in container'
4. Wait until the container is built and necessary extensions are installed
5. You're ready

Download Deepsecrets
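To make the Tokenizer/Token/Engine/Finding pipeline and the hashed-secret idea concrete, here is an added example, not DeepSecrets' code: a per-word tokenizer that also records which variable a value was assigned to, a HashedSecret-style engine whose ruleset holds only SHA-256 digests of known secrets (so the ruleset itself never contains a secret in clear), and an entropy engine that flags high-entropy values assigned to suspicious variable names. `Token`, `Finding`, `build_engines` and the two engine classes are hypothetical stand-ins named after the concepts above; the sample file and the "known secret" are constructed.

```python
"""Minimal tokenizer + hashed-secret and entropy engines.

Added example; not the DeepSecrets code base. Names mirror the concepts in
the README (Token, Finding, engines) but the classes are stand-ins."""
import hashlib
import math
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Token:
    value: str
    line: int
    var_name: str = ""  # set when the token is the value of an assignment


@dataclass
class Finding:
    rule: str
    line: int
    value: str


# name = value / name: value, with optional quotes around the value
ASSIGN_RE = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']?([^"'\s]+)["']?""")
WORD_RE = re.compile(r"""[^\s"'=:,;()]+""")


def per_word_tokenize(text: str) -> List[Token]:
    """Break content into word tokens; an assignment's value carries the
    variable name so engines have that context."""
    tokens = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        assigned = m.group(2) if m else None
        for word in WORD_RE.findall(line):
            var = m.group(1) if m and word == assigned else ""
            tokens.append(Token(word, n, var))
    return tokens


def shannon_entropy(s: str) -> float:
    """Bits per character: 32 distinct characters give 5.0, prose about 3."""
    if not s:
        return 0.0
    counts = [s.count(ch) for ch in set(s)]
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts)


def hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class HashedSecretEngine:
    """Ruleset holds only digests of known secrets, never the secrets."""
    def __init__(self, hashed_secrets: List[str]):
        self.hashes = set(hashed_secrets)

    def search(self, token: Token) -> List[Finding]:
        if hash_secret(token.value) in self.hashes:
            return [Finding("hashed-secret", token.line, token.value)]
        return []


class EntropyEngine:
    """Flag long, high-entropy values assigned to secret-looking names."""
    SUSPICIOUS = re.compile(r"(pass|pwd|secret|token|key)", re.I)

    def __init__(self, threshold: float = 4.0, min_len: int = 16):
        self.threshold, self.min_len = threshold, min_len

    def search(self, token: Token) -> List[Finding]:
        if (token.var_name and self.SUSPICIOUS.search(token.var_name)
                and len(token.value) >= self.min_len
                and shannon_entropy(token.value) >= self.threshold):
            return [Finding("high-entropy-variable", token.line, token.value)]
        return []


def build_engines(known_secrets: List[str]):
    return [HashedSecretEngine([hash_secret(s) for s in known_secrets]),
            EntropyEngine()]


def scan(text: str, engines) -> List[Finding]:
    findings = []
    for tok in per_word_tokenize(text):
        for engine in engines:
            findings.extend(engine.search(tok))
    return findings


# Constructed sample file and constructed "known secret" (stored hashed).
KNOWN_SECRET = "correct-horse-battery-staple"
SAMPLE = """\
# config.py (constructed sample)
db_host = "db.internal"
api_token = "Zk3q9vL1mNxP7tRbW2yC8sJ4hD6fG0aE"
legacy_key = 'correct-horse-battery-staple'
greeting = "hello world"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE, build_engines([KNOWN_SECRET])):
        print(f"{f.rule} at line {f.line}: {f.value}")
```

The two engines are complementary: the hashed ruleset catches a low-entropy passphrase that an entropy check would never flag, while the entropy engine catches a random token that is not in any ruleset but is assigned to a name like `api_token`.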

Source: KitPloit
Nessus Vulnerability Let Attackers Alter Rules Variables
An arbitrary file write vulnerability has been discovered in Nessus, which allows an authenticated, remote attacker to perform a denial of service condition on affected installations. This vulnerability has been assigned with CVE-2023-6062, and a severity rating was added. Nessus has released patches to fix this vulnerability and has urged its users to patch them […] The post Nessus Vulnerability Let Attackers Alter Rules Variables appeared first on Cyber Security News.

Source: Latest Hacker and Security News