All posts by be4sec

DFIR Problems in the Cloud

More and more companies are adopting the cloud because of its ease of deployment, its integration with business needs and its scalability, and the pandemic and changing business models have pushed that adoption even further.

From an IT perspective, the cloud provides a lot of convenience. Companies pay only for the resources they need and can scale up or down easily to meet demand, so they no longer have to guess future usage and budget for it in advance. While it takes days or weeks to bring up a new physical server, a new cloud server is ready in minutes, and it saves expenses such as cabling, staff, network access and data center space. The cloud also provides a global infrastructure and high availability for systems with little effort.

For these reasons and more, it is easy to see why the cloud market will keep growing in the coming years; the expectation is that the market will be worth more than $800 billion in 2025. However, this convenience brings its own problems and challenges on the security, incident response and digital forensics side.

Separation of Responsibilities in the Cloud

Security is difficult in the cloud for customers because the cloud customer does not have access to, or responsibility for, all of the systems that need to be secured. So, it is crucial to know the shared responsibility models of the cloud.

This article does not describe these cloud services one by one.

Challenges of Security

The shared responsibility model shown above makes security, incident response and digital forensics more difficult. It is not enough to know only the organization’s own assets; security teams need to work together with the cloud service provider’s (CSP) security teams. In every service model, the organization’s teams will not have access to and control over all of the data, OS, storage, network traffic, and so on. These are not the only difficulties. Most organizations use hybrid clouds and more than one CSP. This means systems are distributed between different data centers and locations, and teams need data from these different systems across different CSPs and structures.

These distributed, multi-CSP structures make it difficult to collect data during an incident, so investigating incidents in the cloud in real time becomes harder. One reason is access rights: in every cloud service model, the incident handler and forensic analyst have limited access to and control over data. Another is the difference in operational details and procedures between CSPs. Also, depending on the CSP’s structure, logs may be stored distributed across different servers and locations, which again makes investigating an incident harder. Correlating an activity across different CSPs is challenging due to the lack of interoperability, and log timestamps and time correlation add to this challenge.

Many more items could be added to this list of technical challenges. However, there is also a legal side to using the cloud. Because CSPs distribute their infrastructure across locations all over the world, customers can face legal issues. Data collection, protection and governance laws change according to the region the servers are located in, which makes it hard to standardize processes. These differences can also be reflected in SLAs.

The list of items that challenge security teams in the cloud can easily be extended: administrators’ experience in handling cloud environments, the availability and knowledge of cloud investigation and forensics tools, international communication, privacy concerns, unknown location of data, data volatility, time and timestamp synchronization, log format differences, etc.

Apple Delays CSAM Detection Plans

Earlier, we posted about Apple’s CSAM detection plans and customers’ worries that the process could be weaponized against users’ privacy. Apple is now temporarily pausing the process because of these customer worries.

Apple announced this delay on its Child Safety website as follows: “Update as of September 3, 2021: Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

CSAM detection was one of the new features that Apple announced in August. The changes were originally planned to go live with iOS 15 and macOS Monterey later this year in the US. Despite the delay, it seems the company has not given up on its plan. The date on which CSAM detection will go live is not yet known.

How to Download Windows 11 ISO

Windows 11 has been made available to Windows Insider users. Microsoft released the Windows 11 ISO file for test users today.

To test Windows 11 through the Insider program, users previously had to update from Windows 10 build 21354. Windows 11, which is still in beta, has finally been released. It is expected that the new version will be available to all users by the end of this year.

How to download ISO

  • Click here and login with the insider account.
  • Choose “Windows 11 Insider Preview (Beta Channel) 22000.132”
  • You can use this downloaded ISO file on your virtual environment or to create a bootable USB

*Please do not trust any third-party download sites; download the file from Microsoft’s site.

Requirements

This new operating system may not work on all systems, so it is important to check the requirements for Windows 11.

  • Processor: 1 gigahertz (GHz) or faster with two or more cores on a compatible 64-bit processor or system on a chip (SoC).
  • RAM: 4 gigabytes (GB) or greater.
  • Storage: 64 GB* or greater available storage is required to install Windows 11.
    • Additional storage space might be required to download updates and enable specific features.
  • Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
  • System firmware: UEFI, Secure Boot capable.
  • TPM: Trusted Platform Module (TPM) version 2.0.
  • Display: High definition (720p) display, 9″ or greater monitor, 8 bits per color channel.
  • Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
    • Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.

Please visit here for more information about the requirements.

AT&T Data Breach?

ShinyHunters claim that they have the AT&T database, including sensitive information on more than 70 million customers. In a post they shared, the threat actors demand $200k for this database. They shared this post a few days after a threat actor sold information about T-Mobile customers. T-Mobile has confirmed its data breach; however, a relationship between the two events has not yet been determined.

According to the example records that ShinyHunters shared, the database includes the following customer information:

  • Name and surname
  • Addresses
  • Postal code
  • Birthday
  • e-mail addresses
  • Social security numbers

AT&T stated that the aforementioned information is not related to their systems and denied the breach.

Both AT&T and T-Mobile have been marred by several security incidents in the recent past.

CSAM Detection on Apple Devices and Privacy

Apple announced new features for limiting the spread of Child Sexual Abuse Material (CSAM) in the U.S. “The Messages app will use on-device machine learning to warn about sensitive content, while keeping private communications unreadable by Apple” says Apple.

Source: https://www.apple.com/child-safety/

New Features Against CSAM

Apple is introducing new child safety features in three areas. The first, as mentioned above, is on-device machine learning used in the Messages app. The Messages app will inform parents, and also children, when sexually explicit photos are received or sent.

The other feature targets the spread of CSAM online. “To help address this, new technology in iOS and iPadOS will allow Apple to detect known CSAM images stored in iCloud Photos. This will enable Apple to report these instances to the National Center for Missing and Exploited Children (NCMEC)” says Apple. Apple claims that this feature is designed with user privacy in mind: the system performs an on-device scan against a hash database of known CSAM material provided by NCMEC and other child safety organizations.

With another technology called threshold secret sharing, if a user’s account crosses a threshold of known child abuse imagery, the cryptographic technique allows Apple to interpret the contents and disable the user’s account.

What About Privacy?

After the announcement, Edward Snowden tweeted, “if they can scan for kiddie porn today, they can scan for anything tomorrow.” Researchers also claim that Apple is creating a backdoor on its devices and that the Messages app will no longer provide end-to-end encryption.

The changes Apple announced are extremely disappointing. As Edward Snowden said, if they can scan photos today, they can scan anything one day, and this shows us that privacy for users will become more difficult day by day.
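The post names “threshold secret sharing” without showing how such a scheme works. The following is an added example, not code from the post and not Apple’s protocol: a minimal Shamir threshold scheme over a prime field (the field size 2^127 - 1 and all function names are this example’s own choices). It shows the two properties that matter: any `threshold` shares reconstruct the secret, and any `threshold - 1` shares are consistent with every possible secret, which is exactly why a “threshold” can gate access to information.

```python
"""Shamir threshold secret sharing over a prime field.

Added example, not from the post and not Apple's implementation: it shows the
core idea behind the "threshold secret sharing" the post names. A secret is
split into n shares; any t shares reconstruct it, while any t-1 shares are
consistent with every possible secret, so they reveal nothing on their own.
"""
import random

# Mersenne prime 2^127 - 1 (assumed field size); all arithmetic is modulo PRIME.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner's rule; coeffs[0] is the constant term, i.e. the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count, rng=None):
    """Return share_count points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    rng = rng or random.SystemRandom()
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation: evaluate at x the unique polynomial of degree
    < len(points) passing through all points (mod PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(points):
    """With at least `threshold` distinct shares, the value at x = 0 is the secret."""
    return interpolate_at(points, 0)


def forge_missing_share(known_points, candidate_secret, missing_x):
    """Given only threshold-1 shares, compute the y value that a share at
    missing_x WOULD have if the secret were candidate_secret. Because this
    works for every candidate, threshold-1 shares carry no information about
    the real secret; only a genuine t-th share settles it."""
    if missing_x == 0 or any(x == missing_x for x, _ in known_points):
        raise ValueError("missing_x must be a new, non-zero share index")
    return interpolate_at([(0, candidate_secret)] + list(known_points), missing_x)


if __name__ == "__main__":
    s = 0xDEADBEEF
    shares = split_secret(s, threshold=3, share_count=5)
    print("recovered:", hex(recover_secret(shares[:3])))
    y = forge_missing_share(shares[:2], 42, missing_x=3)
    print("two shares + a forged third give:", recover_secret(shares[:2] + [(3, y)]))
```

The interesting function is `forge_missing_share`: with two shares of a 3-of-5 split, you can manufacture a third share that makes the reconstruction land on any value you like, which is the concrete form of “below the threshold, nothing is learned”.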

Threat Hunting III – Pyramid of Pain

As mentioned in the previous sessions, IoCs are critically important for a proactive threat hunting process. Threat hunters should know as much as possible about new threats and implement that knowledge in their hunting processes. The Pyramid of Pain classifies IoCs and helps us better understand how useful each type is.

The Pyramid of Pain was created by David Bianco (FireEye). He also has a YouTube video presenting it.

Pyramid of Pain

This pyramid classifies the IoCs: the higher up the pyramid an IoC type sits, the more it helps us detect suspicious activity, and the harder it is to obtain. Let’s look at these IoC types briefly:

Hash Values: A hash value is a unique identifier of a piece of data. In theory, the hash value of each piece of data is expected to be unique to it, so a file can easily be identified by its hash value. As an example, you can see below the hash values (both MD5 and SHA-256) of openvpn.exe.

Hash values of openvpn.exe

Hash values are at the bottom of the pyramid because it is very easy to change a file’s hash value, and if you do not have the newly changed hash, you cannot detect that file anymore.

IP Addresses: IP blacklists are still used by many different products; however, it is also easy for an attacker to change IP addresses, so again they do not help much in detecting an adversary.

Domain Names: Every day we see that attackers can obtain new domain names very quickly and continue their attacks with ever-changing domain names.

Network/Host Artifacts: These are the clues that adversaries leave on a PC or network, such as registry keys, processes, user agent strings, etc. Naturally, obtaining such information requires forensic analysis of the compromised PCs or networks.

Tools: Adversaries have their favorite attack tools, just as pentesters do. It is important to know the tools your enemy uses: if you are good at detecting these tools, you can easily detect the attack, or you force the attackers to use other tools. Either way this slows down the attack and buys you time.

TTPs: Tactics, techniques and procedures are the patterns of activity or methods of a specific threat actor. As you all know, you can find TTPs on MITRE’s website, and they are the most valuable data for identifying an attack. If you know the TTPs of your enemy, you know what to check for a possible attack and how to mitigate it.

Importing Module in Powershell

Modules typically work in PowerShell directly. The “Get-Module” command can be used to see the imported modules.

The “Get-Module -ListAvailable” command shows the modules available.

Additional modules we want to use must be imported first. Once we import a module, all of its commands are available. We will add PowerSploit as an example. The PowerSploit project is no longer supported, but sometimes we may want to use its capabilities. To import it, we first download the package from here. After downloading the module, we need to copy it to one of the module folders on the PC. There are several module locations, and we can see them with the “$Env:PSModulePath” command.

We create a folder called PowerSploit and copy all the files from the downloaded package into it.

The “Import-Module PowerSploit” command will import the module, and all its commands will be available for us to use.

“Get-Command -Module PowerSploit” command can list all commands of this module.

“Get-Help <command>” command will show you the usage of the commands.

Subdomain Enumeration

Subdomain enumeration is an information gathering technique. It can be used to identify all of a company’s sites that are exposed to the internet. In large organizations, it is very common to have forgotten websites that have vulnerabilities or hold sensitive data, so subdomain enumeration is also important for bug bounty.

The first technique is searching passive DNS information. There are a lot of ways to search DNS information; however, note that DNS information for servers that have been shut down may remain in caches.

DNSdumpster.com: can give archive information about the domain also with some additional information like geolocation, nmap port scan, visualization of the domain mapping, and HTTP responses to check whether the site is alive or not.

crt.sh: is another interesting tool for searching for SSL certificates used by a domain and its subdomains.

VirusTotal: When you search for a domain in VirusTotal, it gives you all known subdomains and additional information about the domain.

The other technique is automated enumeration with tools.

amass: has a lot of options for showing subdomains and things associated with them.

Sublist3r: Sublist3r lists the subdomains of a domain and also has a brute-force module called subbrute, which can be used with domain wordlists.

#sublist3r -v -d facebook.com

Zone Identifier Commands

With the Zone Identifier, we can tell whether a file was downloaded from the internet or not.

Zone.Identifier is an ADS (Alternate Data Stream) attached to another file that contains information about it: it records the security zone the file came from. Zone identifier streams are generated by Internet Explorer and Outlook when saving files on a Windows operating system. These streams are normally hidden and cannot be opened directly.

Via PowerShell, we can find the Zone Identifier of a file:

PS C:\Progs\Forensics> Get-Content -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream zone.identifier

PS C:\Progs\Forensics> Get-Item -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream *

How To Remove Zone Identifier

For several reasons, you may choose to delete zone identifiers. It is very easy to do: just right-click the file and tick “Unblock” in the “Properties > General” menu.

If you want to unblock multiple files, it is still easy. Just navigate with PowerShell to the folder containing the files and type:

dir * | Unblock-File

This will clear the zone identifiers from all files in this folder.
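The `Get-Content -Stream` command above prints the raw stream; interpreting it (which zone number means what, and where the file came from) is the forensic question. The following is an added example, not from the post: a small Python parser for the Zone.Identifier text, plus a reader that opens the stream through the `file:Zone.Identifier` path syntax on Windows/NTFS. The `[ZoneTransfer]`/`ZoneId` layout and the URLZONE numbering are the real Windows format; the sample stream content, URLs and function names are constructed for this example.

```python
"""Read and interpret a file's Zone.Identifier alternate data stream.

Added example, not from the post. The stream is INI-style text with a
[ZoneTransfer] section; ZoneId is always present, ReferrerUrl/HostUrl are
written by newer browsers. SAMPLE_STREAM is constructed to look like that.
Reading the stream from disk needs Windows and NTFS; parsing runs anywhere.
"""
from pathlib import Path
from typing import Optional

# URLZONE values of the Windows security zone model.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what "Get-Content -Stream Zone.Identifier" prints.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/downloads/\r\n"
    "HostUrl=https://example.test/downloads/autopsy-4.17.0-64bit.msi\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse Zone.Identifier text into zone id, zone name and the URLs, if any."""
    info = {"zone_id": None, "zone_name": None, "referrer_url": None, "host_url": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            if not value.isdigit():
                continue
            info["zone_id"] = int(value)
            info["zone_name"] = ZONE_NAMES.get(int(value), "Unknown zone %s" % value)
        elif key == "referrerurl":
            info["referrer_url"] = value
        elif key == "hosturl":
            info["host_url"] = value
    return info


def is_from_internet(info: dict) -> bool:
    """Mark-of-the-Web check: zone 3 (Internet) or 4 (Restricted sites) means
    the file came from outside the machine and the local intranet."""
    return info["zone_id"] in (3, 4)


def read_zone_identifier(path) -> Optional[dict]:
    """Read and parse the stream from disk (Windows/NTFS only).
    Returns None when the file carries no Zone.Identifier stream."""
    stream_path = "%s:Zone.Identifier" % Path(path)
    try:
        with open(stream_path, "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

During triage, `read_zone_identifier` over a download folder gives you, per file, whether it carries the mark of the web and (for browser downloads) the URL it came from, which is the same information the PowerShell one-liner shows for a single file.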

Searching for IoC with Redline

Redline is a free tool for investigating malicious activity through memory and file analysis. It has a lot of investigation features, but in this post we will only cover searching for IoCs on an endpoint with Redline.

In the previous post, we created an IoC to detect WinSCP.exe. Now we will search for it with Redline as the example.

We start with the “Create an IOC Search Collector” menu on the main page of Redline. Here we browse to the folder containing the IoCs we want to search for on the PC. We have only one IoC here, but if you have more IoCs in the folder, you will see all of them in the “Indicators” tab.

Then we create a folder for the IoC Collector and, after clicking the “Next” button, point Redline at this folder. Redline creates the IoC Collector there. We will now run the RunRedlineAudit.bat file from the command line. Once the batch file finishes running, it creates a folder called “Sessions” in the same directory and saves its output there.

Just run the “RunRedlineAudit.bat” file and wait for it to finish. Then open the “Sessions” folder. Each IoC sweep is placed in its own folder called “AnalysisSessionX”. This was our first sweep, so we click on the “AnalysisSession1” folder. Our IoC report will be in the “AnalysisSession1.mans” file. We click on this file, and it takes some time to generate the report.

When the IoC report has been generated, we can see it in Redline under the “IOC Reports” tab. As you can see in the screenshot, our WinSCP Indicator IoC got hits. When we click on it, we can see why this IoC hit: here, our IoC caught the file by its MD5 hash value and file name. By clicking the “View Details” button, we can see more details about the hit.
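The Redline hit above (matched on MD5 hash and file name) and the “Hash Values” level of the Pyramid of Pain post are two views of the same mechanism. The following is an added example that serves both passages; it is not Redline’s code and not an OpenIOC implementation. It sweeps a directory with a hash-plus-filename indicator, then re-sweeps after a one-byte change to the file to show that the hash term stops matching while the name term still fires. The sample files, the indicator and the “WinSCP.exe” bytes are constructed in a temporary directory, so the MD5 used is a placeholder derived from those bytes, not a real WinSCP.exe hash.

```python
"""Tiny IoC sweep: match files by MD5/SHA-256 and by file name, as the Redline
post does for WinSCP.exe, and show why the Pyramid of Pain puts hash values at
the bottom.

Added example, not Redline's code and not an OpenIOC implementation. The sample
files are constructed in a temporary directory; the "WinSCP.exe" here is a few
made-up bytes, so its hash is a placeholder, not a real WinSCP.exe hash.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests of an in-memory blob."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def file_hashes(path) -> dict:
    """MD5 and SHA-256 of a file, read in 1 MiB chunks so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sweep(root, indicators) -> list:
    """Walk `root` and return hits as (path, indicator name, matched term).

    Each indicator is a dict with a 'name' and any of 'md5', 'sha256',
    'filename'; every term that matches produces its own hit, mirroring the
    Redline report that lists what an IoC was caught on."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            digests = file_hashes(path)
            for ioc in indicators:
                for term in ("md5", "sha256"):
                    if ioc.get(term) and digests[term] == ioc[term].lower():
                        hits.append((str(path), ioc["name"], term))
                if ioc.get("filename") and filename.lower() == ioc["filename"].lower():
                    hits.append((str(path), ioc["name"], "filename"))
    return hits


def demo() -> dict:
    """Constructed scenario: sweep once, then re-sweep after a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "WinSCP.exe"
        original = b"MZ constructed stand-in for WinSCP.exe"  # constructed, not a real binary
        target.write_bytes(original)
        (Path(tmp) / "readme.txt").write_bytes(b"nothing to see here")
        ioc = {"name": "WinSCP Indicator",
               "md5": hash_bytes(original)["md5"],      # derived from the constructed file
               "filename": "winscp.exe"}
        before = sweep(tmp, [ioc])
        # The trivial change the Pyramid of Pain post describes: one appended byte
        # changes every hash, while the tool and its file name stay the same.
        target.write_bytes(original + b"\x00")
        after = sweep(tmp, [ioc])
    return {"before": sorted(h[2] for h in before),
            "after": sorted(h[2] for h in after)}


if __name__ == "__main__":
    print(demo())  # {'before': ['filename', 'md5'], 'after': ['filename']}
```

The design point is in the indicator: pairing a brittle term (hash) with a term higher up the pyramid (file name, or better a host artifact or tool behaviour) keeps the detection alive when the hash changes, which is why the Redline report shows every term an IoC matched on rather than a single yes/no.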