Month: May 2018

Posted on

Common malware registry keys

Malware developers commonly program the code behind malware to perform malicious actions on targeted systems for nefarious purposes. One particular activity used by malware developers and their malware programs is to modify the contents of the targets host such as the registry in a Windows system architecture. The reason behind this is to protect the malware’s execution during the system reboot process to ensure persistence access on the host.

The registry on Windows systems is used as a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the registry.

Some common registry keys used my malware can be found below:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup=”C:\windows\start menu\programs\startup”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup=”C:\windows\start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
“Service”=”c:\runfolder\program.exe”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
“Whatever”=”c:\runfolder\program.exe”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“Service”=”c:\runfolder\program.exe”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Service”=”c:\runfolder\program.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Service”=”c:\runfolder\program.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Service”=”c:\runfolder\program.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
“Service”=”c:\runfolder\program.exe”

Posted on

Example of Indicators of Compromises (IOCs)

Indicators of Compromises (IOCs) are pieces of forensic information used in cyber security to identify patterns, or for identifying common links across disparate patterns to understand if a breach of cyber security has occurred. Some examples of IOCs can be found below:

  • Unusual Outbound Network Traffic

    • Check your network logs for traffic which may show outbound connections from source addresses, connecting to unknown destination addresses for which shouldn’t be taking place, e.g. a local UK pnly business and its application server connecting to destination addresses outside the UK.

  • Anomalies in Privileged User Account Activity

    • Privileged user accounts should be tightly controlled, monitored and audited. Typically these user accounts are used for special purposes, e.g. root access to a system to check log files. In this example, if the same privileged user account was exporting customer PCI data logs used by the system, this could be a indication.

  • Geographical Irregularities

    • See example for Unusual Outbound Network Traffic above.

  • Log-In Red Flags

    • Are there failed login events involving non-existent user accounts over consecutive login attempts.

  • Increases in Database Read Volume

    • Is there a surge in the database read volumes in comparison to normal or typical database reads. Monitoring significant increases in the amount of database reads, could indicate that database information is being modified by a threat.

  • HTML Response Sizes

    • Normal HTTP response sizes are relatively small depending on the use case. However if the HTML response size is significant, this could be a result of a SQL injection attack, e.g. testing for blind SQL vulnerabilities.

  • Large Numbers of Requests for the Same File

    • Particular files can be accessed frequently over a finite amount of time such as log files, however sensitive backup log files containing securely stored customer data with significant access requests could be an indicator.

  • Mismatched Port-Application Traffic

    • Typically DNS traffic is transmitted over port 53 (TCP/UDP), however if there is activity showing DNS traffic through common open ports such as TCP port 80, this usually is an anomaly (unless the network has been configured this way, although this approach should not be recommended).

  • Suspicious Registry or System File Changes

    • The registry is used by the system for storing registry keys (settings for system files, applications, etc.) and typically the registry only changes when called upon for system changes such as software installs, etc. However malware has known behavior in changing the registry by adding registry keys to maintain persistent configuration during system reboots.

  • Unusual DNS Requests

    • See Mismatched Port-Application Traffic above.

  • Unexpected Patching of Systems

    • Patching systems is and should be an encouraged activity to secure weaknesses in software, applications and systems against against vulnerabilities. Patching is typical within a change management process, however are there cases in which a system could be undergoing excessive patching activities, such as being configured to be more restricted and hardened by a hacker with privileged user account access.

  • Mobile Device Profile Changes

    • Enterprises commonly use BYOD and manages this accordingly with policies and management platforms to install mobile profiles to control mobile activity. However is there indication that profiles are being installed to mobiles with relaxed profile settings.

  • Bundles of Data in the Wrong Place

    • Data-at-rest and data-in-transit should be controlled and monitored appropriately. Data should be used for its intended purpose and should not be used in unexpected ways, e.g. is there sensitive customer data being copied to non-approved cloud storage environments or removable drives.

  • Web Traffic with Unhuman Behavior

    • A typical behavior witnessed by users is accessing single or multiple web pages over time. Sometimes there can be a large number of web pages requested by the user. However is there activity showing excessive or continious access requests to web resources across short periods of time, e.g. company intranet portal with significant Get requests over a couple of minutes.

  • Signs of DDoS Activity

    • Are network traffic logs showing multiple connections from disparate source IP addresses targeting critical assets over a consecutive and short period of time. In some cases, DDoS activity can be sustained for long periods of time depending on the attack methodology.

Posted on

Understanding the Snort alert log

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.

Below is an example event from the Snort alert file from /var/log directory:

[**] [1:2403478:40303] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90 [**]
[Classification: Misc Attack] [Priority: 2]
05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]

The alert log entry can be broken down as the following:

[**] [1:2403478:40303]
The Detection mechanism, Signature ID (SID) and signature revision. The SID (the middle number) has information about most of the signatures. The revision is minor release version of the signature.

If the SID is less than 1000000, this is a SourceFire signature (https://www.snort.org/rule_docs). If the SID is between 1000000 and 2000000, this is a snort community rule. If the SID is between 2000000 and 3000000, this is an Emerging Threats signature (https://emergingthreats.net). Lastly, if the SID is any other range, it will be a custom signature.

ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90
This is one example of a Snort signature. In this case, the Emerging Threat (ET) from the CINS Active Threat Intelligence – Sentinel IPS engine, and has detected a bad IP classification based on poor IP reputation (widely reported and blocked IPs).

[Classification: Misc Attack] [Priority: 2]
The classification of the signature, in this case the signature is classed as an miscellaneous attack with a priority of 2. Snort priorities range from 0 (lowest priority) up to 10 (highest priority.

05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
The month/day and timestamp of the signature event followed by the source IP address with port number, to the destination port number. Example denotes XX.XX.XX.XX as the IP address and :xx as the port number.

TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
The IP header for the signature event. Displays the Time-to-Live (TTL), Type of Service (TOS), identifier (ID), the IP length (IpLen) and the datagram length – inclusive of headers and payload (DgmLen).

******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
The IP header flags (S for SYN), the IP sequence ID (seq), Acknowledgement (ACK), sequence window (Win) and the TCP length (TcpLen).

[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]
The signature reference for further information.