Posts

Posted on

Common malware registry keys

Malware developers commonly program the code behind malware to perform malicious actions on targeted systems for nefarious purposes. One particular activity used by malware developers and their malware programs is to modify the contents of the targets host such as the registry in a Windows system architecture. The reason behind this is to protect the malware’s execution during the system reboot process to ensure persistence access on the host.

The registry on Windows systems is used as a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the registry.

Some common registry keys used my malware can be found below:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup=”C:\windows\start menu\programs\startup”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup=”C:\windows\start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
“Service”=”c:\runfolder\program.exe”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
“Whatever”=”c:\runfolder\program.exe”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“Service”=”c:\runfolder\program.exe”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Service”=”c:\runfolder\program.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Service”=”c:\runfolder\program.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Service”=”c:\runfolder\program.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
“Service”=”c:\runfolder\program.exe”

Posted on

Example of Indicators of Compromises (IOCs)

Indicators of Compromises (IOCs) are pieces of forensic information used in cyber security to identify patterns, or for identifying common links across disparate patterns to understand if a breach of cyber security has occurred. Some examples of IOCs can be found below:

  • Unusual Outbound Network Traffic

    • Check your network logs for traffic which may show outbound connections from source addresses, connecting to unknown destination addresses for which shouldn’t be taking place, e.g. a local UK pnly business and its application server connecting to destination addresses outside the UK.

  • Anomalies in Privileged User Account Activity

    • Privileged user accounts should be tightly controlled, monitored and audited. Typically these user accounts are used for special purposes, e.g. root access to a system to check log files. In this example, if the same privileged user account was exporting customer PCI data logs used by the system, this could be a indication.

  • Geographical Irregularities

    • See example for Unusual Outbound Network Traffic above.

  • Log-In Red Flags

    • Are there failed login events involving non-existent user accounts over consecutive login attempts.

  • Increases in Database Read Volume

    • Is there a surge in the database read volumes in comparison to normal or typical database reads. Monitoring significant increases in the amount of database reads, could indicate that database information is being modified by a threat.

  • HTML Response Sizes

    • Normal HTTP response sizes are relatively small depending on the use case. However if the HTML response size is significant, this could be a result of a SQL injection attack, e.g. testing for blind SQL vulnerabilities.

  • Large Numbers of Requests for the Same File

    • Particular files can be accessed frequently over a finite amount of time such as log files, however sensitive backup log files containing securely stored customer data with significant access requests could be an indicator.

  • Mismatched Port-Application Traffic

    • Typically DNS traffic is transmitted over port 53 (TCP/UDP), however if there is activity showing DNS traffic through common open ports such as TCP port 80, this usually is an anomaly (unless the network has been configured this way, although this approach should not be recommended).

  • Suspicious Registry or System File Changes

    • The registry is used by the system for storing registry keys (settings for system files, applications, etc.) and typically the registry only changes when called upon for system changes such as software installs, etc. However malware has known behavior in changing the registry by adding registry keys to maintain persistent configuration during system reboots.

  • Unusual DNS Requests

    • See Mismatched Port-Application Traffic above.

  • Unexpected Patching of Systems

    • Patching systems is and should be an encouraged activity to secure weaknesses in software, applications and systems against against vulnerabilities. Patching is typical within a change management process, however are there cases in which a system could be undergoing excessive patching activities, such as being configured to be more restricted and hardened by a hacker with privileged user account access.

  • Mobile Device Profile Changes

    • Enterprises commonly use BYOD and manages this accordingly with policies and management platforms to install mobile profiles to control mobile activity. However is there indication that profiles are being installed to mobiles with relaxed profile settings.

  • Bundles of Data in the Wrong Place

    • Data-at-rest and data-in-transit should be controlled and monitored appropriately. Data should be used for its intended purpose and should not be used in unexpected ways, e.g. is there sensitive customer data being copied to non-approved cloud storage environments or removable drives.

  • Web Traffic with Unhuman Behavior

    • A typical behavior witnessed by users is accessing single or multiple web pages over time. Sometimes there can be a large number of web pages requested by the user. However is there activity showing excessive or continious access requests to web resources across short periods of time, e.g. company intranet portal with significant Get requests over a couple of minutes.

  • Signs of DDoS Activity

    • Are network traffic logs showing multiple connections from disparate source IP addresses targeting critical assets over a consecutive and short period of time. In some cases, DDoS activity can be sustained for long periods of time depending on the attack methodology.

Posted on

Understanding the Snort alert log

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.

Below is an example event from the Snort alert file from /var/log directory:

[**] [1:2403478:40303] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90 [**]
[Classification: Misc Attack] [Priority: 2]
05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]

The alert log entry can be broken down as the following:

[**] [1:2403478:40303]
The Detection mechanism, Signature ID (SID) and signature revision. The SID (the middle number) has information about most of the signatures. The revision is minor release version of the signature.

If the SID is less than 1000000, this is a SourceFire signature (https://www.snort.org/rule_docs). If the SID is between 1000000 and 2000000, this is a snort community rule. If the SID is between 2000000 and 3000000, this is an Emerging Threats signature (https://emergingthreats.net). Lastly, if the SID is any other range, it will be a custom signature.

ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90
This is one example of a Snort signature. In this case, the Emerging Threat (ET) from the CINS Active Threat Intelligence – Sentinel IPS engine, and has detected a bad IP classification based on poor IP reputation (widely reported and blocked IPs).

[Classification: Misc Attack] [Priority: 2]
The classification of the signature, in this case the signature is classed as an miscellaneous attack with a priority of 2. Snort priorities range from 0 (lowest priority) up to 10 (highest priority.

05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
The month/day and timestamp of the signature event followed by the source IP address with port number, to the destination port number. Example denotes XX.XX.XX.XX as the IP address and :xx as the port number.

TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
The IP header for the signature event. Displays the Time-to-Live (TTL), Type of Service (TOS), identifier (ID), the IP length (IpLen) and the datagram length – inclusive of headers and payload (DgmLen).

******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
The IP header flags (S for SYN), the IP sequence ID (seq), Acknowledgement (ACK), sequence window (Win) and the TCP length (TcpLen).

[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]
The signature reference for further information.

Posted on

Create Executable Python Script with PyInstaller

PyInstaller for Python can be used to create a standalone executable from a Python script.

To create the executable, Python must be installed on the local host. Python can be obtained from here. Currently as of 2018, there is Python versions 2 and 3 available to download.

Before proceeding with the environment setup, test that the pip libraries have been installed with your Python installation with the following command in the Python interpreter:

pip

This will show the command results for the pip command. For any errors with running the pip command, pip may need to be downloaded and installed manually.

Next step is to install PyInstaller. This is done by using the following command within the Python interpreter:

pip install pyinstaller

For PyInstaller on Windows environments, PyWin32 might be required and can be found here

To test Python is running in your environment, test your Python script with the following command:

python your_script.py

Once PyInstaller has been installed, within your Python script directory, the following command can be used with your Python script to create the standalone executable:

pyinstaller --onefile .py

For any other issues with installing or running pip, PyInstaller or Python scripts, you may need to set up your PATH environment variables within your operating system.

Posted on

Programming Languages

Python
Paradigm: Object-oriented, imperative, functional, procedural, reflective
Typing discipline: Duck, dynamic, strong

Ruby
Paradigm: Multi-paradigm: Object-oriented, imperative, functional, reflective
Typing discipline: Duck, dynamic, strong

C
Paradigm: Imperative (procedural), structured
Typing discipline: Static, weak, manifest, nominal

C++
Paradigm: Multi-paradigm: procedural, functional, object-oriented, generic
Typing discipline: Static, nominative, partially inferred

C#
Paradigm: Structured, imperative, object-oriented, event-driven, task-driven, functional, generic, reflective, concurrent
Typing discipline: Static, dynamic, strong, safe, nominative, partially inferred

Perl
Paradigm: Multi-paradigm, functional, imperative, object-oriented (class-based), reflective, procedural, event-driven, generic
Typing discipline: Dynamic

Java
Paradigm: Multi-paradigm: object-oriented (class-based), structured, imperative, generic, reflective, concurrent
Typing discipline: Static, strong, safe, nominative, manifest

PHP
Paradigm: Imperative, functional, object-oriented, procedural, reflective
Typing discipline: Dynamic, weak

Posted on

Installing Tk on Windows for Python

ActiveTcl is a precompiled distribution of the open source Tcl language. Tcl includes the Tk extension libraries for Python.

  • Install the “ActiveTcl” distribution from ActiveState – Link
  • Download the Community Edition of ActiveTcl for Windows
  • Run and complete the installer for the Community Edition of ActiveTcl for Windows
  • After the installer completes, assuming the default directory was used for installation, verify ActiveTcl has installed correctly by opening a Command Prompt window and typing C:\ActiveTcl\bin
  • An on-screen Tcl window will be displayed. This can be closed and confirms successful installation of ActiveTcl.
Posted on

Connecting PyCharm (Python IDE) to GitHub via Token Authentication

  1. Open PyCharm
  2. Click “Settings”, “Version Control” and then “GitHub” menu item
  3. Leave “Host” as default: github.com
  4. Leave “Auth Type” as default: token
  5. Enter your GitHub authentication token in to the input box. For guidance on creating GitHub tokens, please see Link
  6. Click the “Test” button to test the Github authentication channel
  7. For successful authentication connections, a display message will be shown. Click “Ok” to close.

    8. PyCharm will now be authenticated to your GitHub account using your personal access token, and will be ready for version control development for your Python projects.