Week 2 – Advanced Windows Security Course
Week 1 is behind us and we covered some great material! It has already been a real eye opener to see how easy it is to gain access to a machine and extract information from it. Last week we covered
- Windows 10/Windows Server 2016 – Platform Security and Internals
- Attacks on Credentials & Prevention Solutions
Now we are onto week2 and we’ve got two great topics to cover
We’ve already seen that you must actively monitor your servers. Applocker and Sysmon together are a great combination. Applocker blocks unwanted software and Sysmon will inform you when someone is running something unusual
Monitoring network usage by process
You’d probably think let’s start with Task Manager, Resource Monitor or Netstat. However these don’t actually capture the mapping of network traffic to process for all of the processes. Wireshark or Microsoft Network Monitor is capturing at a level lower, so it will capture all network traffic but has no understanding of which process is generating that traffic.
Another tool is NetworkMiner from NetResec which is a great tool but it is more for creating copies of any files transferred over http/https and saving them for later analysis.
The built in tool logman performs event tracing, and as we saw in Week1 a default Windows 10 machine has around 1000 event providers so there is an enormous amount of data that we could collect, and yes this can include private/secure information like passwords transmitted over HTTPS.
logman start SessionName -p Microsoft-Windows-Winsock-AFD -o SessionName.etl -ets
This will start a trace and the -ets will keep the session open, so doesn’t save or schedule the trace, just starts it and keeps it running.
logman stop SessionName.ets
This will stop the session and save the output file we gave it in the -o parameter earlier. Reading the etl file requires the use of tracerpt
tracerpt SessionName.etl -o SessionName.txt
We now have a text file that contains xml. We can search this xml file for ipaddress:port and then see the process ID that is making that communication request.
This is a bit cumbersome, so let’s find a better tool…
Monitoring network stack (stackwalk)
XPerf can be used to monitor the network stack. It is an amazing tool but you do need to know what to search for in order to not get overwhelmed.
xperf -providers -K
This gives you the list of flags that are available for you to trace
xperf -on NETWORKTRACE+LOADER+PROC_THREAD -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 256 -FileMode Circular
This starts a trace for network traffic, thread activity and file loading activity, we set the buffersize to 1MB and the number of buffers we want to use for tracing. We ensure the file won’t be bigger than 256MB and we’ll overwrite earlier events when we run out of room.
xperf -stop -d network1.etl
This stops the trace and writes out the event trace log file. Note that this trace log can include sensitive information including passwords in clear text!
xperf -i network1.etl -o network1.txt -a dumper
Creates a more readable format that you can open in notepad and search there or use findstr to search it from the command line.
findstr /I TcpSend network1.txt
Remote Network Monitoring
Install Remote Packet Capture Protocol on the host that you want to monitor, and then you can use a tool like Wireshark to connect to that remote host and monitor its network traffic. In Wireshark from the Capture menu choose Options. In the Capture Interfaces dialog click the Manage Interfaces button, and select the Remote Interfaces tab.
Building a network visibility map
nmap can be used to create a network visibility map, i.e. which IPs are live on the network.
nmap -sn 10.10.10.1/24
To give a list of hosts that are responding
nmap -iL <filename>
To read the file and only portmap the hosts in the file
Port scanning techniques
We can use nmap to scan which ports are open on a given host. We have two different port scanning techniques.
nmap -sS 10.10.10.200
To run a stealth scan, i.e. a half port scan, i.e. SYN, SYN ACK, RST sequence to not actually make a connection. However it can get false positives in certain cases. It is very fast though!
nmap -sT 10.10.10.200
To run a connect scan, i.e. a full part scan, i.e. SYN, SYN ACK, ACK, RST
nmap -sV 10.10.10.200
To run a version scan, i.e. it tries to actually work out what is running behind each port
nmap -sS -O 10.10.10.200
To discover the OS running on the host. This is not very accurate but together with -sV you can typically work out which OS you’re dealing with
Cain & Abel is an old tool but it can be used for sniffing, including injection of certificates, ARP poisoning, DNS spoofing, etc.
Active sniffing: ARP cache poisoning and DNS spoofing
Using a Linux machine running ettercap you can edit etter.dns to create whatever DNS records you like.
ettercap -T -Q -M arp -P dns_spoof /10.10.10.250/ //
To launch an ARP cache poisoning attack against the host 10.10.10.250 and give it our answers instead of the normal DNS server answers. DNSSEC can be used to avoid these kinds of DNS spoofing attacks. In Group Policy we can create Name Resolution Policy to enforce certain domains needing DNSSEC before the DNS answer is accepted.
Within DNS Manager, right click on the zone you’d like to sign, from DNSSEC choose Sign the Zone. Customize Zone Signing Parameters, For Key Signing Key (KSK which signs the records) set the roll over period appropriately and choose your algorithm. For Zone Signing Key (ZSK which signs the keys) set the roll over period appropriately and choose your algorithm. Choose NSEC3, generate and use salt of length, to ensure that a query for an unknown record returns the next secure record, but a hash of it so that it cannot be used for zone walking.
For privately generated certificates (e.g. a partner) you can add Trust Points in DNS manager where you can import the public key for your partner’s secure zone(s)
You cannot use nslookup to test DNSSEC queries, you can however use Resolve-DnsName from PowerShell
When your KSK rolls over you have to ensure you give the updated key to any Trust Points who relies on that key.
SMB Relay attack
Let’s assume we have a machine wanting to talk to say a file server over NetBIOS (shortname or ip address). The server sends a challenge and the workstations encrypts this challenge with the hash and the file server (who knows the hash) can validate that this is correct. However the workstation has no idea if the server that sent it the challenge was actually the file server! It could just as easily be a rogue machine, who in turn forwards your answer to the server you did want to talk to and authenticates as you! It can even forward the encrypted challenge to a totally different machine and authenticate as you too!!!
Just disable NetBIOS everywhere! Be aware of WPAD which can also be used to direct traffic through a rogue host but even worse it can ask for authentication which would provide it with the user’s encrypted challenge!
Ensure that SPNs are configured for service accounts so that Kerberos can be used. Consider turning on the setting ‘Require SPN target name validation’ but be aware that it would pretty much limit access to domain joined servers.
Consider turning on SMB Signing. There is up to 15% network performance impact so test whether the performance impact is a concern before wider adoption.
Web traffic architecture
When we’re looking at malware that is listening or web traffic we need to understand the Windows architecture a bit better. Windows has two modes of execution, kernel mode and user mode. Kernel mode is for anything that accesses hardware directly, user mode always relies on kernel mode software to abstract the hardware. In the case of web traffic there is a kernel mode driver called http.sys which has as configuration a set of bindings. Each binding tells the driver where to forward that web traffic to. In the case of IIS this is svchost.exe running the Word Wide Web Publishing Service and the Windows Process Activation Service. This reads ApplicationHost.config and sends the traffic to the appropriate instance of w3wp.exe. The bindings can also be used for non-IIS processes though, including svchost.exe running winrm, or malware running via things like rundll32.exe!
netsh http show servicestate
Shows the bindings currently configured for http.sys. You can analyse this output to make sure that every port and url listened to is what you expect.
Detection of Malicious Code
Use autoruns to see what software is hooked where to ensure it starts automatically. E.g. on logon, when running Explorer, Internet Explorer, etc. The great thing about the tool (aside from it showing you what is being loaded) is that you can get it to verify signatures and to submit file hashes to VirusTotal to see if any scanners show this file as malicious. It isn’t extensible so a lot of 3rd party software isn’t included.
When you’re using autoruns to then check how the malware is hooked, just remember that the options to hide all Windows or all Microsoft entries may sometimes pick up malware too (as long as the metadata pretends to be Microsoft)
There is another tool from bleepingcomputer.com called Farbar Recovery Scan Tool. It isn’t the best tool in the world, but it produces a nice text file showing what is hooked where including a lot of 3rd party software.
Analysis of Malware Samples
Process Explorer and Process Monitor are great at helping you look at what malware is doing. Process Explorer has a target icon which allows you to drag that icon over any visible window and it shows you the process who owns that window. This is great for any nagware to see what is causing the popup. Also in Process Explorer you can show the bottom view and let it display all DLLs, which then shows you any DLL that the currently selected process has loaded. You can also ask Process Explorer to verify all of the signatures. This means you can easily find DLLs that are not signed, or signed by a different company than what the file properties says it is.
If you want to further delve into how the malware works then you can use
- ILSpy a .NET decompiler, great to get some basic looking source code
- PEBrowse a tool to show which functions are imported from other DLLs and which functions are exported from this process. It gives you assembler code for a single function. Now you don’t need to be able to read assembler but you can see things like URL strings, method names, CLR runtime loading, etc.
- Resource Hacker to extract resources out of executables and DLLs (often malware includes executables within resources, you can use Notepad to see if you can find any ‘MZ ‘ strings within the executable code. If so then you may find ‘This program cannot be run in DOS mode’ This is a way to see that Resource Hacker might be useful here)
Of course sometimes the malware code is obfuscated in some way, so you can’t just read it out of a DLL or executable, however fortunately in order for the code to run it has to be decrypted at some point. In order to do this we can run procdump to create a memory dump of the process.
procdump -t -ma rundll32.exe
Create a memory dump when rundll32.exe terminates. When we get a memory dump we can use the built in windows debugger (windbg) to open that dumpfile. After loading it we can run
.loadby sos clr !dumpdomain
To show what is inside this dump. we can look through this list and then click on any resource that we believe is interesting, and you can use !savemodule with a module address to save that module out to an external file, and hey presto you have a decrypted piece of executable/dll code. You can now put this file back into ILSpy (if it is .NET code) and you’ll be able to ‘read’ the malware source code.
Implementation of Ransomware prevention
Before we can prevent ransomware we need to understand how they typically work. First a PELoader loads a resource module to evade Anti-Virus. The decrypted assembly contacts a server on the Internet to get keys, it then encrypts the files and then contacts you to let you know that you’ve been hacked. You can either
- Pay the ransom
- Remove the ransom software using autoruns, process explorer and process monitor, and then delete all of the encrypted files
To prevent ransomware you need to look at outbound firewall rules and application whitelisting. The outbound firewall rules would prevent the software from talking to the server to get the keys, and application whitelisting would prevent the malicious code from running in the first place.
Application Whitelisting (AppLocker, DeviceGuard)
Initially Microsoft provided Software Restriction Policy within GPO which was really more of a black listing tool. Thinking now is that you really ought to move to a whitelisting model. Accepting that this is easier for servers than workstations, however if you need secure machines than whitelisting what is allowed to run is a great way to boost security.
Microsoft created Applocker and DeviceGuard to allow you to totally control what can run on a machine and who can run it. DeviceGuard controls what software can be run by anyone on the machine (simple yes it can run, or no it cannot run). AppLocker then allows you to say that when you logon you can run regedit and I cannot, even if we both use the same workstation.
The high level steps to configure code integrity (Device Guard):
- Group devices into similar roles
- Use PowerShell to generate policies from Golden PCs (New-CIPolicy)
- After auditing use PowerShell to merge policies if needed (Merge-CIPolicy)
- Discover unsigned LOB apps and generate security catalogs (packageinspector.exe and signtool.exe)
- Deploy code integrity policies and catalogs
- Set the GPO setting for Deploy Code Integrity Policy
You can use CryptoPrevent for inspiration as to what else can be done, although generally AppLocker and DeviceGuard could be better options.