Monday, March 15, 2021

Making Image of A Laptop (Part 1)

1.     Description

The first step of incident response is to image the suspicious system and record the hash of the DD image, which proves that the captured state of the suspicious system has not been modified afterwards. Keep in mind that the fewer changes made to the suspicious system, the better.

2.     Requirement

1)    USB stick, 8 GB or greater. It will be used to boot the system with a customized Linux to make the image.

2)    USB external hard drive, 1 TB or greater recommended. It will be used to save the image.

3)    PALADIN EDGE 64 (Version 8.01) ISO (https://sumuri.com/product/paladin-edge-64-bit/). The tool is available for FREE; however, a donation to support the project is highly recommended.

4)    Rufus 3.8 or later (https://rufus.ie/)

3.     Make a bootable USB stick with the Paladin Edge tool

1)    On a test laptop (not the suspicious laptop), download Paladin Edge 64-bit ISO from https://sumuri.com/product/paladin-edge-64-bit/

2)    Download Rufus from https://rufus.ie/

3)    Insert the USB stick. Run Rufus, select the device and the ISO file (Boot selection), and leave the other options at their default settings. Click the “Start” button to begin creating the bootable USB.

4.     Make a DD image of the suspicious system

A DD file is a raw disk image, a sector-by-sector replica of a hard disk drive. It is widely used in forensic investigation.

Keep in mind that the fewer changes made to the suspicious system, the better.

1)    Shut down the suspicious computer, or put it to sleep, as soon as possible to preserve its state.

2)    Find out how to boot the suspicious laptop from a USB drive. Different laptops may use different methods.

3)    Using the ThinkPad T480s as the example:

4)    Attach the USB stick to the system via any available USB port.

5)    Power on the system. Press F12 immediately when the ThinkPad logo appears.

6)    A pop-up menu with a list of choices should appear. Select the USB drive using the arrow keys and press Enter.

7)    The system should now boot from the USB stick (if not, try disabling “Secure Boot” in the BIOS setup).

8)    On the screen, select the first option, “Sumuri Paladin Live Session – Forensic Mode”, and press Enter.

9)    Wait until the OS has loaded, then connect the external hard disk to an available USB port.

10) Click the first icon, “Paladin Toolbox”.

11) There might be a warning about time synchronization. Adjust the host system time if needed and click the OK button to continue.

12) Click the “Source” dropdown list and select the laptop’s hard drive.

13) Click the “Image Type” dropdown list and select “DD (RAW)”.

14) Click the “Destination” dropdown list and select the external hard drive.

15) Enter the label name and click “Start”.

16) After the image is done, open the .log.hashes file to check the hash.

17) Now you have a DD image together with its hash. You can mount it as a read-only drive to perform the forensic analysis.

Also refer to:

1)    Making Image of a laptop – Summary (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-summary.html)

2)    Paladin Edge 64 (https://andyinmatrix.blogspot.com/2021/03/making-image-of-laptop.html)

3)    Kali Linux (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-2.html)

4)    FTK Imager (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-3.html)


Thursday, March 4, 2021

A quick check of the 0-day exploitation on Exchange Servers.

1.     Microsoft script Test-ProxyLogon.ps1

Microsoft’s Test-ProxyLogon.ps1 is a comprehensive script that checks for signs of exploitation of CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065.

To use this script, your account must be a local administrator on the Exchange Server and a member of the AD group "Microsoft Exchange Security Groups" > "Organization Management".

1)    Download the script from https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1

2)    Run the “Exchange Management Shell” as administrator.



3)    To check all Exchange servers and save the output, run command: Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

4)    To check the local server only, run the script: .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs



5)    Review the logs.

2.     Microsoft Nmap script http-vuln-cve2021-26855.nse

This script is for use with Nmap. It detects whether the specified URL is vulnerable to the Exchange Server SSRF vulnerability (CVE-2021-26855).

1)    Download the script from https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse

2)    Copy the file to the Nmap scripts folder. On Windows, the default location is C:\Program Files (x86)\Nmap\scripts. On macOS, the default location is /usr/local/share/nmap/scripts.

3)    Run the command: nmap -p <port> --script http-vuln-cve2021-26855 <target>



3.     Microsoft Support Emergency Response Tool (MSERT)

To use the Microsoft Support Emergency Response Tool (MSERT) to scan the Microsoft Exchange Server locations for known indicators from adversaries:

1)    Download MSERT from Microsoft Safety Scanner Download – https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download.

2)    Read and accept the End user license agreement, then click Next.

3)    Read the Microsoft Safety Scanner Privacy Statement, then click Next.

4)    Select full scan.



4.     Nmap script http-vuln-exchange.nse

http-vuln-exchange.nse is a quick and dirty nmap script which can be used to find potentially vulnerable servers in your environments. (https://twitter.com/GossiTheDog/status/1366863377344126976)

1)    Download the http-vuln-exchange.nse script from https://github.com/GossiTheDog/scanning.

2)    Copy the file to the Nmap scripts folder. On Windows, the default location is C:\Program Files (x86)\Nmap\scripts. On macOS, the default location is /usr/local/share/nmap/scripts.

3)    Run the command: nmap -p <port> --script http-vuln-exchange.nse <target>



5.     Check if patch KB5000871 is installed on Exchange Server

1)    For Exchange 2010, the patch is KB5000978. Open Control Panel > Add or Remove Programs and check whether update KB5000978 is in the program list.

2)    For Exchange 2013 CU23, the version should be 15.00.1497.012 (or greater)

3)    For Exchange 2016 CU18, the version should be 15.01.2106.013 (or greater)

4)    For Exchange 2016 CU19, the version should be 15.01.2176.009 (or greater)

5)    For Exchange 2019 CU7, the version should be 15.02.0721.013 (or greater)

6)    For Exchange 2019 CU8, the version should be 15.02.0792.010 (or greater)

7)    Run PowerShell command: Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo}


6.     Check suspicious hashes

(As of March 13, 2021) Web shell hashes:

1) Hashes from Microsoft (sha256): https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

2) Hashes from FireEye (MD5): https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

  • 4b3039cf227c611c45d2242d1228a121
  • 0fd9bffa49c76ee12e51e3b8ae0609ac
  • 79eb217578bed4c250803bd573b10151

3) Hashes from Volexity (sha256): https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

  • 893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2
  • 406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928
  • 2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a

4) Hashes from CISA (sha256): https://us-cert.cisa.gov/ncas/alerts/aa21-062a

Download the PowerShell script ProxyLogonHashes.ps1 from https://github.com/andyinmatrix/PowerShell, modify the paths of the IIS and Exchange Server directories in it, and run it.

Check CVE-2021-24085

CVE-2021-24085 is Microsoft Exchange Server msExchEcpCanary Cross Site Request Forgery Elevation of Privilege Vulnerability

1)    Copy the IIS logs to another location.

2)    Use the grep command to search for the strings below and check the output:

grep -nr "/ecp/y.js" *.log

grep -nr "/ecp/DDI/DDIService.svc/GetList" *.log

grep -nr "/ecp/DDI/DDIService.svc/SetObject" *.log

3)    If using Windows:

findstr "\/ecp\/y.js" *.log

findstr "\/ecp\/DDI\/DDIService.svc\/GetList" *.log

findstr "\/ecp\/DDI\/DDIService.svc\/SetObject" *.log

Check CVE-2021-26855

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

1)      Check the Exchange HttpProxy log: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy

2)      Run the following PowerShell script to check whether there were any attack attempts (it parses every HttpProxy log and keeps the unauthenticated requests whose AnchorMailbox matches the SSRF pattern):

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

3)      If attack attempts were detected, check the details in the logs under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging
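
The same filter as the PowerShell one-liner above, written in Python as an added example (not from the page or from Microsoft) so it can be run against HttpProxy logs copied off the server. It assumes each log file starts with a CSV header row naming the columns, which is what Import-Csv relies on; the log excerpt, host names and addresses in it are constructed.

```python
import csv
import fnmatch
import io
import os
import tempfile

# Constructed HttpProxy-style excerpt (not real data). Assumption: each log file starts
# with a CSV header row naming the columns, as the Import-Csv command above relies on.
SAMPLE_LOG = """DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T10:15:01.123Z,1,Autodiscover,/autodiscover/autodiscover.xml,CONTOSO\\jdoe,Sid~S-1-5-21-1111-2222-3333-1104,10.0.0.5,200
2021-03-02T10:16:44.001Z,2,Ecp,/ecp/y.js,,ServerInfo~localhost/ecp/default.flt?#,203.0.113.7,200
2021-03-02T10:17:02.555Z,3,Owa,/owa/auth/x.js,,ServerInfo~exch01.contoso.local/autodiscover/autodiscover.xml?#,203.0.113.7,200
2021-03-02T10:18:10.000Z,4,Owa,/owa/,CONTOSO\\asmith,Smtp~asmith@contoso.local,10.0.0.9,200
2021-03-02T10:19:30.000Z,5,Eas,/Microsoft-Server-ActiveSync,,ServerInfo~EXCH01,10.0.0.12,401
"""

PATTERN = "ServerInfo~*/*"   # the -like pattern from the PowerShell command above


def find_ssrf_attempts(csv_text, pattern=PATTERN):
    """Mirror the PowerShell filter: AuthenticatedUser is empty AND AnchorMailbox -like pattern.
    -like is case-insensitive, so both sides are lower-cased before fnmatchcase().
    Row 5 of the sample (unauthenticated, but no '/' after ServerInfo~) is deliberately not a hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatchcase(anchor.lower(), pattern.lower()):
            hits.append({k: row.get(k, "") for k in ("DateTime", "RequestId", "AnchorMailbox", "ClientIpAddress")})
    return hits


def scan_httpproxy_dir(root):
    """Recurse through root like Get-ChildItem -Recurse -Filter '*.log' and collect all hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".log"):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    hits.extend(find_ssrf_attempts(fh.read()))
    return hits


def demo():
    """Write the constructed excerpt into a temporary tree with a nested folder, then scan it."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "Autodiscover")
    os.makedirs(sub)
    with open(os.path.join(sub, "HttpProxy_2021030210-1.LOG"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    return scan_httpproxy_dir(root)
```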

Check CVE-2021-26857

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

1)    Run the command below to check whether there were any attack attempts:

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

2)    Exploitation of this deserialization bug will create Application events with the following properties:

·      Source: MSExchange Unified Messaging

·      EntryType: Error

·      Event Message Contains: System.InvalidCastException

Check CVE-2021-26858

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

1)    Log location: C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog. Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory. In case of exploitation, files are downloaded to other directories (UNC or local paths).

2)    Open a command line window and run the command below to check whether there were any attack attempts:

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

Check CVE-2021-27065

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

1)    Exchange Log: C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid URIs.

2)    Run the command below to check whether there were any attack attempts:

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'

Last Activity View

According to Microsoft:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

1)    Using Procdump to dump the LSASS process memory

2)    Using 7-Zip to compress stolen data into ZIP files for exfiltration

3)    Adding and using Exchange PowerShell snap-ins to export mailbox data

4)    Using the Nishang Invoke-PowerShellTcpOneLine reverse shell

5)    Downloading PowerCat from GitHub, then using it to open a connection to a remote server.

To check if there were any similar activities on the system:

1)    Download LastActivityView tool from https://www.nirsoft.net/utils/computer_activity_view.html

2)    Run it as administrator and check whether there were any “Procdump” and “7z” activities.

Web Shell Search

According to Microsoft, the web shells detected had the following file names:

·      web.aspx

·      help.aspx

·      document.aspx

·      errorEE.aspx

·      errorEEE.aspx

·      errorEW.aspx

·      errorFF.aspx

·      healthcheck.aspx

·      aspnet_www.aspx

·      aspnet_client.aspx

·      xx.aspx

·      shell.aspx

·      aspnet_iisstart.aspx

·      one.aspx

Create a batch file with the commands below and run it as administrator to search for these files:

dir web.aspx /s

dir help.aspx /s

dir document.aspx /s

dir errorEE.aspx /s

dir errorEEE.aspx /s

dir errorEW.aspx /s

dir errorFF.aspx /s

dir healthcheck.aspx /s

dir aspnet_www.aspx /s

dir aspnet_client.aspx /s

dir xx.aspx /s

dir shell.aspx /s

dir aspnet_iisstart.aspx /s

dir one.aspx /s

Compressed file Search

Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.

Create a batch file with the commands below and run it as administrator to search for these files:

dir C:\ProgramData\*.zip /s

dir C:\ProgramData\*.rar /s

dir C:\ProgramData\*.7z /s

LSASS dumps Search

Check for LSASS dumps in the folders below:

·      C:\windows\temp\

·      C:\root\

[Edit on Nov 10, 2021]

CVE-2021-42321

CVE-2021-42321 only affects on-premises Microsoft Exchange servers, including those used by customers in Exchange Hybrid mode (Exchange Online customers are protected against exploitation attempts and don't need to take any further action).

If you want to check and see if any of your Exchange servers were hit by CVE-2021-42321 exploitation attempts, run the following PowerShell query on each Exchange server to check for specific events in the Event Log:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

Exchange Server Health Checker

The Exchange Server Health Checker script helps detect common configuration issues that are known to cause performance issues and other long running issues that are caused by a simple configuration change within an Exchange Environment. It also helps collect useful information of your server to help speed up the process of common information gathering of your server.

It can be downloaded from https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

Reference:

1)    https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

2)    https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

3)    https://us-cert.cisa.gov/ncas/alerts/aa21-062a

4)    https://github.com/microsoft/CSS-Exchange/tree/main/Security

5)    https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

6)    https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/bc-p/2183421/highlight/true

7)    https://github.com/GossiTheDog/scanning

8)    https://www.bleepingcomputer.com/news/microsoft/microsoft-urges-exchange-admins-to-patch-bug-exploited-in-the-wild/amp

9)    https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

Tuesday, February 23, 2021

How to get the IP and the lease time from registry key

(Just for my reference)

In digital forensics, you sometimes need to find out which IPs a laptop had and when it had them.

Suppose you have a Windows 10 DD image and want to find out the IP addresses that were assigned to it and their lease times, so that you can search the logs (firewall, AD, etc.) for the relevant events.

The information can be found in the registry (the examples that follow were taken from a Windows 10 DD image).

If the IP was permanently assigned, it can be found under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\Parameters\Tcpip.

If it was assigned by DHCP, it can be found under
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

or, even easier, search for “dhcpipaddress” to find the IPs.

There are two values, LeaseObtainedTime and LeaseTerminatesTime, both stored in epoch time format.

You can use python3 to convert them:

matrix@matrix ~ % python3
Python 3.9.1 (default, Jan  8 2021, 17:17:43) 
[Clang 12.0.0 (clang-1200.0.32.28)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from datetime import datetime
>>> datetime.fromtimestamp(1614085226).isoformat()
'2021-02-23T08:00:26'
>>> datetime.fromtimestamp(1614161347).isoformat()
'2021-02-24T05:09:07'
>>> datetime.fromtimestamp(1614123286).isoformat()
'2021-02-23T18:34:46'
>>> datetime.fromtimestamp(1614151831).isoformat()
'2021-02-24T02:30:31'
>>> 


There are two other values (T1 and T2) that are also timestamps in epoch format. They store the time that the interface acquired the lease on its IP address.

The client attempts to renew its lease when the value of T1 expires and, if necessary, tries again when the value of T2 expires. By default, T1 is equal to half of the value of Lease and T2 is equal to 7/8 (87.5%) of the value of Lease.
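
An added example (not part of the original post) that converts the four DHCP registry values in one go and checks that T1 and T2 fit the 1/2 and 7/8 rule just described, which is a quick sanity check that the four values belong to the same lease. It assumes the four epoch values from the session above are LeaseObtainedTime, LeaseTerminatesTime, T1 and T2 of the same interface, and it prints UTC rather than local time.

```python
from datetime import datetime, timezone


def to_epoch(value):
    """Accept the registry value as an int, a decimal string, or the 0x-prefixed hex form
    that regedit displays for a REG_DWORD (e.g. "0x6034FC6A")."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def to_iso(epoch, tz=timezone.utc):
    """Epoch seconds -> ISO 8601. UTC by default so the result lines up with firewall/AD logs;
    pass the image's local zone to reproduce the session-style output above."""
    return datetime.fromtimestamp(to_epoch(epoch), tz=tz).isoformat()


def lease_summary(obtained, terminates, t1, t2, tz=timezone.utc, tolerance=1):
    """Convert the four DHCP timestamps and check T1 and T2 against the defaults described
    above (T1 = 1/2 of the lease, T2 = 7/8 of the lease, both counted from LeaseObtainedTime).
    A T1/T2 that does not fit the lease length deserves a second look: the values may come
    from different leases, or the key may have been edited."""
    obt, term, t1, t2 = (to_epoch(v) for v in (obtained, terminates, t1, t2))
    lease = term - obt
    if lease <= 0:
        raise ValueError("LeaseTerminatesTime must be later than LeaseObtainedTime")
    return {
        "LeaseObtainedTime": to_iso(obt, tz),
        "LeaseTerminatesTime": to_iso(term, tz),
        "T1": to_iso(t1, tz),
        "T2": to_iso(t2, tz),
        "lease_seconds": lease,
        "t1_is_half_lease": abs(t1 - (obt + lease / 2)) <= tolerance,
        "t2_is_7_8_lease": abs(t2 - (obt + lease * 7 / 8)) <= tolerance,
    }


# Constructed sample: the four epoch values from the session above, taken here (assumption)
# as LeaseObtainedTime, LeaseTerminatesTime, T1 and T2 of a single interface.
SAMPLE = {"obtained": 1614085226, "terminates": 1614161347, "t1": 1614123286, "t2": 1614151831}

if __name__ == "__main__":
    for key, value in lease_summary(**SAMPLE).items():
        print(f"{key}: {value}")
```

Note that datetime.fromtimestamp() without a tz argument, as in the session above, returns the analysis machine's local time, so the ISO strings from this block differ from the session's by the local UTC offset.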