When you open a password protected zip archive using Windows Explorer (“Extract All…”); in Windows 8.x/10, the password is automatically cached in the Credentials Manager for the life of the logon session.
Let’s say you discover a host been infected with a malware that coming from a zip file that are password-protected. We can possibly try to extract cached/stored credential from Windows Credential Manager and see if it stores password for password-protected file that we’re looking for.
Steps
To view if the host contains password for file that we needed, run this cmd below (require Admin privileges):
cmdkey /list
It will show list of stored credential that are available. If your target file is not listed, probably the credential has gone (the host has been rebooted) or the file been extracted using 3rd party apps (WinRAR, 7Zip).
I’m wondering.. How can I quickly decode all these base64 strings? We not gonna decode it one-by-one aren’t we? There are hundreds or probably thousand of it.
So… We going to leverage Excel & macro (yes. you read it right. MACRO) to automatically decode those base64 strings for us. We going to Excel-Fu out of this data.
The macro code that we’ll be using as below:
Function TextBase64Encode(strText, strCharset)
Dim arrBytes
With CreateObject("ADODB.Stream")
.Type = 2 ' adTypeText
.Open
.Charset = strCharset
.WriteText strText
.Position = 0
.Type = 1 ' adTypeBinary
arrBytes = .Read
.Close
End With
With CreateObject("MSXML2.DOMDocument").createElement("tmp")
.DataType = "bin.base64"
.nodeTypedValue = arrBytes
TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")
End With
End Function
Function TextBase64Decode(strBase64, strCharset)
Dim arrBinary
With CreateObject("MSXML2.DOMDocument").createElement("tmp")
.DataType = "bin.base64"
.Text = strBase64
arrBinary = .nodeTypedValue
End With
With CreateObject("ADODB.Stream")
.Type = 1 ' adTypeBinary
.Open
.Write arrBinary
.Position = 0
.Type = 2 ' adTypeText
.Charset = strCharset
TextBase64Decode = .ReadText
.Close
End With
End Function
To use it, first, we need to open the Splunk result that we exported earlier.
After that, press Alt-F8 to open the macro editor. Create new macro – you can give any name you want. For example, I named it “Base64“:
It will then open a new window. Paste macro code given above inside the editor:
After that, close the editor window. Just leave the Excel open.
Then, create 2 new column in the Excel sheet; column named “ASCII” and “Decoded Base64“:
We need to fill up column “ASCII” with string “ASCII” until end/bottom of your data. Let’s say you have 300 row of data in your Excel, then fill 300 of “ASCII” strings besides it.
Just press Ctrl + Arrow-Down to quickly go to end/bottom of data column. After that, type in string “ASCII” in one of the row and copy it (Ctrl-C). Then, press Ctrl + Shift + Arrow-Up to select from bottom to top. Then paste/Ctrl + V to fill all column with string “ASCII“.
Your Excel will look something like this:
Next, we going to start decoding the base64 strings.
Again, press Ctrl + Arrow-Down to go end of column, and type the formula as below:
=TextBase64Decode(<column-string>,<column-ASCII>)
Refer example as below:
Then, again, copy column with the formula, Ctrl + Shift + Arrow-Up to select from bottom to top & paste/Ctrl + V the formula into all selected column; under “Decoded Base64“.
That’s it. We have successfully decoded all the base64 strings via Excel.
We can utilize Carbon Black Investigate feature to see if there’s any malicious npm library been installed in our environments. Here’s the query to do that:
Search for effected coa & rc library versions:
(filemod_name:\coa-2.0.3* OR filemod_name:\coa-2.0.4* OR filemod_name:\coa-2.1.1* OR filemod_name:\coa-2.1.3* OR filemod_name:\coa-3.0.1* OR filemod_name:\coa-3.1.3* OR filemod_name:\rc-1.2.9* OR filemod_name:\rc-1.3.9* OR filemod_name:\rc-2.3.9*)
Search for possible C2:
netconn_domain:pastorcryptograph[.]at
IOC:
• pastorcryptograph[.]at
• sdd.dll from coa - SHA256: f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591
• sdd.dll from rc - SHA256: 26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf
• sdd.dll - SHA256: 687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65
Recently, I encountered incident where several hosts been infected by < █████████ >. So, to investigate this incident, we received bunch of logs to be analyze; mostly Linux related logs.
I’ve been thinking.. What if the host has been successfully brute-forced? How can we identify it?
In Linux, there are several logs that we can refer that contains authentication logs for both successful or failed logins, and authentication processes. Location & names of the logs varies; depending on system type. For Debian/Ubuntu, the logs located at /var/log/auth.log. For Redhat/CentOS, the logs located at /var/log/secure.
There are 2 more logs that we can refer; – /var/log/utmp: current login state by user. – /var/log/wtmp: record of each user login/logout.
So, what if we write a script to quickly go thru those mentioned logs & identify the culprits? Probably we can find out if our host has been successfully brute-forced.
Introducing.. Break-In Analyzer – A script that analyze the log files /var/log/auth.log (for Debian based systems), /var/log/secure (for RHEL based systems), utmp/wtmp for possible SSH break-in attempts. – https://github.com/zam89/Break-In-Analyzer
The output result will be written into text file; stored into folder named output. Inside the folder will contains file named: – auth_output.log – secure_output.log – utmp_output.log – wtmp_output.log
So, you must been wondering; how can I validate these IPs? whether they are harmless or not? Well, to do that, we can use AbuseIPDB to quickly see each of IP reputation; either they’re clean or has been reported due to malicious activity.
In this example, I’m using AbuseIPDB Bulk Checker from – https://github.com/AdmiralSYN-ACKbar/bulkcheck. This tool can perform bulk checking of IPs towards AbuseIPDB website. *Just a side notes: it require API key from AbuseIPDb. You can get it for free by registering on the website. Its limited to 1000 request/IPs per day.
So, I’m checking 203 IPs that we got from Break-In Analyzer script output (after removing duplicated using Excels) on AbuseIPDB if there is any records for those IPs. After the check completed, the result shows something like this:
AbuseIPDB Bulk Checker result
If you filter out by abuseConfidenceScore (removing score 0), you’ll see there are 3 IPs that having kinda high confidence score. The higher the score, the more chances the IP marked as malicious – meaning that the IP has been reported multiple times related to malicious activities.
Next, we cross check with our Break-In Analyzer outputs to see where did these IPs located on the logs. Or you can cross check directly with your logs. To do that, run command as below:
Carbon Black query that can be use to detect if any MSHTML RCE happened (probably need to be refined more):
((process_cmdline:control.exe AND ((process_cmdline:*.inf AND process_cmdline:AppData) OR (process_cmdline:*.cpl AND process_cmdline:../)) AND -process_cmdline:*\icedrive\*) OR ((hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (parent_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR parent_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (filemod_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR filemod_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52)))
Search if any assets making connections towards IOCs (known IOCs as of 9 Sept):
netconn_domain:joxinu.com OR netconn_domain:pawevi.com OR netconn_domain:macuwuf.com