By George, lets take a good, long look at ReGeorg

-
For those following along with ATT&CK this entry is about Server Software Component: Web Shell which is now a sub-technique of T1505, specifically it is T1505.003. We can also look at T1090, which is the Command & Control technique Proxy.

Today we're taking a look at the traces that ReGeorg leaves in web server access logs.

ReGeorg is a "thick client" webshell that enables an adversary to create a SOCKS proxy via a .php, .aspx or .jsp script running on the compromised webserver, this can be used to pivot to internal networks.




Pictured above is the client side, it establishes the connection to the shell on a compromised server. After this connection is established an adversary can use something like proxychains to SOCKSify tools on their local machine that they want to use to access networks connected to the webserver but inaccessible from the net.




Above you can see nmap run via proxychains through ReGeorg, on the left ReGeorg reports on connections, in the right terminal window you can see proxychains reporting on nmap's progress. Worth noting running nmap through ReGeorg is not that efficient, but generates good traffic for us to look at.

Speaking of traffic, we can look at the uri_query field for evidence left by ReGeorg




The blog format is going to kind of mangle this first long line of SPL but lets take a look at it anyway:


index=win10 sourcetype=iis cs_method=POST AND cs_uri_query IN ("*cmd=read*", "*connect&target*", "*cmd=connect*", "*cmd=disconnect*", "*&port*", "*cmd=forward*")
| where sc_status <= 403 
| fillnull value=NULL cs_User_Agent cs_Referer
| search cs_User_Agent="NULL" cs_Referer="NULL" 
| stats count as Count values(cs_uri_query) BY cs_uri_stem 
| sort -Count


So to go through this SPL a little, in the first line we are looking for POSTs and we are providing a list of potential uri_query values that we have observed ReGeorg to use. In the second line we are looking for any status equal to or below 403 (perhaps in an overabundance of caution, but hey).

In the next line we are ensuring that any null fields are populated and searchable so we can pipe to a subsearch for events that have no referrer or user-agent. Finally we perform a stats count and list the uri_query field values associated with the uri_stem field and then sort by the count.

As you can see from the Splunk screenshot above, ReGeorg is quite noisy if you know where to look.

Sigma rule for this on the way, happy hunting everyone!


Popular posts from this blog

Fastening the Seatbelt on.. Threat Hunting for Seatbelt

-
Image
  Quick blog entry on detections for the Ghostpack discovery/reconnaissance tool Seatbelt . This entry will focus on looking at command line parameters that can be caught even if the executable itself is renamed, if I have time we can delve into other event log artefacts another time. From the Seatbelt github repo: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. So essentially what the tool does is retrieve local system information that might have security or safety implications. In terms of commands that can be tacked on to Seatbelt there are a literal ton of options. But what we are going to focus on here are the command groups, which break the many, many available commands down into categories, so we have: All, User, System, Slack, Chromium, Remote, Misc. The groups above are invoked like this, if you wanted to run all checks: Seatbelt.exe -group=all And so
read more »

Capturing Pcap driver installations

-
Image
Today we're looking at Network Sniffing , ATT&CK technique T1040. This is very much a signature based rule but if you are ingesting WinEventlog:Security (and of course you are, right?) and specifically EventCode 4697 ("A service was installed in the system") then you can take the barebones splunk SPL from below and make it work for you. So how are we going to detect network sniffing on Windows endpoints? The installation of the drivers for the various Pcap variants. index=win10 sourcetype="wineventlog:security" EventCode=4697 AND Service_File_Name IN ("*pcap*", "*npcap*", "*npf*", "*nm3*", "*ndiscap*", "*nmnt*", "*windivert*", "*USBPcap*", "*pktmon*") | table _time Account_Name Computer_Name Originating_Computer Service_Name Service_File_Name   The Service_File_Name list is derived from looking at the names of .sys files associated with the most popular packet capture o
read more »

Microsoft Defender, Find User Ignored Threats With Splunk

-
Image
  Today we're looking at "vanilla" Microsoft Defender and some SPL to find "severe" or "high" categories of detected threat severity that have subsequently been "ignored" by a user. EventID 1117 gives us our detection, categorization and severity of the threat found and EventID 5007 gives us a log of user changes made, including ignored threats. EventID 5007 logs changes enacted by users to how threats are handled with a field called "New_value", it will look something like this: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147742972 = 0x6 It is a registry value, the string of numbers at the end is the same ID assigned recorded in EventID 1117, the "0x6" at the end signifies that this is an ignored threat. A little bit of regex retrieves our 5007 newly created "ThreatID" field and we can then compare this to our 1117 ID value to see if they match. We achieve this without reco
read more »