Wednesday, October 2, 2019

File renaming technique vs Sysmon PowerShell detection


One of the techniques attackers use to evade some endpoint-based detections is renaming the PowerShell binary before running the malicious command. For example, according to Black Hills Information Security, in 2017 they were able to bypass Cylance using this technique:
https://www.blackhillsinfosec.com/bypassing-cylance-part-4-metasploit-meterpreter-powershell-empire-agent/

In this blog post we are going to evaluate whether it is possible to bypass a Sysmon-based PowerShell detection search by renaming the PowerShell binary to something else before running the malicious PowerShell command.

Let's assume that for whatever reason we were not able to detect the attack during the delivery phase, and that the attacker is able to rename (or copy under a different name) the native PowerShell binary and run the malicious command using the renamed copy, as shown in the following image.



When looking at Sysmon Event ID 1, we see that the Description field is unchanged despite the rename.



If the detection search is looking for "powershell" in the Image or CommandLine fields, and the hunter is also looking for "powershell", the detection is going to be evaded. However, as shown above, the Description is not altered when the file is renamed, so this field can be used to resist the renaming evasion technique, as demonstrated in the following image.



Even if PowerShell is renamed, it retains its Description "Windows PowerShell", which Sysmon records. A search that uses this field will not be evaded by the file renaming technique, and it will require extra steps from the attacker to bypass it. The caveat is where the value comes from: Sysmon reads Description from the version information resource embedded in the executable, so renaming the file cannot change it, but an attacker who patches that resource in the copied binary, or who hosts the PowerShell engine inside their own executable, will not match this field either. Sysmon 10 and later also record OriginalFileName, which comes from the same resource and is worth matching alongside Description. It also pays to alert on the mismatch itself: a Description of "Windows PowerShell" under an Image whose file name is not powershell.exe is a far higher-signal event than either field alone.
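The three searches discussed above, as an added example that is not code from the original post or from Sysmon: a rule keyed on Image/CommandLine, a rule keyed on the Description field, and a rule that flags the mismatch between the two, run over constructed Sysmon Event ID 1 records. The paths, command lines and the XML records themselves are made up for the example; the Data field names (Image, CommandLine, Description) are the ones Sysmon writes.

```python
"""Added example, not code from the original post or from Sysmon: two
detection rules over Sysmon Event ID 1 records, one keyed on Image/CommandLine
and one keyed on the Description field, plus a mismatch rule, run against
constructed sample events. Paths and command lines are made up."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def make_event(image, command_line, description):
    """Build a minimal Sysmon Event ID 1 record in the EVTX XML layout (constructed sample)."""
    return (
        f'<Event xmlns="{EVENT_NS}">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>'
        "<EventData>"
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="Description">{escape(description)}</Data>'
        f'<Data Name="CommandLine">{escape(command_line)}</Data>'
        "</EventData></Event>"
    )


def parse_event(xml_text):
    """Return the EventData fields of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    ns = {"e": EVENT_NS}
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", ns)}


# Constructed sample events: a normal PowerShell launch, a copy of powershell.exe
# renamed to notepad.exe (the evasion in the post), and the real Notepad as a control.
SAMPLE_EVENTS = [
    make_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               'powershell.exe -nop -w hidden -c "Get-Process"', "Windows PowerShell"),
    make_event(r"C:\Users\Public\notepad.exe",
               'notepad.exe -nop -w hidden -c "Get-Process"', "Windows PowerShell"),
    make_event(r"C:\Windows\System32\notepad.exe",
               r'"C:\Windows\System32\notepad.exe" C:\Users\Public\readme.txt', "Notepad"),
]


def rule_name_based(ev):
    """Weak rule: 'powershell' appears in Image or CommandLine (evaded by renaming)."""
    text = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
    return "powershell" in text


def rule_description_based(ev):
    """Stronger rule: match the version-resource Description that Sysmon records."""
    return ev.get("Description", "") == "Windows PowerShell"


def rule_renamed_powershell(ev):
    """Highest-signal rule: PowerShell's Description under a file name that is not powershell.exe."""
    image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return rule_description_based(ev) and image_name != "powershell.exe"


def run_rules(xml_events):
    """Apply every rule to each event; return {rule_name: [matching Image values]}."""
    rules = {
        "name_based": rule_name_based,
        "description_based": rule_description_based,
        "renamed_powershell": rule_renamed_powershell,
    }
    hits = {name: [] for name in rules}
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        for name, rule in rules.items():
            if rule(ev):
                hits[name].append(ev["Image"])
    return hits


if __name__ == "__main__":
    for name, images in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {images}")
```

Running it shows the name-based rule catching only the genuine powershell.exe launch, the Description rule catching both PowerShell launches, and the mismatch rule singling out the renamed copy. The same logic translates directly into a SIEM search: filter on Description (and OriginalFileName where available) and then compare against the file name taken from Image.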

Defenders should have multiple detections for the various phases of the kill chain, to detect delivery, exploitation, command and control and actions on objectives. Even if the attackers had been able to bypass an exploitation-based search, we should have detected them at the other stages, hopefully as early as possible. It is also necessary to complement endpoint-based detection with network visibility.

Sunday, April 14, 2019

Jailbreaking an iOS iPhone 4s with the Home Depot jailbreak

When analyzing iOS applications it is important to have an unrestricted environment, so that every aspect of the application can be examined: determining whether it shows malicious behavior, decrypting the app to analyze strings and headers, and even analyzing its assembly code if time permits. Overcoming the restrictions of an iPhone device means jailbreaking it. In this article, I will show the steps that I followed to jailbreak an old iPhone 4s that I have.

First, verify that there is an existing jailbreak for the iPhone model and iOS version that you have.
In my case there were several candidates, but the jailbreak known as Home Depot seemed like a good option:
https://yalujailbreak.net/home-depot-jailbreak-offsets/
https://cydiainstaller.net/home-depot-jailbreak/


It is not a good idea to jailbreak your production device: jailbreaking weakens the security posture of the device and makes it easier for someone to get access to your data, so ideally you should use this device for testing only. You should also create an Apple account to be used only for this device, not your production account.

Download the Home Depot IPA file; version RC3 worked for me:
http://wall.supplies/MixtapePlayerRC3.ipa
If you are paranoid, like me, it is a good idea to download all the required software from a virtual machine, so you don't risk downloading and running potentially malicious programs on your main system.

Download and install iTunes

Create a new apple account for this process

Download Cydia Impactor
https://cydia.saurik.com/api/latest/2

Finally, run Cydia Impactor and drag and drop the MixtapePlayerRC3.ipa file into it. It will ask for Apple account credentials; provide the credentials of the account you created. This will install the Home Depot jailbreak app.

On the iPhone go to Settings > General > Device Management, select the account used to sign the application and trust it.

Open the Home Depot app and select Prepare for Jailbreak > Accept > Dismiss > Proceed with Jailbreak > Begin Installation.

Once it is completed, Cydia is installed. Open Cydia and delete the repo666 repository by sliding it to the left, as it causes an error. Then update all the packages.

Install BigBoss Recommended Tools, as it includes several useful command line tools, such as git, curl, etc.

Video where I found most of the instructions (in Spanish):
https://www.youtube.com/watch?v=qZeiW3Cyx1Y

Install OpenSSH from Cydia.
This will allow you to access the device through SSH. The default password is alpine; change it as soon as you have access, to prevent unauthorized use, since until you do anyone on the same network can log in as root. Use the passwd command to change the passwords of both the root and mobile accounts.

That's it, enjoy it!



Sunday, February 3, 2019

Enabling the Windows Firewall log

One of the key evidence items to acquire and analyze in a security incident is information about the network connections established by the device under investigation. Unfortunately, this information will not be available in every situation: if the device was powered off, the network connections are lost, since they are volatile data that lives in RAM. In that case we would try to locate and analyze hibernation files (extremely valuable, but not always available) or offline files such as pagefile.sys or service-specific logs, looking for any remnant of a network connection, but this information would be very limited and incomplete compared to what the netstat command could have displayed. We could also try to obtain logs from any firewalls available in the organization, but that depends on logging being enabled and on the traffic of the device under investigation having passed through the network path where the firewall sits. Finally, network activity can also happen when the device is away from the enterprise, which is common for laptops, and in that case the network firewall obviously has no relevant logs for the investigation.

Modern operating systems have host-based firewalls that can easily be configured to log network connections, providing a valuable source of information in case of a security incident. On Windows, it is very easy to enable logging of network connections through the integrated Windows Firewall. Once enabled, deleting the log requires administrator privileges, which an attacker will not always have on the compromised host. Even when the attacker does obtain admin rights, not all of them will be aware of the log, so there is a good chance it will still be available for collection and analysis.
The Windows Firewall log is extremely easy to enable, both from the command line and from the GUI, and it lets you choose which kind of connections to log (dropped or allowed). I will show how to enable it from the command line. Both allowed and dropped connections can be logged, but I recommend logging only allowed connections, as dropped connections generate a lot of noise, especially from UPnP (SSDP) broadcasts. The trade-off is that dropped-connection entries are the only record of inbound scanning against the host, so if your environment can absorb the volume they are worth keeping.

netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging droppedconnections disable



We can also increase the size of the log; the accepted range is 1-32767 kilobytes.
netsh advfirewall set allprofiles logging maxfilesize 32767



The Windows Firewall log is created by default at C:\Windows\System32\LogFiles\Firewall\pfirewall.log, although it can be configured to a different location. When the file reaches the maximum size it is renamed to pfirewall.log.old and a new pfirewall.log is started, so only the current file and one previous file are retained. If you try to open the active file, you will get an error because the firewall service holds it open; simply create a copy of the file and open the copy. The structure of the log is very simple and straightforward to read: it is clear text, and the columns are named in the #Fields header at the top of the file.



Since it is generated by the host, its timestamps come from the same clock as the other logs on that computer, allowing for quick correlation. Note that the file records local time (its header says "#Time Format: Local"), so convert to UTC when correlating with sources that log in UTC. If the logs were generated by a network firewall, we would first have to check whether it is synced to the same NTP server or otherwise calculate the time skew and adjust the timestamps, which is not always a fun or easy task.

You can determine if logging is enabled for a given Windows computer by running the following command:

netsh advfirewall show allprofiles

The relevant parameters for every profile are LogAllowedConnections, LogDroppedConnections, FileName and MaxFileSize.



Enabling the Windows Firewall log is a quick win: it is very simple to do and can provide extremely valuable information during a DFIR investigation. Because of its small size, it can be used for triage, to rapidly search for a given IP address or uncommon port that has previously been identified as malicious or suspicious. In a follow-up article, I will show several use cases for this information and share a useful script to extract information from the log and make it more actionable.
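The two triage searches just described (look up an IP address, sweep for allowed connections to uncommon ports), as an added example that is not the script the post promises and not code from Microsoft: a small parser that reads pfirewall.log using its own #Fields header, followed by the two searches. The log excerpt inside the block is constructed for the example with documentation-range addresses; the column names and the "-" placeholders follow the real file layout, but the entries are not a real capture.

```python
"""Added example, not the post's own script: parse the Windows Firewall text
log (pfirewall.log) by its #Fields header and run two triage searches over it.
The log excerpt below is constructed for the example, not a real capture."""
from collections import Counter

# Constructed sample in the real file layout: a #Fields header names the
# columns and unused columns are written as "-". Addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2019-02-03 10:15:22 ALLOW TCP 10.0.0.5 198.51.100.20 51234 443 0 - 0 0 0 - - - SEND
2019-02-03 10:15:30 ALLOW TCP 10.0.0.5 203.0.113.77 51240 4444 0 - 0 0 0 - - - SEND
2019-02-03 10:16:02 ALLOW UDP 10.0.0.5 10.0.0.1 60011 53 0 - - - - - - - SEND
2019-02-03 10:16:05 DROP UDP 10.0.0.8 239.255.255.250 55555 1900 161 - - - - - - - RECEIVE
2019-02-03 10:17:41 ALLOW TCP 10.0.0.5 203.0.113.77 51251 4444 0 - 0 0 0 - - - SEND
"""

# Ports treated as expected for an office workstation; tune for your environment.
COMMON_PORTS = {53, 80, 123, 443, 445, 3389}


def parse_firewall_log(text):
    """Parse pfirewall.log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the file itself
        elif line.startswith("#") or not line.strip():
            continue                           # other header lines and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip a truncated last line in an active log
                records.append(dict(zip(fields, values)))
    return records


def connections_with_ip(records, ip):
    """All entries where ip is the source or the destination."""
    return [r for r in records if ip in (r["src-ip"], r["dst-ip"])]


def allowed_outbound_uncommon_ports(records, common_ports=COMMON_PORTS):
    """Allowed outbound (SEND) connections to ports outside common_ports,
    counted per (dst-ip, dst-port) so repeated beacons stand out."""
    counter = Counter()
    for r in records:
        port = int(r["dst-port"])
        if r["action"] == "ALLOW" and r["path"] == "SEND" and port not in common_ports:
            counter[(r["dst-ip"], port)] += 1
    return counter


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print(f"{len(recs)} entries")
    for r in connections_with_ip(recs, "203.0.113.77"):
        print(r["date"], r["time"], r["action"], r["protocol"], r["dst-ip"], r["dst-port"], r["path"])
    for (ip, port), n in allowed_outbound_uncommon_ports(recs).most_common():
        print(f"{ip}:{port} seen {n} times")
```

To use it on a real host, copy pfirewall.log first (the active file cannot be opened while the service holds it) and pass the copy's contents to parse_firewall_log. Because the parser takes its column names from the #Fields header rather than hard-coding them, it also reads pfirewall.log.old and logs from hosts where the header differs.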

If you disabled the Windows Firewall because you use a third-party host firewall, make sure logging is enabled in that firewall, check its retention time and make sure it meets your requirements.