tag:blogger.com,1999:blog-69193557527698994582024-03-20T03:03:09.847-07:00Digital Forensics, Incident Response and Malware Analysisd4v3c0d3rhttp://www.blogger.com/profile/10506052748397636924noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-6919355752769899458.post-60049330944069235622020-05-10T17:18:00.001-07:002020-05-10T17:30:25.978-07:00Testing deleted-file detection in Sysmon v11<br />
At the end of last month, <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon">version 11 of Sysmon</a> was released. This tool, part of the well-known Sysinternals suite, monitors Windows systems, and as it has evolved its authors have added capabilities that help identify the actions attackers take once they have compromised one of these systems.<br />
<br />
The capability added to Sysmon in version 11 is detection of file deletion. It is very common for attackers to delete their malicious files after completing an attack; this is the covering-tracks phase, in which they try to reduce the likelihood of being detected. In this article we install Sysmon 11 and test the new feature.<br />
<br />
First we need a Sysmon configuration file. We could write our own by hand, but that is a monumental job: it requires a lot of testing, adding exceptions for legitimate software and adding rules that identify attack techniques. I therefore recommend taking one of the community configuration files and extending it to cover your own needs.<br />
<br />
We will use the configuration file by researcher Olaf Hartong, last modified five months before this article was written. The file is open source and available on his <a href="https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml">GitHub</a>.<br />
<br />
Simply download the configuration file and install it with the following command (on the first run Sysmon asks you to accept the EULA unless -accepteula is also passed):<br />
<b>Sysmon -i config.xml</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu_W5BKqOJAe2BOsHo-wWKkJ204JKmhiX3Vbf5Lqyq8KFaaHXbdHDG8jY7CI7A0_ILg50_RCuYoCNdC6aI65rZtMGn9N3_PnGDgE44CharZCHXA1sMNbYgOoBBHxlxPkEsYByOG1pH0xHZ/s1600/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.23.51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="674" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu_W5BKqOJAe2BOsHo-wWKkJ204JKmhiX3Vbf5Lqyq8KFaaHXbdHDG8jY7CI7A0_ILg50_RCuYoCNdC6aI65rZtMGn9N3_PnGDgE44CharZCHXA1sMNbYgOoBBHxlxPkEsYByOG1pH0xHZ/s640/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.23.51.png" width="640" /></a></div>
<br />
<img src="blob:https://www.blogger.com/067b9175-218f-4128-a7ce-d2976b07587f" /><br />
<br />
Now we extend the configuration file to enable the new monitoring feature of version 11, file deletion. It is enough to add the following lines inside the EventFiltering element; an exclude block with no entries filters nothing out, so every file deletion on the system is audited. The configuration's schemaversion must be recent enough for the FileDelete element to be accepted (sysmon -s prints the schema the installed binary supports).<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><RuleGroup name="" groupRelation="or"></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> <FileDelete onmatch="exclude"></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> </FileDelete></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"></RuleGroup></span><br />
<br />
Apply the new configuration to the running Sysmon service with the -c flag (sysmon -c config.xml).<br />
<img src="blob:https://www.blogger.com/d9589a9e-b7e3-4a18-b289-50d488ba19f6" /><br />
<a href="https://www.blogger.com/blogger.g?blogID=6919355752769899458" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=6919355752769899458" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAO7KG4A4CD6OiyfkLDEgGhvPy5SAKPGgA4eywcOas8_z1h0OFRURGPdWu4uFXs7NcNYAT7BGnFhFEILYLt4xoXNsp3O3IlUWbovtbJWG6T7zhBu-72QlAibH-KDSs5d_MtUMqv5R9JHo1/s1600/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.24.31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="180" data-original-width="683" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAO7KG4A4CD6OiyfkLDEgGhvPy5SAKPGgA4eywcOas8_z1h0OFRURGPdWu4uFXs7NcNYAT7BGnFhFEILYLt4xoXNsp3O3IlUWbovtbJWG6T7zhBu-72QlAibH-KDSs5d_MtUMqv5R9JHo1/s640/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.24.31.png" width="640" /></a></div>
<br />
Open the Sysmon event log (Applications and Services Logs / Microsoft / Windows / Sysmon / Operational in Event Viewer) and filter on Event ID 23; the file-deletion events appear immediately. The fields recorded are: UtcTime, ProcessGuid and ProcessId, User, Image (the program that performed the deletion), TargetFilename, Hashes of the deleted file, IsExecutable (boolean, whether the deleted file was a PE image) and Archived (boolean). That last value is not yet entirely clear to me. In Sysmon 11 it reports whether a copy of the deleted file was saved to the archive directory configured with the ArchiveDirectory option (a Sysmon directory at the volume root, C:\Sysmon by default, protected by an ACL so that only SYSTEM can read it).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9BvdRPT8DvmNibrtSHU1sQ8uJ8RnTlUD8-j3HbiqYgU83q4BiXZSDVkbs-ZnetAwROBvuAnKaOc2kgw6biyYJSOicb5_r-ATyGSMNbYrS-hmQrXDTsPSZJYOxfO2V9p7xvjzjXmauLsWz/s1600/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.26.54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="221" data-original-width="489" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9BvdRPT8DvmNibrtSHU1sQ8uJ8RnTlUD8-j3HbiqYgU83q4BiXZSDVkbs-ZnetAwROBvuAnKaOc2kgw6biyYJSOicb5_r-ATyGSMNbYrS-hmQrXDTsPSZJYOxfO2V9p7xvjzjXmauLsWz/s640/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.26.54.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=6919355752769899458" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=6919355752769899458" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
Enabling monitoring of every deleted file generates a significant number of events. Specific conditions can be added instead, for example auditing only files under certain folders with an include block whose TargetFilename condition is "begin with".<br />
<br />
<img src="blob:https://www.blogger.com/0820a447-ece0-4912-94bd-3edb492ce500" /><br />
Apply the new configuration file. Now the only file-deletion events recorded are those under that path; for example, the following event shows file.txt being deleted from the cmd command prompt. This path is only an example: producing the right configuration for the FileDelete event will need more testing so that interesting events are captured while keeping a good balance between the number of events generated and their potential value.<br />
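As an added example (not code from the post or from the Sysmon project), the following Python script reproduces a subset of Sysmon's rule matching so that a FileDelete rule can be tuned against exported Event ID 23 records before it is deployed. It builds both rule variants discussed above, the empty exclude block that audits every deletion and an include block restricted to a folder through a "begin with" condition on TargetFilename, and replays constructed sample records against them. The event field names are the ones Sysmon 11 writes; the sample records, paths and the chrome.exe exclusion are assumptions for illustration.

```python
"""Build a Sysmon 11 FileDelete rule and replay it offline against Event ID 23
records, to tune noise before pushing a configuration to hosts.  Sysmon semantics
modelled (a subset): matching is case-insensitive, entries in one onmatch block
are OR'ed, an exclude match wins over an include match, and an exclude block with
no entries (the rule in the post) logs everything.  Sample records are constructed."""
import ntpath
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# The rule from the post: an empty exclude block audits every deletion.
LOG_EVERYTHING = ('<RuleGroup name="" groupRelation="or">'
                  '<FileDelete onmatch="exclude"></FileDelete></RuleGroup>')


def build_filedelete_rule(include_prefixes, exclude_images=()):
    """Log deletions under include_prefixes unless performed by an excluded image."""
    inc = "".join(f'<TargetFilename condition="begin with">{p}</TargetFilename>'
                  for p in include_prefixes)
    exc = "".join(f'<Image condition="image">{i}</Image>' for i in exclude_images)
    return (f'<RuleGroup name="" groupRelation="or"><FileDelete onmatch="include">{inc}'
            f'</FileDelete></RuleGroup>\n<RuleGroup name="" groupRelation="or">'
            f'<FileDelete onmatch="exclude">{exc}</FileDelete></RuleGroup>\n')


def parse_event(xml_text):
    """Flatten one Sysmon event (e.g. Get-WinEvent ... .ToXml()) into a dict."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    ev["EventID"] = int(root.find(f".//{EVT_NS}EventID").text)
    return ev


def _condition_matches(cond, needle, value):
    v, n = value.lower(), needle.lower()
    if cond == "image":  # full path, or only the file name when no path is given
        return v == n if "\\" in n else ntpath.basename(v) == n
    ops = {"is": v == n, "begin with": v.startswith(n), "end with": v.endswith(n),
           "contains": n in v}
    return ops[cond]  # KeyError for conditions not modelled here


def would_log(rule_xml, ev):
    """Decide whether Sysmon would emit Event ID 23 for ev under rule_xml."""
    root = ET.fromstring(f"<EventFiltering>{rule_xml}</EventFiltering>")
    blocks = list(root.iter("FileDelete"))
    hit = {"include": False, "exclude": False}
    for block in blocks:
        for entry in block:  # the child tag names the event field being tested
            if _condition_matches(entry.get("condition", "is"), entry.text or "",
                                  ev.get(entry.tag, "")):
                hit[block.get("onmatch")] = True
    has_include = any(b.get("onmatch") == "include" for b in blocks)
    return (hit["include"] or not has_include) and not hit["exclude"]


def replay(rule_xml, xml_records):
    """Return the parsed Event ID 23 records the rule would have logged."""
    events = (parse_event(r) for r in xml_records)
    return [ev for ev in events if ev["EventID"] == 23 and would_log(rule_xml, ev)]


def executable_deletions(events):
    """Deleted PE files: the subset most worth a look (droppers cleaning up)."""
    return [ev["TargetFilename"] for ev in events if ev["IsExecutable"] == "true"]


def _event23(image, target, is_exe):
    """Constructed Event ID 23 record carrying the fields Sysmon 11 writes."""
    exe = "true" if is_exe else "false"
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>23</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-05-10 22:25:19.123</Data>
    <Data Name="ProcessGuid">{{11111111-2222-3333-4444-555555555555}}</Data>
    <Data Name="User">LAB\\analyst</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetFilename">{target}</Data>
    <Data Name="IsExecutable">{exe}</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>"""


SAMPLE_RECORDS = [  # constructed, not captured from a host
    _event23("C:\\Windows\\System32\\cmd.exe", "C:\\Users\\analyst\\Desktop\\file.txt", False),
    _event23("C:\\Users\\Public\\stage.exe", "C:\\Users\\Public\\stage.exe", True),
    _event23("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\Temp\\upd.tmp", False),
    _event23("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
             "C:\\Users\\analyst\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\f_0001",
             False),
]

if __name__ == "__main__":
    rule = build_filedelete_rule(["C:\\Users\\"], exclude_images=["chrome.exe"])
    print("logged by the post's rule:", len(replay(LOG_EVERYTHING, SAMPLE_RECORDS)))
    logged = replay(rule, SAMPLE_RECORDS)
    for ev in logged:
        print(ev["Image"], "deleted", ev["TargetFilename"])
    print("executables deleted:", executable_deletions(logged))
```

On a real host the records come from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log, calling .ToXml() on each record; the parser reads that EventData layout. The replay answers the question the paragraph above raises, how much of the volume a folder restriction drops and which valuable events (here the self-deleting stage.exe) survive it, before the rule is applied with sysmon -c.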
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH8V3H-1VQB4__Wpu3paDwrhI_atHZBme5vQJLvaqL8AKwuQNKVqVfAA6497qCQq7FqhXxiZpcV5EJTdH6xk1s3298QY1oAjtRP97CrW_M7XhUhxEamqH5I1wBBEwTU2n8BXgQ93dBqXvy/s1600/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.25.19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="224" data-original-width="493" height="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH8V3H-1VQB4__Wpu3paDwrhI_atHZBme5vQJLvaqL8AKwuQNKVqVfAA6497qCQq7FqhXxiZpcV5EJTdH6xk1s3298QY1oAjtRP97CrW_M7XhUhxEamqH5I1wBBEwTU2n8BXgQ93dBqXvy/s640/Captura+de+Pantalla+2020-05-10+a+la%2528s%2529+19.25.19.png" width="640" /></a></div>
<br />
<img src="blob:https://www.blogger.com/2933afa2-a8b5-4617-86b8-c7ead0c22ca8" /><br />
Monitoring deleted files is a capability that earlier versions of Sysmon lacked and one that is very welcome for increasing security visibility on Windows hosts.<br />
<br />d4v3c0d3rhttp://www.blogger.com/profile/10506052748397636924noreply@blogger.com1tag:blogger.com,1999:blog-6919355752769899458.post-35628739852753906722020-05-01T14:37:00.004-07:002020-05-13T18:16:52.843-07:00The best cybersecurity books<div>
<br /></div>
<div>
Being a cybersecurity researcher, whatever our specialty, requires continuous preparation and, above all, passion. With those two qualities we will progress much further than if we stick only to what we saw at university or to the mandatory training at our company. </div>
<div>
<br /></div>
<div>
As you probably know, I am a promoter of SANS Institute courses: they are very didactic and of high quality, with a strongly practical focus aimed at day-to-day needs. The final part of a course usually includes a CTF challenge in which you can test all your skills and compete for a beautiful winner's coin. The downside of these courses is their high cost; especially at Latin American price levels, it is hard for many people to raise the money to pay for this kind of course themselves. So what other options are there to keep preparing ourselves in these fascinating subjects?</div>
<div>
<br /></div>
<div>
Besides taking courses from SANS or other training companies, I have also benefited from reading and working through several information security books. While this often cannot compare with full formal training, books will expand our knowledge in many areas if we have enough discipline and persistence to absorb the content. </div>
<div>
<br /></div>
<div>
In this article I recommend some books from different information security specialties, hoping they will be useful to you as well. If you think an excellent book is missing from the list, please let me know so I can add it.</div>
<div>
<br /></div>
<div>
<div>
<b>REVERSING AND MALWARE ANALYSIS</b></div>
<div>
<a href="https://www.amazon.com.mx/Learning-Malware-Analysis-techniques-investigate-ebook/dp/B073D49Q6W/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=malware+analysis&qid=1588046590&sr=8-2&linkCode=ll1&tag=gadgetsama089-20&linkId=708985bc4faa5d29cd2e0c2b22d6e454&language=es_MX">Malware Analysis, Monnappa</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Malware-Data-Science-Detection-Attribution-ebook/dp/B077X1V9SY/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Malware+data+science&qid=1588046635&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=3b3f64d81a642220a832090314e1bc71&language=es_MX">Malware Data Science, Saxe, Sanders</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Michael+sikorski&qid=1588046680&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=5ab2082a6c198cc026190ace5ded0e99&language=es_MX">Practical Malware Analysis, Sikorski, Honig</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Malware-Analysts-Cookbook-Techniques-Malicious-ebook/dp/B0047DWCMA/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Michael+sikorski&qid=1588046720&sr=8-6&linkCode=ll1&tag=gadgetsama089-20&linkId=caf568e0e7788d65d7cf5ef362f98269&language=es_MX">Malware Analyst Cookbook, High, Adair, Harstein, Richard</a></div>
<div>
<br /></div>
<div>
<h2 class="a-size-mini a-spacing-none a-color-base s-line-clamp-2" style="-webkit-box-orient: vertical; -webkit-line-clamp: 2; box-sizing: border-box; caret-color: rgb(17, 17, 17); color: #111111; display: -webkit-box; line-height: 1.465 !important; margin-bottom: 0px !important; margin-left: 0px; margin-right: 0px; margin-top: 0px; max-height: 42.67px; overflow: hidden; padding: 0px; text-overflow: ellipsis; text-rendering: optimizeLegibility;">
<span class="a-size-medium a-color-base a-text-normal" style="box-sizing: border-box; font-weight: normal; line-height: 1.255 !important; text-rendering: optimizeLegibility;"><span style="font-family: inherit; font-size: small;"><a href="https://www.amazon.com.mx/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=secrets+of+reverse+engineering+eilam&qid=1588367734&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=0010a4419de389f4e1b2d94144e73136&language=es_MX">Reversing: Secrets of Reverse Engineering, Eilam</a></span></span></h2>
<h2 class="a-size-mini a-spacing-none a-color-base s-line-clamp-2" style="-webkit-box-orient: vertical; -webkit-line-clamp: 2; box-sizing: border-box; caret-color: rgb(17, 17, 17); color: #111111; display: -webkit-box; font-family: "Amazon Ember", Arial, sans-serif; line-height: 1.465 !important; margin-bottom: 0px !important; margin-left: 0px; margin-right: 0px; margin-top: 0px; max-height: 42.67px; overflow: hidden; padding: 0px; text-overflow: ellipsis; text-rendering: optimizeLegibility;">
<span style="font-size: small;"><a href="https://www.amazon.com.mx/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=practical+reverse+engineering&qid=1588367904&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=e9651e2c718deb0c2fe881e00c62d2ba&language=es_MX"><br /></a></span></h2>
</div>
<div>
<a href="https://www.amazon.com.mx/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=practical+reverse+engineering&qid=1588367904&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=e9651e2c718deb0c2fe881e00c62d2ba&language=es_MX">Practical Reverse Engineering, Dang, Gazet, Bachaalany, Josse</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/IDA-Pro-Book-Unofficial-Disassembler/dp/1593272898/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=The+ida+pro+book&qid=1588367967&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=9dda5b17f74b196b55af9a8ef14cbfbf&language=es_MX">The IDA Pro Book, Eagle</a> (Recomendable para los ya adentrados en reversing)</div>
</div>
<div>
<br /></div>
<div>
<b>DIGITAL FORENSICS AND WINDOWS INTERNALS</b></div>
<div>
<a href="https://www.amazon.com.mx/Windows-Internals-Part-Architecture-Management/dp/0735684189/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=windows+internals&qid=1588044627&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=2f43dec42cd06e3c99b777eaffd93782&language=es_MX">Windows Internals 7th edition - Part 1, Yosifovich, Russinovich, Solomon, Ionescu</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Windows-Internals-Part-Mark-Russinovich/dp/0135462401/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=windows+internals&qid=1588044854&sr=8-2&linkCode=ll1&tag=gadgetsama089-20&linkId=52adcef014b86d293e5696be153a7340&language=es_MX">Windows Internals 7th edition - Part 2 Russinovich, Allievi, Ionescu, Solomon</a> (Preventa disponible)</div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Malware-Forensics-Field-Windows-Systems/dp/1597494720/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=malware+forensics&qid=1588045101&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=f1d05634893445f3c4db7b5d5c9751f5&language=es_MX">Malware Forensics - Field Guide for Windows Systems, Malin, Casey, Aquilina</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Malware-Forensics-Field-Guide-Systems-ebook/dp/B00HCIC722/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=malware+forensics&qid=1588045101&sr=8-5&linkCode=ll1&tag=gadgetsama089-20&linkId=12a2d4a089a92bcae88667f169de6b37&language=es_MX">Malware Forensics - Linux Malin, Casey, Aquilina</a><br />
<br />
<a href="https://www.amazon.com.mx/Windows-Registry-Forensics-Advanced-Forensic/dp/012803291X/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=windows+registry+forensics&qid=1588392753&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=8c23f937e3d85a7847422ac7fea6d9ab&language=es_MX">Windows Registry Forensics, Carvey</a> (algo costoso)</div>
<div>
<br /></div>
<div>
<b>INCIDENT RESPONSE</b></div>
<div>
<a href="https://www.amazon.com.mx/Incident-Response-Computer-Forensics-Luttgens/dp/0071798684/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=incident+response+&+computer+forensics&qid=1588044437&s=grocery&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=654b0096d1768caf7e0df1f81befa04f&language=es_MX">Incident Response & Computer Forensics, Lutgens, Peppe, Mandia</a></div>
<div>
<br />
<a href="https://www.amazon.com.mx/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=jaron+bradley&qid=1588369349&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=2534aeab96093222a96c2eb5b275e99d&language=es_MX">OS X Incident Response, Bradley</a><br />
<br />
<b>BLUE TEAM</b><br />
<a href="https://www.amazon.com.mx/Blue-Team-Field-Manual-English-ebook/dp/B077WF4WYV/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&crid=30E7MQIOKB72I&keywords=red+team+field+manual&qid=1588393347&sprefix=red+tem+,aps,200&sr=8-2&linkCode=ll1&tag=gadgetsama089-20&linkId=e99d5bd17c64e0c2ca9aca99c98d6feb&language=es_MX">Blue Team Field Manual (BTFM), White, Clark</a> (Excelente precio)<br />
<br />
<b>RED TEAM</b><br />
<a href="https://www.amazon.com.mx/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&crid=30E7MQIOKB72I&keywords=red+team+field+manual&qid=1588393347&sprefix=red+tem+,aps,200&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=4fe6377964bee0db72d5516372971be0&language=es_MX">Read Team Field Manual (RTFM), Clark </a>(Excelente precio)<br />
<br /></div>
<div>
<b>MOBILE FORENSICS</b></div>
<div>
<a href="https://www.amazon.com.mx/Practical-Mobile-Forensics-Forensically-investigate-ebook/dp/B07YSTKGD5/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=heather+mahalik&qid=1588044551&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=f81bab868945c1da34eb14632b936ee7&language=es_MX">Practical Mobile Forensics, Mahalik, Tamma, Skulkin, Bommisetty </a> (Muy recomendable también el curso de SANS FOR 585 de la autora Heather Mahalik)</div>
<div>
<br />
<a href="https://www.amazon.com.mx/Mobile-Forensic-Investigations-Collection-Presentation/dp/1260135098/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Mobile+forensic+investigations&qid=1588375026&s=sports&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=b7af102ef9a95462ba35036d30125abc&language=es_MX">Mobile Forensic Investigations, Reiber</a><br />
<br /></div>
<div>
<b>MEMORY DUMP ANALYSIS</b></div>
<div>
<a href="https://www.amazon.com.mx/Art-Memory-Forensics-Detecting-Malware/dp/1118825098/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=art+of+memory+forensics&qid=1588046554&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=90e56eef3e74814df7c920facbd1d0a4&language=es_MX">The Art of Memory Forensics, Ligh, Case, Levy, Walters</a></div>
<div>
<br /></div>
<div>
<b>PENTESTING, HACKING AND PYTHON</b><br />
<a href="https://www.amazon.com.mx/Network-Exploration-Security-Auditing-Cookbook/dp/1786467453/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=paulino+calderon+pale&qid=1588522445&sr=8-4&linkCode=ll1&tag=gadgetsama089-20&linkId=4c91e7e50444a7574a151fd52ec52d31&language=es_MX">Nmap Network Exploration and Security Auditing Cookbook, Calderón</a> (By the Mexican author Paulino Calderón, who is also an Nmap developer)<br />
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=the+art+of+exploitation&qid=1588368057&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=cc07e044ce259d91e0a3cf1ee0522406&language=es_MX">Hacking the Art of Exploitation, Erickson</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Gray-Hat-Hacking-Ethical-Handbook/dp/1260108414/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=gray+hat+hacking&qid=1588368102&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=0142f633d1685c18346f12daae73161f&language=es_MX">Gray Hat Hacking, Harper, Regalado, Linn, Sims, Spasojevic, Martinez, Baucom, Eagle, Harris</a> (Uno de los autores es el researcher mexicano Daniel Regalado)</div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=violent+python&qid=1588368211&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=4773df1c9f18074c75b8f771765a70d7&language=es_MX">Violent Python, O´Connor</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Gray-Hat-Python-Programming-Engineers-ebook/dp/B007V2DNEK/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Gray+hat+python&qid=1588368339&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=53194758a64f2eb7e573ea00a346ff99&language=es_MX">Gray Hat Python, Seitz</a></div>
<div>
<br /></div>
<div>
<a href="https://www.amazon.com.mx/Black-Hat-Python-Programming-Pentesters/dp/1593275900/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=Gray+hat+python&qid=1588368398&sr=8-2&linkCode=ll1&tag=gadgetsama089-20&linkId=62b971074a2159a59ad7eefd20b5b810&language=es_MX">Black Hat Python, Seitz</a></div>
<div>
<br /></div>
<div>
<span style="font-family: inherit;"><b>OSINT Y CTI</b></span></div>
<div>
<h1 class="a-spacing-none a-text-normal" id="title" style="box-sizing: border-box; color: #111111; line-height: 1.2; margin: 0px; padding: 0px;">
<span class="a-size-extra-large" id="productTitle" style="box-sizing: border-box; font-weight: normal; line-height: 1.2;"><span style="font-family: inherit; font-size: small;"><a href="https://www.amazon.com.mx/Open-Source-Intelligence-Techniques-Information/dp/169903530X/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=open+source+intelligence+techniques&qid=1588367685&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=a2ccca344d5b3e3f7cf3cc16d422abef&language=es_MX">Open Source Intelligence Techniques, Bazzell</a></span></span></h1>
</div>
<div>
<span class="a-size-extra-large" style="box-sizing: border-box; font-size: 19px !important; font-weight: normal; line-height: 1.2 !important; text-rendering: optimizeLegibility;"><span style="font-family: inherit;"><br /></span></span>
<span class="a-size-extra-large" style="box-sizing: border-box; font-weight: normal; line-height: 1.2;"><span style="font-family: inherit;"><a href="https://www.amazon.com.mx/Psychology-Intelligence-Analysis-English-Richards-ebook/dp/B085HDPXPX/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=richard+heuer&qid=1588393560&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=60a5d5eb1dc19702c5a178cdf5113eaf&language=es_MX">Psychology of Intelligence Analysis, Heuer </a>(Excelente precio)</span></span><br />
<br />
<span class="a-size-extra-large" style="box-sizing: border-box; font-weight: normal; line-height: 1.2;"><span style="font-family: inherit;"><a href="https://www.amazon.com.mx/Structured-Analytic-Techniques-Intelligence-Analysis-ebook/dp/B082Z59BKT/ref=as_li_ss_tl?_encoding=UTF8&pd_rd_i=B082Z59BKT&pd_rd_r=c515074d-f1de-4aae-8f11-e23f677d9b0d&pd_rd_w=cQXNq&pd_rd_wg=k5eXP&pf_rd_p=7fcba123-90de-474d-8ddf-f1ad7e899b2d&pf_rd_r=WHHNH7VWTPKGZ35GJ4GM&psc=1&refRID=WHHNH7VWTPKGZ35GJ4GM&linkCode=ll1&tag=gadgetsama089-20&linkId=64f2b7c4146a808b8bdb82428daf59ea&language=es_MX">Structured Analytical Techniques for Intelligence Analysis, Heuer</a></span></span><br />
<span class="a-size-extra-large" style="box-sizing: border-box; font-size: 19px !important; font-weight: normal; line-height: 1.2 !important; text-rendering: optimizeLegibility;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<b>SECURITY CONTEXT</b></div>
<div>
<span class="a-size-extra-large" style="box-sizing: border-box; font-weight: normal; line-height: 1.2 !important; text-rendering: optimizeLegibility;"><span style="font-family: inherit;"><a href="https://www.amazon.com.mx/Future-Crimes-Digital-Underground-Connected/dp/0804171459/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=future+crimes&qid=1588368426&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=0694dd87f83a6f8c1f925fce5e89d19c&language=es_MX">Future Crimes, Goodman</a> (Excelente precio)</span></span></div>
<div>
<br />
<b>DECEPTION</b><br />
<a href="https://www.amazon.com.mx/CUCKOOS-EGG-English-Clifford-Stoll-ebook/dp/B0083DJXCM/ref=as_li_ss_tl?_encoding=UTF8&pd_rd_i=B0083DJXCM&pd_rd_r=e9260b9e-016c-4283-a1f0-6b9b74cade35&pd_rd_w=EkpbD&pd_rd_wg=La3BW&pf_rd_p=8284ca33-5795-438d-8644-e821683a35cb&pf_rd_r=BR1NEEJY2BZW6FSJ06Z2&psc=1&refRID=BR1NEEJY2BZW6FSJ06Z2&linkCode=ll1&tag=gadgetsama089-20&linkId=61f4a6e872e4d6e4e4e66e7e9da5cdc8&language=es_MX">The Cuckoo´s Egg, Stoll</a> (Viejo pero aún relevante)<br />
<br />
<b>ATTACK AND DEFENSE STEP BY STEP</b><br />
<a href="https://www.amazon.com.mx/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=counter+hack+reloaded&qid=1588393017&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=da8e32b8bbb319186de0ee38547cd89f&language=es_MX">Counter Hack Reloaded, Skoudis, Liston</a> (Old but still relevant)</div>
<div>
<br /></div>
<div>
<b>HACKER CULTURE</b><br />
<a href="https://www.amazon.com.mx/Ghost-Wires-Adventures-Worlds-English-ebook/dp/B00FOQS8D6/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=mitnick&qid=1588375433&sr=8-2&linkCode=ll1&tag=gadgetsama089-20&linkId=4ac4cb0ecaa7ff63f61d319c130cde3a&language=es_MX">Ghost in the Wires, Mitnick, Simon</a><br />
<br />
<a href="https://www.amazon.com.mx/Art-Invisibility-Worlds-Teaches-Brother/dp/0316380504/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=mitnick&qid=1588375575&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=09a3e479efd425488ae6348a819033fe&language=es_MX">The Art of Invisibility, Mitnick</a><br />
<br />
<a href="https://www.amazon.com.mx/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=tribe+of+hackers&qid=1588375633&sr=8-1&linkCode=ll1&tag=gadgetsama089-20&linkId=c9406242f0d9cf25e34d1414fac91a0c&language=es_MX">Tribe of Hackers: cybersecurity advise, Carey, Jin</a><br />
<br />
<a href="https://www.amazon.com.mx/Tribe-Hackers-Red-Team-Cybersecurity/dp/1119643325/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=tribe+of+hackers&qid=1588375768&sr=8-3&linkCode=ll1&tag=gadgetsama089-20&linkId=d5cc8a53f33d914d5c8ef394cfd2bfc0&language=es_MX">Tribe of Hackers: Red Team, Carey, Jin</a><br />
<br />
<a href="https://www.amazon.com.mx/Tribe-Hackers-Blue-Team-Cybersecurity/dp/1119643414/ref=as_li_ss_tl?__mk_es_MX=%C3%85M%C3%85%C5%BD%C3%95%C3%91&keywords=tribe+of+hackers&qid=1588375768&sr=8-4&linkCode=ll1&tag=gadgetsama089-20&linkId=74814c08339d357bf7f76d27742e96bf&language=es_MX">Tribe of Hackers: Blue Team, Carey, Jin</a><br />
<br />
<br />
<span style="font-size: x-small;">Nota: los vínculos a los libros sugeridos se generaron como parte del programa de afiliados de Amazon. </span><br />
<br /></div>
d4v3c0d3rhttp://www.blogger.com/profile/10506052748397636924noreply@blogger.com0tag:blogger.com,1999:blog-6919355752769899458.post-42309714846877133322020-01-13T19:08:00.003-08:002020-01-14T08:25:33.471-08:00Solving the Kringlecon 2 CTF<br />
This time I had the pleasure of solving Kringle Con 2019 with my friend Alexa Gomez from Colombia. It was cool to team up to try to solve the challenge, as it is a social rather than an individual experience. We overcame frustration and difficulties, completed the 12 objectives and sent our write-up to the Kringlecon organizers for the opportunity to compete for the full courses and not just the T-shirts. Teams in Kringlecon are not encouraged, but they are not prohibited either. The only problem is that if we win we will have to raffle the prize; for us this was not a problem.<br />
<br />
I think that Alexa is a solid player who never gives up, and that was key to solving all the objectives! The challenge I enjoyed the most was the reversing one, as that has been one of the areas I have enjoyed most recently. Our write-up is available on our GitHub; feel free to download it and read it.<br />
<br />
<a href="https://github.com/debernal/CTFs/blob/master/Kringlecon_2019_Writeup.pdf">Kringlecon 2019 Write UP</a><br />
<br />
Thinking about the challenges we faced: for me it was difficult to dedicate any time except Saturdays and Sundays, and at times it was hard to fight frustration when we didn't get the right answer; at those moments it was better to step back a little and rethink the problem. Also, analyzing what I could have done better, I think I overlooked some hints; maybe that will be helpful when playing next year.<br />
<br />
Participating in CTFs is a good way to learn something new, so even if you don't get the answers you will gain more knowledge and skills. Progress can be very difficult depending on the time one has available to play, experience, etc. Teaming up with a colleague can be very positive if you do it with the right people. Finally, when you complete all the objectives you feel really good :). I encourage anyone in infosec to play CTFs from time to time.<br />
<br />
<br />
<br />d4v3c0d3rhttp://www.blogger.com/profile/10506052748397636924noreply@blogger.com1tag:blogger.com,1999:blog-6919355752769899458.post-43731314245549629422019-10-02T00:29:00.003-07:002019-10-02T00:41:08.021-07:00File renaming technique vs Sysmon Powershell detection<br />
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">One of the techniques used by attackers to evade some endpoint-based detections is renaming the PowerShell binary before running the malicious command. For example, according to Black Hills Information Security, in 2017 they were able to bypass Cylance using this technique:</span><br />
<a href="https://www.blackhillsinfosec.com/bypassing-cylance-part-4-metasploit-meterpreter-powershell-empire-agent/">https://www.blackhillsinfosec.com/bypassing-cylance-part-4-metasploit-meterpreter-powershell-empire-agent/</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">In this blog post we are going to evaluate whether a Sysmon-based PowerShell detection search can be bypassed by renaming the PowerShell binary to something else before running the malicious PowerShell command.</span></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;"><span style="mso-spacerun: yes;"><br /></span></span></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">Let’s assume that for whatever reason we were not able to detect the attack in the delivery phase and the attacker is able to rename the native PowerShell program and run the malicious command using the renamed copy, as shown in the following image.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihxLgXiB5phL_PVYiGCltt0_Ll5ixCKoKDkwwHhUc0Y9JnBPJzpyCmLukdJdL30yVTWJbqrD6vm7NivnhkOKowHHH5S6hAMoZGtbHaDJcz5A3qVdNScFfAuCb4Z4ol6BTDwfObl4qFxczR/s1600/th1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="100" data-original-width="724" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihxLgXiB5phL_PVYiGCltt0_Ll5ixCKoKDkwwHhUc0Y9JnBPJzpyCmLukdJdL30yVTWJbqrD6vm7NivnhkOKowHHH5S6hAMoZGtbHaDJcz5A3qVdNScFfAuCb4Z4ol6BTDwfObl4qFxczR/s1600/th1.png" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">When looking at Sysmon event ID 1, we see that the Description field is unchanged, despite the binary having been renamed.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHy5xpTG4MjvzJlEowznmUPr4LOIXdpQczMvu9LQBq3Zgad7xSbDgNgDCL3SWip_K2zQSkwevOURlnF_P1Pf3TzuSsNJSa_SR2ECLXkBT7RQ7D_g3dKGBGB9I30B0T6pgivn6Bdq-B98Hq/s1600/th2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="245" data-original-width="411" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHy5xpTG4MjvzJlEowznmUPr4LOIXdpQczMvu9LQBq3Zgad7xSbDgNgDCL3SWip_K2zQSkwevOURlnF_P1Pf3TzuSsNJSa_SR2ECLXkBT7RQ7D_g3dKGBGB9I30B0T6pgivn6Bdq-B98Hq/s1600/th2.png" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">If the detection search only looks for “powershell” in the Image or CommandLine fields, the detection is going to be evaded. However, as previously shown, the Description is not altered when the file is renamed, so this field can be used to resist the “renaming evasion technique”, as demonstrated in the following image.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0gKQjsLlg7Nrkgj8psWl9NKUFGmBBci5rnHtnKn8lkW2JK8R1kiR14SEGDfSff9e5OD4WoTHc0ILoNHoetQV5OBYIwqam469EJiqA8ehiJ2MJY-JiYTZBIgEcC-D2PopRIaGQknjDh-0H/s1600/th3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="491" data-original-width="809" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0gKQjsLlg7Nrkgj8psWl9NKUFGmBBci5rnHtnKn8lkW2JK8R1kiR14SEGDfSff9e5OD4WoTHc0ILoNHoetQV5OBYIwqam469EJiqA8ehiJ2MJY-JiYTZBIgEcC-D2PopRIaGQknjDh-0H/s1600/th3.png" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">Even if PowerShell is renamed, it retains its Description “Windows PowerShell”, which is tracked by Sysmon. If the search uses this field, it will not be evaded by the file renaming technique, and it will require extra steps from the attacker to bypass it.</span></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;"><br /></span></div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">Defenders should have multiple detections for the various phases of the kill chain, to detect delivery, exploitation, command and control and actions on objectives. Even if the attackers had been able to bypass an exploitation-based search, we should have detected them at the other stages, hopefully as early as possible. It is also necessary to complement endpoint-based detection with network visibility.</span></div>
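As an added example (not code from the original post), here are the two searches compared above run over constructed Sysmon Event ID 1 records rendered as Windows Event Log XML; the sample images, command lines and the renamed file name svchost32.exe are made up, and a third check flags the evasion's own fingerprint: a Description of “Windows PowerShell” on an image whose file name does not contain powershell.

```python
"""Rename-resistant Sysmon Event ID 1 matching (added example, not from the post)."""
import ntpath
import xml.etree.ElementTree as ET

# Namespace used when Windows Event Log renders an event as XML.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed Sysmon Event ID 1 records (not real telemetry): a normal PowerShell
# launch, a renamed copy of powershell.exe, and an unrelated process.
SAMPLE_EVENTS = f"""<Events>
<Event xmlns="{EVENT_NS}">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="Description">Windows PowerShell</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -Command Get-Date</Data>
  </EventData>
</Event>
<Event xmlns="{EVENT_NS}">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\\Users\\Public\\svchost32.exe</Data>
    <Data Name="Description">Windows PowerShell</Data>
    <Data Name="CommandLine">svchost32.exe -NoProfile -Command Get-Date</Data>
  </EventData>
</Event>
<Event xmlns="{EVENT_NS}">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
    <Data Name="Description">Notepad</Data>
    <Data Name="CommandLine">notepad.exe</Data>
  </EventData>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Return one dict of EventData fields (plus EventID) per <Event>."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        fields["EventID"] = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        events.append(fields)
    return events


def naive_match(event):
    """The search the post shows being evaded: 'powershell' in Image or CommandLine."""
    return any("powershell" in event.get(f, "").lower() for f in ("Image", "CommandLine"))


def description_match(event):
    """The rename-resistant search: the Description Sysmon records comes from the
    file's version resource, which a rename does not touch."""
    return "windows powershell" in event.get("Description", "").lower()


def looks_renamed(event):
    """Fingerprint of the evasion itself: Description says PowerShell but the
    image file name does not."""
    name = ntpath.basename(event.get("Image", "")).lower()
    return description_match(event) and "powershell" not in name


def evaluate(xml_text):
    """Map Image -> (naive hit, description hit, looks renamed) for every Event ID 1."""
    return {
        ev["Image"]: (naive_match(ev), description_match(ev), looks_renamed(ev))
        for ev in parse_events(xml_text)
        if ev["EventID"] == 1
    }


if __name__ == "__main__":
    for image, (naive, desc, renamed) in evaluate(SAMPLE_EVENTS).items():
        print(f"{image}\n  naive={naive} description={desc} renamed={renamed}")
```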
<br /><b>Jailbreaking iOS iPhone 4s with Home Depot jailbreak</b><br />Published 2019-04-14<br />
When analyzing iOS applications it is important to have an unrestricted environment in order to fully analyze all the aspects of the application and determine if it shows malicious behavior, decrypt the app to analyze strings and headers, and even analyze the assembly code of the app, if time permits. When we talk about overcoming restrictions on an iPhone device, that means jailbreaking it. In this article, I will show the steps that I followed to jailbreak an old iPhone 4s that I have.<br />
<br />
Verify that there is an existing jailbreak for the iphone model and iOS version that you have.<br />
In my case, there were several candidates but the jailbreak known as Home Depot seemed like a good option.<br />
<a href="https://yalujailbreak.net/home-depot-jailbreak-offsets/">https://yalujailbreak.net/home-depot-jailbreak-offsets/</a><br />
https://cydiainstaller.net/home-depot-jailbreak/<br />
<br />
<br />
It is not a good idea to jailbreak your production device, because jailbreaking reduces the security posture of the device, making it easier for someone to get access to your data; therefore, ideally you should use this device for testing only. You should also create an Apple account to be used only for this device, not your production account.<br />
<br />
Download the Home Depot IPA file; version RC3 worked for me:<br />
http://wall.supplies/MixtapePlayerRC3.ipa<br />
If you are paranoid, like me, it is a good idea to download all the required software from a virtual machine, so you don't risk downloading and running potentially malicious programs.<br />
<br />
Download and install iTunes<br />
<br />
Create a new apple account for this process<br />
<br />
Download Cydia Impactor<br />
https://cydia.saurik.com/api/latest/2<br />
<br />
Finally, run Cydia Impactor and drag and drop MixtapePlayerRC3.ipa file into it. It will ask for your apple account credentials, provide the credentials of the account you created. This will install the Home Depot jailbreak app.<br />
<br />
In the iphone go to Settings > General > Device Management > Select the user used to sign the application and Trust It.<br />
<br />
Open the Home Depot app, select Prepare for Jailbreak > Accept > Dismiss > Proceed with Jailbreak > Begin Installation.<br />
<br />
Once it is completed, Cydia is installed. Open Cydia and delete the repo666 repository by sliding it to the left, as it causes an error. Update all the packages.<br />
<br />
Install BigBoss Recommended Tools, as it includes several useful command line tools, such as git, curl, etc.<br />
<br />
Video where I found most of the instructions (in Spanish)<br />
<a href="https://www.youtube.com/watch?v=qZeiW3Cyx1Y">https://www.youtube.com/watch?v=qZeiW3Cyx1Y</a><br />
<br />
Install OpenSSH in Cydia<br />
This will allow you to access your device through SSH. The default password is alpine, so you should log in and change it to prevent unauthorized use. Use the passwd command to change the passwords of the root and mobile accounts.<br />
<br />
That's it, enjoy it!<br />
<br />
<br />
<br />d4v3c0d3rhttp://www.blogger.com/profile/10506052748397636924noreply@blogger.com0tag:blogger.com,1999:blog-6919355752769899458.post-46276281225227642762019-02-03T22:27:00.000-08:002019-02-03T22:27:06.767-08:00Enabling Windows Firewall log<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">One of the key evidence items to acquire and analyze in a security incident is information about the network connections established by the device under investigation. Unfortunately, this information will not be available in every situation: if the device was powered off, the network connections are lost, as they are volatile information that resides in RAM. In that case, we would try to locate and analyze hibernation files (extremely valuable, but not always available) or offline artifacts such as pagefile.sys or service-specific logs, looking for any remnant of a network connection, but this information would be very limited and incomplete compared to what the netstat command could have displayed. We could also try to obtain logs from any firewalls available in the organization, but we would depend on logging being enabled and on the traffic of the device having passed through the network path where the firewall sits. Finally, network activity can also happen when the device is outside the enterprise, which is common for laptops; in that case the firewall would obviously have no relevant logs for that investigation.</span><br />
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">Modern operating systems have host-based firewalls that can be easily configured to log network connections, providing a valuable source of information in case of a security incident. On Windows, it is very easy to enable logging of network connections through the integrated Windows Firewall. Once enabled, deleting the log requires administrator privileges, which an attacker who cannot achieve admin rights on the compromised host will not have. Even if the attacker achieves admin rights, not all of them will be aware of the log, so there is a good chance that it will still be available for collection and analysis. </span></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">The Windows Firewall log can be enabled extremely easily, both from the command line and through the GUI, and it allows the user to choose which kind of network connections should be logged (failed or successful). I will show how to enable it from the command line. We can log both allowed and dropped connections, but I recommend logging only allowed connections, as dropped connections would generate lots of noise, especially related to the UPnP protocol.</span><br />
<span lang="EN-US"><br /></span></div>
<pre style="background: #EFF0F1; text-align: justify; vertical-align: baseline;"><code><span lang="EN-US" style="border: 1pt none; color: #242729; font-family: "consolas"; padding: 0cm;">netsh advfirewall set allprofiles logging allowedconnections enable</span></code><span lang="EN-US" style="color: #242729; font-family: "consolas"; mso-ansi-language: EN-US;"></span></pre>
<pre style="background: #EFF0F1; text-align: justify; vertical-align: baseline;"><code><span lang="EN-US" style="border: 1pt none; color: #242729; font-family: "consolas"; padding: 0cm;">netsh advfirewall set allprofiles logging droppedconnections disable</span></code><span lang="EN-US" style="color: #242729; font-family: "consolas"; mso-ansi-language: EN-US;"></span></pre>
<div class="MsoNormal" style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Qi5-L75FdNMECr-xTMOZ04Mmu436iei5oi16oYvFZwZJeNrIgQvLNH52QsI5AM1nHpr84KCh3yFda-cU-j3UlC-JmLgyYnrN2GA-X3ErkEpieZzus7KNPjmSOCQR2EyGuVjqzdrm_zag/s1600/EnableWindowsFirewallLogging.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="154" data-original-width="804" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Qi5-L75FdNMECr-xTMOZ04Mmu436iei5oi16oYvFZwZJeNrIgQvLNH52QsI5AM1nHpr84KCh3yFda-cU-j3UlC-JmLgyYnrN2GA-X3ErkEpieZzus7KNPjmSOCQR2EyGuVjqzdrm_zag/s1600/EnableWindowsFirewallLogging.PNG" /></a></div>
<br />
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">We can also increase the size of the log, the acceptable range is 1-32767 kilobytes. </span></div>
<pre style="background: #EFF0F1; text-align: justify; vertical-align: baseline;"><code><span lang="EN-US" style="border: 1pt none; color: #242729; font-family: "consolas"; padding: 0cm;">netsh advfirewall set allprofiles logging maxfilesize 32767</span></code></pre>
<div class="MsoNormal" style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ-dM-uiKnGR6o9XYrmc6EcvRu9GUPU0JSAL0AgAoD1-X03Bw6TCR9Xj_BUj21Kw9xTGSN4mXW9PxyNpjZcn-_Sni54fkq4nBv1Xd9SpEj_fURhDrrAgrydEKXHNAYWq_RbtbpdwNvlZeF/s1600/EnableMaxSize.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="34" data-original-width="639" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ-dM-uiKnGR6o9XYrmc6EcvRu9GUPU0JSAL0AgAoD1-X03Bw6TCR9Xj_BUj21Kw9xTGSN4mXW9PxyNpjZcn-_Sni54fkq4nBv1Xd9SpEj_fURhDrrAgrydEKXHNAYWq_RbtbpdwNvlZeF/s1600/EnableMaxSize.PNG" /></a></div>
<br />
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">The Windows Firewall log is created by default in C:\Windows\System32\LogFiles\Firewall, although it can be configured to a different location. If you try to open the active file, you will get an error; to work around this, simply create a copy of the file and open the copy. </span>The structure of the log is very simple and straightforward to read: it is clear text and stores the following fields:</div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb_Nr1tOydC1sG0YpCqcqlJtbs4BTaKMmvvvL4phHeom1rbA08mSEvAPpGJ8UgzaLgyOTcNFroKYZk4Wm7bUjUwVrImRwh5AdHfrrtifdww7GpM3gkaMW3JNl3gf8hULLwfaZrIxpDb2EI/s1600/WindowsFirewallFields.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="89" data-original-width="1084" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb_Nr1tOydC1sG0YpCqcqlJtbs4BTaKMmvvvL4phHeom1rbA08mSEvAPpGJ8UgzaLgyOTcNFroKYZk4Wm7bUjUwVrImRwh5AdHfrrtifdww7GpM3gkaMW3JNl3gf8hULLwfaZrIxpDb2EI/s1600/WindowsFirewallFields.PNG" /></a></div>
<br />
Since it is generated by the host, it will be synced with other logs generated on the same computer, allowing for quick correlation. If the logs were generated by a network firewall, we would first have to check if it is synced to the same NTP server or otherwise calculate the time skew and adjust the timestamps, which is not always a fun or easy task to do.</div>
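As an added example (not from the post), here is a small Python parser for this log format together with the two triage searches the post suggests, looking up a given IP address and spotting uncommon ports. The #Fields header is the standard one the Windows Firewall writes; the records themselves are constructed, including a truncated last line of the kind you get when copying the live file.

```python
"""Parse and triage a Windows Firewall log (added example, not from the post)."""
from collections import Counter
from datetime import datetime

# Constructed sample in the format pfirewall.log uses: '#' header lines, then
# space-separated records with '-' for fields that do not apply to the record.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2019-02-03 21:15:02 ALLOW TCP 192.168.1.10 93.184.216.34 51234 443 0 - 0 0 0 - - - SEND
2019-02-03 21:15:07 ALLOW UDP 192.168.1.10 192.168.1.1 53811 53 0 - - - - - - - SEND
2019-02-03 21:16:40 ALLOW TCP 192.168.1.10 198.51.100.23 51240 4444 0 - 0 0 0 - - - SEND
2019-02-03 21:16:55 ALLOW TCP 203.0.113.5 192.168.1.10 50321 3389 0 - 0 0 0 - - - RECEIVE
2019-02-03 21:17:03 DROP UDP 192.168.1.55 239.255.255.250 1900 1900 161 - - - - - - - RECEIVE
2019-02-03 21:18:00 ALLOW TCP 192.168.1.10
"""


def parse_firewall_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record found before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # partially written last line in a copy of the live file
        rec = dict(zip(fields, values))
        # "#Time Format: Local": timestamps are host local time, like the other host logs.
        rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_ip(records, ip):
    """Triage search: every record where ip is the source or the destination."""
    return [r for r in records if ip in (r["src-ip"], r["dst-ip"])]


def remote_endpoint(rec):
    """(remote ip, service port). For SEND the remote side is the destination, for
    RECEIVE it is the source; dst-port is the service being contacted either way."""
    remote_ip = rec["dst-ip"] if rec["path"] == "SEND" else rec["src-ip"]
    return remote_ip, rec["dst-port"]


def uncommon_ports(records, expected=frozenset({"53", "80", "123", "443"})):
    """Allowed TCP/UDP connections whose service port is outside the expected set,
    counted per (remote ip, port, direction)."""
    hits = Counter()
    for r in records:
        if r["action"] != "ALLOW" or r["protocol"] not in ("TCP", "UDP"):
            continue
        remote_ip, port = remote_endpoint(r)
        if port not in expected:
            hits[(remote_ip, port, r["path"])] += 1
    return hits


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for r in find_ip(recs, "198.51.100.23"):
        print("IP hit:", r["timestamp"], r["action"], r["src-ip"], "->", r["dst-ip"], r["dst-port"])
    for (ip, port, path), n in uncommon_ports(recs).items():
        print(f"uncommon port: {ip}:{port} {path} x{n}")
```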
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">You can determine if logging is enabled for a given Windows computer by running the following command:</span><br />
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<code><span lang="EN-US" style="background: #eff0f1; border: none 1.0pt; color: #242729; font-family: "consolas"; font-size: 10.0pt; line-height: 107%; padding: 0cm;">netsh advfirewall show allprofiles</span></code><span lang="EN-US"></span></div>
<div class="MsoNormal" style="text-align: justify;">
<code><span lang="EN-US" style="background: #eff0f1; border: none 1.0pt; color: #242729; font-family: "consolas"; font-size: 10.0pt; line-height: 107%; padding: 0cm;"><br /></span></code></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">The relevant parameters for every profile are LogAllowedConnection, LogDroppedConnection, FileName and MaxFileSize.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRFYwr6HKzrb3SgM0TdZqYiX3sXM13SancJPCZoCda653Pxp6K3gvZK4x3uGR1oz3m-mpfnca-vrF0KNucjmXvRA1mE4vCQd1QnSVfagqruop5bBbjuHFU_gtGlffkWDE-AaQ9_vQEhQJ4/s1600/showConfig.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="520" data-original-width="733" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRFYwr6HKzrb3SgM0TdZqYiX3sXM13SancJPCZoCda653Pxp6K3gvZK4x3uGR1oz3m-mpfnca-vrF0KNucjmXvRA1mE4vCQd1QnSVfagqruop5bBbjuHFU_gtGlffkWDE-AaQ9_vQEhQJ4/s1600/showConfig.PNG" /></a></div>
<span lang="EN-US"><br /></span></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">Enabling the Windows Firewall log is a quick win, as it is very simple to do and can provide extremely valuable information during a DFIR investigation. Because of its small size, it can be used for triage, to rapidly search for a given IP address or uncommon port that has previously been identified as malicious or suspicious. In the following article, I will show several use cases for this information, and I will share a useful script to extract information from the log and make it more actionable.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US">If you disabled Windows Firewall because you use a third-party host firewall, make sure that you have logging enabled in the third-party firewall, determine the retention time and make sure it meets your requirements. </span></div>
<b>Detecting lsass Access with Sysmon Process Access</b><br />Published 2017-07-17<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
The Local Security Authority Subsystem Service process (lsass.exe) is responsible for enforcing the security policy on the system and handling password operations; therefore, its memory contains user passwords. One of the things attackers do once they have gained access to a system is to inject code into that process to obtain clear text passwords. From the attacker’s perspective this is great, as they won’t have to spend precious time attacking password hashes, which is what they would have to do after extracting the hashes from the SAM registry hive.<br />
<br /></div>
<div class="MsoNormal">
Sysmon is a useful and free tool created by Mark Russinovich and Thomas Garnier from Microsoft that can audit processes, among many other things. One of the things that can be audited in the most recent version is Process Access, which can detect any tool that has accessed the lsass process and could therefore have dumped credentials. By default, process access auditing is disabled, so Sysmon must be tuned to audit this event, which can be done with the following XML configuration file.</div>
<div class="MsoNormal">
<br /></div>
<pre style="background: #EFF0F1; text-align: justify; vertical-align: baseline;"><code>&lt;Sysmon schemaversion="3.2"&gt;
  &lt;HashAlgorithms&gt;*&lt;/HashAlgorithms&gt;
  &lt;EventFiltering&gt;
    &lt;!-- Log every process that opens a handle to lsass.exe --&gt;
    &lt;!-- (Event ID 10, Process Access) --&gt;
    &lt;ProcessAccess onmatch="include"&gt;
      &lt;TargetImage condition="contains"&gt;lsass.exe&lt;/TargetImage&gt;
    &lt;/ProcessAccess&gt;

    &lt;!-- Enable Network Connections --&gt;
    &lt;NetworkConnect onmatch="exclude"/&gt;
  &lt;/EventFiltering&gt;
&lt;/Sysmon&gt;</code></pre>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Next we update the Sysmon configuration by using the -c flag and passing the XML file as parameter.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTOAYzf9AlYLWZXDgZXY0suRlP068KwTQdHjHHYW71fHASYAb9XVAQ1Hco6N0wu-epAU4YFP9V-5BMSHTLd_u20Y61gS_BSTEvYogP_QngS161Tq27baiPU8CMs7j5bvJuqD3tJXz1M1r6/s1600/sysmon1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="144" data-original-width="589" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTOAYzf9AlYLWZXDgZXY0suRlP068KwTQdHjHHYW71fHASYAb9XVAQ1Hco6N0wu-epAU4YFP9V-5BMSHTLd_u20Y61gS_BSTEvYogP_QngS161Tq27baiPU8CMs7j5bvJuqD3tJXz1M1r6/s400/sysmon1.png" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
To test the configuration, I used mimikatz, which is a (in)famous tool used to get clear text credentials from the lsass process. I set up a meterpreter listener and created a reverse meterpreter TCP executable called lolm.exe, which I executed on the test Windows computer. As expected, I was able to load the mimikatz plugin and dump clear text credentials using the kerberos command.</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD2oMf12jS_wLWTUV9XeCEyxzJiMz7B8ex0TRF8VR3lMrIOX_aqK7XG9QCwflsnoF99z0tvnlLykLFJ7rvR4M-nDyZLd5FXDdisPnr2_EPlztRLtc8q5IEF95thyphenhyphenEIrQn0czEE4782YCvO/s1600/sysmon2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="206" data-original-width="415" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD2oMf12jS_wLWTUV9XeCEyxzJiMz7B8ex0TRF8VR3lMrIOX_aqK7XG9QCwflsnoF99z0tvnlLykLFJ7rvR4M-nDyZLd5FXDdisPnr2_EPlztRLtc8q5IEF95thyphenhyphenEIrQn0czEE4782YCvO/s400/sysmon2.png" width="400" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
Sysmon was able to successfully log the event: it recorded the time and date, the full path of the meterpreter executable and the call trace. It is important to notice that Sysmon will not only detect Mimikatz but any tool that accesses the lsass process, therefore other tools used to dump credentials from lsass would be detected as well.</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjldmfGaF2xUcSnBbqwcJU1Co6-r0uMy3O4ymlkWdhGhGBW3zyPHMRmox0LU3O9RZXb88z1F7y7R9xn_zkoziguXVOeDGDGsgHIzeP_vRNGjWWElUdujgeI20yrOOjCnWeATHHmpzWTyUR4/s1600/sysmon3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="396" data-original-width="763" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjldmfGaF2xUcSnBbqwcJU1Co6-r0uMy3O4ymlkWdhGhGBW3zyPHMRmox0LU3O9RZXb88z1F7y7R9xn_zkoziguXVOeDGDGsgHIzeP_vRNGjWWElUdujgeI20yrOOjCnWeATHHmpzWTyUR4/s400/sysmon3.png" width="400" /></a><br />
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
In the following articles we will see how we can tune sysmon configuration to detect other attacks.<o:p></o:p></div>
Published 2017-06-29<br />
<div align="center" class="MsoNormal" style="text-align: center;">
<b>Collecting locked files from Windows hosts with sleuthkit<o:p></o:p></b></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
When performing triage forensics on Windows computers, full hard drive images are not obtained; instead, only a small subset of files that can potentially hold critical information is collected, in addition to other volatile evidence. Triage analysis is much faster than collecting and analyzing a full forensic image, and in many cases it makes it possible to determine which hosts require a full forensic investigation and provides input for a deeper analysis.</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
Unfortunately, on Windows several files that contain critical evidence are locked by the operating system and cannot be copied through the Windows API like most files on the computer. This is also true of some malware, which implements the same mechanism. One option to copy such files is to power off the computer and boot it with a LiveCD/LiveDVD, or to remove the hard drive and connect it to a write blocker to extract the files from another computer. But in many cases powering off the computer is not an option, such as when the computer is mission critical or when disk encryption is used that would render the files inaccessible. To collect these files while the computer is on, the files must be read through raw disk access instead of the Windows API.</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
One of the tools that allows raw access to copy locked files is sleuthkit, which is free to use and flexible. To copy a locked file we first use ifind to determine the metadata address of the file and then run icat to dump it. Make sure to place all sleuthkit DLL files in the same folder as the sleuthkit executables and to run them with elevated privileges. The syntax of the ifind and icat commands is shown below.</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<pre style="background: #EFF0F1; text-align: justify; vertical-align: baseline;"><code>ifind.exe -n &lt;file path&gt; \\.\&lt;logical drive&gt;</code></pre>
<div class="MsoNormal" style="text-align: justify;">
ifind prints the metadata address, which is then passed to icat; icat writes the file content to standard output, so redirect it to the destination file:</div>
<pre style="background: #EFF0F1; text-align: justify; vertical-align: baseline;"><code>icat.exe \\.\&lt;logical drive&gt; &lt;metadata address&gt; &gt; &lt;output file&gt;</code></pre>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
In the following example I show
how to collect the system registry hive with this method.<o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbguRoJopXO4HMMim7gI0p0BUrG2n8yG9FAJCfg8Lh7PjmbSAjoL22fCXpE3iqrmIqiLa8Qwb_M_Oh2Zm_8L-6MjRLOe-EUTzieTFBdUIvthf1-C87rO9p6VVZfqyu1wVtQix7uMsRM33t/s1600/CopyLocked.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="103" data-original-width="493" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbguRoJopXO4HMMim7gI0p0BUrG2n8yG9FAJCfg8Lh7PjmbSAjoL22fCXpE3iqrmIqiLa8Qwb_M_Oh2Zm_8L-6MjRLOe-EUTzieTFBdUIvthf1-C87rO9p6VVZfqyu1wVtQix7uMsRM33t/s1600/CopyLocked.PNG" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<br />
<div class="MsoNormal" style="text-align: justify;">
Since sleuthkit does not use a graphical user interface, it can be called from wrapper scripts in VBScript, PowerShell or any other language. With some automation you can collect all the files that you require, such as the Windows registry hives, Amcache and the NTFS MFT.</div>
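As an added example (not the author's script), here is a Python wrapper that automates the ifind/icat sequence described above for a list of files. The sleuthkit install path C:\tools\sleuthkit\bin and the output folder are assumptions, as is converting each Windows path to the drive-relative, forward-slash form that ifind -n accepts; the runner function is injectable so the command construction can be exercised off a Windows host.

```python
"""Automate ifind/icat collection of locked files (added example, not from the post)."""
import subprocess
from pathlib import Path, PureWindowsPath

# Hypothetical location of the sleuthkit binaries; the DLLs must sit beside them
# and the script must run elevated, as the post notes.
SLEUTHKIT_DIR = PureWindowsPath(r"C:\tools\sleuthkit\bin")


def to_tsk_path(win_path):
    """Split C:\\Windows\\...\\SYSTEM into ('C:', 'Windows/.../SYSTEM'):
    ifind -n takes a path relative to the root of the volume (assumption:
    '/' as separator, which is what TSK uses for its own paths)."""
    p = PureWindowsPath(win_path)
    if not p.drive:
        raise ValueError(f"absolute path with a drive letter is required: {win_path}")
    return p.drive.upper(), "/".join(p.parts[1:])


def parse_ifind_output(stdout, returncode):
    """ifind prints the metadata (MFT entry) address on success and a message otherwise."""
    text = stdout.strip()
    return int(text) if returncode == 0 and text.isdigit() else None


def ifind_command(win_path):
    """ifind.exe -n <file path> \\\\.\\<logical drive>, as in the post."""
    drive, rel = to_tsk_path(win_path)
    return [str(SLEUTHKIT_DIR / "ifind.exe"), "-n", rel, rf"\\.\{drive}"]


def icat_command(win_path, meta_addr):
    """icat.exe \\\\.\\<logical drive> <metadata address>; content goes to stdout."""
    drive, _ = to_tsk_path(win_path)
    return [str(SLEUTHKIT_DIR / "icat.exe"), rf"\\.\{drive}", str(meta_addr)]


def collect_locked_files(paths, out_dir, run=subprocess.run):
    """ifind then icat each path into out_dir; returns {path: output file or None}.
    `run` defaults to subprocess.run and can be replaced for dry runs or tests."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    collected = {}
    for win_path in paths:
        proc = run(ifind_command(win_path), capture_output=True, text=True)
        meta = parse_ifind_output(proc.stdout, proc.returncode)
        if meta is None:
            collected[win_path] = None  # not found, or not an NTFS volume
            continue
        drive, rel = to_tsk_path(win_path)
        dest = out / f"{drive[0]}_{rel.replace('/', '_')}"
        with dest.open("wb") as fh:
            # icat dumps the raw file content to stdout; capture it straight to disk.
            run(icat_command(win_path, meta), stdout=fh, check=True)
        collected[win_path] = str(dest)
    return collected


if __name__ == "__main__":
    wanted = [
        r"C:\Windows\System32\config\SYSTEM",
        r"C:\Windows\System32\config\SOFTWARE",
        r"C:\Windows\AppCompat\Programs\Amcache.hve",
        r"C:\$MFT",
    ]
    print(collect_locked_files(wanted, r"C:\triage"))
```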
Published 2017-06-29<div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="line-height: 115%;">Generating
Snort rules to prevent Apache Struts CVE-2017-5638</span> exploit<o:p></o:p></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="line-height: 115%;">Attackers usually exploit vulnerabilities in software to achieve code execution or to gain more privileges on an already compromised system. The most severe vulnerabilities are those that allow remote code execution without requiring elevated privileges, and the situation is even worse when the exploit is easy to run. This is the case of Apache Struts CVE-2017-5638,</span> which allows remote code execution due to poor validation of input parameters. As defenders, it is important to detect and prevent exploitation of such vulnerabilities as soon as possible.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">In an ideal world every system would receive the software updates that
fix vulnerabilities, but in reality not all systems are patched, for a variety of reasons. Therefore it is useful to have compensating
controls that detect and/or block the attack. Even when patching best practices are followed, these rules produce intelligence about our adversaries that can be used to enhance existing defenses or build new ones. In this
article we will explore how to test this vulnerability in a lab environment in
order to develop a Snort rule that detects and prevents attempts to exploit it. As
a second goal we improve the rule so that it logs not only the exploit request
but also the response sent by the server, which tells us whether
the exploit attempt succeeded and lets us assign the proper priority for response and containment.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Lab setup and install</b></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The first step is to
get the software listed below and set up the vulnerable lab system. I decided to install it on a Windows host, although it can also be installed on a Linux system if you prefer.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
</div>
<ul>
<li>Java Runtime Environment
8u121</li>
<li>Apache
Tomcat 8.5.13</li>
<li>A vulnerable Apache Struts
version: any 2.3.x release before <span style="font-family: "arial" , "helvetica" , sans-serif;">2.3.32 or any 2.5.x release before 2.5.10.1 (the fixed versions). </span></li>
</ul>
<br />
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif; line-height: 115%;">Create the environment
variable JRE_HOME </span><span style="font-family: "arial" , "helvetica" , sans-serif;">and set it to the JRE install path; in my case it
was “C:\Program Files\Java\jre1.8.0_121”.</span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Start the Tomcat web server by
running the startup.bat script in the bin subfolder of the Tomcat folder.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Check that java.exe is
listening on TCP port 8080.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Browse to <a href="http://ipaddress:8080/webapp-name/index.html"><span style="color: windowtext; text-decoration-line: none;">http://IPaddress:8080/webapp-name/index.html</span></a>;
the default Tomcat page should be displayed, which confirms that Tomcat is serving the deployed application.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Exploit
test<o:p></o:p></span></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="line-height: 115%;">Download and run
the exploit from http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html. </span>The
exploit works without any modification; however, it prints the HTML of the returned page after the command
output, which is noise we do not want.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg900FSXWVsAfHVE0LjS9a2Z7sGceQFVcmAvPPjgEZmTRyKT9K0rPA-c7iCMWVX_qOClAaKbg4GLp2-IeowZDwOYmaP8b91ntz_ufzgN2l5vxKLboWc_FBH0URKXvyReMawF-jLQSc3sE29/s1600/1DefaultExploit.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="683" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg900FSXWVsAfHVE0LjS9a2Z7sGceQFVcmAvPPjgEZmTRyKT9K0rPA-c7iCMWVX_qOClAaKbg4GLp2-IeowZDwOYmaP8b91ntz_ufzgN2l5vxKLboWc_FBH0URKXvyReMawF-jLQSc3sE29/s640/1DefaultExploit.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Exploit improvement<o:p></o:p></span></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">By discarding
everything from the string “&lt;!DOCTYPE&gt;” onwards we keep only the command output.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgev12qVKQvuuI3iZ9LyhsmHNlMGcOnHKOjCaE1XtNdf0x1n7kWlrjICoHaNqg9YFwemFZk7ymQfrERrm2zX2F5uRaAXOnO4NJOgcWEVc5DGkh0XaTDE7Jomhk5eE4ImGc2ubT5D9Z5zR7t/s1600/1Modificaci%25C3%25B3nExploit.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="46" data-original-width="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgev12qVKQvuuI3iZ9LyhsmHNlMGcOnHKOjCaE1XtNdf0x1n7kWlrjICoHaNqg9YFwemFZk7ymQfrERrm2zX2F5uRaAXOnO4NJOgcWEVc5DGkh0XaTDE7Jomhk5eE4ImGc2ubT5D9Z5zR7t/s1600/1Modificaci%25C3%25B3nExploit.PNG" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">We run the exploit again and now we only get the result of the command sent.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH0-VRwPmT0mIvkKHy45M7wYdUbR_pbA8-leNLmA1bTAAkfh3ZnlvAsnLngBH8NZaNuPbAu0048s7UBzlyn9L39ZGeEqqtmg4R-d8gkOfl5PxAsZ_8mUrN-kSbrJFVohg00gZT6c4NDe5v/s1600/1ImprovedExploit.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="91" data-original-width="740" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH0-VRwPmT0mIvkKHy45M7wYdUbR_pbA8-leNLmA1bTAAkfh3ZnlvAsnLngBH8NZaNuPbAu0048s7UBzlyn9L39ZGeEqqtmg4R-d8gkOfl5PxAsZ_8mUrN-kSbrJFVohg00gZT6c4NDe5v/s640/1ImprovedExploit.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Snort rule creation<o:p></o:p></span></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="line-height: 115%;">Now that we can
reliably exploit the vulnerability in the lab, we can develop and test
a Snort rule to detect and block the attack. By analyzing the exploit we can see that
the payload travels in the Content-Type request header. In normal web requests this header, as its name suggests, indicates the media type of the
request body; valid values start with a top-level type such as “application”, “audio”, “image” or “multipart”,
as defined in RFC 1341 (since superseded by RFC 2045): <a href="https://www.w3.org/Protocols/rfc1341/4_Content-Type.html"><span style="color: black; text-decoration-line: none;">https://www.w3.org/Protocols/rfc1341/4_Content-Type.html</span></a><o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="line-height: 115%;">The exploit instead
sets this header to an OGNL expression containing strings such as "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." and "com.opensymphony.xwork2.ActionContext.container", which never appear in a legitimate media type.</span>
With this information we can create a detection rule that requires both strings in requests sent to our web servers; matching the header name case-insensitively avoids a trivial bypass by an attacker who lowercases it.<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "courier new" , "courier" , monospace;">alert tcp any
any -> $HTTP_SERVERS $HTTP_PORTS (sid:900009; rev:1; msg:
"Apache-CVE-2017-5638-exploitation-attempt-request"; content:"Content-Type";
http_header; nocase; content:"@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."; http_header;
content:"com.opensymphony.xwork2.ActionContext.container"; http_header;
flow:established,to_server; priority:80;)</span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b><span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Run snort<o:p></o:p></span></span></b></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "courier new" , "courier" , monospace;">snort -c
C:\Snort\etc\snortmin.conf -k none -A console -i 1 -q</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">-c loads the configuration that includes our rules file, -k none disables checksum verification (on a lab host whose NIC offloads checksum computation, packets with bad checksums would otherwise be ignored), -A console prints alerts to the console, -i 1 selects the capture interface by index (the -W option lists the available interfaces) and -q suppresses the startup banner.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Snort detection</b></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Run the exploit again; Snort should now raise the alert.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwNkfoW1cY1uNSR87Sk3LQgHyIkzHEQUYXcMiBs959FCfX5_fXz6I574qrWP6pZ3DQhqukt0P5WKLY9n3RemgnWDWPzCczfOmQ0Q6je-sqUHvDIw0DimZf-Yfbwo38mMLw4BzSnYwcWKeY/s1600/snortRegla1.PNG" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="67" data-original-width="1244" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwNkfoW1cY1uNSR87Sk3LQgHyIkzHEQUYXcMiBs959FCfX5_fXz6I574qrWP6pZ3DQhqukt0P5WKLY9n3RemgnWDWPzCczfOmQ0Q6je-sqUHvDIw0DimZf-Yfbwo38mMLw4BzSnYwcWKeY/s640/snortRegla1.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">If we open the pcap generated by Snort in Wireshark we can see the command that the remote attacker attempted to run, in this case whoami.</span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZFDaQFppLWak0S5PSU0-DLx0ggGtBGGYTX1Fyc3rzhHvRjxeTFM1NYZzXHvTJbyJZDQdAyC-uY0OjovTstr4MfWMxyIgMB2RiSD542bAUf3MirTPepALAhaq_1gmgz8vbZw97VJkOrvP5/s1600/CapturaPcap.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="473" data-original-width="1226" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZFDaQFppLWak0S5PSU0-DLx0ggGtBGGYTX1Fyc3rzhHvRjxeTFM1NYZzXHvTJbyJZDQdAyC-uY0OjovTstr4MfWMxyIgMB2RiSD542bAUf3MirTPepALAhaq_1gmgz8vbZw97VJkOrvP5/s640/CapturaPcap.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Snort rule
improvement</b><o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">We have successfully
detected the attack attempt, but only the request is captured, not the response, so from the pcap
generated by Snort alone we cannot tell whether the attempt succeeded. We will therefore improve the rule to capture the response sent by the
Struts web server. To achieve this, the first rule sets a flowbit (a per-session flag that Snort keeps
for the lifetime of the TCP connection) and a second rule, matching traffic from the server back to the client, logs
the response when that flag is set and clears it again, so that only one response packet per attempt is logged.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Improved rule with flowbits arguments</b></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 115%;">alert tcp any
any -> $HTTP_SERVERS $HTTP_PORTS (sid:900009; rev:1; msg:
"Apache-CVE-2017-5638-exploitation-attempt-request"; content:"Content-Type";
http_header; nocase; content:"@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."; http_header;
content:"com.opensymphony.xwork2.ActionContext.container"; http_header; flowbits:</span><span style="color: red; line-height: 115%;">set,struts_exploit_attempt</span></span><span style="line-height: 115%;"><span style="font-family: "courier new" , "courier" , monospace;">;
flow:established,to_server; priority:80;)</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br />
Rule to log the response</b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="line-height: 115%;">alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any
(msg:"SCILabs-Apache-CVE-2017-5638-exploitation-attempt-response"; flow:established,to_client;
flowbits:</span><span style="color: red; line-height: 115%;">isset,struts_exploit_attempt</span></span><span style="line-height: 115%;"><span style="font-family: "courier new" , "courier" , monospace;">; flowbits:unset,struts_exploit_attempt; sid:900010; rev:1;
priority:80;)</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><o:p></o:p></span></span></div>
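<div class="MsoNormal" style="text-align: justify;">
The following Python script is an added example, not code from the original post or from Snort: it reproduces the logic of the two rules above over a constructed request/response exchange so the flowbits behaviour can be seen in isolation. The request check looks for the two marker strings in the Content-Type header of client-to-server packets (header name compared case-insensitively); the response check fires on the first server-to-client packet of a session whose flowbit is set and then clears the bit. The lab addresses and HTTP messages are constructed for the simulation; the request carries only the marker strings and is not a working exploit.</div>

```python
"""Simulation of the two Snort rules: signature on the request, flowbit-gated
logging of the response.

Added example, not code from the original post or from Snort. The HTTP messages
are constructed for the simulation and carry only the strings the rules match
on; they are not a working exploit.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The content matches of the request rule (sid 900009), taken from the rule text.
REQUEST_MARKERS = (
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).",
    "com.opensymphony.xwork2.ActionContext.container",
)
FLOWBIT = "struts_exploit_attempt"

# A flow is identified by the client and server ends of the TCP session; both
# directions of the session map to the same key, as Snort's flowbits do.
Flow = Tuple[str, int, str, int]


@dataclass
class Alert:
    sid: int
    msg: str
    flow: Flow
    payload: bytes


def http_header(payload: bytes, name: str) -> Optional[str]:
    """Value of an HTTP header, name matched case-insensitively (the nocase
    match on the header name in the rule); None when the header is absent."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


@dataclass
class Detector:
    alerts: List[Alert] = field(default_factory=list)
    flowbits: Dict[Flow, Set[str]] = field(default_factory=dict)

    def to_server(self, flow: Flow, payload: bytes) -> Optional[Alert]:
        """sid 900009: every marker present in Content-Type -> alert, set the flowbit."""
        ctype = http_header(payload, "Content-Type")
        if ctype is None or not all(m in ctype for m in REQUEST_MARKERS):
            return None
        self.flowbits.setdefault(flow, set()).add(FLOWBIT)
        alert = Alert(900009, "Apache-CVE-2017-5638-exploitation-attempt-request", flow, payload)
        self.alerts.append(alert)
        return alert

    def to_client(self, flow: Flow, payload: bytes) -> Optional[Alert]:
        """sid 900010: flowbit set on this session -> log this packet, then unset
        the bit, so a large response produces a single logged packet."""
        bits = self.flowbits.get(flow)
        if not bits or FLOWBIT not in bits:
            return None
        bits.discard(FLOWBIT)
        alert = Alert(900010, "Apache-CVE-2017-5638-exploitation-attempt-response", flow, payload)
        self.alerts.append(alert)
        return alert


# Constructed traffic; the lab addresses are assumptions.
ATTACK_FLOW: Flow = ("10.0.0.5", 51000, "10.0.0.10", 8080)
BENIGN_FLOW: Flow = ("10.0.0.6", 51001, "10.0.0.10", 8080)

ATTACK_REQUEST = (
    b"GET /struts2-showcase/index.action HTTP/1.1\r\n"
    b"Host: 10.0.0.10:8080\r\n"
    # Marker strings only; the real header is an OGNL expression, not reproduced here.
    b"Content-Type: @ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). "
    b"com.opensymphony.xwork2.ActionContext.container\r\n"
    b"\r\n"
)
BENIGN_REQUEST = (
    b"POST /struts2-showcase/upload.action HTTP/1.1\r\n"
    b"Host: 10.0.0.10:8080\r\n"
    b"Content-Type: multipart/form-data; boundary=----lab\r\n"
    b"\r\n"
)
RESPONSE_FIRST = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nlab-host\\user\r\n<!DOCTYPE html>"
RESPONSE_NEXT = b"<html><body>...</body></html>"   # continuation packet of a large response


def replay() -> List[Tuple[int, Flow]]:
    """Run the constructed exchange through the detector; returns the (sid, flow) pairs raised."""
    d = Detector()
    d.to_server(BENIGN_FLOW, BENIGN_REQUEST)     # ordinary multipart upload: no alert
    d.to_client(BENIGN_FLOW, RESPONSE_FIRST)     # no flowbit on this session: not logged
    d.to_server(ATTACK_FLOW, ATTACK_REQUEST)     # sid 900009, flowbit set
    d.to_client(ATTACK_FLOW, RESPONSE_FIRST)     # sid 900010, flowbit cleared
    d.to_client(ATTACK_FLOW, RESPONSE_NEXT)      # bit already cleared: not logged
    return [(a.sid, a.flow) for a in d.alerts]


if __name__ == "__main__":
    for sid, flow in replay():
        print(f"sid {sid} on {flow}")
```

<div class="MsoNormal" style="text-align: justify;">
The benign multipart upload on the other session produces nothing, and the continuation packet of the attack response is not logged because the bit was cleared by the first packet, which is why a large response such as tasklist output is only partially captured by the response rule.</div>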
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Snort detection of both request and response</b><o:p></o:p></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiALi2xxDRdosxv6fYqgFWxYNnBnpfd2P_yWR6AoSa6CkvKIT3acTZk_X-krVBVcmV4-Jm8uXZ_ix2jJHy5PPQRv47Q-AphIOUl5lc6XV4ni8gjHv99ELfyVE2PXkLR9t__7oZpHmrbK4ud/s1600/snortRegla1y2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="61" data-original-width="1254" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiALi2xxDRdosxv6fYqgFWxYNnBnpfd2P_yWR6AoSa6CkvKIT3acTZk_X-krVBVcmV4-Jm8uXZ_ix2jJHy5PPQRv47Q-AphIOUl5lc6XV4ni8gjHv99ELfyVE2PXkLR9t__7oZpHmrbK4ud/s640/snortRegla1y2.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">We open the
generated pcap in Wireshark and can verify that the output produced by the
victim web server has been logged; in this case it is the hostname of the
victim computer.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuBgStbmCcZGQE52LgEPvOBxIoRVTJN8-nFu4fKSUMwVRejEC-0U2v8wXrYpGsScrljE2-AxWB6A5BNPzb5jNvdZgbjfoWivPqKrJSX5Xn8Mter8aAYCdKZLNN-KDU__3Q4OyjpHbiN9Ei/s1600/1WiresharkRequestResponse.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="447" data-original-width="878" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuBgStbmCcZGQE52LgEPvOBxIoRVTJN8-nFu4fKSUMwVRejEC-0U2v8wXrYpGsScrljE2-AxWB6A5BNPzb5jNvdZgbjfoWivPqKrJSX5Xn8Mter8aAYCdKZLNN-KDU__3Q4OyjpHbiN9Ei/s640/1WiresharkRequestResponse.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">If the response is
large, only its first packet is logged, because the second rule clears the flowbit as soon as it fires; that
is usually enough to determine that the attack succeeded and what kind of information was extracted. Below you can see the result when the attacker
ran the tasklist command.<o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIzBaH8rJRYynIDORqpfJXYMwFMcLnONW-QI7j8hDBpzxyvZF5bl_c2ZB4eME2zrIlbt0e4Tnq7nJOSnCKfcjKdjaMvzuvZOHDA7OEkppWLhHldRzoMEkx0Y1jVkNDBD6JW-8Z0kjdbFyV/s1600/RespuestaTasklist.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="853" height="437" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIzBaH8rJRYynIDORqpfJXYMwFMcLnONW-QI7j8hDBpzxyvZF5bl_c2ZB4eME2zrIlbt0e4Tnq7nJOSnCKfcjKdjaMvzuvZOHDA7OEkppWLhHldRzoMEkx0Y1jVkNDBD6JW-8Z0kjdbFyV/s640/RespuestaTasklist.PNG" width="640" /></a></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Finally, to
prevent the attack and not just detect it, change “alert” to “drop” in the
first rule, provided Snort is deployed inline (IPS mode); in passive IDS mode a drop rule cannot block anything. Note that once the request is dropped the server never answers, so the second rule will no longer fire: the response rule is a triage aid in detection mode, while in prevention mode the dropped request itself is the evidence.</span><span style="font-family: "arial" , sans-serif; font-size: 12pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="line-height: 115%;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
Author: d4v3c0d3r (http://www.blogger.com/profile/10506052748397636924)