Tuesday, August 29, 2017

I Smell A RAT – Learning about Poison Ivy – The Setup

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this I hope you find it helpful.

In this post, we will be learning more about setting up and configuring Poison Ivy. In the next post we will look at learning about its capabilities, while in the final post we will try to analyze and learn more about detecting it.

My lab consists of 2 virtual machines: a Linux virtual machine which will be my command and control (C2) server/Poison Ivy client, and a Windows XP machine which will be the Poison Ivy Server. On loading up the Poison Ivy executable in Linux we get the EULA screen:

Once we acknowledge the EULA, the next screen is the home screen:


From here we next select the “File” menu and select “New Server”. This is the executable which will be “sent” to the client and, when it is executed, it will connect back to our C2 server or, from Poison Ivy’s perspective, our “Client”.


Next up is to focus on the connection information:

From above, I’ve added multiple C2 Servers IPs as well as some domain information. The list consists of:
10.10.10.1:3460:0,
10.0.0.103:3460:0,
192.168.0.1:3460:0,
172.16.23.5:3460:0,
securitynik.web:3460:0,
ivy.securitynik.web:3460:0,
malware.securitynik.wejb:3460:0,


Once the C2 servers have been added, click “Next” at the bottom right, which now produces the “Install” screen. In my example below I’ve set the persistence mechanism through “HKLM/Run Name” as “SecurityNik_PIvy_Agent”. I’ve also enabled “Copy File” and provided it with the filename “secnik_piv.exe”. This will copy the file to the “system” folder and will also leverage Alternate Data Streams through “Copy file to Alternate Data Streams”.
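
A defender-side check for the persistence configured above, as an added example that is not part of the original post: it parses “reg query” output for the HKLM Run key and flags autorun entries whose path points into an alternate data stream. The sample output, including the stream path shown for “secnik_piv.exe”, is constructed and assumed; the function names are hypothetical.

```python
import re

# Constructed sample of `reg query` output for the HKLM Run key. The value name
# and file name come from this post; the data paths are assumptions about how
# a copy into an alternate data stream of the system folder would be recorded.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    SecurityNik_PIvy_Agent    REG_SZ    C:\WINDOWS\system32:secnik_piv.exe
    Updater    REG_SZ    C:\Tools\update.exe /silent
"""

# A value line is "<name> <type> <data>", separated by tabs or four spaces.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)(?:\t|\s{4})(?P<type>REG_\w+)(?:\t|\s{4})(?P<data>.*)$"
)


def command_path(data):
    """Return the executable path from Run-key data, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    # Heuristic for unquoted data: cut at the first " /" switch.
    return data.split(" /")[0]


def find_ads_autoruns(reg_output):
    """Return (value name, host path, stream name) for autoruns that use an ADS."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        path = command_path(m.group("data"))
        drive, rest = path[:2], path[2:]
        # After the drive letter, a further ':' separates host path and stream.
        if re.fullmatch(r"[A-Za-z]:", drive) and ":" in rest:
            host, stream = rest.split(":", 1)
            hits.append((m.group("name"), drive + host, stream))
    return hits


if __name__ == "__main__":
    for name, host, stream in find_ads_autoruns(SAMPLE_REG_QUERY):
        print(f"Run value {name!r} launches stream {stream!r} hidden on {host}")
```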


Once the above is completed, click “Next” at the bottom right of the above screen. This then brings up the “Advanced” window. I did not modify anything in this window so click “Next” which then brings up the “Build” screen.

In the “Build” screen, I chose “Generate” to generate the new binary, which brings up the window to save the file as shown below:

Once the above file is saved, click “OK”.

Now that the file has been generated, I’ve leveraged Python’s Simple HTTP Server to serve the file to the client.

From below, we see Python’s Simple HTTP Server serving up the file:

securitynik@siftworkstation:~/MalwareClass/PoisonIvy-2$ python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
10.0.0.101 - - [03/Aug/2017 17:56:01] "GET / HTTP/1.1" 200 -
10.0.0.101 - - [03/Aug/2017 17:56:07] "GET /SecurityNik_PoisonIvy.exe HTTP/1.1" 200 -

Now that the setup for the Poison Ivy server is complete and the file has been “delivered” to the client, it’s now time to set up the Poison Ivy Client.

From Poison Ivy’s “File” menu, select “New Client”. This brings up the screen below.

In the above example, I left everything at its default, then chose “start”. This now brings up the screen below, which shows Poison Ivy waiting for connections.


At this point the setup is completed.

Let’s do one more thing before we go to the next post and that is to execute “SecurityNik_PoisonIvy.exe” on the Poison Ivy Server. Once executed successfully, this then produces the following.


As shown above, our client at “10.0.0.101” has successfully registered.

See you in the next post where we look at learning more about Poison Ivy’s capabilities.


Python Simple HTTP Server


Other posts in this series:

I smell a RAT – Learning about Poison Ivy – Live Forensics Analysis

Monday, August 21, 2017

Still Splunking Parsing TinyProxy logs – Building a monitoring system on the cheap

Having a proxy in your infrastructure is essential for many different reasons. The first two that come to mind are bandwidth management and, from a security perspective, the excellent visibility it gives into the domains and URLs being accessed by resources on your network.

In this post, we will continue building our monitoring system on the cheap by leveraging Splunk (free version) to identify domains and URLs which are detected, refused and allowed on our infrastructure via the TinyProxy proxy server.

Let’s get going!

First up with Splunk, let’s identify the log source so that we can focus on this traffic. In my case Tinyproxy has “source = /var/log/tinyproxy/tinyproxy.log” and “sourcetype = Tinyproxy”. Using either or both of these we can focus our search and filters.

Let’s filter our TinyProxy event types using “* sourcetype=Tinyproxy | rex field=_raw "(?<event_type>.*?\s+)" | stats count by event_type | sort count | reverse”.

This produces the following:

Now that we have the different event types, let’s save this and then focus on each of these to build out our dashboard.

Let’s first look at the hosts connecting to our proxy. This can be achieved through the use of the following search: “* sourcetype=Tinyproxy CONNECT | rex field=_raw ".*\[(?<requesting_host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$" | stats count by requesting_host | sort count | reverse”.

The above search produced:

Next up let’s look at the HTTP methods which are being seen. The search “* sourcetype=Tinyproxy CONNECT | rex field=_raw ".*\):\s+(?<http_method>[A-Z]*?\s+)" | stats count by http_method | sort count | reverse” helps us to gather this information as seen below.


Next up, let’s identify the URLs which are being requested via the GET or POST methods. Using the search “* sourcetype=Tinyproxy CONNECT | rex field=_raw ".*\):\s+(?<http_method>(GET|POST)*?\s+)(?<url>.*?)HTTP" | stats count by url | sort count | reverse”, we get the following:

Next up, let’s identify the domains which are being allowed by leveraging the search “* sourcetype=Tinyproxy CONNECT established | rex field=_raw "Established\s+connection\s+to\s+host\s+\"(?<allowed_domains>.*?)\"\s+" | stats count by allowed_domains | sort count | reverse”. This produces the following:

Now that we have the URLs as well as the domains being requested, let’s now figure out the domains and URLs which are being rejected.
First, let’s look at the URLs using “* sourcetype=Tinyproxy NOTICE | rex field=_raw ".*filtered\s+url\s+\"(?<filtered_url>(http|https).*?)\"" | stats count by filtered_url | sort count | reverse”.

This produces:
 
Focusing in specifically on the domains using the search “* sourcetype=Tinyproxy NOTICE | rex field=_raw ".*filtered\s+url\s+\"(?<filtered_domains>.*:(80|443)?)\"" | stats count by filtered_domains | sort count | reverse”, we get:
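
To test the extractions above offline before building dashboard panels, here is an added example (not part of the original post) that runs several of the post’s rex patterns over log lines and reproduces “stats count by ... | sort count | reverse”. The log lines are constructed and modelled on TinyProxy’s default log format, the function name is hypothetical, and the patterns are unchanged apart from Python’s (?P<name>...) group syntax.

```python
import re
from collections import Counter

# Constructed TinyProxy log lines (assumed format: level, timestamp, [pid], message).
SAMPLE_LOG = """\
CONNECT   Aug 21 10:15:01 [2210]: Connect (file descriptor 7): 10.0.0.101 [10.0.0.101]
CONNECT   Aug 21 10:15:01 [2210]: Request (file descriptor 7): GET http://example.com/index.html HTTP/1.1
CONNECT   Aug 21 10:15:01 [2210]: Established connection to host "example.com" using file descriptor 8.
CONNECT   Aug 21 10:15:09 [2211]: Connect (file descriptor 7): 10.0.0.102 [10.0.0.102]
CONNECT   Aug 21 10:15:09 [2211]: Request (file descriptor 7): POST http://example.com/login HTTP/1.1
CONNECT   Aug 21 10:15:09 [2211]: Established connection to host "example.com" using file descriptor 8.
CONNECT   Aug 21 10:16:30 [2210]: Connect (file descriptor 7): 10.0.0.101 [10.0.0.101]
CONNECT   Aug 21 10:16:30 [2210]: Request (file descriptor 7): GET http://ads.example.net/banner.js HTTP/1.1
NOTICE    Aug 21 10:16:30 [2210]: Proxying refused on filtered url "http://ads.example.net/banner.js"
""".splitlines()

# The post's rex patterns, with (?<name>...) written as Python's (?P<name>...).
REX = {
    "event_type": r"(?P<event_type>.*?\s+)",
    "requesting_host": r".*\[(?P<requesting_host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$",
    "http_method": r".*\):\s+(?P<http_method>[A-Z]*?\s+)",
    "allowed_domains": r'Established\s+connection\s+to\s+host\s+"(?P<allowed_domains>.*?)"\s+',
    "filtered_url": r'.*filtered\s+url\s+"(?P<filtered_url>(http|https).*?)"',
}


def stats_count_by(lines, field, *terms):
    """Emulate `<terms> | rex field=_raw ... | stats count by <field> | sort count | reverse`."""
    pattern = re.compile(REX[field])
    counts = Counter()
    for line in lines:
        # Search terms are matched case-insensitively (as substrings, a
        # simplification of Splunk's token matching); all must be present.
        if not all(t.lower() in line.lower() for t in terms):
            continue
        m = pattern.search(line)
        if m:
            # Strip the trailing whitespace that \s+ pulls into some captures.
            counts[m.group(field).strip()] += 1
    return counts.most_common()  # highest count first


if __name__ == "__main__":
    print(stats_count_by(SAMPLE_LOG, "event_type"))
    print(stats_count_by(SAMPLE_LOG, "requesting_host", "CONNECT"))
    print(stats_count_by(SAMPLE_LOG, "http_method", "CONNECT"))
    print(stats_count_by(SAMPLE_LOG, "allowed_domains", "CONNECT", "established"))
    print(stats_count_by(SAMPLE_LOG, "filtered_url", "NOTICE"))
```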

 
So that’s it for this post. Hope this helped you to make better use of your Splunk Dashboard skillz.
