Purple Team: Why all the fuss? (I)

31 de January de 2022 Por

We often read or hear terms like Red, Blue, Purple, Adversarial Emulation and many others almost interchangeably, which often causes confusion in cybersecurity neophytes.

All these disciplines, often partially overlapping each other in their scope, have their place in an organization’s security plan, but it is important to be clear about their strengths and weaknesses in order to take advantage of the former and minimize the latter.

Throughout this article, or series of articles (let’s see how far down the rabbit hole I go), I will try to do my bit on this topic by ,firstly, introducing the Purple Team methodology and then looking into it with a bit more depth.

It is convenient to clarify that this article does not intend to be a lecture on the subject and only aims to make an exposition as educational as possible.

Some background

As organizations have matured and cybersecurity has become more and more important, different methodologies and approaches have been developed.

Several years ago (and unfortunately also in some organizations today) cybersecurity was reduced to hardening measures, and gradually detection and response technologies began to be appear.

[Read more…]

Is Windows SID registry important?

27 de January de 2022 Por

Within the Windows universe there are countless features and details that, given their magnitude and depth, could in turn make up multiple universes in which to wander, learn and, above all, get lost.

In today’s article we are going to take a break from Windows Security Identifiers, hoping to reveal (or remind) some of the possibilities it offers us. First, a bit of theory.

What is the SID? The SID (Security Identifier), briefly explained, is the equivalent of our National ID Card. That is, Windows generates a unique and unalterable SID for each of its entities. An entity is understood as everything that can be authenticated by the Operating System (users, groups, processes, etc.). Ultimately, thanks to this mechanism, the domain user Paco will forever have his own identifier, as will the group of Domain Administrators.

[Read more…]

So you want to go into cybersecurity…

21 de January de 2022 Por

This post has been prepared with the invaluable (and necessary) help of Maite Moreno (@mmorenog) and the cybersecurity team of S2 Grupo.

One of the good things that Information Security shares with other IT disciplines is the wide variety of training resources available, both free and for tight budgets.

Without a large financial investment, anyone with time and desire (and a minimum knowledge of technical knowledge, for which there is another large number of resources that we will not cover here) can be trained from practically zero to expert levels in practically any area of cybersecurity.

Below are some of the resources available on the Internet for free or for a reduced cost, bearing in mind that:

  • This list is not intended to be exhaustive. Feel free to comment on any content you think is missing and we will add it as soon as we can.
  • Some platforms have a freemium approach, combining free content and functionalities with paid ones.
  • Although the less technical areas of Information Security such as GRC are less (very little) represented in the list, the more generalist training sites include courses on data protection, control frameworks, risk management, etc.
  • Most of the courses are in English, so a minimum level is required to understand instructions and texts. This level is essential nowadays in the field of information technology.
  • Blogs, vblogs and podcasts on Information Security are left out, but there are plenty of extremely useful resources. This includes the thousands of webinars on every conceivable topic.
  • Nor have we included more general platforms such as edX or Coursera, which nonetheless contain many courses from prestigious universities and organizations.
  • Finally, we have not included courses from the device manufacturers, software or cloud providers, which in some cases are free, and which sometimes also provide free versions (with limitations) of their products. AWS, Tenable or Splunk come to mind, but there are many others.
[Read more…]

Omnium against Omnes (II): Towards political realism

20 de January de 2022 Por

In the previous article we commented on the impact of the possibility of anonymity in cyberspace. In this post we are going to investigate this issue and expose the details that explain the existence of anonymity, as well as the consequences in the geopolitical context.

Anonymity

The five factors make it impossible to directly attribute a cyberwarfare action to a nation are the following:

1.  The fact that the virtual environment is made up of information allows all types of users to create and modify artifacts, limited only by permissions. This means that there is no complete translation of the physical element to the virtual one and, therefore, there is no total control over it. Consequently, it is not possible to guarantee the immutability of the elements of the environment, i.e. what actions have been performed or by whom.

2. There is the factual impossibility of assigning a virtual profile of a nation. The problems related to attribution, based on the previous point, make it impossible to relate two campaigns separated in time only on the basis of their tactics, techniques and procedures. Even with an indicator such as the hash, there is no 100% guarantee that it is exactly the same actor, since the code could have been stolen or manipulated beforehand.

[Read more…]

Omnium against omnes (I): Foucault in cyberwarfare

18 de January de 2022 Por

There is no doubt that, in recent years, the number of politically motivated cyberspace operations has been increasing. Under the analysis of the geopolitical context, we can find one of the causes of the rise of this new model of warfare.

Not since World War II has there been a warlike conflict between two First World nations. This shows how the major nations have shifted the clash of interests to less classical methodologies, such as the use of subsidiary wars, commercial warfare and, in recent years, cyberwarfare.

However, it is the use of cyberwarfare that makes it possible to interpret the current geopolitical context, since it offers a series of particularities, as a conflict, that allow it to be adapted to contemporary international relations.

[Read more…]

Bypassing AV/EDR with Nim

12 de January de 2022 Por

TL;DR

Nim is a not too well known language that has interesting features that make it very appealing in attack scenarios. Here is a demonstration of its capabilities to bypass AV/EDRs and a journey into learning the language.

Motivation

The knights who say Nim

For quite some time now there had been a strange talk around in the cybersec community that often reminded me of the scene at the Monty Python and the Holy Grial movie. For whatever reason, these cybersec knights kept saying “Nim” all the time. When I finally found the time I took a deep look at this weird talk to try to decipher it’s meaning. And to find out whether or not this hype held the key to any kind of Holy Grial. Once I did, I can say that I do believe it does. Now, I myself have joined these knight’s peculiar order’s ranks. Out of that trip an interesting tool was born, and here’s what I found out in that journey.

Figure 1: Monty Python and the Holy Grail, The knights who say Ni scene
[Read more…]

Log4Shell: Apache Log4j 2 CVE-2021-44228

13 de December de 2021 Por

If you haven’t been living under a rock for the past few hours, you’ll know that last Friday a critical vulnerability in the Log4j 2 package, a massively used Java log library, started to go viral.

This vulnerability, dubbed Log4Shell and discovered by Chen Zhaojun (software engineer at Alibaba), has been assigned the CVE CVE-2021-4428, with a CVSS of 10.0.

Although by now there is tons of public information about it, let’s give a few hints about it.

The actors

Log4j 2: the Lookup plugin

As we have already mentioned, Log4j 2 is a log library for Java applications used by developers to log application information. Using it is as simple as including something like log.debug(“Test message”); in the code, which will generate a log entry. Often, the information that is logged is related to the application itself and its execution context.

One of the capabilities of the library, called Lookups, is the ability to use variables when writing to the log, which will be replaced by the corresponding value, with a specific syntax: ${variable}. For example, if we use ${java:runtime}, when the application logs, it will record the Java runtime version.

[Read more…]

De-constructing risk management (I): the inherent risk

2 de November de 2021 Por

Living beings are experts at managing risks. It’s something we have done over millions of years. It’s called, among other things, survival instinct. We wouldn’t be here if we were bad at it.

We avoid them, we mitigate them, we externalize them, we take them on.

For example, is it going to rain today? If it rains, how much is it going to rain? Do I take my umbrella? Do I stay home? Will I run into a traffic jam on the way to work? Will I be late for the meeting? Do I call to let you know? Do I try to postpone the meeting? Will I puncture a tire on the way home? When was the last time I checked the spare tire? Have I paid the insurance premium? What is the roadside assistance coverage?

All these everyday processes of risk identification and risk assessment are carried out unconsciously all the time, and we apply risk management measures without even realizing it. We grab an umbrella, call the office to inform them of a delay, attend the meeting by phone, leave home earlier or decide to take public transport. Obviously, it’s not always that easy.

However, when we move to the corporate environment, we start with risk tolerance, probability, impact and vulnerability criteria, threat catalogs (standard), strategies, risk registers, inherent, residual and projected risk, mitigation ratios. And we get lost for months in concepts, documents and methodologies, moving further and further away from the reality we have to analyze and protect.

The orthodoxy of (cybersecurity) risk management

As a result of this, a few months ago, in the middle of the pandemic, I came across an interesting article that contrasted two very different visions of risk management, which it called RM1 vs RM2.

Basically, and quoting directly from the article, RM1 would be focused on “risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks)“, while RM2 would be “risk management for decision makers within the company“.

A few weeks or months later, Román Ramírez published an entry in a similar vein, criticizing the prevailing orthodoxy in cybersecurity risk management and the problems it generated.

[Read more…]

TrustedInstaller, stopping Windows Defender

27 de September de 2021 Por

Often, during an intrusion process it can be useful to have the ability to disable the defense measures of the target computer. For those pentesters who have already tasted the joys of Microsoft’s default on-board security solution, Windows Defender, you will agree with me that it has improved substantially since its first releases, especially the latest cloud-enabled versions for Windows 10. Therefore, it is very likely that we will face this antivirus during an intrusion process, sooner or later.

Very briefly, the main component of Windows Defender is the “WinDefend” service, in charge of launching the continuous monitoring process “MsMpEng.exe” and loading its engine “mpengine.dll“, so if we are able to stop that service, we will be stopping its execution to a large extent.

read more

Ransomware ate my network (IV)

27 de July de 2021 Por
A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

[Editor’s note: Clicking on many images – those whose detail is not fully visible with the size of the main page – shows an enlarged version]

In the previous article we saw how Angela had deduced that the attackers had entered the computer used to connect to the DC from another computer using the PsExec tool. Determined to find the PsExec, Angela begins by converting the MFT extracted by CyLR with mftdump.exe to .csv, and searching for activity around the time she saw the connection on the other computer (about 2:16 p.m. 1:16 p.m. in UTC which is what the MFT shows us).

There is no clear target, but that stalin.exe Prefetch looks suspicious (remember that Prefetches are created the first time the software is run, with a delay of a few seconds).

[Read more…]