Silicon Shecky

Infosec Practitioner


Copyright © 2026 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

Archives for August 2018

ALPC Bug and Carbon Black Defense

August 28, 2018 By Michael Kavka

So with the drop of the ALPC 0Day (as of writing this), I decided to test the PoC on a machine running CarbonBlack Defense to see if the company I work for would be protected.

I started out with the write up from DarthSidious and followed his instructions to test.

Basically it was: open Process Explorer, download the PoC from GitHub, open a command prompt and Notepad, get the PID of Notepad from Process Explorer, and then watch the spooler service for sub-processes (namely cmd.exe running as SYSTEM).

As you can see, if you look at DarthSidious’ post it looks almost the same. There is an extra line that says “Couldn’t create remote thread 5.” This is interesting, so let’s look at Process Explorer. In the post from DarthSidious at this point there is a cmd.exe subprocess of spoolsv.exe that is running as user NT AUTHORITY\SYSTEM. If the injection had worked, that should be the same here, but when I looked at the spoolsv.exe service I saw this:

No sub-processes. Looks completely normal.

At this point I double checked that I did everything the exact way the blog post said to, and I had, so I went into the CarbonBlack Defense Console and immediately saw the following:

I know, it doesn’t say a lot other than an attack was stopped. Still, it is a promising thing to look at when testing. Clicking on the link into the potential malware gave me the following though:

Ah ha! It sees the PoC try to inject and hit a deny policy. So it did stop it, but let’s look a little further into the information CB Defense gives us:

Here we can see the process layout and the injection dotted line from the PoC. The summary shows that the InjectDLL.exe is completely unknown and CarbonBlack stopped the injection process. If we go into the investigate area off the block notification we see the following:

The items I found interesting from all of this are not just the TTPs, but that it saw the full command line, and shows that it was trying to deliver an exploit as the attack stage. From here I could take the hashes, put them up to VirusTotal, manually enter them into any protection service and pass the information onward, not that it would protect you, because any change or a different file trying to use the exploit will change the hash. The bigger deal to me is that it stopped the attack with no other information than it being an unknown file that tried to inject code.

I would hope that other EDR products would wind up stopping this attack in a similar fashion. I don’t have others to test unfortunately though. Still, with all the issues I have had with CB Defense, it is nice to see it do its job.
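The manual check in the post (watching spoolsv.exe in Process Explorer for a cmd.exe child running as SYSTEM) is something a defender would rather have as a detection rule over process-creation telemetry. The snippet below is an added example written for this post, not code from the PoC, from DarthSidious, or from Carbon Black: it scans constructed Sysmon Event ID 1 style records and flags any child of the Print Spooler that runs as NT AUTHORITY\SYSTEM and is not on a small allowlist of children the spooler normally launches. The field names, the sample events and the allowlist contents are assumptions to be tuned per environment.

```python
"""Flag unexpected SYSTEM-level child processes of the Windows Print Spooler.

Added example for the ALPC/CB Defense write-up; field names follow the Sysmon
Event ID 1 (process creation) layout, and all events below are constructed.
"""

SPOOLER = "spoolsv.exe"
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"

# Children the spooler is expected to launch on a typical host.
# Assumption: tune this allowlist to what your own baseline shows.
EXPECTED_SPOOLER_CHILDREN = {"printfilterpipelinesvc.exe", "splwow64.exe"}

# Constructed sample telemetry: one suspicious event (spooler -> cmd.exe as
# SYSTEM), one normal user process, one expected spooler child.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "User": r"LAB\analyst", "CommandLine": "notepad.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\printfilterpipelinesvc.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "printfilterpipelinesvc.exe -Embedding"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_spooler_child(event):
    """True when a process-creation event is an unexpected SYSTEM child of spoolsv.exe."""
    if event.get("EventID") != 1:
        return False
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != SPOOLER or child in EXPECTED_SPOOLER_CHILDREN:
        return False
    # The spooler itself runs as SYSTEM, so any unexpected child inherits that
    # token; that combination is the signal the write-up watched for by hand.
    return event.get("User", "").upper() == SYSTEM_USER


def find_suspicious(events):
    """Return the subset of events that trip the spooler-child rule."""
    return [e for e in events if is_suspicious_spooler_child(e)]


def describe(event):
    """One-line analyst summary of a flagged event."""
    return "%s -> %s as %s (cmdline: %s)" % (
        basename(event["ParentImage"]), basename(event["Image"]),
        event.get("User", "?"), event.get("CommandLine", ""))


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_EVENTS)
    print("%d suspicious spooler child process(es)" % len(hits))
    for hit in hits:
        print("  " + describe(hit))
```

On the constructed input the rule flags only the spooler-to-cmd.exe event; the notepad.exe event is ignored because its parent is not the spooler, and printfilterpipelinesvc.exe is ignored because it is on the allowlist. In production the same logic would run over the real event stream from Sysmon or an EDR, and the allowlist is the part that needs baselining before the rule is trusted.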

Filed Under: Security Tagged With: 0day, Zero Day, ALPC, CarbonBlack, CB Defense

R.E.S.P.E.C.T.

August 17, 2018 By Michael Kavka

“R E S P E C T! Find out what it means to me” – Aretha Franklin

The recently deceased Queen of Soul sang about Respect. Respect, something that should be given across the board, to everyone until they prove otherwise. Respect, which is one quality that makes people Rockstars in our industry. Respect, something that winds up lacking all too often.

There has been a <expletive> storm going on from Defcon and the hotels about security policies that have been put in place since the mass shooting last October. This has had to do with room checks and issues with them, especially for women. Now, I am not going to get into it all; you can look at Katie Moussouris’ Twitter timeline to get a full idea of the storm itself. The fact that this woman in our industry, who is not just a “Rockstar” but a huge leader, wound up having to argue with others in our industry about the fears and the way the room checks were handled shows a lot about us. It shows why there are movements to protect women, and it shows why women do not want to go into our industry. If someone who should be respected and listened to has to put up so many explanations because people keep belittling her statements and not listening to her, imagine how the women who keep a low profile feel. The funny thing is that Katie (and the others) did not object to the room searches themselves, but to the way they were handled, and to the blind faith they were supposed to put into believing a stranger at their door (if they were not walked in on, which has been documented also for both male and female attendees).

Let us frame this in another way. Think of the field we are in, and the red team tests that happen. Think of the social engineering. For that matter, look up the show on National Geographic which featured Jayson Street performing social engineering in Lebanon. He walks into banks, no ID needed, just saying that he is from X and needs to check X on their computers. Physical pen test complete. We can sit back and listen to his stories from other engagements he has been on and shake our heads at why people are so trusting without ID, and yet we turn around when women in our field, who know this and were trying to verify that strangers were who they said they were (possibly hotel security), felt threatened and uncomfortable, and tell them they were wrong to feel threatened? Look at this information from the National Sexual Violence Resource Center:


  • One in five women and one in 71 men will be raped at some point in their lives
  • In the U.S., one in three women and one in six men experienced some form of contact sexual violence in their lifetime
  • 51.1% of female victims of rape reported being raped by an intimate partner and 40.8% by an acquaintance
  • 52.4% of male victims report being raped by an acquaintance and 15.1% by a stranger
  • Almost half (49.5%) of multiracial women and over 45% of American Indian/Alaska Native women were subjected to some form of contact sexual violence in their lifetime
  • 91% of victims of rape and sexual assault are female, and nine percent are male

We are supposed to be security experts. Yes, our main area is that of 1s and 0s, but that does not matter. Security is security. Katie had mentioned ways that the situation could have been avoided. Defcon’s organizers are investigating the situations with the hotels. Hopefully something good will come of this in the end, but the lack of trust in fellow information security practitioners is not going to be easily fixed. Those that lashed out at the people complaining about the way these checks were handled might not care about the trust they lost, but I do, because that reflects on our “community” as a whole. It shows that we are not as welcoming as we think. We have a long way to go. We need to learn from this, and fast.


Filed Under: Rants Tagged With: Caesars Palace, Defcon, Jayson Street, Katie Moussouris, Las Vegas, Security

CarbonBlack doesn’t do it again

August 10, 2018 By Michael Kavka

No Summer Camp for me this year. Instead I had a small family-style vacation, which is why there was no post last week.

This week, I figure on ranting about CarbonBlack again. It seems that while I was on vacation they did back-end upgrades to Defense. These wonderful upgrades, which should have been properly tested, have caused a lot of prior fixes to stop working. What does this mean? Well, a ton more false positive alerts, poorer performance, a recurrence of VDI sensors getting stuck in bypass mode (or spinning up in bypass mode), and issues with grouping and dismissing alerts. How do you release something without proper testing?

The statement from CB is that most of this will be fixed in the next sensor update, which comes out this month, but in the meantime there is not much that can be done. I have been a huge fan of CB Response and CB Protect in the past. Well tested, well thought out, and all the controls one needed to be able to tune properly. Defense honestly seems like they do not care. This latest update seems not to have been tested with the current sensor. New sensors usually have some issues of their own (they keep breaking prior fixes, for instance) and have to be tested and vetted by organizations to make sure that they do not break anything. Meanwhile, CarbonBlack breaks things on our end by making our job that much more difficult with their back-end upgrades. These are lessons for any company out there on what not to do. This also shows the problem with going with a cloud-based solution where the company has no control over the update/upgrade cycle.

At last year’s Black Hat, CarbonBlack put out a beautiful marketing claim about Defense stopping Mimikatz. Look up the video of someone proving that wrong within days. Some people I know over at CarbonBlack knew that would happen and were not happy with their marketing department over it.

I hope that CarbonBlack realizes what a pain these items are. I know the whole first-to-market, gotta-keep-things-fresh-and-make-changes attitude is part of the industry. Forcing people to use the latest version immediately upon release is the wrong way to do things though. Why this happens with Defense (which I have picked apart before) is beyond my understanding. Confer was bought by Carbon Black a few years ago now, but it seems like it is the item they are still not sure what to do with.


Filed Under: Rants, Reviews Tagged With: Carbon Black, CarbonBlack, updates
