Threat Hunt - MS08-067 RCE

Executive Summary

The MS08-067 vulnerability was a remote code execution vulnerability that affected Windows XP and Windows 2003 systems. This vulnerability was first exploited by the Conficker worm, which used the SMB protocol to propagate across networks and infect systems.

The vulnerability was exploited by sending a specially crafted RPC (Remote Procedure Call) request to the vulnerable system, which could then be used to install malware, create new user accounts, or perform other malicious activities.

The Conficker worm used this vulnerability to propagate by exploiting unpatched systems and spreading through the network by accessing the IPC$ share while copying itself to other systems.

Legacy systems that still run unsupported operating systems still exist today in many production environments. Microsoft released a security patch to address the MS08-067 vulnerability in October 2008 but many systems still remain unpatched. ICS systems for example may run on older hardware/software which is not compatible with the latest technology, upgrading these systems may require significant time, effort, and expense. Further complicating matters, many of these systems which are often used in critical infrastructure cannot be taken offline for maintenance or updates without significant disruption to operations.

The intent and output of this threat hunt will be to provide Suricata/Snort detections in an ordered format which may be used to detect if a remote exploit is being executed. In addition, pseudo code will be provided to hunt recursively for such activity within Zeek/Bro metadata logging. The outputs of the detections and hunts will then verify the initial hypothesis generated.

Network Artifacts

The MS08-067 exploit takes advantage of a buffer overflow vulnerability in the Microsoft Server service (srvsvc.dll), which allows an attacker to execute arbitrary code with SYSTEM-level privileges.

To successfully exploit this vulnerability, the attacker must establish a remote connection to the target system and then send a specially crafted packet to the Server service. The packet will contain the exploit code, which is designed to overwrite certain areas of memory with instructions that will ultimately allow the attacker to take control of the system.

The IPC$ share is commonly used to establish remote connections to Windows systems using the Server Message Block (SMB) protocol, which is also used by the Server service. By accessing the IPC$ share, the attacker can connect to the target system and establish a session with the Server service, which allows them to send the exploit code and trigger the vulnerability as shown in Figure 1.

Figure 1 - Wireshark - IPC$

Named pipes are primarily used for local processes to communicate with each other, but can facilitate communication between two processes on separate hosts over SMB. This is a popular technique within Metasploit and a configurable option as well. If IPC$ shares being accessed along with named pipe usage is not common, this can also serve as a starting point to delve deeper onto the endpoint for further investigation. Figure 2 shows what this would look like as network telemetry.

Figure 2 - Wireshark - Pipes

Detection Guidance

To detect the entire attack chain, the following detection guidance will trigger in the following order. Ideally these signatures, should be instrumented within a targeted internal environment where legacy systems reside.

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:\"GPL NETBIOS SMB-DS IPC$ share access\"; flow:established,to_server; content:\"|00|\"; depth:1; content:\"|FF|SMBu\"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:\"IPC|24 00|\"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Detection #1 - IPC$ share access

alert tcp any any -> $HOME_NET 445 (msg:\"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)\"; flow:established,to_server; content:\"|1F 00|\"; content:\"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|\"; content:\"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|\"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008705; classtype:attempted-admin; sid:2008705; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 

Detection #2 - NETAPI Stack Overflow

Hunting Process

A network traffic analyzer like Zeek can provide visibility into SMB traffic, such as the above packet capture. Since named pipes are treated like files, they show up within the name field. The SMB::FILE_OPEN field in the smb_files.log can be used to drill down further for this activity. The UID field could also be used to correlate the different log files together. Using these logs will be helpful if signatures fired today, and you needed to hunt recursively over an extended period of time.

{"ts":1634092925.899548,"uid":"CXjioG18zBnfPANIJf","id.orig_h":"192.168.1.69","id.orig_p":43183,"id.resp_h":"192.168.1.70","id.resp_p":445,"action":"SMB::FILE_OPEN","name":"\\BROWSER","size":0}

{"ts":1634092925.942094,"uid":"CXjioG18zBnfPANIJf","id.orig_h":"192.168.1.69","id.orig_p":43183,"id.resp_h":"192.168.1.70","id.resp_p":445,"action":"SMB::FILE_OPEN","name":"\\BROWSER","size":0}

{"ts":1634092925.970923,"uid":"CXjioG18zBnfPANIJf","id.orig_h":"192.168.1.69","id.orig_p":43183,"id.resp_h":"192.168.1.70","id.resp_p":445,"action":"SMB::FILE_OPEN","name":"\\SPOOLSS","size":0}

{"ts":1634092925.99429,"uid":"CXjioG18zBnfPANIJf","id.orig_h":"192.168.1.69","id.orig_p":43183,"id.resp_h":"192.168.1.70","id.resp_p":445,"action":"SMB::FILE_OPEN","name":"\\SPOOLSS","size":0}

{"ts":1634092926.024359,"uid":"CXjioG18zBnfPANIJf","id.orig_h":"192.168.1.69","id.orig_p":43183,"id.resp_h":"192.168.1.70","id.resp_p":445,"action":"SMB::FILE_OPEN","name":"\\BROWSER","size":0}

Zeek - smb_files.log

{"ts":1634092920.976657,"uid":"CXjioG18zBnfPANIJf","id.orig_h":"192.168.1.69","id.orig_p":43183,"id.resp_h":"192.168.1.70","id.resp_p":445,"path:\\\\192.168.1.70\IPC$","service":"IPC","share_type":"PIPE"}

Zeek - smb_mapping.log

References

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms08_067_netapi.rb

Threat Hunt - KillNet’s DDoS HEAD Flood Attack

Executive Summary

Killnet is a hacktivist group based in Russia that has been active since at least 2015. The group is known for launching DDoS attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.

Killnet has been linked to several high profile attacks, including distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk's Starlink satellite broadband service.

The motivations behind these attacks vary, but recently, they have primarily targeted those who are the most vocal supporters of Ukraine and its political agenda.

The aim of this threat hunt is to create a virtual attack environment that simulates Killnet's tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.

The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The outcomes will also contain the pseudo and translated query logic in a format that can be utilized by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be employed to confirm the initial hypothesis generated.

Network Artifacts

To emulate the attack, cc.py was utilized to generate continuous HEAD requests against an Apache server, refer to Appendix A for further details. Once the attack was launched, the captured log traffic was examined, as shown in Figure 1 and Figure 2. Upon reviewing the HEAD HTTP traffic, it was discovered that the digits between the ranges of 11-12 appeared after "HEAD /?" consistently. This pattern will serve as the basis for our first hypothesis, as outlined in the next section.

Figure 1 –Wireshark - Dynamically Generated 11-12 Digits

Figure 2 –Wireshark - Forged Referrer & Anonymized IPs

Figure 3 also contains the Apache logs that were generated on the server as the attack script kept trying to access different files in the ‘/var/www/html/’ directory. The script reiterates in a brute force type style, until CPU resources are rendered exhausted by sheer traffic volume.

Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts

Detection Guidance

Perl compatible regular expressions can be used to leverage the context derived from the packet capture during threat analysis, as shown in Figure 1. This allows us to write Suricata/Snort rules that will match observed patterns in headers. Detections tend to scale more than hunt queries and can be applied strategically on a per sensor basis. Specifically, the following rule will match any instance when an HTTP HEAD request containing 11-12 digits has been captured by a network sensor on a forward looking basis. This serves as our first hypothesis to identify the usage of DDoS HEAD floods:

alert tcp any any -> any any (msg:"Killnet cc.py DDoS HTTP HEAD Flood"; content:"HEAD"; depth:4; content:" /?"; distance:0; content:" HTTP/1.1|0d0a|Host: "; distance:0; fast_pattern; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"|0d0a|Referer: https://"; distance:0; content:"|0d0a|Accept-Language: "; distance:0; content:"|0d0a|Accept-Charset: "; distance:0; content:"|0d0a|Connection: Keep-Alive|0d0a0d0a|"; distance:0; pcre:"/^HEAD\x20\/\?[0-9]{11,12}\x20HTTP/"; sid:10000001;)

Hypothesis #1

Hunting Process

The following is a Splunk hunt query that utilizes the Zeek/Bro dataset to identify "High connections from common source over a short amount of time". The query breaks the time column (shown in Figure 2) into 1-second chunks. Once an appropriate threshold has been established, the "where count > 10" statement can be adjusted accordingly to search retroactively within the last 7 days from when the activity was first observed. This query serves as our second hypothesis to identify the usage of DDoS HEAD floods:

index=zeek sourcetype=zeek_conn

| eval datetime=strftime(ts,"%Y-%m-%d %H:%M:%S") 

| bucket span=1s datetime 

| stats count by datetime, id.orig_h

| where count > 10

| rename datetime as "Date & Time" id.orig_h as "Attacker IP"

Hypothesis #2

Appendix A. – Adversary Emulation

Cc.py is a Python tool publicly available on the internet that can be used for Layer 7 DDoS attacks. The tool, created by a student in 2020, uses various dynamic characteristics to launch DDoS attacks against web assets. The script automates the process of using open proxy servers to relay attacks while maintaining anonymity, which can render traditional IP-based blocking techniques ineffective.

Figure 4 depicts a Python function called "head" that performs an HTTP HEAD request to a target server. The function takes two arguments: "event" and "proxy type". These arguments control the flow of the request and specify the type of open proxy to leverage. Additionally, the code concatenates the variables where the forged/randomized headers will be used.

Figure 4 - cc.py

To generate a dynamic list of compromised open proxies that will be used to relay attacks on behalf of the attacker, the following command is utilized:

python3 cc.py –down –f proxy.txt –v 5

Once the list is generated, the following command is used to launch an attack against a server running Apache web server within the attack range. The command specifies the use of the "head" module and sets the duration of the attack to 30 seconds. The "head" module floods the target server with continuous HTTP HEAD requests until it is knocked offline.

python3 cc.py –url http://<insert url> -f proxy.txt –m head –v 4 –s 30

Appendix B. – IOCs

At OTX pulse was created listing over the 12K+ indicators from this research.

https://otx.alienvault.com/pulse/642dd6df987a88229012d214

References

https://github.com/Leeon123/CC-attack