We Can no Longer Ignore the Cost of Cybersecurity, (Sun, May 28th)

This post was originally published on this site

I read recently that disregarding cyber risks is a way of inviting trouble and unnecessary attention to any organization. Cyber threats is nothing new, everyone is a target taking many forms whether it is by some form of scanning or targeted phishing. For example, Sophos describes the naughty nine which are all some form of services that can be purchased for a price (i.e. access, malware, phishing, crypting, etc). "Just as information technology companies have shifted to “as-a-service” offerings, so has the cybercrime ecosystem." [1] This is no surprise that ransomware is still the one thing that affect the most organizations and, in the end, cost the most if you have no choices but to pay the ransom. In the case of the Hospital for Sick Children in Toronto, lockbit , "[…] issued a brief apology and offered SickKids a free decryptor to unlock its data." [2] but this is far from always being the case. In the end, they did not use the decryptor but that isn't always the case.

VMware Skyline Advisor Pro Proactive Findings – May 2023 Edition

This post was originally published on this site

Tweet VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of May, we released 42 new Findings. Of these, there are 20 Findings based … Continued

The post <strong>VMware Skyline Advisor Pro Proactive Findings – May 2023 Edition</strong> appeared first on VMware Support Insider.

Using DFIR Techniques To Recover From Infrastructure Outages, (Fri, May 26th)

This post was originally published on this site

Recently, I was involved in a network outage caused by a defective pfSense firewall appliance. Due to storage issues (with the onboard flash), the firewall did not boot anymore. This can be quickly solved from a hardware point of view because this firewall model has a slot to install an M2-compatible flash device and boot from it. But, there was a problem with the configuration. The last backup they had was pretty old, and they made a lot of changes. No debate about the fact that a robust backup process should have been implemented. Let's focus on the challenge of recovering the last configuration from the firewall. Challenge accepted!

IR Case/Alert Management, (Wed, May 24th)

This post was originally published on this site

Recently I was discussing Alert/Case management tools for SOCs. I started thinking about what were the key points I used when deciding. Depending on how big your SOC is, you will have different priorities for each point if you have customer SLA's and a turnover. But these are the things I look for, in no particular order.

  • Open Source
  • Alert and Case Management
  • Artifact Enhancement
  • Playbook/Work Flows
  • Metrics


TheHive (1)

This has been my favorite tool for managing cases for a while. In the last year, it has gone to a pay model, if you use TheHive version 5. Support for 4 has stopped, but you can still use it. I did a quick look, and I didn't see anyone with a Forked version 4 supporting it. Metrics in version 3 could have been better, and in 5, they have improved. It also supports marking cases with ATT&C techniques. Elastalert has direct support for Hive, which is an excellent and easy way to get alerts from SecurityOnion into your case system. They use Cortex for enhancing artifact information, which has a great plugin architecture. Most people are familiar with TheHive, so I'll skip any screenshots. It's a great project, and if you have the money to allocate, I suggest supporting this project for your SOC.



It is a robust system that can run as a docker and the database is Postgres. In the latest revisions, released this month, they have added support for alert tracking. Alerts can be fed into their system using their API (No Elastalert support yet..) You can convert alerts into cases easily. You can create case templates that contain playbooks for what to do. If you put your information in the right places, the generated report feature does a very nice readable report. They currently do not have predefined ATT&CK techniques, but you can tag most items you add in cases. This project is very active and doing a great job with adding features. They already have a full demo online to try (3), so go take a look! 


Alert queue

The alert queue was added in the latest release. There is an API to get alerts into the system. 



Case Management


At the top of the case, view is where you access the different parts of the case. Assets are where you list which assets are involved in the incident. Typically with TheHive, I would create a new task per device and put in the notes for each compromised asset. This is a nice feature to quickly see what is involved.



Notes Section

I've only messed around with the demo, but I'm unsure how to use the note section now. You can group things together nicely, but in real cases, I would have to see if the input fields from the tasks were not enough to meet the needs first.



Case Template/Playbooks

Creating templates is easy to do. These end up in the task area of the case, where they can be used to walk the responder through tasks for the case type.



You can add files to the case along with IOCs.



They do have some modules and enrichment, but only a little for now. A 3rd party module by SOCfortress will integrate with Cortex, giving you a ton of flexibility. (4)



There is at least one more alert manager I plan on covering in the future, but let me know what you are using and why you like it in the comments.


(1) https://thehive-project.org/

(2) https://dfir-iris.org/





Tom Webb


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

This post was originally published on this site


The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.

One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.

Download the PDF version of this report (723 KB)

Technical Details

This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.


The authoring agencies are aware of recent People’s Republic of China (PRC) state-sponsored cyber activity and have identified potential indicators associated with these techniques. This advisory will help net defenders hunt for this activity on their systems. It provides many network and host artifacts associated with the activity occurring after the network has been initially compromised, with a focus on command lines used by the cyber actor. An Indicators of compromise (IOCs) summary is included at the end of this advisory.

Especially for living off the land techniques, it is possible that some command lines might appear on a system as the result of benign activity and would be false positive indicators of malicious activity. Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior. Additionally, if creating detection logic based on these commands, network defenders should account for variability in command string arguments, as items such as ports used may be differ across environments.


Network artifacts

The actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim. Owners of SOHO devices should ensure that network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible.

The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to:

cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.

Host artifacts

Windows management instrumentation (WMI/WMIC)

The actor has executed the following command to gather information about local drives [T1082]:

cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"

This command does not require administrative credentials to return results. The command uses a command prompt [T1059.003] to execute a Windows Management Instrumentation Command Line (WMIC) query, collecting information about the storage devices on the local host, including drive letter, file system (e.g., new technology file system [NTFS]), free space and drive size in bytes, and an optional volume name. Windows Management Instrumentation (WMI) is a built-in Windows tool that allows a user to access management information from hosts in an enterprise environment. The command line version of WMI is called WMIC.

By default, WMI Tracing is not enabled, so the WMI commands being executed and the associated user might not be available. Additional information on WMI events and tracing can be found in the References section of the advisory.

Ntds.dit Active Directory database

The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) out of the network to perform password cracking [T1003.003]. (The ntds.dit file is the main Active Directory (AD) database file and, by default, is stored at %SystemRoot%NTDSntds.dit. This file contains information about users, groups, group memberships, and password hashes for all users in the domain; the SYSTEM registry hive contains the boot key that is used to encrypt information in the ntds.dit file.) Although the ntds.dit file is locked while in use by AD, a copy can be made by creating a Volume Shadow Copy and extracting the ntds.dit file from the Shadow Copy. The SYSTEM registry hive may also be obtained from the Shadow Copy. The following example commands show the actor creating a Shadow Copy and then extracting a copy of the ntds.dit file from it.

cmd /c vssadmin create shadow /for=C: > C:WindowsTemp.tmp

cmd /c copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy3WindowsNTDSntds.dit C:WindowsTemp > C:WindowsTemp.tmp

The built-in Ntdsutil.exe tool performs all these actions using a single command. There are several ways to execute Ntdsutil.exe, including running from an elevated command prompt (cmd.exe), using WMI/WMIC, or PowerShell. Defenders should look for the execution of Ntdsutil.exe commands using long, short, or a combination of the notations. For example, the long notation command activate instance ntds ifm can also be executed using the short notation ac i ntds i. Table 1 provides the long and short forms of the arguments used in the sample Ntdsutil.exe command, along with a brief description of the arguments.

Table 1: Ntdsutil.exe command syntax

Long form

Short form


activate instance %

ac i %

Sets variable % as the active instance for ntdsutil to use



Install from media (ifm). Creates installation media to be used with DCPromo so the server will not need to copy data from another Domain Controller on the network

The actor has executed WMIC commands [T1047] to create a copy of the ntds.dit file and SYSTEM registry hive using ntdsutil.exe. Each of the following actor commands is a standalone example; multiple examples are provided to show how syntax and file paths may differ per environment.

wmic process call create "ntdsutil "ac i ntds" ifm "create full C:WindowsTemppro

wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:WindowsTempPro"

wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"

"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:windowsTempMcAfee_Logs & ntdsutil "ac i ntds" ifm "create full C:WindowsTempMcAfee_Logs"

cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"  1>$ 2>&1

Note: The would be an epoch timestamp following the format like “__1684956600.123456”.

Each actor command above creates a copy of the ntds.dit database and the SYSTEM and SECURITY registry hives in the C:WindowsTemp directory, where is replaced with the path specified in the command (e.g., pro, tmp, or McAfee_Logs). By default, the hidden ADMIN$ share is mapped to C:Windows, so the last command will direct standard output and error messages from the command to a file within the folder specified.

The actor has also saved the files directly to the C:WindowsTemp and C:UsersPublic directories, so the entirety of those directory structures should be analyzed. Ntdsutil.exe creates two subfolders in the directory specified in the command: an Active Directory folder that contains the ntds.dit and ntds.jfm files, and a registry folder that contains the SYSTEM and SECURITY hives. Defenders should look for this folder structure across their network:

Active Directoryntds.dit
Active Directoryntds.jfm



When one of the example commands is executed, several successive log entries are created in the Application log, under the ESENT Source. Associated events can be viewed in Windows Event Viewer by navigating to: Windows Logs | Application. To narrow results to relevant events, select Filter Current Log from the Actions menu on the right side of the screen. In the Event sources dropdown, check the box next to ESENT, then limit the logs to ID numbers 216, 325, 326, and 327. Clicking the OK box will apply the filters to the results.

Since ESENT logging is used extensively throughout Windows, defenders should focus on events that reference ntds.dit. If such events are present, the events’ details should contain the file path where the file copies were created. Since these files can be deleted, or enhanced logging may not be configured on hosts, the file path can greatly aid in a hunt operation. Identifying the user associated with this activity is also a critical step in a hunt operation as other actions by the compromised—or actor-created—user account can be helpful to understand additional actor TTPs, as well as the breadth of the actor’s actions.

Note: If an actor can exfiltrate the ntds.dit and SYSTEM registry hive, the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorized systems to the domain. If this occurs, defenders should follow guidance for removing malicious actors from victim networks, such as CISA’s Eviction Guidance for Network Affected by the SolarWinds and Active Directory/M365 Compromise.

In addition to the above TTPs used by the actor to copy the ntds.dit file, the following tools could be used by an actor to obtain the same information:

  • Secretsdump.py
    • Note: This script is a component of Impacket, which the actor has been known to use
  • Invoke-NinjaCopy (PowerShell)
  • DSInternals (PowerShell)
  • FgDump
  • Metasploit

Best practices for securing ntds.dit include hardening Domain Controllers and monitoring event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.


The actor has used the following commands to enable port forwarding [T1090] on the host:

"cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress= listenport=9999 connectaddress= connectport=8443 protocol=tcp""

"cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress= connectport=1433 connectaddress="

where is replaced with an IPv4 address internal to the network, omitting the ’s.

Netsh is a built-in Windows command line scripting utility that can display or modify the network settings of a host, including the Windows Firewall. The portproxy add command is used to create a host:port proxy that will forward incoming connections on the provided listenaddress and listenport to the connectaddress and connectport. Administrative privileges are required to execute the portproxy command. Each portproxy command above will create a registry key in the HKLMSYSTEMCurrentControlSetServicesPortProxyv4tov4tcp path. Defenders should look for the presences of keys in this path and investigate any anomalous entries.

Note: Using port proxies is not common for legitimate system administration since they can constitute a backdoor into the network that bypasses firewall policies. Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.

Defenders should also use unusual IP addresses and ports in the command lines or registry entries to identify other hosts that are potentially included in actor actions. All hosts on the network should be examined for new and unusual firewall and port forwarding rules, as well as IP addresses and ports specified by the actor. If network traffic or logging is available, defenders should attempt to identify what traffic was forwarded though the port proxies to aid in the hunt operation. As previously mentioned, identifying the associated user account that made the networking changes can also aid in the hunt operation.

Firewall rule additions and changes can be viewed in Windows Event Viewer by navigating to:

Applications and Service Logs | Microsoft | Windows | Windows Firewall With Advanced Security | Firewall.

In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts. The actor is known to target perimeter devices in their operations. Firewall logs should be reviewed for any connections to systems on the ports listed in any portproxy commands discovered.


The actor has used the following PowerShell [T1059.001] command to identify successful logons to the host [T1033]:

Get-EventLog security -instanceid 4624

Note: Event ID 4624 is logged when a user successfully logs on to a host and contains useful information such as the logon type (e.g., interactive or networking), associated user and computer account names, and the logon time. Event ID 4624 entries can be viewed in Windows Event Viewer by navigating to:

Windows Logs | Security. PowerShell logs can be viewed in Event Viewer: Applications and Service Logs | Windows PowerShell.

This command identifies what user account they are currently leveraging to access the network, identify other users logged on to the host, or identify how their actions are being logged. If the actor is using a password spray technique [T1110.003], there may be several failed logon (Event ID 4625) events for several different user accounts, followed by one or more successful logons (Event ID 4624) within a short period of time. This period may vary by actor but can range from a few seconds to a few minutes.

If the actor is using brute force password attempts [T1110] against a single user account, there may be several Event ID 4625 entries for that account, followed by a successful logon Event ID 4624. Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).


The actor regularly employs the use of Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:Windows) containing an epoch timestamp in its name. The following is an example of the “dir” command being executed by wmiexec.py:

cmd.exe /Q /c *dir 1>$__1684956600.123456 2>&1

Note: Discovery of an entry similar to the example above in the Windows Event Log and/or a file with a name in a similar format may be evidence of malicious activity and should be investigated further. In the event that only a filename is discovered, the epoch timestamp within the filename reflects the time of execution by default and can be used to help scope threat hunting activities.

Enumeration of the environment

The following commands were used by the actor to enumerate the network topology [T1016], the active directory structure [T1069.002], and other information about the target environment [T1069.001], [T1082]:

arp -a

curl www.ip-api.com

dnscmd . /enumrecords /zone {REDACTED}

dnscmd . /enumzones

dnscmd /enumrecords {REDACTED} . /additional

ipconfig /all

ldifde.exe -f c:windowstemp.txt -p subtree

net localgroup administrators

net group /dom

net group "Domain Admins" /dom

netsh interface firewall show all

netsh interface portproxy show all

netsh interface portproxy show v4tov4

netsh firewall show all

netsh portproxy show v4tov4

netstat -ano

reg query hklmsoftware


tasklist /v


wmic volume list brief

wmic service brief

wmic product list brief

wmic baseboard list full

wevtutil qe security /rd:true /f:text /q:*[System[(EventID=4624) and TimeCreated[@SystemTime>='{REDACTED}']] and EventData[Data='{REDACTED}']]

Additional credential theft

The actor also used the following commands to identify additional opportunities for obtaining credentials in the environment [T1555], [T1003]:

dir C:Users{REDACTED}.sshknown_hosts

dir C:users{REDACTED}appdataroamingMozillafirefoxprofiles


reg query hklmsoftwareOpenSSH

reg query hklmsoftwareOpenSSHAgent

reg query hklmsoftwarerealvnc

reg query hklmsoftwarerealvncvncserver

reg query hklmsoftwarerealvncAllusers

reg query hklmsoftwarerealvncAllusersvncserver

reg query hkcusoftware{REDACTED}puttysession

reg save hklmsam ss.dat

reg save hklmsystem sy.dat

Additional commands

The actor executed the following additional commands:

7z.exe a -p {REDACTED} c:windowstemp{REDACTED}.7z

C:Windowssystem32pcwrun.exe C:UsersAdministratorDesktopWin.exe

C:WindowsSystem32cmdbak.exe /c ping -n 1 >



"cmd.exe" /c dir$ /od

"cmd.exe" /c ping –a –n 1 

"cmd.exe" /c wmic /user: /password: process call create "net stop "" > C:WindowsTemptmp.log"

cmd.exe /Q /c cd 1>$__ 2 2>&1

net use$ /y /d

powershell start-process -filepath c:windowstemp.bat -windowstyle Hidden

rar.exe a –{REDACTED} c:Windowstemp{REDACTED} D:{REDACTED}

wmic /node:{REDACTED} /user:{REDACTED} /password:{REDACTED} cmd /c whoami

xcopy C:windowstemphp d:{REDACTED}


The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity Frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Defenders should harden domain controllers and monitor event logs [2.T] for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
  • Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required [2.X].
  • Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
  • In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
  • Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
  • Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network [2.F].

Logging recommendations

To be able to detect the activity described in this CSA, defenders should set the audit policy for Windows security logs to include “audit process creation” and “include command line in process creation events” in addition to accessing the logs. Otherwise, the default logging configurations may not contain the necessary information.

Enabling these options will create Event ID 4688 entries in the Windows Security log to view command line processes. Given the cost and difficulty of logging and analyzing this kind of activity, if an organization must limit the requirements, they should focus on enabling this kind of logging on systems that are externally facing or perform authentication or authorization, especially including domain controllers.

To hunt for the malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events. By default, WMI Tracing and deep PowerShell logging are not enabled, but they can be enabled by following the configuration instructions linked in the References section.

The actor takes measures to hide their tracks, such as clearing logs [T1070.001]. To ensure log integrity and availability, defenders should forward log files to a hardened centralized logging server, preferably on a segmented network. Such an architecture makes it harder for an actor to cover their tracks as evidence of their actions will be captured in multiple locations.

Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared. All Event ID 1102 entries should be investigated as logs are generally not cleared and this is a known actor tactic to cover their tracks. Even if an event log is cleared on a host, if the logs are also stored on a logging server, the copy of the log will be preserved.

This activity is often linked to malicious exploitation of edge devices and network management devices. Defenders should enable logging on their edge devices, to include system logs, to be able to identify potential exploitation and lateral movement. They should also enable network-level logging, such as sysmon, webserver, middleware, and network device logs.

Indicators of compromise (IOCs) summary


Command execution

File names and directory paths used in these commands are only meant to serve as examples. Actual names and paths may differ depending on environment and activity, so defenders should account for variants when performing queries.

Note: Many of the commands are derivatives of common system administration commands that could generate false positives when used alone without additional indicators.

7z.exe a -p {REDACTED} c:windowstemp{REDACTED}.7z c:windowstemp*

"C:pstoolspsexec.exe" {REDACTED} -s cmd /c "cmd.exe /c "netsh interface portproxy delete v4tov4 listenaddress= listenport=9999""

C:Windowssystem32pcwrun.exe C:UsersAdministratorDesktopWin.exe

cmd.exe /C dir /S {REDACTED}c$Users{REDACTED} >> c:windowstemp{REDACTED}.tmp

"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:windowsTempMcAfee_Logs & ntdsutil "ac i ntds" ifm "create full C:WindowsTempMcAfee_Logs"

cmd.exe /Q /c *cd 1>$__ 2>&1

cmd.exe /Q /c cd 1>$__1652470932.9400265 2>&1

cmd.exe /Q /c net group "domain admins" /dom 1>$__ 2>&1

cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"  1>$  2>&1

D:{REDACTED}xcopy C:windowstemphp d:{REDACTED}

Get-EventLog security -instanceid 4624

ldifde.exe -f c:windowstempcisco_up.txt -p subtree

makecab ..backup210829-020000.zip ..webappsadssphtmlLock.lic

move "c$userspublicAppfileregistrySYSTEM" ..backup210829-020000.zip

netsh interface portproxy add v4tov4 listenaddress= listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp

netsh interface portproxy delete v4tov4 listenaddress= listenport=9999

Rar.exe a –{REDACTED} c:WindowstempDMBC2C61.tmp

start-process -filepath c:windowstemp.bat -windowstyle hidden 1

Note: The batch file in question (.bat) could use any name, and no discernable pattern has been determined at this time.

wmic process call create "cmd.exe /c mkdir C:userspublicAppfile & ntdsutil "ac i ntds" ifm "create full C:userspublicAppfile" q q

wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"

wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:WindowsTempPro"

wmic process call create "ntdsutil "ac i ntds" ifm "create full C:WindowsTemp"

Command line patterns

Certain patterns in commands (with asterisks for wildcards) can be used to identify potentially malicious commands:

  • cmd.exe /C dir /S * >> *
  • cmd.exe /Q /c * 1>$__*.*>&1
  • powershell start-process -filepath c:windowstemp*.exe -windowstyle hidden

File paths

The most common paths where files and executables used by the actor have been found include:

  • C:UsersPublicAppfile (including subdirectories)
  • C:Perflogs (including subdirectories)
  • C:WindowsTemp (including subdirectories)

File names

The file names the actor has previously used for such things as malware, scripts, and tools include:

















In addition to the file names and paths above, malicious files names, believed to be randomly created, in the following format have also been discovered:


SHA-256 file hashes

  • f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
  • ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
  • d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
  • 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
  • 66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7
  • 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
  • 41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597
  • c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99
  • 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f
  • fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15
  • ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484


In some cases, the following user-agent string (including the extra spacing) was identified performing reconnaissance activities by this actor:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0)               Gecko/20100101 Firefox/68.0

Yara rules

rule ShellJSP {


        $s1 = "decrypt(fpath)"

        $s2 = "decrypt(fcontext)"

        $s3 = "decrypt(commandEnc)"

        $s4 = "upload failed!"

        $s5 = "aes.encrypt(allStr)"

        $s6 = "newid"


        filesize < 50KB and 4 of them

rule EncryptJSP {


        $s1 = "AEScrypt"

        $s2 = "AES/CBC/PKCS5Padding"

        $s3 = "SecretKeySpec"

        $s4 = "FileOutputStream"

        $s5 = "getParameter"

        $s6 = "new ProcessBuilder"

        $s7 = "new BufferedReader"

        $s8 = "readLine()"


        filesize < 50KB and 6 of them

rule CustomFRPClient {


        description=”Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool”


        $s1 = "%!PS-Adobe-" nocase ascii wide

        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide

        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide

        $s4 = "MAGA2024!!!" nocase ascii wide

        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide



        all of them

rule HACKTOOL_FRPClient {


        description=”Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)”


        $s1 = "%!PS-Adobe-" nocase ascii wide

        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide

        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide

        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide



        3 of them



Active Directory and domain controller hardening:

CISA regional cyber threats:

Microsoft Threat Intelligence blog:



Windows command line process auditing:

Windows Defender Firewall:

Windows management instrumentation:

Windows password spraying:


The NSA Cybersecurity Collaboration Center, along with the authoring agencies, acknowledge Amazon Web Services (AWS) Security, Broadcom, Cisco Talos, Google’s Threat Analysis Group, Lumen Technologies, Mandiant, Microsoft Threat Intelligence (MSTI), Palo Alto Networks, SecureWorks, SentinelOne, Trellix, and additional industry partners for their collaboration on this advisory.

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favoring by the authoring agencies’ governments, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.


This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.


U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/field-offices.  

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov

NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov

NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.

Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.

New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Appendix: MITRE ATT&CK Techniques

Table 2 captures all referenced threat actor tactics and techniques in this advisory.

Table 2: All referenced threat actor tactics and techniques

Initial Access

Technique Title



Exploit Public-facing Application


Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.


Windows Management Instrumentation


The actor executed WMIC commands to create a copy of the SYSTEM registry.

Command and Scripting Interpreter: PowerShell


The actor used a PowerShell command to identify successful logons to the host.

Command and Scripting Interpreter: Windows Command Shell


The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host.


Server Software Component: Web Shell


The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell.

Defense Evasion

Hide Artifacts


The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.

Indicator Removal: Clear Windows Event Logs


The actor cleared system event logs to hide activity of an intrusion.

Credential Access

OS Credential Dumping: NTDS


The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.

Brute Force


The actor attempted to gain access to accounts with multiple password attempts.

Brute Force: Password Spraying



The actor used commonly used passwords against accounts to attempt to acquire valid credentials.

OS Credential Dumping


The actor used additional commands to obtain credentials in the environment.

Credentials from Password Stores


The actors searched for common password storage locations.


System Information Discovery


The actors executed commands to gather information about local drives.

System Owner/User Discovery


The actors gathered information about successful logons to the host using a PowerShell command.

Permission Groups Discovery: Local Groups


The actors attempt to find local system groups and permission settings.

Permission Groups Discovery: Doman Groups


The actors used commands to enumerate the active directory structure.

System Network Configuration Discovery


The actors used commands to enumerate the network topology.

Command and Control



The actors used commands to enable port forwarding on the host.

Proxy: External Proxy


The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity.


Help us figure this out: Scans for Apache "Nifi", (Tue, May 23rd)

This post was originally published on this site

Please let me know if you have any idea what they are trying to do here 🙂

I noticed today that our honeypots detected a few scans for Apache "Nifi." Nifi is a Java-based system that allows for the routing of data. It will enable you to select data from a source (let's say from a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache Nifi is to prepare and import data into machine learning systems.

Today, I noticed a spike in requests for the URL "/nifi", the default URL used for the NiFi GUI.

Almost all the reports come from the same user-agent and IP address:

User-Agent: Go-http-client/1.1
Source IP: %%ip:

The source IP, located in the Ukraine, has a history of scanning for various vulnerabilities, but nothing I would assign to a particular bot. Just "random" URLs like:

  • /boaform/admin/formLogin
  • blank.org:443

There are a couple other IPs and User-Agents used to scan for Nifi:

%%ip: – Claiming to use headless chrome on Linux and Chrome on Windows. Reasonably recent versions so they may be real user agents.
%%ip: – Claiming to use Chrome, but ancient versions so I assume these user agents are fake

Both of these IPs are part of Qwest/CenturyLink/Lumen. at least used to be part of Paloalto.

But the real question: What are they looking for? Trying to steal data from badly secured NiFi installs? Poisoning ML data? cryptomining… ? There isn't a vulnerability that I would consider, other than bad configurations with no/weak/default passwords.

Let me know if you use NiFi, and if you have an idea what they may be looking for.



Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AWS Week in Review – AWS Documentation Updates, Amazon EventBridge is Faster, and More – May 22, 2023

This post was originally published on this site

AWS Data Hero Anahit Pogosova keynote at CloudConf 2023Here are your AWS updates from the previous 7 days. Last week I was in Turin, Italy for CloudConf, a conference I’ve had the pleasure to participate in for the last 10 years. AWS Hero Anahit Pogosova was also there sharing a few serverless tips in front of a full house. Here’s a picture I took from the last row during her keynote.

On Thursday, May 25, I’ll be at the AWS Community Day in Dublin to celebrate the 10 years of the local AWS User Group. Say hi if you’re there!

Last Week’s Launches
Last week was packed with announcements! Here are the launches that got my attention:

Amazon SageMakerGeospatial capabilities are now generally available with security updates and more use case samples.

Amazon DetectiveSimplify the investigation of AWS Security Findings coming from new sources such as AWS IAM Access Analyzer, Amazon Inspector, and Amazon Macie.

Amazon EventBridge – EventBridge now delivers events up to 80% faster than before, as measured by the time an event is ingested to the first invocation attempt. No change is required on your side.

AWS Control Tower – The service has launched 28 new proactive controls that allow you to block non-compliant resources before they are provisioned for services such as AWS OpenSearch Service, AWS Auto Scaling, Amazon SageMaker, Amazon API Gateway, and Amazon Relational Database Service (Amazon RDS). Check out the original posts from when proactive controls were launched.

Amazon CloudFront – CloudFront now supports two new control directives to help improve performance and availability: stale-while-revalidate (to immediately deliver stale responses to users while it revalidates caches in the background) and the stale-if-error cache (to define how long stale responses should be reused if there’s an error).

Amazon Timestream – Timestream now enables to export query results to Amazon S3 in a cost-effective and secure manner using the new UNLOAD statement.

AWS Distro for OpenTelemetryThe tail sampling and the group-by-trace processors are now generally available in the AWS Distro for OpenTelemetry (ADOT) collector. For example, with tail sampling, you can define sampling policies such as “ingest 100% of all error cases and 5% of all success cases.”

AWS DataSync – You can now use DataSync to copy data to and from Amazon S3 compatible storage on AWS Snowball Edge Compute Optimized devices.

AWS Device Farm – Device Farm now supports VPC integration for private devices, for example, when an unreleased version of an app is accessing a staging environment and tests are accessing internal packages only accessible via private networking. Read more at Access your private network from real mobile devices using AWS Device Farm.

Amazon Kendra – Amazon Kendra now helps you search across different content repositories with new connectors for Gmail, Adobe Experience Manager Cloud, Adobe Experience Manager On-Premise, Alfresco PaaS, and Alfresco Enterprise. There is also an updated Microsoft SharePoint connector.

Amazon Omics – Omics now offers pre-built bioinformatic workflows, synchronous upload capability, integration with Amazon EventBridge, and support for Graphical Processing Units (GPUs). For more information, check out New capabilities make it easier for healthcare and life science customers to get started, build applications, and scale-up on Amazon Omics.

Amazon Braket – Braket now supports Aria, IonQ’s largest and highest fidelity publicly available quantum computing device to date. To learn more, read Amazon Braket launches IonQ Aria whith built-in error mitigation.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

Other AWS News
A few more news items and blog posts you might have missed:

AWS Documentation home page screenshot.AWS Documentation – The AWS Documentation home page has been redesigned. Leave your feedback there to let us know what you think or to suggest future improvements. Last week we also announced that we are retiring the AWS Documentation GitHub repo to focus our resources to directly improve the documentation and the website.

Peloton case studyPeloton embraces Amazon Redshift to unlock the power of data during changing times.

Zoom case studyLearn how Zoom implemented streaming log ingestion and efficient GDPR deletes using Apache Hudi on Amazon EMR.

Nice solutionIntroducing an image-to-speech Generative AI application using SageMaker and Hugging Face.

For AWS open-source news and updates, check out the latest newsletter curated by Ricardo to bring you the most recent updates on open-source projects, posts, events, and more.

Upcoming AWS Events
Here are some opportunities to meet and learn:

AWS Data Insights Day (May 24) – A virtual event to discover how to innovate faster and more cost-effectively with data. This event focuses on customer voices, deep-dive sessions, and best practices of Amazon Redshift. You can register here.

AWS Silicon Innovation Day (June 21) – AWS has designed and developed purpose-built silicon specifically for the cloud. Join to learn AWS innovations in custom-designed Amazon EC2 chips built for high performance and scale in the cloud. Register here.

AWS re:Inforce (June 13–14) – You can still register for AWS re:Inforce. This year it is taking place in Anaheim, California.

AWS Global Summits – Sign up for the AWS Summit closest to where you live: Hong Kong (May 23), India (May 25), Amsterdam (June 1), London (June 7), Washington, DC (June 7-8), Toronto (June 14), Madrid (June 15), and Milano (June 22). If you want to meet, I’ll be at the one in London.

AWS Community Days – Join these community-led conferences where event logistics and content is planned, sourced, and delivered by community leaders: Dublin, Ireland (May 25), Shenzhen, China (May 28), Warsaw, Poland (June 1), Chicago, USA (June 15), and Chile (July 1).

That’s all from me for this week. Come back next Monday for another Week in Review!


This post is part of our Week in Review series. Check back each week for a quick roundup of interesting news and announcements from AWS!

Probes for recent ABUS Security Camera Vulnerability: Attackers keep an eye on everything., (Mon, May 22nd)

This post was originally published on this site

ABUS is usually better known for its "old-fashioned" mechanical locks. But as part of its b "Industry Solution" portfolio of products, ABUS is offering some more high-tech solutions, like, for example, network-connected cameras [1]. Sadly, these cameras suffer from some of the same vulnerabilities as many similar cameras.

In February, Peter Ohm disclosed a vulnerability affecting ABUS cameras on the full disclosure mailing list [2]. The disclosure includes three different vulnerabilities,

1 – Local File Inclusion

This vulnerability can be used to read arbitrary files:



2 – Remote command injection vulnerability


This vulnerability allows for arbitrary command injection. Instead of a semicolon, an attacker could also use a pipe or a carriage return.

3 – Fixed "maintenance" account

The affected cameras use the following credentials for a built-in "maintenance" account.

manufacture erutcafunam


Among these vulnerabilities, the remote command execution vulnerability is the most interesting one. Yesterday, our sensor picked up exploit attempts consistent with this vulnerability:


I did not obfuscate the command. The attacker did not correctly expand the command parameter. Maybe they are using a Python "f-string" but forgot the leading "f"?

All the attacks originate from an unconfigured server (%%ip: in the Netherlands. This server has a history of attempts to exploit various common vulnerabilities.

But there is more…

Our web application honeypots have been around for a while, so we have some history to look back at. Similar exploit attempts are going back to 2015:

| date       | url                                                                |
| 2015-07-12 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft?ap=testname;cat%20/var/www/secret.passwd |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2023-05-20 | /cgi-bin/mft/wireless_mft                                          |
| 2023-05-21 | /cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}                  |

Back in 2015, CORE security released a very similar vulnerability in "Air Live" cameras [3][4]. Searching further shows that this vulnerability was also found in 2013 Zavio IP Cameras [5]. 

So this appears to be one of these all too common "IoT" security issues: The same firmware/hardware is being resold under different brands, and once a vendor fixes the flaw does in no way guarantee that other vendors selling the same equipment will even bother to look if they are vulnerable as well. ABUS likely is just the sales organization feeling zero responsibility to check if what they are selling is remotely fit to be connected to a network.

As a user of such a camera, you must ensure that you keep your firmware up to date and avoid exposing these cameras to the internet. And as ABUS puts it: "KEEP AN EYE ON EVERYTHING.", most notably your vendors.

[1] https://mobil.abus.com/usa/Commercial-Security/Industry-solutions/Campus-Security
[2] https://seclists.org/fulldisclosure/2023/Feb/16
[3] https://seclists.org/fulldisclosure/2015/Jul/29
[4] http://camera.airlive.com/
[5] https://www.exploit-db.com/exploits/25815

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.