Identification and Disruption of QakBot Infrastructure

This post was originally published on this site

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.

CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

AA23-242A STIX XML
(XML, 51.62 KB
)
AA23-242A STIX JSON
(JSON, 43.12 KB
)

TECHNICAL DETAILS

Overview

QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.

Since its initial inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, to include performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials are often sold to further the goals of the threat actor who delivered QakBot.

QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.

QakBot Infrastructure

QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.

Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.

Figure 1: QakBot’s Tiered C2 Servers
Figure 1: QakBot’s Tiered C2 Servers

The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes have been identified in 63 countries, which were active that same month. Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.

Indicators of Compromise

FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with OakBot infections:

  1. QakBot sets up persistence via the Registry Run Key as needed. It will delete this key when running and set it back up before computer restart: HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
  2. QakBot will also write its binary back to disk to maintain persistence in the following folder: C:UsersAppDataRoamingMicrosoft
  3. QakBot will write an encrypted registry configuration detailing information about the bot to the following registry key: HKEY_CURRENT_USERSoftwareMicrosoft

In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.

Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.

Table 1: IPs Affiliated with QakBot Infections

IP Address

First Seen

85.14.243[.]111

April 2020

51.38.62[.]181

April 2021

51.38.62[.]182

December 2021

185.4.67[.]6

April 2022

62.141.42[.]36

April 2022

87.117.247[.]41

May 2022

89.163.212[.]111

May 2022

193.29.187[.]57

May 2022

193.201.9[.]93

June 2022

94.198.50[.]147

August 2022

94.198.50[.]210

August 2022

188.127.243[.]130

September 2022

188.127.243[.]133

September 2022

94.198.51[.]202

October 2022

188.127.242[.]119

November 2022

188.127.242[.]178

November 2022

87.117.247[.]41

December 2022

190.2.143[.]38

December 2022

51.161.202[.]232

January 2023

51.195.49[.]228

January 2023

188.127.243[.]148

January 2023

23.236.181[.]102

Unknown

45.84.224[.]23

Unknown

46.151.30[.]109

Unknown

94.103.85[.]86

Unknown

94.198.53[.]17

Unknown

95.211.95[.]14

Unknown

95.211.172[.]6

Unknown

95.211.172[.]7

Unknown

95.211.172[.]86

Unknown

95.211.172[.]108

Unknown

95.211.172[.]109

Unknown

95.211.198[.]177

Unknown

95.211.250[.]97

Unknown

95.211.250[.]98

Unknown

95.211.250[.]117

Unknown

185.81.114[.]188

Unknown

188.127.243[.]145

Unknown

188.127.243[.]147

Unknown

188.127.243[.]193

Unknown

188.241.58[.]140

Unknown

193.29.187[.]41

Unknown

Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.

MITRE ATT&CK TECHNIQUES

For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.[9]

MITIGATIONS

Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117

CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Best Practice Mitigation Recommendations

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud) [CPG 2.O, 2.R, 5.A].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards when developing and managing password policies [CPG 2.B]. This includes:
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
    • Store passwords in hashed format using industry-recognized password managers;
    • Add password user “salts” to shared login credentials;
    • Avoid reusing passwords;
    • Implement multiple failed login attempt account lockouts;
    • Disable password “hints”;
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated malware with a networking monitoring tool. To aid in detecting the malware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.D, 2.E].
  • Disable unused ports [CPG 2.V, 2.W, 2X].
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task [CPG 2.E].
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Ransomware Guidance

  • CISA.gov/stopransomware is a whole-of-government resource that serves as one central location for ransomware resources and alerts.
  • CISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
  • CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate cybersecurity practices on their networks.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see MITRE ATT&CK’s page on QakBot).[9]
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.

RESOURCES

REFERENCES

  1. MITRE: Cobalt Strike
  2. MITRE: Conti
  3. MITRE: ProLock
  4. MITRE: Egregor
  5. MITRE: REvil
  6. MITRE: MegaCortex
  7. MITRE: Black Basta
  8. MITRE: Royal
  9. MITRE: QakBot

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

VERSION HISTORY

August 30, 2023: Initial version.

PowerShell Adapter Feedback Provider

This post was originally published on this site

PowerShell Adapter Feedback Provider

We’ve renamed the JSON Adapter Feedback Provider to PowerShell Adapter Feedback Provider! We
heard some good feedback that the name wasn’t as descriptive to what the feedback provider does so
we’ve changed it to be more consistent with its functionality.

The Microsoft.PowerShell.PSAdapter is a module that identifies scripts and tools on the user
machine that can help users more convert native command output into PowerShell objects. We designed
this as a tool to help you discover what tools and scripts are available to help you convert native
output to PowerShell objects.

Note


Feedback Providers are an experimental feature of 7.4-preview3+ and so you will be required to use one of the 7.4 previews for JSON Adapters to work and have `PSFeedbackProvider` experimental feature enabled .

Installing PowerShell Adapter Feedback Provider

The release is available from the PowerShell Gallery.

Use the following command to install using PowerShellGet v2.x:

Install-Module -Name Microsoft.PowerShell.PSAdapter -AllowPrerelease

If you are using PSResourceGet, you can use the following command:

Install-PSResource -Name Microsoft.PowerShell.PSAdapter -AllowPrerelease

To use it you must import the module into your session:

Import-Module Microsoft.PowerShell.PSAdapter

We encourage you to include this command in your $PROFILE so that it’s loaded in every PowerShell
session you start.

What are PowerShell Adapters?

A PowerShell Adapter is a script that converts the text output of a native executable and converts
it to PowerShell objects. The PowerShell Adapter module is a feedback provider that identifies these
scripts and provides suggestions when you run the native command without any adapter script. You can
read more about feedback providers in our blog post, What are feedback providers?.

You can make PowerShell Adapters for any command. Just use the exact name of the command as the
prefix to the script so that the module can identify the script and suggest it. For example, you
must name the script <name of command>-adapter.ps1 so that the PowerShell Adapter can identify it
as a adapter script. This script’s file location must included in your $env:PATH variable to be
found.

Creating an Adapter

For example, you want to use the macOS command vm_stat like a PowerShell object. Create a file
called vm_stat-adapter.ps1 and add the location of this file to your $env:PATH variable. The
PowerShell Adapter Feedback Provider will identify it as a possible suggestion for vm_stat.

Here is an example PowerShell Adapter for vm_stat:

[CmdletBinding()]
param ( [Parameter(ValueFromPipeline=$true)][string]$inputObject )
BEGIN {
    $h = @{}
}

PROCESS {
    if ( $inputObject -match "^Mach Virtual") {
        if ($inputObject -match "page size of (d+) ") {
            $h['PageSize'] = [int]$matches[1]
        }
    }
    else {
        $k,$v = $inputObject -split ":"
        $AdjustedK = ($k -replace "[ -]","_").trim() -replace '"'
        $AdjustedV = "$v".Trim() -replace ".$"
        $h[$AdjustedK] = [int64]$AdjustedV
    }
}

END {
    [pscustomobject]$h
}

The following shows the suggestion from the Feedback Provider when you run vm_stat without the
adapter script:

Screenshot showing vm_stat suggestions.

For another example, we can create a PowerShell Adapter for the df utility using the TextUtility
PowerShell module. We just need to create a df-adapter.ps1 script and include the following:

$input | ConvertFrom-TextTable -ConvertPropertyValue

DF utility adapter

Support for jc

The JSON Converter, jc, is a command line utility that converts text output to JSON for variety of
command line tools. The PowerShell Adapter module can suggest using jc as an adapter if the user
has it installed. When you use a command supported by jc, the PowerShell Adapter Feedback Provider
suggests using jc piped to ConvertFrom-JSON.

You can find instructions on how to install jc and more details about the tool in their
source code repository. When jc supports the native command, this can be the simplest way
to convert the output without needing to write a PowerShell Adapter. You can see this suggestion in
the previous screenshot for the df example.

The jc command supports many native commands, however, the Feedback Provider only provides jc
suggestions for the following commands:

"arp", "cksum", "crontab", "date", "df", "dig", "dir", "du", "file", "finger",
"free", "hash", "id", "ifconfig", "iostat", "jobs", "lsof", "mount", "mpstat",
"netstat", "route", "stat", "sysctl", "traceroute", "uname", "uptime", "w", "wc",
"who", "zipinfo"

Also, you need to use the appropriate parameters with your native command for jc to work properly.
For example, if you want to use jc with uname, you need to use uname -a because that produces
the output that jc expect to convert to JSON.

Predictive IntelliSense Support

We’ve also added Predictive IntelliSense support for the PowerShell Adapter feedback provider. With
Predictive IntelliSense enabled, the PowerShell Adapter Feedback Provider provides suggestions that
Predictive IntelliSense will show you on the command line. This makes it easy to try immediately,
rather than manually running the suggestion.

Screenshot showing predictive intellisense support

Feedback

We really appreciated the feedback we got on the first announcement of this tool and would love to
continue getting great feedback! The GitHub repository for this tool is still named
JSONAdapters, however the module name is Microsoft.PowerShell.PSAdapter and any reference to
this tool will be PowerShell Adapters going forward. You can submit any feedback to the
JsonAdapter repository.

Thank you so much!

Steven Bucher

PowerShell Team

The post PowerShell Adapter Feedback Provider appeared first on PowerShell Team.

PSResourceGet Preview 24 is Now Available

This post was originally published on this site

Microsoft.PowerShell.PSResourceGet is a continuation of the PowerShellGet 3.0 project. The latest preview release of this module under the new name is now available on the PowerShell Gallery. This release contains improved publish support, new aliases and many bug fixes. This is the last planned preview release before we release a “Release Candidate (RC)” of the module. From there we don’t expect to make any changes before we make the module “Generally Available (GA)”.

How to install the module

To install from PSResourceGet previews (which is included in PowerShell 7.4 Preview 4)

Install-PSResource Microsoft.PowerShell.PSResourceGet -Prerelease

To install from PowerShellGet 2.2.5

Install-Module -Name Microsoft.PowerShell.PSResourceGet -AllowPrerelease

What is included in this preview

For the purposes of this blog post, this list includes changes from both beta23 and beta24.

New Features

  • *-PSResourceRepository -Uri now accepting PSPaths
  • Add aliases for Install-PSResource, Find-PSResource, Update-PSResource, Publish-PSResource (‘isres’,’fdres’,’udres’,’pbres’)
  • Add support for NuGet.Server application hosted feeds
  • Add Import-PSGetRepository function to import existing v2 PSRepositories into PSResourceRepositories
  • Add ‘Get-PSResource’ alias to ‘Get-InstalledPSResource’
  • Add -ApiVersion parameter to Set-PSResourceRepository
  • Add support for FindNameGlobbing scenarios (i.e -Name az*) for MyGet server repository (V3)
  • Support Credential Persistence for Publish-PSResource
  • Support publishing with a prerelease dependency

Bug Fixes

  • Better error handling for scenario where repo ApiVersion is unknown and allow for PSPaths as URI for registered repositories
  • Bug fix for Uninstall to remove older versions of a package that are not a dependency
  • Bug fix for Publish finding prerelease dependency versions
  • Fix pagination for V3 search with globbing scenarios
  • Bug fix for publishing with ExternalModuleDependencies
  • Update Save-PSResource -Path param so it defaults to the current working directory
  • Allow environment variables in module manifests (Thanks @ThomasNieto!)
  • Updating prerelease version should update to latest prerelease version
  • Enable UNC Paths for local repositories, source directories and destination directories (Thanks @FriedrichWeinmann!)
  • Bug fix for version parsing in Publish-PSResource
  • Bug fix for Get-InstalledPSResource returning type of scripts as module
  • Bug fix for finding all versions of a package returning correct results and incorrect “package not found” error
  • Bug fix for saving module dependencies
  • Add parameters to Install-PSResource verbose message
  • Bug fix for parsing required modules when publishing
  • Bug fix for saving dependency modules in version range format
  • Bug fix for updating to a new version of a prerelease module
  • Set-PSResourceRepository run without -ApiVersion paramater no longer resets the property for the repository
  • Many error handling updates

Breaking Change

  • Update to Find-PSResource to return packages from all criteria matching repositories, in priority order, by default.

For a full list of changes please refer to the changelog.

Documentation Updates

As a part of our efforts with this module we have also been updating the documentation for this module. We recently updated the documentation on supported repositories to include more information on how to publish. Please check out the documentation and give us feedback in this repository so we can make improvements.

We also recently added an examples folder to our repository with examples for the expected behavior of Find and Install.

How to give feedback and Get Support

We cannot overstate how critical user feedback is at this stage in the development of the module. Feedback from preview releases help inform design decisions without incurring a breaking change once generally available and used in production.

In order to help us to make key decisions around the behavior of the module please give us feedback by opening issues in our GitHub repository.

Sydney

PowerShell Team

The post PSResourceGet Preview 24 is Now Available appeared first on PowerShell Team.

Announcing PowerShell Crescendo 1.1.0-RC1

This post was originally published on this site

We’re pleased to announce the release of PowerShell Crescendo 1.1.0-RC1. Crescendo is a
framework to rapidly develop PowerShell cmdlets for common command line tools, regardless of
platform. This release includes improved support for PSScriptAnalyzer, improvements to error
handling, and the addition of ExcludeAsArgument parameter property.

This is a community driven release built from the many suggestions and requests received directly or
from our Github. Thank you PowerShell Community for your adoption and suggestions!

The Release Candidate is now available for download on the PowerShell Gallery.

Installing Crescendo

Requirements:

  • Microsoft.PowerShell.Crescendo requires PowerShell 7.2 or higher

To install Microsoft.PowerShell.Crescendo:

Install-Module -Name Microsoft.PowerShell.Crescendo -AllowPreRelease

To install Microsoft.PowerShell.Crescendo using the new PowerShellGet v3:

Install-PSResource -Name Microsoft.PowerShell.Crescendo -PreRelease

Highlighted features

This Release Candidate includes many fixes and suggestions. Here are just a few of the highlights
added for this release.

Using ScriptAnalyzer with exported module generates a ton of output

Using PSScriptAnalyzer on a Crescendo generated module could result in several violations of the
PSAvoidTrailingWhiteSpace rule. This was due to an additional trailing space after generated
commands. The code generator for Crescendo has been updated to remove the trailing whitespace.

Increase UX of Crescendo-generated cmdlets

Crescendo is designed to pass parameters defined in the configuration as arguments to the native
application. There are times when you may wish to pass a parameter to the output handler but not the
native application. To enable this, a new boolean parameter property ExcludeAsArgument set to
true prevents the argument from being sent to the native application. The default is false.

"Parameters": [
        {
            "Name": "P1",
            "ParameterType": "string",
            "ExcludeAsArgument": true,
            "Mandatory": false,
            "Description": "Variable not sent to native app"
        }
    ],

CrescendoNativeErrorQueue and -ErrorAction Stop

Handling errors using Pop-CrescendoNativeError may include multiple errors from the same
execution. This can happen when the cmdlet and the native command both emit an error that gets
enqueued by Crescendo. The architecture is modified so that the error queue is now local to the
cmdlet.

Crescendo should probably set $PSNativeCommandUseErrorActionPreference = $false

By default, $PSNativeCommandUseErrorActionPreference is set to true. This causes Crescendo to
produce an additional error record for every error. To prevent this, Crescendo changes the value to
false for each generated cmdlet.

Add the current version of the Crescendo module

Crescendo modules now include version and schema metadata at the top of the module.

# Module created by Microsoft.PowerShell.Crescendo
# Version: 1.1.0
# Schema: https://aka.ms/PowerShell/Crescendo/Schemas/2022-06
# Generated at: 07/13/2023 12:48:59

More information

To get started using Crescendo, check out the documentation.

Future plans

We value your ideas and feedback and hope you give Crescendo a try. Stop by our
GitHub repository and let us know of any issues you find or features you would like added.

The post Announcing PowerShell Crescendo 1.1.0-RC1 appeared first on PowerShell Team.

Desired State Configuration (DSC) Planning Update

This post was originally published on this site

Desired State Configuration (DSC) Planning Update – August 2023

Hey DSC enthusiasts! We’re bursting with excitement to share new information about the plans for Desired State Configuration (DSC). First off, we’d like to extend a massive thank you to our amazing community for your feedback. Your input helps shape the future of DSC, and we’re grateful for your continued support.

A big shout-out to the Dev Home and WinGet teams for announcing new features at the recent Build conference. These new features, documented here, are the first solutions to leverage capabilities of the new DSC platform, and we plan for them to be the first of many.

We want to give you a sneak peek at the foundational tenets planned for the new DSC vision, and we’re looking forward to refining them with your help.

What’s in the Pipeline?

As we move forward, we want to focus on the following tenets as the foundation of our new DSC vision:

  • Compatibility: We plan to ensure that existing community resources work without changes, including those written as PowerShell script and classes. Class-based resources are recommended but not required.
  • Transparency: Our new project repo is now public on GitHub, allowing the community to view and submit issues. We are intentionally making the project open from an early stage of development so the community has opportunity to give early feedback.
  • Cross-platform Support: In the open-source project, we plan to compile builds that work on Windows, Linux, and macOS.
  • Language Flexibility: Resource authors can write DSC resources in any interpreted or compiled languages accessible by the command line, including PowerShell. MOF as a format for configurations is no longer supported and is being replaced with the industry accepted JSON and/or YAML. JSON schema replaces MOF schema for resources while existing PowerShell script based resources that have MOF schema will be supported as-is.
  • Common Concepts: We aim to support or provide extensibility for concepts like composability, re-use, reboots, secrets, dependencies, and runas.
  • Low Barrier To Entry: We plan to carry forward the concept of simple “one-liner” authoring previously used by Script/nxScript, while making it easier for newcomers to adopt best practices like test automation.
  • Isolated Network Usability: We intend to make the command-driven platform usable in isolated networks. While we do not currently plan to reintroduce LCM, we will continue as an extensible platform that any configuration solution can leverage.
  • Environmental Dependencies: Our plans include allowing users to express environmental dependencies as assertions when authoring configurations. Examples of assertions could be scenarios like detecting when a machine needs to be rebooted before taking action.
  • Resource Input/Output: We’re working towards enabling users to pass output from one resource as input to another when authoring configurations.

It is important to note that this is an early preview of the next generation DSC, so we expect breaking changes to occur based on feedback during development.

Next Steps

We know this blog post raises many questions, and we’re eager to address them! We have requested an agenda item during the next DSC community call on August 9th, 2023, to discuss the vision and answer questions. Details about DSC community calls are published on the DSC community website.

For detailed how-to information, visit our GitHub repository. The project repository is where we plan to publish builds for testing as releases. Keep in mind that this is an ‘alpha’, akin to a ‘developer preview’ and not ready for production.

Please submit issues in GitHub to send feedback, even if it’s a request or idea. To get started, we would love to hear your requirements around:

  • Resource authoring experiences and tools
  • Ease of integration with your favorite configuration management solution
  • The new configuration syntax

Together, we’ll shape the future of Desired State Configuration.

Make it so!

The post Desired State Configuration (DSC) Planning Update appeared first on PowerShell Team.

Threat Actors Exploiting Ivanti EPMM Vulnerabilities

This post was originally published on this site

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, to target a Norwegian government network. Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.[1] Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.[2]

CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability allows unauthenticated access to specific application programming interface (API) paths. Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.

According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability CVE-2023-35081.[2] CVE-2023-35081 is directory traversal vulnerability [CWE-22] in EPMM. This vulnerability allows threat actors with EPMM administrator privileges the capability to write arbitrary files, such as webshells, with operating system privileges of the EPMM web application server. The actors can then execute the uploaded file.[2]

CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog on July 25, 2023, and CVE-2023-35081 on July 31, 2023.

CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices. Threat actors, including APT actors, have previously exploited a MobileIron vulnerability [3],[4].

APT Actor Activity

The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and:

  • Perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD).
  • Retrieve LDAP endpoints [T1018].
  • Use API path /mifs/aad/api/v2/authorized/users to list users and administrators [T1087.002] on the EPMM device.
  • Make EPMM configuration changes (Note: It is unknown what configuration changes the actors made).
  • Regularly check EPMM Core audit logs [T1005].

The APT actors deleted some of their entries in Apache httpd logs [T1070] using mi.war, a malicious Tomcat application that deletes log entries based on the string in keywords.txt. The actors deleted log entries with the string Firefox/107.0.

The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM. Other agents were used; however, these user agents did not appear in the device logs. It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands [T1059].

The APT actors tunneled traffic [T1572] from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet [T1090.001]. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT actors likely installed webshells [T1505.003] on the Exchange server in the following paths [T1036.005]:

  • /owa/auth/logon.aspx
  • /owa/auth/logoff.aspx
  • /owa/auth/OutlookCN.aspx

NCSC-NO also observed mi.war on Ivanti Sentry but do not know how the actors placed it there.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1—Table 7 for all referenced threat actor tactics and techniques in this advisory.

Table 1: APT Actors ATT&CK Techniques for Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

The APT actors exploited CVE-2023-35078 in public facing Ivanti EPMM appliances since at least April 2023.

Table 2: APT Actors ATT&CK Techniques for Execution

Technique Title

ID

Use

Command and Scripting Interpreter

T1059

The APT actors may have exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands.

Table 3: APT Actors ATT&CK Techniques for Discovery

Technique Title

ID

Use

Account Discovery: Domain Account

T1087.002

The APT actors exploited CVE-2021-35078 to gather EPMM device users and administrators.

Remote System Discovery

T1018

The APT actors retrieved LDAP endpoints.

Table 4: APT Actors ATT&CK Techniques for Persistence

Technique Title

ID

Use

Masquerading: Match Legitimate Name or Location

T1036.005

The APT actors likely installed webshells at legitimate Exchange server paths.

Server Software Component: Web Shell

T1505.003

The APT actors implanted webshells on the compromised infrastructure.

Table 5: APT Actor ATT&CK Techniques for Defense Evasion

Technique Title

ID

Use

Indicator Removal

T1070

APT actors deleted httpd access logs after the malicious activities took place using string Firefox/107.0.

Table 6: APT Actor ATT&CK Techniques for Collection

Technique Title

ID

Use

Data from Local System

T1005

APT actors regularly checked EPMM Core audit logs.

Table 7: APT Actor ATT&CK Techniques for Command and Control

Technique Title

ID

Use

Protocol Tunneling

T1572

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

Proxy

T1090

The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure.

The actors tunneled traffic from the internet to at least one Exchange server.

Proxy: Internal Proxy

T1090.001

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

EVIDENCE OF VULNERABILITY METHODS

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-30578:

id: CVE-2023-35078-Exposure

 

info:

  name: Ivanti EPMM Remote Unauthenticated API Access

  author: JC

  severity: critical

  reference:

    – https://nvd.nist.gov/vuln/detail/CVE-2023-35078

  description: Identifies vulnerable instances of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass.

  tags: ivanti, mobileiron, epmm, auth-bypass

 

requests:

  – method: GET

    path:

      – “{{RootURL}}/mifs/aad/api/v2/ping”

 

    matchers-condition: and

    matchers:

                   

      – type: status

        status:

          – 200

       

      – type: word

        part: body

        words:

          – “vspVersion”

          – “apiVersion”

        condition: and

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:

id: CVE-2023-35081

 

info:

  name: Ivanti EPMM Remote Arbitrary File Write

  author: JC

  severity: High

  reference:

    – https://nvd.nist.gov/vuln/detail/CVE-2023-35081

  description: Identifies vulnerable unpatched versions of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10.0.3, 11.9.1.2, and 11.8.1.2 that allows an authenticated administrator to perform arbitrary file writes to the EPMM server.

  tags: ivanti, mobileiron, epmm

 

requests:

  – method: GET

    path:

      – “{{RootURL}}/mifs/c/windows/api/v2/device/registration”

 

    matchers-condition: and

    matchers:

                   

      – type: status

        status:

          – 200

       

      – type: regex

        part: all

        regex:

          – ‘.*?VSP ((0?[0-9]|10)(.d+){1,3}|11.(0?[0-7])(.d+){1,2}|11.8.0(.d+)?|11.8.1.[0-1]|11.9.0(.d+)?|11.9.1.[0-1]|11.10.0.[0-2]).*’

Run the following NCSC-NO-created checks to check for signs of compromise:

  1. Investigate logs in centralized logging solutions or forwarded syslogs from EPMM devices for any occurrences of /mifs/aad/api/v2/.
  2. Look for spikes or an increase of EventCode=1644 in the AD since at least April 2023. The LDAP queries performed by EPMM when the threat actor used the MIFS API generated tens of millions of this event code. Also look for EventCodes 4662, 5136, and 1153.
  3. To detect tunneling activity through Sentry, look for traffic from EPMM devices to other internal servers, as well as TLS traffic towards instances of EPMM with different TLS certificates than the instance itself would possess. Traffic to EPMM with certificates originating from endpoints further inside the network, e.g. standard Windows generated certificates such as CN=EXCHANGE01 or similar.
  4. Perform forensic analysis of disk and memory since log retention may be poor and threat actors have been observed deleting log entries. Pay particular attention to unallocated disk space (free space on filesystem).
  5. Check for activity from ASUS routers in your own country towards EPMM and Sentry devices.

INCIDENT RESPONSE

If compromise is detected, organizations should:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or to NCSC-NO via NCSC-NO’s 24/7 Operations Center (cert@ncsc.no or +47 23 31 07 50).

MITIGATIONS

CISA and NCSC-NO recommend organizations:

  • Upgrade Ivanti EPMM versions to the latest version as soon as possible. See Ivanti CVE-2023-35081 – Remote Arbitrary File Write for patch information. This patch protects against CVE-2023-35078 and CVE-2023-35081.
    • See the Evidence of Vulnerability Methods section of this advisory for CISA-developed nuclei templates to find any EPMM versions vulnerable to CVE-2023-35078 and CVE-2023-35081.
    • Organizations using unsupported versions (i.e., versions prior to 11.8.1.0) should immediately upgrade to a supported version. If you cannot immediately upgrade, apply the Ivanti-provided RPM fix for CVE-35078 (this workaround does not protect against CVE-2023-35081):
  • Treat MDM systems as high-value assets (HVAs) with additional restrictions and monitoring. MDM systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
  • Follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and NCSC-NO also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and NCSC-NO recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started: 

  1. Select an ATT&CK technique described in this advisory (see Table 1–Table 7).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Ivanti: CVE-2023-35078 – Remote Unauthenticated API Access Vulnerability

[2] Ivanti: CVE-2023-35081 – Remote Arbitrary File Write

[3] CISA: Potential for China Cyber Response to Heightened U.S.-China Tensions

[4] CISA: Top Routinely Exploited Vulnerabilities

ACKNOWLEDGEMENTS

Ivanti contributed to this joint advisory.

VERSION HISTORY

August 1, 2023: Initial version.

APPENDIX: INDICATORS OF COMPROMISE

NCSC-NO observed the following webshell hash:

c0b42bbd06d6e25dfe8faebd735944714b421388

NCSC-NO observed the following hash of mi.war:

1cd358d28b626b7a23b9fd4944e29077c265db46

NCSC-NO observed the following JA3 Hashes used against MobileIron Core:

2d5bd942ebf308df61e1572861d146f6

473cd7cb9faa642487833865d516e578

579ccef312d18482fc42e2b822ca2430

849d3331f3e07a0797a02f12a6a82aa9

8d9f7747675e24454cd9b7ed35c58707

ad55557b7cbd735c2627f7ebb3b3d493

cd08e31494f9531f560d64c695473da9

e1d8b04eeb8ef3954ec4f49267a783ef

e60dc8370ecf78cf115162fbc257baf5

e669667efb41c36f714c309243f41ca7

e84a32d43db750b206cb6beed08281d0

eb5fdc72f0a76657dc6ea233190c4e1c

NCSC-NO observed the following JA3 Hashes used against Exchange when tunneling via EPMM Sentry:

0092ce298a1d451fbe93dc4237053a96

00e872019b976e69a874ee7433038754

01ecd9ab9be75e832c83c082be3bdf18

0212a88c7ed149febdefa347c610b248

02be3b93640437dbba47cc7ed5ab7895

03f8852448a85e14f2b4362194160c32

045f8ccdac6d4e769b30da406808da71

04e7f5787f89a597001b50a37b9f8078

070f9fe9f0ec69e6b8791d280fde6a48

07a624d7236cca3934cf1f8e44b74b52

09df72c01a1a0ad193e2fff8e454c9c4

0b28842d64a344c287e6165647f3b3fe

0b8e1211de50d244b89e6c1b366d3ccf

0cb0380cf75a863b3e40a0955b1ada9f

0da24834056873a8cd8311000088e8be

0e1fad8ffaa7a939f0a6cbf9cd7e2fcd

0f6e78839398c245d13f696a3216d840

119f8c9050d1499b6f958b857868b8ce

11c506d5e3fb7e119c4287202c96a930

1336df27f94b25a25acac9db3e61e461

14671c3f8deca7d73a03b74cb854c21d

146caf9bd0153428f54e9ef472154983

14994353f3ea6fd25952a8c7d57f9ecf

151bc875df15d1385e6eb02f9edaba06

15a074a397727b26a846b443b99c20ff

1660f3d882a4311ca013ee4586e01fd9

16a74fc216f8a4ce43466bb83b6d3fd2

188623fdd056c4ed13d1ff34c7377637

19f51486abd40c9f0fc0503559a6c523

1a024e63721c610d2e54e67d62cd5460

1aa7dae8f2ae0a29402ed51819f82db4

1abfdeaadb74a0f7c461e7bab157b17f

1b6720ed0b67c910a80722ce973d6217

1b7d9368c6ce7623fdbc43f013626535

1e0850e10a00c9bbdd5c582ff4cb6833

1ec71612e438cf902913eec993475eb9

206fed3a39d9215c35395663f5bb3307

22cc1b3bc9f99d3a520ae58fee79a0d5

23e3e6fa8b23d9bc19e82de4e64c79e9

253fd4659bf21be116858bc0f206c5b9

276e175d4fe8454c4c47e966d8cb3fa3

289a450c7478dd52a10c6ed2fb47f7e9

2aa8ba7478b1362274666d714df575bc

2beecb6b9e386f29d568229a9953c3d2

2ebc7fdceaa9a0df556e989d77157006

3003024afe64b4e8a5a30825c14bbb12

3082e669dda9d023e2dcd8b9549a84a8

309d33c6f77a3fc75654c44c61596ccd

30a9f568eb3df79352fc587a078623b6

30be84e6b95f44c203f8e7fce7339a8e

3268a5097a543c7dbd82c39a9193b7fe

32775ead3ea1ad7db2f4bea67fe0cabb

34ac9a6ef5d285119abec50fbe41fcfe

34d92552e278710c1e84f0bd8dc3a6b8

361f47a6357cc6e3a9bcdd20cfaaf0e9

3685abc75517e61e47e52e5f2d060f54

3744004013135b9f9a05cb58cda8134d

37d952966ea7e79277803f13d7147544

391a4c2c7541b8b78e2f99bf586e9794

393662e5aa0cb49c5d666a6d10a1ade6

3962b622c5aa815afb803b92aa948424

3b22af324abded2781ed8f6a61f3654f

3b30b4555cc8b4b164ad03cf322cbea8

3bd1bdb5e90b9590a8878bff2ada8204

3be529eb3a7daaf34f963a22188f6139

3dd13faad1c45eb0c23e4567210f7eac

403273b51f91cf3c333695e5532cb2c3

404f56045e436d53ead2177bf957ba39

41854adbc73b0b58e5c566f60bb0df25

43c22dabb1e6d2449a39c2f7e974d537

476e72bbda5b78d188766139889e3038

4898a51256ae7d914a5ffd5695973470

49230c486f0fd383cd301fe162d6a786

4959a611b9885022d81b4bc8e4b1d149

495c6ff7ca0379ad0891bac47917d09a

49d2bd08038dc7dada221008591940f9

4c1b73ec52e6eec0c5d20577fcbc9ef1

4d34db639ba84b11822fb3dac47ed7d1

5244b163f9326a1e5eaa8860f7543f99

539f1a5183800a96228458932f9307f7

5466368d4659f1b1470bcb09e65b484d

549cde6535a884126755fc53f59a820c

555389e92c622b87d3fc395fd8723501

588d0b42e54174a98e1eca59945e8b32

58bc21d305a65c41745327f142f3ac12

59401c9a60449c742d073d93d1b7039a

59eec218522cc5c7743a0d37892a3345

59faf75430e9326d3ae9d231bb3ae8c6

5d0259ca16cfc2d7d1b0fac69f29ab05

5d55026fb84dba91ac01e2095504b1bc

5e35f50c692081fd6c7ddac1272e2d6c

5f4d5965af741bba59b7c8d3425f33dd

6010282004917ecf3900babf61456432

6088c2a04c94cdcd5a283a6d1622ffba

61dee38d2f97220efb1218ad8971e3ab

62ac194f2526eb45485526bca35c8f43

634296a023280d020674c873d0199760

635755dadfab8b92fb502aafb09122db

63fc58be0d7b48eaa34da7f752ae8ae6

6441640409815cfb4bf469e685e1bdb5

646973d1928c401ba80961c12cbf84a2

65eef0a0ee257254ef0418aa57192cfb

66f6a192083a7ab00ae8e0b5cc52e8f4

67a42e2e27ffc26d1f3d0ceb8384afd0

689385f1218e0d4c347595648ca6a776

692f91c0c5e9e93e0a24bd3392887ca1

69ecf52960c8bd9e746dfe9ee19c11f6

6e359f3bbc622e9b1ed36f6e3d521bcf

6e3650528f719fc50988a1f697644832

6ead0d5d3f87911c27f3ae0a75e6b5bc

6f1fa8b444caf0d8238f948279ca74e1

6fb8cdf567dd7d89d53b5771d769cb5f

706b6055658aff067ae370f23831ef6b

708140c311d3d69418f75c928e7535a0

719ec5da8f2153a436ee8567ff609894

7292ef4cdca529071fad97496e1c9439

74871691eac48156ce0da2cfa3ab401a

74cf24f2a66a31c88b6fcfe01f12160c

75e874d8e0a79697633b87ea5e798b1c

76c0d09fed2f33babb0de8ee2c07144c

77a01363fa2b29af25c004da9570e23c

78988c65e9b70e7929e747408d8f0b0e

79c6d12d168b85437384b20eb94e106b

7b4137b4e85f31a81bb5bafeda993947

7b9db1d58326c1fa276ba2a39bcc2617

7cbc7459db5327c26476549f225030f5

7cd727171c2522f51417edeeba4f1791

7e3630c67c802eabb67b108ad4d7ded7

802f5d34c230da40c0912a1c5a9b702b

80bd0f3610f6c4d60584a5be0b8a3016

819030799f0020ed724c2ef3ffaa56c6

8207129585da68066ed08e94216d76ee

821f649d08687e22f96cea99fbb5d3a3

830838cb0620d659405a74401cd72557

833d3201066f5184c874c73a2083c448

840f488b7c0a5d686d1e89908735f354

84301b967a4d9a242466c04901bad691

85c3fac6a9885362c448f434671e362f

883b9fe16e45c388968defc73a5fba7a

8a6b0ba3496eeca39d6d3f9bae830c90

8ad0fd4b78c89bd63b97343fda1eeccb

8b0ae9029974091df12210255aaecad6

8b297f8b219e968932293ee7a8242ca3

8bb1781e756a53cd00d9b2ec670fa21e

8d5515351afdf27b013f96a05bf45147

8fafa73e9985e05d0c1c964da770c567

905967b08bd44cfa60d969229921ac23

9188ef45ea917a91ec9b92b5dd8cd90d

918dfab0333ae15d61f14fd24b5eaaac

922a3272aad17c9eaad733696a4321da

9253399537fad8448f1d4732dd79f6fa

934a8a6528e91caa019acb76e791a71d

95588e0386206fa02912cfcaf18c1220

9610328cdaa4694800c2c93410f8ce82

9622902cc43f4a20d0d686a37e4d8232

96c41e4c4a1812187fb279b9299ad63b

984c4653a563b19c87f264611a6adc01

9980febfaf901d4113a1c473f79d7eb6

9a176d818edff838fc057cea3ee372c0

9ba21c5148913186a5bf877078cbc048

9cfda02ef7e04c469b77f8197a249c17

9d74d395bd2f72a47a5c980e6040df5a

9df128ebe0c82064aa746647883112c9

9e5613533972a9d42d2e3344a4e58566

9ec17429eed5446e3720796ab50d8c60

9f2438aaab4744c4b7b5b7287a783099

9f3bf94572344b36f6ef1689cb30c66e

9fdd7a85b3a4ef8ded73beb3e6218109

a1b732a9af792f75a68ed78d72ffb8f6

a260d836428cdb971bdf147ca6940160

a4f11b1eb659869a0ae70898a4a0e5ee

a596ebbcf438980c880d711315e4fdf1

a80b6a354b493264f37aa39d0d41b5fc

a89df6156eb5a2de196388d4a123b470

a96837fe533247abb7f88000d0216a50

a98cf0a359f430a00f4f3d522f5b6cc0

aa2fe3a253e169b05e1782ca57a688d2

aef0172a2c03f77912de0bbf14aee00f

af06c3e72f2f307515ba549174d8e5a6

b311ab82b30f41b12cb9089d00c4a1ff

b4f31423445b5f13675f205ac997f41f

b50666c9aed1c2f222c56b6e9b326d27

b53f179b3f25f72bb0c7ccf45bf8beee

b57f3e41c03803306b0ee2111f7ef823

b79434613820faf30d58f103c4415a29

b8366aaa5ed51c0dea3fc90ef7e14889

b8f6b0d234a305c25411e83fd430c624

b956ed2b848dabb4e79ab7358233861b

b9ecb08402df0f1f6e1ce76b8ad6e91f

ba4a616c8d4ab9358a82b321d8e618bf

bcd62f3e029f96f62c24d50d2d1402ac

bcf75736d176394f3df69f3e0ef7dd9f

be1f24457141d80206bc2e58f55dc879

c013f308d170aa2eca4a5b0f0bbd3ccb

c0a2fd066c955137036f92da2c3a3ff1

c17b3ec40ed5216e44311138aafaea2c

c262a39f49604f05a5656213f758cd46

c66f36eb180438882133717c3abb5157

c986c7bf720ce1463c3d628d2b3dad01

c9c16287cbbe5a037244e374ba84aecc

cbcd728a2350712b5747cd3447473deb

cbeeb123efe8cf7f842426b673415c28

ccb15eef4287c8efa472915bcb4ec458

ccdddb69e9344a039c4ac9c49a6f2d7b

cd1312be032256a10cf866af3e9afae9

ce0dd163d9e02bfd42d61024523cb134

ceef2e728db1b5ae15432f844eeb66e1

d12d98a0877f6e3c8b5a59f41cc4de9b

d131f17689f1f585e9bfdcdb72a626bb

d173076d97a0400a56c81089912b9218

d255291bb8e460626cb906ebacc670e5

d2cea317778ad6412c458a8a33b964fd

d3cfee76468a9556fd9d017c1c8ee028

d3d72f4c7038f7313ad0570e16c293bf

d485a1b5db2f97dc56500376d677aa89

d662d20507bebc37b99a4d413afa2752

d711d577b9943ab4e2f8a2e06bb963e3

d92e87d2689957765987e2be732d728e

d966c6c822122e96f6e9f5f1d4778391

daee31d7cc6e08ead6afad2175989e1d

dbb293176747fa1c2e03cbc09433f236

dc26ef761c7ec40591b1fe6e561b521d

dc9e6edeb7557bc80be68be15cebb77a

dddfbae77336120febd5ad690af3e341

e1f579227327ebb21cde3f9e7511db01

e3c642432a815a07f035e01308aaa8fc

e54329351788661f2a8d4677a759fc42

e82b7ad2c05f4617efbc86a78c1e61e9

e99cffa2afa064625f09e1c5aca8f961

ea6bd3db104ca210b5ad947d46134aaf

eb277d809a59d39d02605c0edd9333e9

ed82a50d98700179c8ae70429457477a

ef35374f4146b3532f0902d6f7f0ef8c

ef4c4d79f02ac404f47513d3a73e20c7

f05a5a60ad6f92d6f28fa4f13ded952f

f0776dfe17867709fdb0e0183ed71698

f20fbfd508e24d50522eadf0186b03eb

f3d751b0585855077b46dfce226cfea1

f4dd9bb28d680a3368136fb3755e7ea9

f804388f302af1f999e4664543c885a1

f8bcc8f99a3afde66d7f5afb5d8f1b43

f8d6f89aecf792e844e72015c9f27c95

f967460f8c6de1cedb180c90c98bfe98

f9d5cc0cbae77ea1a371131f62662b6b

fa4f1a3b215888bc5f19b9f91ba37519

fdff2bf247a7dad40bac228853d5a661

fe6e7fac4f0b4f25d215e28ca8a22957

fe9de1cdd645971c5d15ee1873c3ff8d

febba89b4b9a9649b3a3bf41c4c7d853

NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS):

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agents communicating with Exchange webshell:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.02272.101 Safari/537.36

Mozilla/5.0 (Linux; Android 5.1.1; SAMSUNG SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, Like Gecko) SamsungBrowser/6.4 Chrome/56.0.2924.87 Mobile Safari/537.36

Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.45 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1

NCSC-NO observed the following user agents communicating with Exchange Autodiscover:

ExchangeServicesClient/15.00.0913.015

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML  like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.0.0

NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agent communicating with Exchange (/powershell):

Windows WinRM Client