The Hurricane Labs Foundry: Volume 6 - Just “Root”ing Around

The goal of this blog is to inform viewers like you(™) about new and innovative information security and Splunk technology around the web, hot information security topics, and various in-house projects and observations that our Splunk and SOC analysts have been working on.

Welcome to another edition of the Hurricane Labs Foundry! I’m Tony Robinson, one of the security operations analysts at Hurricane Labs. The goal of this series is to inform readers about current security news and innovation to keep you aware of the latest threats and technology. Additionally, this series discusses various aspects of Splunk deployment, as well as observations and projects from the Hurricane Labs SOC.

The stories presented here are mostly short digests with links to source material in order for readers to get the full scoop, and additional context as required.

Please note: Tools, signatures, patches, resources, etc. that are linked to in this blog post are not the property of, and are in no way officially supported by Hurricane Labs. Remember to do your due diligence and test before deploying any new tools, signatures, patches or countermeasures!

Exim Remote Code Execution 0-day

Exim, a popular open-source SMTP server, appears to be suffering from a new Remote Code Execution vulnerability that was recently made public with a working Proof of Concept (PoC). According to the Exim mailing list, this vulnerability was made public with no private notice given to the developers in order to resolve this issue before public disclosure.

While there is a work-around currently available (see the link above), there is no patch yet available. With a publicly available PoC, this vulnerability is ripe for widespread exploitation. If you run Exim as a part of your mail infrastructure, it is advised that you deploy the work-around for the time being while the Exim dev team works on a patch for this issue. If you want to take a closer look at the bug and proof of concept code, the Exim bug tracker has more of this information available. Additionally, the Positive Research Team GitHub has made a Suricata signature available to detect attempts to exploit this vulnerability. The Suricata rule can be found here.

PacketTotal

I recently came across a website that allows users to submit packet captures for analysis. This website, dubbed “PacketTotal”, is almost like VirusTotal, except wholly dedicated to packet capture analysis. When a packet capture is uploaded, PacketTotal will analyze the capture with both the Bro and Suricata IDS platforms. Bro performs protocol and connection breakdowns, while Suricata provides IDS alert functionality to alert on known malicious or suspicious traffic signatures.

Be aware that if you use this service, other users can browse the uploaded captures and download them at will. Check it out here.

Spotting Powershell empire HTTP listeners in the wild

PowerShell Empire (or just “Empire” as it’s referred to by its users) is a PowerShell-driven post-exploitation framework that is ripe with options for the enterprising penetration tester or script kiddie out there. Tenable recently published an article on their blog about how one can fingerprint Empire’s HTTP command and control infrastructure by examining the response to an HTTP GET request for the web root (“/”) directory.

What’s more is that there are enough of these identifiers that you could write a Suricata rule easily enough:

alert http any any -> any any (msg:"PowerShell Empire HTTP C2 default web root response"; flow:to_client,established; content:"404 NOT FOUND"; http_stat_msg; content:"Pragma: no-cache"; http_header; content:"Expires: 0"; http_header; http_protocol; content:"HTTP/1.0"; http_content_len; content:"233"; reference:url,www.tenable.com/blog/identifying-empire-http-listeners; classtype:trojan-activity; sid:2000000; rev:1;)

This Suricata rule looks for HTTP traffic returning to a client, specifically using the HTTP 1.0 protocol, returning a “404 NOT FOUND” HTTP status message, with a Content-Length header of exactly 233 bytes, a “no-cache” Pragma header, and an Expires header of 0. Note that http_protocol and http_content_len are sticky buffers in Suricata, so they are placed before the content they apply to, while http_stat_msg and http_header are modifiers that follow their content. While this rule doesn’t use all of the unique fingerprints mentioned in the Tenable blog post, there are enough fingerprints here to result in very few false positives.
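The same five fingerprints can be checked outside of Suricata, which is handy for validating the rule against captured responses or for triaging a pcap offline. The following is an added example written for this post; it is not Hurricane Labs’ or Tenable’s code. All of the HTTP responses in it are constructed samples: the 233-byte body is padding, not Empire’s real default page, and the function and sample names are this example’s own.

```python
# Added example (not Hurricane Labs' or Tenable's code): apply the same five
# fingerprints the Suricata rule above uses to raw HTTP responses.
# Every response below is a constructed sample; the 233-byte body is padding.
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    version: str                                  # e.g. "HTTP/1.0"
    status_code: int
    reason: str                                   # e.g. "NOT FOUND"
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: bytes = b""


def parse_response(raw: bytes) -> HttpResponse:
    """Parse a raw HTTP/1.x response (status line + headers + body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed status line: %r" % lines[0])
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(version, code, reason, headers, body)


def matches_empire_default_root(resp: HttpResponse) -> bool:
    """Mirror of the rule: HTTP/1.0, "404 NOT FOUND", Content-Length 233,
    "Pragma: no-cache" and "Expires: 0".  Header values are compared exactly,
    which is stricter than Suricata's substring content match: a bare
    content:"233" on http_content_len would also fire on a length of 2330."""
    return (
        resp.version == "HTTP/1.0"
        and (resp.status_code, resp.reason) == (404, "NOT FOUND")
        and resp.headers.get("content-length") == "233"
        and resp.headers.get("pragma") == "no-cache"
        and resp.headers.get("expires") == "0"
    )


def scan(samples: dict) -> list:
    """Return the names of the samples whose response matches the fingerprint."""
    return [name for name, raw in samples.items()
            if matches_empire_default_root(parse_response(raw))]


# --- constructed samples (not real captures) ------------------------------
_FAKE_BODY = b"<html><body><h1>Not Found</h1></body></html>".ljust(233, b"\n")

SAMPLES = {
    # the shape the rule is looking for (constructed; body is padding)
    "empire_like": (
        b"HTTP/1.0 404 NOT FOUND\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: 233\r\n"
        b"Pragma: no-cache\r\n"
        b"Expires: 0\r\n"
        b"\r\n" + _FAKE_BODY
    ),
    # an ordinary web server 404: HTTP/1.1, mixed-case reason, no cache headers
    "nginx_404": (
        b"HTTP/1.1 404 Not Found\r\n"
        b"Server: nginx\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: 153\r\n"
        b"\r\n" + b"<html>not found</html>".ljust(153, b" ")
    ),
    # same headers but Content-Length 2330: a substring match on "233" would
    # still hit this in Suricata; the exact comparison above does not
    "length_2330": (
        b"HTTP/1.0 404 NOT FOUND\r\n"
        b"Content-Length: 2330\r\n"
        b"Pragma: no-cache\r\n"
        b"Expires: 0\r\n"
        b"\r\n" + b"x" * 2330
    ),
}

if __name__ == "__main__":
    print("fingerprint hits:", scan(SAMPLES))   # ['empire_like']
```

The third sample is the caveat worth carrying back to the rule: Suricata’s content match is a substring match, so if you want the Content-Length check to be exact you need to constrain it (for example with a size check on the buffer) rather than rely on content:"233" alone.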

The DNA of malicious files

The organization SupportIntelligence claims to have developed a method for converting files into a DNA-like representation, and to be able to use this clustering technology to rapidly detect known malware in the same family. It remains to be seen how well this works, but the organization has released a treasure trove of YARA signature files based on their DNA AI technology. You can download the YARA rules here. SupportIntelligence’s website can be found here.

OSX “I am Root” Local Privilege Escalation Vulnerability

It was reported by The Register that a privilege escalation bug exists in OSX “High Sierra” (AKA OSX 10.13, the newest release). Users of OSX can authenticate as the root user without needing to enter a password in authentication prompts. If you enter a username of root with no password, then hit enter a few times, you are granted root access. There are multiple videos popping up on social media demonstrating the bug working via the user login prompt (on boot) as well as via the unlock actions in the System Preferences menus. It has also been confirmed that this vulnerability can be triggered remotely via Apple Remote Desktop and/or Screen Sharing/VNC applications.

While this is bad, fortunately it appears that Apple has released Security Update 2017-001 as an official patch for this issue. If for some reason you cannot immediately apply this update, the work-around is simple to implement: enable the root account, set a complex password on it, then disable the root account again. Here is a link to a story by CSO Online’s Steve Ragan full of details on the scope of the issue and complete work-around instructions.

Feel free to check out the Hurricane Labs blog brief and video on this as well.

Unofficial guide to Mimikatz & Command Reference

Sean Metcalf is an expert on securing Microsoft Active Directory networks. I’ve had the pleasure of meeting Sean face-to-face many times. In addition to being a Microsoft MVP and extremely knowledgeable, he’s a really down-to-earth guy.

Recently, he linked to a resource he made on his website, adsecurity.org, that serves as a well-done and extremely detailed guide to the tool Mimikatz. Don’t know what Mimikatz is? Want to learn more? Check out his guide here.