Posts

  • Arbitrary File Read in Jenkins via args4j (CVE-2024-23897)

    Arbitrary File Read in Jenkins via args4j (CVE-2024-23897) - is this another log4j? Please note that this analysis covers the vulnerability of @ expansion, not the entire attack chain possible from the advisory. Background The hot thing in the cyber security press this morning (25 JAN 2024) is a vulnerability in Jenkins allowing attackers to read arbitrary files. Jenkins has had a few vulnerabilities over the years, likely due to its incredible popularity and dominant...
    Read more...

  • TGI HUNT Ruleset Update

    TGI HUNT - Update January 2024 Hey all, I’ve decided to start being more verbose about this project’s activity in the hope of generating more feedback from people checking it out. Documentation Documentation will slowly appear in the ruleset as reference links to this site. If there is a particular rule you’d like to know more about, simply open a GitHub issue here and I will bump it to the top of the documentation queue....
    Read more...

  • Easily Assemble Regular Expressions

    List to regular expression Have you ever encountered a list like this and thought “I wish I could easily create a regex to cover all these possible values”? source I have a Linux-based method to share which makes this task easy by leveraging an incredible Perl module called Regexp::Assemble Step 1 - create a list In our example, we’d like to capture all the possible values behind the ${ characters (we’ll deal with the...
    Read more...

  • Behavioral xbits with Suricata

    The Setting: While attempting to build detection for DeepRats as revealed by @benkow_, I had what I think is a pretty good idea about using xbits. I’ll admit it’s a bit basic, but I think sometimes the best ideas are deceptively simple. The Idea: 1.) observe potentially malicious behavior, set an xbit 2.) observe another potentially malicious behavior, set another xbit 3.) build detection consisting of a good fast_pattern match and xbits checks...
    Read more...

  • 2032936 - Suspected Sliver DNS CnC FP Report

    Background It appears that SMTP MTAs and SMTP spam gateways utilizing DKIM sometimes make many _domainkey DNS TXT requests, which occasionally generate a false positive alert (FP) for rule 2032936. The cause of these alerts is a bit of inexact rule logic, which sometimes matches legitimate requests greater than a certain length that start with the underscore character: content:"_"; depth:1; content:"_domainkey"; distance:8; For example, this non-malicious request generates a FP: _conversica._domainkey.servicios.redactado.com This example request would...
    Read more...

  • Cobalt Group Report

    Cobalt Group Report Update/correction It has been brought to my attention that the attribution of this activity to Cobalt Group is not ironclad and may change in the future. Recently an excellent report by Checkpoint was published explaining recent developments of the Cobalt Group threat actor group. The Checkpoint report covers a lot of interesting TTPs and the evolution of techniques and procedures, but for now we will focus on detecting the unique C2 used...
    Read more...

  • Machete Malware Unsheathed

    Machete Following on the excellent reporting by ESET, I decided to have a look at the malware myself to see if I could tease out Suricata signatures. The sample I found was a SFX Rar file that launched another SFX Rar containing several py2exe files: ;El comentario siguiente contiene secuencias de órdenes para auto extracción Setup=GoogleCrash.exe TempMode Silent=1 Overwrite=1 Within the decompiled exe files, we can see the python code used to generate the network...
    Read more...

  • About the Anubis Sinkhole

    A question that frequently comes up is: “What is the Anubis Networks Sinkhole, and what does it mean when I see IDS alerts for it?”. What is a Sinkhole? When you type a domain name like “google.com” into your browser’s address bar, your computer generates a DNS request to turn that name into an IP address. The same process happens when your computer is infected with a malicious program, and that program wants to communicate...
    Read more...

  • Online Safety - Top 10 Tips

    These are my top tips for remaining safe online: Only install apps from the default authorized app store Never install something because you are asked to Never open unexpected email attachments Check links in email before clicking Use two-factor authentication for banking and email logins Use a password manager Don’t reuse passwords If you think something is a scam, search the web for similar scams Use antivirus software, but know it is a 65%...
    Read more...

  • AutoIDS vs SIGPIPE

    Round 1: The problem Have you ever used Flask’s built-in web server and thought “this is probably good enough to use for my little thing”? I’ve discovered that it isn’t good for production, and it took a few missteps to find out why. I deployed AutoIDS on a low cost VPS, fired up the .py file, and after a few hours/days, the app would simply hang. If you pressed ctrl+c in the console window, you’d...
    Read more...

  • Dangerous Paste

    How many times have we been working hard on an issue, searching forums, blog posts, Stack Overflow, etc., and come across a proposed solution that says “just paste this into your terminal”? In the heat of the moment it is easy to forget that this situation deserves caution. The problem is that it is easy to sneak extra commands into those cut/copy/pastes thusly: example 1: git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e...
    Read more...

  • Introducing AutoIDS

    Have you ever been on the road or mobile, and you don’t have a Snort/Suricata test environment set up? AutoIDS is a new(ish) research tool running many versions of Suricata and Snort in a web app. You can use it to: check for malicious traffic develop sigs test basic sig performance test pcap for malicious traffic check for INFO level events in traffic Using AutoIDS To use it simply visit the front page and click...
    Read more...