Introduction to fuzzing

Nowadays, most of the applications we use are getting more and more complex. Every user input and every field in a configuration file can be the cause of a crash, and it is getting harder to test programs manually while covering all the cases.
Fuzzing, on the other hand, is an automated testing technique that makes it possible to cover infinitely many test cases. Fuzzers feed a program unexpected or random input data while monitoring its behaviour. The goal is to make the program crash or behave unexpectedly while it processes the unexpected input.

Getting Data into Splunk

In the first blog post (Introduction to Splunk), I walked you through the process of getting Splunk installed on your Linux systems. Now I will talk about how you can collect logs from remote servers. You can get data into your Splunk platform instance in a number of ways; the best way depends on the location and volume of the data, your infrastructure and your security needs. In this blog post, you will learn how to use a universal forwarder to collect logs from remote servers. The Universal Forwarder is the best mechanism for collecting logs from servers and end-user systems.

Introduction to Splunk

Splunk is a software platform that collects and stores all this machine data in one place. It makes it as easy to search through and investigate that data as using Google. Basically, it's Google for log files! Beyond troubleshooting, you can use this search capability to build reports and dashboards to monitor performance, reliability, or other metrics across a whole collection of related servers and devices, and even create alerts to warn you by text or email when something is going wrong.

PowerShell Obfuscation Techniques

Fileless attacks are becoming a popular technique used by adversaries in cyber attacks. Attackers often use PowerShell to run fileless malware, which consists of non-binary payloads that anti-virus solutions cannot easily detect. Adversaries rely on obfuscation techniques to hide their malicious payload and to avoid detection of their attack. Today we will learn how and why attackers use PowerShell.

What is PowerShell?

PowerShell was initially created by Microsoft as a powerful task-based command-line shell and scripting language built on .NET. Windows PowerShell is a popular tool for performing admin tasks and, like any useful tool, can be leveraged by adversaries. PowerShell can easily import modules, access core Windows APIs, execute remote commands, run an executable through the Start-Process cmdlet, and run a command locally or on a remote computer through Invoke-Command. This makes PowerShell a lethal weapon in the hands of malware writers. PowerShell provides easy access to all major functions of the operating system, and its versatility makes it an ideal candidate for any purpose, whether the user is a defender or an attacker.

Reasons why attackers use PowerShell

Creating a malicious Word Document using macro

Malicious office documents are one of the main attack vectors for attackers trying to compromise a system.

There are 2 main methods to create a malicious Word Document:

  1. CVE-based.
  2. Functionality-based.

Both methods have their pros and cons, but the main problem with the CVE-based approach is that it usually requires the target to be running specific versions of the software. In reality, we are not always aware of the exact version of the software installed, so using the CVE-based approach can lead to a failed attack attempt.

On the other hand, the functionality-based approach, as can be understood from the name, uses functionality that is part of the software itself (Microsoft Word, in our case) and can be successfully executed on all versions of the software.

In this article, the functionality-based approach will be discussed, with the main focus on macros.

Learning About Process Hollowing

Process hollowing is a useful sub-technique of process injection used by adversaries to execute malicious code in the context of an otherwise legitimate process. It can potentially be used as a privilege escalation method while bypassing any process-based defenses that may be implemented on the system.

In this article we will take a deeper dive into the topic and create a Windows executable that writes our malicious shellcode inside a legitimate process.

To understand this technique more thoroughly, I suggest first checking this post about Windows processes and how they work.

In essence, this technique consists of three main stages:

  • creating or finding a process to inject into
  • injecting our shellcode inside this process
  • resuming the execution of the target process

Many different techniques can be used for each of these stages; as time goes by, I will be expanding this post to cover more of them.

Here I will be developing a native executable using Visual Studio via P/Invoke techniques. Initially, let's set up our environment.

Threat Modelling is Important!

Intro

Today I wanted to write a bit about threat modelling. Unfortunately, in our local information security culture, terms such as penetration testing and red teaming exercises overshadow threat modelling. If you have had a proper introduction to cyber security, you will have heard about the famous CIA (Confidentiality, Integrity and Availability) triad and the notion of a threat violating these values. But how often do we actually apply what we learned in practice?

This is where threat modelling comes in.

“Experience shows that nearly 50% of security flaws will be discovered from Threat Modeling because it finds different threats than those found through other assessment techniques.”

 - Michael Howard, Security Architect, Microsoft