Is Windows SID registry important?

Within the Windows universe there are countless features and details that, given their magnitude and depth, could in turn make up multiple universes in which to wander, learn and, above all, get lost.

In today’s article we are going to take a break from Windows Security Identifiers, hoping to reveal (or remind) some of the possibilities it offers us. First, a bit of theory.

What is the SID? The SID (Security Identifier), briefly explained, is the equivalent of our National ID Card. That is, Windows generates a unique and unalterable SID for each of its entities. An entity is understood as everything that can be authenticated by the Operating System (users, groups, processes, etc.). Ultimately, thanks to this mechanism, the domain user Paco will forever have his own identifier, as will the group of Domain Administrators.

[Read more…]

So you want to go into cybersecurity…

This post has been prepared with the invaluable (and necessary) help of Maite Moreno (@mmorenog) and the cybersecurity team of S2 Grupo.


One of the good things that Information Security shares with other IT disciplines is the wide variety of training resources available, both free and for tight budgets.

Without a large financial investment, anyone with time and desire (and a minimum knowledge of technical knowledge, for which there is another large number of resources that we will not cover here) can be trained from practically zero to expert levels in practically any area of cybersecurity.

Below are some of the resources available on the Internet for free or for a reduced cost, bearing in mind that:

  • This list is not intended to be exhaustive. Feel free to comment on any content you think is missing and we will add it as soon as we can.
  • Some platforms have a freemium approach, combining free content and functionalities with paid ones.
  • Although the less technical areas of Information Security such as GRC are less (very little) represented in the list, the more generalist training sites include courses on data protection, control frameworks, risk management, etc.
  • Most of the courses are in English, so a minimum level is required to understand instructions and texts. This level is essential nowadays in the field of information technology.
  • Blogs, vblogs and podcasts on Information Security are left out, but there are plenty of extremely useful resources. This includes the thousands of webinars on every conceivable topic.
  • Nor have we included more general platforms such as edX or Coursera, which nonetheless contain many courses from prestigious universities and organizations.
  • Finally, we have not included courses from the device manufacturers, software or cloud providers, which in some cases are free, and which sometimes also provide free versions (with limitations) of their products. AWS, Tenable or Splunk come to mind, but there are many others.
[Read more…]

Omnium against Omnes (II): Towards political realism

In the previous article we commented on the impact of the possibility of anonymity in cyberspace. In this post we are going to investigate this issue and expose the details that explain the existence of anonymity, as well as the consequences in the geopolitical context.

Anonymity

The five factors make it impossible to directly attribute a cyberwarfare action to a nation are the following:

1.  The fact that the virtual environment is made up of information allows all types of users to create and modify artifacts, limited only by permissions. This means that there is no complete translation of the physical element to the virtual one and, therefore, there is no total control over it. Consequently, it is not possible to guarantee the immutability of the elements of the environment, i.e. what actions have been performed or by whom.

2. There is the factual impossibility of assigning a virtual profile of a nation. The problems related to attribution, based on the previous point, make it impossible to relate two campaigns separated in time only on the basis of their tactics, techniques and procedures. Even with an indicator such as the hash, there is no 100% guarantee that it is exactly the same actor, since the code could have been stolen or manipulated beforehand.

[Read more…]

Omnium against omnes (I): Foucault in cyberwarfare

There is no doubt that, in recent years, the number of politically motivated cyberspace operations has been increasing. Under the analysis of the geopolitical context, we can find one of the causes of the rise of this new model of warfare.

Not since World War II has there been a warlike conflict between two First World nations. This shows how the major nations have shifted the clash of interests to less classical methodologies, such as the use of subsidiary wars, commercial warfare and, in recent years, cyberwarfare.

However, it is the use of cyberwarfare that makes it possible to interpret the current geopolitical context, since it offers a series of particularities, as a conflict, that allow it to be adapted to contemporary international relations.

[Read more…]

Bypassing AV/EDR with Nim

TL;DR

Nim is a not too well known language that has interesting features that make it very appealing in attack scenarios. Here is a demonstration of its capabilities to bypass AV/EDRs and a journey into learning the language.

Motivation

The knights who say Nim

For quite some time now there had been a strange talk around in the cybersec community that often reminded me of the scene at the Monty Python and the Holy Grial movie. For whatever reason, these cybersec knights kept saying “Nim” all the time. When I finally found the time I took a deep look at this weird talk to try to decipher it’s meaning. And to find out whether or not this hype held the key to any kind of Holy Grial. Once I did, I can say that I do believe it does. Now, I myself have joined these knight’s peculiar order’s ranks. Out of that trip an interesting tool was born, and here’s what I found out in that journey.

Figure 1: Monty Python and the Holy Grail, The knights who say Ni scene
[Read more…]

Log4Shell: Apache Log4j 2 CVE-2021-44228

If you haven’t been living under a rock for the past few hours, you’ll know that last Friday a critical vulnerability in the Log4j 2 package, a massively used Java log library, started to go viral.

This vulnerability, dubbed Log4Shell and discovered by Chen Zhaojun (software engineer at Alibaba), has been assigned the CVE CVE-2021-4428, with a CVSS of 10.0.

Although by now there is tons of public information about it, let’s give a few hints about it.

The actors

Log4j 2: the Lookup plugin

As we have already mentioned, Log4j 2 is a log library for Java applications used by developers to log application information. Using it is as simple as including something like log.debug(“Test message”); in the code, which will generate a log entry. Often, the information that is logged is related to the application itself and its execution context.

One of the capabilities of the library, called Lookups, is the ability to use variables when writing to the log, which will be replaced by the corresponding value, with a specific syntax: ${variable}. For example, if we use ${java:runtime}, when the application logs, it will record the Java runtime version.

[Read more…]

De-constructing risk management (I): the inherent risk

Living beings are experts at managing risks. It’s something we have done over millions of years. It’s called, among other things, survival instinct. We wouldn’t be here if we were bad at it.

We avoid them, we mitigate them, we externalize them, we take them on.

For example, is it going to rain today? If it rains, how much is it going to rain? Do I take my umbrella? Do I stay home? Will I run into a traffic jam on the way to work? Will I be late for the meeting? Do I call to let you know? Do I try to postpone the meeting? Will I puncture a tire on the way home? When was the last time I checked the spare tire? Have I paid the insurance premium? What is the roadside assistance coverage?

All these everyday processes of risk identification and risk assessment are carried out unconsciously all the time, and we apply risk management measures without even realizing it. We grab an umbrella, call the office to inform them of a delay, attend the meeting by phone, leave home earlier or decide to take public transport. Obviously, it’s not always that easy.

However, when we move to the corporate environment, we start with risk tolerance, probability, impact and vulnerability criteria, threat catalogs (standard), strategies, risk registers, inherent, residual and projected risk, mitigation ratios. And we get lost for months in concepts, documents and methodologies, moving further and further away from the reality we have to analyze and protect.

The orthodoxy of (cybersecurity) risk management

As a result of this, a few months ago, in the middle of the pandemic, I came across an interesting article that contrasted two very different visions of risk management, which it called RM1 vs RM2.

Basically, and quoting directly from the article, RM1 would be focused on “risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks)“, while RM2 would be “risk management for decision makers within the company“.

A few weeks or months later, Román Ramírez published an entry in a similar vein, criticizing the prevailing orthodoxy in cybersecurity risk management and the problems it generated.

[Read more…]

Ransomware ate my network (IV)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

[Editor’s note: Clicking on many images – those whose detail is not fully visible with the size of the main page – shows an enlarged version]


In the previous article we saw how Angela had deduced that the attackers had entered the computer used to connect to the DC from another computer using the PsExec tool. Determined to find the PsExec, Angela begins by converting the MFT extracted by CyLR with mftdump.exe to .csv, and searching for activity around the time she saw the connection on the other computer (about 2:16 p.m. 1:16 p.m. in UTC which is what the MFT shows us).

There is no clear target, but that stalin.exe Prefetch looks suspicious (remember that Prefetches are created the first time the software is run, with a delay of a few seconds).

[Read more…]

Ransomware ate my network (III)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we left the investigation with the IP 10.11.2.14 as the source of the connections to the DC (and with connections to the C2 101.143.122.216 as well as the antivirus disabled prior to the generalized attack).

Since we are talking about connections and considering that we have the RAM memory, the first thing Angela does is to use the Volatility netscan plugin to remove the network connections (the memory profile is Win10x64_17134) and confirm the connections with the C2:

Netscan returns a few additional results:

A connection to a remote SSH?

What is this computer doing providing a service on port 443/TCP? Has it gone mad? Clearly we need to dig deeper into these connections to find out what is behind them.

Angela decides to check the Sysmon logs, which should show the network connections… but it seems that the FFP (remember, the Federation of Patron Festivities) did not correctly apply the standard MINAF Sysmon configuration, so no such data is being collected (grrrrrrr).

[Read more…]

Ransomware ate my network (II)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we saw how MINAF narrowly avoided a ransomware attack, but we still have a lot of questions to answer. First, finding out the identity of the ransomware group that had affected MINAF.

To do this, Angela converts the MFT of the DC with mftdump.exe and performs a quick search of the v2.exe and v2c.exe files, which seemed a priori those in charge of deploying the ransomware. She hits the spot because she finds the files in the c:\temp\scheduler folder:

Quickly calculates her hashes:

5994df288813a7d9588299c301a8de13479e3ffb630c49308335f20515ffdf57  v2c.exe
b2a304e508415d96f417ed50d26e0b987b7cbd9a77bb345ea48e803b5a7afb49 v2.exe
ffa8722a09829acd7ef8743688947f6ccb58d2ef v2c.exe
7320b34c07206fcaf1319d6ce9bef2b29648a151 v2.exe
eddc0e293b0f0ee90bab106f073a41c9 v2c.exe
91438699bed008be9405995f0a158254 v2.exe

The next thing is to check if they are known. VirusTotal gives you a quick answer:

[Read more…]