Tuesday, February 16, 2021

Azure Getting Started via PowerShell

Step 1: Run PowerShell as an Administrator

Lets you run administrative commands. Install-Module writes to Program Files by default, which needs elevation; if you cannot elevate, add -Scope CurrentUser to the Install-Module calls below instead.

Start – Type PowerShell – Right-click, run as administrator      


Step 2: Install Azure RM Module

The AzureRM module gives you the Azure cmdlets in PowerShell. Install-Module needs PowerShellGet, which ships with Windows 10 (PowerShell 5.0); on earlier Windows versions, download and install Azure PowerShell from the Azure downloads page (Command Line Tools, Windows Install). Note that AzureRM is the legacy module: Microsoft replaced it with the Az module, and every cmdlet below has an Az equivalent (Connect-AzAccount, Set-AzContext, New-AzRoleAssignment, and so on). The AzureRM commands still work where the module is installed, which is what this post uses.

Install-Module AzureRM               # Rollup module; pulls in the AzureRM.* sub-modules

Install-Module AzureRM.Storage       # Only needed if you want the storage module on its own

Get-Module -ListAvailable AzureRM*   # Confirm what was installed

Step 3: Authenticate to Azure

Connect to Azure      

Login-AzureRmAccount    # Alias of Connect-AzureRmAccount; opens an interactive sign-in

Step 4: Change Default Subscription

Get-AzureRmSubscription   # List available subscriptions

# Copy the SubscriptionId of the subscription you want from the list above.
# Select-AzureRmSubscription and Set-AzureRmContext do the same thing; either one is enough.
Select-AzureRmSubscription -SubscriptionId "SubscriptionID"
Set-AzureRmContext -SubscriptionId "SubscriptionID"

Change Default Subscription via GUI (popup box)

$MySubscription = (Get-AzureRmSubscription | Out-GridView -Title "Select an Azure Subscription ..." -PassThru)

$subscriptionId = $MySubscription.SubscriptionId        # Set a variable for SubscriptionId
$SubscriptionName = $MySubscription.SubscriptionName    # Set a variable for SubscriptionName
Select-AzureRmSubscription -SubscriptionId $subscriptionId   # Set default subscription
Set-AzureRmContext -SubscriptionId $subscriptionId           # Set default context
Write-Host "Subscription: $SubscriptionName [ID: $subscriptionId]" -ForegroundColor Green    # Show the new default subscription

get-AzureRMContext  
 

Give Users Access to a Subscription


# Optional: search for an Azure AD group or service principal by name, if the assignee is not a user
#Get-AzureRmADGroup -SearchString "group name"
#Get-AzureRmADServicePrincipal -SearchString "service name"

Get-AzureRmRoleDefinition | Format-Table Id, Name, Description   # List the built-in and custom role definitions

# Get the ObjectId of the user. -SearchString matches display names and can return several users;
# -UserPrincipalName is an exact match on the sign-in name, so prefer it for role assignments.
$User = Get-AzureRmADUser -SearchString "Dan Stolts"               # By display name (may return more than one)
$User                                                              # Display the matching user(s)
$User = Get-AzureRmADUser -UserPrincipalName "email@company.com"   # By UPN (exact match)

$User.UserPrincipalName
$User.Id                  # This is the ObjectId you pass to New-AzureRmRoleAssignment
Get-AzureRmSubscription   # List available subscriptions

# Set the permission for the user. The scope is an ARM resource ID, not a bare subscription GUID.
# Syntax:  New-AzureRmRoleAssignment -ObjectId <user or application ObjectId> -RoleDefinitionName <role name> -Scope /subscriptions/<subscription id>
# Example: New-AzureRmRoleAssignment -ObjectId "81f4a203-9950-4f4d-9a5d-12e3b45d67f8" -RoleDefinitionName "Owner" -Scope "/subscriptions/1942a221-7d86-4e10-9e4b-a5bc2688651d"
New-AzureRmRoleAssignment -ObjectId "UserObjectId" -RoleDefinitionName "Role" -Scope "/subscriptions/SubscriptionID"

Owner can also change role assignments, so grant it only when the user must administer access. Reader or Contributor covers most day-to-day needs, and a narrower scope (a resource group, /subscriptions/<id>/resourceGroups/<name>) limits the blast radius further.
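As an added worked example (not code from the original post), the following script ties the steps above together: it pins the context to one subscription, resolves the user by UPN rather than by display-name search, builds the scope as an ARM resource ID, assigns a least-privilege role only if it is not already present, and then verifies the result. It assumes you have already run Login-AzureRmAccount; the UPN, subscription ID and role name are placeholders to replace.

```powershell
# Added example, not from the original post. Assumes AzureRM is installed and
# Login-AzureRmAccount has already been run. The three values below are placeholders.
$UserPrincipalName = 'user@company.com'                      # assumption: UPN of the target user
$SubscriptionId    = '00000000-0000-0000-0000-000000000000'  # assumption: target subscription
$RoleName          = 'Reader'                                # prefer Reader/Contributor over Owner

# 1. Pin the context so every later cmdlet acts on the intended subscription.
Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

# 2. Resolve the user by UPN (exact match). A display-name search could return a
#    look-alike account and silently grant the role to the wrong principal.
$User = Get-AzureRmADUser -UserPrincipalName $UserPrincipalName
if (-not $User) { throw "No Azure AD user found for UPN '$UserPrincipalName'." }

# 3. Fail early if the role name is mistyped instead of erroring on assignment.
if (-not (Get-AzureRmRoleDefinition -Name $RoleName)) {
    throw "Role definition '$RoleName' does not exist."
}

# 4. Scope is an ARM resource ID, not a bare GUID.
$Scope = "/subscriptions/$SubscriptionId"

# 5. Idempotent: skip if the exact assignment already exists at this scope.
$Existing = Get-AzureRmRoleAssignment -ObjectId $User.Id -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -eq $RoleName -and $_.Scope -eq $Scope }
if ($Existing) {
    Write-Host "'$UserPrincipalName' already has '$RoleName' on $Scope" -ForegroundColor Yellow
} else {
    New-AzureRmRoleAssignment -ObjectId $User.Id -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    Write-Host "Assigned '$RoleName' to '$UserPrincipalName' on $Scope" -ForegroundColor Green
}

# 6. Verify: list every assignment the user holds at this scope, inherited ones included.
Get-AzureRmRoleAssignment -ObjectId $User.Id -Scope $Scope |
    Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize
```

The verification step is the part worth keeping in any onboarding script: it shows assignments inherited from management groups or from groups the user belongs to, which is where unexpected Owner rights usually come from.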

Thursday, June 29, 2017

Petya Ransomware – Microsoft Guidelines

On June 27, 2017, reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States. The new ransomware has worm capabilities, which allow it to move laterally across infected networks. Based on our investigation, this new ransomware shares code with, and is a new variant of, Ransom:Win32/Petya. This new strain of ransomware, however, is more sophisticated. To protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including Windows Defender Antivirus and Microsoft Security Essentials. You can download the latest version of these files manually at the Malware Protection Center. Windows Defender Advanced Threat Protection (ATP) automatically detects behaviors used by this new ransomware variant without any updates.

Delivery and installation

Initial infection appears to involve a software supply-chain attack on the Ukrainian company M.E.Doc, which develops the tax accounting software MEDoc. Although this vector was speculated about at length by news media and security researchers, including Ukraine's own Cyber Police, there was only circumstantial evidence for it. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, software supply-chain attacks are a dangerous recent trend that requires advanced defenses.

We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 GMT.

Telemetry of the execution chain (shown as a diagram in the original post) confirms that the EzVit.exe process from MEDoc, for unknown reasons, at some point executed the following command line:

C:\Windows\system32\rundll32.exe "C:\ProgramData\perfc.dat",#1 30

The same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs), which includes the MEDoc updater.

A single ransomware, multiple lateral movement techniques

Given this new ransomware's added lateral-movement capabilities, it takes only a single infected machine to affect a network. The spreading functionality is composed of multiple methods responsible for:

• stealing credentials or re-using existing active sessions

• using file shares to transfer the malicious file across machines on the same network

• using existing legitimate functionality to execute the payload, or abusing SMB vulnerabilities on unpatched machines

In the next sections, we’ll dig into the details of each technique.

Lateral Movement using credential theft and impersonation

This ransomware drops a credential-dumping tool (typically as a .tmp file in the %Temp% folder) that shares code similarities with Mimikatz and comes in 32-bit and 64-bit flavors. Because users frequently log in with accounts that have local admin privileges and keep active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines. Once the ransomware has valid credentials, it scans the local network for hosts answering on tcp/139 and tcp/445. Domain controllers and servers get special treatment: on those, the ransomware calls DhcpEnumSubnets() to enumerate the DHCP subnets and then all hosts on those subnets before scanning for tcp/139 and tcp/445 services. If it gets a response, the malware copies a binary to the remote machine using ordinary file-transfer functionality with the stolen credentials.

It then tries to execute the malware remotely using either PsExec or WMIC.

The ransomware drops the legitimate psexec.exe (typically renamed to dllhost.dat) from an embedded resource within the malware. It then scans the local network for admin$ shares, copies itself across the network, and executes the newly copied binary remotely using PsExec.

In addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW function to get all the other user credentials potentially stored on the credential store. If a credential name starts with “TERMSRV/” and the type is set as 1 (generic) it uses that credential to propagate through the network.

[Figure in the original post: ransomware code responsible for accessing \\Admin$ shares on different machines]

This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using NetEnum/NetAdd) to spread to. It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).

[Figure in the original post: launch of the malware on a remote machine using WMIC]

Lateral movement using EternalBlue and EternalRomance

The new ransomware can also spread using an exploit for the previously patched SMB vulnerability CVE-2017-0144 (also known as EternalBlue), which WannaCrypt also exploited to spread to out-of-date machines. In addition, Petya uses a second exploit for CVE-2017-0145 (also known as EternalRomance, fixed by the same bulletin).

We have seen Petya attempt to use these exploits by generating SMBv1 packets (all XOR-encoded with 0xCC) to trigger these vulnerabilities. (The original post shows the relevant malware code in two screenshots.)

These two vulnerabilities were leaked by a group called Shadow Brokers. However, it is important to note that both of these vulnerabilities have been fixed by Microsoft since March 14, 2017.

Machines that are patched against this exploit (with security update MS17-010) or have disabled SMBv1 are not affected by this particular spreading mechanism. Please refer to our previous blog for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.

Encryption

This ransomware's encryption behavior depends on the malware process privilege level and on the processes found running on the machine. It applies a simple XOR-based hash to process names and checks the results against the following values, which act as behavior exclusions:

• 0x2E214B44 – if a process with this hashed name is found running on the machine, the ransomware will not infect the MBR

• 0x6403527E or 0x651B3005 – if either of these process-name hashes is found, the ransomware will not carry out any of its network-related actions (such as attempting to exploit the SMBv1 vulnerability)


This ransomware then writes to the master boot record (MBR) and sets up the system to reboot. It creates a scheduled task to shut down the machine at least 10 minutes past the current time; the exact delay is random (derived from GetTickCount()). For example:

schtasks /Create /SC once /TN “” /TR “<system folder>\shutdown.exe /r /f” /ST 14:23

Upon successfully modifying the MBR, it displays a fake system message at the next boot stating that the drive contains errors, followed by a fake disk-integrity check, and then the ransom note. (Both screens appear as screenshots in the original post.)

It attempts to overwrite the MBR code only when it runs with sufficient privilege (i.e., with SeDebugPrivilege enabled).

This ransomware attempts to encrypt all files found on fixed drives with the following extensions, in all folders except C:\Windows:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

It uses file-mapping APIs rather than the usual ReadFile()/WriteFile() calls to read and write file contents (the original post shows the code). Unlike most other ransomware, this threat does not append a new extension to encrypted files: it overwrites each file in place.

The AES key used for encryption is generated per machine; it is exported and encrypted with the attacker's embedded 800-bit RSA public key. (The original post shows the embedded RSA public key and the code that exports the per-machine AES-128 key and encrypts it with that public key during export.)

The unique key used for files encryption (AES) is added, in encrypted form, to the README.TXT file the threat writes under section “Your personal installation key:”.

Beyond encrypting files, this ransomware also attempts to overwrite the MBR and the first sector of the VBR. If the malware runs with SeShutdownPrivilege, SeDebugPrivilege, or SeTcbPrivilege, it overwrites the MBR of the victim's machine by opening the raw disk device \\.\PhysicalDrive0 directly. (The original post includes pseudo code for the MBR overwrite and for overwriting the first sector of the VBR.)

After encryption, it drops a text file called README.TXT containing the ransom note (reproduced as an image in the original post).

This ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info.

Detection and investigation with Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without needing any signature updates. Windows Defender ATP sensors constantly monitor and collect telemetry from endpoints and offer machine-learning detections for the common lateral-movement techniques and tools used by this ransomware, for example the execution of PsExec.exe under a different filename and the creation of the perfc.dat file on remote shares (UNC paths).

Without additional updates, an infected machine raises alerts for these behaviors (the original post shows the alert view). The second alert targets the distribution of the ransomware's DLL over the network. Clicking into this event provides helpful information during investigation, as it includes the user context that was used to move the file remotely. This user has been compromised and could be the account associated with patient zero.

With Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.

Protection against this new ransomware attack

Keeping your Windows 10 up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.

As another layer of protection, Windows 10 S only allows apps that come from the Windows Store to run. Windows 10 S users are further protected from this threat.

We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

• Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously

• Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445

As the threat targets ports 139 and 445, you could block any traffic on those ports to prevent propagation either into or out of machines in your network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be suggested for a very short time period while you assess the impact and apply definition updates.
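As an added example (not part of the Microsoft post), the script below audits and, if you opt in, applies the two workarounds above on a single host: it reports whether the SMB1 server protocol and the SMB1 optional feature are enabled, compares that with the registry value KB 2696547 describes, and can disable SMB1 and add an inbound block for tcp/139 and tcp/445. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later (the SmbShare, DISM and NetSecurity modules); on older systems use the KB article's registry method. The same two workarounds are the ones the WannaCry alert later on this page refers to.

```powershell
# Added example, not from the original post. Run elevated. $Enforce = $false only
# reports; set it to $true to disable SMB1 and add the firewall block.
$Enforce = $false

# --- 1. SMB1 server protocol state (SmbShare module, Windows 8.1 / 2012 R2+) ---
$smb = Get-SmbServerConfiguration
"SMB1 server protocol enabled : $($smb.EnableSMB1Protocol)"

# KB 2696547 documents the same switch as a registry value:
# HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 (DWORD) = 0
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$regSmb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$regText = if ($null -eq $regSmb1) { '<not set (default: enabled)>' } else { $regSmb1 }
"SMB1 registry value          : $regText"

# --- 2. SMB1 optional feature (client and server components; Windows 10 / 2016+) ---
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature state   : $($feature.State)" }

# --- 3. Existing inbound block for the ports the worm scans ---
$ruleName = 'Block inbound SMB (MS17-010 workaround)'
$block = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$blockText = if ($block) { "present, Enabled=$($block.Enabled)" } else { 'absent' }
"Inbound SMB block rule       : $blockText"

if ($Enforce) {
    if ($smb.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        'Disabled SMB1 server protocol.'
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        # Removes the SMB1 client too; a reboot completes the removal.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        'Disabled SMB1Protocol feature (reboot required).'
    }
    if (-not $block) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
        "Added firewall rule '$ruleName'."
    }
    'Re-run with $Enforce = $false to confirm the new state.'
} else {
    'Report only. Set $Enforce = $true to apply the workarounds.'
}
```

Two caveats before enforcing: the inbound block stops this host from serving files and print shares entirely, so it belongs on workstations and on servers only as a short-term measure; and neither step replaces MS17-010, since SMBv2/v3 stay enabled and the host is still vulnerable until the update is installed.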

Windows Defender Antivirus detects this threat as Ransom:Win32/Petya as of the 1.247.197.0 update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats. For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running. Monitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.

Resources

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Next-generation ransomware protection with Windows 10 Creators Update: https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/

Indicators of Compromise

Network defenders may search for the following indicators:

File Indicators

• 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

• 9717cfdc2d023812dbc84a941674eb23a2a8ef06

• 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

• 56c03d8e43f50568741704aee482704a4f5005ad

Command Lines

In environments where command-line logging is available, the following command lines may be searched:

• Scheduled reboot task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time

    o schtasks /Create /SC once /TN "" /TR "<system folder>\shutdown.exe /r /f" /ST <time>

    o cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <time>

This may be surfaced by searching for Event ID 106 (General Task Registration), which captures tasks registered with the Task Scheduler service.

• Lateral movement (remote WMI)

    o process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
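As an added example (not from the Microsoft post), the following turns the command-line indicators above into regular expressions and runs them over process-creation telemetry. The sample lines it matches against are constructed here to mirror the indicator shapes, with two benign rundll32/schtasks lines that must not fire; in a real hunt you would feed Search-PetyaCommandLines the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688 records, and the second function pulls the Event ID 106 task registrations the post mentions.

```powershell
# Added example, not from the original post. The sample telemetry below is
# constructed; the regexes are derived from the indicators listed in the post.
$PetyaPatterns = @{
    # schtasks ... /Create /SC once /TN "" /TR "...shutdown.exe /r /f" /ST <time>
    'SchtasksReboot'   = 'schtasks(\.exe)?\s.*?/Create\s.*?/SC\s+once\s.*?/TN\s+""\s.*?shutdown\.exe\s+/r\s+/f'
    # rundll32.exe "<path>\perfc.dat",#1 <n>   (local launch, as seen from the MEDoc updater)
    'RundllPerfc'      = 'rundll32(\.exe)?["\s].*?perfc\.dat[\\"\s]*,?\s*#1'
    # wmic ... process call create "rundll32.exe \"...\perfc.dat\" #1"   (remote launch)
    'WmicRemoteCreate' = 'process\s+call\s+create\s.*?rundll32.*?perfc\.dat'
}

function Search-PetyaCommandLines {
    param(
        [Parameter(Mandatory)][string[]]$CommandLines,
        [hashtable]$Patterns = $PetyaPatterns
    )
    foreach ($line in $CommandLines) {
        foreach ($name in $Patterns.Keys) {
            if ($line -imatch $Patterns[$name]) {
                [pscustomobject]@{ Indicator = $name; CommandLine = $line }
            }
        }
    }
}

# Constructed sample: four lines shaped like the post's indicators, two benign.
$Sample = @(
    'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:23',
    'cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:51',
    'wmic /node:10.0.0.7 /user:CORP\admin /password:x process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"',
    'C:\Windows\system32\rundll32.exe "C:\ProgramData\perfc.dat",#1 30',
    'schtasks /Create /SC daily /TN "Backup" /TR "C:\Scripts\backup.cmd" /ST 02:00',
    'C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL'
)

# Expected: the first four lines are flagged (the wmic line twice, once per
# pattern); the two benign lines are not.
Search-PetyaCommandLines -CommandLines $Sample | Format-Table -AutoSize

# Live variant: list task registrations (Event ID 106) from the Task Scheduler
# operational log so the registered task names can be compared with the empty
# /TN "" above. Requires that log to be enabled; errors are suppressed if not.
function Get-TaskRegistrations ([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 106
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
```

The patterns deliberately key on structure (empty task name, once-only schedule, shutdown /r /f, perfc.dat handed to rundll32 export #1) rather than on the file hashes, so a rebuilt sample with a new hash but the same tradecraft still matches; expect to tune the schtasks pattern if your environment legitimately registers one-off reboot tasks.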

Network indicators

In environments where NetFlow data are available, this ransomware’s subnet-scanning behavior may be observed by looking for the following:

• Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope

• Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes
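As an added example (not part of the Microsoft post), the following implements the two flow heuristics above: it groups connections to tcp/139 and tcp/445 by source, counts distinct destinations and distinct /24 prefixes, and labels a source as a local sweep (the workstation pattern) or a cross-subnet sweep (the domain-controller pattern described in the credential-theft section). The flow records are constructed inline; a real run would load NetFlow/IPFIX exports or Windows Firewall log lines into the same Src/Dst/DstPort shape. The thresholds are assumptions to tune per network.

```powershell
# Added example, not from the original post. Flow records are constructed below.
function Get-Slash24 ([string]$Ip) {
    # /24 prefix of an IPv4 address, e.g. 10.0.1.25 -> 10.0.1.0/24
    $o = $Ip.Split('.')
    return "$($o[0]).$($o[1]).$($o[2]).0/24"
}

function Find-SmbScanners {
    param(
        [Parameter(Mandatory)][object[]]$Flows,   # objects with Src, Dst, DstPort
        [int]$MinTargets = 20,                    # assumption: distinct hosts before "scanning"
        [int]$MinSubnets = 2                      # assumption: distinct /24s before "cross-subnet"
    )
    $Flows |
        Where-Object { $_.DstPort -in 139, 445 } |
        Group-Object Src |
        ForEach-Object {
            $targets = @($_.Group.Dst | Sort-Object -Unique)
            $subnets = @($targets | ForEach-Object { Get-Slash24 $_ } | Sort-Object -Unique)
            if ($targets.Count -ge $MinTargets) {
                $pattern = if ($subnets.Count -ge $MinSubnets) {
                    'Cross-subnet sweep (DC/server-style spread)'
                } else {
                    'Local /24 sweep (workstation-style spread)'
                }
                [pscustomobject]@{
                    Source  = $_.Name
                    Targets = $targets.Count
                    Subnets = $subnets.Count
                    Pattern = $pattern
                }
            }
        }
}

# Constructed sample: a workstation sweeping its own /24 on 445, a domain
# controller sweeping three /24s, and 50 clients talking normally to a file server.
$Flows = [System.Collections.Generic.List[object]]::new()
foreach ($i in 1..40) { $Flows.Add([pscustomobject]@{ Src = '10.0.1.25'; Dst = "10.0.1.$i"; DstPort = 445 }) }
foreach ($i in 1..15) { $Flows.Add([pscustomobject]@{ Src = '10.0.0.5';  Dst = "10.0.1.$i"; DstPort = 139 }) }
foreach ($i in 1..15) { $Flows.Add([pscustomobject]@{ Src = '10.0.0.5';  Dst = "10.0.2.$i"; DstPort = 445 }) }
foreach ($i in 1..15) { $Flows.Add([pscustomobject]@{ Src = '10.0.0.5';  Dst = "10.0.3.$i"; DstPort = 445 }) }
foreach ($i in 1..200) {
    $Flows.Add([pscustomobject]@{ Src = "10.0.1.$($i % 50 + 1)"; Dst = '10.0.0.10'; DstPort = 445 })
}

# Expected: 10.0.1.25 flagged as a local /24 sweep (40 targets, 1 subnet),
# 10.0.0.5 as a cross-subnet sweep (45 targets, 3 subnets); no client is flagged.
Find-SmbScanners -Flows $Flows | Format-Table -AutoSize
```

Counting distinct destinations rather than packets is what separates a sweep from a busy file server: the server in the sample sees 200 flows but each client touches one host, so none of them crosses the threshold.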

Tuesday, May 16, 2017

Alert: WannaCry Malware Attack and Recommended Actions

 

This alert is to provide guidance regarding malware variously named WannaCrypt, WannaCry, WannaCryptor, or Wcry.

On May 12, 2017, organizations around the world, including operators of critical systems, were hit by the malicious "WannaCrypt" software. Below we give further details of the threat and the steps every individual and business should take to stay protected. Additionally, Microsoft is taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Organizations running Windows 10 were not targeted by the attack.

In March, Microsoft released a security update (MS17-010) that addresses the vulnerability these attacks exploit. Unfortunately, the malware appears to have affected computers that had not applied the patch. While the attack is unfolding, Microsoft reminds users to install MS17-010 if they have not already done so. Microsoft antimalware telemetry constantly monitors for such threats and alerted Microsoft to this attack. These systems gave visibility and context around the attack, allowing Windows Defender Antivirus to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, Microsoft was able to protect many up-to-date systems against this malware.

Steps to prevent and protect against this threat

To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.

We recommend organizations that have not yet installed security update MS17-010 do so as soon as possible. Until you can apply the patch, Microsoft also recommends two possible workarounds to reduce the attack surface (the same two listed in the Petya post above: disable SMBv1 per KB 2696547, and block incoming SMB traffic on port 445).

Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update. Enable Windows Defender Antivirus to detect this ransomware. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.

Monitor your network with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.

 

Attack vector

A ransomware threat does not normally spread so rapidly. Threats like WannaCrypt typically use social engineering or email as the primary attack vector, relying on users downloading and executing a malicious payload. In this case, however, the perpetrators incorporated publicly available exploit code for the SMBv1 vulnerability known as EternalBlue (CVE-2017-0144), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server and was fixed in security bulletin MS17-010, released on March 14, 2017.

WannaCrypt's spreading mechanism is borrowed from well-known public SMB exploits, which armed this otherwise ordinary ransomware with worm-like functionality and created an entry vector into machines still unpatched even after the fix had become available.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

There are two scenarios which are highly possible for this ransomware family:

  • Arrival through social-engineering emails designed to trick users into running the malware, which activates the worm-spreading functionality with the SMB exploit
  • Infection through the SMB exploit when an unpatched computer is reachable from an already infected machine

Dropper

The threat arrives as a dropper Trojan that has the following two components:

  • A component that tries to exploit the SMB EternalBlue vulnerability in other computers
  • Ransomware known as WannaCrypt

The dropper tries to connect to the following domain using the API InternetOpenUrlA():

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If connection is successful, the threat does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the dropper proceeds to drop the ransomware and creates a service on the system.

In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files.


The threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”


WannaCrypt ransomware

The ransomware component is a dropper that contains a password-protected archive in its resource section. The archive holds the document-encryption routine, support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is "WNcry@2ol7".

When run, WannaCrypt creates the following registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"
  • HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"

It changes the wallpaper to a ransom message by modifying the following registry key:

  • HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”

It creates the following files in the malware’s working directory:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res
  • 274901494632976.bat
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe
  • b.wnry
  • c.wnry
  • f.wnry
  • m.vbs
  • msg\m_bulgarian.wnry
  • msg\m_chinese (simplified).wnry
  • msg\m_chinese (traditional).wnry
  • msg\m_croatian.wnry
  • msg\m_czech.wnry
  • msg\m_danish.wnry
  • msg\m_dutch.wnry
  • msg\m_english.wnry
  • msg\m_filipino.wnry
  • msg\m_finnish.wnry
  • msg\m_french.wnry
  • msg\m_german.wnry
  • msg\m_greek.wnry
  • msg\m_indonesian.wnry
  • msg\m_italian.wnry
  • msg\m_japanese.wnry
  • msg\m_korean.wnry
  • msg\m_latvian.wnry
  • msg\m_norwegian.wnry
  • msg\m_polish.wnry
  • msg\m_portuguese.wnry
  • msg\m_romanian.wnry
  • msg\m_russian.wnry
  • msg\m_slovak.wnry
  • msg\m_spanish.wnry
  • msg\m_swedish.wnry
  • msg\m_turkish.wnry
  • msg\m_vietnamese.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • TaskData\Tor\libeay32.dll
  • TaskData\Tor\libevent-2-0-5.dll
  • TaskData\Tor\libevent_core-2-0-5.dll
  • TaskData\Tor\libevent_extra-2-0-5.dll
  • TaskData\Tor\libgcc_s_sjlj-1.dll
  • TaskData\Tor\libssp-0.dll
  • TaskData\Tor\ssleay32.dll
  • TaskData\Tor\taskhsvc.exe
  • TaskData\Tor\tor.exe
  • TaskData\Tor\zlib1.dll
  • taskdl.exe
  • taskse.exe
  • u.wnry

WannaCrypt may also create the following files:

  • %SystemRoot%\tasksche.exe
  • %SystemDrive%\intel\<random directory name>\tasksche.exe
  • %ProgramData%\<random directory name>\tasksche.exe

It may create a randomly named service whose ImagePath is: cmd.exe /c "<malware working directory>\tasksche.exe"
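As an added example (not part of the Microsoft alert), the following read-only triage function checks a host for the artifacts listed above: the mssecsvc2.0 worm service or any service launching tasksche.exe, the Run-key persistence and the WanaCrypt0r\wd marker, the ransom-note wallpaper, and the documented drop locations for tasksche.exe plus the .wnry support files and @Please_Read_Me@.txt notes. It assumes an elevated PowerShell 5 or later session and reports findings without removing anything, so the evidence stays intact for the response team.

```powershell
# Added example, not from the original alert. Read-only host triage for the
# WannaCrypt artifacts the alert lists. Run elevated for complete results.
function Test-WannaCryArtifacts {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding ([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. The worm service, and any service whose ImagePath launches tasksche.exe
    foreach ($s in (Get-CimInstance Win32_Service -ErrorAction SilentlyContinue)) {
        if ($s.Name -eq 'mssecsvc2.0') {
            Add-Finding 'Service' "$($s.Name) state=$($s.State) path=$($s.PathName)"
        }
        if ($s.PathName -match 'tasksche\.exe') {
            Add-Finding 'Service' "$($s.Name) launches $($s.PathName)"
        }
    }

    # 2. Registry: working-directory marker, Run-key persistence, wallpaper swap
    $wd = $null
    if (Test-Path 'HKLM:\SOFTWARE\WanaCrypt0r') {
        $wd = (Get-ItemProperty 'HKLM:\SOFTWARE\WanaCrypt0r' -ErrorAction SilentlyContinue).wd
        Add-Finding 'Registry' "HKLM\SOFTWARE\WanaCrypt0r\wd = $wd"
    }
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'tasksche\.exe' } |
            ForEach-Object { Add-Finding 'Registry' "Run\$($_.Name) = $($_.Value)" }
    }
    $wall = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
    if ($wall -match '@WanaDecryptor@\.bmp') { Add-Finding 'Registry' "Wallpaper = $wall" }

    # 3. Dropped files in the documented locations
    $paths = @(
        "$env:SystemRoot\tasksche.exe",
        "$env:SystemDrive\intel\*\tasksche.exe",
        "$env:ProgramData\*\tasksche.exe"
    )
    foreach ($p in $paths) {
        Get-Item $p -ErrorAction SilentlyContinue | ForEach-Object { Add-Finding 'File' $_.FullName }
    }
    if ($wd -and (Test-Path $wd)) {
        Get-ChildItem $wd -Filter '*.wnry' -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'File' $_.FullName }
    }
    # The note is written into every encrypted folder; sample the user profile and
    # the top of the system drive rather than walking the whole disk.
    foreach ($root in @($env:USERPROFILE, "$env:SystemDrive\")) {
        Get-ChildItem -Path $root -Filter '@Please_Read_Me@.txt' -Recurse -Depth 2 -ErrorAction SilentlyContinue |
            Select-Object -First 5 | ForEach-Object { Add-Finding 'File' $_.FullName }
    }

    return $findings
}

$result = Test-WannaCryArtifacts
if ($result.Count -eq 0) { 'No WannaCrypt artifacts found.' } else { $result | Format-Table -AutoSize }
```

A positive result means the host should be isolated from the network before anything else, since the mssecsvc2.0 service is the component that keeps scanning for and exploiting other machines; and, as the alert notes above, do not respond by blocking the kill-switch domain at the firewall, because a failed lookup is what makes the dropper proceed.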

Then it searches the whole computer for any file with any of the following file name extensions: .123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw

WannaCrypt encrypts all files it finds and renames them by appending “.WNCRY” to the file name. For example, if a file is named “picture.jpg”, the ransomware encrypts and renames to “picture.jpg.WNCRY”.

This ransomware also creates the file “@Please_Read_Me@.txt” in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (screenshot below).

After completing the encryption process, the malware deletes the volume shadow copies, disables Windows recovery at boot, and deletes the backup catalog by running the following command chain:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

It then replaces the desktop background image with the ransom message and runs an executable that shows a ransom note demanding $300 together with a countdown timer (both shown as screenshots in the original alert).

The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.

The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.


Spreading capability

The worm functionality attempts to infect unpatched Windows machines on the local network. At the same time, it also performs massive scanning of Internet IP addresses to find and infect other vulnerable computers. This activity results in a large volume of SMB traffic from the infected host, which SecOps personnel can normally observe (the original alert shows a capture of it).

The Internet-scanning routine randomly generates octets to form an IPv4 address and targets that IP with the EternalBlue exploit (CVE-2017-0144). It skips addresses whose first octet is 127 (loopback) or 224 and above (multicast and reserved ranges). Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The infection cycle continues as the scanning routine discovers unpatched computers.

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that appears to have been copied from the public backdoor known as DOUBLEPULSAR, with adjustments to drop and execute the ransomware dropper payload on both x86 and x64 systems (the original alert shows both variants of the shellcode).

Microsoft Malware Detection and Removal Tools

Use the following free Microsoft tools to detect and remove this threat:

Additional Resources

Microsoft Safety and Security Center webpage: http://www.microsoft.com/security/default.aspx

 

Source: Microsoft

Friday, April 14, 2017

Remove the X-Powered-By, ASP.NET version and IIS version headers from the HTTP responses of IIS web servers

Attackers use footprinting techniques to collect as much information as possible about a target network. By simply connecting to a web server (for example with telnet), they can learn the server name, server type, operating system and the applications running on it. Tools such as httprecon, ID Serve and Nmap automate this.

Once the attacker knows the versions in use, they know whether the applications have the latest patches or not, and any vulnerability that is not yet patched becomes a candidate for exploitation. It is therefore important not to reveal this information in web server responses.

The following explains how to remove the X-Powered-By header, the ASP.NET version and the IIS version from the HTTP response headers of IIS web servers.

Generally, when a client browser requests a Web page, IIS returns a response with a Hypertext Transfer Protocol (HTTP) header. HTTP response headers are name and value pairs that contain information about the requested page. These include the HTTP version, date, and content type.

You can create or modify HTTP headers to pass special information in responses to clients. For example, You could create a custom header named “authors” that might contain the names of content authors. Or you might create a Content-Language header to describe the natural languages used in the body of your Web page, and provide several language-country/region values such as en-US (United States English), en-CA (Canadian English), and en-GB (British English).

If you create a custom HTTP response header at the Web server level, all Web sites, Web applications, virtual directories, and files inherit the header unless you override the header at a child level. Likewise, Web applications and virtual directories inherit headers from the Web site level, and files inherit headers from the Web application or virtual directory level. You can remove an inherited header so that it is not passed in a response, and restore the header later if it is required.

Note: To view HTTP response headers, use the browser's developer tools (the Network panel, usually opened with F12), a browser add-on that shows headers, or a command-line client such as curl -I.
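As an added check (example code written for this page, not part of the original post), the same headers can be read from PowerShell without a browser, which is convenient when verifying a batch of servers after hardening. The URL is a placeholder and Get-ServerDisclosureHeaders is a helper name chosen here; it uses the .NET HttpWebRequest class so it behaves the same on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example, not from the original post: report the response headers that
# disclose server or framework versions. Assumes PowerShell 3.0+ and a .NET
# runtime with System.Net.HttpWebRequest (present on both 5.1 and 7).
function Get-ServerDisclosureHeaders {
    param(
        [Parameter(Mandatory)][string]$Url   # placeholder, e.g. http://localhost/
    )
    # Headers that commonly reveal product and version information.
    $watch = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'

    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = 'HEAD'
    $request.AllowAutoRedirect = $false   # inspect the first hop, not the redirect target

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses (including 405 for HEAD) still carry headers;
        # read them from the exception. No Response means a network failure.
        if (-not $_.Exception.Response) { throw }
        $response = $_.Exception.Response
    }

    try {
        foreach ($name in $watch) {
            $value = $response.Headers[$name]   # $null when the header is absent
            [pscustomobject]@{
                Header    = $name
                Value     = $value
                Disclosed = -not [string]::IsNullOrEmpty($value)
            }
        }
    } finally {
        $response.Close()
    }
}

# Before hardening, an IIS box typically shows Server: Microsoft-IIS/x.x and
# X-Powered-By: ASP.NET here; after the steps below both rows read Disclosed = False.
Get-ServerDisclosureHeaders -Url 'http://localhost/' | Format-Table -AutoSize
```

Run it once before and once after the changes described below; a header that is still present after the change usually means it is being re-added at a lower level (site or application web.config) that overrides the server-level setting.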

Steps to remove the Server header (server name and version) from HTTP responses:

Download and install the latest version of the UrlScan tool (version 3.1) from one of the following links:

32-Bit (x86): http://www.microsoft.com/downloads/details.aspx?FamilyID=ee41818f-3363-4e24-9940-321603531989

64-Bit (x64): http://www.microsoft.com/downloads/details.aspx?FamilyID=361e5598-c1bd-46b8-b3e7-3980e8bdf0de

1. Double-click the MSI file to begin the installation process.

2. Review the UrlScan Installer Package End User Agreement and then click Yes to accept the agreement and continue. If you click No, the installer will close.

3. When the installer completes, a dialog box stating that UrlScan has been successfully installed will be displayed.

4. Click Finish to close the installer.

Verify that the installer did the following:

1. Installed UrlScan.dll and UrlScan.ini in the %windir%\system32\inetsrv\UrlScan directory. If UrlScan was already installed on the computer, UrlScan.ini is updated with any new settings that are not present in the current configuration file.

2. Added UrlScan as a global filter to IIS.

3. Created a %windir%\system32\inetsrv\UrlScan\Logs directory.

4. UrlScan's behaviour is configured by setting options in the UrlScan.ini file. This file must reside in the same directory as UrlScan.dll, and it contains the sections and options described below.

Note: UrlScan 3.0 added change notifications for the UrlScan.ini file, so it is no longer necessary to restart IIS after updating your UrlScan.ini file.

The [Options] section of a UrlScan.ini file contains a list of name/value pairs that define the general behavior for UrlScan. A few of the settings enable or disable other sections in the UrlScan.ini file.

RemoveServerHeader: allowed values are 0 or 1. The default value is 0.

If set to 1, UrlScan removes the Server header from all responses, and the value of AlternateServerName is ignored.

If set to 0, IIS returns its default Server header (for example Microsoft-IIS/7.5) on all responses. If you prefer to keep the header but hide the real product, set AlternateServerName to a replacement string instead.

Note: This feature is only available if UrlScan is installed on IIS 4.0 or later.
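The edit to UrlScan.ini can be scripted so it is repeatable across a server farm. The following is an added example for this page (not part of the original post or of UrlScan): Set-UrlScanOption is a helper written here that replaces an existing RemoveServerHeader line in the [Options] section or inserts one if it is missing, keeping a backup of the file. The path is the install location named above; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original post: set an option in the [Options]
# section of UrlScan.ini. Set-UrlScanOption is a hypothetical helper name.
function Set-UrlScanOption {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $lines   = @(Get-Content -Path $Path)
    $pattern = "^\s*$([regex]::Escape($Name))\s*="   # existing 'Name=...' line, any spacing
    $updated = $false

    # Pass 1: replace an existing setting in place (first occurrence only).
    $output = foreach ($line in $lines) {
        if (-not $updated -and $line -match $pattern) {
            "$Name=$Value"
            $updated = $true
        } else {
            $line
        }
    }

    # Pass 2: no existing entry, so insert the setting directly under [Options].
    if (-not $updated) {
        $idx = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match '^\s*\[Options\]\s*$') { $idx = $i; break }
        }
        if ($idx -lt 0) { throw "No [Options] section found in $Path" }
        $head = $lines[0..$idx]
        $tail = if ($idx + 1 -le $lines.Count - 1) { $lines[($idx + 1)..($lines.Count - 1)] } else { @() }
        $output = @($head) + "$Name=$Value" + @($tail)
    }

    # Keep a backup; UrlScan 3.x watches the file, so no IIS restart is needed.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    Set-Content -Path $Path -Value $output -Encoding Ascii
}

$ini = Join-Path $env:windir 'system32\inetsrv\UrlScan\UrlScan.ini'
Set-UrlScanOption -Path $ini -Name 'RemoveServerHeader' -Value '1'

# Show the effective line for confirmation.
Select-String -Path $ini -Pattern '^\s*RemoveServerHeader\s*='
```

The first-match replacement matters because UrlScan reads the first RemoveServerHeader entry it finds; appending a second line at the end of the file would leave the original value in effect.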

Remove the X-Powered-By header from HTTP responses:

IIS 7:

1. In the Internet Information Services (IIS) Manager console, click the server name in the left pane.

2. Double-click HTTP Response Headers.

3. Select the X-Powered-By header (value ASP.NET) and click Remove in the Actions pane on the right.

IIS 6:

1. Right-click the web site and click Properties.

2. Click the HTTP Headers tab.

3. Under Custom HTTP headers, select X-Powered-By: ASP.NET.

4. Click Remove on the right.
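The IIS 7 steps above can also be applied from PowerShell with the WebAdministration module, which is the practical route when many servers must be configured. This is an added example for this page, not the original post's procedure: the X-Powered-By removal and the enableVersionHeader setting are standard IIS 7.0+ configuration, while the removeServerHeader step goes beyond the post (it exists only on IIS 10 and later and suppresses the Server header without UrlScan, so it is guarded by version). Run from an elevated session on the web server.

```powershell
# Added example, not from the original post: strip version-disclosing headers
# at the server level with the WebAdministration module (IIS 7.0+, elevated).
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config: inherited by every site unless overridden
$headersFilter = 'system.webServer/httpProtocol/customHeaders'

# 1. Remove the X-Powered-By: ASP.NET custom header (same effect as the IIS Manager steps).
$existing = Get-WebConfigurationProperty -PSPath $appHost -Filter $headersFilter -Name 'collection' |
    Where-Object { $_.name -eq 'X-Powered-By' }
if ($existing) {
    Remove-WebConfigurationProperty -PSPath $appHost -Filter $headersFilter -Name '.' `
        -AtElement @{ name = 'X-Powered-By' }
}

# 2. Stop ASP.NET from adding X-AspNet-Version. The post does not cover this header,
#    but it leaks the framework version just as X-Powered-By does. It lives in the
#    root web.config (system.web), so the PSPath is MACHINE/WEBROOT, not APPHOST.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value $false

# 3. IIS 10+ only: drop the Server header natively. The attribute does not exist on
#    older versions, so read the installed version from the registry before setting it.
$iisMajor = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').MajorVersion
if ($iisMajor -ge 10) {
    Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/security/requestFiltering' `
        -Name 'removeServerHeader' -Value $true
} else {
    Write-Warning "IIS $iisMajor: removeServerHeader is not available; use UrlScan's RemoveServerHeader=1 instead."
}

# Verify: the server-level customHeaders collection should no longer list X-Powered-By.
Get-WebConfigurationProperty -PSPath $appHost -Filter $headersFilter -Name 'collection' |
    Select-Object name, value
```

Because the server-level setting is inherited, a site or application that explicitly adds X-Powered-By in its own web.config will still send it; check each site's customHeaders section (same filter, PSPath 'IIS:\Sites\SiteName') if the header survives.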

How to center align the ActionBar title or icon in Android?

In your Activity (an AppCompatActivity, so that getSupportActionBar() and android.support.v7.app.ActionBar are available), in your onCreate() method after setContentView():
ActionBar actionBar = getSupportActionBar();                 // null if the theme has no action bar
actionBar.setDisplayOptions(ActionBar.DISPLAY_SHOW_CUSTOM);  // show only the custom view; hides the default title and icon
actionBar.setCustomView(R.layout.abs_layout);                // your layout, e.g. a TextView with layout_gravity="center"

Thursday, April 13, 2017

Microsoft Enterprise Threat Detection (ETD)

ETD-Hosted is a managed security service that detects security incidents and vulnerabilities in your environment that other sensors may have missed, and places them in their global context. The service is offered for environments of 25,000 to 250,000 monitored endpoints (physical and virtual laptops, desktops, servers and so on). It combines data feeds emanating from or instrumented within your environment with a suite of detection tools run by Microsoft. Using machine analytics, proprietary telemetry sources and dedicated human analysis, the service continually monitors for advanced attacks in a rapidly evolving threat environment. Microsoft analysts, working as a technical advisor and extension of your security team, use Microsoft technologies, Windows internals and global telemetry sources to treat your infrastructure as a sensor and determine whether your network is compromised, under attack, vulnerable and/or non-compliant.

Microsoft will monitor data and provide alerts based on Microsoft’s Cyber Threat Intelligence (CTI) platform, which is a global telemetry system with advanced data mining capabilities. This platform leverages the vast network of global sensors owned and operated by Microsoft as part of multiple antimalware programs at Microsoft that enable Microsoft to become aware of potential threats.

How the Offering Works

Microsoft will work with you to configure your clients to send native Windows telemetry events to one or more ETD collectors deployed on your network. This can all be performed through Active Directory and there is no software to deploy to clients. These collectors will forward events to our cloud-based ETD Analysis Center where our analysts will use enhanced heuristics to analyze the data and work with you to provide actionable information. The analysis is focused on detecting attacks, vulnerable systems, persistent malware, and corporate policy violations.

The analysts also query Microsoft’s vast global telemetry and threat intelligence sources to monitor and analyze your environment, providing you with a deeper understanding of activity emanating from your environment and threats facing your environment. Data from the Microsoft Active Protection System (MAPS), our global antimalware telemetry system, is combined with indicators from Microsoft’s Digital Crimes Unit (DCU) and other internal threat intelligence sources, to provide you with actionable intelligence.

The service also leverages output from your existing Advanced Threat Analytics (ATA) and Windows Defender Advanced Threat Protection (D-ATP) implementations, if available. Your ATA center is configured to send data to ETD analysts for additional investigation and cross-correlation with ETD data feeds. By giving ETD analysts access to your D-ATP tenant, detection coverage for Windows 10 endpoints is increased as well.

The Offering consists of weekly, monthly and/or quarterly summative reports on findings and threat profiles of your organization, as well as “out of band” alerting for critical threats such as an on-going attack or serious vulnerability.

Subscription Components and Pricing

ETD Hosted is provided as an annual fixed-fee subscription service. Included in this subscription are:

• Architectural guidance on deploying ETD Collectors and enabling telemetry collection through Active Directory

• License to install as many ETD Collectors as required for the duration of the subscription

• Detailed weekly, monthly or quarterly summative reporting on findings and threat profiles of your organization

• Out-of-band reporting on immediate threats and active attacks once detected

ETD Hosted subscription pricing does not include the cost of the collector hardware or required collector Windows operating system licenses. It does not include the licensing, deployment, and configuration of Advanced Threat Analytics (ATA) and/or Windows Defender ATP (D-ATP). Pricing varies based on the number of Windows endpoints within the organization and the frequency of summative reporting.

Potential Benefits:

  • Enhanced detection and situational awareness, leveraging best in class detection technologies
  • Analysis of threats using Microsoft global telemetry and threat intelligence sources with a focus on your environment
  • Improved detection of
    • Zero-day vulnerabilities
    • Malware undetected by antivirus
    • Systems missing security patches
    • Suspicious web traffic

Sample Alert

[Figure: sample ETD alert screenshots]

Source: Microsoft

Thursday, April 6, 2017

Build cross-platform apps with Visual Studio Tools for Apache Cordova




Visual Studio 2015 RC

In Visual Studio 2013, the Cordova tools are released as a preview (CTP) version. Cordova tools will be released as part of Visual Studio 2015 and we recommend that you now use Visual Studio 2015 RC to develop apps using Visual Studio Tools for Apache Cordova. You can download Visual Studio from the Microsoft Download Center.
You can build cross-platform apps for iOS, Android, and Windows devices by using Visual Studio Tools for Apache Cordova. The easy-to-use installer identifies the right versions of the required SDKs, tools, and libraries that you need to build Apache Cordova apps. Use the Visual Studio debugger to attach to iOS, Android, and Windows apps, hit breakpoints, and inspect code using the console and DOM Explorer. Apache Cordova enables cross-platform development using standard web technologies such as HTML, CSS, and JavaScript.
You can build apps using the tools for these devices and platforms:
  • Android 2.3.3 and later (4.4 provides the best developer experience)
  • iOS 6, 7, and 8
  • Windows 8 and 8.1
  • Windows Phone 8 and 8.1
Note
The default version of Cordova installed with Visual Studio Tools for Apache Cordova in CTP3.1 is 4.3.0. You can select a different version using the configuration designer.
Some tasks are common to most Cordova apps. These include:


Create a Cordova project


Before you can create a new project, make sure that you’ve met all system requirements and installed the Visual Studio Tools for Apache Cordova, which is an optional feature in Visual Studio 2015. For more information, see Install Visual Studio Tools for Apache Cordova.

To create a new project

  1. Open Visual Studio. On the menu bar, choose File > New > Project.
  2. In the New Project dialog box, under Templates, choose JavaScript > Apache Cordova Apps, and then choose the Blank App template.
    Note
    A Blank App template for TypeScript is under TypeScript > Apache Cordova (the complete ToDoList tutorial uses JavaScript).
  3. Choose Browse to find a location for the project.
  4. Give the app a name and then choose OK.
    Note
    If you intend to go through the complete tutorial by creating the ToDoList sample app, name the app AngularJSToDo.
    Visual Studio creates the new project and opens Solution Explorer in the right pane.
    [Figure: Project structure in an Apache Cordova app in VS]
Important
The project structure in Visual Studio 2015 RC is updated to support third-party CLIs and to match the Cordova project structure. Visual Studio 2013 uses the deprecated project structure. We recommend that you create Cordova apps using Visual Studio 2015.
The new Cordova project includes four top-level folders:
  • merges is used to add platform-specific code. For more information, see Configure Your App Build with Visual Studio Tools for Apache Cordova.
    • By default, the Blank App template includes commonly used platform-specific code for Windows and Android devices in the merges folder. (platformOverrides.js is used to specify the platform file.)
    • For Android devices, a .js file is included to provide support for the JavaScript Function.prototype.bind() function on Android 2.3 devices.
    • For Windows and Windows Phone 8.1, a winstore-jscompat.js file is included in the merges\windows folder to enable support for a variety of JavaScript libraries. For more information, see the JavaScript Dynamic Content shim for Windows Store apps project site.
  • plugins is used for Apache Cordova plugins that provide access to native device features.
  • res is used for platform-specific visual assets (icons and splash screens), signing certificates, and (if needed) platform-specific configuration files. For more information, see Configure Your App Build with Visual Studio Tools for Apache Cordova.
  • www folder, which is used for your app code.
    The www folder contains several more folders:
    • css contains basic CSS style sheets that are included with the blank template.
    • images is the suggested location for images for your app.
    • scripts is the default location for all JavaScript or TypeScript files.
In addition to CSS and JavaScript files, the new project also includes several more files:
  • config.xml contains configuration settings for your app. You can open this file from Solution Explorer in the configuration designer, an interface for config.xml, or you can edit it directly by selecting View Code from the shortcut menu for the file.
  • taco.json stores project metadata that enables Visual Studio to build on non-Windows operating systems like a Mac.
  • www\index.html is the default home screen for your app.
  • Project_Readme.html contains links to useful information.
For in-depth information on the Cordova build process in Visual Studio and on the Visual Studio project structure, see Deploy and Run your App.

Build and run the default "Hello" app


After you create a project using the default Blank App template, run a quick test to verify your installation and setup. For this initial test, run the default "Hello" app (the unmodified Blank App template) on either Windows or one of the Apache Ripple emulators, which have minimal setup requirements. If you prefer to test your app on another target, see the following topics: Run Your Apache Cordova App on Android, Configure the Visual Studio Tools for Apache Cordova, and Run Your Apache Cordova App on Windows Phone.

To build and run the default "Hello" app

  1. Choose Windows-x64, Windows-x86, or Android from the Solution Platforms list.
    The following illustration shows the Android platform.
    [Figure: Select Android as your deployment target]
    If the Solution Platforms list isn't showing, choose Solution Platforms from the Add/Remove Buttons list, and then choose your platform (Windows-x64, Windows-x86, or Android).
    [Figure: Selecting a platform for deployment]
  2. If you chose the Android platform, choose one of the Apache Ripple emulators, as shown here.
    [Figure: Selecting the Ripple emulator]
    If you are using Visual Studio 2015 and have Hyper-V enabled on your machine, you can run the app on the Visual Studio Emulator for Android (select an option such as VS Emulator Android Phone).
    If you chose a Windows platform, you can run the app on the default deployment target, Local Machine.
  3. Press F5 to start debugging, or Shift+F5 to start without debugging.
    Here's what the default app looks like in one of the Ripple emulators.
    [Figure: The default "Hello" app in the Ripple emulator]
    Tip
    If you are running on a Ripple emulator and you get an error that indicates you need to install a new version of the Android SDK, use the Android SDK Manager to install it. On Windows, SDK Manager.exe is in C:\Program Files (x86)\Android\android-sdk.
    If you see an error such as Cannot find module [modulename], see Re-installing vs-tac. If you experience other problems, see Known Issues and the FAQ.
  4. Press Shift+F5 to stop debugging.
Next steps:

Choose a third-party JavaScript framework


Typically, when building a Cordova app, you’ll also want to include a third-party JavaScript framework to make application development easier or to follow best practices for designing apps. You're not limited to just one framework! (Nor is one required. These frameworks are not part of Cordova.)
Third-party JavaScript frameworks may include a variety of features and design characteristics, such as:
  • Model-View-Controller (MVC) design patterns to help separate application concerns. AngularJS and Backbone are just two popular examples of this.
  • UI controls and styles. A UI framework (or library) typically includes specific controls, such as a grid control, and sometimes CSS style sheets. For more info, see Build a UI.
  • Navigation model. Frameworks like AngularJS and open source WinJS, and other frameworks provide a single-page navigation model to help enable app-like behavior.

Build a UI


Cordova apps run in a WebView control on all platforms except Windows and Windows Phone 8.1, so they will tend to look more like web apps. When planning a UX for customers, it is important to ask a couple of questions:
  • Do you want your app to look the same on different platforms?
    A UI framework typically provides a branded experience and is intended to look the same across platforms. A few examples of popular UI frameworks include Ionic and Bootstrap.
  • If you want a native look-and-feel, are you targeting a particular platform more than others?
    Some UI frameworks may resemble a particular platform's look-and-feel, such as iOS. If you are aiming for a native look-and-feel for each platform, development cost will be higher and a native look-and-feel may be difficult to achieve.
It is important to follow the design guidelines for particular platforms to make sure that your app can pass the review process. Apps don't necessarily need to look native to get approved for an app store, but they should behave more like an app than a web page. For more information, see Get Your Apache Cordova App Approved by the App Stores.
For a sample that uses Ionic, see the Ionic SideMenu Starter Template. For a sample that uses open-source WinJS, see WinJS Navigation template.
If your UI is relatively simple, or if you have the development resources on hand, you can create your own UI using best practices for cross-platform CSS, such as using CSS3 Flexbox and @media queries. There are many web resources that provide information about this.
A few things to keep in mind if you build your own UI:
  • If you target Android 4.4 or later (Chromium-based browser), Windows, or Windows Phone, support for current CSS standards and other web technologies is better. See caniuse.com for specific information on supported features.
  • If you target iOS or Android versions before 4.4, the browser is WebKit-based. (The Ripple Emulator, which uses the installed version of Chrome, behaves more like Android 4.4.) Some WebKit browser behavior is different. For example, WebKit browsers don't provide consistent support for vw and vh units, which are useful when designing a responsive UI.
Tip
Use the merges folder in your project to handle platform differences that can't be coded in a more generic fashion.

Add native features (plugins)


One of the most important features that Cordova provides is support for plugins that enable access to native features, such as geolocation and battery. Using a plugin, you can program to a generic JavaScript API. Core plugins typically support all the main platforms, while third-party plugins may require more investigation: a plugin ships native code that runs with your app's permissions, so review its source, the platform permissions it declares, and who maintains it before adding it. If plugin support is not available, you may need to customize an existing plugin or write your own, which will require native code.
For more info, see Manage Plugins for Apps Built with Visual Studio Tools for Apache Cordova

Add connected services


If your app is using Azure or Office365 services, see Add Connected Services to App Built with Visual Studio Tools for Apache Cordova. A core plugin for Azure Mobile Services is available in the Config Designer in Visual Studio.
For information on adding the Azure services in the task list sample app for Visual Studio Tools for Apache Cordova (AngularJS version), see Create the ToDoList Sample App.
To get started creating apps using Azure or O365 services with Cordova, see the following articles and blog posts.

Add platform-specific resources


Platform-specific resources, like splash screens and store icons, are required to get apps approved for download from app stores. The res folder in your project contains these resources. You can also use the res folder to add custom configuration files. For more info, see Configure Your App Build with Visual Studio Tools for Apache Cordova.
Download the tools: Get the Visual Studio Tools for Apache Cordova