Exchange 2010 Rapid Analysis for IOCs

Purpose

With the Hafnium “incidents” and Exchange vulnerabilities I wanted to help people with ruling in or out compromise of their Exchange 2010 environments. At the time of writing, I don’t believe that Hafnium affected Exchange 2010 via the reported kill chain, I believe that BEC would be required but this is a theory, my general view is Exchange 2010 might be ‘safe’ from this kill chain. This is due to the initial stage leveraging CVE-2021-26855 which is an SSRF vulnerability which only affectes the new architecture (2013+). However, this is an unsupported platform so I wanted to help with some baselines and talk about how I would approach ruling compromise in or out (at least with regards to these vulnerabilities). The key impact area is a web shell. I’ve made some baselines to help people look for abnormalities.

Disclaimer

This document was made with limited time and without full Whitebox access to source code and engineering expertise. The areas we are checking for IOCs appear to make logical sense, but the OS and APP (Exchange 2010) are unsupported, and we are not the vendor. So, I am afraid your hunting responsibility is on you, this is just my opinions and thoughts from a very fast analysis. Use at your own risk. Read more “Exchange 2010 Rapid Analysis for IOCs”

The grass is always greener, until it is not

A PwnDefend Story – Day 7

It is a blur so far, I figured after the last place the grass would be greener, surely no one else has that many security challenges. I did some due diligence during the interview process, they seemed very confident about having certifications and that they took security seriously. hell, that should have set some red flags off but even the cynical sometimes hope that it is as someone says.

I have started to work myself around the board and I am making friends with people, my diary is filled with zoom calls and my notebook is already many pages deep.

You cannot make this stuff up though, day two and I’ve dealing with a business email compromise incident, the phishing page was not even in good English but then it only takes a second or so whilst in a meeting to not quite realise your running on autopilot so you cannot blame people. Hell, the branding was copied so we know it was a targeted phish. It would have been nice to at least had centralised logs for the team to analyse though. Read more “The grass is always greener, until it is not”

How to enable NULL Bind on LDAP with Windows…

History of NULL bind

Back in the early Active Directory days NULL bind was actually enabled by default, these days you can get a rootDSE NULL bind out of the box but on Windows Server 2019 you can even disable this!

So why would I want to enable NULL bind? Well, some legacy apps may need it but generally speaking you don’t want NULL bind enabled.

The lesson here is DO NOT copy what I am doing here! Simples! Read more “How to enable NULL Bind on LDAP with Windows Server 2019”

vSphere Unauthenticated Remote Code Execution Vulnerability – VMSA-2021-0002

For vendor guidance please see:

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

CVE Refs: CVE-2021-21972, CVE-2021-21973, CVE-2021-21974

Introduction

There’s a new unauthenticated remove code execution (RCE) in vSphere 6.5, 6.7 and 7.0 which has just dropped. There’s a vendor patch and currently there is no known public exploit however the hunt will now be on and I can imagine that it’s hours and days until this is in the wild rather than weeks or months.

Read more “vSphere Unauthenticated Remote Code Execution Vulnerability – VMSA-2021-0002”

Active Directory Effective Permission Auditing

Active directory permissions are a complex beast, at the core of Active Directory you have databases and partitions.

These have access controls lists, there are two types of these:

  • DACL
  • SACL

https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists

In active directory auditing these with out of the box tools can be a pain, especially when you are looking to enumerate effective permissions. Luckily a nice chap as made a great PowerShell app which can help you with your auditing activities! Read more “Active Directory Effective Permission Auditing”

Threat Modelling 101

What is a threat?

https://csrc.nist.gov/glossary/term/threat

According to those clever people at NIST it is:

“Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.” Read more “Threat Modelling 101”

CyberChef Taster

A quick snack

Everyone knows about cyber chef, right? Well, I can tell you now that my misses knows so if you don’t now’s a great time to get to know! Cyber Chef is a tool created by GCHQ distrubted via an apache license that’s hosted on GitHub or you can download and run locally. Read more “CyberChef Taster”

WordPress Security Considerations

WordPress is one of the most popular content management systems in the world today. I believe it is about 35% of the market share globally. That is a lot of sites.

I have been using WordPress for years myself; some people give it some stick for being vulnerable but that is usually them referring to third party plugins. I like it because you can build a site easily, without having to spend ages and you can deploy it and migrate etc. without having a huge headache. Read more “WordPress Security Considerations”

Copyright (c) Xservus Limited