Jun 30, 2022

Remediate Security Recommendations with Governance


This webinar introduces the new Governance feature in Defender for Cloud. It drives security posture improvement by letting you create governance rules that assign recommendations to owners with due dates, notify those owners, track progress, and take action to raise the secure score.

 

Building an automated process

To make sure your organization is systematically improving its security posture, you can define rules that assign an owner and set the due date for resources in the specified recommendations. That way resource owners have a clear set of tasks and deadlines for remediating recommendations.

  • Defining governance rules to automatically set the owner and due date of recommendations
  • Manually assigning owners and due dates for recommendation remediation
  • Tracking the status of the recommendations for further action
  • Tracking progress by rule with the governance report
  • Weekly email notifications to the owners and managers.

 


Jun 24, 2022

Using winget

A quick note on learning the winget.exe command line.


Install Packages

PS> winget install python


Search for Packages

PS> winget search mysql


Show Package Details

PS> winget show Notepad++


Manage Sources (List, Add, Update, Remove, Reset)

Adding a source means trusting that source's manifests and the installer hashes they carry, so only add sources you control or trust, and check the list periodically.
PS> winget source list

PS> winget source add --name azure https://winget.azureedge.net/cache

PS> winget source update

PS> winget source remove --name azure

PS> winget source reset --force


List Packages

PS> winget list


Uninstall Packages

PS> winget uninstall Notepad++.Notepad++



Jun 23, 2022

Windows Cmdline

A series of blog posts from Windows Command-Line.

  1. Backgrounder
  2. The Evolution of the Windows Command-Line
  3. Inside the Windows Console
  4. Introducing the Windows Pseudo Console (ConPTY)
  5. Unicode and UTF-8 Output Text Buffer

The series follows text-encoding history from 7-bit ASCII through 8-bit code pages to UTF-8, and how that history shaped the command line, shells and consoles.

Jun 22, 2022

New Attack Vector PetitPotam

Still remember the PetitPotam attack?

PetitPotam is an NTLM relay attack, tracked as CVE-2021-36942, that French security researcher Gilles Lionel (aka Topotam) discovered in July 2021.

Strictly, PetitPotam is an authentication coercion primitive used in NTLM relay attacks: it forces a device, even a domain controller, to authenticate with NTLM to a server the attacker controls. The attacker's server then relays that authentication to another service (typically AD CS web enrollment), obtains a certificate or session for the coerced machine account, and can impersonate the device with all of its privileges.

The PetitPotam attack allowed unauthenticated users to call the EfsRpcOpenFileRaw function of the MS-EFSRPC API to force a device to perform NTLM authentication against attacker-controlled servers.

Between January and March 2022, security researcher Raphael John found during pentests that PetitPotam still worked against patched systems. When he reported it, Microsoft fixed the bypass under a new CVE rather than the original one assigned to PetitPotam.

Topotam's PoC tool coerces Windows hosts to authenticate to other machines via the MS-EFSRPC EfsRpcOpenFileRaw call.

The tool uses the LSARPC named pipe with interface UUID c681d488-d850-11d0-8c52-00c04fd90f7e because it is more prevalent, but the same trigger works through the EFSRPC named pipe and interface UUID df1941c5-fe89-4e79-bf10-463657acf44d. It needs no credentials against a domain controller, and disabling the EFS service seems not to mitigate the "feature".

 

During the May 2022 Patch Tuesday, Microsoft released a security update for an actively exploited NTLM relay attack labeled 'Windows LSA Spoofing Vulnerability' and tracked as CVE-2022-26925.

In June 2022, security researcher Filip Dragovic released a proof-of-concept script for a new NTLM relay attack called DFSCoerce. It is based on the PetitPotam exploit, but instead of MS-EFSRPC it uses MS-DFSNM, the RPC protocol for managing the Windows Distributed File System (DFS) namespace, to coerce a host (including a domain controller) into authenticating to an arbitrary server, which can then be relayed to take over the Windows domain.

To coerce a remote server into authenticating to a malicious NTLM relay, threat actors now have several interchangeable methods: MS-RPRN (PrinterBug/SpoolSample), MS-EFSRPC (PetitPotam), MS-FSRVP (ShadowCoerce) and MS-DFSNM (DFSCoerce). Patching one RPC call does not remove the others.

Microsoft's guidance for defending against these relay attacks (KB5005413) therefore targets the relay rather than each coercion call: disable NTLM on domain controllers where possible, disable the web enrollment services on Active Directory Certificate Services servers if they are not needed, enable Extended Protection for Authentication on the AD CS web services, and require signing (SMB signing, LDAP signing and channel binding) so a relayed session cannot be used against those services.
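Detection is the other half. All of the coercion methods above arrive as a named-pipe open over the IPC$ share, so the pipe name in Windows Security event 5145 (RelativeTargetName) tells you which protocol was used. The script below is an added example, not code from PetitPotam, DFSCoerce or Microsoft. It assumes the "Detailed File Share" audit subcategory is enabled on the domain controller so that those pipe opens are logged as 5145, and the sample log lines, the trusted-subnet list and the key=value rendering of the event fields are all constructed for the example.

```python
"""Spot NTLM-coercion attempts (PetitPotam, DFSCoerce, PrinterBug, ShadowCoerce)
in Windows Security event 5145 records.

Added example, not from PetitPotam/DFSCoerce or Microsoft. Assumptions: the
"Detailed File Share" audit subcategory is on, so every named-pipe open over
IPC$ is logged as event 5145 with the pipe in RelativeTargetName; the sample
log below uses a constructed key=value rendering of those event fields.
"""
import ipaddress

# Named pipes that carry the coercion RPC interfaces discussed above.
COERCION_PIPES = {
    "lsarpc":      "MS-EFSRPC (PetitPotam, via the LSARPC pipe)",
    "efsrpc":      "MS-EFSRPC (PetitPotam, via the EFSRPC pipe)",
    "netdfs":      "MS-DFSNM (DFSCoerce)",
    "spoolss":     "MS-RPRN (PrinterBug)",
    "fssagentrpc": "MS-FSRVP (ShadowCoerce)",
}


def parse_events(log_text):
    """Parse the constructed 'Field=value;Field=value' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        events.append(dict(kv.split("=", 1) for kv in line.split(";")))
    return events


def coercion_alerts(events, trusted_nets):
    """One alert per 5145 event that opens a coercion pipe on IPC$ from an
    address outside trusted_nets (your DC and admin-host ranges)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for ev in events:
        if ev.get("EventID") != "5145":
            continue
        if not ev.get("ShareName", "").lower().endswith("ipc$"):
            continue
        pipe = ev.get("RelativeTargetName", "").lower()
        protocol = COERCION_PIPES.get(pipe)
        if protocol is None:
            continue
        src = ipaddress.ip_address(ev["IpAddress"])
        if any(src in net for net in nets):
            continue
        alerts.append({
            "source": str(src),
            "account": ev.get("SubjectUserName", "?"),
            "pipe": pipe,
            "protocol": protocol,
        })
    return alerts


# Constructed sample events (not real logs). Only the 2nd and 3rd lines should
# fire: a trusted DC, an unrelated pipe (srvsvc) and a non-5145 event are skipped.
SAMPLE_LOG = """\
EventID=5145;IpAddress=10.0.0.5;SubjectUserName=DC02$;ShareName=\\\\*\\IPC$;RelativeTargetName=lsarpc
EventID=5145;IpAddress=10.10.9.77;SubjectUserName=ANONYMOUS LOGON;ShareName=\\\\*\\IPC$;RelativeTargetName=lsarpc
EventID=5145;IpAddress=10.10.9.77;SubjectUserName=jdoe;ShareName=\\\\*\\IPC$;RelativeTargetName=netdfs
EventID=5145;IpAddress=10.10.9.78;SubjectUserName=jdoe;ShareName=\\\\*\\IPC$;RelativeTargetName=srvsvc
EventID=5140;IpAddress=10.10.9.78;SubjectUserName=jdoe;ShareName=\\\\*\\SYSVOL;RelativeTargetName=
"""

TRUSTED_NETS = ("10.0.0.0/24",)  # assumed DC/admin subnet for the example


def analyze(log_text=SAMPLE_LOG, trusted_nets=TRUSTED_NETS):
    return coercion_alerts(parse_events(log_text), trusted_nets)


if __name__ == "__main__":
    for a in analyze():
        print(f"{a['source']} ({a['account']}) opened {a['pipe']}: {a['protocol']}")
```

Treat the lsarpc hit as a lead rather than a verdict: ordinary clients open that pipe on domain controllers too, so correlate it with the account (an anonymous logon is a strong signal) and with a following network logon (event 4624, logon type 3) by the coerced machine account from an unexpected host. The netdfs, spoolss and FssagentRpc pipes are rarely opened on a DC by workstations and are much less noisy.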



Jun 21, 2022

Code Bloat

The golden age of programming used to be when CPUs and memory were limited; now, we live in a pile of inefficient rubbish.

Jun 9, 2022

EPSS version 2

EPSS version 2 was released on Feb 04, 2022.

The Exploit Prediction Scoring System (EPSS) is a data-driven effort to estimate the likelihood (probability) that a vulnerability will be exploited in the wild. It collects ground-truth information, such as how often vulnerabilities are actually being exploited, and compares that with the attributes of each vulnerability.

The goal of EPSS v2 is to estimate the probability of observing exploitation of a given CVE in the next 30 days.

Objectives:

  1. Centralized (data collection, scoring and API driven)
  2. Performant (outperform other scores and EPSSv1)


Comparing CVSSv3 and EPSS Coverage

Choosing the right remediation strategy matters, and the scoring systems can be compared on the same footing. For a threshold strategy ("remediate everything scored at or above X"), effort is the share of vulnerabilities you end up remediating, coverage is the share of actually exploited vulnerabilities the strategy caught, and efficiency is the share of remediated vulnerabilities that were actually exploited. The table below holds coverage near 50% and compares the effort and efficiency each scoring system needs to get there.

Comparison by Coverage: CVSS v3 vs EPSS v2

Scoring    Strategy threshold    Effort       Coverage    Efficiency
CVSS v3    8.8+                  253/1000     50.7%       5.0%
EPSS v1    0.066+                93/1000      51.2%       12.9%
EPSS v2    0.149+                47/1000      50.9%       42.5%

With the right strategy, we can balance coverage against the reality of the time, money and energy needed to remediate.
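The three columns can be computed from any scored vulnerability list. As an added example (not from the EPSS project), the script below defines effort, coverage and efficiency for a threshold strategy and finds the highest threshold that still reaches a coverage target, which is how the table's "about 50% coverage" rows are chosen. The CVE records are constructed for the example, not real scores; in practice you would join CVSS and EPSS scores from the EPSS data feed with your own exploitation evidence.

```python
"""Effort, coverage and efficiency of a threshold-based remediation strategy.

Added example, not from the EPSS project. The vulnerability records below are
constructed for illustration (fake CVE ids, fake scores).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float       # CVSS v3 base score
    epss: float       # EPSS probability of exploitation in the next 30 days
    exploited: bool   # ground truth: exploitation observed in the window


# Constructed sample: 10 CVEs, 4 of which were exploited.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.97, True),
    Vuln("CVE-0000-0002", 9.8, 0.02, False),
    Vuln("CVE-0000-0003", 9.1, 0.01, False),
    Vuln("CVE-0000-0004", 8.8, 0.45, True),
    Vuln("CVE-0000-0005", 8.8, 0.03, False),
    Vuln("CVE-0000-0006", 7.5, 0.88, True),
    Vuln("CVE-0000-0007", 7.5, 0.01, False),
    Vuln("CVE-0000-0008", 6.5, 0.20, True),
    Vuln("CVE-0000-0009", 5.3, 0.01, False),
    Vuln("CVE-0000-0010", 4.3, 0.00, False),
]


def strategy_metrics(vulns, score, threshold):
    """Remediate every vuln whose `score` ('cvss' or 'epss') >= threshold.

    effort     = remediated / total                    (how much work)
    coverage   = remediated & exploited / exploited     (recall)
    efficiency = remediated & exploited / remediated    (precision)
    """
    selected = [v for v in vulns if getattr(v, score) >= threshold]
    true_pos = sum(1 for v in selected if v.exploited)
    exploited = sum(1 for v in vulns if v.exploited)
    return {
        "remediated": len(selected),
        "effort": len(selected) / len(vulns),
        "coverage": true_pos / exploited if exploited else 0.0,
        "efficiency": true_pos / len(selected) if selected else 0.0,
    }


def cheapest_threshold_for_coverage(vulns, score, target):
    """Highest threshold (smallest work list) that reaches `target` coverage.

    Walks the distinct scores from high to low; returns (threshold, metrics)
    or None if even remediating everything does not reach the target.
    """
    for t in sorted({getattr(v, score) for v in vulns}, reverse=True):
        m = strategy_metrics(vulns, score, t)
        if m["coverage"] >= target:
            return t, m
    return None


if __name__ == "__main__":
    for score in ("cvss", "epss"):
        t, m = cheapest_threshold_for_coverage(SAMPLE, score, 0.5)
        print(f"{score}: threshold {t}+ -> effort {m['effort']:.0%}, "
              f"coverage {m['coverage']:.0%}, efficiency {m['efficiency']:.0%}")
```

On this constructed data, reaching 50% coverage costs half the list with a CVSS threshold (efficiency 40%) but only a fifth of it with an EPSS threshold (efficiency 100%); the shape of the real table is the same, just with larger numbers.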



Jun 8, 2022

Switch Between CLI and GUI

How to switch between the command-line interface and the GUI by changing the systemd boot target.

First, systemd no longer uses the runlevel term; boot choices are called targets. The two primary targets here are multi-user.target (the CLI, runlevel 3 in SysV terms) and graphical.target (the GUI, runlevel 5).


To identify the current target:

$ sudo systemctl get-default


To launch GUI from the multi-user.target:

$ sudo systemctl isolate graphical.target

And to switch back to CLI mode:

$ sudo systemctl isolate multi-user.target


To set a default target

$ sudo systemctl set-default multi-user.target


To reboot and confirm the appropriate target:

$ sudo systemctl reboot


Target Files

Targets are managed by .target files, which simply group units and their dependencies into a convenient format. It is the unit files themselves (.service and so on) that define exactly what services and other features start when the target is reached. Enabling a unit adds it to the target that wants it and disabling removes it; for example, to control whether the SSH daemon starts at boot:

$ sudo systemctl enable sshd

$ sudo systemctl disable sshd

 


Jun 7, 2022

Windows Virtual Machines

Here are the two ways to get a pre-made Windows virtual machine directly from Microsoft. Note that these are evaluation images with an expiry date, not a permanent solution.

The first is the Microsoft Edge Developer page, under Tools and then VMs. You can choose between Windows 8, 8.1 and 10, and for the VM platform between VirtualBox, Vagrant, VMware, Hyper-V and Parallels (Mac).

For a Windows 11 VM, head over to the Windows 11 development environment page. Again, there are four virtualization software options. Note the expiration date!

Microsoft recommends saving a snapshot of the VM before first use, but this only works for the first method.



Jun 6, 2022

Adopting PasswordLess

Why passwordless?

Signing in without a password seems almost nonsensical, yet it can be more secure than traditional sign-ins.

Passwordless sign-in with only an email address is almost a backhanded approach to two-factor authentication. By proving you have access to that email account, by clicking a link emailed to you, you have authenticated securely and need nothing else. The site using this technique is relying on you to keep that email account appropriately secure, and on itself to make the emailed link unguessable, short-lived and usable only once.
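What "the link" has to look like on the server side is where such schemes go wrong. The class below is an added example, not code from any product the page mentions: it issues a magic-link token, stores only a hash of it, binds it to one email address, expires it after fifteen minutes and accepts it exactly once. The in-memory store and the injectable clock are constructed for the example; a real service would keep the pending entries in a database and rate-limit issuance per address.

```python
"""Magic-link (email) sign-in: issue a token, redeem it once, let it expire.

Added example, not taken from any product. It shows the checks that keep an
emailed link from being weaker than the password it replaces: an unguessable
token, a short lifetime, single use, binding to one email address, storing
only a hash of the token, and a constant-time comparison. The in-memory store
and the injectable clock are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL = 15 * 60  # seconds; short, because the link sits in an inbox


class MagicLinkStore:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # email -> (sha256(token) hex, expires_at)

    def issue(self, email):
        """Return the raw token to put in the link. Only its hash is kept, so a
        leaked table cannot be turned into working links. Issuing again for the
        same address replaces the earlier link."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._pending[email.lower()] = (self._digest(token), self._now() + TOKEN_TTL)
        return token

    def redeem(self, email, token):
        """True exactly once for a live token issued to this email; False for
        unknown, expired or mismatched tokens. A wrong guess does not burn the
        pending link (with 256-bit tokens online guessing is hopeless, and
        burning it would let anyone lock the user out by submitting junk)."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[key]
            return False
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[key]  # single use
        return True

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def build_link(base_url, email, token):
    """The URL that goes into the email; the server reads both parameters back."""
    return f"{base_url}?{urlencode({'email': email, 'token': token})}"


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("alice@example.com")
    print(build_link("https://app.example/login", "alice@example.com", tok))
    print("first click:", store.redeem("alice@example.com", tok))   # True
    print("second click:", store.redeem("alice@example.com", tok))  # False
```

Two details matter beyond the token itself: the redeem endpoint must be a POST or require a click-through, because mail scanners and link previewers fetch GET links and would silently consume a one-shot token; and because anyone with the inbox is the user, the expiry has to be short enough that a compromised or forwarded mailbox is not a standing credential.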



Jun 5, 2022

Finding bugs with Nuclei


Nuclei is a community-powered scanner that can scan for almost every web-based vulnerability. But how does it work and how can you tailor it to your needs? All that and much more will be covered in this session.



Jun 4, 2022

DevSecOps 101

This is a four-part tutorial on DevSecOps 101.

In part 1, we learn how to detect and avoid vulnerable dependencies when developing applications. The first step towards building more secure apps is detecting, and not using, dependencies that have known vulnerabilities. This process is called Software Component Analysis (SCA).

There are a few commercial options like Snyk, but for this tutorial, we will use the open-source pip package safety.

$ pip install safety

$ safety check --full-report

The second step is to integrate SCA into the CI/CD process by adding a GitHub workflow to the repository, so the check runs on every push.

Next, we analyse the source code itself to find security vulnerabilities. This process is known as Static Application Security Testing (SAST), and it has been part of the enterprise software development lifecycle (SDLC) for years.

Open-source tools such as pylint, eslint or semgrep now cover this.

semgrep is, as its name suggests, like grep, but for source code. It lets developers find patterns in their code automatically while taking into account semantics such as variable renaming, so a rule for a dangerous call still matches when the call is reached through an alias. The tutorial shows an example of semgrep finding XSS in Django code.

Even better, semgrep supports many languages, and the semgrep community has already written plenty of rulesets to detect bad practices and security flaws in them.

$ pip install semgrep

$ semgrep --config "p/ci" --exclude .venv --error

  •     --config "p/ci" means "use the community-written security rules for running in a ci environment"
  •     --exclude .venv means "do not search for vulnerable source code in the .venv folder" (otherwise it would return hundreds of alerts!)
  •     --error means return a non-zero error code if alerts are found. Useful for making the CI fail if insecure patterns are detected

Next, we add semgrep to the CI/CD so we never have to run it by hand again. With this, we have installed a tool that scans all our Python code for insecure patterns, gives us recommendations on how to solve them, and integrates seamlessly into our CI/CD.
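To make concrete what "patterns plus semantics" buys over a plain grep, here is a miniature SAST check in the spirit of semgrep. It is an added example written for this page, not semgrep and not the tutorial's code: it walks the Python AST, resolves import aliases, and flags a handful of classic sinks (subprocess with shell=True, eval/exec/os.system, Django's mark_safe, yaml.load without a Loader) only when they receive a non-literal argument. The rule table and the sample source are constructed for the example.

```python
"""A miniature SAST check in the spirit of semgrep.

Added example written for this page; it is not semgrep and not the tutorial's
code. It walks the Python AST and flags a few classic sinks when they receive
a non-literal argument, resolving import aliases (``import subprocess as sp``,
``from os import system as sh``) the way a textual grep cannot. The rule set
and the sample source are constructed for the example.
"""
import ast

# qualified callee -> rule kind
SINKS = {
    "subprocess.run": "shell_kw", "subprocess.call": "shell_kw",
    "subprocess.Popen": "shell_kw", "subprocess.check_output": "shell_kw",
    "os.system": "dynamic", "eval": "dynamic", "exec": "dynamic",
    "django.utils.safestring.mark_safe": "xss",
    "yaml.load": "yaml",
}
MESSAGES = {
    "shell_kw": "command injection: shell=True with a non-literal command",
    "dynamic": "code/command injection: non-literal argument to a dynamic sink",
    "xss": "XSS: mark_safe() on non-literal HTML",
    "yaml": "unsafe deserialization: yaml.load() without an explicit Loader",
}


def _is_literal(node):
    """A string/number constant, or a list/tuple made only of constants."""
    if isinstance(node, ast.Constant):
        return True
    return isinstance(node, (ast.List, ast.Tuple)) and all(
        isinstance(e, ast.Constant) for e in node.elts)


def _keyword(call, name):
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


class Finder(ast.NodeVisitor):
    def __init__(self):
        self.names = {}     # local name -> fully qualified name
        self.findings = []  # (line, qualified callee, message)

    def visit_Import(self, node):
        for a in node.names:
            top = a.name.split(".")[0]
            self.names[a.asname or top] = a.name if a.asname else top

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.names[a.asname or a.name] = f"{node.module or ''}.{a.name}"

    def qualname(self, func):
        """sp.run -> subprocess.run, sh -> os.system, eval -> eval."""
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None
        parts.append(self.names.get(func.id, func.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        callee = self.qualname(node.func)
        kind = SINKS.get(callee)
        first = node.args[0] if node.args else None
        if kind == "shell_kw":
            shell = _keyword(node, "shell")
            hit = (isinstance(shell, ast.Constant) and shell.value is True
                   and first is not None and not _is_literal(first))
        elif kind in ("dynamic", "xss"):
            hit = first is not None and not _is_literal(first)
        elif kind == "yaml":
            hit = _keyword(node, "Loader") is None
        else:
            hit = False
        if hit:
            self.findings.append((node.lineno, callee, MESSAGES[kind]))
        self.generic_visit(node)  # keep walking into nested calls


def scan(source):
    finder = Finder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample source: three of the five calls should be flagged.
SAMPLE = '''
import subprocess as sp
from subprocess import run as sh
from django.utils.safestring import mark_safe
import yaml

def ping(host):
    sp.run("ping -c1 " + host, shell=True)      # flagged: user input, shell=True
    sh(["ping", "-c1", host])                   # fine: argv list, no shell
    sh("ls -l /tmp", shell=True)                # fine: literal command

def render(comment):
    return mark_safe("<p>" + comment + "</p>")  # flagged: XSS

def load(cfg):
    return yaml.load(cfg)                       # flagged: no Loader
'''

if __name__ == "__main__":
    for line, callee, msg in scan(SAMPLE):
        print(f"line {line}: {callee}: {msg}")
```

This is deliberately a toy: it has no data-flow tracking, so a literal copied into a variable and then concatenated would be missed, and it knows nothing about the dozens of other sinks semgrep's p/ci ruleset covers. It exists to show why a SAST tool matches on the syntax tree with alias resolution rather than on text.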

In part 3, we will be moving into Security Integration Testing (SIT) with automation.

To have an additional layer of security testing that is closer to the application's production context, security teams use specialized tools that will simulate attacks against the running application and report the successful ones.

This process is called Dynamic Application Security Testing (DAST).

Nuclei is an easy-to-use application security testing tool written in Go. It leverages the community to create new automated tests using simple YAML template files.

$ go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

$ docker-compose up

$ nuclei -u http://localhost:8080

Next, we integrate Nuclei into the CI/CD process. Again, in only a few steps, we have installed a tool that scans for vulnerabilities directly inside CI/CD: the live, running app is scanned with the nuclei web-app security scanner.

In part 4, we learn how to scan Docker images with Trivy, an open-source security scanner that finds misconfigurations and known vulnerabilities.

Thanks to trivy, one can scan Docker images and know in seconds whether they contain packages with known vulnerabilities. Even better, trivy is free, open-source and well maintained.

$  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.21.0

$ docker build . --file Dockerfile.app -t dvpwa.app

$ trivy image dvpwa.app:latest

Lastly, we integrate trivy into GitHub Actions by following a template from Aqua Security. With that we have a tool that automatically detects vulnerable packages inside our Docker images, directly in the CI/CD; its exit-code and severity options let the scan fail the pipeline only for the severities you choose.

In fact, trivy can scan far more than Docker images: filesystems, requirements.txt, package.json, Dockerfiles and Kubernetes configs.

$ trivy config .

This scans Dockerfile.app and Dockerfile.db automatically.



Jun 2, 2022

Naabu - A Port Scanner

Naabu is a port scanning tool written in Go that enumerates open ports on a host or list of hosts quickly and reliably. It is a really simple tool that performs fast SYN or CONNECT scans and lists every port that replies; the -nmap-cli option then hands the open ports to nmap for service detection.

naabu --host 192.168.233.81 -nmap-cli 'nmap -sV'

Installation

$ sudo apt install -y libpcap-dev

$ go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

 


Jun 1, 2022

Nuclei - Community Powered Vulnerability Scanner

Nuclei is a fast and customizable vulnerability scanner based on simple YAML-based templates.

It has two components: 1) the Nuclei engine, the core of the project, which lets you script HTTP, DNS, network, headless-browser and file checks in a simple, readable YAML format; 2) Nuclei templates, ready-to-use community-contributed vulnerability templates.


nuclei -u http://192.168.233.81 -t misconfiguration/

Installation

$ go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

