Hasain Alshakarti

Six months ago I had a talk with Fabio Viggiani  about the development of ransomware and we made an educated guess about the next big type of ransomware attack to be CRYPTOWORMS!

The last few days many of us witnessed how a major ransomware attack affected many organizations across the world. Telefonica in Spain, theNational Health Service in the UK, and FedEx in the US are some tom mentions among many many more. The responsible for this attack was reported to be a ransomware variant known as ‘WannaCry’.

The malware has the ability to spread to other system by scanning a attacking the Server Message Block/SMB protocol resulting in a worm behavior. Once the malware has a foothold on a system it used different techniques to persist on that host.  The WannaCry malware appeared to primarily use the ETERNALBLUE modules for the initial exploitation of the SMB vulnerability addressed as part of Microsoft Security Bulletin MS17-010. If successful it then used the DOUBLEPULSAR backdoor to install the ransomware.

The domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – a “randomly” human-typed address primarily consists of keys in the top row of the keyboard, was observed in the malware code as a kill switch. If the malware could establish communication with the mentioned domain, it would stop but because the domain wasn’t registered, it continued to execute. A researcher worked out what was going on and simply registered the domain name and activated the kill switch!

In this particular case, the foremost reason for the success of “WannaCry” was because many didn’t upgrade or patch things. Reports started talking about the malware hitting machines as old as Windows XP and Windows 2003! Once infected other problems started to appear. Many affected individuals and organisations had no proper backups to recover from the ransomware.

At this point many affected entities are in the clean-up phase of the “WannaCry” story. Vendors and security professionals are helping out with patches, signatures, detection tools, removal tools, damage assessment and recommendations. The bigger lesson remains that we need to reinforce proper security focus and measures such as:

• Keep systems current and supported
• Apply and verify patches early
• Establish robust backups and recovery procedures
• Lock down and harden machines
• Conduct least privilege and protect administrative provileges
• Don’t open suspicious emails or attachments
• Restrict access to network resources
• Block unnecessary ports and implement host-based firewalls
• Enhance you ability to detect attacks
• Ensure you have the tools to perform incident response
• Establish strategies to inform users

These recommendations and many more discussions and security features and strategies are discussed as part of my Windows Cyber Security Road Trip. The class offers a detailed description and demonstrations of current risks and how to mitigate these risks using modern tools, features and strategies in the most current versions of Windows 10 and Windows Server 2016.

To summarize some of the most important steps needed during an attack we made this poster

Play safe and make sure to get well prepared before the next time! 

Microsoft has released the security baseline settings for Windows 10 along with an updated baseline settings for Internet Explorer 11. With this release Microsoft reevaluated older settings to determine whether they address contemporary threats, and have so far removed 44 that don’t.

The new baseline is to be combined with the newly released Local Administrator Password Solution (LAPS), Enhanced Mitigation Experience Toolkit EMET 5.5 beta and new security features in Windows 10 such as Credential Guard.

The draft baseline is available through the Microsoft Security Guidance blog http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

It didn’t take long time for spammers to start abusing the Boston Marathon bombing sending  emails with links to various Youtube videos of the explosions at the Boston Marathon, an automatic download of a malicious binary named “boston.avi_______.exe”, embedded malicious java code and other iframed pages with malicious content.

Sample email

Sample landing page with videos and Java 

The presenations from our pre-con/workshop sessions “Defending your Microsoft infrastructure from cyber threats” at TechDays 2013 in Belgium and the Netherlands are now available for download:

  TechDays 2013 Presentations download:(4.7 MiB, 4,525)

If you have any follow up questions about the sessions or any related topics please contact Hasain Alshakarti or Marcus Murray 🙂

The Hey, Scripting Guy! Blog is one of those blogs I would normally recommend to any body interested in scripting Windows. But I do have a very good reason to bump that recommendation this week just to make sure everybody following my blog do not miss that my colleague and fellow MVP Niclas Goude will be writing a couple of guest posts on The Scripting Guys blog regarding security from the 2:ndto the 6:th of July.

The specific subjects will be:

Monday: Scanning

Tuesday: Brute Force

Wednesday: Shares and Metadata

Thursday: Give yourself System Permission without psexec

Friday: LSA Secrets

Enjoy Powershell!

Microsoft has published the Windows 8 Release Preview Product Guide for Business, the guide describes how Windows 8 changes the work environments and how Windows is reimagined to support people’s unique working styles.

Windows 8 provides enterprise-class security capabilities that keep clients more secure from power-on to power-off.

Windows 8 provides the following enhanced security features:

Trusted boot process

With UEFI 2.3.1 equipped devices, the UEFI Secure Boot feature helps to ensure that malware is not able to start before Windows 8. The Windows 8 Trusted boot feature protects the integrity of the remainder of the boot process, including the kernel, system files, boot critical drivers, and even the antimalware software itself. The system’s antimalware software is the first 3rd party application or driver to start. Moving antimalware into the Trusted Boot process prevents it from being tampered with. In the event that malware is able to successfully tamper with the boot process Windows can automatically detect and repair the system.

Measured boot process

On Trusted Platform Module (TPM)-based systems, Windows 8 can perform a comprehensive chain of measurements during the boot process that can be used to further validate the boot process beyond Trusted Boot. Measured boot process enables all aspects of the boot process to be measured, signed, and stored in a Trusted Platform Module (TPM) chip. This information can be evaluated by a remote service to further validate a computer’s integrity before granting it access to resources. This process is called Remote Attestation.

BitLocker Drive Encryption

BitLocker now supports encrypted drives, which are hard drives that come pre-encrypted from the manufacturer. BitLocker offloads the cryptographic operations to hardware, increasing overall encryption performance and decreasing CPU and power consumption. On devices without hardware encryption, BitLocker allows you to choose to encrypt the used space on a disk instead of the entire disk. As free space is used, it will be encrypted. This results in a faster, less disruptive encryption of a hard drive. In addition, the user experience is improved by allowing a standard user, one without administrative privileges, to reset the BitLocker PIN.

AppLocker

AppLocker enables IT administrators to create security policies through Group Policy to prevent potentially harmful or other non-approved apps from running. With AppLocker, IT administrators can set rules based on a number of properties, including the signature of the application’s package or the app’s package installer and can more effectively control apps with less management.

Windows SmartScreen app reputation service

Windows SmartScreen app reputation is a safety feature in Windows 8. This service provides application reputation-based technologies to help protect users from malicious software that they may encounter on the Internet. This technology checks reputation on any new application, helping to keep users safe no matter what browser they use Windows 8. This helps to prevent malware and other viruses from infiltrating your organization. The Windows SmartScreen app reputation feature works with Internet Explorer’s SmartScreen feature, which also protects users from websites seeking to acquire personal information such as user names, passwords, and billing data.

Claim-based access control

With Windows 8, IT administrators can dynamically allow users access to the data they need based on the user’s role in the company. Unlike previous statically-controlled security groups, Claim-based access control allows IT admins to dynamically control access to corporate resources based on the user and device properties that are stored in Active Directory. For example, a policy can be created that enables individuals in the finance group to have access to specific budget and forecast data, and the human resources group to have access to personnel files.

I många sammanhang brukar penetrationstester förknippas med 3:e parts verktyg och linux-distributioner. Det brukar exempelvis krävas ett antal olika produkter och tekniker för att samla in den information som krävs för att avgöra om ditt företag sitter i en säker miljö.

I den här presentationen kommer vi att fokusera på vad du kan utföra i form av penetrationstestning utifrån en standardinstallerad Windowsklient.

Vi kommer även att gå igenom olika metoder du kan använda för att säkra upp din miljö.

Hasain, MVP på Security och Goude,MVP på Powershell kommer både att ge en spännande presentation som en spännande diskussion om pentest, säkerhet och PowerShell.

Ladda ner presentationen här: 2W-Pentest-Powershell

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers not aware of functionality…) or uses filters that does not provide efficient reduction of the number of certificates presented to the user making it almost impossible for a user to know witch certificate to choose unless opening the certificate and looking at the details of template name, EKU, etc.

This is particularly true when all certificates has been automatically enrolled using the same user DN/CN attribute based on the users Active Directory user object attributes. In addition to that, Autoenrollment does not support variations in certificate subject name unless using some third party policy module installed on the Active Directory Certificates Services.

Knowing that the certificate selection UI supports certificate friendly names. Setting the certificate friendly name to include information about the certificate template can simplify the users task to select the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = “$Windows NT$”
[Properties]
11 = “{text}My Friendly Name”

Save the file as friendlyname.inf

Determine the serialnumber of the certificate where the friendly name should be changed.

Run the following command at a command-line:
certutil –repairstore –user my {SerialNumber} FriendlyName.inf

Automating the friendly name can be achieved by either automating/scripting the steps above alternatively by creating a tool that enumerates all certificates in the personal store and assign the friendly name.

A proof of concept CertFN.exe tool was created to automate the above. The tool receives a parameter for the template name to use when filtering the user store, it then sets the friendly name based on the schema “Template Name – Certificate Subject Name”

  CertFN - Certificate Friendly Name Tool download:(39.3 KiB, 4,338)

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download:(1.1 KiB, 5,572)

When developing Metro style apps, Network Isolation helps your product to take advantage of the isolation mechanisms that will keep the app and system secure.

The new Windows Runtime APIs enable a developer to control the security profile of an app under development. Network access is part of this application security model. Not all apps will require access to the network. However for those that do, Windows provides the appropriate level of granularity for apps to access the network securely.

With network isolation, developers can define the scope of the network access required for each process, which prevents a process without the appropriate scope from accessing the specified type of network or connection. The ability to set and enforce these boundaries ensures that compromised apps have access only to networks they have explicitly been granted access to, significantly reducing the scope of their impact in other apps or the system itself.

Download and Read more about Network Isolation for Metro style Apps http://www.microsoft.com/download/en/details.aspx?id=27534. This paper provides information about network isolation for Windows operating systems. It provides guidelines for developers to determine the network boundary that a Metro style app will operate in, and what capabilities will be necessary to access required resources.

SYMPTOMS:

• You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
• You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
• You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
• You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
• You establish an L2TP/IPsec connection from the client computer to the server.
• The connection to the RRAS server is successful. However, you expect that the client computer cannot connect to the server.

The notes below are extracted from the “DigiNotar public report version 1” published at http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

“The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.

The software installed on the public web servers was outdated and not patched.

No antivirus protection was present on the investigated servers.

An intrusion prevention system is operational. It is not clear at the moment why it didn‟t block some of the outside web server attacks. No secure central network logging is in place.”

Microsoft has published an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie – G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven

http://support.microsoft.com/kb/2607712

1. Create, edit or change a group policy object for your clients
2. Navigate to “User Configuration”, “Administrative Templates”, “Windows Components”, “Remote Desktop Services”, “RD Gateway” and select the “Set RD Gateway server authentication method” setting:
3. Select the “Enabled” radio button.
4. Under “Set RD Gateway server authentication method”, click on the combo-box and select “Use locally logged-on credentials”.
5. If you want the users to be able to override this authentication method then select “Allow users to change this setting” checkbox.
6. Confirm the changes by clicking on the “OK” button until you return back to the main Group Policy Object Editor dialog.
7. Apply the policy and make sure it has been enforced on the client by running “gpupdate” to force the policy to be refreshed immediately on the local machine.
8. Start up the RD client and navigate to “Options”, “Advanced”, click on “Settings” under “connect from anywhere”. You should see the status text indicate the following: “Your Windows logon credentials will be used to connect to this RD Gateway server”.
9. The client will now be able to connect to the gateway server using locally logged on credentials

CMC certificate requests are normally used in combination with EOBO enrollment (Enroll On Behalf Of) scenarios where additional enrollment agent signatures are required by the certification authority to accept and process the certificate request.

Generating and signing the CMC certificate request can either be done using the certmgr.msc MMC snap-in or scripted using the certreq.exe tool provided in the Windows platform. The procedure using certreq to generate and sign the CMC certificate request is defined by the following steps

1. Create a certificate request inf file describing the request, below you find a sample inf file for EOBO request

[Version]
Signature= “$Windows NT$”

[NewRequest]
RequesterName = Crisco0\Administrator
RequestType = CMC

[RequestAttributes]
CertificateTemplate = EOBO_Template

2. Generate the initial self signed CMC certficate request using the command:

certreq.exe -new certificate_request.inf certificate_request.req

3. Sign the initial self signed CMC certficate request with the enrollment agent certificate using the command:

certreq.exe -sign certificate_request.req signed_certificate.req

4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:

certreq.exe -submit signed_certificate.req new_certificate.cer

The procedure described above works as expected until you try it in Windows 2008 R2 SP1 (I have not had the chans to test other versions yet) and you will get an error message at step 3 failing the agent signing.

What happens in step 3 is that the certreq tools will try to read the referenced certificate template from Active Directory and to figure out the signing requirements and it simply fails with the error message:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

After struggling with my request inf file and certificate template with the same error I decided to perform the agent signing using other tools, after some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx  about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice with provided samples but I wanted something more simple so I ended up in this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about “Create Enroll on Behalf of Another User Request”. Usingthe code from the “Create Enroll on Behalf of Another User Request” article I created the cmcSigner tool and the CMC request could be signed and the certificate issued without errors.

What if this version certreq.exe has some issue? To figure out that I decided to test the certreq -sign operation with an older version of certreq.exe so I grabbed the Windows 2003 Admin Tool Pack and extracted the certreq.exe and tested the signing step with no errors!

Conclusion: certreq.exe in some later versions has a problem performing a certificate signing operation.

Solution: use another version of certreq.exe or another tool like the cmcSigner tool

  cmcSigner Tool download:(258.8 KiB, 3,535)

Learn how, in Windows 7, you can connect to a wireless access point in just three clicks. With this screencast from the Springboard Series IT Pro at Home: Tips and Tricks series, you’ll see how, whether you’re sitting in a coffee shop or at the airport, connecting to a wireless network is simple and easy when you’re using Windows 7. This demonstration will also go over moving between wireless networks and provide tips to help you go from home to the office using each network seamlessly.

Download the Wireless Networking screencast here or from Microsoft at http://www.microsoft.com/download/en/details.aspx?id=1271

Microsoft has released an updated version of the banned.h header file to help developers sanitizing resource which supports the SDL requirement and to remove banned functions from code. The header file simply lists all banned APIs and allows any developer to locate them in code and remove or adjust the code to be aligned with the SDL requirements.

The updated banned.h can be downloaded from Microsoft Download Center http://www.microsoft.com/download/en/details.aspx?id=24817

Some interesting FIM CM 2010 links from Microsoft Donwloads:

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Smart Card Centralized Registration

Demonstrating FIM CM using a centralized smart card registration model in a test lab.

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management User Smart Card Self-Service

Demonstrating User Smart Card Self-Service using FIM CM in a test lab.

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration

Delegated smart card registration with FIM CM in a test lab.

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management User Certificate Self-Service

Demonstrate using FIM CM for Self-Service certificate management.

Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 Integration

Install FIM CM with Constrained Delegation, Update 1, and FIM 2010 in a test lab.

Hur hanterar du och ditt företag er it-miljö på bästa sätt?

Best of MMS är eventet du inte ska missa. Här får du veta allt om de mest aktuella produkterna och teknikerna från Microsoft när det gäller it-management. Under det kommande året väntas till exempel flera produktlanseringar inom System Center-familjen.

På plats är de främsta svenska it-experterna. Det blir två dagar fyllda med teknikspäckade föredrag – om ämnen som Opalis, System Center Configuration Manager 2012, IPv6, System Center Virtual Machine Manager 2012 och System Center Service Manager R2, Hyper-V Cloud med mera.

Är du nyfiken på IPv6 och hur det nya protokollet kommer att påverka båda hanteringen av Windows Server och säkerheten i dina system?

Läs mer och boka din plats redan idag på http://www.microsoft.com/sverige/bestofmms2011/default.html

Microsoft has published a document http://www.microsoft.com/download/en/details.aspx?id=26673 that provides an overview of the Win32/Rustock family of rootkit-enabled backdoor trojans.

The document examines the background of Win32/Rustock, its functionality, how it works, and provides threat telemetry data and analysis from calendar year 2010 through May 2011.

In addition, the document details the legal and technical action used to takedown the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.

Internet Explorer 7 and later. In order to confirm the identity of organizations that host secure webpages, certifying authorities issue security certificates. These certificates are validated when you request a secure webpage.

By default, Internet Explorer performs a number of steps in order to validate the security certificate for a secure website. If a certificate is invalid, is out-of-date, or improperly identifies the website in question, Internet Explorer displays a notification to the user.

As an additional verification step, many certifying authorities also provide a service that identifies certificates that have been recently revoked. Earlier versions of Internet Explorer displayed notifications when this service could not be reached.

Because the inability to reach these services does not necessarily indicate that a certificate has been revoked, many users complained that such notifications were “false positives.” After considerable negative feedback, these notifications were disabled by default in Internet Explorer 7 and later.

When enabled, the FEATURE_WARN_ON_SEC_CERT_REV_FAILED feature displays notifications when Internet Explorer cannot reach the certificate revocation service published by a certifying authority. By default, this feature is disabled for Internet Explorer. This feature is not supported for applications hosting the WebBrowser Control.

To enable this feature using the registry, add the name of the Internet Explorer executable file to the following setting.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED]
“iexplore.exe”=dword:00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.