Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > 2019 > February > 19

This blog post is a follow on from the following two blog posts:

 

 

 

The Attack

The attacker is not happy with executing commands via the Web Shell, so she decides to upload a new Web Shell called, reGeorg (https://sensepost.com/discover/tools/reGeorg/). This Web Shell allows the attacker to tunnel other protocols over HTTP, therefore allowing the attacker to RDP for example, directly onto the Web Server, even though RDP isn’t directly allowed from the internet.

 

The attacker can upload the Web Shell via one of the previously utilized Web Shells:

 

The attacker can now check the upload was successful by navigating to the uploaded JSP page. If all is okay, the Web Shell return the message shown in the below screenshot:

 

The attacker can now connect to the reGeorg Web Shell:

 

This means the attacker now has remote access to anything accessible from the Web Server where the Web Shell is located. This means the attacker could choose to RDP to a previously identified machine for example:

 

Attackers also like to keep other access methods to endpoints, one way of doing this is to setup an accessibility backdoor. This involves the attacker altering a registry key to load CMD when another application executes, in this case sethc.exe – this is an accessibility feature you typically see when pressing the SHIFT key five times. This now means that anyone who can RDP to that machine, can receive a system level command prompt with no credentials required; this is because sethc.exe can be invoked at the login screen by pressing the SHIFT key five times, and with the registry key altered, will spawn CMD as well.

 

To set this up, the attacker can use the Web Shell, and perform this over WMI using REG ADD:

 

Now the attacker can RDP back to the host they just setup the accessibility backdoor on, press the SHIFT key five times to initiate sethc.exe, and will be given the command prompt as system without having to use credentials:

 

 

The Analysis in RSA NetWitness

The analyst, while perusing Behaviors of Compromise, observes some suspicious indicators, runs wmi command-line tool, creates remote process using wmi command-line tool, and http daemon runs command shell just to name a few:

 

Drilling into the WMI related metadata, it is possible to see the WMI lateral movement that was used to setup the accessibility backdoor from the Web Shell:

 

The analyst also observes some interesting hits under the Indicators of Compromise meta key, enables login bypass and configures image hijacking:

 

Drilling into these sessions, we can see it is related to the WMI lateral movement performed, but this event being from the endpoint the backdoor was setup on:

 

The analyst, further perusing the metadata, drills into the Behavior of Compromise metadata, gets current username, and can see the sticky key backdoor being used (represented by the sethc.exe 211) to execute whoami:

 

The analyst, also perusing HTTP network traffic, observed HTTP headers that they typically do not see, x-cmd, x-target, and x-port:

 

Drilling into the RAW sessions for these suspicious headers, it is possible to see the command sent to the Web Shell to initiate the RDP connection:

 

Further perusing the HTTP traffic toward tunnel.jsp, we can see the RDP traffic being tunnelled over HTTP requests. The reason this shows as HTTP and not RDP, is that the RDP traffic is being tunnelled over HTTP, there are therefore more characteristics which define this as HTTP, compared to RDP:

 

Conclusion

Attackers will leverage a diverse range of tools and techniques to ensure they keep access to the environment they are interested in. The tools and techniques used here are freely available online and are often seen utilized by advanced attackers; performing proactive threat hunting will ensure that these types of events do not go unnoticed within your environment.

Joshua Randall had a recent post that showed how to use the resourceBundle package to create a custom package for content deployment.

Leveraging RSA Live to Deploy Custom Parsers in Large Environments 

 

I took the idea from Josh and took it a step further to create a script that lays down the structure of the resourceBundle for you, then provides a second script to zip up the appropriate content to create your resource bundle.  This should remove the need to hand edit the xml files to create the proper linkages.

 

The script is hosted here:

GitHub - epartington/rsa_nw_script_resourcebundle: Script to create a resource bundle for netwitness content 

 

Run the script from the site above in the folder where you want the bundle created

follow the README.MD to add supported content to the right folder structure created.

Content is placed in the version folder
-------------------
##Currently working in this script:
APPLICATION RULES
LUAPARSERS
-------------------
Not working/Not implemented
All other folders


### APPLICATION RULES
--------------------
require clear text nwr files to be placed in the version folder
if there is more than 1 line per .nwr file then it will split the file into multiples (one line per file) and rename the original file to .multiline
### LUAPARSERS
--------------------
requires lua parser in the version folder
the script will zip the lua file up

 

run the resourceBundleZipper.py script to create the XML and zip file for upload via the RSA NW UI > Configure > Deploy package.

 

Now you are able to upload content in one file, to many locations in the NW environment saving you time.

 

 

 

 

Filter Blog

By date: By tag: