Saturday, March 23, 2019

Windows Event Log - Security Group Management


Event Id   Description
4727       A security-enabled global group was created.
4728       A member was added to a security-enabled global group.
4729       A member was removed from a security-enabled global group.
4730       A security-enabled global group was deleted.
4731       A security-enabled local group was created.
4732       A member was added to a security-enabled local group.
4733       A member was removed from a security-enabled local group.
4734       A security-enabled local group was deleted.
4735       A security-enabled local group was changed.
4737       A security-enabled global group was changed.
4754       A security-enabled universal group was created.
4755       A security-enabled universal group was changed.
4756       A member was added to a security-enabled universal group.
4757       A member was removed from a security-enabled universal group.
4758       A security-enabled universal group was deleted.
4764       A group's type was changed.

Windows Event Log - User Account Management


Event Id   Description
4720       A user account was created.
4722       A user account was enabled.
4723       An attempt was made to change an account's password.
4724       An attempt was made to reset an account's password.
4725       A user account was disabled.
4726       A user account was deleted.
4738       A user account was changed.
4740       A user account was locked out.
4765       SID History was added to an account.
4766       An attempt to add SID History to an account failed.
4767       A user account was unlocked.
4780       The ACL was set on accounts which are members of administrators groups.
4781       The name of an account was changed.
4794       An attempt was made to set the Directory Services Restore Mode.
5376       Credential Manager credentials were backed up.
5377       Credential Manager credentials were restored from a backup.

Friday, March 22, 2019

Brute Force Attack


Brute-force attack: simple yet difficult
Understanding what a brute-force attack is is fairly simple; protecting against one is quite difficult.

Brute Force Attack
A brute-force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can in theory be used against any encrypted data (with some exceptions). Such an attack is used when no other weakness in the encryption system (if any exists) can be exploited to make the task easier. In a brute-force attack, automated software generates a large number of consecutive guesses at the value of the desired data and tests each one.

For example, a form of brute-force attack known as a dictionary attack tries every word in a word list. Other forms try commonly used passwords, or every combination of letters and digits up to some length.

An attack of this nature can be time- and resource-consuming; hence the name. A brute-force attack's success usually depends on computing power and the number of combinations tried rather than on an ingenious algorithm. Encryption is mathematics, and as computers get faster at mathematics they get faster at trying every candidate and seeing which one fits.

Defend against Brute Force Attack
  • Restrict the use of default usernames and passwords
  • Require users to choose complex passwords
  • Limit the number of times a user can attempt to log in
  • Temporarily lock out users who exceed the specified maximum number of login attempts
Detection of Brute Force Attack
With faster and more efficient password-cracking tools available, brute-force attacks against an organization's exposed services are increasingly common. As a best practice, every organization should log security events so that an attack under way is noticed and handled before it succeeds.

To check for a brute-force pattern, enable auditing of logon events (in the Local Security Policy, or the equivalent Group Policy audit setting on a domain) and feed the Windows Security event log to the SIEM product in use.

Below are the correlation searches created in Splunk and LogPoint against Windows Security logs to monitor logon attempts in near real time. Both searches count failed logons (event 4625) per account, skip computer accounts (names ending in $), and flag an account with more than two failures in the search window, i.e. three or more. Two caveats: the count has no time window of its own, so schedule the search over a short interval (for example the last five minutes) or the threshold loses its meaning; and the Failure_Code=0x19 exclusion targets Kerberos pre-authentication noise (0x19 is KDC_ERR_PREAUTH_REQUIRED, reported in event 4771), whereas 4625 carries Status and Sub Status fields instead, so that clause does not narrow the 4625 results.


Splunk:
sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2

LogPoint:
MSWinEventLog event_id=4625 -target_user=*$ -caller_user=*$ -failure_code=0x19 | rename target_user as Account, caller_user as user | chart count() as Event by Account | search Event > 2
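The same detection logic, reimplemented in plain Python so it can be run offline against a handful of records. This is an added example, not code from the original post or from either SIEM vendor: the record layout (timestamp, event id, target user, caller user, sub status, source IP) and the sample rows are constructed, and the field names are assumptions standing in for whatever the SIEM extracts from the event XML. It goes beyond the searches above in two ways: the per-account count is taken over a sliding time window, and a second aggregation counts distinct accounts per source address so that a password spray (many accounts, few attempts each) is not missed by a per-account threshold.

```python
"""Brute-force detection over Windows Security event 4625 records.

Added example (not from the original post). Mirrors the Splunk/LogPoint
searches: only 4625, computer accounts (trailing '$') excluded, and an
account is flagged once its failures reach the threshold (count > 2 in the
searches, so 3 here), but within a sliding window rather than over the
whole search range.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line:
# time,event_id,target_user,caller_user,sub_status,source_ip
# (0xC000006A = bad password, 0xC0000064 = no such user). Not real log data.
SAMPLE_EVENTS = """\
2019-03-22T10:00:01,4625,alice,-,0xC000006A,10.0.0.5
2019-03-22T10:00:04,4625,alice,-,0xC000006A,10.0.0.5
2019-03-22T10:00:09,4625,alice,-,0xC000006A,10.0.0.5
2019-03-22T10:00:15,4625,bob,-,0xC000006A,10.0.0.5
2019-03-22T10:00:16,4625,carol,-,0xC000006A,10.0.0.5
2019-03-22T10:00:17,4625,dave,-,0xC000006A,10.0.0.5
2019-03-22T10:00:20,4625,WS01$,-,0xC000006A,10.0.0.7
2019-03-22T10:00:21,4625,WS01$,-,0xC000006A,10.0.0.7
2019-03-22T10:00:22,4625,WS01$,-,0xC000006A,10.0.0.7
2019-03-22T12:30:00,4625,eve,-,0xC0000064,10.0.0.9
2019-03-22T12:30:00,4624,alice,-,-,10.0.0.5
"""


def parse_events(text):
    """Turn the constructed export into a list of dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, target, caller, sub_status, src = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "target_user": target,
            "caller_user": caller,
            "sub_status": sub_status,
            "source_ip": src,
        })
    return events


def is_candidate(ev):
    """Same filters as the searches: failed logons only, no computer accounts."""
    if ev["event_id"] != 4625:
        return False
    if ev["target_user"].endswith("$") or ev["caller_user"].endswith("$"):
        return False
    return True


def brute_force_by_account(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: max failures seen inside any `window`} for accounts
    that reach `threshold`. The sliding window keeps a slow trickle spread
    over hours from being mistaken for a burst."""
    times_by_account = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            times_by_account[ev["target_user"]].append(ev["time"])
    hits = {}
    for account, times in times_by_account.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[account] = best
    return hits


def spray_by_source(events, threshold=3):
    """Password-spray view: distinct accounts with a failed logon per source
    address. A per-account threshold never fires on one failure per account,
    but the source that touched many accounts still stands out."""
    accounts = defaultdict(set)
    for ev in events:
        if is_candidate(ev):
            accounts[ev["source_ip"]].add(ev["target_user"])
    return {src: len(a) for src, a in accounts.items() if len(a) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("brute force by account:", brute_force_by_account(evs))
    print("spray by source:", spray_by_source(evs))
```

On the sample, only alice trips the per-account rule (three failures in eight seconds); bob, carol and dave fail once each and would be invisible to the SIEM searches above, but 10.0.0.5 touching four accounts is caught by the per-source view. The WS01$ failures are dropped exactly as the searches drop them.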

Thursday, March 21, 2019

Struts2 Remote Code Execution vulnerability

CVE-2018-11776 - Struts2 Remote Code Execution vulnerability

At the time of writing, the National Vulnerability Database lists this vulnerability as still awaiting analysis. About this vulnerability:

"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time, its upper action(s) have no or wildcard namespace."

It is to be noted that this vulnerability does not exist with a default configuration of Struts, but in commonly seen configurations for some Struts plugins. The flaw is that Struts does not properly validate the namespace it takes from the request when the action or result has no namespace (or a wildcard one), allowing OGNL injection, which can lead to full remote code execution on the target system.

Recommendations
A PoC has already been published and is publicly available, so active attacks against this vulnerability can be expected. It is therefore recommended to upgrade immediately to Struts version 2.3.35 or 2.5.17.

SIEM Detection

1. Run a vulnerability scan of your infrastructure and send the output to your SIEM solution
2. Create a rule that alerts on cve_id=CVE-2018-11776
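A log-based complement to the vulnerability-scan rule, as an added example that is not part of the original post and not Apache's code. Because the injected namespace is taken from the request path, an attempt carries an OGNL expression (`${...}` or `%{...}`, usually percent-encoded) in a path segment ahead of the action name; the check below parses combined-format access-log lines, decodes the path twice to catch double encoding, and flags lines whose path contains either opener. The log format, field positions and sample lines are constructed, and the rule is deliberately confined to the path rather than the query string.

```python
"""Flag web requests whose URL path carries an OGNL expression opener.

Added example (not from the original post, not Apache Struts code). The
access-log format is the common combined format; the sample lines are
constructed and the arithmetic inside the braces is a harmless probe, not
a working payload.
"""
import re
from urllib.parse import unquote

# Constructed sample traffic, combined-log style. Not real data.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Mar/2019:09:12:01 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120
203.0.113.9 - - [21/Mar/2019:09:12:05 +0000] "GET /struts2-showcase/%24%7B233*233%7D/actionChain1.action HTTP/1.1" 302 0
203.0.113.9 - - [21/Mar/2019:09:12:06 +0000] "GET /struts2-showcase/${233*233}/actionChain1.action HTTP/1.1" 302 0
198.51.100.4 - - [21/Mar/2019:09:13:10 +0000] "GET /app/search.action?q=%24%7Bfoo%7D HTTP/1.1" 200 800
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Either OGNL opener. Raw "{" is never percent-encoded by unquote(), so one
# pattern covers both the decoded and the never-encoded forms.
OGNL_OPENER_RE = re.compile(r'[$%]\{')


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ognl_in_path(target):
    """True if the path part of the request target (query string dropped)
    contains "${" or "%{" after up to two rounds of percent-decoding."""
    path = target.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return bool(OGNL_OPENER_RE.search(decoded))


def find_struts_probes(log_text):
    """Return (source, target) pairs for lines whose path looks injected."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ognl_in_path(rec["target"]):
            hits.append((rec["src"], rec["target"]))
    return hits


if __name__ == "__main__":
    for src, target in find_struts_probes(SAMPLE_ACCESS_LOG):
        print(f"possible CVE-2018-11776 probe from {src}: {target}")
```

The fourth sample line has the same bytes in its query string and is not flagged, which is the intended scope of this particular rule; widen `ognl_in_path` to the whole target if you also want query-string hits, at the cost of more noise. A single-pass decode would miss `%2524%257B`, which is why the path is decoded twice.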

Firmware Security: An Overlooked Threat