I recorded a video for my diary entry "Detecting (Malicious) OneNote Files".

It shows how I familiarized myzelf with the .one file format, enough to know how to extract embedded files, wrote a tool (onedump.py) and take a look at detection rules.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

If you are looking for a malware sandbox that is easy to install and maintain, Assenblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2]

First step, install the server. My server configuration is as follow: 

• Ubuntu 22.04
• Ubuntu Server (minimized)
• 8+ Cores
• 16+ GB RAM
• 100 GB
• 100+ GB /var/lib/docker
• Static IP

After rebooting and before installing AL, I update the server and added the following packages:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
$ sudo apt-get install net-tools open-vm-tools htop ntp bind9-utils vim

Setup a separate disk for the docker which will also store the sample malware. Mine is 100 GB:

$ sudo cfdisk /dev/sdb
$ sudo pvcreate /dev/sdb1
$ sudo vgcreate malware_vg01 /dev/sdb1
$ sudo vgdisplay malware_vg01
$ sudo lvcreate -n /dev/mapper/malware_vg01-virus --size 99G malware_vg01
$ sudo lvdisplay malware_vg01
$ sudo mkfs.xfs /dev/malware_vg01/virus

Add the new disk to /etc/fstab

$ sudo vi /etc/fstab
Add: /dev/malware_vg01/virus /var/lib/docker xfs defaults,noatime,nosuid 0 0
$ sudo mkdir -p /var/lib/docker
$ sudo mkdir -p /etc/docker
$ sudo mount -a
$ df -k

The server is ready to install Assemblyline. Next, I followed the instructions here  to install the software. I selected Docker to install AL for my VM appliance. After completing the installation, it is time to login: admin:admin

After logging in, check the Services tab for other Services Available you might choose to install. Some of them you need are paid the vendor to access the service (i.e. IntezerDynamic, IntezerStatic) while other are free to use and might need to register to enable them.

Next, it is time to configure some of the other services under the Services tab such as adding an API key to use them (i.e. Virustotal)

Before submitting any files, check out the Options tab to set other scan services:

Submitting Files via API

This is an example to submitting a sample via Rest API [4]. Check the reference where to go to create an API key in an account in the sandbox with the word mykey to generate the key. Here is an example to submit a file to AL:

$ curl -X POST https://malware/api/v4/submit/ \
    -k --insecure \
    -H 'x-user: admin' \
    -H 'x-apikey: mykey:SomeApiKeyHere' \
    -H 'accept: application/json' \
    -F 'bin=@myfile.txt'

$ curl -X POST https://malware/api/v4/submit/ -k --insecure -H 'x-user: admin' -H 'x-apikey: mykey:SomeApiKeyHere' -H 'accept: application/json' -F 'bin=@myfile.txt'

Submitting Files to AL

Using some of the files uploaded to my DShield sensor, I submitted 3 of them using the API for analysis.

AL release regular updates who can be seen by clicking on the Bell in the top right corner which shows in green the current version. I found over time the following worked best for me to update my AL by doing the following commands in the following order:

Updating AL

$ sudo apt-get update
$ sudo apt-get upgrade
$ cd ~/deployments/assemblyline
$ sudo docker-compose pull
$ sudo docker-compose build
$ sudo docker-compose up -d
$ sudo docker-compose stop
$ sudo docker-compose start

Indicator of Compromised

ed902957efb11382546f2cff80e5284832f7f53c4e2b82b9d181c1f3ef65513f
db10d1e7a141350bfb25a9947088979fa6a1d32d4ad2629eceb54ecc82f92938
d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8

[1] https://cybercentrecanada.github.io/assemblyline4_docs/overview/how_it_works/
[2] https://cybercentrecanada.github.io/assemblyline4_docs/user_manual/submitting_file/
[3] https://cybercentrecanada.github.io/assemblyline4_docs/installation/appliance/docker/
[4] https://cybercentrecanada.github.io/assemblyline4_docs/integration/rest/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

I don't get nearly as much opportunity to play with packets these days as I did in the first 5-10 years I was a handler and I miss it. I was looking back through some of my old diaries and realized that in the years since I wrote some of them, we have at least a generation of folks who have entered the field. So I thought that on (the day after) Groundhog Day, it might be time to point folks back to some stuff I wrote earlier. Note, some of the tools have changed/evolved, so ethereal is now wireshark and instead of hping3 I would probably use scapy, but here are 2 of my favorite diaries from the past. Check them out, [1] is from 2006 and [2] is from 2009.

[1] A TCP/IP mystery (solved)

[2] A packet challenge and how I solved it

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files. 

I'll be keeping files 1,000 MB (1 GB) in size and storing a total of 300,000 MB (300 GB) That means I'll be storing a rotation of 300 files. The packet captures are going to be performed using tcpdump [1], which comes preinstalled on pfSense.

tcpdump -ni igc3 -W 300 -C 1000 -w captures.pcap

Figure 1: tcpdump options for keeping a rotation of 300 files of packet captures 1GB in size

Running the command itself is relatively easy. I could use:

• the Command Prompt [2] option within fpSense
• the local console
• an administrative SSH session

Any of these options work well, but don't help me with one thing: automation. I considered a variety of options here and ran into a solution from Olaf Schwarz. Olaf put together a great example of a script that could be used to help automate the process and using a package available in pfSense [3]. 

This solution uses Shellcmd and it can be installed from the pfSense Package Manager [4]. 

System --> Package Manager (search for "shellcmd")

Figure 2: Installation of Shellcmd using pfSense Package Manager

If I wanted to simply run the tcpdump command on startup I could just add it to Shellcmd. Shellcmd would take it from there and would initiate the command during the boot process. However, there are some benefits to the script created by Olaf that would allow me to easily start, stop or check the status of packet captures without rebooting the firewall to kick off the process. 

Some modifications to Olaf's script were made for my situation:

• Using internal "live" storage and not externally mounted media
• Using rotation settings for 1GB file captures and keeping last 300 files

FIgure 3: Highlights of script modifications for tcpdump

A subset of my changes is also available below. For the full script, check out Olaf's blog post [3].

#!/bin/sh
#
# Startup script for trdump via tcpdump
#
# description: trdump control script
# processname: tcpdump


PCAP=/data/captures.pcap
SIZE=1000
COUNT=300
INTERFACE=igc3
PIDFILE=/var/run/tcpdump

start() {
        if [ -f $PIDFILE ]; then
                echo "PID File $PIDFILE exists"
                exit 1
        fi

  /usr/bin/logger "starting traffic dump"
  # if we reach the code here, our disk is mounted
  # start recording
  # -n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names
  # -C 1000 -W 300 capture 300 files of 1000 MB; 
  /usr/sbin/tcpdump -ni $INTERFACE -W $COUNT -C $SIZE -w $PCAP >/dev/null 2>&1 &

As outlined in Olaf's blog, I stored the file in /usr/local/trdump.sh and also enabled execution. Since i was going to be storing the captures in the root "data" directory, I also created that folder. 

chmod +x /usr/local/trdump.sh
mkdir /data

If creating the file locally on the firewall from an SSH session, make sure to familiarize yourself with vi [5]. The only thing left to do is reference the script through Shellcmd. 

Services --> Shellcmd

Figure 4: Enter script command in Shellcmd package

The "start" command will run the command if tcpdump is not already started. In this case, I started just by running the command from an SSH session and then checked the status. 

/usr/local/trdump.sh start
/usr/local/trdump.sh status

Figure 5: Output of tcpdump script "status" 

Checking the /data path shows the new PCAP files in the directory. 

Figure 6: Rotating PCAP files generated from script

It's recommended to keep PCAP files at or below 100MB in size since it can cause delays when reviewing files with tools such as Wireshark. In my case, I wasn't concerned since I wanted to store less files and could easily extract what I needed. For example, if I wanted to take a look at data only for my honeypot, one quick command can get me what I need. 

tcpdump -r /data/captures.pcap001 host 192.168.68.178 -w /data/filtered.pcap

Figure 7: Creating file of extracted PCAP data for a specific host

The new PCAP is much smaller and could easily be transferred to a different system or quickly viewed using tcpdump from the command line. 

tcpdump -r /data/filtered.pcap tcp port 80 -v | head -n 20

Figure 8: Using tcpdump to view traffic on TCP port 80

There are a lot of options to modify this setup, but gives some great opportunities to take a deep dive into network packet captures.

[1] https://linux.die.net/man/8/tcpdump
[2] https://docs.netgate.com/pfsense/en/latest/diagnostics/command-prompt.html
[3] https://www.00010111.at/blog/2017/06/27/add-traffic-recording-to-pfsense-easily/
[4] https://docs.netgate.com/pfsense/en/latest/packages/manager.html
[5] https://www.redhat.com/sysadmin/introduction-vi-editor

--
Jesse La Grew
Handler

We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document").

OneNote files have their own binary fileformat: [MS-ONESTORE].

A OneNote file starts with GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.

Files contained in a OneNote file start with a header (FileDataStoreObject) followed by the embedded file itself. This header also starts with a GUID: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}.

Hence, to detect OneNote files with embedded files, look for files that start with byte sequence E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 (that's GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}) and contain one ore more instances of byte sequence E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC (that's GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}).

This allows you to detect OneNote files with embedded files. Which are not necessarily malicious ... Because an embedded file can just be a picture, for example.

I have a bit more detail on the analysis of this format, in my blog post "Analyzing Malicious OneNote Documents".

Florian Roth developed YARA rules that look for these GUIDs, together with some typical malicious payloads: PE files, BAT files, VBS files, LNK files.

The trick is to look at the beginning of the embedded file, which can be found 36 bytes after the start of structure FileDataStoreObject (hence 36 bytes after each {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} guid).

If an embedded file starts with MZ, it's most likely an embedded Windows executable (but it could also be a text file that starts with MZ). If it starts with 4C 00 00 00, it's most likely an LNK file.

BAT and VBS files are harder to recognize, as they have no magic header: they can start with any byte sequence. Florian's rule uses a little heuristic: it identifies files that start with "@ECH" as BAT files (@ECHO OFF) and files that start with "on e" as VBS files (on error resume). Of course, this will not detect all malicious OneNote files, but we can never have perfect detection ...

Here is one of Florian's rules that detects a OneNote file with an embedded PE file ($x1):

Mostly as an exercise for myself, I created Suricata rules for onenote files. You can find them here, in my beta GitHub repository.

Caveat: these rules have not been tested in production, and the first rules detect any onenote file, with or without benign/malicious payload.

I'll provide more details on these Suricata rules in an upcoming blog post.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com