CRX Collection Workflow: A Practical Guide

-
Image
2024 was quite the year for me. I left a company where I had been in my dream role, moved across the country (again) for a new position, and even got engaged. It has been nearly a year since I last wrote anything on my blog, so I figured there was no better time than this chilly Saturday afternoon to share something I have been working on over the past few days. I was honestly struggling to choose a topic, especially after so many exciting projects in the last year. In the spirit of keeping my posts short and digestible, I decided to focus on a workflow I created (and had help with!) for threat-hunting malicious extensions, along with some of the challenges I have faced. Hunting for a CRX Resource In late December, security teams around the globe scrambled when security vendor Cyberhaven  discovered one of its extensions had been compromised, primarily targeting Facebook ad accounts. As of this writing, 36 malicious extensions have been identified on  extensiontotal.com . As a...
Post a Comment

Creating Windows Defender Exclusions

-

Something interesting I've come across, admittedly only a handful of times, is that the `MpPreference` cmdlet is being used in nefarious ways. Specifically, this involves instances where Domain Admin accounts have been compromised, and they are being to create exclusions that bypass Windows Defender detections. 

The `MpPreference` cmdlet family is related to Windows Defender. There are 12 different cmdlets in this family, but I've really only encountered `Add-MpPreference` in the wild. On that note, this is not referring to Windows Defender for Endpoint, ATP, or whatever it was called before that.

One important aspect of using MpPreference is that it requires some form of an elevated account to create the exclusions.

I first came across this technique when I observed a script being executed after a DA pushed a GPO that did a few interesting things. This script disabled AVs, EDRs, backups, grabbed a malicious executable from a network share, and cleared audit logs. The fact that the script also disabled Windows Defender caught my attention, as this was not a common occurrence or really something I was aware of at the time. 

There are four different exclusions that can be used with the Add-MpPreference cmdlet:

-   ExclusionExtension
-   ExclusionIP
-   ExclusionPath
-   ExclusionProcess

An attacker can now use the `Add-MpPreference` cmdlet to write any extension, path, process, or IP to these locations; bypassing Windows Defender. I conducted a search to determine if this technique was being used in the wild, and I found one instance of an administrator using a third-party file backup software.

This led me to the idea of enumerating any previously written exclusions in an environment and then writing to them to bypass Defender. Which can be accomplished through Get-MpPreference and doesn't require an elevated account to use. A simple and likely undetected PowerShell script, such as the one shown below, could be used for this purpose:

Get-MpPreference | Select-Object -Property ExclusionExtension,ExclusionPath,ExclusionProcess,ExclusionIP | Format-table -Wrap

Because these exclusions cover multiple different areas, there are no restrictions on writing to these. An attacker with knowledge of any of these exclusions would be able to execute arbitrary files from here and evade defender. Therefore, it's important to verify any use of the `MpPreference` cmdlets, including the applications that are written and the account being used. 

Solo + Finn 23

Comments

Post a Comment

Popular posts from this blog

Certifried Red Team Operator

-
Image
I wasn't actually planning on writing up a blog about passing the CRTO, but here I am about two months since passing and felt like writing down some after-thoughts. Now that all the information has had time to simmer, there have been some key takeaways I've noticed in my day to day working in threat research. If you're not familiar with the CRTO, a TLDR is this focuses on using the C2 framework CobaltStrike from a red team perspective created by RastaMouse at Zero Point Security .    If you've ever worked in a SOC before, you've maybe heard the long standing joke 'it's an admin, false positive'. It used to make me laugh, until I moved in threat hunting and intelligence. Now hearing this just gives me anxiety. Elevating privileges typically isn't that difficult to accomplish but, detecting and preventing it before it has a negative impact is challenging. This is even more difficult when going against a skilled attacker that understands elevating privi...
Read more

VirusTotal Enterprise - Starting Workflow

-
Image
In 2023, I set out to write a personal blog every four months but didn't quite meet that goal. Reflecting on the year, it's amusing to think I attributed this to writer's block. My role in threat intelligence and working with an advanced pursuit team involves crafting internal reports and advisories. Realizing this could have been a goldmine for blog content, I'm reminded of one of my favorite quotes, "I'm going to make this way harder than it needs to be." So, let's dive in. I frequently utilize what I term 'open source databases' – resources like Shodan, Censys, VirusTotal, and AbuseIPDB. These databases provide intelligence on various artifacts, with limitations typically based on the account type (free, verified, or paid). Today, I want to focus on how I leverage VirusTotal Enterprise in my daily workflow. Before we delve deeper, a quick tip: check the VT Enterprise Group tab under your profile to monitor your monthly usage. These resources...
Read more

Tracking Malicious Files with Favicons

-
Image
In today's post, we're diving into the world of favicons and their role in malware detection with VirusTotal Enterprise. If you read my last blog, you’ll remember we explored using VirusTotal Diff to track down new iterations of DarkGate malware. Though it might seem like I live and breathe VirusTotal, I assure you there are other tools I use. However, I do find these ad-hoc workflows interesting, and although I rarely document them, I'm making another post. Imagine you’re part of a product company that distributes a high volume of binaries, software, and various other items across a vast amount of websites. Often, third-party partners host legitimate versions of these products on their sites and SEO boosts. Unfortunately, this widespread distribution gives attackers a chance to mimic your products by using similar file names and even your company's favicon to deceive users. This is by no means a novel or new technique, in fact, it's quite trivial in my opinion, w...
Read more