Friday, June 04, 2010

Reminder for Incident Responders

I found this post [Dailydave] How to pull a dinosaur out of a hat in 2010 by Dave Aitel to contain two warnings for incident responders:

I do know that reliably owning Wireshark on Windows 7 is priceless.

and

So many otherwise very cautious people don't realize that RDP is like giving your passwords away to the remote machine. So we had to write a trojan that stole the passwords as people RDP'd in and we installed it for demos on various client sites.


The first is a reminder that intruders sometimes practice counter-forensics, i.e., attacking defensive tools. In fact, the post I just linked from 2007 mentions Wireshark vulnerabilities. Some things never change.

The second is a reminder that gaining remote access to suspected intrusion victims is a risky gambit. If you suspect a system is compromised, and you connect to it, expect trouble. This applies across the spectrum of intruders, from mindless malware to advanced persistent threat. Your best bet is to gather as much evidence as possible without ever touching the victim, if possible. Since you can't trust the victim to report in a trustworthy manner anyway, this has always been sound advice.

As a bonus, Dave throws in the following:

My favourite latest is the NGINX remote exploit which works even when you don't expect it to!

This reminds me that many intruders use Nginx to host their Web-based C2 servers. If you want to practice aggressive incident response, you may consider attacking that infrastructure yourself. Intruders tend not to be the best defenders.

2 comments:

Anonymous said...

This is important point that's easy to overlook.

I'd also add that it's probably a good idea to avoid initiating the session from anything other than a trusted machine.

When I started in IT, the system admin used to deal with Active Directory account issues by launching an RDP session from the customer's desktop! He was giving away his DC Admin password to the world.

I guess if you wanted to be sneaky you could register a bogus helpdesk ticket and install a user-mode keylogger on your machine ...then simply wait for this guy to show up and "fix" your issue.

Anonymous said...

"This reminds me that many intruders use Nginx to host their Web-based C2 servers"

Would you mind to clarify this ?
Based on ?

I do understand:
"Dave throws in the following:
My favourite latest is the NGINX remote exploit which works even when you don't expect it to!"

meaning SysAdmin do not update systems ?