eternalblue
play

EternalBlue: Exploit Analysis and Beyond WHO AM I? Emma McCall - PowerPoint PPT Presentation

Nov 05, 2023 •94 likes •462 views

EternalBlue: Exploit Analysis and Beyond WHO AM I? Emma McCall Cyber Security Analyst @ Riot Games @RiotNymia on Twitter JUST A LITTLE HISTORY Black Market Intelligence Auc1on Approx. August 2016 No bites April 14 th 2017 Group

  1. EternalBlue: Exploit Analysis and Beyond

  2. WHO AM I? Emma McCall Cyber Security Analyst @ Riot Games @RiotNymia on Twitter

  4. JUST A LITTLE HISTORY ‣ Black Market Intelligence Auc1on Approx. August 2016 ▾ No bites ‣ April 14 th 2017 ▾ Group calling themselves ‘Shadowbrokers’ ▾ Equa1on Group (NSA) Tools and Exploits dumped onto GitHub

  5. THE DUMP Overall ~35 Exploits and tools SMB ‣ SendMail ‣ Kerberos ‣ IIS ‣ Windows XP -> 10 ‣

  6. THE DUMP Of particular note were: ‣ Fuzzbunch – Exploita1on Framework ‣ DanderSpritz – Command and Control Solu1on ‣ DoublePulsar – Backdoor Trojan ‣ EternalBlue – SMB Exploit

  7. ETERNALBLUE ‣ Where has EternalBlue been seen? ▾ WannaCry Ransomware ▾ Adylkuzz Viral Crypto Miner ▾ Zealot - Apache Struts ‣ Lateral movement in ALL cases

  8. JUST SOMETHING THAT POPPED UP Slight segue to look at this one: ‣ Exploit for MDaemon pre v9.5.6 ▾ v9.5.6 was Released in October 2006 ‣ Shodan check on 16 th April 2017… Lets have a closer look at that number….

  9. ETERNALBLUE Exploit for Windows Server Message Block (SMB) ‣ ▾ Affected both versions v1 and v2 ▾ Remote Code Execu1on on vic1m machine WHAT Exploita1on targeted the following services ‣ ▾ TCP 445 (Microsof Domain Service) ▾ TCP 139 (NetBIOS Session Service) HOW THEN WHAT

  10. ETERNALBLUE ‣ First things first: How does SMB data transfer work? WHAT HOW THEN WHAT

  11. ETERNALBLUE ‣ First things first: How does SMB data transfer work? ▾ Data larger than SMB MaxBufferSize in Trans2 WHAT HOW THEN WHAT

  12. ETERNALBLUE ‣ Exploits Non-Paged Pool Overflow in srv2.sys ▾ Fills NT Trans with Zeros ▾ Malformed Trans2 packet containing shellcode and Encrypted Payload WHAT HOW THEN WHAT

  13. ETERNALBLUE ‣ Ini1al Payload: DoublePulsar ▾ Non-Persistent ▾ Customisable Process Name / Command Line ▾ Code Execu1on via .DLL or raw shellcode upload ‣ Ini1ally Uploaded DLLs came from 2 sources WHAT ▾ Created via ‘Danderspritz’ ▾ Via Metasploit (Meterpreter) HOW THEN WHAT

  14. Attacker Attacker Victim

  15. ETERNALBLUE ‣ TCP 445 On the internet? … what about on your LAN?

  16. WHAT CAN I DO? NETWORK ANALYSIS DETECTION CREATION IMPACT IDENTIFICATION MITIGATION ADVICE BINARY ANALYSIS

  17. WHAT CAN I DO? NETWORK ANALYSIS DETECTION CREATION IMPACT IDENTIFICATION MITIGATION ADVICE BINARY ANALYSIS

  18. NETWORK ANALYSIS Run it. ‣ ▾ ….. In a lab! ▾ hnps://medium.com/@xNymia For all your lab crea1on needs Sysinternals and Wireshark are your best friends ‣ Comparison against known good SMB traffic ‣ Look for irregulari1es and panerns in mul1ple samples ‣ Check protocol docs ‣

  19. NETWORK ANALYSIS

  20. NETWORK ANALYSIS

  21. NETWORK ANALYSIS Interes1ng Mul1plex ID ‣

  22. WHAT CAN I DO? NETWORK ANALYSIS DETECTION CREATION IMPACT IDENTIFICATION MITIGATION ADVICE BINARY ANALYSIS

  23. DETECTION CREATION We have 4 indicators now ‣ ▾ Mul1plex ID 64/65 ▾ Mul1plex ID 81/82 Lets flex our learnings ‣ ▾ Suricata IDS Rules ▾ Snort IDS Rules alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Anempt Stage 1/2 - Tree Connect AndX Mul1plexID = 64 - MS17-010"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|40 00|"; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-ac1vity; sid:5000074; rev:1;)

  24. DETECTION CREATION NetBios Header SMB Packet 0010 < ........ Frame / TCP / IP Headers .........> SMB Structure - "|FF|SMB|75 00 00 00 00|" 0020 00 00 00 60 FF 53 4D 42 75 00 00 00 00 18 07 C0 Multiplex ID - "|40 00|" 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 0040 00 08 40 00 04 FF 00 60 00 08 00 01 00 35 00 00 SMB Content 0050 5C 00 5C 00 31 00 39 00 32 00 2E 00 31 00 36 ...

  25. DETECTION CREATION alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Anempt Stage 1/2 - Tree Connect AndX Mul1plexID = 64 - MS17-010"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|40 00|"; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-ac1vity; sid:5000074; rev:1;)

  26. WHAT CAN I DO? NETWORK ANALYSIS DETECTION CREATION IMPACT IDENTIFICATION MITIGATION ADVICE BINARY ANALYSIS

  27. IMPACT IDENTIFICATION ‣ What is actually vulnerable? ‣ Run it. ▾ In lots of labs!

  28. IMPACT IDENTIFICATION ‣ What has already been compromised? ▾ Scan the internet?

  29. WHAT CAN I DO? NETWORK ANALYSIS DETECTION CREATION IMPACT IDENTIFICATION MITIGATION ADVICE BINARY ANALYSIS

  30. MITIGATION ADVICE ‣ How can we help others mi1gate? ▾ Patching can be difficult ▾ What other op1ons can we offer? ‣ Disable SMBv1? ‣ What did Riot do? ▾ Suricata detec1ons ▾ No external SMB ▾ Firewalled Inbound SMB on worksta1ons

  31. WHAT CAN I DO? NETWORK ANALYSIS DETECTION CREATION IMPACT IDENTIFICATION MITIGATION ADVICE BINARY ANALYSIS

  32. BINARY ANALYSIS ‣ Some1mes worthwhile disassembling …Simplest things right under your nose.

  33. … AND BEYOND ‣ So shits going down, what can I do? ▾ Get a lab setup ▾ Grab a sample ▾ Run it. Don’t be too afraid ▾ What can I do with this data? ▾ Blogging, Twee1ng, IRC / Slack / Discord ‣ A few don'ts for good measure: ▾ Don’t work in a silo, talk to people ▾ Don’t run dodgy files on your main machine Be Heard

  34. THE GANG Emma McCall Dan Tentler DEY! Kevin Beaumont @Viss @ronindey @GossiTheDog @RiotNymia

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On-line Learning Architectures March 2017 Tarek M. Taha Electrical and Computer Engineering

On-line Learning Architectures March 2017 Tarek M. Taha Electrical and Computer Engineering

On-line Learning Architectures March 2017 Tarek M. Taha Electrical and Computer Engineering Department University of Dayton 1 Tarek Taha Device SPICE Model Boise State Univ of Michigan HP Labs Actual Device 1 60 0 1 Current (mA)

528 views • 14 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
Bear Essentials Bear Essentials Rangers in the Classroom Presentation Rangers in the Classroom

Bear Essentials Bear Essentials Rangers in the Classroom Presentation Rangers in the Classroom

Bear Essentials Bear Essentials Rangers in the Classroom Presentation Rangers in the Classroom Presentation Lesson Plan 1st and 2nd Grade Lesson Plan 2nd Grade Introduction: Grade Level(s): 1st &amp; 2nd Welcome to the Rangers in

454 views • 7 slides
Network Monitoring on Industrial Control Systems Alvaro Cardenas, PhD. David I Urbina, PhD.

Network Monitoring on Industrial Control Systems Alvaro Cardenas, PhD. David I Urbina, PhD.

Network Monitoring on Industrial Control Systems Alvaro Cardenas, PhD. David I Urbina, PhD. candidate Introduction of NSM Long term goals Current Research ICS T raffjc Analysis Intrusion Detection Some T ools for NSM

458 views • 22 slides
SDN / NFV panel @ SBRC Sbastien Tandel sta@hpe.com slideshare.net/standel May 2017

SDN / NFV panel @ SBRC Sbastien Tandel sta@hpe.com slideshare.net/standel May 2017

SDN / NFV panel @ SBRC Sbastien Tandel sta@hpe.com slideshare.net/standel May 2017 Sbastien Tandel Working within HPE Aruba CTO as a Principal Architect Technologist with sound business knowledge Software engineer with sound

492 views • 21 slides
IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler,

IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler,

IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler, Universitt Potsdam Co-Financed By: Project Goals Independently assess the true, current risks of IPv6 attacks Develop intrusion detection tools for

447 views • 17 slides
15 20 years ago Internet starting to reach a wider audience most people did not

15 20 years ago Internet starting to reach a wider audience most people did not

10/19/2010 15 20 years ago Internet starting to reach a wider audience most people did not have emails Mitigating Cyber Attacks computer security an afterthought The typical hacker, often portrayed as teenager,

588 views • 25 slides
Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray

Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray

Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray continually; give thanks in all circumstances, for this is Gods will for you in Christ Jesus. I Thessalonians 5:16-18 For the kingdom of God is

332 views • 19 slides
Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Ka aniche, V.

Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Ka aniche, V.

Problem statement Methodology Testbed and Experimental Results Conclusion Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Ka aniche, V. Nicomette LAAS-CNRS - Dependable Computing and Fault Tolerance (TSF)

719 views • 22 slides
Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com &lt;http://www.cymru.com&gt; Network Forensics what does it mean? network forensics is the analysis of network events in order to discover the source of problem

997 views • 43 slides
CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

THE cloud data feed CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC - Erik Christensen Damn-fast and effective malware info sharing with MISP by Christophe Vandeplas http://misp-project.org

692 views • 47 slides
Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday, March 11, 12 Introduction Chris Davis Emerging Threats &amp; University of Toronto Fellow IPTrust, DefIntel, Damballa... Mariposa, Conficker,

158 views • 15 slides
Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE

Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE

Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE Teacher of the Year 2017 NYS Health Education Amazing Person of the Year IGOR ELEVANCE ELATIONSHIPS Snack Time What was most memorable? Why are

863 views • 85 slides
River Runners Citizen Science Training Workshop with support and funding from New Hampshire

River Runners Citizen Science Training Workshop with support and funding from New Hampshire

River Runners Citizen Science Training Workshop with support and funding from New Hampshire Rivers Council members like you Exotic Species EXOTIC and INVASIVE: A species that is not native and is introduced to an area either purposely

1.01k views • 71 slides
Geometry Euclid of Alexandria The Founder of Geometry. He was a Greek mathematician, often

Geometry Euclid of Alexandria The Founder of Geometry. He was a Greek mathematician, often

Geometry Euclid of Alexandria The Founder of Geometry. He was a Greek mathematician, often referred to as the &quot;Father of Geometry&quot;. He was active in Alexandria during the reign of Ptolemy I (323283 BC) Pythagorean theorem Geometry

807 views • 66 slides
Results &amp; Commentary May 7, 2020 Always Secure. Always Available. Cautionary Statements

Results &amp; Commentary May 7, 2020 Always Secure. Always Available. Cautionary Statements

Q1 2020 Financial Results &amp; Commentary May 7, 2020 Always Secure. Always Available. Cautionary Statements &amp; Disclosures This presentation and the accompanying oral presentation contain forward - looking statements that are based on

537 views • 21 slides
+ Curating the Northumbrian Commons Dr Martyn Hudson Martyn.Hudson@Newcastle.ac.uk +

+ Curating the Northumbrian Commons Dr Martyn Hudson Martyn.Hudson@Newcastle.ac.uk +

+ Curating the Northumbrian Commons Dr Martyn Hudson Martyn.Hudson@Newcastle.ac.uk + Northumbrian Exchanges Knowledge, arts and communities in rural Northumberland Partners; ACA, VARC, Alwinton, HIP etc. Universities, partners and

94 views • 6 slides
Planning Controls and Property Rights Addressing Council Risk Simon Berry Barrister

Planning Controls and Property Rights Addressing Council Risk Simon Berry Barrister

Local Government New Zealand Managing Council and Community Risk from Natural Hazards 16 February 2011 Planning Controls and Property Rights Addressing Council Risk Simon Berry Barrister Context

584 views • 41 slides
13/01/2016 Selective Licensing Harrow 2011 Census Project 239.000 residents a 2 year

13/01/2016 Selective Licensing Harrow 2011 Census Project 239.000 residents a 2 year

13/0 1/20 16 Housing Act 2004 (and Regs) Selective Licensing Section to. Housing Act 2004 Selective Licensing Designate the whore, part or parts of a Borough Wealdstone Re quiresa II private rented accommoda ticni area to be lcensed

358 views • 6 slides
SUS BUDGET BALANCE SHEET - 2017-18 BUDGET Unrestricted Funds Supported SUS Activities and

SUS BUDGET BALANCE SHEET - 2017-18 BUDGET Unrestricted Funds Supported SUS Activities and

SUS BUDGET BALANCE SHEET - 2017-18 BUDGET Unrestricted Funds Supported SUS Activities and Operations DEPARTMENT PROJECTED SURPLUS/DEFICIT 0100 Corporate $ 131,940 0200 Student Affairs $ (68,044) 0300 Student Services* $ (39,898.16) *

650 views • 48 slides
COMPLIANCE ISSUES FOR BUSINESSES ENTERING IRAN Outline Sanction consulting in banking,

COMPLIANCE ISSUES FOR BUSINESSES ENTERING IRAN Outline Sanction consulting in banking,

COMPLIANCE ISSUES FOR BUSINESSES ENTERING IRAN Outline Sanction consulting in banking, industrial and trade sectors: Getting to grips with international sanctions Issues for traders and banks What does legal advice on sanctions

277 views • 24 slides
Concrete and Steel Rebar Steel Rebar for reinforcing Concrete Steel Rebar for reinforcing

Concrete and Steel Rebar Steel Rebar for reinforcing Concrete Steel Rebar for reinforcing

Traditional Building Materials Concrete and Steel Rebar Steel Rebar for reinforcing Concrete Steel Rebar for reinforcing Concrete Steel Rebar for reinforcing Concrete Steel Rebar for reinforcing Concrete Advantage Easy to use Initial

522 views • 37 slides
FDI Recent changes in Policy, Sectoral and other developments CA Shabbir Motorwala 22

FDI Recent changes in Policy, Sectoral and other developments CA Shabbir Motorwala 22

FDI Recent changes in Policy, Sectoral and other developments CA Shabbir Motorwala 22 December 2018 CTC - Intensive study course on FEMA Mumbai 1 Conten Co ents Overview of FEMA Inbound Investment Recent Developments FEMA 20

593 views • 35 slides
World Ocean Day for Schools Assembly and classroom presentation 7th June 2019 AN UNDERSTANDING

World Ocean Day for Schools Assembly and classroom presentation 7th June 2019 AN UNDERSTANDING

World Ocean Day for Schools Assembly and classroom presentation 7th June 2019 AN UNDERSTANDING OF THE OCEANS INFLUENCE ON YOU AND YOUR INFLUENCE ON THE OCEAN Hi, its me! Its the ocean again. Can everyone wave? Here are some of the

191 views • 16 slides

More recommend