Sunday, 23 September 2018

GIAC Certified Forensic Analyst (GCFA) – PASSED

I recently sat and successfully obtained my GIAC Certified Forensic Analyst certification and thought I'd write a small post about it. What a year it’s been of study. I started my OSCP in early February. As per my previous post about it, it was a brutal 90 days of persistence, patience and suffering :)

After passing my OSCP, I had about 1 week of ‘free time’ before attending the SANS event for the FOR508: Advanced Digital Forensics and Incident Response course. I had this already booked from late 2017. So I knew it was coming, which I guess added to my stress of passing the OSCP first time and quickly.

--> What is it?
The course was great, it was the usual SANS format which entailed 6 days of lecturing from industry experts. The courses themselves are always valuable, not just from the content, but from the stories of people in the industry. You get real-life examples of how the content you’re learning is applied in day-to-day work.
There’s a lot covered in the course and at a high level:

  • The incident response, threat intelligence & threat hunting process
  • Cyber kill chain and Mitre ATT&CK models
  • In-depth memory forensics
  • Finding evidence of malware and answering (who, how, why?!)
  • Carving out artefacts to create a ‘story’ and timeline of what happened
  • In-depth look at the Windows file system and how it all works


--> Study tips
This is my 3rd SANS certification and I think I’ve now got the hang of studying for these. During the course week, I tend to just listen as much as I can and not really focus on the books. Tip: get the most out of being there. Studying for the exam is what you do later, in your own time. While you’re there, just enjoy it. You’ve probably paid good $$$ for it too!
After the course, I take a few weeks away from it then get into studying. My method is simple, read the books and create an index.
The exam is open book where you can bring in an armful of written content. The best and only content you need is the official books and an index of keywords and page numbers.
I give all books a thorough read-through, highlighting keywords, statements and points. This can take a while, if not weeks. Once I’ve gone through all the books, I do it again, this time creating an index in Excel which is simply:
Keyword, Book Number, Page number.
For this certification, my index was 18 pages long. After I’ve completed the second read-through and built this index, it's time to sit a practice exam. My advice: sit them as you would the real exam. Set aside 3 hours of uninterrupted time, using only what you’d bring into the exam. I passed my first test with 73% (just scraped through). The pass mark is 71%.
At the end, a summary is provided. Use this to focus on areas where you should devote more time.
In the end, I passed my exam with 88% and only 37 seconds to spare! It was a nerve-racking final 5 minutes.
I could definitely tell during my second read-through of this course I was ‘burnt-out’ with study. Having just finished the OSCP where I dedicated easily 300-500 hours, I had one week break, then onto the GCFA.

--> Why the GCFA?
You might be wondering why I did a forensics course/certification after my OSCP? Simple. I’m passionate about all things security and an advocate for learning both sides of the story. A great blue-teamer should have an understanding of how their adversary is attacking them. Likewise for a penetration tester. Understanding how your actions will be detected, what footprint you’ll leave behind and how you may (or may not) be detected, can only do you justice in rounding out your skills.
I’ve learnt great techniques to help me with my journey as a penetration tester. There are definitely ways in which forensics can be used for the offensive. Why try and break through a hardened host with multiple layers of security? For example, if you can obtain or somehow gain access to a hypervisor with the right privileges, and take snapshots or memory of servers, it makes hacking easy.
Once you have a memory image, you’re not restricted by defensive security products and Windows security controls. You have free rein access to data. At the end of the day, that’s what an attacker/pentester is after. Data. 
I’m amazed at how mature forensic tools have become. I can’t imagine how a lot of this would have been done 20-30 years ago. Now, it literally is just mounting an image, running some tools to get what you need. It’s great, and kudos to all the developers of forensic tools.

--> Next certification?
You cray! For now, I think it’s time to rest the brain. But I'm keen to attack a CREST certification or the OSWP. Perhaps in 2019.

--> n33dle

Thursday, 13 September 2018

A look (and play) into CVE-2018-8440. The Windows ALPC Elevation of Privilege Vulnerability

--> So what is it?
On 27 August 2018, freelance researcher @SandboxEscaper let loose a proof-of-concept (PoC) for an unpatched local privilege escalation in Windows. Microsoft's advisory covers all supported versions of Windows; the PoC as released was written for 64-bit Windows 10 and Windows Server 2016.
From what I gather, the vulnerability was not responsibly disclosed. There was some banter on Twitter towards SandboxEscaper…

A few days later, Acros Security, a security research company in Slovenia, released an unofficial micropatch through its 0patch service. Eventually, Microsoft released an official fix (CVE-2018-8440) as part of the September 2018 Patch Tuesday on the 11th.
As detailed in CERT/CC VU#906424, the flaw is in the way the Task Scheduler's SchRpcSetSecurity API, which any local user can reach over the Advanced Local Procedure Call (ALPC) interface, sets the security descriptor on task files: it writes the DACL without properly checking the caller's permissions. Because a low-privileged user is allowed to create files in C:\Windows\Tasks, including hard links to protected system files, the call can be used to grant that user write access to files their own ACLs would never let them touch. The public PoC uses this to overwrite a DLL that the Print Spooler (spoolsv.exe) loads, which is why the demo below ends up inside that service.

--> Let’s play with the poc
First, fire up my Windows 10 VM and make sure I’m a regular low-privileged user.

Let’s check the spoolsv.exe service in Process Explorer. As below, it has no child processes spawned or running:

Now I open notepad (PID 1988). As below, running as n33dle (low-priv) user:

Now let’s inject this process into spoolsv using the PoC exploit:

And there you have it… notepad.exe now running as NT AUTHORITY\SYSTEM as a child process of spoolsv.exe.
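The same check the Process Explorer screenshots show, scripted so it can be run across a fleet. This is an added example for this post, not code from the original or from the PoC author: it lists every child of spoolsv.exe together with the account it runs as. The Print Spooler normally has no children at all, so anything under it, let alone something running as SYSTEM, is worth a look. It assumes Windows PowerShell 5.1 with the CIM cmdlets and that the spooler service is running.

```powershell
# Added example, not from the original post: enumerate child processes of
# spoolsv.exe and resolve their owners. Assumes Windows PowerShell 5.1 (CIM cmdlets).
function Get-SpoolerChildren {
    $spoolers = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'spoolsv.exe'")
    foreach ($spooler in $spoolers) {
        # ParentProcessId is only a number, so guard against PID reuse: a genuine
        # child must have been created after its parent.
        $children = Get-CimInstance -ClassName Win32_Process `
            -Filter "ParentProcessId = $($spooler.ProcessId)" |
            Where-Object { $_.CreationDate -gt $spooler.CreationDate }

        foreach ($child in $children) {
            # GetOwner resolves the token owner, e.g. NT AUTHORITY\SYSTEM.
            # It fails (ReturnValue != 0) when the caller cannot open the process.
            $owner = Invoke-CimMethod -InputObject $child -MethodName GetOwner
            $ownerName = if ($owner.ReturnValue -eq 0) {
                "$($owner.Domain)\$($owner.User)"
            } else {
                'unknown (access denied)'
            }
            [pscustomobject]@{
                SpoolerPid  = $spooler.ProcessId
                ChildPid    = $child.ProcessId
                Name        = $child.Name
                Owner       = $ownerName
                Created     = $child.CreationDate
                CommandLine = $child.CommandLine
            }
        }
    }
}

# On a healthy host this prints nothing. After the PoC run shown in this post it
# would list notepad.exe with Owner = NT AUTHORITY\SYSTEM.
Get-SpoolerChildren | Format-Table -AutoSize
```

Run it elevated if you want GetOwner to succeed for SYSTEM-owned children; as a low-privileged user the process still shows up, just with the owner reported as unknown, which on its own is enough to flag it.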

--> Mitigation/Remediation
1. Ultimately, patch systems for CVE-2018-8440 (Microsoft September 2018 Security Updates).
2. Not recommended, but as a stop-gap you could modify the NTFS ACL on the Tasks directory under C:\Windows (the directory the PoC drops its hard link into): remove the Authenticated Users group and deny SYSTEM write-data and write-DAC rights. This is the CERT/CC workaround; it can interfere with normal Task Scheduler operation, so patch rather than rely on it.
--> icacls c:\windows\tasks /remove:g "Authenticated Users"
--> icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)
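The following is an added example of mine, not from the original post or from CERT/CC, for checking the two preconditions the workaround is aimed at: whether non-administrative principals can still create files in C:\Windows\Tasks, and whether any file in there is a multi-link hard link, which is what the PoC plants before calling SchRpcSetSecurity. It assumes an elevated Windows PowerShell 5.1 prompt and the stock fsutil.exe.

```powershell
# Added example, not from the original post: inspect C:\Windows\Tasks before and
# after applying the icacls workaround for CVE-2018-8440.
# Assumes an elevated Windows PowerShell 5.1 prompt and the built-in fsutil.exe.
$tasksDir = 'C:\Windows\Tasks'

# 1. Which principals can create files here? The exploit needs a low-privileged
#    caller to drop a hard link in this directory, which the default
#    "Authenticated Users" allow entry permits. WriteData on a directory is the
#    "create files" right (FullControl and Modify include it).
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
$acl = Get-Acl -Path $tasksDir
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Identity   = $_.IdentityReference.Value
        Type       = $_.AccessControlType            # Allow / Deny
        Rights     = $_.FileSystemRights
        CreateFile = (($_.FileSystemRights -band $writeData) -ne 0)
    }
} | Format-Table -AutoSize

# 2. Any file with more than one hard link? fsutil prints one volume-relative
#    path per link, so more than one line means the file has another name, and
#    that other name being a system DLL is exactly the PoC's setup.
foreach ($file in Get-ChildItem -Path $tasksDir -File -Force) {
    $links = @(& fsutil.exe hardlink list $file.FullName 2>$null)
    if ($links.Count -gt 1) {
        [pscustomobject]@{
            File      = $file.FullName
            LinkCount = $links.Count
            AllNames  = ($links -join '; ')
        }
    }
}
```

After the two icacls commands above, the ACL table should no longer contain an Authenticated Users row and should show a Deny entry for NT AUTHORITY\SYSTEM carrying WriteData and ChangePermissions (icacls' WD and WDAC). The hard-link pass is also a reasonable thing to run during incident response on an unpatched host, since a leftover multi-link file in this directory is a durable artefact of an attempt.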

That’s it for now. I’m going to look into the source code and see if I can spawn a SYSTEM command shell. Will need to modify the resource.aps source file, as that is used to compile the DLL which is injected into the spoolsv service.

--> n33dle