There is no shortage of organizations these days running McAfee’s ePolicy Orchestrator in an effort to combat maliciousness. Much like any endpoint security platform, it has its strengths and weaknesses. One of the great features of the application is that it contains an audit log containing authentication information to include any supplied usernames, as shown below.
As weird as it may seem, sometimes people will type in their username AND their password on the same line and submit them for authentication, not realizing the mistake. Well, McAfee ePO logs that information as is. In the example below, the password is likely ‘PA$$word1337’.
This happens more often than what you may think and users with the applicable permissions can see this information in the audit logs. From a blue team perspective, being cognizant of the likelihood of this artifact is vital. As a red team member, this is easy pickings. Not only will it likely get you into the application with the user’s information in the logs but that user could also have more rights than the user you may be currently using. Also, whatever the password is for the user whose information is in the log, it is also likely to be that user’s password to their local or domain account or possibly to other applications in the network.
A great starting point for anyone analyzing a system is the running processes. Taking the time to not only retrieve the command line execution of the process but also the parent process will enable you to find outliers. Taking it a step further, retrieving the hashes of the binary of each process expand your aperture substantially. Especially when you are able to group and stack those hashes against those from other machines. With that in mind, I’ve written a simple little script that will get the hashes of all running processes.
As of late, I’ve been experimenting more and more with the McAfee HIPS Firewall with the McAfee ePO. So far, I think it is decent. It is at least stateful, so that’s a plus. The firewall has a feature to block domains and using the GUI, you can only add them one at a time. There is an option to import them but that would require us to have it in a readable format the McAfee could understand. Thinking outside the box, I decided to put an entry in the firewall and export that policy in order to get a feel for the structure. Once I did that, I was able to take a list of domains from www.malwaredomains.com, change some formatting in their file, and fit it into the McAfee format. The result is a perfectly formatted firewall policy ready to import. The workhorse of it all, PowerShell!
In my testing from testing with www.malwaredomains.com, I imported over 14000 entries and while McAfee HIPS took it, I don’t think it can handle that much as the server became incredibly slow. Nonetheless, you could now take my script, make some minor adjustments and use it with your malware domain listing of choice. Since we are on the subject, below are a few other sites that are good sources as well.
Alternate Data Streams (ADS) are nothing new and there are a few ways to detect them within a NTFS filesystem. My tools of choice for detecting an ADS is LADS (List Alternate Data Streams) by Frank Heyne or SysInternals’ Streams… both of which work rather well. My issue though is that I, much like the customer, normally wants to limit and lessen the amount of external tools that are added to any of their systems. Resident to Microsoft Windows, we have a way to do some detection using one of two ways but one provides a little more capability than the other. Let’s check them both out.
The DOS way depicted below will recursively search a directory (/s), search for ADS (/s), and then look at the string “:DATA”.
The PowerShell way is depicted below. Be advised that the cmdlet used below goes back as far as version 2. The –Stream option was not available until version 4.
If you just executed these commands, you probably noticed how a number of the files might have popped up matching the (more…)