Year: 2024

If you are working in SOC as SOC Analyst or Incident Response, Threat Hunters, Threat Intelligence Analyst, you might be facing with whitelisting and blacklisting already.

Whitelisting consists of allowing access within your environment. In SOC term, when you whitelist a file or command, it won’t show up in the alert, which could be very dangerous as you might not see the malicious activities triggering.

Blacklisting consists of blocking access within your environment.

Whitelisting and Blacklisting are usually done by tools such as EDR, SIEM, Antivirus and other.

You should be very careful while doing any of those, as it might cause several damages to your organization.

Below, we will describe some of the Windows files system that you should never whitelist within your environment.

First of all, let’s start by the folder C:\WINDOWS\system32\ . The folder is used by Windows OS to hold systems files and folders. Most of the files we will be discussing today, are in this folder.

Mshta.exe: Is an utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. Attacker can use the command as System Binary Proxy Execution to execute malicious code directly from a remote server to bypass application control and browser security.

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility (https://attack.mitre.org/techniques/T1218/005 ).

Cmd.exe: command-line interpreter for Windows, many threat actor run the malicious command from command-line interpreter to compromise the system, to exfiltrate data and others

utilman.exe: The file is associated with the Utility Manager application of Windows. Can be used to monitor an application and give access to useful UI settings within Windows.

Svhost.exe: Used to host Windows services, malware can use the file to hide itself from the Antivirus or the detection engine.

Microsoft Shortcut File (LNK): The file is used to link various types of information such as files, network shares, can be used by a malware to execute a malicious file located in a remote environment.

powershell.exe: It is a command line tool used to manage and automate tasks in the Windows operating system. The tools can be used to exploit the system by creating a script.

msiexec.exe: It is used to install, modify, and perform operations on Windows Installer (MSI (Windows Installer Package)) from the command line.

services.exe: Is the Windows service control manager, it controls all the services. It can be used by a malware to start and stop a malicious service.

fodhelper.exe: Used for managing language changes in the operating system. It can be used by adversaries to bypass User Account Control and execute additional commands with escalated privileges.

dllhost.exe: It is used to host and execute DLLs. The process is used to host COM (Component Object Model) object. It can be used by malware to execute a fake DLL code.

rundll32.exe: It is used to give the access to the developers to create functions stored separately as a DLL file. It can be used my malware to run a DLL file to perform a malicious activity.

BCDEdit.exe: It can be used to verify the new stores, modifying existing stores, and adding boot menu options. It can be used by malware to modify the boot loader configurations.

regsvr32.exe: It is used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. It can be used by malware to store malicious file or key in the registry.

WMIC: It is a deprecated command-line interface working with Windows Management Instrumentation to manage data and operations on a Windows. The tool is deprecated and not available in PowerShell 6+. The tool can be used to provide users information from the remote computer.

PowerShell: It is an automation configuration tool. It can be used to deploy, test, build solution. The tool is quite often used by malware to deploy on the system and compromised.

userinit.exe: It is a is a program that restores the profile, fonts, colors for a user. It can be used by malware to add a program.

Schtaske.exe: It is used for performing a task scheduling task, maybe used by threat actors for the execution of malicious code.

taskhostw.exe: The file is used by Windows 10 as a host for processes that execute as part of a DLL file. It can be used to monitor applications, keyboard, mouse activities. A threat actor can used that to perform malicious activities.

wsmprovhost.exe to identify remote connection related to WINRM or PowerShell

Vssadmin: Used to display the volume shadow copy backups and installed shadow copy writers and providers. The threat actor can leverage to perform it to delete or copy the data backup, resize it (anti forensic technic) to destroy the evidence.

Mstsc.exe Creates and edit connections to Remote Desktop Session Host servers or other remote computers.

In conclusion, it is required to always check the file perform suspicious activity. You might know that some activities might be legitimate, for example activities performed by the admin. You need to know how to differentiate those normal activities from the malicious one. Checking the file location, the file hash, and signature will be a good starting point to detect a malicious file.

Main News

New update in URLSCAN to detect malicious domains

Bangaly Koita 3 months ago

If you are following our blog Home Home - osintafrica, you already know the tool URL and website scanner - urlscan.io, click on https://www.osintafrica.net/how-to-use-urlscan-part1/ for more details.

The best tools always need improvement and urlscan.io is one of those. The tool has done some improvements that can help an Analyst to perform faster and more efficiently the investigation on phishing website mimicking an organization.

Let’s have a look at the new improvements.

The tool introduced two great features (Favicon hash detection based and the HTTP post request detection) which can be used to detect phishing website mimicking an organization and credentials harvesting domain.

To better understand that, lets practice a bit.

Detecting a website mimicking Netflix using the FAVICON HASH ANALYSIS

A Favicon is the website icon, it helps to visually represent a website and to distinguish between open tabs or search results.

A favicon contains a hash, a hash of a favicon can be used to detect similar website.

The feature has been introduced into urlscan.io to make it easier for the Analyst to quickly perform his or her investigation.

Example 1:

We will connect to urlscan.io and use a domain mimicking NETFLIX website, we will use the favicon hash to find similar website.

Let’s do it.

Connect to https://urlscan.io/result/fb90e947-db87-4476-924d-5db678a50acd/#transactions

Click on the “HTTP” button in blue, type (crtl F - favicon), scroll down, click on the hash and open in a new tab, you will see the result.

Example 2: Detect website mimicking Microsoft.com.

https://urlscan.io/result/b4cf2f17-ebee-47b4-b85e-f63eae623ec4/#transactions

click on the hash and open in a new tab, you will see the result.

Detecting a credential harvesting domain using HTTP POST request detection based.

A credentials harvest is when a threat actor sends a phishing link to user, once the user clicks and enters his/her credentials, the credentials will be sent to another domain, where they will be stored by the threat actor which will be used to impersonate the user or sell via the Dark web. This technic is commonly used against organizations that use the cloud as a service such as Microsoft O365

Let’s give an example, we have detected a maldomain mimicking Microsoft login, when a user enters the credentials, the credentials will be sent to hxxps://robertreed1313[.]xyz/next.php

Click on the link:

https://urlscan.io/result/e25dc1e1-9ab7-491c-94a8-20aec6eba2d8/#transactions

As you see in the image, there is “HTTP POST” request which is an indication of data being sent to another URL in this case (hxxps://robertreed1313[.]xyz/next.php)

Let’s give another example to better understand it.

Another maldomian mimicking Microsoft login website:

fattykins.za.com - urlscan.io

Let’s show the last example

ron-marom12.github.io - urlscan.io

Maldomain mimicking Netflix website login.

NB: Be careful while checking the domains, always check with Virustotal and check if the domain is newly created before making a decision.

Do you know that we can use URLSCAN to find maldomains or typo squatting domains mimicking our organization?

We will try to find domains name similar to Microsoft.com

Connect to urlscan.io, go to search – type: page.domain:( page.domain:(microsoft.com~ AND NOT microsoft.com))

Search - urlscan.io

Like you see, URLSCAN has improved a lot; by using the tool, you can save a lot of times during your investigation. Feel free to start using the tool https://urlscan.io/.

Main News

How to securely open a file

Bangaly Koita 8 months ago

Working as malware analyzer or SOC analyst or Incident responder or Journalist or Governmental investigator, you may need sometimes or often to open a file from the internet or email address or any other source possible to receive a file.

As you may know, one of the easier ways for the threat actor to compromise someone is to send him or her a malicious file that look like a legitimate one. This issue been for decade and still is one of the most efficient ways to target the users.

The best way to securely open any file is to have your own SANDBOX (automatic or manual sandbox) that may check the file before opening it. However, if you do not have enough resources to implement a sandbox, you still can use online tools to open a file securely.

It worth mentioning that opening a confidential file or highly sensitive file using online tools could lead to data leak. Be careful always before you use a tool to open a file online. The best option is to use a tool that you can download offline and use.

In the upcoming line, we will share some tools that you can use online to view the file content without the risk of being compromised.

DANGERZONE

Dangerzone allow a user to open dangerous PDFs, office documents, images and convert them to safe PDFs.

Dangerzone: Convert potentially dangerous documents into safe PDFs

Pdffiller

An online tool to open a PDF file online.

https://www.pdffiller.com/

Google Drive

You can use Google Drive to open a file without harming you.

For example, when you receive a message from Gmail containing an attachment, you can add the attachment to Google Drive and view it. By doing it that, you avoid your system from being infected if the file is malicious.

https://drive.google.com/

Onlinedocumentviewer

The tool can be used to open different files formats such as office packages files, pdf and others.

https://onlinedocumentviewer.com/

Dropbox

You can use Dropbox to open a file without damaging your computer.

Dropbox.com

They are many tools that you can use online to view a file but the inconveniency can raise. For example, the confidential file share online can fall in the hand of other people. If you upload a malicious file via online tool, another person that gets in touch and open the file on his system can be infected. Always be careful before you open a file online and download any file from the file viewer sources.

Main News

Payoutproject[.]com the biggest scam ever on social media Facebook, twitter, TikTok, Instagram

Bangaly Koita 10 months ago

A big scam is going on social medias. At the time of writing, thousands of people were scammed and the number is growing.

The Payoutproject website is a marketing company located in the United States of America. The owner affirms that the members will be awarded after doing some tasks and activities which are given to them.

Many people already complained about the fake business. Unfortunately, the scam business is still growing up around the world.

As always, I love such investigation, I will share with you, how I investigated the fake business and the outcome after.

First of all, I checked the website via webarchive.org (https://web.archive.org/web/20230402014918/https://payoutproject.com/)

Like you see, the website is well design and will attract many visitors, let’s read the “Home page”.

We can see some information about the website and how we can be rewarded and get paid after performing some tasks. Well, I will be rich now 😊.

One important thing on the Home page is “There is no any fee, no any membership fee and no any paid thing. All is free... The main thing is your passion to the completion of task and promote to the friends”

Many people will register to gain money fast because the is very easy and fast.

I scrolled over the website, and found out that they are operating in many socials’ medias such as Facebook, Instagram, Twitter, TikTok.

As many scammers are usually on Facebook, I went through Facebook.com and I found on Facebook that someone published a post about the business (for privacy reason I won’t publish the name). I checked the profile of the user and found some suspicious comments scams and others social engineering threat. That was my first hit.

I found out that the post published by the user is getting more attention and is being viewed by millions of people following with thousands of comments.

At this point, we can see that the scam is word wide and many people are already impacted and will be impacted by this malicious activity.

Now, let’s reviews people feedback about the website via search engine online such as Chrome.

There are many reviews about the website, let’s detailed some of the reviews:

https://www.cloudbooklet.com/entertainment/is-payoutproject-scam-or-legit

2. https://www.scamadviser.com/check-website/payoutproject.com?utm_content=cmp-true

3. https://ie.trustpilot.com/review/payoutproject.com

Like you see in the comments from different websites, most of people who commented agreed on one thing, the website is a scam, after investing in the website, the money grow and never received the money back.

Back on the website, you can see the payment methods available to invest and be paid later.

This method can be used by the scammers to steal your sensitive data, so if you already created an account and used your PII or any sensitive data removed and changed your sensitive data and password if you used the same in any other account.

The websites mentioned the top payouts countries using the application

In you are located in any of the location mentioned above, inform your authority about the scam.

Always verify such business before using it. The best option will be to avoid such online business.

Main News

How to use a proxy server for free over the internet

Bangaly Koita 10 months ago

A proxy server is used to protect the network for the following reasons:

Preventing the users to connect to malicious websites

Protecting the company web application by preventing any malicious request that can be used to compromised it

Act as intermediary between the private network and the internet

Can be used to hide the user’s location

In our example, we will show how you can use a proxy server own by another organization to hide your identity or change your location in order to connect to different web application restricted by the government or the authority.

Over the internet, there are many proxy servers that don’t require any authentication to be used. We will use one of those to show how we can take advantage of it to achieve our goal.

SPYS

HTTPS proxy list, HTTP proxy with SSL support, free SSL proxy servers (spys.one)

The website is collecting different types of proxy on daily basis. We will use this website to find a proxy server that fits our needs.

Go to “HTTPS/SSL proxy” choose one proxy with the HTTPS protocol. In our case we choose the proxy server located in Turkey (Cankaya)

Once we find the proper one, now we can start our configuration.

2. CONFIGURATION MODE

In this example, we will use the browser Mozilla.

Open the browser

We need a tool to configure the proxy server. We will install the tool FoxyProxy to manage the proxy.

After the installation, the tool will be embedded in Mozilla, click on the “extension” toolbar

The application will be listed, click on “option”, go to “proxies’ menu”

Now, you can start the configuration.

Like you see above, we choose the configuration details from the proxy server “Turkey”, we put all the setting from the proxy.

The last thing to do is to configure our browser

Type in the browser search button: about:preferences#searchResults

Type the IP address and port and chose the HTTPS protocol

Once done, we can check if the configuration works fine.

https://getfoxyproxy.org/geoip/

As you see, the location is visible. We can now connect to social media or any other website not restricted in this area.

NB One important thing to mention is that when you use a proxy server from a third party, all you information are passing through his server and know that, it is also not legal to use a proxy server without authorization.