Windows Server 2016, AppLocker Rules

AppLocker rules can be set up by using group policy in a Windows domain and have been very useful in limiting the execution of arbitrary executable files. AppLocker takes the approach of denying all executables from running unless they have specifically been whitelisted and allowed.

AppLocker is available on Windows desktop and server editions; on the desktop it requires an Enterprise edition.
The AppLocker requirements can be found here.

Note: before implementing AppLocker rules in a production environment it is important to perform thorough testing. AppLocker will not allow anything to run unless it has been explicitly whitelisted, so keep in mind any non-standard installs to the system root or to other drives (C:\ or E:\).


AppLocker Rule Types:

  • Executable Rules: These rules apply to executables, such as .exe and .com files.
  • Windows Installer Rules: These rules apply to files used for installing programs such as .msi, .mst and .msp files.
  • Script Rules: These rules apply to scripts such as .bat, .js, .vbs, .cmd, and .ps1 files.
  • Packaged App Rules: These rules apply to the Windows applications that may be downloaded through the Windows store with the .appx extension.

With each of these rules, we can also whitelist based on the publisher, path, or file hash.

  • Publisher: This method of whitelisting is used when creating the default rules, as we’ll soon see. It works by checking the publisher of the executable (taken from its digital signature) and allowing it. If the publisher, file name, or version etc. changes, the executable will no longer be allowed to run.
  • Path: Executables can be whitelisted by providing a folder path. For example, we can say that anything within C:\tools is allowed to be run by a specific Active Directory user group.
  • File Hash: While this may be the most secure option, it is inconvenient to work with and manage. If a file changes at all, for instance when an executable is updated, it will not be allowed to run because the allowed hash will have changed too.


AppLocker Configuration:

  • Open Server Manager, select Tools, then Group Policy Management.
  • In the Group Policy Management window that opens, select the Group Policy Objects folder within the domain, right click and select New to create a new group policy object (GPO). In this case, we’ll create one called AppLocker Rules.
  • From within the Group Policy Management Editor (GPME), select Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker.
  • This opens the main AppLocker interface, where we can create executable, Windows Installer, script, and packaged app rules. We can get started with the default settings by clicking “Configure rule enforcement”. By default each of these four rule collections is unticked and not enabled; tick the box next to “Configured” to enable it and set the rules to be “Enforced”.
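The same whitelist built from PowerShell with the AppLocker module, as an added example (not from the original post or the exam study guide): it generates publisher rules for signed binaries and hash rules for the rest, switches the collection to audit mode, and dry-runs the policy against real files, which is the testing the note above asks for. C:\tools, C:\temp\AppLocker-tools.xml and DOMAIN\jdoe are assumed placeholders.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a machine that has the AppLocker module (Server / Enterprise).
Import-Module AppLocker

$ruleSource = 'C:\tools'                     # assumed: folder of approved tools
$policyXml  = 'C:\temp\AppLocker-tools.xml'  # assumed: where the policy is saved
$testUser   = 'DOMAIN\jdoe'                  # assumed: a user the rules apply to

# 1. Gather publisher / hash / path information for every .exe and .com file.
$fileInfo = Get-AppLockerFileInformation -Directory $ruleSource -Recurse -FileType Exe

# 2. Turn it into rules. Publisher is tried first (survives updates); files with
#    no signature fall back to a Hash rule. -Optimize merges rules per publisher.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Tools' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding unicode

# 3. Start in audit mode: would-be blocks are logged to the
#    "Microsoft-Windows-AppLocker/EXE and DLL" event log, nothing is denied yet.
[xml]$doc = Get-Content -Path $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($policyXml)

# 4. Dry-run: list every candidate binary the policy would NOT allow for $testUser.
#    Anything listed here is one of the "non-standard installs" the note warns about.
Get-ChildItem -Path $ruleSource, 'C:\Program Files' -Recurse -Include *.exe, *.com -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User $testUser -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. When the audit results look right, apply locally for a final check, or import
#    the XML into the GPO through the AppLocker node (right click > Import Policy...).
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

Only after the audit log stays quiet on the test machines should the collection be flipped from AuditOnly to Enforce in the GPO.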

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more info: https://www.microsoft.com/en-us/learning/exam-70-744.aspx

Phishing Attacks using Office 365 and SharePoint

The bad guys are at it once again and now have a new slick way of stealing your login credentials: sending you an email invite to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt.

This prompt will have an “Access Document” link in it – don’t click this link!

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked.

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you.

Remember, Think Before You Click.

Here’s how the Phish / Scam attack works

  • You, the friendly Office 365 user, receive the malicious email – often using URGENT or ACTION REQUIRED to instill a sense of immediacy. The email contains a link to a SharePoint Online-based document.
  • The link directs to SharePoint – Attackers are using true-to-form SharePoint Online-based URLs, which adds credibility and legitimacy to the email and link since the user is being directed to a known-good hosting site.
  • You are then shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that is actually a malicious URL, as shown below.
  • You are then presented with an Office 365 login screen – Here is where the scam takes place, using a very authentic-looking login page on which the cybercriminals harvest the user’s credentials.

Here is an example of a phishing email:

Just some advice – Jermal


How to search for Open Amazon S3 Buckets and their contents


GrayHatWarfare created https://buckets.grayhatwarfare.com/, a free tool that lists open S3 buckets and helps you search for interesting files.

For an intro on what Amazon open buckets are, please read the following: https://blog.rapid7.com/2013/03/27/open-s3-buckets/

In essence, many files are publicly accessible, some by design. These files sometimes include very sensitive data. https://github.com/nagwww/s3-leaks has a list of the biggest leaks recorded.

This is another reason why application owners who provide backup solutions and cloud storage should encrypt their data before placing it on S3. Anything less is negligence on their part.

Since these leaks were exposed, many projects have been created that can enumerate S3 buckets:

All these tools/projects have some common problems:

  • The real problem is where to find the list of names to try for buckets, not actually doing the brute force.
  • All tools/projects only scan the first page of results.
  • thebuckhacker.com includes uninteresting files, and useful results tend to be lost in the noise. Also, the first 1000 results of each bucket are fairly limited.
  • The process is slow and not productive. It’s not very useful for pen-testers to run a tool for days, save the exports somewhere and then grep them whenever they want to search for something. What is better is a useful tool in front of a large database.


Now there is http://buckets.grayhatwarfare.com/, which took the ideas of the many projects and tools mentioned above.

The project’s features are:

  • It is a searchable database of open buckets.
  • Includes millions of results within buckets (there may be more in the future).
  • Cleaned up and removed uninteresting files like images. Most image names are auto-generated.
  • Currently has ~180,000,000 files. If all images were included, that number would go up to a few billion, which would be a completely different system.
  • As of today, 70,000 buckets (and growing) are listed (not all of them have “interesting” files).
  • Full-text search with binary logic (can search for keywords and also stopwords).
  • List of the buckets.
  • The user can browse the contents of the bucket.
  • Excluded a lot of other things that are not interesting, like CloudWatch logs.
  • Found a solution to the problem of how to generate possible names for buckets. The process reveals some hundreds of new buckets per day.
  • Automated the process.

The project is currently free and running on servers paid for by me. There are some limitations in place to protect resources, but otherwise pentesters can use this in their daily tasks.

What’s to come in grayhatwarfare.com

Lots of cool things:

  • Subdomains pointing to expired buckets, which can lead to something like this: https://www.reddit.com/r/netsec/comments/8t0pb2/how_i_hacked_applecom/
  • Huge lists of exposed version control (.git) which can expose the website’s repository (source, password files, log files, etc.).
  • Exposed cameras/IoT devices.
  • Huge resources like extremely large (actual) cracked password lists.


Ref Source

Removing an Orphaned Virtual Machine from vRealize Automation

**** ATTENTION !!! ****
**** Please be sure to BACKUP any related databases


The following steps provide information on removing virtual machines from VMware vRealize Automation (vRA).

These steps are to be used when the following conditions exist:

  • A virtual machine that is being managed without being deleted from the endpoint.
  • You want to manually remove the machine from the endpoint.


vRA Application Steps:

Log into vRA – https://vcac.yourdomain.tld using your-domain\*your-user-id*

  1. Click the Infrastructure Tab
  2. Click Machines > Reserved Machines
  3. Search for Service Name (e.g. VRA-FAQ360)
  4. Delete the associated service

SQL Database Steps:

  1. Connect to the SQL Database Server: VRA-SQL
  2. In the “Object Explorer” window, locate the vCAC database
  3. Back up the vCAC database
  4. Expand the vCAC database
  5. Under Programmability > Stored Procedures, locate ‘dbo.usp_RemoveVMFromVCAC’
  6. Execute the procedure and supply the ID of the Multi-Machine Service (e.g. VRA-FAQ360)
  7. Repeat this step for each instance

Notes:

The stored procedure call may look like the following (the curly quotes have been replaced with plain single quotes so T-SQL parses it):

USE [vCAC]
GO

DECLARE @return_value int

-- Remove the orphaned machine by name; the procedure returns 0 on success
EXEC @return_value = [dbo].[usp_RemoveVMFromVCAC]
    @MachineName = N'VRA-FAQ360'

SELECT 'Return Value' = @return_value

GO

McGruff the Crime Dog Celebrates His 38th Birthday on July 1, 2018

The symbol of the National Crime Prevention Council celebrates another year of delivering crime prevention and safety information nationwide. So remember to “Take A Bite Out Of Crime.”


Celebrate McGruff’s and the National Crime Prevention Council’s efforts to “Take A Bite Out Of Crime” by joining us on your favorite social media site.

Back in 1980, a dog in a rumpled trench coat said, “You don’t know me yet. But you will.” Since then, McGruff the Crime Dog has taught millions of people that the police can’t fight crime alone – crime prevention is everybody’s business and everyone can help “Take A Bite Out Of Crime.”

Through television commercials, comic books, live appearances, and more, McGruff has encouraged Americans to take common-sense steps to reduce crime. Some of his favorite messages are:

  • Lock doors, leave the lights on when away from home, and let neighbors know when you go on vacation
  • Do things that build a sense of neighborhood and create communities that don’t produce crime, where people look out for each other and kids feel safe
  • Get involved, join Neighborhood Watch, and clean up streets and parks
  • Children and teens should protect themselves from substance abuse, bullies, and gang violence


In 1978, the Advertising Council, Inc., accepted the mission of helping the nation learn ways to prevent crime. The Ad Council gave the assignment to Dancer Fitzgerald Sample (now Saatchi & Saatchi), which volunteered its creative time and talent. That work was supported and informed by a group of 19 agencies, which formed the nucleus of the Crime Prevention Coalition of America. Today the National Crime Prevention Council manages the National Citizens’ Crime Prevention Campaign, featuring McGruff the Crime Dog and his slogan, “Take A Bite Out Of Crime.”

Over the years, McGruff has made thousands of appearances at community and school events and on radio and television. His messages have changed from urging personal, family, and home security to more broadly based crime prevention concerns. In 1984, the U.S. Postal Service released a first-class postage stamp bearing McGruff’s likeness. By the mid-1980s, McGruff was encouraging people to join Neighborhood Watch and clean up streets and parks so they’d be less inviting for criminals. During the mid-1990s, the Campaign addressed the effects of gun-related violence on children. Current issues include volunteering, bullying, cyberbullying, Internet safety, telemarketing crime against seniors, identity theft, intellectual property theft and safe firearm storage.

Some Facts About McGruff

  • There are 4,000 active McGruffs (number of costumes in use).
  • McGruff has a classy Corvette, a monster truck in Arizona, and a wiener wagon in Florida. But most of all, he likes to ride in patrol cars assisting law enforcement.
  • McGruff’s favorite crime-fighting techniques are to teach children specific tips to be safe at home and school and to help law enforcement officers do their jobs better.
  • McGruff is a “ham,” so he loves doing public service announcements for television and radio or posing for print or billboard advertising.
  • In 2010, McGruff turned 30 years young. He had birthday parties all around the country, making appearances at health and safety fairs and other media events and showing off his 32-foot-tall balloon at county and state fairs. He has blown out birthday candles on countless cakes. He has made the most of these opportunities to spread the word about preventing crime.

Source Info: https://www.ncpc.org/