Tenable Core Appliance and GDPR Data Deletion Concept – Datenschutz Löschkonzept

If you are living in the EU you might already have been confronted with the GDPR requirement to have a concept that guarantees all User Sensitive Information gets deleted from systems after a certain time.

Based on this requirement some customers require Tenable Core Appliances to forward all logs to a central Syslog server and make sure local logs get deleted after a specified timeframe.

Starting Point References:

• https://gdpr-info.eu/art-17-gdpr/
• https://community.tenable.com/s/article/How-to-send-Tenable-sc-logs-to-a-syslog-server
• https://community.tenable.com/s/article/An-overview-of-Tenable-sc-application-logs
• https://www.casesup.com/category/knowledgebase/howtos/how-to-forward-specific-log-file-to-a-remote-syslog-server

Update June 22nd 2021: I verified that rsyslog needs to be run initially once time with SELinux set to Persmissive, after this initial start it will function with SELinux enabled.

Todo – Missing: SC Application Logs

This post is currently missing a solution for automatic deletion of the main SC Application Log (e.g. /opt/sc/admin/logs/202105.log) as they get rotated by the application itself on a monthly basis and thus not rotated by logrotate and is not truncated/deleted/cut by logrotate!

A simple solution might be bash script deleting these logs based on mtime run by a cronjob regularly. If i need to write a simple script for a customer i will post this here as well in the future.

Log forwarding of this main SC Application log however is working by default as described further down.

Making sure local logs get rotated and deleted

This can be done using logrotate which is included in the tenable core Appliance by default and comes with a predefined config file in:

/etc/logrotate.d/SecurityCenter

You might want create a backup of this logrotate config file and change a couple of things

• By default this config file lets logrotate only /opt/sc/admin/logs/sc-error.log – you can change this to /opt/sc/admin/logs/* to catch all logfiles in the directory (except the Main SC Application Log which gets rotated by the application itself and thus never grows longer than a month)
• You might want to look at the list of all SC Logs described in the Starting References links to see if you are missing any logfiles in the logrotate config that require rotating and deletion after a certain amount of time

Look at the defined sections in the config file, eg:

/opt/sc/admin/logs/sc-error.log {
monthly
notifempty
missingok
dateext
rotate 5
compress
}

This will rotate the log monthly and keep 5 rotations – thus deleting old logs after 6 months. If your concept requires you to delete in different intervals edit the sections accordingly.

If you need to test and troubleshoot this you can exchange monthly with daily to see it rotating during a week and testing it until you set it back to monthly again – or keep it at daily and rotate 14 for example to keep 14 days of logs.

Forwarding SC Main Application log to a central syslog server using rsyslog

The tenable core appliance comes with rsyslog preinstalled and tenable has a good starting reference for syslog forwarding linked in the beginning of this post.

If you implement this you will see some error messages in the rsyslog logfile but it will still work and forward the main SC Application log via the LOG_USER facility.

Attention: Don’t forget to activate SC Application logging in SC Admin Panel – Misc:

tenable.sc Admin Settings -> Misc -> Syslog

To troubleshoot this just run a local ncat / nc tcp or udp port listener and point rsyslog to your machine (if accessible) and read the forwarded logs in cleartext:

UDP Listener:
ncat -lup 514 
nc -nlvpu 514

TCP Listener:
ncat -ltp 514
nc -nlvp 514

These ncat or nc commands will open a UDP (or TCP) listener on Port 514 where UDP matches the tenable Community KB article forwarding line (one @ meaning UDP):

*.* @IPaddress:514

If you see Permission Error Logs in the rsyslog logfile – these can be traced to SELinux. I have found that forwarding of the LOG_USER syslog facility (the main SC Application Logs) still work though.

Encryption of logs via syslog is not part of this post but can be looked up by searching for rsyslog encryption in the search engine of your choice.

Forwarding other logfiles on the core appliance to a central syslog server using rsyslog

If you want or need to go all in you can tell rsyslog to read local logfiles and send their content to the syslog server.

In the beginning references of this blogposts I linked to an article that I used to test this.

Basically you have to create a new config file for rsyslog under /etc/rsyslog.d/ by an arbitrary name (accesslog.conf in this example) and give it the details which log to parse and to which Syslog Facility it should be forwarded to:

[root@tenable rsyslog.d]# cat /etc/rsyslog.d/accesslog.conf
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$InputFileName /opt/sc/support/logs/access_log
$InputFileTag APP
$InputFileStateFile Stat-APP
$InputFileSeverity app
$InputFileFacility LOG_USER
$InputRunFileMonitor
$InputFilePersistStateInterval 1000

You can give it any Tag you like – You maybe want to consult your SIEM Admin regarding specifics for Tagging.

If you see Permission Error Logs in the rsyslog logfile – these can be traced to SELinux. I have found that forwarding of the access_log logfile still works in my lab setup though. SELinux troubleshooting is not part of this blogpost but can be started with:

getenforce
setenforce

Attention: do not permanently disable SELinux on a hardened Appliance if you are not certain what you are doing.

Update June 22nd 2021: I verified that rsyslog needs to be run initially once time with SELinux set to Persmissive, after this initial start it will function with SELinux enabled.

EOL

This might help you getting started with Log management of the tenable core appliance! I may update this post down the line when i have implemented this with a customer and learned additional information about this topic.

BR
Sebastian

The Road to Hell is paved with EICAR

Or how to fuck with Windows Admins
(Last Update May 18th 2021)

The obvious ones – EICAR as:

User-Agent	See what Webserver is running Windows and AV
Password	See what crappy application is hosted on Windows and Stores Passwords in Cleartext
Eicar in Cookies	See some cookie monsters?
OS Username	If you are not on Windows obviously! Clusterbomb, see where your username gets stored as Metadata – like every Office Document – kind of a DLP :)
As Crypto transaction comment	In the blockchain forever! Ruin Coins for Windows Users!

Obvious Admin approved EICAR Usecases

Maybe less successful ones – EICAR as:

Spray EICAR against any Login Prompt as Username	See what Logfiles are stored and processed on Windows machines with AV
EICAR as TLS Certificate Alternate Name or Comment	See who processes TLS Certificates on Windows machines
EICAR as DNS Reverse Lookups	Anyone hosting SIEM on Windows?
EICAR as TXT/MX DNS Lookups	Mailsecurity on Windows? Logging of Mailsecurity on Windows?
Post EICAR in MS Teams Chats, Calls	Maybe they get delivered as mails or stored as chatlogs?
Inside Website Icon	Eicar as Icon – see recent vulnerabilities in Browser Icon Storage – Some browsers never clear Icon Cache?!
In as many social media Information Fields as possible	See who mines social media and works with the results in excel? Shoot me!
In as many Azure as a Service thingies you can find?	Lets test how much cloud backend Microsoft still runs on Windows with AV?
HTML Comments – especially in every automatically generated CMS Page	Just for the kicks?
In Webpage Forms?	Any food delivery Comments? WARNING: DO NOT DO THIS IF YOU ARE ACTUALLY HUNGRY!
Webshops	Like in every single input field if the Webserver is running on IIS?
OTP Token Entry field	Microsoft Azure Authenticator and Microsoft LDAP MFA Whatever Proxy?
WiFi SSID	SupplicAVnt?

EICAR as a Challenge

Stupid Stuff – Eicar as:

Inside Games, Chats, Items, Character Names	Gameserver Backend on Windows?
Bumper Sticker	OCR on the Road – or what crazy person is storing car camera Images/OCR on Windows?
As a banking transaction comment	HELL NO! DONT DO THIS!

YOLO

Disclaimer

Do not do this at work, or anywhere without permission!
If you have to do this do it in VMs and Safe Environments for testing!
It may not be illegal to use EICAR as a string but it sure will be illegal to willingly and knowingly use EICAR to cause harm.

Regards
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Tenable LCE Specs verify EPS for Productive LCE Setup

Hey,

If you think about setting up a Tenable LCE you have to decide on the underlying HW specs at some point. For up-front planning there is a nice calculator right on the Specs/HW Requirements page:

https://docs.tenable.com/generalrequirements/Content/LCEHardwareRequirements.htm

But if your want to verify the HW Specs of an already running Tenable LCE you might ask yourself where you can see the EPS of your running Setup. One good answer is that Tenable LCEs self-logs this continuously and you can get a nice Overview over time in Tenable.sc. Just look for the Normalized Events LCE-Server_Statistics*:

So in this example the LCE is mostly within 1-2k EPS sometimes peaking around 2-3k EPS but not hitting the next EPS tier – so its safe to HW Spec it around 3-4k EPS to have some reserves for peaks.

Hope this helps someone out there!

BR
Sebastian

Tenable ContainerSecurity simple pyTenable examplescript to list vulns associated with scanned containers

If you want or need to pull data of Tenables ContainerSecurity Solution which is part of the Tenable.io offering and aim to use the pyTenalbe API Wrapper then you might have stumbled over the fact that the associated documentation for the pyTenable Wrapper is not aimed at beginners and is not providing any complete example Scripts at all.

Search no more! Here is an example-script how to import the ContainerSecurity Wrapper, authenticate to Tenable.io/ContainerSecurity and pull all reports / vulns for all scanned containers:

#!/usr/bin/env python3

from tenable.cs import ContainerSecurity 

yourAccessKey = "xxx"
yourSecretKey = "xxx"

cs = ContainerSecurity(access_key=yourAccessKey, secret_key=yourSecretKey)

image = cs.images
for image in cs.images.list():
    report = cs.reports.report(image['digest'])
    print(image)
    print(report)

Hope this helps anybode out there starting to automate their vulnerability management process!

Props to Josh!

Tenable.sc automated Plugin Updates in Airgapped or otherwise Offline Environments

If you ever need to deploy a Tenable.sc in an Airgapped or otherwise online environment and need guidance on how to implement automated Pluginupdates this is the righ blogpost for you!

Prerequisite

Note that you will require a valid Tenable.sc subscription and with that comes:

• A license file matching the hostname of your Tenable.sc host – which can be applied via the normal admin webinterface or during the setup wizard without any internet connectivity
• A plugin activation code which you do not apply in the Tenable.sc admin interface in an offline setup. Make sure to not activate the key (for example by temporarily connecting the sc to the internet) as a already activated key will not let you download the plugins via the Offline Download Website!

Plugin Download

The Download of the Plugins is rather straight forward. On the internet facing side of your airgap you can automated the download of the Plugins quite easily using curl or wget following the following documentation provided by Tenable:

https://docs.tenable.com/tenablesc/Content/OfflineNessusPluginUpdate.htm

And make sure to use the correct download URLs also documented here:

https://community.tenable.com/s/article/How-to-Download-md5-Checksums-for-Offline-Plugin-Update-Files

If you are using the Tenable Core appliance do not be discouraged by the following paragraph in the documentation:

https://docs.tenable.com/tenablesc/Content/OfflineNessusPluginUpdate.htm

You can just scp the most recent CentOS 7 Nessus Installer to the core appliance and follow the steps provided in the documentation if you are on the Tenable Core appliance as well.

This procedure is only to generate a challenge code which is probably used to sign the Plugin Package so it will only work on the intended system – probably to prevent License violations.

Data Transfer over Airgap

The mechanism to transfer the Plugin and SC Feed tar.gz files is not part of this article. Use whatever Data Transfer you have in place to either:

• Place the plugin Update files on the Tenable.sc underlying System itself – or
• Place the plugin Update files on any System that can reach the API of Tenable.sc

Applying the Plugin Updates to SC

There are multiple ways how you can script to upload and process the Plugins in Tenable.sc:

1. Update the Plugins via CLI / PHP

Probably the easiest way is to just apply the Updates on a scheduled / cronjob via simple php executions in a shell script:

#!/bin/bash
su - tns
/opt/sc/support/bin/php /opt/sc/src/tools/pluginUpdate.php /tmp/sc-plugins-diff.tar.gz
/opt/sc/support/bin/php /opt/sc/src/tools/feedUpdate.php /tmp/SecurityCenterFeed48.tar.gz

For this the Plugin files obviously have to reside on the System that Tenable.sc is installed on or otherwise accessible from that system in a mounted share or similar! The Same of course applies for Passive and LCE / Event Update files if you are on SCCV!

A successful plugin update will look like this in the Tenable.sc log:

Note that you will not got an auth / login event as no user login is performed this way!

2. Update the Plugins via API using the pyTenable API wrapper script

If you want to use the API to upload the Plugins I recommend you use the pyTenable API Wrapper which will allow you to use a fairly simple python script:

#!/usr/bin/env python
from tenable.sc import TenableSC

import logging
logging.basicConfig(level=logging.DEBUG)

sc = TenableSC('172.16.121.133')
sc.login('admin', 'password')

with open('sc-plugins-diff.tar.gz', 'rb') as plugfile:
	sc.feeds.process('active', plugfile)

with open('SecurityCenterFeed48.tar.gz', 'rb') as plugfile:
	sc.feeds.process('active', plugfile)

No this are not the IP, Username, and Password of a productive Tenable.sc System! :) Also rather use API Keys now that they are available in Tenable.sc as well:

https://pytenable.readthedocs.io/en/stable/sc.html

https://docs.tenable.com/tenablesc/Content/EnableAPIKeys.htm

A successfull active plugin update with the above debug logging activated will look like this:

and it will look like this in the Tenable.sc log:

Note that the API Script will perform a login and thus be log an auth event!

Using the API you can chose to call the API either from the Tenable.sc machine itself (including the Tenable Core Appliance which comes with python preinstalled) or perform the API call from a different system – for example a central update system in your airgapped environemt.

Getting pyTenable and dependencies on the Airgapped Tenable.sc System

Next Step – how to get pyTenable and its dependencies onto the airgapped Tenable.sc host?

Luckily the Tenable Core Appliance comes with pip3 and python3 preinstalled so its rather simple:

First we use any internet connected Linux or macOS System with python3 and pip3 installed to download pyTenable and all of its dependencies and package it into a tar.gz file:

mkdir wheelhouse && pip3 download pytenable -d wheelhouse
tar -zcf wheelhouse.tar.gz wheelhouse

Which should look like this:

Now transfer the wheelhouse.tar.gz file to the Tenable Core Appliance (or any other Tenable.sc CentOS installation with pip3) and install the pip3 packages offline with:

tar xzf wheelhouse.tar.gz
pip3 install wheelhouse/*

Which in turn should look like this:

et vóila – now you can use pyTenable on the Core Appliance:

There is probably no point in doing all of this for only a simple plugin update as the php cli way explained above will only take one line and everything is already there on the Core appliance.

However if you want to do more complex automation on the Airgapped Tenable.sc Host like automatically import .nessus scan result files from not directly connected nessus scanners than a python script can make sense at some point.

Conclusion

With these simple steps you can ensure that an offline Tenable.sc system is receiving scheduled Plugin Updates automagically!

I hope this helped at least one person out there! Have fun!

Tenable LCE 5.x / 5.1.x free Up disk-space manually

Hey there,

related to my prior post:

https://itunsecurity.wordpress.com/2020/04/03/tenable-lce-5-x-5-1-x-archive-repo-missing/

I want to make sure you can also find out about the script:

/opt/lce/tools/es-helper-script/rectify-disk-utilization

Which will stop the LCE, delete unnecessary files and then ask you silo by silo the delete the oldest silos until the disk usage goes under 90% again.

In conjunction with the archive repo script this should help “recitfy” all disk space issues in the Elastic based LCE 5.x Versions!

Pay especially good attention if your Archive repo is on the same partition als the active database (which makes no sense but is the default if you have not designed a special archive partition/dont need archiving):

In my case in this constellation the LCE is doomed to fill up diskspace when the HDD goes over 90% usage, das this will prevent archiving which will in turn prevent disk automated disk trimming.

So ideally make sure you have a dedicated Archive Partition and if not set the limits so that the active database does not fill the HDD > 90%

If you run into a LCE 5.x with a filled up disk use the script above and if broken, the Archive Repo and get it under 90% again so it keeps selftrimming!

If i missed something or you have problems feel free to use the comments below!

BR
Sebastian

Tenable LCE 5.x / 5.1.x – Archive Repo Missing

Hey,

for some reason Tenable as no Community/KB Articles about the Troubleshooting of the Elastic Stack used in the 5.x branch of LCE so I want to share what i learned today and make it google serachable as a solution:

Due to a disk fillup i was presented with a LCE in version 5.1.1 that was logging:

Apr 03, 20 07:19 (siloMinder) WARN (trim-activeDb.cpp:285,archiveSilo) - Received an error (code 404) response: {
    "status": 404,
    "error": {
        "reason": "[archive_repo] missing",
        "type": "repository_missing_exception",
        "root_cause": [
            {
                "reason": "[archive_repo] missing",
                "type": "repository_missing_exception"
            }
        ]
    }
}

Basically the archive Repository structure of elastic was broken and thus the cleanup/disk trimming was not working anymore potentially leading to a predetermined diskfillup (again).

After the helpfull tip of a fellow guardian I found all the Elastic Troubleshooting scripts under /opt/lce/tools/es-helper-scripts

Including the script register-archiveDb:

# ./register-archiveDb

USAGE: ./register-archiveDb <absolute path of archiveDir> | --deregister

A simple new registration of the archive path solved the issue and a new Archiving structure was created.

So I hope this post will help at least one other fellow person in need to rescue their LCE! :)

Stay sane during these Corona Days guys!

BR
Sebastian

Good IT Security related Books to read during the Holidays

Looking for something to recharge your passion for IT Security during the holidays? Maybe one of these books will inspire you!

I do not get any affiliation / referral for the following Links – I am just sharing my recommendations for IT Security related books that I myself really enjoyed!

Of course they are all available on Audible as well – I myself listend to all of them!
Support the Authors and think about buying the books at full price even if you listen to them on Audible Credits!

My absolute Favorites:

Sandworm – Any Greenberg

Link to Publisher: https://www.penguinrandomhouse.com/books/597684/sandworm-by-andy-greenberg/

What its about:
The Group Sandworm from the Russian GRU that is behind Attacks on the Ukrain Energy Grid, NotPetya and countless other Internet menace in the last years.

What stood out for me:
I follow Andy Greenberg since his longform article The Untold Story of NotPetya on wired and really enjoyed every Chapter of this very thoroughly investigated Story!

Permanent Record – Edward Snowden

Link to Publisher: https://us.macmillan.com/books/9781250237231

What its about:
The Life of Edward Snowden of course focusing mainly on his leaking of NSA and other States ecrets.

What stood out for me:
You may think about Edward Snowden what you want but I found his Story very interesting including the part before he became infamous. Also you get a narrated version of many of the leaked secrets and thus learn some aspects that you might missed in the news reports about his revelations.
Furthermore the part about NSA Analysts beeing able to see people typing search queries into Google letter by letter and spying on their (ex)partners.

American Kingpin – Nick Bilton

Link to Publisher:
http://www.americankingpin.com

What its about:
Ross Ulbricht singlehandedly created the Silkroad and managed to evade Lawenforcement for years! The book describes how he got to this point and how it got to his arrest.

What stood out for me:
Many details like how Ross Ulbricht wasn’t really a hardcore techie, how he grew magic mushrooms to list the first drugs on the Silkroad and of course my favorite part of the book was his arrest – which im not going to spoil here!

Countdown to Zero Day – Kim Zetter

Link to Publisher:
https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/

What its about:
The Story about Stuxnet and one of the first publicly known military Cyber Attack instigated by the USA and Isreal against Irans Nuclear program.

What stood out for me:
The wholistic description of every aspect of the story starting with satelite photos of the building site of the Natanz uranium enrichment facility.
Also the part about the centrifuges that get ripped apart under their own movement and how Iran tried to cover this up from the IAEA by encasing broken down centrifuges.

Ten Arguments for Deleting Your Social Media Accounts Right Now – Jaron Lanier

Link to Publisher:
https://www.penguin.co.uk/books/1116104/ten-arguments-for-deleting-your-social-media-accounts-right-now/9781847925398/

What its about:
The Infosec link is not that strong for this book however it is still refers to the Cambridge Analytica scandal and shines a light on how careless Social Media companies manipulate us.

What stood out for me:
The in depth description of how exactly social media companies manipulate us and how they have no qualm to destroy society to earn a quick buck! And yes I really deleted my facebook account after finishing this one!

Spam Nation – Brian Krebs

Link to Publisher:
https://krebsonsecurity.com/tag/spam-nation/

What its about:
The world wide spam industry and why it is even feasible to earn money with fake pharmaceuticals. If you know Brian Krebs you know how detailed he gets when someone gets “Krebsed”!

What stood out for me:
The guts it takes to travel to Russia to meet some Spam/Drug Kingpin on their turf. Also the explanation why someone would by drugs from links in Spam mails.

Other Worthy Reads:

Ghost in the Wires – Kevin Mitnick
Hacker, Hoaxer, Whistleblower, Spy – Gabriella Coleman
Cult of the Dead Cow – Joseph Menn

Tenable NNM: Old Chrome User-Agent Beaconing out of my Network – was I Hacked? (a Threat-Hunting Story)

Intro

So as a Tenable Partner we have a Lab-License for the Tenable Product Suites which we often use to test new Products, Features, Updates and recreate issues in the Lab for further analysis. For this reason I was again setting up a Nessus Network Monitor in my Home Network with Mirrored Traffic from a Switch Uplink.

If you want to perform cheap and rasy Port-Mirroring at home you don’t have to rob a Cisco Dealer! Netgear offers cheap and functional switches that worked pretty good in my HomeNetwork so far.

With the Netgear GS108E you can grab a 40€ 8-Port Gigabit switch – which is Manageable and lets you just specify the port mirror in a Webinterface – on Amazon.

And with the Netgear GS110EMX you even get 2x 10G-Ports for 217€ – again with a Simple Webinterface for Portmirror Setup – on Amazon.

Please Note that I don’t want/get any incentives if you go to those Amazon links! They are just for your reference and you can buy elsewhere and chose other manageable Switches as well!

Also of course those are consumer Grade switches not intended for Enterprise Usage! I however find the value exceptional for Home Lab Port-Mirror Setups!

Just for reference – I set up the Mirror for the Switches Uplink Port which goes to another story of my house where the Internet Router is located. As there is other Stuff Connected on that level as well the Port-Mirror was not perfect, but I was not looking for a perfect setup, just some traffic to test on and play arround with.

The Perfect placement for a Nessus Network Monitor would be directly on the Internet Breakout (internal Side of the Router or Firewall to reduce Noise) and additional Sensors/Nessus Network Monitors in front of Sensitive Systems or VLAN choke Points – for example Production VLAN Uplinks.

The Evil Outdated Chrome User-Agent

When I got the Nessus Network Monitor set up and traffic mirrored I was greeted with a couple of interesting Vulnerabilities:

Vulnerability Overview for a Specific Host in NNM

I know the System! Its my *cough* Windows HomeServer 2011 installed on a neat HP MicroServer N36L (wildly outdated, but new versions are available). As Windows HomeServer 2011 is long out of support this is a horrible system to have running! And I thought I probably now have the kick in the ass to do it quickly!

But let me back up – at first glance I was recognizing outdated Browser and Chrome Vulnerabilities captured by Nessus Network Monitor. A couple of years ago I had an old Android tablet in my gym for playing music. All separated away in an IoT WiFi Network that is limited by ACL’s to only access the Internet.

This tablet was running old vulnerable Versions of Chrome as well, but as I only used it for Spotify and not browsing the web at all I let it slide…

The thing is: I replace that Android tablet with an (old and yet again vulnerable) iPad i had left over. So I looked into it and as you can see above identified the Chrome coming from my Windows Home Server 2011 *cough-again*

Before hunting for the old Chrome Installation (and btw – what is it doing accessing the Internet without me using it?!?!) I took a Peak at a specific Plugin Output to identify the exact Chrome Version:

The Plugin Output of the Plugin 4645 – Google Chrome Version Detection

A specific Chrome Version Number in the User-Agent is pretty good indicator its Chrome. But Version 47 is really old…

One of the Chrome Vulnerability Plugins (9083) that you can see on the Right was reporting CVE IDs from 2016 so it was probably even Older!

Googling it you will find references pointing to a release in Dec 2015.

This got me a bit worried: I dont run old Browser Versions on Computers that are quite capeable to Updateing and Running the newest Browser Versions.

Also I have all Browsers on Auto-Update – but then Again, a forgotten Browser that was never Used could lurk in an old Version on my Homeserver….

The Part where I got worried

Mhhh… Never beeing used equals old version.
User-Agent beaconing out to the Internet equals usage…

I got really worried when I connected to the system and:

THERE WAS NO CHROME! 🙀 :shockedcatfaceemoji:

I need to replace this system….

This got me thinking that when I would let Malware beacon out I would use a commonly used User-Agent to mask my C&C traffic to the Internet! Overdoing this by choosing far to old or non-existing User-Agents is stuff that happens! Also as this system has been running for years this could be an indicator of a really old compromise.

Now I was at a loss! I feared Malware compromise but I did not know what process called out to the Internet…

Ofcourse there is plenty of options with windows to investigate this but out of the box if you have not set up anything prior I found out it is pretty hard to investigate this!

This is when I hat to learn again that Incident Response works far better if you plan ahead and deploy tools and logging prior to an incident!

Let the Hunt begin

But as I had a Nessus Network Monitor deployed I had at least some logging capabilities now!

Sadly out of the Box you only get the vulnerability Plugins that triggered in the GUI but it is possible to Log a detailed Realtime feed of all Plugins Triggering with some more Information than beeing displayed in the Webinterface.

You can set up this realtime-logs.txt file in the Webinterface Settings:

Logging Realtime Events with NNM to Disk

This will create a plain Logfile on the Disk of the NNM system.
Please note that I created a lot of the screenshots while writing this Blogpost so Timestamps will not be in Sync with the “Incident Timeline” but show the points they are created for.

realtime-logs.txt

I grepped this file for “Chrome/47” to get an Idea how, when and where the Strange old Chrome User-Agent was beeing used:

Timestamps and Realtime Events with IPs and Ports

This was weird – Internal and External Traffic!

Also you can see specific beaconing patterns – short requests with hours of delay in between.

I was again freaked out by Google Hits to the external IP Adress and the Random GET URI Parameter!

Oh Noes – IP on Abuse Lists ?!

If you google for the HTTP GET URI you will also find some Inconclusive Malware Analysis matching at least parts of the string….

Needing a Break to think

This is when I against all Forensic Best-Practices took offline the Server and Checked it offline with an Anti Virus scanner via c’t desinfect 2019.

I am in no way saying that AV is the solution for this nor did I have any hope that AV would give me a positive signal that the system was not compromised. However as I needed a break I decided that AV could at least give me a signal if the system got compromised 3 ways sideways and filled with bad stuff.

So AV will not give me piece of mind, but if it finds stuff i know I have a problem.

And I did not necessarily needed the break because I was exhausted but because I had registered for a Blackhills Infosec Webcast about Sysmon and Applocker that was beginning to start and could be watched by an Hour of Crosstrainer in my Gym!

You know there is even a name for the phenomena when you see stuff exactly in the right moment. Like when you buy a new car and start seeing them on the road everywhere all of a sudden.

Its called: the Baader-Meinhof phenomenon

I am telling you this because Sysmon probably is the answer to finding out which process is beaconing out at the timestamp when it is beeing logged by Nessus Network Monitor!

Check out the Blackhills Infosec Webcasts:
https://www.blackhillsinfosec.com/blog/webcasts/

The AV came back clean and more Logging was required – as well as a good nights sleep!

The Webcast about Sysmon and Applocker was very informative and Syslog was exactly the answer I needed! I was thinking about another Tool from the Sysinternals Suite – tcpview – however I know how big these logs become and Syslog seems pretty awesome and something I have to deploy on all my Windows Machines anyhow soon!

As stated in the Blackhills Infosec webcast you can directly start with a proper XML from @SwiftOnSecurity which you can get in his Github.

So I set my trap – if I was compromised for years I could probably sleep another night over it – and Installed Sysmon and tailed my NNM realtime log.

Not everything goes according to plan!

This morning (August 16th) I woke up and ofcourse again there was an Old Chrome beaconing out (which was already shown above):

A fresh beacon in the morning vertreibt Kummer und Sorgen

So I checked the Sysmon log and was greeted with no matching log:

No matching logevent

Little sidestory: When I set up Sysmon I verified that date/time stamps where close enough to each other on the NNM host and the Windows Server to be able to correlate Events properly based on Time.

Ofcourse I found out that the ESXi in my Lab was not able to ntp out and time was off for 15 Minutes…

Let that be a lesson to never skip on proper basic Setup in productive environments – it will always bite you in the ass in case of an incident!

Luckily this was only my lab which I don’t even run continuously so I have somewhat of a lame excuse and I promise that I always check the basics in productive Setups that I perform!

All of this however doesn’t change the fact that I don’t have a matching event in Sysmon… I also searched for the destination IP but got nothing….

Finally the Conclusion

What got me to the conclusion was that the beacon was internal and the destination IP of the becaon (and a couple of inbetween) was my LG Smart TV which is ofcourse joined to my Network to Stream Netflix!

Thats when i remembered that Windows Home Server does have some UPNP Streaming stuff going on and also that I have Plex Server running on the Windows System and a Plex App on the TV.

After getting no Google Results to Windows HomeServer 2011 and the User-Agent in question I stumbled over Plex in some Google results.

Low and behold – The Villain:

The Villain was caught red handed!

Not Everything is resolved but I dont think I got hacked anymore….

So I should still get to the bottom of why the fuck Plex is beaconing to the Internet and my Smart TV with 4 year old Chrome User-Agent strings – probably because they are embedding horrible old code for some reason – but I am now certain that I was not hacked….

At least …. 99% …. somewhat…. lets not talk about paranoia….

Kthxbye! :-)

WordPress.com forces you to use SMS-2FA

So im using wordpress.com as I definetly dont want the burden of running one of the most hacked CMS myself!

Now that I finally found out that you can securely configure your PayPal with TOTP 2FA I revisited all my other Accounts with SMS-2FA activated.

I still stand behind using SMS-2FA is better than no 2FA at all but if proper OTP-2FA or U2F is available then SMS-2FA really becomes a Security-Downgrade…

So I contacted @wordpressdotcom and fot the following responses:

So I guess it boils down to saving money/earning more money is more important for them than security which might bite them in the ass at some point…

BR

Sebastian