Sysinternals New Tool Sysmon (System Monitor)

The new tool in the Sysinternals Suite, released recently by Mark Russinovich, is called Sysmon (System Monitor) http://technet.microsoft.com/en-us/sysinternals/dn798348 . The tool installs a service and a driver that log system activity into the Windows event log. The activity it monitors is:

  • Process creation, with the full command line for both the current and the parent process. It also records the hash of the process image using MD5, SHA1 or SHA256, and the process GUID assigned at creation, which gives better correlation since Windows may reuse a process PID.
  • Network connections from the host to another host. It records the source process, IP addresses, port numbers, hostnames and port names for TCP/UDP connections.
  • Changes to a file's creation time.
  • Events generated from early in the boot process, to capture activity by even sophisticated kernel-mode malware.

PowerShell Tip: Validating IP Address as a Parameter

I find myself many times writing an Advanced Function that takes only IP addresses as its parameters. A quick way I found to validate that an IP address was passed is to combine the [IPAddress] type accelerator with the [ValidateScript()] parameter attribute. If we look at the type accelerator itself, passing a valid IPv4 or IPv6 address gives us an IPAddress object:

PS C:\Windows\system32> [ipaddress]"192.168.1.1"


Address            : 16885952
AddressFamily      : InterNetwork
ScopeId            : 
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 192.168.1.1

Let's try passing an invalid IPv4 address:

PS C:\Windows\system32> [ipaddress]"260.0.0.1"
Cannot convert value "260.0.0.1" to type "System.Net.IPAddress". Error: "An invalid IP address was specified."
At line:1 char:1
+ [ipaddress]"260.0.0.1"
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvalidCastParseTargetInvocation

As we can see, it generated an error saying that the value provided is an invalid IP address.

Here is an example function where we can see how we would set the parameter:

function Test-IPaddress
{
    [CmdletBinding()]
    Param
    (
        # The cast to [IPAddress] throws on an invalid address, which makes
        # validation fail; -match then confirms the string agrees with the
        # parsed value.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateScript({$_ -match [IPAddress]$_ })]
        [string]
        $IPAddress
    )

    Begin
    {
    }
    Process
    {
        # Return the parsed System.Net.IPAddress object.
        [ipaddress]$IPAddress
    }
    End
    {
    }
}

And this is how it would look when used:

PS C:\Windows\system32> Test-IPaddress -IPAddress "192.168.1.1"


Address            : 16885952
AddressFamily      : InterNetwork
ScopeId            : 
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 192.168.1.1

PS C:\Windows\system32> Test-IPaddress -IPAddress "260.0.0.1"
Test-IPaddress : Cannot validate argument on parameter 'IPAddress'. Cannot convert value "260.0.0.1" to type "System.Net.IPAddress". Error: "An 
invalid IP address was specified."
At line:1 char:27
+ Test-IPaddress -IPAddress "260.0.0.1"
+                           ~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Test-IPaddress], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Test-IPaddress
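Added here as an example that is not part of the original post: a stricter version of the same [ValidateScript()] idea. It uses [IPAddress]::TryParse() so the validator never throws a conversion exception itself, and it adds a canonical-form check so IPv4 shorthand that a plain cast would silently rewrite is rejected. The function name Test-StrictIPAddress and the AddressFamily parameter are my own.

```powershell
# Added example, not from the original post. TryParse() replaces the cast,
# and the round-trip check rejects IPv4 shorthand such as "192.168.1",
# which .NET would otherwise accept and quietly turn into 192.168.0.1.
function Test-StrictIPAddress
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [ValidateScript({
            $parsed = $null
            if (-not [System.Net.IPAddress]::TryParse($_, [ref]$parsed)) {
                throw "'$_' is not a valid IP address."
            }
            # Round-trip check for IPv4: the text must already be the
            # canonical dotted-quad form that .NET prints back.
            if ($parsed.AddressFamily -eq 'InterNetwork' -and
                $parsed.IPAddressToString -ne $_) {
                throw "'$_' is not dotted-quad (parsed as $($parsed.IPAddressToString))."
            }
            $true
        })]
        [string]
        $IPAddress,

        # Optional: accept only one address family ('InterNetwork' = IPv4).
        [ValidateSet('InterNetwork','InterNetworkV6')]
        [string]
        $AddressFamily
    )

    Process
    {
        $ip = [System.Net.IPAddress]::Parse($IPAddress)
        if ($AddressFamily -and $ip.AddressFamily -ne $AddressFamily) {
            throw "'$IPAddress' is $($ip.AddressFamily), expected $AddressFamily."
        }
        $ip
    }
}

# Constructed inputs: the first two pass, the last two are rejected.
foreach ($candidate in '192.168.1.1', '::1', '192.168.1', '260.0.0.1') {
    try   { (Test-StrictIPAddress -IPAddress $candidate).IPAddressToString }
    catch { Write-Warning $_.Exception.Message }
}
```

The round-trip check is limited to IPv4 on purpose: IPv6 text has several legitimate spellings ("::0001" and "::1" are the same address), so comparing it against the normalized form would reject valid input.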


PowerShell Tip: Working with System.Enum

Many times I find myself working with .NET enumerations like System.Diagnostics.EventLogEntryType http://msdn.microsoft.com/en-us/library/vstudio/system.diagnostics.eventlogentrytype . To get the names of its members, one would simply use System.Enum's GetValues() method, like so:

PS C:\Windows\system32> [System.Enum]::GetValues([System.Diagnostics.EventLogEntryType])
Error
Warning
Information
SuccessAudit
FailureAudit

We can even use the GetValues() method on the enumeration type itself:

PS C:\Windows\system32> [System.Diagnostics.EventLogEntryType]::GetValues([System.Diagnostics.EventLogEntryType])
Error
Warning
Information
SuccessAudit
FailureAudit

Review of Rogue Code by Mark Russinovich

This is the third book in what is now called the Jeff Aiken Series that Mark has written; the previous ones were Zero Day and Trojan Horse. Mark works for Microsoft as a Technical Fellow in the Cloud and Enterprise Division. In the technical and security world he is known to most as the author of the Sysinternals tools that many sysadmins and security professionals use daily in their work. He is also known for his Windows Internals series of books from Microsoft Press.