Aurora Archives - Nextron Systems

Extended ProxyNotShell Detection Covering OWASSRF

Florian Roth — Fri, 23 Dec 2022 11:42:10 +0000

In a report published on the 20th of December CrowdStrike published a report of a new technique exploiting the Microsoft Exchange vulnerability called ProxyNotShell. The called the new technique OWASSRF as it uses Outlook Web Access, CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE).
PaolAlto Networks’ Unit42 released their report one day later.

Dray Agha's Tweet

The security researcher Dray Agha noticed the proof-of-concept (POC) in an unprotected open directory used by an unknown threat actor

CrowdStrike's Report on OWASSRF

The report contains information on the exploitation, log patterns and a script to detects possible exploitation attempts

Unit42's report on OWASSRF

PaloAlto Networks Unit42 also published a report that also contains information on observed TTPs and information on a PowerShell backdoor called SilverArrow

Signatures That Detect This Attack

Exploitation

YARA (public)

EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1

EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_2

EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_3

EXPL_LOG_ProxyNotShell_PowerShell_Proxy_Log_Dec22_1

LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22

EXPL_Exchange_ProxyNotShell_Patterns_CVE_2022_41040_Oct22_1

SIGMA (public)

Potential OWASSRF Exploitation Attempt – Proxy
UUID: 1ddf4596-1908-43c9-add2-1d2c2fcc4797

Potential OWASSRF Exploitation Attempt – Webserver
UUID: 181f49fa-0b21-4665-a98c-a57025ebb8c7

Post-Exploitation

SIGMA (Private)

Microsoft Exchange ProxyNotShell Exploit
UUID: df23d4fb-b12b-4425-a340-8d59e2460c43

Webshell Detection Suspicious Children
UUID: 9a8e8057-32a7-432d-bf80-197dacf1a77f

Shells Spawned by Web Servers in Process Tree
UUID: 6dc0f4e1-7a11-429f-b240-d9f852cea8b3

SIGMA (Public)

Suspicious File Drop by Exchange
UUID: 6b269392-9eba-40b5-acb6-55c882b20ba6

Shells Spawned by Web Servers
UUID: 8202070f-edeb-4d31-a010-a26c72ac5600

The post Extended ProxyNotShell Detection Covering OWASSRF appeared first on Nextron Systems.

Follina CVE-2022-30190 Detection with THOR and Aurora

Florian Roth — Mon, 13 Jun 2022 08:25:41 +0000

The Follina 0day vulnerability (CVE-2022-30190) in Microsoft Windows is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.

Kevin Beaumont's Blog Post

Kevin’s post contains links to tweets of researchers that discovered the 0day exploit, information on the timeline, and mitigations

Huntress Labs Blog Post

Explains the exploit in more detail

Counter Measures

Recommended counter measures by Benjamin Deplhy

Signatures Detecting Follina / CVE-2022-30190 Attacks

Check for matches with the following rules:

YARA

Rules shared in the public signature-base and used in THOR and THOR Lite

Only available in THOR

SUSP_PS1_Obfusc_Combo_Base64_CharacterConcatenation_May22
SUSP_PS1_Nested_InvokeExpression_May22
SUSP_Office_Cloaked_MHT_Moniker_Jun22 (uses external vars; not in Valhalla)
EXPL_MAL_MalDoc_TemplateInjection_Jun22
SUSP_Encoded_Follina_CVE_2022_30190_Payloads_Jun22
SUSP_EXPL_Follina_CVE_2022_30190_Jun22_1
SUSP_EXPL_Follina_CVE_2022_30190_Jun22_2
EXPL_Encoded_CVE_2022_30190_Payloads_Jun22_1

Sigma

Public Sigma rules used in Aurora, THOR and Aurora Lite

Sdiagnhost Calling Suspicious Child Process – f3d39c45-de1a-4486-a687-ab126124f744
New Lolbin Process by Office Applications – 23daeb52-e6eb-493c-8607-c4f0246cb7d8
MSDT Executed with Suspicious Parent – 7a74da6b-ea76-47db-92cc-874ad90df734
Execute Arbitrary Commands Using MSDT.EXE – 258fc8ce-8352-443a-9120-8a11e4857fa5
Microsoft Outlook Product Spawning Windows Shell – 208748f7-881d-47ac-a29c-07ea84bf691d

Private Sigma rules only available in Aurora

Sdiagnhost Loading System.Management.Automation.dll – 1a4a0e9c-e47d-492c-800f-545f83fac88a
Sdiagnhost Calling Suspicious Descendant Process – 8655fa4b-e956-4ed4-b20d-151dfd8c802d

The post Follina CVE-2022-30190 Detection with THOR and Aurora appeared first on Nextron Systems.

Aurora Lite Agent v1.0 Release

Florian Roth — Mon, 04 Apr 2022 11:37:16 +0000

After almost half a year of development, we are pleased to announce the release of our free version of the Aurora Agent named Aurora Lite.

The Aurora agent is a Sigma-based endpoint agent that offers maximum transparency, flexibility, and confidentiality. It doesn’t require an additional kernel driver but uses the native Event Tracing for Windows (ETW). Other detection modules like the “Cobalt Strike Beaconing Detector” or the “LSASS Dump Detector” provide detection capabilities that exceed the scope of pure Sigma matching.

Aurora Lite is a limited but free version of the endpoint agent. It lacks some features, has no additional detection modules, and cannot be used with the comfortable ruleset and configuration management in ASGARD Management Center. The complete list of limitations can be found here.

Regardless of these limitations, we believe that even the free version can compete with other commercial endpoint agents and provides similar detection coverage.