
Today I created a test Word document with a macro that tries to reverse connect out to a C2 server controlled by me. The idea was to use it to test our firewall's capability to inspect protocols on certain ports.

I was positive that this would fail, but provide us good data for designing alerts.

It did not fail. Full reverse shell with very little indication on our firewalls.

Guess what I'm doing tomorrow? 😓

@GigaByte4711

Word macros have networking?
Why not a browser?

🤦‍♂️

@GigaByte4711

Change to ACLs?

For DNS monitoring also check out Sysmon, which now logs Event ID 22 (DNS query), and have a Sysmon XML rule file that includes your C2 server's address, so you catch clients trying to connect to it (say, from a PowerShell command).

@GigaByte4711

Metadata snippet of #Sysmon Event ID 22 monitoring where I ping an IP:

"AccountName":"SYSTEM",
"UserID":"S-1-5-18",
"AccountType":"User",
"Message":"Dns query:\r\nRuleName: \r\nUtcTime: 2019-10-29 15:47:43.274\r\nProcessGuid: {b3c285a4-5f1e-5db8-0000-0010c24d1d00}\r\nProcessId: 5696\r\nQueryName: example.com\r\nQueryStatus: 0\r\nQueryResults: ::ffff:93.184.216.34;\r\nImage: C:\\Windows\\System32\\PING.EXE",
"Category":"Dns query (rule: DnsQuery)",
"QueryName":"example.com",
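
An added example, not code from the thread or from Sysmon itself: a small triage script that parses the "Message" text in the layout shown above (one "Key: value" pair per line) for Event ID 22 (DNS query) and Event ID 3 (network connection), and matches it against a C2 watchlist. The indicator values, the Office-process list, and all sample records are constructed for this example; the third sample models a macro that connects to a hardcoded IP, which produces no Event ID 22 at all and is only visible in Event ID 3.

```python
"""Triage Sysmon Event ID 22 (DNS query) and Event ID 3 (network connection)
records against a small C2 watchlist.

Added example, not code from the thread. It parses the "Message" text in the
layout Sysmon writes (one "Key: value" pair per line, as in the snippet above).
All sample events, indicator values and the Office-process list are constructed.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed indicators for the C2 host used in a test like the one described.
WATCH_DOMAINS: Set[str] = {"c2.example.net"}
WATCH_IPS: Set[str] = {"203.0.113.10"}   # RFC 5737 TEST-NET-3, constructed
# Office binaries: an outbound connection from one of these to a non-web port
# is worth a look even when the destination is not on the watchlist (heuristic).
OFFICE_IMAGES: Set[str] = {"winword.exe", "excel.exe", "powerpnt.exe"}
WEB_PORTS = {"80", "443"}


def parse_message(message: str) -> Dict[str, str]:
    """Turn Sysmon's "Key: value\\r\\n..." Message text into a dict.

    The first line is the event title ("Dns query:", "Network connection
    detected:") and carries no field, so it is skipped. partition(":") splits
    on the first colon only, so values such as "C:\\Windows\\..." stay intact.
    """
    fields: Dict[str, str] = {}
    for line in re.split(r"\r?\n", message)[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def dns_answers(query_results: str) -> Set[str]:
    """Split QueryResults (';'-separated) and strip the ::ffff: IPv4-mapped prefix."""
    return {a.replace("::ffff:", "") for a in query_results.split(";") if a}


def triage(events: Iterable[dict]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts: List[str] = []
    for ev in events:
        f = parse_message(ev["Message"])
        img = image_name(f.get("Image", ""))
        if ev["EventID"] == 22:
            qname = f.get("QueryName", "").lower()
            answers = dns_answers(f.get("QueryResults", ""))
            # Match on the name queried or on what it resolved to.
            if qname in WATCH_DOMAINS or answers & WATCH_IPS:
                alerts.append(f"EID22 C2 indicator: {img} resolved {qname} -> {sorted(answers)}")
        elif ev["EventID"] == 3:
            dst, port = f.get("DestinationIp", ""), f.get("DestinationPort", "")
            if dst in WATCH_IPS:
                alerts.append(f"EID3 C2 connection: {img} -> {dst}:{port}")
            elif img in OFFICE_IMAGES and port not in WEB_PORTS:
                alerts.append(f"EID3 Office process to non-web port: {img} -> {dst}:{port}")
    return alerts


# Constructed sample records. The first mirrors the ping shown in the thread;
# the second models a macro that resolves its C2 by name; the third a macro
# that connects straight to a hardcoded IP (no DNS query, so no Event ID 22);
# the fourth is Excel talking to a web port, which the heuristic leaves alone.
SAMPLE_EVENTS = [
    {"EventID": 22, "Message": "Dns query:\r\nRuleName: \r\nUtcTime: 2019-10-29 15:47:43.274\r\n"
        "ProcessId: 5696\r\nQueryName: example.com\r\nQueryStatus: 0\r\n"
        "QueryResults: ::ffff:93.184.216.34;\r\nImage: C:\\Windows\\System32\\PING.EXE"},
    {"EventID": 22, "Message": "Dns query:\r\nRuleName: \r\nUtcTime: 2019-10-29 16:02:10.001\r\n"
        "ProcessId: 7120\r\nQueryName: c2.example.net\r\nQueryStatus: 0\r\n"
        "QueryResults: ::ffff:203.0.113.10;\r\n"
        "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventID": 3, "Message": "Network connection detected:\r\nRuleName: \r\n"
        "UtcTime: 2019-10-29 16:05:33.512\r\nProcessId: 7120\r\n"
        "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\r\n"
        "Protocol: tcp\r\nInitiated: true\r\nDestinationIp: 203.0.113.10\r\n"
        "DestinationPort: 8080"},
    {"EventID": 3, "Message": "Network connection detected:\r\nRuleName: \r\n"
        "UtcTime: 2019-10-29 16:06:01.900\r\nProcessId: 7300\r\n"
        "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\r\n"
        "Protocol: tcp\r\nInitiated: true\r\nDestinationIp: 198.51.100.7\r\n"
        "DestinationPort: 443"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running it prints two alerts: the DNS indicator from WINWORD.EXE and the direct connection to the watchlisted IP. The point of keeping Event ID 3 in the loop is the one raised later in the thread: a beacon to a hardcoded IP never generates a DNS query, so a rule set that only watches Event ID 22 misses it entirely.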

@superruserr
Thanks!
I'd deliberately used a hardcoded IP rather than DNS, just because I didn't want to use my personal domain for what WAS technically an infosec incident.

It looks as though we can inspect protocols in/out on our Palo Altos; it's just not on for the port I used (8080). As it was just a raw TCP connection, the Palo couldn't classify the app type.

Lesson learned, change request going in today.

It is, however, more ammo for enabling application whitelisting.

@superruserr yup. I only wrote the script to help a colleague with some academic work! I didn't expect it to become a Thing™.

Ah well, keeps me employed!
