Today I created a test Word document with a macro that tries to reverse connect out to a C2 server controlled by me. The idea was to use it to test our firewall's capability to inspect protocols on certain ports.

I was positive that this would fail, but provide us good data for designing alerts.

It did not fail. Full reverse shell with very little indication on our firewalls.

Guess what I'm doing tomorrow? 😓


Word macros have networking?
Why not a browser?



Change to ACLs?

For DNS monitoring, also check out Sysmon, which now monitors event ID 22 (DNS query); with a Sysmon XML rule file that contains your C2 server link, you can monitor clients trying to connect to it (say, from a PowerShell command).


Metadata snippet of #Sysmon event ID 22 monitoring where I ping an IP:

"Message":"Dns query:\r\nRuleName: \r\nUtcTime: 2019-10-29 15:47:43.274\r\nProcessGuid: {b3c285a4-5f1e-5db8-0000-0010c24d1d00}\r\nProcessId: 5696\r\nQueryName:\r\nQueryStatus: 0\r\nQueryResults: ::ffff:;\r\nImage: C:\\Windows\\System32\\PING.EXE",
"Category":"Dns query (rule: DnsQuery)",
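A small detection pass over event ID 22 records in the shape shown above, added here as an example and not code from this thread: it parses the CRLF-delimited Message body and flags lookups whose name, or whose resolved answer, is on a watchlist. The events, GUID, hostnames, IPs and watchlist are constructed placeholders (RFC 2606 / RFC 5737 ranges).

```python
import ipaddress
def make_event(utc, pid, name, results, image):
    """Constructed sample in the shape of the record above (placeholder GUID, names and IPs)."""
    return {"Message": "Dns query:\r\nRuleName: \r\nUtcTime: %s\r\nProcessGuid: {placeholder}\r\n"
                       "ProcessId: %s\r\nQueryName: %s\r\nQueryStatus: 0\r\nQueryResults: %s\r\n"
                       "Image: %s" % (utc, pid, name, results, image),
            "Category": "Dns query (rule: DnsQuery)"}
# Three constructed events: a watched domain, a benign lookup, a CNAME chain ending at a watched IP.
SAMPLE_EVENTS = [
    make_event("2019-10-29 15:47:43.274", 5696, "c2.example.net", "::ffff:203.0.113.10;",
               "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    make_event("2019-10-29 15:48:01.002", 1208, "time.windows.com", "::ffff:198.51.100.7;",
               "C:\\Windows\\System32\\svchost.exe"),
    make_event("2019-10-29 15:49:12.511", 4412, "cdn.example.org",
               "type:  5 edge.example.org;::ffff:203.0.113.10;",
               "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),
]
WATCH_DOMAINS = {"c2.example.net"}                   # constructed watchlist (RFC 2606 / RFC 5737)
WATCH_IPS = {ipaddress.ip_address("203.0.113.10")}

def parse_dns_query(message):
    """Turn the CRLF-delimited 'Key: value' body of an event 22 Message into a dict."""
    fields = {}
    for line in message.split("\r\n")[1:]:           # skip the leading 'Dns query:' title
        key, _, value = line.partition(": ")
        fields[key] = value.strip()
    return fields

def answer_ips(query_results):
    """IPs from QueryResults; IPv4 answers look like ::ffff:a.b.c.d, CNAMEs like 'type: 5 name'."""
    ips = []
    for entry in query_results.split(";"):
        entry = entry.strip().replace("::ffff:", "", 1)
        try:
            ips.append(ipaddress.ip_address(entry))
        except ValueError:                           # empty answer (as in the record above) or CNAME
            pass
    return ips

def find_watchlist_hits(events, watch_domains, watch_ips):
    """Return (image, query_name, reason) for every event that touches the watchlist."""
    hits = []
    for ev in events:
        f = parse_dns_query(ev["Message"])
        name = f.get("QueryName", "").lower().rstrip(".")
        if name in watch_domains:
            hits.append((f["Image"], name, "watched domain"))
        elif any(ip in watch_ips for ip in answer_ips(f.get("QueryResults", ""))):
            hits.append((f["Image"], name, "answer resolves to watched IP"))
    return hits
```

Matching on QueryResults as well as QueryName catches a watched address reached through an unlisted name, but as the next post notes, a connection made to a hard-coded IP never produces a DNS query at all, so event 22 alone will not see it.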

I'd deliberately used a hardcoded IP rather than DNS, just because I didn't want to use my personal domain for what WAS technically an infosec incident.

It looks as though we can inspect protocols in/out on our Palo Altos; it's just not on for the port I used (8080). As it was just a raw TCP connection, the Palo couldn't classify the app type.

Lesson learned, change request going in today.

It is, however, more ammo for enabling application whitelisting.

@superruserr yup. I only wrote the script to help a colleague with some academic work! I didn't expect it to become a Thing™.

Ah well, keeps me employed!

Whitespashe Mastodon
