Hello All. As many people who know me can attest, I am a huge fan of Sysmon. I have presented at a lot of cons about it and recommended it many times to customers. As much as I loved Mark Russinovich's product before, the following major updates he has made are mind blowing.
- OriginalFileName, which adds the PE Original Filename to EventID 1 and 7
- EventType to Named Pipe events (EventID 17 and 18)
- DNS events (EventID 22)
Looking at the EventLog, the Process Create and Image Load events now carry an OriginalFileName field, which is derived from the version resource in the file's PE header. This makes it a lot harder for malware and/or actors to rename binaries to try and avoid detections based on the original file name / path, since the name recorded in the PE itself is logged alongside the on-disk path.
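As an added example (not part of the original post, and not Sysmon's own code), here is a small check that reads Sysmon Process Create (1) and Image Load (7) events and flags any binary whose on-disk file name does not match the PE OriginalFileName. The sample events are constructed, the namespace-free XML layout and the placeholder values treated as "no version info" are assumptions about the export format.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample events, trimmed to the fields this check needs. Real
# Event Viewer exports carry an xmlns on <Event>; the tag lookups below
# would then need that namespace prefix.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
  <Data Name="OriginalFileName">Cmd.Exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Users\\Public\\svchost.exe</Data>
  <Data Name="OriginalFileName">PowerShell.EXE</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Tools\\custom.exe</Data>
  <Data Name="OriginalFileName">?</Data>
</EventData></Event>
<Event><System><EventID>7</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
  <Data Name="ImageLoaded">C:\\Windows\\Temp\\kernel32.dll</Data>
  <Data Name="OriginalFileName">rundll32.exe</Data>
</EventData></Event>
</Events>"""

# Which field holds the path of the file the OriginalFileName describes:
# the started process for EventID 1, the loaded module for EventID 7.
PATH_FIELD = {1: "Image", 7: "ImageLoaded"}

# Values assumed to mean "the PE carries no version resource" rather than
# a real name; such events are a metadata gap, not a rename.
NO_NAME = {"", "?", "-"}


def parse_events(xml_text):
    """Yield (event_id, {field: value}) for each <Event> in the export."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("Event"):
        event_id = int(ev.find("System/EventID").text)
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        yield event_id, data


def find_renamed(xml_text):
    """Return (event_id, path, original_name) for every process or loaded
    image whose file name differs (case-insensitively) from OriginalFileName."""
    hits = []
    for event_id, data in parse_events(xml_text):
        if event_id not in PATH_FIELD:
            continue
        path = data.get(PATH_FIELD[event_id], "")
        original = data.get("OriginalFileName", "")
        if original in NO_NAME:
            continue
        if PureWindowsPath(path).name.lower() != original.lower():
            hits.append((event_id, path, original))
    return hits
```

A mismatch is a lead, not a verdict: some legitimately shipped binaries carry an OriginalFileName that differs from their installed name, so tune an allow-list against your own baseline before alerting on this.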
Named Pipe EventType
This now allows, for instance, filtering out ConnectPipe (EventID 18) events so that only pipe creation (EventID 17) is recorded, saving a lot of data.
Now, this is the update that I have been so excited about. The addition of EventID 22, or DNS logging – see the example (from medium.com) below:
Of course, Sysmon 10, as with the other Sysinternals tools, can be downloaded from Microsoft.
SwiftOnSecurity also has an alpha configuration available on his website – download it here
PwC was recognized as a Leader in Global Cybersecurity Consulting Services by Forrester Research. In the Forrester Wave – Global Cybersecurity Consulting Providers, Q2 2019, PwC is ranked above all other market participants in cybersecurity strategy and strength of offering. PwC has made big investments in amazing people and is a great place to work!
Hello All. A follow-up to my post on April 29 regarding the Oracle WebLogic vulnerability. Apparently attackers are now leveraging the vulnerability to install the Sodinokibi ransomware. As this vulnerability is trivial to exploit, it is important that server admins install the patch immediately in order to prevent infections or unauthorized access.
To read the complete article see: https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-being-installed-on-exploited-weblogic-servers/
If you haven't already read about it, Oracle released its Critical Patch Update for April 2019 on April 16, 2019, addressing 297 vulnerabilities across multiple products.
On Friday, April 26, 2019, Oracle released an important fix (what they refer to as an "overlay") for the Oracle WebLogic Server component of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server, and successful attacks can result in takeover of the server. This is not to be confused with the update that came out in 2018; this is a net-new vulnerability and patch, identified as CVE-2019-2725. I was just listening to the SANS ISC StormCast (April 29, 2019) this morning and they made mention of it. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. Exploitation in the wild has been confirmed: the Storm Center has noted that its honeypot has seen exploitation using this bug followed by successful installation of cryptocoin miners.
Download the latest exploit code – https://www.exploit-db.com/exploits/46450
Here is the ISC’s write-up of the vulnerability – https://isc.sans.edu/forums/diary/Update+about+Weblogic+CVE20192725+Exploits+Used+in+the+Wild+Patch+Status/24890/