Security Boulevard

Find out more about shadow AI and the risks of leaving it uncovered.

The post Shining a Light on Shadow AI: What It Is and How to Find It appeared first on Security Boulevard.

Our teams are always hard at work improving the TrustCloud platform. Here are this month’s biggest updates. Introducing our ServiceNow integration! This is a bidirectional integration with ServiceNow to pull ticket details into TrustCloud. Teams can create new ServiceNow tasks in TrustCloud and attach ServiceNow links as evidence to your tests. The integration also supports […]

The post TrustCloud Product Updates: August 2024 first appeared on TrustCloud.

The post TrustCloud Product Updates: August 2024 appeared first on Security Boulevard.

Specula is a framework that allows for interactive operations of an implant that runs purely in the context of Outlook. It works by setting a custom Outlook homepage via registry keys that calls out to an interactive python web server. This web server serves custom patched vbscript files that will execute a command and return a string response. This is not a completely new concept, other public tools have existed before that take advantage of the vbscript capability within outlook to perform attacks.

One of the unique features of Specula outside of running entirely within Outlook is its ability to load and execute XLL Files. Once an agent has been hooked the malicious xll can be staged and executed via execute_registerxll.

In this blog we are going to break down using an XLL file to launch an application using Specula C2 and Outlook. Some of the logs shown in this blog will be truncated to show the important parts for brevity.

Hooking Agents

To hook an agent, all you need to do is to create the registry REG_SZ value of URL under HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox and add the value pointing to your validation url on the Specula server.

Hooked Registry Keys

There are a few settings that are preferable to add/adjust in order to avoid issues with ActiveX. To generate a full reg file with all the recommended settings you can, from the root of the Specula menu, run generatehooker and it will show you the reg file you can copy over to an Windows client with Outlook on and import it. For the registry key to take effect, you will need to stop Outlook if it is running and restart it.

XLL

An XLL (Excel Add-In) is a type of dynamic link library (DLL) specifically designed for use with Microsoft Excel, providing a way to extend Excel’s built-in functionality by adding custom functions, commands, and toolbars. Like DLLs, XLLs are compiled libraries that can be loaded into Excel, integrating seamlessly to create custom functions that behave like native Excel functions. Written in low-level programming languages such as C or C++, XLLs offer better performance and efficiency compared to VBA (Visual Basic for Applications) macros. They can also call Excel’s C API, allowing for deeper and more complex interactions with Excel. Additionally, XLLs can be distributed and deployed as standalone files, making them easy to share and install across different systems.

These files are basically DLLs with specific function names.

• xlAutoClose: Cleans up and unregisters the add-in when unloaded.
• xlAutoAdd: Initializes settings or notifies users when the add-in is added to Excel.
• xlAutoRemove: Cleans up when the add-in is removed from Excel.
• xlAddInManagerInfo: Provides information about the add-in to the Add-In Manager.
• xlAutoRegister: Handles automatic registration of functions and commands.
• xlAutoFree: Manages memory allocation and freeing.

Putting it all together

So to quickly recap. A victim running Outlook is hooked via a reg file containing specific registry keys for an Outlook homepage pointing at the Specula Server. Once hooked and approved the malicious xll is staged.

XLL Upload via Specula C2

Once staged the execute/host/execute_registerxll module is executed with an input of our staged xll file. This will launch an Excel COM object, load, and execute the malicious file. This can essentially perform any action that a typical DLL can without utilizing typical DLL methods of loading.

Execute XLL

Successful execution can be checked via the data command

Successful Execution Logs and Detection Opportunities Registry Hook

As mentioned, the first thing that will happen when using Specula C2 is the agent hooking via the registry. The framework achieves this by modifying specific registry keys related to Outlook’s web view and homepage settings, redirecting them to the C2 server controlled by the attacker.

When an Outlook user opens a specific folder (like Inbox, Calendar, or Tasks), Outlook queries the registry to determine if a custom homepage or web view has been set for that folder. This HTML page allows execution of VBScript or JScript within a privileged context, granting nearly full access to the local system, similar to running scripts via cscript or wscript.exe.

The ability to abuse the Outlook home page was reported as CVE-2017–11774. The Outlook home page was believed to be patched, however, even though the UI elements used to set this was disabled the registry values can still be changed manually.

Since this is registry modifications it can be captured with Sysmon EventID 13.

...
Channel: Microsoft-Windows-Sysmon/Operational
Details: http://10.3.99.1/css/uennGj2qfCrVGQ
EventDescription: RegistryEvent (Value Set)
EventID: 13
EventType: SetValue
Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
ProcessName: OUTLOOK.EXE
ProcessPath: C:\Program Files\Microsoft Office\root\Office16\
TargetObject: HKU\S-1-5-21-1538153195-943065003-848949206-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Webview\Inbox\URL
User: WIN10-21H1\localuser
registry_hive: HKEY_CURRENT_USER
registry_key_name: HKU\S-1-5-21-1538153195-943065003-848949206-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Webview\Inbox
registry_path: HKU\S-1-5-21-1538153195-943065003-848949206-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Webview\Inbox\URL
registry_value_data: http://10.3.99.1/css/uennGj2qfCrVGQ
registry_value_name: URL
user: localuser
user_id: "S-1-5-18"
...

You will want to look for the URL being set in the following Registry Keys:

Software\Microsoft\Office\*\Outlook\Today
Software\Microsoft\Office\*\Outlook\Webview\Inbox
Software\Microsoft\Office\*\Outlook\Webview\Calendar
Software\Microsoft\Office\*\Outlook\Webview\Contacts
Software\Microsoft\Office\*\Outlook\Webview\Deleted Items
Software\Microsoft\Office\*\Outlook\Webview\Drafts
Software\Microsoft\Office\*\Outlook\Webview\Journal
Software\Microsoft\Office\*\Outlook\Webview\Junk E-mail
Software\Microsoft\Office\*\Outlook\Webview\Notes
Software\Microsoft\Office\*\Outlook\Webview\Outbox
Software\Microsoft\Office\*\Outlook\Webview\RSS
Software\Microsoft\Office\*\Outlook\Webview\Sent Mail
Software\Microsoft\Office\*\Outlook\Webview\Tasks Agent Registration Traffic

If you have network insights, tools such as Zeek offer some detection opportunities around the agent registration. Specula will make a web POST to the /plugin/search uri by default. This will contain a base64 encoded payload containing the hostname and username.

bytes: 58
bytes_in: 0
bytes_out: 58
dest: 10.3.99.1
dest_host: 10.3.99.1
dest_ip: 10.3.99.1
dest_port: 80
direction: unknown
extracted_host: 10.3.99.1
flow_id: CDMIsf2xzq09GxY3r5
http_method: POST
http_user_agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/7.0; Specula; Microsoft Outlook 16.0)
method: POST
post_body: "VwBJAE4AMQAwAC0AMgAxAEgAMQB8AGwAbwBjAGEAbAB1AHMAZQByAA=="
product: OS_Zeek
request_body_len: 58
response_body_len: 0
src: 10.3.10.8
src_ip: 10.3.10.8
src_port: 52734
status: 200
status_code: 200
status_msg: OK
tag: web
trans_depth: 1
ts: 1722452540.230311
uid: CDMIsf2xzq09GxY3r5
uri: /plugin/search/
uri_path: /plugin/search/
url: 10.3.99.1:80/plugin/search/
user_agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/7.0; Specula; Microsoft Outlook 16.0)
vendor: Corelight
vendor_product: OS_Zeek
version: 1.1 Stage XLL

The xll file that will be executed needs to be staged locally. This is usually accomplished via the put_file function of Specula. This will generate a File Creation event for the XLL File by the Outlook process. The location is determined by the attacker but looking for any xll files created by Outlook will highlight this activity.

Provider Name: Microsoft-Windows-Sysmon
Provider Guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
EventID: 11
TimeCreated SystemTime: 2024-08-01T15:51:16.635730Z
ProcessID: 3092
ThreadID: 4892
Channel: Microsoft-Windows-Sysmon/Operational
Computer: WIN10-21H1.snapattack.labs
UserID: S-1-5-18
RuleName: -
UtcTime: 2024-08-01 15:51:16.634
ProcessGuid: F51F9151-AEB9-66AB-4006-000000000B00
ProcessId: 6344
Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
TargetFilename: C:\Windows\Temp\specula.xll
CreationUtcTime: 2024-08-01 15:51:16.634
User: WIN10-21H1\localuser Excel Com Object

When Outlook goes to execute the XLL, it will launch an instance of Excel using the Office COM Objects. This will cause svchost.exe to launch Excel with /automation -Embedding arguments. You can find this activity by looking for process creation events. Outside of just Excel being launched, you can use this to identify other suspicious executions of Office products.

CommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
CurrentDirectory: C:\Windows\system32\
Description: Microsoft Excel
EventDescription: Process creation
EventID: 1
Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
IntegrityLevel: High
OriginalFileName: Excel.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p
ParentImage: C:\Windows\System32\svchost.exe
ParentProcessGuid: F51F9151-65B6-66AA-0D00-000000000B00
ParentProcessId: 860
ParentProcessName: svchost.exe
ParentProcessPath: C:\Windows\System32\
ParentUser: NT AUTHORITY\SYSTEM
ProcessName: EXCEL.EXE
ProcessPath: C:\Program Files\Microsoft Office\root\Office16\
Product: Microsoft Office
User: WIN10-21H1\localuser
...

Looking at the process graph you won’t see a connection to Outlook as the originator of the activity because of the way it uses these COM Objects.

Process Graph of XLL Execution XLL Load

Finally the Excel Object will load and execute the XLL Add-in from the uploaded location. This shows up in Image Loads (EventID 7).

EventDescription: Image loaded
EventID: 7
Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
ImageLoaded: C:\Windows\Temp\specula.xll
Parent_process_exec: EXCEL.EXE
Parent_process_guid: F51F9151-AF2F-66AB-6406-000000000B00
Parent_process_id: 1952
Parent_process_name: EXCEL.EXE
Parent_process_path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Process_exec: specula.xll
Process_hash:
- MD5=0D802B900868A249605D9A8FE5B6586B
- SHA256=9EBFB3F9861738869B0D9BA148B69AB901894005DBE8FFCCFC66E99C1AC78D1B
- IMPHASH=F3B1802819FE1B8C9D47F5D9C6F0911F
Process_name: specula.xll
Process_path: C:\Windows\Temp\specula.xll
Service_dll_signature_exists: false
Service_dll_signature_verified: false
...

Excel loading an XLL is in itself not necessarily malicious. However, you can hunt for this and narrow it down to unusual locations such as Temp or Public folders.

For more logs and details on this and other Specula C2 activity, check out the collection in our platform: Specula.

Mitre

T1137.004 — Office Application Startup: Outlook Home Page
Adversaries may abuse Microsoft Outlook’s Home Page feature to obtain persistence on a compromised system.

T1559.001 — Inter-Process Communication: Component Object Model (COM)
Adversaries may use the Windows Component Object Model (COM) for local code execution.

T1059.005 — Command and Scripting Interpreter: Visual Basic
Adversaries may abuse Visual Basic (VB) for execution.

T1071.001 — Application Layer Protocol: Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.

T1112 — Modify Registry
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

T1203 — Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.

Conclusion

In summary, Specula C2 represents an advanced and innovative approach to conducting interactive operations entirely within the context of Microsoft Outlook. By leveraging custom Outlook homepages and registry modifications, Specula enables seamless command execution through a Python web server. Its unique ability to load and execute XLL files further enhances its versatility, allowing for sophisticated attack scenarios. Understanding the techniques employed by Specula, such as registry manipulation and COM object utilization, is crucial for strengthening cybersecurity defenses.

SnapAttack is the threat hunting, detection engineering, and detection validation platform for proactive threat-informed defense. Register for a FREE community account to access the tons of content included in this blog post, as well as thousands of other community detections. Subscribers also get advanced features like a no-code detection builder, one-click deployments to leading SIEMs and EDRs like Chronicle, Sentinel, Splunk, CrowdStrike and SentinelOne, advanced threat profiles to prioritize relevant threats, and customized reports that track MITRE ATT&CK coverage and more!

Resources

• https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outlook-for-remote-code-execution-in-windows/
• https://github.com/trustedsec/specula/wiki

Hunting Specula C2 Framework and XLL Execution was originally published in SnapAttack on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Hunting Specula C2 Framework and XLL Execution appeared first on Security Boulevard.

via the inimitable Daniel Stori at Turnoff.US!

Permalink

The post Daniel Stori’s ‘Linux Top Explained’ appeared first on Security Boulevard.

Artificial Intelligence (AI) is revolutionizing healthcare, and its impact on patient experience is nothing short of transformative. According to a study by Accenture, AI applications...Read More

The post The Role of AI in Enhancing Patient Experience in HealthTech appeared first on ISHIR | Software Development India.

The post The Role of AI in Enhancing Patient Experience in HealthTech appeared first on Security Boulevard.

In today’s digital world where availability and security are of the utmost importance, time is of the essence. We know how important it is for our customers to get up and running with the solutions they chose from AppViewX as quickly as possible. At AppViewX, we’re more than just a software company, we’re also a […]

The post The AppViewX Experience: A Journey to Seamless Solution Onboarding appeared first on Security Boulevard.

Threat actors increasingly target industrial processes because of the costly and sometimes dangerous disruptions they can cause in OT environments. Making adversaries’ jobs easier are continued manufacturing security vulnerabilities that both provide entry points to these environments and facilitate dangerous lateral movement. Here’s a look at some of the main manufacturing security vulnerabilities threat groups have been targeting lately.  Industrial ... Read More

The post Manufacturing Security Vulnerabilities: Combating the Risks appeared first on Nuspire.

The post Manufacturing Security Vulnerabilities: Combating the Risks appeared first on Security Boulevard.

Discover how GitGuardian's latest product innovations enhance your secrets security, streamline remediation, and improve incident management for better protection of your software supply chain.

The post Elevating your secrets security hygiene: H1 roundup of our product innovations appeared first on Security Boulevard.

Authors/Presenters:Harun Oz, Ahmet Aris, Abbas Acar, Güliz Seray Tuncay, Leonardo Babun, Selcuk Uluagac

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – RøB: Ransomware over Modern Web Browsers appeared first on Security Boulevard.

The CPS 234 Information Standard, established by the Australian Prudential Regulation Authority (APRA), mandates that organizations in the financial and insurance industries bolster their information security frameworks to safeguard themselves and their customers from the growing threat of cyber attacks. 

The post 4 Key Requirements for APRA CPS 234 Compliance [+ CHECKLIST] appeared first on Security Boulevard.

MEDIA ADVISORY Leading experts to share insights on using orchestration to re-architect aging identity and access management environments BOULDER, Colo., Aug. 29, 2024 – Strata Identity, the Identity Orchestration company, today announced it will host a free webinar on how to tear down outdated IAM architectures and replace legacy identity and access management (IAM) services...

The post Strata Identity to Host Tear Down and Modernization Webinar for Legacy Identity Infrastructures appeared first on Strata.io.

The post Strata Identity to Host Tear Down and Modernization Webinar for Legacy Identity Infrastructures appeared first on Security Boulevard.

Gift cards and loyalty programs are used by retailers to increase customer traffic, build brand awareness, and gain new customers. However, they also attract the attention of fraudsters who exploit these systems, causing substantial financial losses and undermining customer trust. This blog explores the nature of gift card and loyalty program abuse and how proper […]

The post What is Gift Card and Loyalty Program Abuse? appeared first on Cequence Security.

The post What is Gift Card and Loyalty Program Abuse? appeared first on Security Boulevard.

During our recent webinar, “From Setup to Success: ...

The post Answering Your Webinar Questions: Email Security with EasyDMARC appeared first on EasyDMARC.

The post Answering Your Webinar Questions: Email Security with EasyDMARC appeared first on Security Boulevard.

In the last year alone, the education sector experienced a 44% increase in cyberattacks. Malicious actors frequently target K-12 schools as they possess a range of sensitive information, including student records, employee data, financial documents, and more.  While just over 50% of K-12 school data breaches are intentional, approximately 30% are unintentional. This means that ...

The post A Guide To Selecting The Best URL Filtering Software appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post A Guide To Selecting The Best URL Filtering Software appeared first on Security Boulevard.

BusyBox, often referred to as the “Swiss Army knife of embedded Linux,” is a compact suite of Unix utilities combined into a single executable. It’s widely used in small and embedded systems due to its lightweight nature. However, like any software, it is not immune to vulnerabilities. Recently, Canonical has released security updates to address […]

The post Ubuntu Fixes Multiple BusyBox Vulnerabilities appeared first on TuxCare.

The post Ubuntu Fixes Multiple BusyBox Vulnerabilities appeared first on Security Boulevard.

Nisos
AI Hype vs Hesitence

AI isn’t just a buzzword anymore—it’s woven into the fabric of our daily lives. From chatbots handling customer service to self-driving cars and AI-generated content...

The post AI Hype vs Hesitence appeared first on Nisos by Nisos

The post AI Hype vs Hesitence appeared first on Security Boulevard.

In light of recent cybersecurity events, a critical SolarWinds Web Help Desk vulnerability has been revealed. Although SolarWinds patches pertaining to the vulnerability have been released, if it were to be exploited, it could lead to the execution of arbitrary code on certain instances. In this article, we’ll dive into the details of the vulnerability […]

The post SolarWinds Patches: Severe Web Help Desk Vulnerability Fixed appeared first on TuxCare.

The post SolarWinds Patches: Severe Web Help Desk Vulnerability Fixed appeared first on Security Boulevard.

The recent National Public Data (NPD) breach stands as one of the largest social security number (SSN) exposures in history. With reports suggesting potential compromises affecting up to 3 billion SSNs, it is crucial to understand the scope of the breach and take immediate steps to protect yourself from identity theft. This guide provides an …

The post National Public Data (NPD) Breach: Essential Guide to Protecting Your Identity appeared first on Security Boulevard.

Protecting Organizations with Up-to-Date CVE Awareness  Reports from the National Institute of Standards and Technology (NIST) through its National Vulnerability Database (NVD) highlight critical cybersecurity vulnerabilities that demand immediate attention and underscore the persistent risks organizations face, including potential data breaches and system compromises if left unaddressed. Recent critical vulnerabilities emphasize the importance of timely...

The post Recent Critical Vulnerabilities: August 2024 CVE Roundup appeared first on TrueFort.

The post Recent Critical Vulnerabilities: August 2024 CVE Roundup appeared first on Security Boulevard.

Why are some organizations planning an Oracle Java migration of some (but not all) of their Java from Oracle to another JDK provider?

The post Are Java Users Making Bad Oracle Java Migration Decisions? appeared first on Azul | Better Java Performance, Superior Java Support.

The post Are Java Users Making Bad Oracle Java Migration Decisions? appeared first on Security Boulevard.