Oct 20, 2017

Microsoft Office Windows Dynamic Data Exchange (DDE) Mitigations

Out with the old, in with the new. Are macro trojans a thing of the past, or just put off to the side while the new kid on the block gets to show off for a bit? That is the question behind the Dynamic Data Exchange (DDE) method of executing a payload. This technique, which has been available since Windows 2.0, lets an attacker present the user with a different prompt when sending a document with a malicious payload and, in some cases, change that prompt to say whatever they want!

If you’re looking to spin your head around for a bit reading up on the technical specs, here is a link from Microsoft outlining DDE.

I’m going to share a couple of methods that can be used to mitigate this threat in various environments.

Let’s start with the basics: getting the registry changes that will be needed.

(Credit to: https://gist.github.com/wdormann for sharing this!)

First, save a copy of the disable_ddeauto.reg file somewhere on your network or on the local machine. If you’re saving it on your network, put it on a shared drive and set the permissions to read only.

Here are some ways you can import this registry file:

reg.exe IMPORT disable_ddeauto.reg

DisableDDE.bat

%windir%\system32\reg.exe IMPORT \\server\share\disable_ddeauto.reg

DisableDDE.ps1

[Diagnostics.Process]::Start("reg.exe","import \\server\share\disable_ddeauto.reg")

Placing either of these methods in the Logon policy under User Settings will ensure that Office 2010-2016 will block

The following script can easily be converted into a base64 string.

DisableDDE-Direct.ps1

# Create the staging folder; without -ItemType Directory, New-Item creates a file named "temp" and the download below fails
New-Item -Path c:\temp -ItemType Directory -Force | Out-Null
# Fetch the .reg file from the gist
(New-Object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b/raw/6d19917f59f1d20c46ddc9c97765bc6ef4f2814e/disable_ddeauto.reg", "c:\temp\disable_ddeauto.reg")
# Import it and wait for reg.exe to finish, otherwise the file may be deleted before it is read
[Diagnostics.Process]::Start("reg.exe", "import c:\temp\disable_ddeauto.reg").WaitForExit()
Remove-Item -Path C:\temp\disable_ddeauto.reg -Force

Finally, if you have a “fire and forget” method of reaching multiple systems you need to protect, you can convert the script to a base64 value and push it through a command line:

# Script block whose text will be encoded for powershell.exe -EncodedCommand
$stringToEncode =
{
New-Item -Path c:\temp -ItemType Directory -Force | Out-Null
(New-Object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b/raw/6d19917f59f1d20c46ddc9c97765bc6ef4f2814e/disable_ddeauto.reg", "c:\temp\disable_ddeauto.reg")
[Diagnostics.Process]::Start("reg.exe", "import c:\temp\disable_ddeauto.reg").WaitForExit()
Remove-Item -Path C:\temp\disable_ddeauto.reg -Force
}
# -EncodedCommand expects UTF-16LE (Unicode) text, so encode the script block's text, not UTF-8 bytes
$base64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($stringToEncode.ToString()))

With its output (please don’t rely on mine! 😉):

powershell.exe -ex bypass -enc <your-base64-string-here>
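Once the import has run, it is worth confirming that the values actually landed in the user's hive. The following PowerShell check is an added example, not part of the original post or of the gist; the value names and data it expects are the ones Microsoft later documented in Security Advisory 4053440 for Word, Outlook and Excel, and it is an assumption that disable_ddeauto.reg sets exactly these, so edit the $expected table to match your copy of the file.

```powershell
# Added example: verify the DDE "don't update links" mitigation is present in HKCU
# for Office 2010/2013/2016 (registry version folders 14.0/15.0/16.0).
# Value names and data are the ones documented in Microsoft Security Advisory 4053440;
# that disable_ddeauto.reg sets exactly these is an assumption, so edit $expected to match it.

$officeVersions = '14.0', '15.0', '16.0'

# Sub-key under HKCU:\Software\Microsoft\Office\<ver>, value name, expected DWORD data
$expected = @(
    @{ Sub = 'Word\Options';          Name = 'DontUpdateLinks';      Data = 1 }  # Word
    @{ Sub = 'Word\Options\WordMail'; Name = 'DontUpdateLinks';      Data = 1 }  # Outlook (Word is its editor)
    @{ Sub = 'Excel\Security';        Name = 'WorkbookLinkWarnings'; Data = 2 }  # Excel
)

function Test-DdeMitigation {
    # Only report on Office versions that actually have a profile key on this machine
    $installed = $officeVersions | Where-Object { Test-Path "HKCU:\Software\Microsoft\Office\$_" }

    foreach ($ver in $installed) {
        foreach ($e in $expected) {
            $key    = "HKCU:\Software\Microsoft\Office\$ver\$($e.Sub)"
            $actual = $null
            if (Test-Path $key) {
                # A missing value yields $null, which is reported as non-compliant below
                $actual = (Get-ItemProperty -Path $key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
            }
            [pscustomobject]@{
                Version   = $ver
                Key       = $key
                Name      = $e.Name
                Expected  = $e.Data
                Actual    = $actual
                Compliant = ($actual -eq $e.Data)
            }
        }
    }
}

$report = Test-DdeMitigation
$report | Format-Table Version, Name, Expected, Actual, Compliant -AutoSize

# Non-zero exit lets a logon script or configuration baseline flag machines where the import did not take
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it in the context of the user whose profile received the import, since these are per-user (HKCU) values; a machine with no Office profile keys produces an empty report and exits 0.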

Good luck and happy protecting!


Jul 22, 2017

WMI Querying Techniques, Part 2 – Command Line


In this post, we will go over various WMI command line techniques and options: the built-in aliases, alternate namespaces and paths, and, of course, running queries remotely. Let’s get started!

WMIC Aliases

One of the nice things Microsoft did when providing a command line utility for accessing WMI objects was to build aliases on top of the more commonly used WMI classes. To follow along with any of today’s exercises, open a command prompt or two as Administrator if you can. If you don’t have admin rights, that’s OK; you can still do some of the querying. Hopefully you read the last article on Wbemtest; keep it open so we can pull properties and methods from it as needed.

From your command prompt, type “wmic /?” to get a list of commands and aliases. Today we will be playing around with Process, Service, and Product. Faster IT has a good article mapping the aliases to their classes.

Jul 22, 2017

WMI Querying Techniques, Part 1 – WbemTest


Breaking the ice with WMI

I wanted to put together a few different use cases for WMI querying. There are many articles with good information on various uses of WMI; I figured I would share some that I’ve used recently on various engagements. In the next couple of posts, we’ll go over a few different ways to use WMI: from the GUI, from the command line, from PowerShell, and from your own C# code.

Let’s jump in! We’re going to start with the basics: the Windows GUI tool Windows Management Instrumentation Tester, or WbemTest. Open it by clicking the Start menu and typing wbemtest. Once the window opens, click Connect. Leave everything at its defaults (the namespace is root\cimv2 for our examples, with the default impersonation level and the default connector) and click Connect again. You should be back at the main screen with all of the options available.
