Deceptive Internet Kiosk

[jymcheong]

What & Why

• Internet Kiosk is like a library public terminal for users to search for titles, surf internet...
• Deception is commonly used by adversaries (eg. Phising & social-engineering) but attackers are humans too.

What	Why
Limited Functionalities eg. purpose-built terminals like Info-boards/signages, hospital-terminals running web apps...	Consistent use-case profiles Eg. check emails, surf/use web-apps, printing & so on
Auto-Recovery (reboot to a clean state)	Reduce remediation effort
Free, low-resource & turn-key Deception	Deter Malware (20% are Sandbox aware) & APT actors alike

Let's turn the table!

How

Install OpenEDR Backend & Frontend

• Backend installation churns out a Powershell command for client-side/endpoint installation
• Use the Powershell command with central software deployment tools or manually with an admin Powershell session
• Prefix endpoint Hostname with WWW eg. WWW_PC1.

Install Reboot-to-Restore Tools

• For budget-challenged, consider http://www.toolwiz.com/lead/toolwiz_time_freeze/
• Otherwise, https://www.faronics.com/news/blog/microsoft-windows-system-restore-vs-deep-freeze

Turn Internet Kiosk into a "Malware Analysis Sandbox"

1. https://github.com/NavyTitanium/Fake-Sandbox-Artifacts
2. https://github.com/Phoenix1747/fake-sandbox

Careful adversaries who bothers with Opsec will check, the question is with what techniques when foreign executable-files are denied.

Outcomes

Improve Signal-to-Noise Ratio

• Based on Symantec's 2019 survey, there's a 20% chance (should be higher now) that the Malware will stop just purely with Fake-Sandbox.
• 100% denial of executable-files written by non-privileged processes.
• When file-write ACL control is somehow evaded & runs, process check kicks-in & reboot terminal to clean state.
• 100% of non-obfuscated Office-Macro will be stripped.
• Most commonly abused scripting extensions are associated with notepad.exe, showing the files instead of executed.
• Child processes from Office apps are blocked at two layers: Microsoft Attack-Surface Reduction rules & OpenEDR agent

I pioneered in a number technical deployments of larger-scale (a few hundred Ks Events-Per-Sec) Security Ops-Center for my workplace. Many SOCs that are stuck with "SIEM 1.0" are still wasting time with "noise".

I have done some profiling for various MS-Office version-applications, have yet to see Word, Excel & Powerpoint creating a child process. Only Office setup/licensing process was sighted to create child processes.

Living-off-the-Land Techniques will Stick Out

Let's say Advance-Persistent-Threat Actors get into the endpoint & establish C2, all without touching the disk...

• OpenEDR will deny writable EXE/DLL upon file-write & process-create.
• Actors cornered to use LOL binaries or scripts, trips new Sequence & CommandLine cluster detection.
• How often do you see users running CommandLine kung-fu in the background? Just reboot when in doubt!

Sense-making is not just about products but methodology & tooling to provide clear awareness of your assets' profiles.

What's Next

What if you really like this idea but don't operate a fleet of "kiosk"? What about non-technical office or even remote work-force?

Next up, how to adapt Sandbox for non-kiosk use-cases!

[jymcheong]

Will usually reserve such fun projects for Interns. But COVID has made such arrangements challenging.