spender-sandbox / cuckoo-modified

Modified edition of cuckoo

wrong package ppsx - opened in doc #458

Open mallorybobalice opened 7 years ago

mallorybobalice commented 7 years ago

tldr - this https://www.hybrid-analysis.com/sample/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921?environmentId=100 isn't good

the correct package is powerpoint ppt, not doc. also, when opened it still won't autorun until mouseovered in interactive analysis mode by a human person.

thoughts? @doomedraven

doomedraven commented 7 years ago

would need to check the automatic package detection system and how it detects it. about the mouseover, i think there should be some switch option to pass to office. i don't have time till 19.06 to check it, so if someone wants to check it, that would be great :)

mallorybobalice commented 7 years ago

hmmm i'm submitting it renamed to ppt as well and it still opens it in word. though our git clone is about 6m old.

doomedraven commented 7 years ago

well it may not pass mimetype, there are a few more, try to check the same data that cuckoo checks and you will have the answer where it bypassed :)

mallorybobalice commented 7 years ago

File Details

File Name Invoice1.ppt File Size 34650 bytes File Type Microsoft OOXML

ummmm...it's more like 'open doc format' ala office not doc or ppt... it should really rely on extension perhaps or a combination. idk i'm all confused -and haven't even looked at the package py file and need sleep :( (it definitely runs as ppt . aside from the not activating the mouseover)

mallorybobalice commented 7 years ago

by the way - these two warnings don't get clicked either by human.py

doomedraven commented 7 years ago

second one is bcz you have not enabled it (macro/activex), it can be tricked by registry modification inside of vm/cuckoo, I can't test it till 19.06 as i told so can't help more than with advice

mallorybobalice commented 7 years ago

macros and activex are both enabled pre-exec =) alright i understand you're on holidays but maybe someone else can help?

doomedraven commented 7 years ago

no, i'm working, but have a lot of stuff to finish before i will have some spare time. that is really weird, check trusted * also

mallorybobalice commented 7 years ago

ps it's also very clearly extensible - extract the ppsx and have a look at the slide res xmls

> that is really weird, check trusted * also

mmm? not entirely sure what you mean. well trusted files is not set to * via registry. but idk... i mean i can see in modified reg keys (after the file exec, sans the powershell keys)

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Resiliency\StartupItems\*+f
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Resiliency\DocumentRecovery
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Resiliency\DocumentRecovery\xxx
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\ServicesManagerCache\ServicesCatalog\CacheReady
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\ServicesManagerCache\ServicesCatalog\LastRequest
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\ServicesManagerCache\ServicesCatalog\LastUpdate
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\ServicesManagerCache\ServicesCatalog\NextUpdate
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\SlideShow
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\SlideShow\RestoreSysParams
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Roaming\RoamingConfigurableSettings
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Roaming\RoamingLastSyncTime
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Roaming\RoamingLastWriteTime
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\Trusted Documents\LastPurgeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00005109110000000000000000F01FEC\Usage\ProductFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Resiliency\DocumentRecovery\xxx
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Options\AppMaximized
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Licensing\xxxx
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\General\LastAutoSavePurgeTime
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\33\xxxx\LanguageList

but i'm not sure.

mallorybobalice commented 7 years ago

hmmm interesting. apparently the enable content warning is from protected view. guess i gotta revise the settings for the guests https://www.bleepingcomputer.com/news/security/powerpoint-file-downloads-malware-when-you-hover-a-link-no-macros-required/

doomedraven commented 7 years ago

in your image first 4 sections are trusted *, check there, everything should be allowed

hm interesting article

mallorybobalice commented 7 years ago

ps they're referring to protected view (bottom one from the trust center screenshots).

heh... unfortunately csb still doesn't do ole and probably won't do mouseover. unlike secret sauce commercial offerings (joe/hybrid) oh well i suppose....

doomedraven commented 7 years ago

here is the issue https://github.com/spender-sandbox/cuckoo-modified/blob/55bafa2a325379418da9c2cdc66530458d827d17/analyzer/windows/lib/core/packages.py#L31

mallorybobalice commented 7 years ago

Thanks

Hmm doesn't look like just adding ppsx to

```python
elif "Microsoft PowerPoint" in file_type or \
        file_name.endswith((".ppt", ".pot", ".pps", ".pptx", ".pptm", ".potx", ".potm", ".ppam", ".ppsx", ".ppsm", ".sldx", ".sldm")):
    return "ppt"
```

will help.

Seems like the least harmful way is taking 'Microsoft ooxml ' out of the doc if and moving it into elseif after PowerPoint, but still bound to doc?

```python
elif "Rich Text Format" in file_type or \
        "Microsoft Word" in file_type or \
        "Microsoft Office Word" in file_type or \
        "Microsoft OOXML" in file_type or \
        "MIME entity" in file_type or \
        file_name.endswith((".doc", ".dot", ".docx", ".dotx", ".docm", ".dotm", ".docb", ".rtf", ".mht", ".mso")):
    return "doc"
```

This is the easy bit. For running it, Short of xml decoding all the relationship targets out of xml.rels I can't think of anything. Either blindly or after matching to action ppaction:program.

I haven't looked what we can do for ole in the other issue. I would mind blindly extract and run

doomedraven commented 7 years ago

> Seems like the least harmful way is taking 'Microsoft ooxml ' out of the doc if and moving it into elseif after PowerPoint, but still bound to doc?

no, as that is generic mime i think, as i googled it and it can be doc and here we have pptx so i think the easier way is just to remove it

i think sflock has nice package detection as it checks internals files in this case, check it if you have spare time
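Added example, not part of the thread and not code from cuckoo-modified or sflock: one way to resolve the generic "Microsoft OOXML" file type by reading the container's `[Content_Types].xml`, so a PowerPoint slideshow is not routed to the Word package. The function names, the `xls` package name and the sample input are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Substring of the main part's content type -> package name.
# "doc" and "ppt" are the names used in this thread; "xls" is assumed.
HINTS = (("wordprocessingml", "doc"), ("ms-word", "doc"),
         ("presentationml", "ppt"), ("ms-powerpoint", "ppt"),
         ("spreadsheetml", "xls"), ("ms-excel", "xls"))


def ooxml_package(data, fallback=None):
    """Pick a package from the OOXML main part, or return fallback."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Untrusted XML: a hardened parser such as defusedxml is safer.
            root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return fallback  # not a zip, no content-types part, or broken XML
    for override in root.iter(CT_NS + "Override"):
        ctype = override.get("ContentType", "")
        if ".main" not in ctype:  # skip slides, themes, styles, ...
            continue
        for needle, package in HINTS:
            if needle in ctype:
                return package
    return fallback


def make_sample(main_type):
    """Constructed input: a zip holding only [Content_Types].xml."""
    xml = ('<Types xmlns="http://schemas.openxmlformats.org/package/'
           '2006/content-types"><Override PartName="/main.xml" '
           'ContentType="%s"/></Types>' % main_type)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    ppsx = make_sample("application/vnd.openxmlformats-officedocument."
                       "presentationml.slideshow.main+xml")
    print(ooxml_package(ppsx, fallback="doc"))
```

The `fallback` argument keeps the open question from the thread explicit: the caller decides what happens when the container cannot be identified.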

mallorybobalice commented 7 years ago

yep I get that ...but mmm well moving it below all the extension specific files sort of makes less bad [1/5 chance of it being correctly opened by correct handler app].

either way works, just the matter of what the fallback behaviour we want should be

doomedraven commented 7 years ago

Check sflock ident function :)

mallorybobalice commented 7 years ago

sflock is pretty great. https://github.com/spender-sandbox/cuckoo-modified/issues/422 i had a look at it a while ago for another issue (might've been msg file demuxing). unfortunately integrating it with CSB-M is way beyond my current time limits or codebase knowledge abilities.

doomedraven commented 7 years ago

well there we only need to check with upstream cuckoo how they handle it ;) i will try to get a look at it after 19.06

jbremer commented 7 years ago

What's CSB-M? I'll be happy to look at adding some additional handling/etc to sflock if you provide some samples etc.

mallorybobalice commented 7 years ago

csb-m is here =) cuckoo-modified. ummm, well either here or in doomedraven's new repo =)?

i think Sflock is only part of it . the other problem is resubmitting it in a meaningful form (unless sflock already does it for embedded files in docs)

sample wise - 1) it'd just be embedded msg (attachments from msg files) to directly demux and submit ^i think it already handles it

2) composite docs https://www.hybrid-analysis.com/sample/f628f332c20a612c2955a5c512d71640ba9d5fd789092aa9bda13a01b5bd7c68?environmentId=100 ^that embeds a wscript .js

i don't have recent examples of packager lnk files (or was it embedded powershell commands as a 'program'?) [there were major campaigns using it for a while. a few more examples can be generated with Empire as well https://enigma0x3.net/2016/03/15/phishing-with-empire/ ].

3) things embedding commands but not files

https://www.hybrid-analysis.com/sample/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921?environmentId=100

^ that's more of a mouseover action powerpoint thing, not ole, not macro, not embedded doc (have a look at the xml and res files). more of an embedded command line.

a secondary concern would be keeping --unique flags for multiple submission ways for people using utils.py or api to keep duplicates to a minimum.

doomedraven commented 7 years ago

i think the best would be focus to unify all of that to sflock, so it will be easy to integrate and keep it up to date

Nwinternights commented 7 years ago

it would be useful to instruct the human.py to mouseover on screen before clicking when there is a PPT slideshow. I'm trying to play with code(inverting the action) but for the moment I've no luck. https://github.com/spender-sandbox/cuckoo-modified/blob/master/analyzer/windows/modules/auxiliary/human.py#L256

mallorybobalice commented 7 years ago

@nwn, you raise a good point try making say 20 of those, so it's easy to cross an edge and it still won't trigger with human py

I think the reason may be moving to a new xy is not the same as smooth move crossing edges. (Kinda like tablet tap vs mouse move perhaps). Not too sure (I thought it would trigger if it leaves a label or button and enters another). Also ole is much more actively exploited in crimeware. (Embedded js) Ppsx or pps mouseover - not yet, though it is bleeding into the news for the 25-30 May more targeted campaign. http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard-gootkit/

mallorybobalice commented 7 years ago

Well or maybe ppsx and pps mouseover made it into crimeware too https://arstechnica.com/security/2017/06/malicious-powerpoint-files-can-infect-targets-when-hovering-over-hyperlinks/

Nwinternights commented 7 years ago

by the way in my opinion @doomedraven gave the answer. I think the best way is to dissect powerpoint with sflock and making static analysis using yara , cuckoo custom signature or clamav custom sig.

mallorybobalice commented 7 years ago

For mouseover ppsx it's action button in target and xml /res inside a .zip. Not sure about ole and pps. I get the feeling sflock is more for demuxing composite files for old style pps type docs. Not flat files or 2007+ zips. Happy to be corrected though
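Added example, not part of the thread and not code from cuckoo-modified or sflock: a static check along the lines discussed above, which walks the XML parts of a PPSX/PPTX container, finds hyperlink actions of type `ppaction://program`, and resolves each one through the part's `.rels` file so the target can be reported or matched by a signature. The function names and the sample container are assumptions made for illustration.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

A = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def program_actions(data):
    """Return (part, trigger, target) for each ppaction://program link."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in sorted(n for n in names if n.endswith(".xml")):
            # Relationships for ppt/slides/slide1.xml live in
            # ppt/slides/_rels/slide1.xml.rels
            folder, base = posixpath.split(part)
            rels = posixpath.join(folder, "_rels", base + ".rels")
            try:
                tree = ET.fromstring(zf.read(part))
                rel_root = ET.fromstring(zf.read(rels)) if rels in names else None
            except ET.ParseError:
                continue  # damaged part: nothing to inspect
            found = rel_root.iter(REL + "Relationship") if rel_root is not None else ()
            targets = {rel.get("Id"): rel.get("Target") for rel in found}
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for link in tree.iter(A + trigger):
                    if link.get("action", "").startswith("ppaction://program"):
                        hits.append((part, trigger, targets.get(link.get(R + "id"))))
    return hits


def make_sample():
    """Constructed input: two bare slide parts, not a valid presentation."""
    ns = 'xmlns:a="%s" xmlns:r="%s"' % (A[1:-1], R[1:-1])
    parts = {
        "ppt/slides/slide1.xml": '<sld %s><a:hlinkMouseOver r:id="rId2" '
                                 'action="ppaction://program"/></sld>' % ns,
        "ppt/slides/_rels/slide1.xml.rels":
            '<Relationships xmlns="%s"><Relationship Id="rId2" '
            'Target="placeholder-command"/></Relationships>' % REL[1:-1],
        "ppt/slides/slide2.xml": '<sld %s><a:hlinkClick r:id="rId1"/></sld>' % ns,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A hit with trigger `hlinkMouseOver` is the case from this issue, where nothing runs until the pointer passes over the shape; an ordinary hyperlink without a program action, like the one in the second constructed slide, is not reported.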

doomedraven commented 7 years ago

> Not flat files or 2007+ zips

False ;)

mallorybobalice commented 7 years ago

Alright, alright, I should go read sflock source =)

doomedraven commented 7 years ago

yup there are a lot of improvements, you can now even extract doc from pdf in 2 lines only