Non-Standard Database

Network IP Address Project Status Date
Reason
192.169.0.0/24 192.168.0.255 Default On-Hold 01JAN1970
This is an example for a non-standard entry. This should include all relevant information regarding what happened on the operation and why this device has been placed on the NSDB.
192.169.0.0/24 192.168.0.1 Default Released 01JAN1970
This is an example for a non-standard entry. This should include all relevant information regarding what happened on the operation and why this device has been placed on the NSDB.
10.2.4.0/24 10.2.4.18 BLUEBOX Released 18AUG2019 
Processes:
   logger.bin
Installed Directory:
   /bin/log/
Network Connections:
   none observed
Hash:
   deaf1b926d6cd166bdffd5d723409c832c7aef3a2
Final Assessment:
The observed process, logger.bin, is known malware that functions as a local keylogger. The logger records keystrokes 
by capturing input as it comes from the keyboard and saves the data in the /bin/log/data text file and sends the data to 
an IP and port specified in logger.conf in the /bin/log/ directory once daily. Because the data is captured at the keyboard 
and not at system level, it is unable to log remote credentials or commands.  
Operator Recommendation:
This target should be released as the malware has no way to identify our access or actions. As the malware is not well 
hidden, its presence also indicates low administrator oversight. Continue to monitor if it is running for changes in 
administrator attentiveness. Operator also recommends capturing /bin/log/data when accessing this host.
10.123.169.0/24 10.123.169.30 BLUEBOX On-Hold 20AUG2019 
Processes:
   mscore1ib.exe   808     0       17,520 K
   mslibterm.exe   1715    0       35,680 K
Registry:
   HKLM\Software\Freeform
Installed Directory:
   C:\Program Files\MSCoreLibrary\
Network Connections:
   TCP     10.123.169.30:4327       52.43.89.11:443 ESTABLISHED     1715
Service/Persistence:
   SERVICE_NAME: msderplib
   DISPLAY_NAME: Microsoft Core Library addons
           TYPE: 10 WIN32_OWN_PROCESS
           STATE: 4 RUNNING
Hash:
   fead1b926d6ea166daffd5c56106b328c77e240f
Final Assessment:
    This malware is credit card stealing spyware that calls out to a remote server to report on extracted information. 
Research shows that the malware works by scraping memory and extracting the plaintext creditcard information straight from 
any browser it identifies and injects into. At the time of discovery There was one Chrome browser running with 5 tabs.
Operator Recommendation:
    This target should be released from hold and Ops can continue on target as long as no technique used interacts 
with any browser on the system.
10.168.169.0/24 10.168.169.30 BLUEBOX On-Hold 20AUG2019 
Processes:
   mscore1ib.exe   808     0       17,520 K
   mslibterm.exe   1715    0       35,680 K
Registry:
   HKLM\Software\Freeform
Installed Directory:
   C:\Program Files\MSCoreLibrary\
Network Connections:
   TCP     10.168.169.30:4327       52.43.89.11:443 ESTABLISHED     1715
Service/Persistence:
   SERVICE_NAME: msderplib
   DISPLAY_NAME: Microsoft Core Library addons
           TYPE: 10 WIN32_OWN_PROCESS
           STATE: 4 RUNNING
Hash:
   fead1b926d6ea166daffd5c56106b328c77e240f
Final Assessment:
    This malware is credit card stealing spyware that calls out to a remote server to report on extracted information. 
Research shows that the malware works by scraping memory and extracting the plaintext creditcard information straight from 
any browser it identifies and injects into. At the time of discovery There was one Chrome browser running with 5 tabs.
Operator Recommendation:
    This target should be released from hold and Ops can continue on target as long as no technique used interacts 
with any browser on the system.
10.20.169.0/24 10.20.169.122 BLUEBOX Released 25MAY2019 
Network Connections:
   TCP     10.123.169.30:4327       192.168.0.11:443 ESTABLISHED     1910 
       
   TCP     10.123.169.30:4327       192.168.0.11:443 ESTABLISHED     2015 
        
    Admin very active on device. Will run checks while first logging in and then logging off. Admin is unaware of 
Operator presence on device, will check with analysts to see if they see anything in collect that says otherwise. 
It was determined through analysts that it was the Admin's day off. Operator conducted checks to see when the Admin was off. 
Once Admin had left target, Operator conducted survey to see what the Admin had ran on device. Nothing that indicated that 
the Admin suspected/has knowledge of our operations within their network.

        
Final Assessment:

        
 Give them the stick team. Project and target are released 
        
Operator Recommendation:

        
    Recomend that this project be released from hold and target be released from hold. Admin doesnt know of our 
presence, and we have zero equity on device. Operator needs to be aware of when the Admin logins and wait until they log off 
before continuing with operations. Admin is only on for lenghts of 20 to 30 minutes before logging out
10.97.182.0/24 10.97.182.65 BLUEBOX On-Hold 03SEP2019 
Processes:
   netconmon.exe   1904    0       18,630 K
Registry:
   HKLM\Software\SAFENET
Installed Directory:
   C:\Program Files\SAFENET\
Network Connections:
   TCP     10.97.182.65:9827       10.34.98.11:443 ESTABLISHED     1904
Service/Persistence:
   SERVICE_NAME: ntconmon
   DISPLAY_NAME: SafeNet Network Connection Monitor
           STATE: 4 RUNNING
Hash:
   6e4d1b906d3ea998daffda714106c928c9beff04
Final Assessment:
    This is a third party network monitoring application/service from SafeNet Technologies. It records in the 
C:\Program Files\SAFENET\conlog.txt and remotely logs all connection information and monitors for connections to known 
bad or suspicious IPs or ports. Connections are actively monitored and recoreded, but are requested from SafeNet servers
on port 9827 on a recurring basis scheduled by the administrator. The default is daily at midnight. Because log submission 
schedules are stored remotely, we are unable to determine when the logs will be uploaded for review. Active use of the 
conlog.txt file by netconmon.exe prevents getting a read/write handle on the log file, and the operator cannot clean logs 
without using tools and techniques.
Operator Recommendation:
    This target should remain on hold until it can be tested to see if any tools/rootkits can connect in a way that will 
not be observed by the software. Additional research into identifying the log submission schedule and means to overwrite
logs are also recommended prior to release.
10.156.120.0/24 10.156.120.78 BLUEBOX On-Hold 22SEP2019 
Processes:
   Not Running in the process list
Installed Directory:
   /etc/logwatch
Network Connections:
   none
Final Assessment:
Logwatch is a program that generates Low to High level reports about logs currently saved on a device. 
The configuration sits in /etc/logwatch/conf/logwatch.conf and can be configured to either remotely send logs to a 
e-mail address (which does not generate a log file on the device) or it can save logfiles on the device in the /var/log 
directory (which is permanent) or in the /var/cache/logwatch (which is temporary). The logwatch.conf is currently 
configured to send its reports to ahmed@someemail.com from the sender of Logwatch. This device has the logwatch set to 
report on all services for a time range of all time; our ssh connection and any sudoing we have done on this target will 
be sent in the report when it goes out. Since it is set to e-mail the report the operator cannot currently clean it out. 
Operator Recommendation:
This target should be kept on hold until the Ops team can find away to mitigate the logging reports that are being sent 
out by Logwatch. Once we can do that we can safely return to this target and use it in our scheme of manuever.
10.9.210.0/24 10.9.210.22 BLUEBOX On-Hold 18SEP2019 
    Admin locally logged in and very active on device. The admin was observed running network diagnostic checks during
access and investigated log files that would have recorded our SSH connection. Admin was also observed investigating the 
process associated with our network connection. We took no additional actions on target and disconnected.
Final Assessment:
    We used legitimate SSH credentials for an authorized user so there is a chance no security change will take place. 
However, active admin pursuit will likely raise the security posture within the target network, or at least monitor the 
network more closely for the time being. Possible mandatory password changes may be instituted if the admin determines 
our access was not the authorized user. 
Operator Recommendation:
    Recomend that this project be released from hold but that the target and network remain on-hold for a minimum 
two week cool off period. After this time, recommend an operation to verify that credentials are still good. If they 
have changed, extends the cool off period in case failed logins are logged. If credentials have not changed, review admin 
logins and activity to determine the admin's current security posture before proceeding.
10.168.169.0/24 10.168.169.5 BLUEBOX On-Hold 12OCT2019 
Processes:
  0 S root      552     1  0  80   0 - 28282 do_wai 16:41 ?        00:00:00 /bin/bash /usr/include/.../bashbd.sh

Installed Directory:
   /root/brootkit/bashbd.sh
Network Connections:
Service/Persistence:
  Rootkit
 HIDE_PORT    8080,8899,443,80,22
 HIDE_FILE               br.conf,bashbd.sh,brootkit,.bdrc,brdaemon,wzt,rsyslog.conf
 HIDE_PROC               bashbd,brootkit,pty.spawn,brdaemon
 REMOTE_HOST             192.168.215.128
 REMOTE_PORT             8080
 SLEEP_TIME              60
Final Assessment:
 Rootkit on system that allows for the ability to hide from admintrator or hids, has su passwd thief, hide file 
and directories, hide process, hide network connections, connect backdoor,  multi thread port scanner, http download, 
and multi thread ssh passwd crack.
Operator Recommendation:
  Target she be put on hold and no longer accessed during operations. The rootkit can see Operator and actions 
while on target. Reccomend that project be released and target put on hold indefinitly.
192.168.15.0\24 192.168.15.26 BLUEBOX Released 05JAN2020 
Processes:
	check.py
Cron Job:
	/etc/cron.daily/checker
Hash (md5)
	7af5f68a64977b404b1bd101d1cce018
File Location:
	/root/check.py
File Contents:
	#!/usr/bin/env python
	import os
	os.system("ls -latrR /etc > /tmp/.log.txt 2> /dev/null")
	os.system("cp /tmp/.log.txt /var/log/.log.bak")
	difference = os.popen("diff /tmp/.log.txt /var/log/.log.bak").read()
	if difference:
		f = open("/root/.etc-diff.log","a")
		f.write("CHANGE IN \"/etc\" FOUND\nIF UNRECOGNIZED, SYSTEM COULD BE COMPROMISED\n")
		f.write(difference)
		f.close()
Final Assessment:
	/root/check.py is a python script that runs bash commands to look inside the /etc directory and check if anything 
has changed.  The script recursively looks inside the /etc directory and saves the output to /tmp/.log.txt.
The script then compares the recursive lookup to another file /var/log/.log.bak (the previous output of the script being ran) and
diff's the two files to see if anything has been changed. If there is a difference in the two files, the script will then save it
to /root/.etc-diff.txt. The file is owned by root and gets ran inside /etc/cron.daily. Script shows basic understanding of
Linux and python programming, root user could have higher technical knowledge than the average user
Operator Recommendation:
	The script only looks inside the /etc directory, so any changes inside of there has possibility of getting caught.
/tmp/.log.txt gets deleted after script is ran. /root/.log.bak and /root/.etc-diff.txt are the remaining log files which are both ASCII.
Future operations will need to be aware of script if changes to /etc are being made.  Script poses no threat to current operations.
Operator recommends target and project be released from hold.
 

Home   Daily Read   Guidelines

© Haxor Publishing, 2009