Non-Standard Database

Network IP Address Project Status Date Reason
192.169.0.0/24 192.168.0.255 Default On-Hold 01JAN1970
This is an example for a non-standard entry. This should include all relevant information regarding what happened on the operation and why this device has been placed on the NSDB.
192.169.0.0/24 192.168.0.1 Default Released 01JAN1970
This is an example for a non-standard entry. This should include all relevant information regarding what happened on the operation and why this device has been placed on the NSDB.
10.2.4.0/24 10.2.4.18 BLUEBOX Released 18AUG2019
Processes:
   logger.bin
Installed Directory:
   /bin/log/
Network Connections:
   none observed
Hash:
   deaf1b926d6cd166bdffd5d723409c832c7aef3a2
Final Assessment:
The observed process, logger.bin, is known malware that functions as a local keylogger. The logger records keystrokes 
by capturing input as it comes from the keyboard and saves the data in the /bin/log/data text file and sends the data to 
an IP and port specified in logger.conf in the /bin/log/ directory once daily. Because the data is captured at the keyboard 
and not at system level, it is unable to log remote credentials or commands.  
Operator Recommendation:
This target should be released as the malware has no way to identify our access or actions. As the malware is not well 
hidden, its presence also indicates low administrator oversight. Continue to monitor if it is running for changes in 
administrator attentiveness. Operator also recommends capturing /bin/log/data when accessing this host. 
10.123.169.0/24 10.123.169.30 BLUEBOX On-Hold 20AUG2019
Processes:
   mscore1ib.exe   808     0       17,520 K
   mslibterm.exe   1715    0       35,680 K
Registry:
   HKLM\Software\Freeform
Installed Directory:
   C:\Program Files\MSCoreLibrary\
Network Connections:
   TCP     10.123.169.30:4327       52.43.89.11:443 ESTABLISHED     1715
Service/Persistence:
   SERVICE_NAME: msderplib
   DISPLAY_NAME: Microsoft Core Library addons
           TYPE: 10 WIN32_OWN_PROCESS
           STATE: 4 RUNNING
Hash:
   fead1b926d6ea166daffd5c56106b328c77e240f
Final Assessment:
    This malware is credit-card-stealing spyware that calls out to a remote server to report on extracted information. 
Research shows that the malware works by scraping memory and extracting the plaintext credit card information straight from 
any browser it identifies and injects into. At the time of discovery there was one Chrome browser running with 5 tabs.
Operator Recommendation:
    This target should be released from hold and Ops can continue on target as long as no technique used interacts 
with any browser on the system.
10.168.169.0/24 10.168.169.30 BLUEBOX On-Hold 20AUG2019
Processes:
   mscore1ib.exe   808     0       17,520 K
   mslibterm.exe   1715    0       35,680 K
Registry:
   HKLM\Software\Freeform
Installed Directory:
   C:\Program Files\MSCoreLibrary\
Network Connections:
   TCP     10.168.169.30:4327       52.43.89.11:443 ESTABLISHED     1715
Service/Persistence:
   SERVICE_NAME: msderplib
   DISPLAY_NAME: Microsoft Core Library addons
           TYPE: 10 WIN32_OWN_PROCESS
           STATE: 4 RUNNING
Hash:
   fead1b926d6ea166daffd5c56106b328c77e240f
Final Assessment:
    This malware is credit-card-stealing spyware that calls out to a remote server to report on extracted information. 
Research shows that the malware works by scraping memory and extracting the plaintext credit card information straight from 
any browser it identifies and injects into. At the time of discovery there was one Chrome browser running with 5 tabs.
Operator Recommendation:
    This target should be released from hold and Ops can continue on target as long as no technique used interacts 
with any browser on the system.
10.20.169.0/24 10.20.169.122 BLUEBOX Released 25MAY2019
Network Connections:
   TCP     10.123.169.30:4327       192.168.0.11:443 ESTABLISHED     1910
   TCP     10.123.169.30:4327       192.168.0.11:443 ESTABLISHED     2015
    Admin very active on device. Will run checks while first logging in and then logging off. Admin is unaware of 
Operator presence on device; will check with analysts to see if they see anything in collect that says otherwise. 
It was determined through analysts that it was the Admin's day off. Operator conducted checks to see when the Admin was off. 
Once Admin had left target, Operator conducted survey to see what the Admin had run on device. Nothing indicated that 
the Admin suspected or had knowledge of our operations within their network.
Final Assessment:
    Give them the stick, team. Project and target are released.
Operator Recommendation:
    Recommend that this project be released from hold and target be released from hold. Admin doesn't know of our 
presence, and we have zero equity on device. Operator needs to be aware of when the Admin logs in and wait until they log off 
before continuing with operations. Admin is only on for lengths of 20 to 30 minutes before logging out.
10.97.182.0/24 10.97.182.65 BLUEBOX On-Hold 03SEP2019
Processes:
   netconmon.exe   1904    0       18,630 K
Registry:
   HKLM\Software\SAFENET
Installed Directory:
   C:\Program Files\SAFENET\
Network Connections:
   TCP     10.97.182.65:9827       10.34.98.11:443 ESTABLISHED     1904
Service/Persistence:
   SERVICE_NAME: ntconmon
   DISPLAY_NAME: SafeNet Network Connection Monitor
           STATE: 4 RUNNING
Hash:
   6e4d1b906d3ea998daffda714106c928c9beff04
Final Assessment:
    This is a third-party network monitoring application/service from SafeNet Technologies. It records in 
C:\Program Files\SAFENET\conlog.txt and remotely logs all connection information and monitors for connections to known 
bad or suspicious IPs or ports. Connections are actively monitored and recorded, but are requested from SafeNet servers 
on port 9827 on a recurring basis scheduled by the administrator. The default is daily at midnight. Because log submission 
schedules are stored remotely, we are unable to determine when the logs will be uploaded for review. Active use of the 
conlog.txt file by netconmon.exe prevents getting a read/write handle on the log file, and the operator cannot clean logs 
without using tools and techniques.
Operator Recommendation:
    This target should remain on hold until it can be tested to see if any tools/rootkits can connect in a way that will 
not be observed by the software. Additional research into identifying the log submission schedule and means to overwrite
logs are also recommended prior to release.
10.156.120.0/24 10.156.120.78 BLUEBOX On-Hold 22SEP2019
Processes:
   Not Running in the process list
Installed Directory:
   /etc/logwatch
Network Connections:
   none
Final Assessment:
Logwatch is a program that generates low- to high-level reports about logs currently saved on a device. 
The configuration sits in /etc/logwatch/conf/logwatch.conf and can be configured either to remotely send logs to an 
e-mail address (which does not generate a log file on the device) or to save log files on the device in the /var/log 
directory (which is permanent) or in /var/cache/logwatch (which is temporary). The logwatch.conf is currently 
configured to send its reports to ahmed@someemail.com from the sender Logwatch. This device has Logwatch set to 
report on all services for a time range of all time; our ssh connection and any sudoing we have done on this target will 
be sent in the report when it goes out. Since it is set to e-mail the report, the operator cannot currently clean it out. 
Operator Recommendation:
This target should be kept on hold until the Ops team can find a way to mitigate the logging reports that are being sent 
out by Logwatch. Once we can do that, we can safely return to this target and use it in our scheme of maneuver. 
10.9.210.0/24 10.9.210.22 BLUEBOX On-Hold 18SEP2019
    Admin locally logged in and very active on device. The admin was observed running network diagnostic checks during
access and investigated log files that would have recorded our SSH connection. Admin was also observed investigating the 
process associated with our network connection. We took no additional actions on target and disconnected.
Final Assessment:
    We used legitimate SSH credentials for an authorized user so there is a chance no security change will take place. 
However, active admin pursuit will likely raise the security posture within the target network, or at least monitor the 
network more closely for the time being. Possible mandatory password changes may be instituted if the admin determines 
our access was not the authorized user. 
Operator Recommendation:
    Recommend that this project be released from hold but that the target and network remain on hold for a minimum 
two-week cool-off period. After this time, recommend an operation to verify that credentials are still good. If they 
have changed, extend the cool-off period in case failed logins are logged. If credentials have not changed, review admin 
logins and activity to determine the admin's current security posture before proceeding.
© Haxor Publishing, 2009