Getting DNS Client Cached Entries with CIM/WMI

in , , ,

What is DNS Cache

The DNS cache maintains a database of recent DNS resolution in memory. This allows for faster resolution of hosts that have been queried in the recent past. To keep this cache fresh and reduce the chance of stale records the time of items in the cache is of 1 day on Windows clients. 

The DNS Client service in Windows is the one that manages the cache on a system, This time Window can be modified via the registry in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters where the MaxCacheTtl property controls the time in the cache in seconds and the MaxNegativeCacheTtl property controls the time a failed response is cached.  

Why is it Important

For an attacker, it means primarily situational awareness. It allows him to know what other systems this host has accessed and the IP address of the host. This may allow identifying security platforms by the FQDNs used as well as business process systems, both internal or in the cloud. On an important note for the attacker is that if his implant/agent on the system does not include its own resolution capability it has an IOC present on the system that can be used to track its command and control infrastructure. 

For a defender, the ability to know what hosts a system may have connected to in the last 24 hours. This will permit a defender to query across his environment for hosts that are communicating or have communicated with a specific host if DNS resolution was part of the process and if the attacker is not using its own resolution method. If the attacker is “Living off the Land” and using OS tools it will still leave the femoral trace on the system until the cached entry TTL (Time to Live) expires.

MSFT_DNSClientCache class

In Windows 8/2012 Microsoft added the MSFT_DNSClientCache class into the CIM object database in Windows. The class is under the new namespace that was also added to Root\StandardCimv2 and the resources are provided as part of the DnsClientCim.dll. This allows us to query for instances of the class and get all entries for the DNS Cache database. 

Read More

RDP TLS Certificate Deployment Using GPO

in

Remote Desktop has been the Go To remote administration tool for many IT professionals and sadly many even expose it to the internet leading to brutefoce attacks and Man in the Middle attacks. I still remember the fist time I saw how easy it is from Irongeek examples using Cain & Able http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff and http://www.irongeek.com/i.php?page=security/cain-rdp-mitm-parser I have taken great care to make sure RDP connections in my network and customer networks are as secure as possible. Here is an example on how to deploy TLS certificates for use of RDP via GPO and how to configure some none Microsoft systems.

 

Read More

Creating WMI Filters and GPOs with PowerShell

In my last 2 blog post I covered the creation of group policy objects for distributing certificates to all computers in a domain and enable Network Level Authentication on them plus also covered how to create and use WMI filters to specify which machines a Group Policy Object should apply to. On this blog post I will cover how to do this with Windows 2008 R2 built in PowerShell Module and some external ones from SDM Software. The GPO that we will be creating is to disable RDP on none Vista, Windows 7 and Windows 2008 hosts since following the other  blog posts these do not support NLA on their Remote Desktop Service. We will use PowerShell on a Windows 2008 R2 Domain Controller. Since we are going to use external scripts we would first start modifying the execution policy this is done by running the Set-ExecutionPolicy command to allow local scripts to execute without the need of being signed. 

PS C:\Windows\system32> Set-ExecutionPolicy remotesigned
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
PS C:\Windows\system32>
As stated by the command this could be a potential security risk so do remember to re-run the command at the en with the execution policy of Restricted. Before we start creating group policy objects and linking them we should create a WMI Filter that we will attach to the policy. I took the liberty to write one based on another one I saw in the Microsoft Scripting Repository that will create a series of base filters for you when ran in a Domain Controller running Windows 2008 or Windows 2008 R2. You can download the script from my GitHub account at https://github.com/darkoperator/powershell_scripts/blob/master/create-wmifilters.ps1 the script will make the necessary changes to the registry to allow modification of attributes locally on the box thus allowing us to add the filters. The script is ran from a PoweShell Window providing the path like any other PowerShell script:
PS C:\Users\Administrator\Documents> .\create-wmifilters.ps1
Checking is registry key is set to allow changes to AD System Only Attributes is set.
Allow System Only Change key is not set
Creating key and setting value to 1
Starting creation of WMI Filters:
Adding WMI Filter for: Virtual Machines
Adding WMI Filter for: Workstation 32-bit
Adding WMI Filter for: Workstation 64-bit
Adding WMI Filter for: Workstations
Adding WMI Filter for: Domain Controllers
Adding WMI Filter for: Servers
Adding WMI Filter for: Windows 2000
Adding WMI Filter for: Windows XP
Adding WMI Filter for: Windows Vista
Adding WMI Filter for: Windows 7
Adding WMI Filter for: Windows Server 2003
Adding WMI Filter for: Windows Server 2008
Adding WMI Filter for: Windows Server 2008 R2
Adding WMI Filter for: Windows Vista and Windows Server 2008
Adding WMI Filter for: Windows Server 2003 and Windows Server 2008
Adding WMI Filter for: Windows 2000, XP and 2003
Finished adding WMI Filters
Disabling Allow System Only Change Attributes on server
Now you will have some WMI Filters we can use as base in our Group Policy Objects, do remember that we can have several filters linked to a single GPO. 
Once this is done we can import the GroupPolicy PowerShell module that is installed on Windows 2008 Domain Controllers when promoted and look at the available commands we get from the module:
PS C:\> Import-Module grouppolicy
PS C:\> Get-Command -Module grouppolicy | Format-Table -AutoSize
CommandType Name                       Definition
----------- ----                       ----------
Cmdlet      Backup-GPO                 Backup-GPO -Guid <Guid> -Path <String> [-Comment <String>] [-Domain <String>]...
Cmdlet      Copy-GPO                   Copy-GPO -SourceGuid <Guid> -TargetName <String> [-SourceDomain <String>] [-T...
Cmdlet      Get-GPInheritance          Get-GPInheritance [-Target] <String> [-Domain <String>] [-Server <String>] [-...
Cmdlet      Get-GPO                    Get-GPO [-Guid] <Guid> [[-Domain] <String>] [[-Server] <String>] [-All] [-Ver...
Cmdlet      Get-GPOReport              Get-GPOReport [-Guid] <Guid> [-ReportType] <ReportType> [[-Path] <String>] [[...
Cmdlet      Get-GPPermissions          Get-GPPermissions -Guid <Guid> [-TargetName <String>] [-TargetType <Permissio...
Cmdlet      Get-GPPrefRegistryValue    Get-GPPrefRegistryValue -Guid <Guid> -Context <GpoConfiguration> -Key <String...
Cmdlet      Get-GPRegistryValue        Get-GPRegistryValue -Guid <Guid> -Key <String> [-ValueName <String>] [-Domain...
Cmdlet      Get-GPResultantSetOfPolicy Get-GPResultantSetOfPolicy [-Computer <String>] [-User <String>] -ReportType ...
Cmdlet      Get-GPStarterGPO           Get-GPStarterGPO -Guid <Guid> [-Domain <String>] [-Server <String>] [-All] [-...
Cmdlet      Import-GPO                 Import-GPO -BackupId <Guid> -Path <String> [-TargetGuid <Guid>] [-TargetName ...
Cmdlet      New-GPLink                 New-GPLink -Guid <Guid> -Target <String> [-LinkEnabled <EnableLink>] [-Order ...
Cmdlet      New-GPO                    New-GPO [-Name] <String> [-Comment <String>] [-Domain <String>] [-Server <Str...
Cmdlet      New-GPStarterGPO           New-GPStarterGPO [-Name] <String> [-Comment <String>] [-Domain <String>] [-Se...
Cmdlet      Remove-GPLink              Remove-GPLink -Guid <Guid> -Target <String> [-Domain <String>] [-Server <Stri...
Cmdlet      Remove-GPO                 Remove-GPO -Guid <Guid> [-Domain <String>] [-Server <String>] [-KeepLinks] [-...
Cmdlet      Remove-GPPrefRegistryValue Remove-GPPrefRegistryValue [[-Server] <String>] -Guid <Guid> -Context <GpoCon...
Cmdlet      Remove-GPRegistryValue     Remove-GPRegistryValue [-Guid] <Guid> [-Key] <String> [[-ValueName] <String>]...
Cmdlet      Rename-GPO                 Rename-GPO -Guid <Guid> -TargetName <String> [-Domain <String>] [-Server <Str...
Cmdlet      Restore-GPO                Restore-GPO -BackupId <Guid> -Path <String> [-Domain <String>] [-Server <Stri...
Cmdlet      Set-GPInheritance          Set-GPInheritance [-Target] <String> -IsBlocked <BlockInheritance> [-Domain <...
Cmdlet      Set-GPLink                 Set-GPLink -Guid <Guid> -Target <String> [-LinkEnabled <EnableLink>] [-Order ...
Cmdlet      Set-GPPermissions          Set-GPPermissions -Guid <Guid> -PermissionLevel <GPPermissionType> -TargetNam...
Cmdlet      Set-GPPrefRegistryValue    Set-GPPrefRegistryValue -Guid <Guid> -Context <GpoConfiguration> -Key <String...
Cmdlet      Set-GPRegistryValue        Set-GPRegistryValue -Guid <Guid> -Key <String> [-ValueName <String[]>] [-Valu...
We now use the New-GPO comandlet to create a new empty GPO named DisableRDP:
PS C:\> New-GPO -Name "DisableRDP"
DisplayName      : DisableRDP
DomainName       : acme-lab.com
Owner            : ACME-LAB\Domain Admins
Id               : 31122b47-5129-420f-9fe8-241584cc516d
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 3/20/2012 7:56:43 AM
ModificationTime : 3/20/2012 7:56:44 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :
Now that we have a Group Policy Object created we can use the commadlet to create a registry reference in the GPO that will be applied to the machines that process the GPO under the context of Computer:
PS C:\> Set-GPPrefRegistryValue -Name DisableRDP -Key "HKLM\System\CurrentControlSet\Control\Terminal Server" -ValueName fDenyTSConnections -Value 1 -Type Dword -Context computer -Action update
Now to be able to link a WMI Filter to a GPO we need some external commands provided for free by SDM Software from http://www.sdmsoftware.com/products/freeware/ and we download the SDM GPMC PowerShell Cmdlets and install them on the Domain Controller. Once installed we can load the module:
PS C:\Users\Administrator\Documents> import-module SDM-GPMC
We want to use the Add-SDMWMIFilterLink command to link our GPO with one of the WMI Filters we created for the target of the GPO. To look at examples on how to use it we use the help command with the switch for examples:
PS C:\Users\Administrator\Documents> help Add-SDMWMIFilterLink -Examples
NAME
    Add-SDMWMIFilterLink
SYNOPSIS
    Adds a WMI Filter to a particular GPO
    --------------  Example 1 --------------
    C:\PS>Add-SDMWMIFilterLink "Wireless Policy" -FilterName "Laptop Test"
    Links the WMI filter called "Laptop Test" to the GPO called "Wireless Policy"
    Filter Laptop test linked to GPO Wireless Policy
As we can see the command is quite simple to use we just need to provide it a name for the GPO and a filter name to link to the GPO. Lets link now the GPO with the WMI Filter:
PS C:\Users\Administrator\Documents> Add-SDMWMIFilterLink "DisableRDP" -FilterName "Windows 2000, XP and 2003"
Filter Windows 2000, XP and 2003 linked to GPO DisableRDP
Once done we can now link the GPO to any part of our Active Directory structure. In this case I will attach it to the entire Forest of my lab AD infrastructure:
PS C:\Users\Administrator\Documents> New-GPLink -Name DisableRDP -Target "dc=acme-lab,dc=com”
GpoId       : 31122b47-5129-420f-9fe8-241584cc516d
DisplayName : DisableRDP
Enabled     : True
Enforced    : False
Target      : DC=acme-lab,DC=com
Order       : 3
DisplayName      : DisableRDP
DomainName       : acme-lab.com
Owner            : ACME-LAB\Domain Admins
Id               : 31122b47-5129-420f-9fe8-241584cc516d
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 3/20/2012 7:56:43 AM
ModificationTime : 3/20/2012 8:18:04 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 1, SysVol Version: 1
WmiFilter        :
DisplayName      : DisableRDP
DomainName       : acme-lab.com
Owner            : ACME-LAB\Domain Admins
Id               : 31122b47-5129-420f-9fe8-241584cc516d
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 3/20/2012 7:56:43 AM
ModificationTime : 3/20/2012 7:56:44 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :
This could be a very good way to automate the process of creating Group Policy Objects in lab and then move this to a production environment. Also you could use it for automating disaster recovery procedures. 
As always I hope you found this blog post useful and informative.




























        


        

        

  	
 

    

  




  

    


    
      

        

      

      


        
  			

  				
WMI Filters in Group Policy Objects


          

            
            
             
            
          



  			


        

        

        




  
One of the problems that we see every day in production environments is that even when we would like to have all machines on the same version of Windows many times this is not possible so we have to adapt our Group Policies to these environments.  Microsoft provides a great way to check several parameters of the box thru Windows Management Instrumentation (WMI), this allows is from checking Hardware, software, patches and many other attributes available via the Windows Management Instrumentation (WMI). Lets say we want the previous Group Policy we created to apply only to Windows 2008 R2, Windows 2008, Vista and Windows 7 and lets also make a filter for Windows XP and 2003 so if we decide to make a filter to apply a policy to only those we can apply the filter.   We start by going to the Group Policy  Management Console and choosing under the domain WMI Filters  image  We now Right Click an select New to create a new filter. We will get a screen where we will enter a name and a description for our first filter that will be for Windows 2008, Windows 2008R2, Windows Vista and Windows 7, the operating systems that support Network Level Authentication (NLA) on Remote Desktop Protocol (RDP).  image    Now we click on Add on the Queries section so as to add the WMI Query Language query we will use to filter to what Operating systems the policy is applied to:  image  We will select from Win32_OperatingSystem  the Version, this will give us a version number of 6.0 for Windows Vista and Windows 2008, 6.1 for Windows 2008 R2 and Windows 7.   we will use:  
SELECT * FROM Win32_OperatingSystem WHERE Version like "6.%"
We would click on Add type our filter and then just click on Ok:
image
We now click on save and the filter is ready to apply. 
To apply a filter we just select the policy we want to apply the filter to and select from the WMI Filtering section the WMI Filter we want from the dropdown box:
image
In the case we wanted the filter to be for earlier supported versions of Windows we would use:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.%"
If we wanted to even go more granular we could create separate filter for Product Type where:

      
  • ProductType 1 is for Client Versions of Windows
    •   
  • ProductType 2 is for Server Version of Windows operating as a Domain Controller
    •   
  • ProductType 3 for Server Version of Windows that are not a Domain Controller

If we wanted this to apply to all servers but not domain controller we could do a query like this one:
SELECT * FROM Win32_OperatingSystem WHERE (Version like "5.%" OR Version like "6.%") and ProductType<>2

As you can see there is a lot of flexibility with filters, specially since we can have several of them. As always I hope you find the post informative and useful.




























        


        

        

  	
 

    

  




  

    


    
      

        

      

      


        
  			

  				
The Moth Trojan


          

            
            
             
            
          



  			


        

        

        




  
The Moth Trojan is a very interesting trojan since it is the first one I have seen writen in WMI (Windows Management Instrumentation) a place where I have seen very little forensic information and problably this cincepts is in used in the wild. This type of trojan is easy to detect do to the way it inserts it self into the WMI namespace but lets be honest how many HIPS, AV and admins check the WMI namespace for changes?