Vulnerability management is important if you want to make life difficult for hackers. This is a follow-up of a LinkedIn post I wrote a few weeks ago (Dare to be vulnerable!) with a few more details.

Vulnerabilities are necessary for attacks to be successful. The vulnerability does not need to be a software flaw, it can also be a configuration error, or an error in the way the technology is used. When we want to reduce vulnerability exposure, we should take into account that we need to cover:

1. Software vulnerabilities (typically published as CVE’s)
2. Software configuration errors (can be really hard to identify)
3. Deviations from acceptable use or intended workflows
4. Errors in workflow design that are exploitable by attackers

A vulnerability management process will typically consist of:

1. Discovery
2. Analysis and prioritization
3. Remediation planning
4. Remediation deployment
5. Verification

Software vulnerabilities are the easiest part to perform this on, because they can be largely discovered and remediated automatically. By using automatic software updates, steps b-d in the vulnerability management process can be taken care of. If your software is always up to date, the vulnerability discovery function becomes an auditing function, used to check that patching is happening.

Create a practical policy

Sometimes, vulnerabilities exist that cannot be fixed automatically, or automation errors prevent updates from occurring. In these situations, we need to evaluate how much risk these vulnerabilities pose to our system. Because we need this evaluation to work on a large scale, we cannot depend on a manual risk evaluation for each vulnerability. Some programs will use the CVSS score for prioritization and say that everything marked as CRITICAL (e.g. CVSS > 8) needs to be patched right away. However, this may not match the business risk well – a lower scored vulnerability in a more critical system can pose a greater threat to core business processes. That is why it is useful to classify all devices by their criticality for vulnerability management. Then we can create a guidance table like this (this is just an example – every organization should make their own guidance based on their risk tolerance).

A critical element for managing this in practice is a good discovery function. There are many vulnerability management systems with this functionality, as well as various vulnerability scanners. For managing a network, we can use Wazuh, which has a built-in vulnerability discovery function. The software unfortunately does not support direct prioritization and enrichment in the default vulnerability dashboard, but it can export reports as CSV files for processing elsewhere, or we can create custom dashboards. Here’s how the default dashboard for a single agent looks.

Let’s consider the criticality of the device first:

• Normal employee laptop – with access to busines systems: MEDIUM
• LOW criticality – computer used as a guest machine only on the guest network
• HIGH criticality – the computer is a dedicated administrator workstation

The normal patch cycle is patch every 14 days. What we need to decice, is if we need to do anything outside of the normal patch cycle. First, consider a the administrator workstation, which has HIGH criticality. Do we have any vulnerabilities with higher CVSS score than 7.5?

We have 24 vulnerabilities matching HIGH or CRITICAL severity – indicating we need to take immediate action. If the computer had been a low criticality machine we would not have to do anything extra to patch (policy is to patch within 30 days, and we run bi-weekly patches in this example). For a MEDIUM case, we would need to patch if it is more than one week until the next planned patching operation.

React to changes in the threat landscape

Sometimes there are news that threat actors are actively exploiting a given vulnerability, or that there is a vulnerability without a patch being exploited. For such cases, the regular vulnerability management and patch management processes are not sufficient, especially not if we are subject to mass exploitation cases. There have been a few examples of this in 2023, such as

• BleepingComputer: CIsco warns of IOS XE zeroday
• TheHackerNews: Ransomware groups exploiting ESXi bug from two years ago

Of course, the bug that was two years old should have been patched already, but if you have not already done so, when news like this hits, it is important to take action. For a zeroday, or a very new vulnerability being exploited, you may not have had time to patch within the normal cycle yet. For example, on 25 April this year Zyxel issued a patch for vulnerability CVE-2023-28771, and on 11 May threat actors exploited this to attack multiple critical infrastructure sites in Denmark (see https://sektorcert.dk/wp-content/uploads/2023/11/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf for details).

Because of this, the prioritization needs to be extended to take current threat intelligence into account. Are there events that increase the risk significantly for a company, or for exploitation of a given set of vulnerabilities, extra risk mitigation should be established. This can be patching, but it can also be temporarily reducing exposure, or even shutting down a service temporarily to avoid compromise. To make this work, you will need to track what is going on. A good start is to monitor security news feeds, social media and threat intelligence feeds for important information, in addition to bulletins from vendors.

Here’s a suggested way to keep track of all that in a relatively manual way: create a specific social media list, or an RSS feed that you check regularly. When there are events of particular interest, such as a vulnerability being used by ransomware groups, or something similar, check your inventory if you have any of that equipment or software in your network. When you do, take action based on the risk exposure and risk acceptance criteria you operate with. For example, say you have a news headline stating that ransomware gangs are exploiting a bug in the Tor integration in the Brave browser, quickly taking over corporate networks around the globe.

With news like this, it would be a good idea to research which versions are being exploited, and to check the software inventory for installs of this. WIth Wazuh, there is unfortunately no easy way to do this across all agents, because the inventory of each agent is its own sqlite database on the manager. There is a Wazuh API that can be used to loop over all the agents, looking for a particular package. In this case, we are using the Wazuh->Tools->API Console to demo this, searching for “brave” on one agent at the time:

We can also, for each individual agent, check the inventory in the dashboard.

If this story had been real, the next actions would be to check recommended fixes or workarounds from the vendor, or decide on another action to take quickly. In case of mass exploitation, it may also be reasonable to think beyond the single endpoint; protect all endpoints from this exploitation immedaitely to avoid ransomware. In the case of a browser, a likely acceptable way to do this would be to uninstall it from all endpoints until a patch is available, for example.

The key takeway from this little expedition into vulnerability management is that we need to actively manage vulnerability exposure, in addition to having regular patching. Patch fast if the business risk is critical, and if you cannot patch, you need to find other mitigations. That also means, that if you have outsourced IT management, it would be a good idea to talk to your supplier about patching and vulnerability management, and not to just trust that “it will be handled”. In many cases it won’t, unfortunately.

The other day I listened to the Microsoft Threat Intelligence Podcast on my way to work (Spotify link). There they mentioned that the threat actor “Peach Sandstorm” had used Azure Arc as a persistence vector, but not giving much detail about how this would work. This rather unusual technique can be a bit hard to spot, especially on Linux hosts, unless you know where to look. The log file /var/opt/azcmagent/log/hidms.log is a good place to start (if it exists and you are not using Azure Arc, you may be in trouble).

I got a bit curious, so I decided to how that would work, and what kind of logs it would generate on the host (without any extra auditing enabled beyond the default server logs).

Arc Agent on Linux Server

For the first test I used a Linux VM running in Google Cloud. Then I used the Azure portal to generate an install script for a single server.

To install the agent, I ran the script on the VM, and had to authenticate it by pasting a code generated in the terminal in a browser window. After this I was able to to connect to the VM from the Azure portal. Depending on what extension you install, there are multiple options for authenticating, including using Entra ID. I chose not to install anything extra, and added a public key to the VM, and then provided the corresponding private key to the Azure portal, to connect using plain SSH from an Azure Cloud Shell.

Detecting this connection is not straightforward, as Azure Arc sets up a proxy. Running the last command will only show a login from ::1, so it is not so easy to see that this is coming from an external attacker. If you try to use netstat to see live connections, it is also not immediately clear:

tcp        0      0 10.132.0.2:22           35.235.240.112:45789    ESTABLISHED 766092/sshd: cyberh
tcp6       0      0 ::1:22                  ::1:36568               ESTABLISHED 766163/sshd: cyberh

The top connection here was from the Google cloud shell, and the bottom one was the Azure Arc logon.

Since Linux logs sudo calls in the /var/log/auth.log file, we can see the installation commands being run:

Oct 23 07:56:33 scadajumper sudo: cyberhakon : TTY=pts/0 ; PWD=/home/cyberhakon ; USER=root ; ENV=DEBIAN_FRONTEND=noninteractive ; COMMAND=/usr/bin/apt install -y azcmagent
Oct 23 07:56:33 scadajumper sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberhakon(uid=1000)
Oct 23 07:57:02 scadajumper sudo: cyberhakon : TTY=pts/0 ; PWD=/home/cyberhakon ; USER=root ; COMMAND=/usr/bin/azcmagent connect --resource-group quicktalks --tenant-id adf10e2b-b6e9-41d6-be2f-c12bb566019c --location norwayeast --subscription-id 8a8c2495-4b8c-4282-a028-55a16ef96caa --cloud AzureCloud --correlation-id fc67cc2f-7c66-4506-b2cf-2fe8cf618f25

If you suspect that an Arc agent has been installed, you can thus grep for “azmagent” in the auth.log file. From the last log line here we have quite a lot of data that helps us with attribution.

• Tenant-ID can help you identify the attacker’s Azure tenant. If you use the URL https://security.microsoft.com?tid=<tenant-id&gt; you may also get a logo if they have configured that.
• You also get the resource group and the Azure location used by the attacker

Another way to find this installation is to have a look at the running services.

systemctl list-units | grep -i azure
azuremonitor-agentlauncher.service loaded active running   Azure Monitor Agent Launcher daemon (on systemd)
azuremonitor-coreagent.service loaded active running   Azure Monitor Agent CoreAgent daemon (on systemd) loaded active running   Azure Monitor Agent daemon (on systemd)
himdsd.service loaded active running   Azure Connected Machine Agent Service

The himdsd.service is the service running the Arc agent. Overview of the Azure Connected Machine agent – Azure Arc | Microsoft Learn. In the documentation for the Azure Arc agent, we learn that there are log files generated in multiple non-standard locations. Performing an SSH-based login with private key from Azure Cloud Shell, we find the following lines in the log /var/opt/azmagent/log/hidms.log:

time="2023-10-23T11:56:35Z" level=debug msg="Connect Agent: read incoming message"
time="2023-10-23T11:56:35Z" level=debug msg="Connect Agent: pushing event to subscriber on microsoft.guestgateway"
time="2023-10-23T11:56:35Z" level=debug msg="Loading AgentConfig file from: /var/opt/azcmagent/agentconfig.json"
time="2023-10-23T11:56:35Z" level=info msg="config defaults set: &{ServiceConfigurations:[{ServiceName:SSH Port:22}] LocalAllowedPorts:[] ConnectionsEnabled:true EstsEndPoint:https://login.microsoftonline.com GnsURI:https://guestnotificationservice.azure.com ServiceBusEndpoint:.servicebus.windows.net SkipSSLCheck:false Location:norwayeast HeartBeat:60 EndPoint:/var/opt/azcmagent/socks/notify.sock LogLevel:INFO ResourceId:/subscriptions/8a8c2495-4b8c-4282-a028-55a16ef96caa/resourceGroups/quicktalks/providers/Microsoft.HybridCompute/machines/scadajumper}"
time="2023-10-23T11:56:35Z" level=debug msg="Loading AgentConfig file from: /var/opt/azcmagent/agentconfig.json"

time="2023-10-23T11:56:35Z" level=debug msg="HIS host name: gbl.his.arc.azure.com, IPv4 address: 20.50.1.196"

time="2023-10-23T11:56:35Z" level=info msg="cloud endpoint: &{Name:AzureCloud ImdsName:AzurePublicCloud ARM:https://management.azure.com ActiveDirectory:https://login.windows.net IdentityService:his.arc.azure.com GlobalIdentityService:https://gbl.his.arc.azure.com GuestConfigEndpoint: EstsEndPoint:https://login.microsoftonline.com PasEndPoint:https://pas.windows.net GnsURL:https://guestnotificationservice.azure.com ServiceBusEndpoint:.servicebus.windows.net GuestConfig:https://agentserviceapi.guestconfiguration.azure.com EndpointsToCheck:map[https://agentserviceapi.guestconfiguration.azure.com:true https://gbl.his.arc.azure.com:true https://login.microsoftonline.com:false https://login.windows.net:false https://management.azure.com:false https://pas.windows.net:false] Portal:https://portal.azure.com ArmMetadata:{Portal: Authentication:{LoginEndpoint: Audiences:[] Tenant: IdentityProvider:} Media: GraphAudience: Graph: Name: Suffixes:map[] DataplaneEndpoints:map[] Batch: ResourceManager: VMImageAliasDoc: ActiveDirectoryDataLake: SQLManagement: MicrosoftGraphResourceId: AppInsightsResourceId: AppInsightsTelemetryChannelResourceId: AttestationResourceId: SynapseAnalyticsResourceId: LogAnalyticsResourceId: OssrDbmsResourceId:}}"time="2023-10-23T11:56:35Z" level=info msg="Connect Agent: checking to see if connection is allowed with remote control plane data"

time="2023-10-23T11:56:35Z" level=debug msg="Loading AgentConfig file from: /var/opt/azcmagent/agentconfig.json"time="2023-10-23T11:56:35Z" level=info msg="config defaults set: &{ServiceConfigurations:[{ServiceName:SSH Port:22}] LocalAllowedPorts:[] ConnectionsEnabled:true EstsEndPoint:https://login.microsoftonline.com GnsURI:https://guestnotificationservice.azure.com ServiceBusEndpoint:.servicebus.windows.net SkipSSLCheck:false Location:norwayeast HeartBeat:60 EndPoint:/var/opt/azcmagent/socks/notify.sock LogLevel:INFO ResourceId:/subscriptions/8a8c2495-4b8c-4282-a028-55a16ef96caa/resourceGroups/quicktalks/providers/Microsoft.HybridCompute/machines/scadajumper}"
time="2023-10-23T11:56:35Z" level=debug msg="Loading AgentConfig file from: /var/opt/azcmagent/agentconfig.json"
time="2023-10-23T11:56:35Z" level=debug msg="HIS host name: gbl.his.arc.azure.com, IPv4 address: 20.50.1.196"
time="2023-10-23T11:56:35Z" level=info msg="cloud endpoint: &{Name:AzureCloud ImdsName:AzurePublicCloud ARM:https://management.azure.com ActiveDirectory:https://login.windows.net IdentityService:his.arc.azure.com GlobalIdentityService:https://gbl.his.arc.azure.com GuestConfigEndpoint: EstsEndPoint:https://login.microsoftonline.com PasEndPoint:https://pas.windows.net GnsURL:https://guestnotificationservice.azure.com ServiceBusEndpoint:.servicebus.windows.net GuestConfig:https://agentserviceapi.guestconfiguration.azure.com EndpointsToCheck:map[https://agentserviceapi.guestconfiguration.azure.com:true https://gbl.his.arc.azure.com:true https://login.microsoftonline.com:false https://login.windows.net:false https://management.azure.com:false https://pas.windows.net:false] Portal:https://portal.azure.com ArmMetadata:{Portal: Authentication:{LoginEndpoint: Audiences:[] Tenant: IdentityProvider:} Media: GraphAudience: Graph: Name: Suffixes:map[] DataplaneEndpoints:map[] Batch: ResourceManager: VMImageAliasDoc: ActiveDirectoryDataLake: SQLManagement: MicrosoftGraphResourceId: AppInsightsResourceId: AppInsightsTelemetryChannelResourceId: AttestationResourceId: SynapseAnalyticsResourceId: LogAnalyticsResourceId: OssrDbmsResourceId:}}"
time="2023-10-23T11:56:35Z" level=debug msg="Connect Agent: gwa: processing ingress request for SSH:22"
time="2023-10-23T11:56:35Z" level=debug msg="Connect Agent: Opened hc: a71fac9f-68a5-407b-be67-1370e650d34a, wsAddress: wss://g10-prod-am3-010-sb.servicebus.windows.net/$hc/microsoft.hybridcompute/machines/3ced11256d4ee0afd485e76e1b6ce6b287a684cb4d040e329c13529bc153d8c7/1698062195064991744/v2?sb-hc-action=accept&sb-hc-id=71bd5a85-f3d0-4636-8cbe-c7c73d2ec962_G10_G4, localConnection: {serviceName:SSH port:localhost:22 checkAllowedLocally:false}"
time="2023-10-23T11:56:35Z" level=debug msg="Connect Agent: Successfully added listener for conID: a71fac9f-68a5-407b-be67-1370e650d34a, target: localhost:22"

This log contains quite a lot of interesting inforamtion. If you want to search the log file for interesting events, grepping for “Connect Agent” is a good start.

Arc Agent on Windows server

When we try the same thing on Windows, it is a bit more obvious in sign-in events, because the authentication using the agent still generates Event ID 4624, and also shows SSH as the sign-in process.

In this case, we created a new username “hacker”, and used this to log in from Azure Arc in the portal, using hte Azure cloud shell. We see that the Logon Process is reported as sshd. On Windows this is easier to discover, as SSH is not commonly used for remote access. In fact, the SSH server is not installed by default, so we had to install it first, to make this technique work for remote access.

Also, when being logged in with GUI access, the Azure Arc agent will stand out both in the Start menu after being installed and in the list of installed applications. This test was run on a Windows Server 2022 running on an EC2 instance in AWS.

If you are not using Azure Arc yourself, and you see the “Azure Connected Machine Agent” among installed apps, there is reason to investigate further!

In summary

In summary, using Azure Arc as a persistence vector is interesting. On Linux it is more stealthy than on Windows, largely because of the localhost reference seen in the last log, whereas on Windows Event ID 4624 with sshd as logon process is typically reason to be skeptical.

The technique, when used as shown here, will leave traces of the Azure tenant ID and subscription ID, which can be used for attribution. On Linux it is interesting to note that the most useful log data will not be found in the /var/log folder, but in /var/opt/azmagent/log instead, a location where most defenders would quite likely not look for bad omens.

Note that there are forensics tools that will make browser history forensics easy to do. This is mostly for learning, but for real incident handling and forensics using an established tool will be a much faster route to results!

Basics

The edge browser history is stored in a sqlite3 database under each user profile. You find this database as C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default\History

The “History” file is a sqlite3 database, and you can analyse the database using the sqlite3 shell utility, that can be downloaded from here: SQLite Download Page.

If we list the tables in the database, we see there are quite a few.

Several of these seem quite interesting. The “urls” table seems to contain all the visited URL’s that exist in the browser history. Looking at the schema of this table shows that we can also here see the “last visited” timestamp, which can be useful.

sqlite> .schema urls

CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL);

CREATE INDEX urls_url_index ON urls (url);

It can also be interesting to check out the visit_count.  For example, in the history file I am looking at, the top 3 visited URL’s are:

sqlite> select url, visit_count from urls order by visit_count desc limit 3;

https://www.linkedin.com/|24

https://www.linkedin.com/feed/|15

https://www.vg.no/|14

Another table that is interesting is, “visits”. This table has the following fields (among many, use .schema to inspect the full set of columns):

• url
• visit_time
• visit_duration

The visits table contains mostly references to other tables:

sqlite> select * from visits where id=1;

1|1|13341690141373445|0||805306368|0|0|0|0||0|0|0|0|1|

To get more useful data out of this, we need to use some join queries. For example, if I would like to know which URL was last visited I could do this:

select visit_time, urls.url from visits inner join urls on urls.id = visits.url order by visit_time desc limit 1;

13342089225183294|https://docs.python.org/3/library/sqlite3.html

The time stamp is not very reader friendly, and it appears to be the number of microseconds since midnight January 1, 1601. sqlite – What is the format of Chrome’s timestamps? – Stack Overflow. This value has the same basis, but different counting from than Windows File Time File Times – Win32 apps | Microsoft Learn.

So.. at what times did I visit the Python docs page? The good news is that sqlite3 contains a datetime function that allows us to convert to human readable form directly in the query:

sqlite> SELECT
   ...>   datetime(visit_time / 1000000 + (strftime('%s', '1601-01-01')), 'unixepoch', 'localtime'), urls.url
   ...> FROM visits
   ...> INNER JOIN urls
   ...>   ON urls.id = visits.url
   ...> WHERE
   ...>   urls.url LIKE '%python.org%'
   ...> ORDER BY visit_time DESC
   ...> LIMIT 3;

2023-10-18 09:53:45|https://docs.python.org/3/library/sqlite3.html

2023-10-17 10:01:54|https://docs.python.org/3/library/subprocess.html

2023-10-17 09:58:51|https://docs.python.org/3/library/subprocess.html

Making some scripts

Typing all of this into the shell can be a bit tedious and difficult to remember. It could be handy to have a script to help with some of these queries. During incident handling, there are some typical questions about web browsing that tend to show up:

1. When did the user click the phishing link?
2. What files were downloaded?
3. What was the origin of the link?

If we now try to make a small Python utility to figure out when a link has been visited, this could be a useful little tool. We concentrate on the first of the questions above for now – we have a URL, and want to check if it has been visited, and what the last visit time was.

Such a script can be found here: cbtools/phishtime.py at main · hakdo/cbtools (github.com).

Phishing investigation

Consider a hypothetical case, where we know that a user has visited a phishing link from his home computer, and that this led to a compromise, that later moved into the corporate environment. The user has been so friendly as to allow us to review his Edge history database.

We know from investigation of other similar cases that payloads are often sent with links to Pastebin content. We therefore want to search for “pastebin.com” in the URL history.

We copy over the History file to an evidence folder before working on it (to make sure we don’t cause any problems for the browser). It is a good idea to document the evidence capture, with a hash, timestamp, who did it etc.

Then we run our little Python script, looking for Pastebin references in the urls table. The command we use is

python phishtime.py History pastebin.com 2

The result of the query gives us two informative lines:

2023-10-18 12:42:37  hxxps://pastebin.com/raw/k3NjT2Cp

2023-10-18 12:42:37  hxxps://www.google.com/url?q=https://pastebin.com/raw/k3NjT2Cp&source=gmail&ust=1697712137533000&usg=AOvVaw1TK8-pr8-7Xsp8BG72hbP5

From this we quickly conclude that there was a Pastebin link provided, and that the user clicked this phishing link from his Gmail account.