This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Do you like your Cisco ASA with a side of ExtraBacon ?

EricPartington
Employee
Employee

‎2016-08-22 09:12 AM

There was a little ruckus on the internet last week about some tools that may or may not be associated with Equation Group.  Regardless of their origin, some of those tools were tested and were confirmed to do be effective.  I figured that it might be an interesting training exercise to see what could be done with NetWitness packets to locate one of those exploits called ExtraBacon (which now has a Cisco CVE).

 

Hunting the internets for a suitable PCAP, I found one here to test with: xorcat: equationgroup

wireshark looks like this and matching the description from the blog post from xorcat we can see that the first 4 are the probe and auth disable and the last two are the auth re-enable.

2016-08-22_08h48_28.png

 

Taking that pcap and writing an import script to replay it into my packet decoder to so I could see what it looks like got me this which relates to the first two line in wireshark.

2016-08-22_08h47_21.png

 

So lets turn that into an application rule to warn us when we see those three snmp.oid values being queried together along with get and response actions. 

 

t1_potential_cisco_asa_snmp_exploit_oid_request4_cve
snmp.oid='1.3.6.1.2.1.1.1.0' && snmp.oid='1.3.6.1.2.1.1.3.0' && snmp.oid='1.3.6.1.2.1.1.5.0' && action='get' && action='response'

 

and for the second two lines in the wireshark output

 

t1_potential_cisco_asa_snmp_exploit_oid_auth_disable4_cve
action='get' && action='response' && snmp.oid='1.3.6.1.2.1.1.1','1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.53.255.208.97.195.144.144.144.144.144.144.144'

 

Add those to your packet decoder, alert into a metakey of your choice (I used alert)

 

Run the pcap, and check for output into the alert metakey for hits on the application rules

2016-08-22_08h55_29.png

 

So it looks like we now have something to alert on for this potential exploit.  Hopefully your SNMP and admin is done via a segmented management network which helps to mitigate this threat but if you don't....

 

What if we wanted to take this and use ESA to create a correlation rule to take these application rules and link them together ?

2016-08-22_09h00_29.png

which looks for the probe snmp command followed by the exploit snmp command for the same ip.src within one minute.  You could choose to alert as a cef log message to either NetWitness Logs or another SIEM product for further correlation, alerting or archiving.

 

How have you implemented alerting for this expoit ? discuss below ...

2 REPLIES 2

JeremyLawrence2
Employee
Employee

‎2016-08-22 07:43 PM

Great post Eric.  

 

I have just added this to a production system and will update if I run across any hits.

 

I would point out to others looking to implement these alerts, you need to make sure you have the SNMP_lua parser installed from Live as well as making the snmp.oid key searchable by adding the following to your index-concentrator-custom.xml file on your concentrator(s):

 

<key description="SNMP OID" level="IndexValues" name="snmp.oid" format="Text" valueMax="1000000"/>

0 Likes

EricPartington
Employee
Employee
In response to JeremyLawrence2

‎2016-08-22 08:37 PM

SNMP OID only needs to be indexed at values if you want to do drills and perform more than exists type queries (snmp.oid = 1.2.3.4.5 for example).  For this use case the application rule doesn't require that key to be indexed to perform the matching on those particular OID values. 

That is the beauty of application rules, you can access and perform logic on keys that are otherwise not indexed (and maybe for good performance reasons you wouldn't want to index certain keys that might be useful for specific application rules).

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.