HX 3.X Enterprise Search – Finding the Achilles Heel

There are many misconfigurations and vulnerabilities of varying criticality within a network that attackers can leverage to achieve their goals. These issues are the Achilles heels of network security. The biggest problem most organizations encounter is how to find them to eliminate them.

Enter HX Enterprise Search – a flexible query capability in FireEye’s endpoint agent. The executive blog article from Dan Reis introduces the HX 3.0 proactive inspection capabilities and this post will follow up with specific examples used to proactively protect the enterprise.

Five critical issues

Determining the most severe internal network issues is a topic that is up for debate and one that will change over time and within each environment. However, we will present five issues that Mandiant Red Teams encounter that contribute to or result in privilege escalation or host compromise – both of which are necessary to achieve any notable goal. The five issues we will focus on are the following:

1. Processes owned by Enterprise administrators (EA) or Domain administrators (DA)
2. Commonly misconfigured software
3. Missing patches
4. Systems lacking protection
5. Unsupported operating systems

Let’s quickly break down each issue and show how to use HX Enterprise Search to hunt them down.

Processes owned by Enterprise or Domain Administrators

Even if the ultimate goal of an attacker excludes gaining EA or DA access, it is usually a prerequisite to their end goal. Thus, these accounts should be sufficiently hardened, judiciously used, and heavily monitored. The reason for judicious usage is that a stale running process may be left behind, enabling an attacker to more easily steal privileges and elevate to EA or DA. This risk greatly increases with service accounts that run with elevated privileges. Enterprise Search can find these elevated processes with the syntax shown in the following box and in Figure 1 (be sure to use the DA or EA username in the search):

Host Set equals All hosts AND Process Name contains . AND Username contains <DA or EA user>

Figure 1:  Processes owned by Enterprise or Domain Administrators

Commonly misconfigured software

Business needs ideally determine the software installed on corporate machines; however, we all know that is not really the case. Even if there is a justified business requirement, certain software packages are commonly misconfigured in ways that lead to an easy compromise. These include JBoss, MS-SQL, and Tomcat. All of them are well known for exposing administrative functionality that, when misconfigured, can be abused to gain operating system access. Many such installations are unauthorized and have simply gone unnoticed. HX Enterprise Search can use the following syntax shown in the box and Figure 2 to help find these software installations – rogue or otherwise:

Host Set equals All hosts AND Process Name equals jbosssvc.exe

Host Set equals All hosts AND Process Name equals tomcat.exe

Host Set equals All hosts AND Process Name equals sqlservr.exe

Figure 2:  Searching for commonly misconfigured software

Missing patches

Operating system and application patching can be a challenging task. A host can easily fall out of patching compliance and lag behind the others. Given the right missing patch, only one unpatched host is required for a compromise. Take MS08-067, MS09-050 and MS10-061 for example. Enterprise Search can find these missing patches with the following syntax shown in the box and Figure 3. Each query matches the hosts on which the patch's registry entry is present, so the hosts in the set that are not returned are the ones to investigate:

MS10-061 (Windows XP):

Host Set equals All hosts AND

Registry Key Full Path equals

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB2347290

MS09-050 (Windows 2008):

Host Set equals All hosts AND

Registry Key Full Path equals

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages AND

Registry Key Value Text contains KB975517

MS08-067 (Windows XP):

Host Set equals All hosts AND

Registry Key Full Path equals

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB958644

Note: Be sure to check “Enable exhaustive search” for registry searches.

Figure 3:  Finding missing patches

Systems lacking protection

Similar to missing patches, some systems are eventually discovered to be missing basic protections that are afforded to all other systems in the network. This protection could range from antivirus to host-based IDS to firewall software. While none of these on their own is the holy grail of host-based security, they all provide a level of protection that forces the attacker to take more time and gives network defenders one more opportunity to detect a breach. HX can be used to flush out hosts with missing or outdated defensive software using the following syntax shown in the box and Figure 4. For example, the query below looks for out-of-date antivirus software (assuming version 8.8.0.777 is the latest):

McAfee VirusScan Enterprise v8.8:

Host Set equals All hosts AND

Registry Key Full Path equals

HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection\szProductVer AND

Registry Key Value Text not equals 8.8.0.777

Note: Be sure to check “Enable exhaustive search” for registry searches.

Figure 4:  Finding systems that lack protection
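As an added illustration (not part of the original post and not the HX product's own code), the following Python evaluator models the search syntax used in the process, software, patch and antivirus sections above and runs it against a constructed host inventory. The host records, and the assumption that ANDed process terms must hold for a single process and ANDed registry terms for a single registry entry, are mine; the complement helper shows where the hosts actually missing a patch turn up.

```python
import re

# Constructed sample inventory (not real endpoints): the process list and registry
# entries an HX agent would report for each host. Paths follow the post's queries.
UNINST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
AV_VER = r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\szProductVer"
HOSTS = {
    "ws01": {"processes": [("lsass.exe", "SYSTEM"), ("cmd.exe", "CORP\\da-admin")],
             "registry": {UNINST + r"\KB958644": "", AV_VER: "8.8.0.777"}},
    "ws02": {"processes": [("explorer.exe", "CORP\\jdoe")],
             "registry": {AV_VER: "8.7.0.570"}},
    "srv03": {"processes": [("sqlservr.exe", "NT SERVICE\\MSSQLSERVER")],
              "registry": {UNINST + r"\KB958644": "", AV_VER: "8.8.0.777"}},
}
OPS = {"equals": lambda a, w: a == w, "not equals": lambda a, w: a != w,
       "contains": lambda a, w: w in a}
FIELDS = "Host Set|Process Name|Username|Registry Key Full Path|Registry Key Value Text"
CLAUSE = re.compile(rf"({FIELDS})\s+(not equals|equals|contains)\s+(.+)")

def parse(query):
    """Split 'Field op value AND Field op value ...' into (field, op, value) terms;
    line breaks inside a query (as in the post's boxes) are treated as spaces."""
    terms = []
    for clause in re.split(r"\s+AND\s+", " ".join(query.split())):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        terms.append(m.groups())
    return terms

def search(query, hosts=HOSTS):
    """Hosts matching the query. Assumption: ANDed process terms must hold for one
    process, and ANDed registry terms for one registry entry (path, value)."""
    terms = parse(query)
    if ("Host Set", "equals", "All hosts") not in terms:
        raise ValueError("only 'Host Set equals All hosts' is modelled here")
    # index 0 = process name / key path, index 1 = username / value text
    proc = [(int(f == "Username"), o, v) for f, o, v in terms if f in ("Process Name", "Username")]
    reg = [(int(f.endswith("Text")), o, v) for f, o, v in terms if f.startswith("Registry")]
    ok = lambda item, conds: all(OPS[o](item[i], v) for i, o, v in conds)
    return {name for name, h in hosts.items()
            if (not proc or any(ok(p, proc) for p in h["processes"]))
            and (not reg or any(ok(r, reg) for r in h["registry"].items()))}

def not_matching(query, hosts=HOSTS):
    """The complement of a search: for the patch queries, hosts whose registry lacks
    the KB's uninstall entry, i.e. the hosts that still need the patch."""
    return set(hosts) - search(query, hosts)
```

Run the post's MS08-067 query through `not_matching` to get the unpatched hosts directly, rather than reading them off by hand from the hosts the console returns.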

Unsupported operating systems

While unsupported operating systems may or may not be an immediate danger, their risk increases over time as new vulnerabilities are discovered, published and left unpatched due to lack of vendor support. In vast networks it can be difficult to spot out-of-date operating systems; however, HX Enterprise Search can be used to easily determine installed operating systems and service packs. The most efficient way of doing this would be to use Host Sets, a topic for another post. To stick with our theme of searches, it can also be accomplished through Enterprise Search using the following syntax shown in the box and Figure 5. For example, we can search for Windows 2003 hosts:

Host Set equals All hosts AND

Registry Key Full Path equals HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName AND

Registry Key Value Text contains Windows 2003

Note: Be sure to check “Enable exhaustive search” for registry searches.

Figure 5:  Searching for unsupported operating systems

Conclusion

Finding critical security issues in a large network can be extremely difficult if an analyst doesn’t have the right tools available. With the help of flexible tools that provide in-depth host-level insight and querying capability, a network defender not only gains quick reactive capabilities for incidents but can also be proactive in remediating issues. When we look at Enterprise Search and the aforementioned examples of its capabilities, it’s clear that its power and flexibility mean defenders will be able to conduct the kinds of discovery exercises necessary to maintain a high level of visibility and increase the security of their endpoints. There are many more capabilities we can expose within Enterprise Search today, so we encourage you to stay tuned for more tips and tricks.