Commit

added posts
Liam Jones committed Jul 12, 2023
1 parent 8fb249f commit a0928ce
Showing 3 changed files with 378 additions and 0 deletions.
184 changes: 184 additions & 0 deletions _posts/2019-08-08-text-and-typography.md
@@ -0,0 +1,184 @@
---
title: Text and Typography
author: cotes
date: 2019-08-08 11:33:00 +0800
categories: [Blogging, Demo]
tags: [typography]
pin: true
math: true
mermaid: true
image:
path: /commons/devices-mockup.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Responsive rendering of Chirpy theme on multiple devices.
---

This post is to show Markdown syntax rendering on [**Chirpy**](https://github.com/cotes2020/jekyll-theme-chirpy/fork), you can also use it as an example of writing. Now, let's start looking at text and typography.

## Headings

<h1 class="mt-5">H1 - heading</h1>

<h2 data-toc-skip>H2 - heading</h2>

<h3 data-toc-skip>H3 - heading</h3>

<h4>H4 - heading</h4>

## Paragraph

Quisque egestas convallis ipsum, ut sollicitudin risus tincidunt a. Maecenas interdum malesuada egestas. Duis consectetur porta risus, sit amet vulputate urna facilisis ac. Phasellus semper dui non purus ultrices sodales. Aliquam ante lorem, ornare a feugiat ac, finibus nec mauris. Vivamus ut tristique nisi. Sed vel leo vulputate, efficitur risus non, posuere mi. Nullam tincidunt bibendum rutrum. Proin commodo ornare sapien. Vivamus interdum diam sed sapien blandit, sit amet aliquam risus mattis. Nullam arcu turpis, mollis quis laoreet at, placerat id nibh. Suspendisse venenatis eros eros.

## Lists

### Ordered list

1. Firstly
2. Secondly
3. Thirdly

### Unordered list

- Chapter
+ Section
* Paragraph

### ToDo list

- [ ] Job
+ [x] Step 1
+ [x] Step 2
+ [x] Step 3

### Description list

Sun
: the star around which the earth orbits

Moon
: the natural satellite of the earth, visible by reflected light from the sun

## Block Quote

> This line shows the _block quote_.
## Prompts

> An example showing the `tip` type prompt.
{: .prompt-tip }

> An example showing the `info` type prompt.
{: .prompt-info }

> An example showing the `warning` type prompt.
{: .prompt-warning }

> An example showing the `danger` type prompt.
{: .prompt-danger }

## Tables

| Company | Contact | Country |
|:-----------------------------|:-----------------|--------:|
| Alfreds Futterkiste | Maria Anders | Germany |
| Island Trading | Helen Bennett | UK |
| xyz | Giovanni Rovelli | Italy |

## Links

<http://127.0.0.1:4000>

## Footnote

Click the hook will locate the footnote[^footnote], and here is another footnote[^fn-nth-2].

## Inline code

This is an example of `Inline Code`.

## Filepath

Here is the `/path/to/the/file.extend`{: .filepath}.

## Code blocks

### Common

```
This is a common code snippet, without syntax highlight and line number.
```

### Specific Language

```bash
if [ $? -ne 0 ]; then
echo "The command was not successful.";
#do the needful / exit
fi;
```

### Specific filename

```sass
@import
"colors/light-typography",
"colors/dark-typography";
```
{: file='_sass/jekyll-theme-chirpy.scss'}

## Mathematics

The mathematics powered by [**MathJax**](https://www.mathjax.org/):

$$ \sum_{n=1}^\infty 1/n^2 = \frac{\pi^2}{6} $$

When $a \ne 0$, there are two solutions to $ax^2 + bx + c = 0$ and they are

$$ x = {-b \pm \sqrt{b^2-4ac} \over 2a} $$

## Mermaid SVG

```mermaid
gantt
title Adding GANTT diagram functionality to mermaid
apple :a, 2017-07-20, 1w
banana :crit, b, 2017-07-23, 1d
cherry :active, c, after b a, 1d
```

## Images

### Default (with caption)

![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" }
_Full screen width and center alignment_

### Left aligned

![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" .w-75 .normal}

### Float to left

![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" .w-50 .left}
Praesent maximus aliquam sapien. Sed vel neque in dolor pulvinar auctor. Maecenas pharetra, sem sit amet interdum posuere, tellus lacus eleifend magna, ac lobortis felis ipsum id sapien. Proin ornare rutrum metus, ac convallis diam volutpat sit amet. Phasellus volutpat, elit sit amet tincidunt mollis, felis mi scelerisque mauris, ut facilisis leo magna accumsan sapien. In rutrum vehicula nisl eget tempor. Nullam maximus ullamcorper libero non maximus. Integer ultricies velit id convallis varius. Praesent eu nisl eu urna finibus ultrices id nec ex. Mauris ac mattis quam. Fusce aliquam est nec sapien bibendum, vitae malesuada ligula condimentum.

### Float to right

![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" .w-50 .right}
Praesent maximus aliquam sapien. Sed vel neque in dolor pulvinar auctor. Maecenas pharetra, sem sit amet interdum posuere, tellus lacus eleifend magna, ac lobortis felis ipsum id sapien. Proin ornare rutrum metus, ac convallis diam volutpat sit amet. Phasellus volutpat, elit sit amet tincidunt mollis, felis mi scelerisque mauris, ut facilisis leo magna accumsan sapien. In rutrum vehicula nisl eget tempor. Nullam maximus ullamcorper libero non maximus. Integer ultricies velit id convallis varius. Praesent eu nisl eu urna finibus ultrices id nec ex. Mauris ac mattis quam. Fusce aliquam est nec sapien bibendum, vitae malesuada ligula condimentum.

### Dark/Light mode & Shadow

The image below will toggle dark/light mode based on theme preference, notice it has shadows.

![light mode only](/posts/20190808/devtools-light.png){: .light .w-75 .shadow .rounded-10 w='1212' h='668' }
![dark mode only](/posts/20190808/devtools-dark.png){: .dark .w-75 .shadow .rounded-10 w='1212' h='668' }

## Video

{% include embed/youtube.html id='Balreaj8Yqs' %}

## Reverse Footnote

[^footnote]: The footnote source
[^fn-nth-2]: The 2nd footnote source
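Review bot: this file is the theme's own sample post committed as site content. The front matter has `author: cotes` and `pin: true`, the opening line says the post exists "to show Markdown syntax rendering", and the body is lorem ipsum plus a link to `http://127.0.0.1:4000`. Since the two real posts in this commit also set `pin: true`, the demo would sit alongside them as pinned content. Drop it from the commit, or set `pin: false` if it is being kept only as a formatting reference.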
107 changes: 107 additions & 0 deletions _posts/3CX Defender for Endpoint Hunting Queries.md
@@ -0,0 +1,107 @@
---
title: 3CX Defender for Endpoint Hunting Queries
author: LJ
date: 2019-08-08 11:33:00 +0800
categories: [Blogging, Demo]
tags: [typography]
pin: true
math: true
mermaid: true
image:
path: /commons/devices-mockup.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Responsive rendering of Chirpy theme on multiple devices.
---
# Introduction

3CX is a software development company with a large outreach, over 600,000 companies worldwide and around 12 million daily users. 3CX provide desktop applications which allows users to control voice calls from various different platforms.

On 29th of March 2023, CrowdStrike observed malicious activity originating from signed files in their clients' environments, the files were 3CX desktop application. Crowstrike claim that the MacOS (version 18.11.1213) and Windows (versions 18.12.407 18.12.416) platforms have currently been identified as infected.

The word signed here is particularly important. Without going on too much of a tangent, file signing is technique software vendors utilise to prove the authenticity of files. If a file is signed by a particular vendor, it *should* be safe. Malicious actors often try to imitate genuine software to evade detection but can't provide the signature of authenticity to go with it. They become unstuck here, as any keen eyed security analyst will notice the absence of such a signature.

So, why is a signed file exhibiting signs of malicious activity?

Pierre Jourdan, CISO of 3CX states in a blog post that a library bundled into their Windows Electron App has caused the issue but it is unclear at this stage as to what this library is, and as to how exactly this caused their desktop applications to become infected. We just know that this is how the attackers were able to embed malware into the genuine software.

Does it really matter anyway? Yeah it does, it matters hugely but we won't know until 3CX say so lets focus on what we do know. The attack vector:

1. The attack starts when the MSI file is downloaded from the 3CX website or an update is pushed to an already installed application.
2. MSI installer extracts two malicious files ffmpeg.dll and d3dcompiler.dll
3. Sophos state that ffmpeg is sideloaded and used to extract and decrypt a payload from d3dcomiler.
4. The decrypted shell code is executed and in-turn downloads icon files from a GitHub repository (I've left this out of the detection as the repo has long been taken down).
5. Base64 encoded strings attached to the end of these icon files are used to download a final DLL file which is used to steal information from the infected device.

---

# Detection

Onto the juicy bit. I work with the MS security stack so this detection logic is going to written in KQL. We are primarily going to be using the Device tables of Microsoft Defender for Endpoint here, so the device needs to have a Defender for Endpoint agent installed in order to see this activity.

In my mind, the first stage in detecting this is to detect if any of the computers in the organisation are running 3CX desktop applications:

```sql
DeviceProcessEvents
| where FileName contains "3CX" or InitiatingProcessFileName contains "3CX"
//Software version specific tailoring - Comment out lines 5 and 7 to search for all versions of the software
//Comment out the line below  if trying to discover devices on Windows - Line below is for Mac
| where ProcessVersionInfoProductVersion contains "18.11.1213"
//Comment out the line below if trying to discover devices on Mac - Line below iqf for Windows versions affected
| where ProcessVersionInfoProductVersion has_any ("18.12.407","18.12.416")
| distinct DeviceName, FileName, SHA256
```

With the KQL above you can search for any mention of 3CX in file names by commenting out lines detailed in the query you can search for specific windows versions, specific mac versions or (as I would recommend) do a flat search for 3CX despite what version it's on.

This first step allows you to identify any shadow IT you have by looking for where 3CX processes are running on your devices. If you don't have any results, good for you you can go relax.

If you have identified 3CX desktop apps running on your endpoints, uninstall them at your discretion. The infected 3CX versions side load two malicious dll files - **ffmpeg.dll** and **d3dcompiler.dll.** Lets detect them.

```
DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified"
| where InitiatingProcessFileName contains "msi"
| where FileName has_any ("ffmpeg.dll","d3dcompiler.dll")
```

*Note: I think Jabra use a dll called ffmpeg.dll so don't panic if you see this it might not be malicious. Check the hashes below:*

**Malicious ffmpeg.dll -** c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02

7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896

**Malicious d3dcompiler.dll -**

11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03

Still with me?

Okay, lets try and identify some malicious behaviours of the application. We know that it beacons out to C2 instances. Crowdstrike have provided us with some domains that the infected software is known to be connecting to. Going forward these will be pretty futile (as the domains will likely get shut down, or the attackers will switch to avoid detection) but this could be handy if you want to detect whether any data has already been exfiltrated out of your network.

```
let maliciousDomains = dynamic(["akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org", "msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com", "visualstudiofactory.com", "zacharryblogs.com"]);
DeviceNetworkEvents
| where RemoteUrl has_any (maliciousDomains)
| where InitiatingProcessFileName contains "3CX"
```

Finally, here is one for detection going forward let's continue to monitor whether the 3CX application is spawning any suspicious processes:

```
let susTools = dynamic(["py","bsh","dll","ps1","psh","cmd","bat", "bash"]);
DeviceProcessEvents
| where InitiatingProcessFileName contains "3CX"
| where ProcessCommandLine has_any (susTools) oThey need to move to Arcr FileName has_any (susTools)
```

I hope this can help some people out there. Remember, Keep Calm and KQL.

## Resources

Some resources I used to help me write this article:

[Bleeping Computer](https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/)

[CrowdStrike](https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/)

[TrendMicro](https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html)
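Review bot: the last query in this file will not parse. The line `| where ProcessCommandLine has_any (susTools) oThey need to move to Arcr FileName has_any (susTools)` has stray prose pasted into the middle of what looks like an `or`; restore it to `| where ProcessCommandLine has_any (susTools) or FileName has_any (susTools)`. In the first query both `ProcessVersionInfoProductVersion` filters are active as committed, so a row must contain `18.11.1213` and one of the Windows versions at the same time and nothing matches until the reader comments one out; ship it with the version filters commented out (the flat search the text recommends) or merge them into one `has_any` over all three versions. That block is also fenced as `sql` although it is KQL. The front matter is still the demo post's (`date: 2019-08-08`, `categories: [Blogging, Demo]`, `tags: [typography]`, the Chirpy `alt` text) even though the post describes March 2023, and the filename lacks the date prefix used by `2019-08-08-text-and-typography.md`. Typos to fix in the same pass: "Crowstrike" and "d3dcomiler".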
87 changes: 87 additions & 0 deletions _posts/Demystifying Defender for Cloud.md
@@ -0,0 +1,87 @@
---
title: Demystifying Defender for Cloud
author: cotes
date: 2019-08-08 11:33:00 +0800
categories: [Blogging, Demo]
tags: [typography]
pin: true
math: true
mermaid: true
image:
path: /commons/devices-mockup.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Responsive rendering of Chirpy theme on multiple devices.
---

# Introduction

Defender for Cloud (DfC) is a cloud-native platform designed to protect multiple workloads, across several environments, by utilising a plethora of capabilities. Defender for Cloud isn’t new, it’s been available to the public since 2019, so why make a blog post on it now?

Since the start of 2023 Defender for Cloud has cropped up multiple times during my day-to-day, and it seems to hold an air of mystery. During this article we will expand on why I think companies are (wisely) starting to pay more attention to defender for cloud, and dive a little deeper into the architecture. We will look at how all the pieces fit together in the Defender for Cloud puzzle and also how this materialises across multiple environments.

# The Rise in Popularity

This section talks about why I think DfC has seen rise in popularity during the start of this year. I think it’s important to highlight these points before we get into the meat of the product itself.

Firstly, changes to Microsoft’s licensing model has influenced a change which creates a need for servers to be onboarded to Defender for Servers, one of Defender for Clouds capabilities.

Microsoft have now deprecated Microsoft Defender for Endpoint for Servers licensing model. This licensing model allowed organisations to onboard servers directly to Defender for Endpoint and remain compliant by purchasing a licence for the onboarded server. When the renewal date arrives, defender for endpoint for servers licensing will not be available to companies using this licensing. This means companies with more than sixty servers need to start utilising Azure-Arc and Defender for Servers.

<aside>
💬 Companies with less than 60 servers can use a licensing model called defender for business servers.

</aside>

The second point is that significant developments in recent releases of the Defender for Cloud connectors for AWS and GCP have made it much easier to connect and protect resources in multi-cloud environments.

# Architecture Overview

Part of the confusion around DfC I think is attributed to not necessarily complex architecture but a large one. Depending on the number of environments, onboarding can become overwhelming due to DfC’s requirement of connecting workloads in different environments via different methods. We will cover these in the next sections but let’s try and visualise the product’s coverage first.

![Architecture](/assets/img/EngineeringContent/DfCArchitecture.drawio-2.png)

As you can see Defender for Cloud provides security for a lot of different resources. In the sections below we will pick apart each how each of the environments are connected, but before we do that we need to pick apart Defender for Cloud itself.

Defender for Cloud is like a wrapper, containing within it individual products to protect specific workload types. For example, virtual machines and other server like resources are protected by a capability within Defender for Cloud called Defender for Servers. On the other hand, containers onboarded to Defender for Cloud are protected by Defender for Containers. We can digest this easier by looking at the visual below.

![Structure](/assets/img/EngineeringContent/DFCStructure-2.jpg)

# Onboarding Methods

For different environments and workloads, onboarding differs slightly. Let’s assume for the sake of brevity that during this section we are talking about onboarding servers.

## Direct Onboarding

Following recent feedback from the security community (and annoying during the writing of this post) Microsoft have now introduced direct onboarding. Previously you had to onboard non-azure resources to DfC via Azure Arc, a lightweight software agent which is capable of deploying various extensions to connected machines. Direct onboarding no longer makes Azure Arc a requirement.

Direct onboarding allows you to deploy defender for endpoint agents via traditional defender for endpoint onboarding methods, but utilise the Defender for Cloud capabilities* and licensing capabilities without the need for Azure Arc. It’s a great and very well welcomed option for admins with limited time and resource.

*Microsoft does allude to some features of DfS Plan 2 not working correctly without Azure Arc. See the limitations listed in the documentation here.

## Azure Arc

For on-premises Microsoft recommends using Azure Arc, a service which essentially makes your on-premises workloads an Azure resource. Once these resources are joined to Azure, Arc enables simple provisioning of extensions for software such as Defender for Endpoint or the Azure Monitor Agent for log shipping.

<aside>
💬 Azure Arc is free for onboarding purposes. Arc only becomes a paid service when you begin to manage configurations using Azure Arc. Guest configurations refer to compliance policies or operating system configurations.

</aside>

<aside>
⚠️ Check the Arc pricing before onboarding. At the time of writing connecting SQL instances with Azure Arc is the only paid service. But I wouldn’t be surprised if this changes.

</aside>

The onboarding process for Arc is different, and there are a tonne of guides out there showing the setup process, but to be honest the Azure Portal guides you through the setup fine. If you run into issues then I would always start troubleshooting the networking requirements first.

## Third-party Cloud

Third-party cloud services can be connected to Defender for Cloud through the environments tab. They are straightforward to set up and require no real maintenance. However, there are a couple of things to note with third-party services:

1. They also use Azure Arc in the backend to provision the services, so the same network connectivity is required to the target machines in the third-party cloud.
2. The extent of the coverage is not the same as Azure resources.

<aside>
⚠️ You can only protect Servers, Databases and containers in third party cloud systems.

</aside>
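Review bot: the front matter here is still the demo post's: `author: cotes`, `date: 2019-08-08 11:33:00 +0800`, `categories: [Blogging, Demo]`, `tags: [typography]` and the Chirpy `alt` text, while the body talks about "the start of 2023" and the 3CX post in this commit uses `author: LJ`. Set the author, date, categories, tags and image for this post, and name the file with the date prefix the way `2019-08-08-text-and-typography.md` does. In the Direct Onboarding section, "See the limitations listed in the documentation here." has no link target, so add the URL. The licensing paragraph says "more than sixty servers" while the aside says "less than 60", which leaves the case of exactly 60 unstated; align the two.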
