Transparency of Attacker Tooling

Transparency of Attacker Tooling

Published on

Published on

Published on

Aug 17, 2023

Aug 17, 2023

Aug 17, 2023

Transparency of Attacker Tooling
Transparency of Attacker Tooling
Transparency of Attacker Tooling
TABLE OF CONTENTS

How Open Directories Help with Threat Hunting and Incident Response

Popular web servers are configured to list files and directories of the root directory if there is no index file. Such listings are usually called open directories or directory listings. This can lead to unexpected information disclosure when private files are exposed by an accident.

An open directory is a listing of files that can be downloaded via HTTP. Sometimes the root path of a web server is a home directory with all the files. Basically, it's a read-only FTP server that's available via HTTP.

For example, Python language has a built server that allows one to start using a server using one command:

httpshuntioimagesblogsblog-2img-1-2xwebp

Unfortunately, such simplicity comes with security problems. People usually don't understand that when you host an open directory on a popular port --- web crawlers and scanners will find it within a day. Not knowing that detail, they accidentally expose a lot of data.

httpshuntioimagesblogsblog-2img-2-2xwebp

Directory listings are popular among malicious actors. They use them to host malicious executables, payloads or download exfiltrated data from web servers to their local machines. And guess what? A lot of them do not follow operational security practices. They also don't understand that their data can be exposed and help with investigations.

Content of open directories

Malicious directories host a variety of files. By analyzing them, you can find the following data:

1 Executables, logs, and configuration files from command and control servers, such as Cobalt Strike, Sliver C2, Brute Ratel C4, Metasploit, and so on.

2 Bash history, where you can see various logs about hacking attempts, data exfiltration, information gathering, reconnaissance, and so on. Such history files can often help to find the victims of attacks and inform them.

3 Logs from RATs (remote administration tools) or informational stealer's that contains a lot of sensitive data from victims.

4 New malware that was not known before.

How to find malicious directories

Finding malicious directories can be challenging because there are many legit ones, and we must filter them out.

Here are some indicators that help us to classify open directories as malicious:

1 Pattern matching. An open directory can contain files known to be related to malware, red-team, or hacking tools.

2 An open directory hosted on the same IP as the command and control server or other malicious software.

3 The IP is blocklisted by third-party vendors.

4 The executables that an open directory hosts are malicious according to sandboxing tools or antiviruses.

Malicious open directories are often short-lived, and it's important to download all the files for further investigation.

Hunt does this automatically.

There are 400 GitHub projects tagged and it will be updated daily.

httpshuntioimagesblogsblog-2img-3-2xwebp

You can click a scan signature to see all open directories that have validated C2s on them

which looks like this:

httpshuntioimagesblogsblog-2img-4-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

Click on any malware tag and find all the files that have the same tag:

httpshuntioimagesblogsblog-2img-5-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

Do keyword searching inside of open directories to find files (it's cumulative sorted by date):

httpshuntioimagesblogsblog-2img-6-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

You can search for the same file across all open directories (by sha256 by clicking the magnifying glass by the sha256)

httpshuntioimagesblogsblog-2img-7-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

Ultimately, various strategies can be deployed to identify open directories. Utilizing pattern matching, examining IP addresses, and employing sandboxing tools can aid in identifying potentially harmful open directories. Hunt.io contributes to the proactive detection and analysis of these directories.

https://hunt.io/images/blogs/union-blue.pngApply for an account to discover more.

TABLE OF CONTENTS

How Open Directories Help with Threat Hunting and Incident Response

Popular web servers are configured to list files and directories of the root directory if there is no index file. Such listings are usually called open directories or directory listings. This can lead to unexpected information disclosure when private files are exposed by an accident.

An open directory is a listing of files that can be downloaded via HTTP. Sometimes the root path of a web server is a home directory with all the files. Basically, it's a read-only FTP server that's available via HTTP.

For example, Python language has a built server that allows one to start using a server using one command:

httpshuntioimagesblogsblog-2img-1-2xwebp

Unfortunately, such simplicity comes with security problems. People usually don't understand that when you host an open directory on a popular port --- web crawlers and scanners will find it within a day. Not knowing that detail, they accidentally expose a lot of data.

httpshuntioimagesblogsblog-2img-2-2xwebp

Directory listings are popular among malicious actors. They use them to host malicious executables, payloads or download exfiltrated data from web servers to their local machines. And guess what? A lot of them do not follow operational security practices. They also don't understand that their data can be exposed and help with investigations.

Content of open directories

Malicious directories host a variety of files. By analyzing them, you can find the following data:

1 Executables, logs, and configuration files from command and control servers, such as Cobalt Strike, Sliver C2, Brute Ratel C4, Metasploit, and so on.

2 Bash history, where you can see various logs about hacking attempts, data exfiltration, information gathering, reconnaissance, and so on. Such history files can often help to find the victims of attacks and inform them.

3 Logs from RATs (remote administration tools) or informational stealer's that contains a lot of sensitive data from victims.

4 New malware that was not known before.

How to find malicious directories

Finding malicious directories can be challenging because there are many legit ones, and we must filter them out.

Here are some indicators that help us to classify open directories as malicious:

1 Pattern matching. An open directory can contain files known to be related to malware, red-team, or hacking tools.

2 An open directory hosted on the same IP as the command and control server or other malicious software.

3 The IP is blocklisted by third-party vendors.

4 The executables that an open directory hosts are malicious according to sandboxing tools or antiviruses.

Malicious open directories are often short-lived, and it's important to download all the files for further investigation.

Hunt does this automatically.

There are 400 GitHub projects tagged and it will be updated daily.

httpshuntioimagesblogsblog-2img-3-2xwebp

You can click a scan signature to see all open directories that have validated C2s on them

which looks like this:

httpshuntioimagesblogsblog-2img-4-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

Click on any malware tag and find all the files that have the same tag:

httpshuntioimagesblogsblog-2img-5-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

Do keyword searching inside of open directories to find files (it's cumulative sorted by date):

httpshuntioimagesblogsblog-2img-6-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

You can search for the same file across all open directories (by sha256 by clicking the magnifying glass by the sha256)

httpshuntioimagesblogsblog-2img-7-2xwebp

https://hunt.io/images/blogs/union-blue.pngUse It

Ultimately, various strategies can be deployed to identify open directories. Utilizing pattern matching, examining IP addresses, and employing sandboxing tools can aid in identifying potentially harmful open directories. Hunt.io contributes to the proactive detection and analysis of these directories.

https://hunt.io/images/blogs/union-blue.pngApply for an account to discover more.

Related Posts:

Jun 20, 2024

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Jun 20, 2024

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Jun 18, 2024

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Jun 18, 2024

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Gh0st and Pantegana: Two RATs that Refuse to Fade Away
Jun 12, 2024

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

Gh0st and Pantegana: Two RATs that Refuse to Fade Away
Jun 12, 2024

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

Jun 6, 2024

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

Jun 6, 2024

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

Jun 20, 2024

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Jun 18, 2024

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...