Windows 10 vs. Microsoft ATA

We started to use Microsoft Advanced Threat Analytics (ATA) a couple of months ago. Honestly, it seems to be a pretty good toy. I know what I used to do when pen testing internal networks, and the alerts this thing raises line up pretty well with those techniques. So ATA alerts have high priority on my list. However, we recently started to receive a bunch of them. Most of the alerts were either “Suspicion of identity theft based on abnormal behavior” or “Reconnaissance using directory services enumeration”. Let’s put the second one aside for a second – that’s a different story. The first one, though, bugged me a lot. DISCLAIMER: this alert can be either a “High” or a “Medium” severity event. Everything in this post refers to the “Medium” alert. The highs are different and should be investigated!!

So let’s say you received a Medium alert of this identity theft thingy. It should look something like this:

[Screenshot: The alert from the ATA console]

The first thing you want to check is those “abnormal resources”. If you click on the link, you get the list of the accessed computers and the protocols used. If you are like me, you won’t find anything interesting among the computers, except for the fact that in most cases there are a lot of them. As you can see on the screenshot above, we had 123 computers for that single alert. Pay attention to the listing, though! In every single case the remote host was accessed via CIFS (445/tcp).

[Screenshot: Details of those “abnormal resources”]

If you are familiar with pen testing and SMB auth probes, this is most probably the last thing you want to see: a lot of SMB connections from a single computer to several others. Someone might be running SMB auth sweeps on the network. On top of that, such an alert indicates successful connections. Getting worse and worse…

As bad as it looked, something just didn’t match. We had a bunch of these alerts from a lot of different source computers and we found nothing suspicious besides the ATA alerts themselves. So I started to check the source computers. I didn’t know what I was looking for. My first thought was that it’s an application doing some weird crap. So the plan was to collect all the computers and ask desktop support to help me find something in common. While I was collecting the computers I realized all of them were Windows 10. This was no surprise, as we were rolling out Win10 like crazy. However, I also knew that our other division was still on Windows 7 and they saw no such alerts. Okay… so maybe it’s something with Win10, right? After searching a bit, it hit me.. crap.. it was so obvious (after I found it :)). This is the new feature of Windows 10 called Delivery Optimization. If you are not familiar with this feature, it’s basically peer-to-peer Windows updates. Yep, your Windows 10 can download updates from other computers. You can find a short summary of this feature here: https://privacy.microsoft.com/en-us/windows-10-windows-update-delivery-optimization

As I understand it, the Delivery Optimization Service (DoSvc) uses dedicated ports (a TCP listener on port 7680 and a UDP receiver on port 3544, the Teredo port), but the peer discovery apparently involves 445/tcp, which kind of makes sense. At least this is my best guess so far; I still need to do some testing. The quickest way to confirm or refute it is to take one of the flagged hosts and map its outbound 445 connections to the process and service that own them, and to compare that with what Delivery Optimization itself reports about peers.
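Here is the triage I would run on one of the flagged Windows 10 hosts. This is an added example, not code from the original post: it maps every outbound 445/tcp connection to its owning process and (for svchost) the services hosted in that process, lists the client-side SMB sessions with share and user, and then dumps Delivery Optimization's own view of peering. The DO cmdlets exist on Windows 10 1703 and later; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Run elevated on the ATA "source" host.

# Service name(s) per PID: svchost hosts several services in one process, so a
# bare PID is not enough to tell DoSvc apart from LanmanWorkstation, BITS, etc.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0 | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

# 1. Every outbound SMB connection and who owns it.
#    Caveat: the SMB redirector runs in the kernel, so connections it opens are
#    owned by PID 4 ("System"); those need step 2 to see the share and the user.
$smbConnections = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Where-Object State -ne 'Listen'

$smbConnections | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Remote   = $_.RemoteAddress
        State    = $_.State
        Pid      = $_.OwningProcess
        Process  = if ($proc) { $proc.ProcessName } else { '?' }
        Services = ($servicesByPid[[int]$_.OwningProcess] -join ', ')
    }
} | Sort-Object Remote | Format-Table -AutoSize

# Distinct peers per owning service set: one line per "who" rather than per host.
$smbConnections |
    Group-Object { $servicesByPid[[int]$_.OwningProcess] -join ', ' } |
    Select-Object Name, Count

# 2. Client-side SMB sessions: which server, which share, as which user.
#    IPC$ with many servers and the machine account is what an automated
#    service looks like; user shares under a human account is something else.
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Dialect, NumOpens |
    Sort-Object ServerName | Format-Table -AutoSize

# 3. Delivery Optimization's own view: is DoSvc running, how many peers,
#    and how many bytes actually came from peers versus plain HTTP.
Get-Service DoSvc | Select-Object Name, Status, StartType
Get-DeliveryOptimizationPerfSnap | Format-List
Get-DeliveryOptimizationStatus |
    Select-Object FileId, BytesFromPeers, BytesFromHttp, SourceURL |
    Format-Table -AutoSize
```

If step 1 shows PID 4 for all of the 445 connections, step 2 is the part that matters: a fan-out to IPC$ on many servers under the machine account points at a service, while sessions to user shares under an interactive user account are exactly what the ATA alert was designed to catch and should be handled as a real incident. Step 3 only tells you whether DO is peering at all; it does not by itself prove that the 445 traffic belongs to it.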

If you want some additional details and want to look under the hood: http://windowsitpro.com/windows-10/how-does-delivery-optimization-windows-10-work

And finally, if you want to learn how to control WUDO: https://www.ghacks.net/2016/08/17/windows-10-update-delivery-optimization/
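If you want to pin the download mode on a lab or pilot host while you investigate, the following is an added example (not code from the linked article or from Microsoft) that reads the effective Delivery Optimization download mode and writes the same policy value the "Download Mode" Group Policy sets. The DODownloadMode values are the documented ones; in production use the real GPO, since a domain policy refresh overwrites whatever this writes locally.

```powershell
# Added example, not from the linked article. Documented DODownloadMode values:
#   0 = HTTP only, no peering        1 = LAN (peers behind the same NAT)
#   2 = Group (peers in a group)     3 = Internet peering
#  99 = Simple mode, no peering and no DO cloud service
$DoPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$DoConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'

function Get-DoDownloadMode {
    # The policy value, when present, wins over the per-machine Config value.
    foreach ($path in $DoPolicyKey, $DoConfigKey) {
        $value = (Get-ItemProperty -Path $path -Name DODownloadMode `
                  -ErrorAction SilentlyContinue).DODownloadMode
        [pscustomobject]@{ Source = $path; DODownloadMode = $value }   # $null = not set
    }
}

function Set-DoDownloadMode {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2, 3, 99)][int]$Mode)
    if ($PSCmdlet.ShouldProcess($DoPolicyKey, "Set DODownloadMode=$Mode")) {
        New-Item -Path $DoPolicyKey -Force | Out-Null
        Set-ItemProperty -Path $DoPolicyKey -Name DODownloadMode -Value $Mode -Type DWord
        # DoSvc reads its mode at start; restart so the change applies now.
        Restart-Service DoSvc -ErrorAction SilentlyContinue
    }
}

Get-DoDownloadMode           # before: policy value is usually absent, Config holds the mode
Set-DoDownloadMode -Mode 0   # HTTP only: no peer-to-peer while the alert is investigated
Get-DoDownloadMode           # after: policy value present, and it takes precedence
```

`Set-DoDownloadMode -Mode 0 -WhatIf` shows what would be written without touching the registry, which is the sensible first run on a machine you do not own.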

 


When the latest update fails you

Recently we had a pretty weird experience with the Barracuda Web Filters we are using. We noticed that a site that should have been blocked was accessible for some users. The domain was tr553.com.

Here is why we believed it was being blocked. On the Barracuda, you can check the categorization of a URL via the Content Filter Lookup functionality. As you can see, the given domain was categorized as “Advertisements & Popups”.


On the Content Filter page, you can define whether a particular category is allowed or blocked. The advertisements category was clearly blocked on all devices.


But still, we could access the https://tr553.com site through the proxy. Some of you may think we must have had SSL inspection turned off, and that this is an HTTPS URL. Actually, you are right. For various reasons (that will be another story) we have SSL inspection turned off on the web filters, and that is an HTTPS URL indeed. However, the Barracuda web filters are smart enough to enforce the content filter policies (actually all domain-based restrictions) on HTTPS URLs even if you don’t have SSL inspection, because the domain is visible in the CONNECT request and the TLS handshake. And yes, usually it works just fine. But let’s go back to our little problem here. There is a pretty cool feature on the Barracuda: you can use its troubleshooting page to test whether a particular user and/or client IP can access a page or not. When we did so with https://tr553.com, we got the following result.


That’s a deny!!! What Da FrozenCow?? So the Barracuda says, “Hey, no worries, I’m gonna block this site”, but in reality it doesn’t block a thing.

We tried one more thing: we visited http://533.com and guess what?! It was blocked! So if we used HTTP instead of HTTPS, everything worked as expected. I know what you’re thinking… it’s the SSL inspection. No, it’s not. Because a) I know from experience that the content filter blocks work perfectly with HTTPS sites and b) read further 🙂

This was when we started to test it on other devices – luckily we have a handful of Barracuda proxies :). And there came the second surprise. On a different device (same settings), the request was blocked as it should have been.


We double-checked everything; the two devices were identical in terms of configuration. My next idea was to remove the device from the rack and either burn it or sell it on eBay, but then we realized the difference. We were running the latest shiny firmware (version 12.whatever) on the first device, while we were still on v11 on the second one. Yes, the old firmware did its job perfectly, while the new one had a major bug.
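The check that found this can be scripted so it runs against every proxy, over both HTTP and HTTPS, before and after a firmware upgrade. The block below is an added example, not code from the original post: it sends a plain-HTTP GET and an HTTPS CONNECT for one domain through each explicit proxy, records the proxy's status line, and warns when the proxies disagree. The proxy hostnames, the proxy port (3128) and the target domain are assumptions for the example; adjust them to your environment.

```powershell
# Added example, not from the original post. Proxy names, port and target are assumed.
function Invoke-ProxyProbe {
    param(
        [Parameter(Mandatory)][string]$Proxy,
        [int]$Port = 3128,                         # assumed explicit-proxy port
        [Parameter(Mandatory)][string]$TargetHost,
        [ValidateSet('http', 'https')][string]$Scheme = 'https',
        [int]$TimeoutMs = 5000
    )
    # HTTPS through a proxy without SSL inspection is a CONNECT tunnel; the proxy
    # only ever sees the host:port, so that is where a domain-based block must fire.
    $request = if ($Scheme -eq 'https') {
        "CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n"
    } else {
        "GET http://$TargetHost/ HTTP/1.1`r`nHost: $TargetHost`r`nConnection: close`r`n`r`n"
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.SendTimeout = $TimeoutMs
        $client.ReceiveTimeout = $TimeoutMs
        $client.Connect($Proxy, $Port)
        $stream = $client.GetStream()
        $bytes = [Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $buffer = New-Object byte[] 4096
        $read = $stream.Read($buffer, 0, $buffer.Length)
        $reply = [Text.Encoding]::ASCII.GetString($buffer, 0, $read)
        # The status line is the verdict: "200 Connection established" on a CONNECT
        # means the tunnel was opened, i.e. the domain filter did not fire at all.
        $verdict = ($reply -split "`r`n")[0]
    } catch {
        $verdict = "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ Proxy = $Proxy; Scheme = $Scheme; Target = $TargetHost; Verdict = $verdict }
}

function Compare-ProxyVerdicts {
    # Warn for every scheme where identically configured proxies answered differently.
    param([Parameter(Mandatory)][object[]]$Results)
    $Results | Group-Object Scheme | ForEach-Object {
        $distinct = @($_.Group.Verdict | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            $detail = ($_.Group | ForEach-Object { '{0} => {1}' -f $_.Proxy, $_.Verdict }) -join '; '
            Write-Warning ('{0}: proxies disagree: {1}' -f $_.Name, $detail)
        }
    }
}

$proxies = 'proxy-a.example.internal', 'proxy-b.example.internal'   # assumed names
$results = foreach ($p in $proxies) {
    foreach ($s in 'http', 'https') {
        Invoke-ProxyProbe -Proxy $p -TargetHost 'tr553.com' -Scheme $s
    }
}
$results | Format-Table -AutoSize
Compare-ProxyVerdicts -Results $results
```

For the HTTP probe, a filter that serves a block page may answer with a 200 and the block page as the body, so the status line alone does not separate "allowed" from "blocked" there; compare the bodies as well if you want a hard verdict for plain HTTP. For the CONNECT probe the status line is decisive, and it is the one that exposed the v12 regression described above.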

Honestly, I don’t understand this. Content filtering is a core (and basic) feature of a proxy server. How is it possible that a firmware release ships with a flaw in this core functionality? The only possible explanation is that these updates are not tested properly. My problem is that we are talking about security products here!! In this example it was an advertisement site, so one could say “who cares?”, but the same functionality is used to block malicious sites, and we have custom blacklists with plenty of domains. A domain block that silently fails open for HTTPS leaves every entry on those lists reachable, and nothing in the console tells you so.

What frustrates me is that the more I work on the defensive side, the more often I see things like this. It’s so disappointing.