HomeMalware Analysis
How to Set Up a Network Research Laboratory: MonikerLink (CVE-2024-21413) Case Study 
HomeMalware Analysis
How to Set Up a Network Research Laboratory: MonikerLink (CVE-2024-21413) Case Study 

Every now and then, you come across a situation where you need to get hands-on to understand how an exploit or malware works and then create a detection rule. Plus, there are times when it’s essential for the attacking machine to be on the local network to capture network traffic or utilize its own detection tools. 

In this article, we’ll show you how to set up a working environment to gather IOCs and write detection rules, using CVE-2024-21413 as an example. We’ll walk you through integrating the ANY.RUN virtual machine into a local VPN network for this purpose. To do this, we’ll: 

  1. Let’s quickly analyze the CVE and prepare a Proof of Concept (PoC). 
  1. Set up a local VPN network with the ANY.RUN machine. 
  1. Verify the functionality of the PoC and gather NTLM Hash using Impacket. 
  1. Gather IoCs and draft a detection rule. 

Sign up for ANY.RUN to follow along with the investigation 

Set up free account

Description of CVE-2024-21413 and Preparing a PoC 

 This Outlook vulnerability can lead to the leakage of an NTLM Hash, potentially enabling the execution of arbitrary code without alerting the user. 

In essence, when the victim clicks on a link within an email, a file is downloaded from a remote server and executed without any warning prompt. Additionally, during the file’s execution, there’s an attempt to authenticate against the remote server via the SMB protocol, resulting in an NTLM Hash leak. 

One telltale sign of a malicious link is the presence of an exclamation mark at the end of the file URL, enabling it to bypass security mechanisms. With this in mind, let’s draft a sample email to illustrate how to circumvent Outlook’s protection mechanism: 

Note the exclamation mark (“!”)

As depicted in the screenshot above, we appended an exclamation mark to the end of the link and followed it with random text. We designated the attacker’s server as the IP address. In our scenario, this server is a machine on the local network running Kali Linux, which we’ll integrate shortly. 

For a comprehensive demonstration, we also require a document file that, upon opening, triggers the execution of a program, such as “winver.exe” from the System32 directory. You can obtain the RTF file from this link — it leverages CVE-2017-11882 to launch an arbitrary application: 

Example of CVE-2017-11882 exploitation

Integrating of ANY.RUN into a local VPN network 

In order to integrate into the local network, we require a functional OpenVPN server, which will double as the attacker’s host. It’s crucial to exercise caution as malware could potentially gain access to this server. Setting up a VPN server is a detailed process that warrants its own article, hence it’s beyond the scope of this discussion. 

IP address of our local VPN server 

To ensure the stable operation of the internet connection, it’s important not to overlook configuring keep-alive packets in the OpenVPN server configuration file. 

Part of the OpenVPN configuration file with keep-alive option 

Next, we’ll need a client configuration file, known as “OVPN”, which will be utilized to establish the connection of the virtual machine to the network when initiating the task. 

Part of the configuration file OVPN clientOpenVPN with keep-alive option

Navigate to your profile and access the “Custom OpenVPN configs” tab to upload the OVPN client file.

Addia new client configuration to connect to OpenVPN

Create a new task, upload the sample, select our VPN configuration and run the task: 

Upload User VPN configuration in the task

As we remember, the IP address of our VPN server is “10.2.0.1”. Let’s check if it’s accessible using the “ping” utility in ANY.RUN’s virtual machine: 

Seeing the responses from the OpenVPN server confirms that the ANY.RUN virtual machine has successfully connected to the local network. 

With that, the network connection setup is finished.  

Integrate ANY.RUN in your organization 

Contact Sales

Verifying PoC and Collecting NTLM Hashes 

CVE-2024-21413 utilizes the SMB protocol to fetch a remote file, thus requiring an SMB server capable of not only serving the required files but also storing NTLM hashes. For this purpose, we’ll employ the SmbServer from the Impacket package as our server. 

First and foremost, let’s set up a directory containing an “rtf” file. (For sourcing the file, refer to the instructions above): 

Shared SMB directory on the attacker’s server

Next, let’s run impacket-smbserver: 

Launching an SMB server on the attacker’s machine

We’re now ready to click on the link within the generated email. Head over to AnyRun and select “Malicious Link”.

After a brief wait, we notice that “winver.exe” has surfaced in the processes, and the “About Windows” window has popped up on the screen, all without any warning window from Outlook despite the error. 

A process graph displayed in ANY.RUN
There’s a pop-up window and an error, but the code was executed 

Now, let’s navigate back to the server console and confirm that we have successfully collected an NTLM hash. This hash can be subsequently subjected to brute force attacks using utilities such as HashCat or John The Ripper. 

Server

Collecting IOCs and writing a signature 

From the blue team’s perspective, the main task is to collect IOCs and develop detection rules. 

One effective approach is to leverage ANY.RUN’s detection mechanism, which has already flagged numerous malicious activities, including the exploitation of CVE-2017-11882, along with various signatures, and more. 

ANY.RUN indicates malicious activities related to the vulnerability exploitation

Also, in the Network Threats tab, we observe the detection of the “Impacket SMB Server” that we utilized. Interestingly, this server is frequently employed in other attacks as well. (Read our tweet for reference). 

Detect threats with useful tags and access triggered Suricata Rules in ANY.RUN 

Sign up for free
Suricata rules triggered

However, we can also write another signature to detect potential leakage of NTLM hashes to an external network. 

The following rule tracks potential authentication data leakage via the NTLM protocol, which violates local network security policies: 

alert smb any any -> $EXTERNAL_NET any (msg: "POLICY [ANY.RUN] Possible NTLM Hash leak over SMB to External Network (NTLMSSP_AUTH)"; 
flow: established, to_server; 
content: "SMB"; offset: 5; depth: 3; 
content: "NTLMSSP|00 03 00 00 00|"; distance: 0; 
sid: 8001383; rev: 1;) 

This rule has three main conditions: 

  1. It detects SMB traffic. 
  1. It looks for access to the external network. 
  1. It checks for the presence of the NTLM identifier and authentication in the message type within the packet. 

Summary and attack prevention 

The best practice is to keep software updated promptly and to block any outgoing SMB traffic to external networks. By doing so, this type of attack would be thwarted as it would be impossible to reach the attacker’s server. 

In summary, we have explored how to integrate ANY.RUN into a local network and remotely monitor threats using ANY.RUN. 

About ANY.RUN

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for security teams. Every day, 400,000 professionals use our platform to investigate incidents and streamline threat analysis.

Advantages of ANY.RUN 

  • Real-time detection: Within roughly 40 seconds of uploading a file, ANY.RUN can detect malware and automatically identify many malware families using YARA and Suricata rules. 
  • Interactive analysis: Unlike many automated solutions, ANY.RUN allows you to interactively engage with the virtual machine directly through your browser. This interactive capability helps prevent zero-day exploits and sophisticated malware that can evade signature-based detection. 
  • Cost-Effective: For businesses, ANY.RUN’s cloud nature translates into a cost-effective solution, as it doesn’t require any setup or maintenance effort from your DevOps team. 
  • Great for onboarding new security team members: ANY.RUN’s intuitive interface allows even junior SOC analysts to quickly learn how to analyze malware and extract indicators of compromise IOCs. 

Try our sandbox with a free account → 

Electron
Leading malware analyst at ANY.RUN | Website | + posts

I'm a malware analyst. I love CTF, reversing, and pwn. Off-screen, I enjoy the simplicity of biking, walking, and hiking.

khr0x
Malware analyst at ANY.RUN at ANY.RUN | + posts

I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.

Jane
Leading network traffic analysis expert at ANY.RUN at ANY.RUN | Website | + posts

I'm ANY.RUN ambassador and a real network traffic numismatist. I also love penguins and tortoises. My motto is to do good and throw it into the sea.

electron
Electron
Leading malware analyst
I'm a malware analyst. I love CTF, reversing, and pwn. Off-screen, I enjoy the simplicity of biking, walking, and hiking.
khr0x
khr0x
Malware analyst at ANY.RUN
I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.
jane
Jane
Leading network traffic analysis expert at ANY.RUN
I'm ANY.RUN ambassador and a real network traffic numismatist. I also love penguins and tortoises. My motto is to do good and throw it into the sea.

What do you think about this post?

3 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

0 comments