
27 January 2020

Basic custom F5 APM Login Page



I’m working a lot with F5 APM these days. Last month, I learnt how F5 APM & SAML work and I also configured OAuth with Facebook. I’ve configured an AWS Connector and a Salesforce Connector in F5 APM. In addition, I’ve learnt how to configure an AutoLaunch SAML resource in F5 APM. Last week, I’ve been reading how to customize the APM login page to change colours and logos from the GUI.

I would like to highlight today how to configure a basic and easy custom login page from the GUI. It’s really easy. We’ll see in the next video how we can customize the login page in two steps. Firstly, we’ll change the main image and the text from the Visual Policy Editor (VPE). Finally, we’ll change the logo and colours from the Basic Customization section. Two steps. Really easy!




However, we can also develop a custom web page and upload it to F5 APM. There is an Advanced Customization section in the APM module which can be used to build a fully custom login page.

Advanced custom F5 APM Login Page
 
Regards my friends! Drop me a line with the first thing you are thinking!

20 January 2020

Windows Server 2016 forensics



There is lots of information on the net for learning about forensics. Last year, I recorded a video about fileless malware forensics because I wanted to know how this kind of malware works. It was easy to learn about it because there was a video about fileless malware forensics on the CCN-Cert channel. This week, I’ve wanted to learn more about forensics. Therefore, I’ve watched a new video on the CCN-Cert channel where there is a new forensics laboratory, and I’ve recorded the first episode, where a Windows Server 2016 is analysed. This lab has been fun and it has helped me to reinforce my knowledge about forensics.

We can watch in the video how to check digital evidence and how to get information from the Windows Registry and the event logs. The aim of this forensic analysis is to find out who leaked confidential information and how.


Have a nice day! Keep learning and keep studying!

13 January 2020

Buyology



I love reading. So I read the book Buyology by Martin Lindstrom during my Christmas holidays. It is a very interesting book based on a neuromarketing study in which consumers’ brains are scanned with MRI brain scanners to find out what happens before and during the act of buying.

There are many studies in this book. I would like to highlight one study which says that the brains of consumers who buy Apple products show the same patterns as those of nuns when they pray. It’s incredible! There is another study which says that researchers, who are very intelligent people, refuse to try on a sweater when someone tells them it belonged to a criminal. Even if it is a lie.

In my opinion, it is a very interesting book for understanding why people often buy things they do not need. I encourage you to discover it for yourself. Read this wonderful book!

Have a nice day!

6 January 2020

Fileless click-fraud malware



It’s a holiday today. Lots of kids will be opening presents and playing with new toys. However, I’m here as every week. I’m reading and writing about malware. I read about the evolution of the fileless click-fraud malware Poweliks last week and I wanted to read it in depth and write about it. I think this is the best way to learn and gain knowledge about this kind of malware. I’ve already written about fileless malware forensics. Therefore, I know a little bit about how this malware works. Today, I’m going to dig into the tricks and innovations of the fileless click-fraud malware Poweliks.

The first innovation is the registry protection. It’s a trick used by this fileless malware which inserts an extra registry subkey. This subkey contains an entry whose name includes the 0x06 byte and the 0x08 byte, which are not printable Unicode characters, so it is difficult to read and delete properly. For instance, we won’t be able to read or delete this subkey with the default Windows Registry Editor. Therefore, we need another registry tool to handle these special characters. In addition, administrative users won’t be able to delete this subkey either, so its permissions must be modified in order to delete the unreadable entry.

Extra registry subkey to protect Poweliks in memory

Another innovation is CLSID hijacking. A CLSID, or Class Identifier, is a globally unique identifier that is used to represent a specific instance of a program. It allows operating systems and software to detect and access software components without identifying them by their names. CLSID hijacking is used by fileless malware to implant DLLs. These DLLs are then loaded legitimately by trusted and whitelisted processes such as explorer.exe, Chrome, Internet Explorer, etc.

The third trick or innovation is fileless persistence. Lots of malware hides a malicious executable on the compromised computer, which is then executed. However, fileless malware doesn’t store anything on disk. It saves malicious code in the Windows Registry, which is executed to load malicious DLLs. For instance, the fileless malware Poweliks executes rundll32.exe with several parameters, one of which is JavaScript code used to load the malware into memory.

Loading JavaScript code through the registry
 
Most fileless malware needs an exploit to insert its code into the Windows Registry. For instance, Poweliks was using a Windows zero-day exploit for privilege escalation. Thanks to this zero-day vulnerability, Poweliks ran regedit to insert the malicious code into the Windows Registry. In addition, Poweliks was using this vulnerability to run a batch file.
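The three tricks above (unreadable control characters in registry names, CLSID hijacking, and rundll32 launching JavaScript from a registry value) can all be triaged from a registry snapshot. The following script is an added example and not part of the original post or of any tool it mentions; the entry format, the sample snapshot and the user-writable-path heuristic for hijacked CLSIDs are my own assumptions.

```python
"""Triage a registry snapshot for the three Poweliks tricks described above.

Entries are (key_path, value_name, value_data) tuples, as a forensic registry
parser might hand them over. The SAMPLE below is constructed, not captured data.
"""
import re

# Control characters (U+0000-U+001F) are what makes an entry unreadable in regedit.
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")
# rundll32 invoked with a javascript: argument is the fileless loader pattern.
RUNDLL_JS = re.compile(r"rundll32(\.exe)?.*javascript:", re.IGNORECASE)
# Heuristic (assumption): a COM server DLL registered from a user-writable
# location is a candidate for CLSID hijacking and deserves a closer look.
USER_PATHS = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)


def scan_entries(entries):
    """Return a list of (rule, key_path, value_name) findings."""
    findings = []
    for key_path, value_name, value_data in entries:
        if CONTROL_CHARS.search(key_path) or CONTROL_CHARS.search(value_name):
            findings.append(("control-char-name", key_path, value_name))
        if isinstance(value_data, str) and RUNDLL_JS.search(value_data):
            findings.append(("rundll32-javascript", key_path, value_name))
        if key_path.lower().endswith("\\inprocserver32") and \
                isinstance(value_data, str) and USER_PATHS.search(value_data):
            findings.append(("clsid-user-path-dll", key_path, value_name))
    return findings


# Constructed sample snapshot: one benign entry plus one instance of each trick.
# The GUID and script text are placeholders, not real indicators.
SAMPLE = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\x06\x08",
     'rundll32.exe javascript:"<placeholder loader script>"'),
    (r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
     "", r"C:\Users\victim\AppData\Roaming\loader.dll"),
]

if __name__ == "__main__":
    for rule, key, name in scan_entries(SAMPLE):
        print(f"{rule}: {key} [{name!r}]")
```

The `!r` in the print call is deliberate: it shows the control characters as escapes, which is exactly what regedit fails to do.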

Finally, how does this malware put money in the attackers’ pockets? Fileless click-fraud malware clicks on lots of ads. However, the victim doesn’t know that the computer is clicking so many ads. Meanwhile, the attackers earn the money paid by the advertiser to the publisher. In addition, this kind of malware can also download more malware. For instance, one of the websites visited by Poweliks resulted in Cryptowall being installed on the computer.

Poweliks advertisement request
 
To sum up: it’s a holiday. There are lots of gifts and presents today. I wish you many of them this year. However, keep your eyes open! Be cautious! Protect your systems!!

Have a nice day!