GitHub account for Sophos IaaS offerings. Sophos IaaS has 10 repositories available. Follow their code on GitHub. Sophos Central Intercept X: Unexpected APC violation, Credential Theft, Privilege Escalation or Code Cave Exploit mitigation detections KB-000039243 Oct 8, 2020 3 people found this article helpful. Sophos provides a GitHub app which you can install to give Sophos Cloud Optix access to your repositories. You can install the app in your GitHub account or your organization’s account. The tool, released today on the SophosLabs Github, simplifies the task of obtaining either complete inbox contents (in the form of an Exchange-format.pst file) from a previously-compromised server, or partial contents based on filtering rules published by Microsoft as part of their Exchange server technical documentation.
Ongoing work by the SophosLabs Offensive Security team in creating proof-of-concept Red Team tools has borne fruit in what is likely to be the first of many releases to the Metasploit framework. The tool, called metasploit_gather_exchange is not an exploit against one of the numerous Exchange vulnerabilities Microsoft fixed this month and in December, but a post-exploitation data gathering tool that simplifies the retrieval of mailbox data from compromised Exchange servers that are undergoing penetration tests.
The tool, released today on the SophosLabs Github, simplifies the task of obtaining either complete inbox contents (in the form of an Exchange-format .pst file) from a previously-compromised server, or partial contents based on filtering rules published by Microsoft as part of their Exchange server technical documentation. It relies on, and leverages commands from, a set of PowerShell scripts that are included by default with Exchange Server installations, called the Exchange Management Shell.
There are a few caveats that are important to note: The tool cannot, by itself, extract and exfiltrate mail from the server; it requires the user to have gained at least the privilege level of a user assigned to the Organization Management role on the network. As with many Meterpreter-based exploitation and post-exploitation tools, it also requires the penetration tester to have disabled any endpoint security features on the machine running Exchange, including Windows Defender, before they begin executing the commands.
This tool doesn’t provide any advantage to actual threat actors, as they have their own set of capabilities used in the recent attacks, and in any case, Meterpreter payloads are easily detected by endpoint protection tools. Our main goal is to share it with the security community to simplify the otherwise tedious task of proving or demonstrating data exfiltration capabilities during Metasploit testing.
How does it work?
Just a couple of files comprise the metasploit_gather_exchange tool: A Ruby script, and a PowerShell script. The files work in concert to orchestrate the sets of Exchange Management Shell commands required to enumerate the inboxes hosted on the server, and then export those inboxes. Optionally, users of the tool can use the ContentFilter filtering rules to hone in on subject matter of specific interest, so they don’t have to extract (then try to figure out how to exfiltrate) the entire inbox.
The tool’s LIST command produces detailed information about the inboxes hosted on the Exchange server, and about the server itself.
The output from this command includes not just the name of the inbox, but also details about the specific version of Exchange running and the server’s internal name.
Once the Red Team discovers the email account of a person or people they’re interested in, the EXPORT command pulls data down from the Exchange server in the form of a .pst file.
Output from this is handled by the Meterpreter’s “loot” handling mechanism and stores that data in the default location configured in the Meterpreter session.
As this is a post-exploitation data retrieval tool, operators of Exchange servers can prevent threat actors from engaging in this type of data exfiltration by diligently installing security patches and updates for their Windows servers, including updates to Exchange, as soon as they are made available.
Exchange has been subjected to a lot of scrutiny in the past year, and has been patched against a significant number of remote code execution and privilege escalation bugs that could result in techniques demonstrated by a tool like this one becoming usable. The tool has been tested against on-premises installations of Exchange 2010, 2013, 2016, and 2019, and may be usable on cloud installations as well (subject to the caveats mentioned earlier).
Users of the Metasploit framework may download the tool directly from the SophosLabs Github. SophosLabs has also formally requested to have the tool included in the main Metasploit distribution in a future update.
Sophos
As I was going through the lynis suggestions, I realized that I should install an anti-virus solution on my machine. After reading a couple of sites:
I decided to try out sophos. I have used clamav in the past but apparently now it’s detection rate is pretty low:
Installing Sophos
The instructions are covered in Installing the standalone version of SAV for Linux/UNIX and also in the Sophos Anti-Virus for Linux startup guide. I downloaded the archive (the Sophos Anti-Virus for Linux/UNIX: Installing the standalone version page has good screenshots of the process) and then I extracted the archive:
Now let’s do the install:
Also as an FYI, it looks likes the UI is no longer available for sophos.
Compiling the Talpa Module
Initially the talpa module failed to compile:
I was missing the kernel source, so I installed that:
Re-running the compile worked out:
And now let’s load the module:
And to confirm it’s loaded:
Manually Updating Sophos
Sophos Github Tutorial
The update is configured to run every 60 minutes, but we can do one manually:
For good measure, let’s restart the service after the update:
I also double checked the services were enabled:
There are also a couple of services that are disabled (and I think that is okay):
Configuring Sophos Settings
You can check out the basic settings by running the following:
To get a full list you can run the following:
I enabled the option to be notified on an update:
By default the update period of 60 minutes so I decided to changed that to once a day:
Else you will see this in the logs all the time (and if you enabled the option to be emailed on an update, you will get an email every 60 minutes):
Running a quick scan manually
You can run a quick scan manually to see how clean your system is:
Setup a schedule to scan weekly
Thi is covered in Sophos Anti-Virus for Linuxconfiguration guide and Sophos Anti-Virus v9.x For Unix/Linux: Scheduled scan options. First create a folder for sheduled jobs:
Then copy the example to get started:
Modify the job to your needs:
Sophos Github Ioc
And lastly add it to the config:
Sophos Github
If you need to update it, first update the file (vi /opt/sophos-av/etc/jobs/weekly) and then update the config
To always get a summary of the scheduled savscan, you can set the following option (as per the Sophos Anti-Virus for Linux/Unix v9: Complete list of email alert settings:
That should be it, enjoy sophos.