Seeking Out Dead and Dying Servers
Published Jan 17 2023 02:47 PM
Microsoft

Peruse any social media platform where InfoSec practitioners interact and share their findings, and you will likely find a mention of the latest and greatest 0-day exploit making the rounds. Although 0-days represent the cutting edge of threat activity, aside from specific errors or backdoors in easily identifiable software, they are often the result of misconfigurations, poor defense-in-depth design, or a lack of regular patching and updating.

 

The most sophisticated 0-days, those that don't require some error or neglect by defenders, are rare and need specific conditions and a lot of luck to succeed. There are vast numbers of much more common vulnerabilities that most people should investigate first. Finding out what an attacker can leverage against your organization from their perspective, and seeing which platforms and version numbers exist across the entire enterprise, is one of the most significant advantages of using Microsoft Defender for External Attack Surface Management (MDEASM).

 

Many organizations are shocked to find deprecated technologies that require immediate attention as part of their online presence. More importantly, they often discover deprecated assets that they did not know were still online. In future Tech Community articles, we will drill deep into solving an array of shadow IT issues like this. Here, though, we'll highlight a particular type of rogue asset that can hide in plain sight: dead and dying web servers. We'll also show you some tricks for finding these assets while excluding others that do not require immediate action.

 

Note: To follow along in this blog, you must have completed discovery in an MDEASM workspace to which you have, at minimum, read permissions.

 

One of the most common critical findings by MDEASM customers is severely outdated versions of Apache web server and Microsoft IIS (Internet Information Services). In your MDEASM instance, once an inventory is created and the full discovery has been completed, select "Inventory" from the General section on the left. Notice the filter section at the top of the Inventory blade. This section is where our focus will be for now.

 


 

MDEASM has well over 200 asset attributes to use as filters, which we can combine with 18 operators to select precise subsets of your external attack surface. Select 'Add filter' and select the first instance of 'Web Component Name'.

 

Note that some filters apply universally to all assets, and others only apply to some. 'Web Component Name' is listed three times under Host, Page, and IP Address asset types. Selecting any of the three instances will act upon all applicable asset types, so it does not matter which you choose.

 

After selecting the 'Web Component Name' filter, select 'Matches In' as the operator. Next, type 'IIS' and press Shift+Enter. Then type 'Apache'. Select Apply when ready.

 

After the results are returned, you may notice that every asset with any Apache platform or IIS is listed, regardless of the version number or state of potential risk. We need to add another filter to refine the results further. A quick shortcut to finding the most potentially vulnerable assets is to use the 'Affected CVSSv3 Score' filter. Here, we add the numerical operator 'Greater Than or Equal To' and the numerical value of 9 and press Apply.

 


 

Now, let's specify that we only want web servers by clicking 'Add filter'. Under Filter, select 'Web Component Type', then the operator 'Equals' and the value 'Server'.

 

Together, these filters return any asset in Approved Inventory (those that MDEASM will actively monitor and present in analytics) on which we have recently detected a web server technology whose name matches 'Apache' or 'IIS' and which has an active CVE with a CVSSv3 score of 9 or higher. These results are a great place to start looking for assets that require investigation. Adjust the filters to suit your needs and explore across your attack surface.

 

Also, as assets are patched and updated and then rescanned automatically, the platform will expire the older component versions after several unsuccessful follow-on detections and identify new ones.

 

Bonus: Try to see if the inverse is true. Can you find active web servers on IP addresses that do not have a host associated with them but have common HTTP-related ports like 80, 443, and 8080 open?

 

Regardless of the server type or version, this would be out of place in many organizations except under specific conditions. Even then, it might warrant an investigation. Try it for yourself and see what you find. Use different filters combined with various operators to discover new things. Don't worry if nothing comes up - in most cases, that's a good thing.
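The three-filter combination and the bonus check above can also be run offline against exported inventory data. The following is an added example, not code from Microsoft or MDEASM: the record layout, field names and sample assets are constructed for illustration, 'Matches In' is assumed to be a case-insensitive substring match, and all three conditions are required to hold on the same component so that a critical CVE on an unrelated component does not flag a current web server.

```python
# Constructed inventory records; the field names are assumptions made for this
# example and are not the MDEASM export schema.
INVENTORY = [
    {"asset": "legacy.example.com", "kind": "host", "open_ports": [80, 443],
     "components": [{"name": "Apache", "version": "2.2.15", "type": "Server", "max_cvss3": 9.8}]},
    {"asset": "www.example.com", "kind": "host", "open_ports": [443],
     "components": [{"name": "Apache", "version": "2.4.57", "type": "Server", "max_cvss3": 5.3},
                    {"name": "ExampleCMS", "version": "1.0", "type": "CMS", "max_cvss3": 9.1}]},
    {"asset": "mail.example.com", "kind": "host", "open_ports": [443],
     "components": [{"name": "Microsoft IIS", "version": "6.0", "type": "Server", "max_cvss3": 10.0}]},
    {"asset": "203.0.113.10", "kind": "ipAddress", "hosts": [], "open_ports": [22, 8080], "components": []},
    {"asset": "203.0.113.20", "kind": "ipAddress", "hosts": ["www.example.com"], "open_ports": [443], "components": []},
    {"asset": "203.0.113.30", "kind": "ipAddress", "hosts": [], "open_ports": [22], "components": []},
]

SERVER_NAMES = ("iis", "apache")   # values typed into 'Web Component Name'
WEB_PORTS = {80, 443, 8080}        # common HTTP-related ports from the bonus exercise

def critical_web_servers(inventory, names=SERVER_NAMES, min_cvss=9.0):
    """Assets with a Server component matching `names` whose own CVSSv3 score is >= min_cvss."""
    hits = []
    for rec in inventory:
        for comp in rec.get("components", []):
            name = comp.get("name", "").lower()
            score = comp.get("max_cvss3")  # None when no CVE is associated
            if (comp.get("type") == "Server"
                    and any(n in name for n in names)
                    and score is not None and score >= min_cvss):
                hits.append((rec["asset"], f'{comp["name"]} {comp.get("version", "?")}', score))
    return sorted(hits, key=lambda h: -h[2])  # highest score first

def hostless_web_ips(inventory, ports=WEB_PORTS):
    """IP address assets with no associated host but at least one common HTTP port open."""
    return [(rec["asset"], sorted(ports & set(rec.get("open_ports", []))))
            for rec in inventory
            if rec.get("kind") == "ipAddress" and not rec.get("hosts")
            and ports & set(rec.get("open_ports", []))]

if __name__ == "__main__":
    for asset, comp, score in critical_web_servers(INVENTORY):
        print(f"{score:>4}  {asset:<20} {comp}")
    for asset, open_web in hostless_web_ips(INVENTORY):
        print(f"no host, web ports {open_web}: {asset}")
```
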

 

We hope you found this blog post helpful. Please comment below with any questions, or let us know how your hunt for dead and dying servers is going! 

 
