How to create Web Actions - Google Chrome 78.0.3904.70 (CVE-2019-13720) as an example

In this post, I will show you how to use Mandiant Security Validation (MSV) and available exploits to validate whether your internet security controls can detect and/or prevent a Chrome browser exploit.

As a Network Security Administrator or Red Teamer, your task is to validate whether your network security controls can detect and/or prevent a Remote Code Execution exploit targeting Google Chrome 78.0.3904.70 (CVE-2019-13720). The steps are as follows:

  1. Find the exploit that will be used to test the security stack.
  2. Create a network action, in this case a Web Action.
  3. Run the network action between an internal actor (representing a victim PC) and a cloud actor (representing the adversary exploit kit server).
  4. Validate the efficacy of the internet security controls and address any gaps.

1-Find the exploit that will be used to test the security stack:

A quick search turns up an exploit targeting that vulnerability (https://www.exploit-db.com/exploits/50917).

2-Create network action

Now that we have the exploit and are ready to add it to the MSV library, go to Library, select Add Action, and then select Web, as shown in the following photo.

[Screenshot: tameri_0-1716457580240.png]

In the Add Web Action form, click on step one and add the HTTP parameters as shown in the following photo. The exploit is being delivered in an HTML file. I decided to call that file "index.html," but you can choose any name you prefer. The request header is a typical one.

[Screenshot: tameri_1-1716457609883.png]

Now pay attention to the response, as the HTTP response will deliver the exploit payload. The HTTP response will be as follows:

  • Response code: 200
  • Response header: a standard one for basic HTML is sufficient.
  • Content-Length: click Verify length so that the header matches the actual size of the response body.
  • Response body: copy and paste the HTML page containing the exploit from exploit-db.

[Screenshot: tameri_2-1716457631681.png]
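As an added example (not part of the original post and not MSV code), the following Python assembles the 200 response described above from a constructed placeholder body and checks that the declared Content-Length matches the encoded body in bytes, which is the mismatch the Verify length button guards against:

```python
"""Build and sanity-check the HTTP response an MSV Web Action replays.

Added example, not part of the original post or of the MSV product. The
exploit HTML from exploit-db is replaced by a constructed placeholder body.
"""
from __future__ import annotations

# Constructed stand-in for index.html; the real test pastes the exploit page here.
# Contains a non-ASCII character so that character count != byte count.
SAMPLE_BODY = "<html><body><p>caf\u00e9</p></body></html>\n"


def build_response(body: str, extra_headers: dict[str, str] | None = None) -> bytes:
    """Assemble a 200 OK response whose Content-Length is computed from the
    UTF-8 encoded body (bytes, not characters), as Verify length does."""
    body_bytes = body.encode("utf-8")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": str(len(body_bytes)),
        "Connection": "close",
    }
    if extra_headers:          # lets a caller override a header, e.g. to simulate a bad length
        headers.update(extra_headers)
    head = "HTTP/1.1 200 OK\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"
    return head.encode("ascii") + body_bytes


def content_length_matches(raw: bytes) -> tuple[bool, int, int]:
    """Parse a raw response and compare the declared Content-Length with the
    real body size. Returns (ok, declared, actual). A mismatch means the victim
    browser truncates or waits on the replayed page, so the security control
    never sees the full exploit and the validation result is meaningless."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    declared = -1
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    return declared == len(body), declared, len(body)
```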

Next, add the necessary information as per the following photo and then save the action.

[Screenshot: tameri_3-1716457642761.png]

3-Run the Web Action

In the MSV library, find the newly created action and open it to validate the action data along with the exploit page.

[Screenshot: tameri_4-1716457697438.png]

[Screenshot: tameri_5-1716457702001.png]

Run the action and select the source and destination as follows:

  • Source: an internal victim actor, which can be either a Windows PC or a Network Actor
  • Destination: The Cloud Actor used as the adversary server

[Screenshot: tameri_6-1716457750582.png]

4-Validate the efficacy of the internet security controls and address any gaps

When the action completes, you can see that the exploit was blocked.

[Screenshot: tameri_7-1716457791964.png]

When viewing the events and logs received via the integration with Palo Alto and Chronicle, you can see that the Palo Alto NGFW detected the exploit (classified as a Chrome vulnerability) and prevented it.

[Screenshot: tameri_8-1716457801303.png]

You can also see that Chronicle (the SIEM deployed in this case) received the logs from Palo Alto NGFW.

[Screenshot: tameri_9-1716457817497.png]

By following these steps, you can demonstrate with evidence that your internet security controls and SIEM integration can detect and prevent remote exploits targeting the Google Chrome browser vulnerability (CVE-2019-13720).
