Introduction: System Center Orchestrator (previously Opalis) is an automation tool that can orchestrate different Microsoft technologies such as the System Center suite, Microsoft Exchange, Microsoft Active Directory, etc. Orchestrator provides end-to-end solutions for operating system deployment, application streaming, VDI and FIM by integrating infrastructure components with programming logic. Orchestrator is a proven tool for enterprise computing, end-user computing and managing data center activities.

 

How is security managed with Orchestrator? This is the common question most stakeholders have in mind, and this post will try to answer most of the security-related questions.

 

Scenario:  

Contoso Corp has offices across the globe and wants to perform application deployment across those offices. Contoso relies on Microsoft System Center Orchestrator to perform the application deployment efficiently and to have a centralized console showing the status of the tasks being executed.

 

Without System Center Orchestrator the deployment would still happen, but administrators would have to keep track of the jobs manually and would not be able to execute an end-to-end solution as a single task, which Orchestrator performs seamlessly.

 

The chart below shows a typical implementation of System Center Orchestrator in an organization.

Note: The chart below should not be read as a scaling metric.

 

Role                                                     Operating System         Instance   Memory
Hypervisor                                               Windows Server 2008 R2   Physical   128 GB
Primary Domain Controller                                Windows Server 2008 R2   Virtual    4 GB
Additional Domain Controller                             Windows Server 2008 R2   Virtual    4 GB
Microsoft SQL Server 2008 R2                             Windows Server 2008 R2   Virtual    6 GB
Microsoft SQL Server 2008 R2 - 2                         Windows Server 2008 R2   Virtual    6 GB
Microsoft System Center Orchestrator Runbook Server      Windows Server 2008 R2   Virtual    6 GB
Microsoft System Center Orchestrator Runbook Server - 2  Windows Server 2008 R2   Virtual    6 GB
Microsoft System Center Orchestrator Management Server   Windows Server 2008 R2   Virtual    6 GB
Microsoft System Center Configuration Manager 2012       Windows Server 2008 R2   Virtual    8 GB

 

 

The diagram below shows the basic implementation of System Center Orchestrator with two sites separated by Cisco routers. This architecture was built for testing and is not a strict production layout; network administrators should tie the server components into their existing infrastructure.

[Figure: Orchestrator Implementation]

 

 

 

After performing the infrastructure readiness checks and collecting the information needed for the operating system activities, Microsoft SQL Server, the System Center Orchestrator server (SCORCH) and the System Center Configuration Manager server should be implemented in the existing Active Directory domain. The installation of the servers can be performed by the Server Operations team liaising with the Network Operations Center team; all servers should be patched to the latest Windows updates and service packs, and any existing issues in the current environment should be resolved or managed accordingly.

 

Note: Most of the servers defined above are implemented in the virtual infrastructure; the Virtual Infrastructure team should advise on the memory allocation for the servers and manage the VLANs accordingly.

 

 

 

From a project management perspective, a detailed feasibility study should be performed to understand the business needs and requirements, develop a high-level estimate of the project, and provide the project proposal and review processes. The project management team should define the scope of work, finalize the project schedule and resourcing, define the project processes and obtain sign-off from the client.

 

Once project management gets the go-ahead from the client, the Server Operations team starts building the servers, which involves building and configuring the servers and the applications respectively.

 

 

 

Role Delegation: Administrators can design a delegation model that gives users the desired access and allows them to perform specific tasks. Role delegation can be performed at different levels such as

 

  • Microsoft Active Directory delegation
  • SQL Server role delegation
  • SCORCH delegation model
  • SCCM delegation model

 

Each delegation model uses Microsoft identity and access management to access the resources and perform the required task.

 

One of the key authentication protocols used by Microsoft is Kerberos, which provides strong encryption for the data that travels on the wire. Kerberos is a proven, secure authentication protocol used by Microsoft for its various applications and server applications, and Microsoft System Center Orchestrator relies heavily on it to transmit data securely on the wire. Microsoft SQL Server is the key communication component for a successful implementation and execution of SCORCH: the SCORCH runbooks communicate with Microsoft SQL Server for all activities and jobs, constantly accessing it for activities and storing the activity-related information in the SQL database.

 

With the above design, many stakeholders have questions about security: how is the data transmitted on the wire, how is it retrieved, and which security protocols are used? Microsoft uses Kerberos as the authentication protocol when executing the runbook activities from the Microsoft SQL Server database. When executing a runbook, the Runbook Designer provides an option to specify the credentials to be used to run the activity. As mentioned earlier, all runbook activity data, including the credentials defined, is stored in the database, and any credentials defined in a runbook are stored in encrypted form.

 

 

 

Orchestrator runbook fields can be divided into

  • Secured attribute fields
  • Non-secured attribute fields

 

Secured attribute fields, which capture the user information followed by credentials, are stored as encrypted values in the Microsoft SQL database. Non-secured attributes take various values that can be exposed without causing security concerns when viewed on the wire or through detailed logging on the servers.

 

When the Runbook Designer executes runbooks, an average of 104-119 DLLs get loaded; the exact set depends on the activities referenced, and DLLs are loaded on demand. A runbook loads the following security DLLs for any runbook instance.

  • ACLUI.dll – the security descriptor editor, which stores the transport information of a security descriptor. The Runbook Designer invokes this DLL for any security descriptor / DACL being referenced.
  • Crypt32.dll – the Runbook Designer uses this DLL to perform encryption and decryption of sensitive user data.
  • CryptBase.dll – works in conjunction with Crypt32.dll and performs data encryption.
  • CryptSP.dll
  • Encyptionobjects.Strings.dll – performs the encryption for the strings referenced in the runbook activities (e.g. user, email, files, folders ...).
  • orchestratorSecurity.strings.dll

 

 

 

To understand process- and thread-level activity, remote debugging techniques can be used to examine the live data and stack information. Either Windbg.exe or ADPlus.exe can be used to examine the application stack (all the relevant PDB files should be downloaded to validate the stack information).

 

 

 

To understand the network-level activity, a detailed analysis was made with Wireshark / Netmon to examine the encryption mechanism invoked by the runbook. The examples below were conducted to check the Kerberos invocation by the Orchestrator runbook while establishing communication with the database, and to validate the credentials explicitly specified in the runbook.

 

 

 

Source IP: 192.168.39.5 (Orchestrator server)

Destination IP: 192.168.39.2 (SQL Server; in the Kerberos frames further below, also the KDC)

 

 

 

330  389.045917  192.168.39.5  192.168.39.2  TCP  49328 > ms-sql-s [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
    TCP communication starts between the Orchestrator server and SQL Server (port ms-sql-s, 1433)
331  389.046341  192.168.39.2  192.168.39.5  TCP  ms-sql-s > 49328 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8
    The TCP three-way handshake
332  389.046386  192.168.39.5  192.168.39.2  TCP  49328 > ms-sql-s [ACK] Seq=1 Ack=1 Win=65536 Len=0
333  389.046500  192.168.39.5  192.168.39.2  TDS  TDS7/8 0x12 Packet

 

SQL Server communication (TDS = Tabular Data Stream protocol) is initiated. Below is the blob in which the Orchestrator service requests the database connection initiation. TDS packet type 0x12 is the PRELOGIN packet: its option table announces the client version, the requested ENCRYPTION level and the instance name, and the instance name MSSQLServer is readable in the ASCII column.

 06  00 00 c0 a8 27 05 c0 a8   .\F.@... ....'...
0020  27 02 c0 b0 05 99 92 de  87 8b 69 bc c7 fc 50 18   '....... ..i...P.
0030  01 00 cf a6 00 00 12 01  00 34 00 00 00 00 00 00   ........ .4......
0040  15 00 06 01 00 1b 00 01  02 00 1c 00 0c 03 00 28   ........ .......(
0050  00 04 ff 08 00 01 55 00  00 00 4d 53 53 51 4c 53   ......U. ..MSSQLS
0060  65 72 76 65 72 00 c0 09  00 00                     erver... ..
 

334         389.047203          192.168.39.2       192.168.39.5       TDS        Response Packet

 

Response packet from the SQL Server (TDS type 0x04, the PRELOGIN response); the blob is included below. Its VERSION option reads 0a 32 06 40, i.e. 10.50.1600, the SQL Server 2008 R2 build listed in the chart above.

0000  00 0c 29 c4 ef 51 00 0c  29 1d 5a cc 08 00 45 00   ..)..Q.. ).Z...E.
0010  00 4d 4d da 40 00 80 06  dd 78 c0 a8 27 02 c0 a8   .MM.@... .x..'...
0020  27 05 05 99 c0 b0 69 bc  c7 fc 92 de 87 bf 50 18   '.....i. ......P.
0030  01 00 1c 3a 00 00 04 01  00 25 00 00 01 00 00 00   ...:.... .%......
0040  15 00 06 01 00 1b 00 01  02 00 1c 00 01 03 00 1d   ........ ........
0050  00 00 ff 0a 32 06 40 00  00 00 00                  ....2.@. ...
 
 

335         389.048846          192.168.39.5       192.168.39.2       TDS        TDS7/8 0x12 Packet

 

The Orchestrator server is querying for the database, and the blob is listed below. Inside the TDS packet the payload begins at offset 0x3e with 16 03 01 ... 01 00 00 56 03 01, a TLS record of type handshake carrying a TLS 1.0 ClientHello; the 12 offered cipher suites (00 2f, 00 35, 00 05, 00 0a, c0 13, c0 14, c0 09, c0 0a, 00 32, 00 38, 00 13, 00 04) follow at offset 0x6c.

0000  00 0c 29 1d 5a cc 00 0c  29 c4 ef 51 08 00 45 00   ..).Z... )..Q..E.
0010  00 8f 46 fb 40 00 80 06  00 00 c0 a8 27 05 c0 a8   ..F.@... ....'...
0020  27 02 c0 b0 05 99 92 de  87 bf 69 bc c8 21 50 18   '....... ..i..!P.
0030  01 00 cf d9 00 00 12 01  00 67 00 00 00 00 16 03   ........ .g......
0040  01 00 5a 01 00 00 56 03  01 50 a2 d7 d3 17 b1 0a   ..Z...V. .P......
0050  11 bb a0 c3 5a 79 ce d6  fe 19 85 7e 07 4e a5 da   ....Zy.. ...~.N..
0060  29 1b 24 85 02 e9 25 b1  a8 00 00 18 00 2f 00 35   ).$...%. ...../.5
0070  00 05 00 0a c0 13 c0 14  c0 09 c0 0a 00 32 00 38   ........ .....2.8
0080  00 13 00 04 01 00 00 15  ff 01 00 01 00 00 0a 00   ........ ........
0090  06 00 04 00 17 00 18 00  0b 00 02 01 00            ........ .....

 

 

336         389.049466          192.168.39.2       192.168.39.5       TDS        TDS7/8 0x12 Packet

 

Below is the buffer content; the blob shows that the communication is using SSL. Decoded, the TDS payload carries a TLS 1.0 ServerHello that selects cipher suite 00 2f (TLS_RSA_WITH_AES_128_CBC_SHA), followed by a Certificate message (handshake type 0b) whose subject CN is SSL_Self_Signed_Fallback, signed with sha1WithRSA and valid from 2012-11-13 to 2042-11-13. That is the certificate SQL Server generates for itself when no server certificate has been provisioned: the handshake encrypts the traffic, but the certificate gives the client nothing it can use to verify the server's identity.

0000  00 0c 29 c4 ef 51 00 0c  29 1d 5a cc 08 00 45 00   ..)..Q.. ).Z...E.
0010  02 91 4d db 40 00 80 06  db 33 c0 a8 27 02 c0 a8   ..M.@... .3..'...
0020  27 05 05 99 c0 b0 69 bc  c8 21 92 de 88 26 50 18   '.....i. .!...&P.
0030  01 00 7f ed 00 00 12 01  02 69 00 00 00 00 16 03   ........ .i......
0040  01 02 5c 02 00 00 4d 03  01 50 a2 d7 d3 ad d7 fc   ..\...M. .P......
0050  85 db 2f 03 16 f3 61 64  35 8e b7 76 e2 c8 18 08   ../...ad 5..v....
0060  a4 46 2f 2c c3 c8 6a f0  9d 20 a1 14 00 00 f1 b9   .F/,..j. . ......
0070  41 06 9c 26 8b 0d 96 4b  17 b8 7f 0d 2c f1 db d3   A..&...K ....,...
0080  af 18 30 91 dc 6c 21 73  9b 80 00 2f 00 00 05 ff   ..0..l!s .../....
0090  01 00 01 00 0b 00 02 03  00 02 00 00 01 fd 30 82   ........ ......0.
00a0  01 f9 30 82 01 62 a0 03  02 01 02 02 10 61 81 d6   ..0..b.. .....a..
00b0  23 35 0b 00 a5 45 e4 0d  d2 2b f6 48 94 30 0d 06   #5...E.. .+.H.0.
00c0  09 2a 86 48 86 f7 0d 01  01 05 05 00 30 3b 31 39   .*.H.... ....0;19
00d0  30 37 06 03 55 04 03 1e  30 00 53 00 53 00 4c 00   07..U... 0.S.S.L.
00e0  5f 00 53 00 65 00 6c 00  66 00 5f 00 53 00 69 00   _.S.e.l. f._.S.i.
00f0  67 00 6e 00 65 00 64 00  5f 00 46 00 61 00 6c 00   g.n.e.d. _.F.a.l.
0100  6c 00 62 00 61 00 63 00  6b 30 1e 17 0d 31 32 31   l.b.a.c. k0...121
0110  31 31 33 32 32 34 35 33  36 5a 17 0d 34 32 31 31   11322453 6Z..4211
0120  31 33 32 32 34 35 33 36  5a 30 3b 31 39 30 37 06   13224536 Z0;1907.
0130  03 55 04 03 1e 30 00 53  00 53 00 4c 00 5f 00 53   .U...0.S .S.L._.S
0140  00 65 00 6c 00 66 00 5f  00 53 00 69 00 67 00 6e   .e.l.f._ .S.i.g.n
0150  00 65 00 64 00 5f 00 46  00 61 00 6c 00 6c 00 62   .e.d._.F .a.l.l.b
0160  00 61 00 63 00 6b 30 81  9f 30 0d 06 09 2a 86 48   .a.c.k0. .0...*.H

337  389.050086  192.168.39.5  192.168.39.2  TDS  TDS7/8 0x12 Packet
338  389.051762  192.168.39.2  192.168.39.5  TDS  TDS7/8 0x12 Packet
    Frames 337 and 338 carry the remainder of the TLS handshake inside PRELOGIN packets
354  389.261014  192.168.39.5  192.168.39.2  TCP  49328 > ms-sql-s [ACK] Seq=362 Ack=722 Win=64768 Len=0
360  389.295661  192.168.39.2  192.168.39.5  TCP  ms-sql-s > 49328 [ACK] Seq=722 Ack=3282 Win=65536 Len=0
362  389.296860  192.168.39.2  192.168.39.5  TDS  Response Packet
363  389.307362  192.168.39.5  192.168.39.2  TCP  49328 > ms-sql-s [FIN, ACK] Seq=3775 Ack=1151 Win=64512 Len=0
    The Orchestrator server sends FIN, ACK to close the connection
365  389.307833  192.168.39.2  192.168.39.5  TCP  ms-sql-s > 49328 [FIN, ACK] Seq=1151 Ack=3776 Win=65024 Len=0
    The SQL Server responds with FIN, ACK and closes the connection

 

For the connections that require Kerberos authentication, the Orchestrator server initiates the communication as shown below: a TCP connection to the KDC on port 88 (kerberos), a TGS-REQ for the SQL Server service ticket, and the TGS-REP in reply.

673  390.435280  192.168.39.5  192.168.39.2  TCP   49349 > kerberos [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
674  390.435788  192.168.39.2  192.168.39.5  TCP   kerberos > 49349 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8
675  390.435811  192.168.39.5  192.168.39.2  TCP   49349 > kerberos [ACK] Seq=1 Ack=1 Win=65536 Len=0
676  390.435868  192.168.39.5  192.168.39.2  KRB5  TGS-REQ
677  390.436309  192.168.39.2  192.168.39.5  TCP   kerberos > 49349 [ACK] Seq=1 Ack=1612 Win=65536 Len=0
679  390.437372  192.168.39.2  192.168.39.5  KRB5  TGS-REP

 

 

 

The summary of the blob for the above packets is shown below  

[Kerberos TGS-REQ / TGS-REP payload, almost entirely non-printable. The only readable fields are the realm CONTOSO.COM, the requested service principal name MSSQLSvc/win-prhvj5grj7a.contoso.com:1433 and the name actionsrv; the ticket and authenticator bodies are encrypted.]

 

 

 

 

 

Summary: From the capture above we can view the server name (the SPN MSSQLSvc/win-prhvj5grj7a.contoso.com:1433 in realm CONTOSO.COM) and the SQL Server connection strings, but the password information is encrypted.

 

 

 

 

 

RunBook Security

 

 

 

TCP Stream

 

 

1.       Start Of Runbook Designer

 

When we start the Runbook Designer, it queries the database to connect to the runbook server. Below is the TCP stream activity captured on the network. We can see the following in clear text:

  • a query against dbo.VERSION
  • the SELECT statement against ACTIONSERVERS

Encrypted:

  • Server names
  • Credentials

These statements are readable because the PRELOGIN exchange shown earlier carried ENCRYPTION = 00 (ENCRYPT_OFF) from both client and server: in that mode SQL Server uses its self-signed fallback certificate to protect only the login packet, and the remainder of the session travels unencrypted unless Force Encryption is enabled on the server or the client requests encryption.

 

Decoded from the UTF-16LE text in the stream (each character appeared separated by a dot in the raw capture), the Designer sends

select 1 from dbo.VERSION

SELECT ACTIONSERVERS.[UniqueID] AS UniqueID, ACTIONSERVERS.[Computer] AS Computer  FROM ACTIONSERVERS WHERE ((ACTIONSERVERS.[Heartbeat] IS NOT NULL) AND (DATEDIFF(ss, ACTIONSERVERS.[Heartbeat], getUTCDate()) > 45))

and the response carries the result columns UniqueID, Computer and ROWSTAT from the table ACTIONSERVERS. This pair of statements repeats four times in the captured stream.
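As an added example that is not part of the original post, the Python script below parses the TDS bytes of frames 333 and 334 from the capture above (client PRELOGIN and server response) plus a SQL_BATCH packet constructed here from the Designer's first statement. It decodes the VERSION and ENCRYPTION options, applies the MS-TDS encryption negotiation rules to show why only the login is protected in this session, and reads the clear-text query the way the stream dump above shows it. The packet layout follows the MS-TDS specification; the packet constants are copied from the page, and the SQL_BATCH sample is constructed.

```python
import struct

# TDS packet types (MS-TDS 2.2.3.1.1) and PRELOGIN option tokens (MS-TDS 2.2.6.5)
TDS_SQL_BATCH, TDS_RESPONSE, TDS_PRELOGIN = 0x01, 0x04, 0x12
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_TERMINATOR = 0x00, 0x01, 0x02, 0xFF
ENCRYPT = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}

# Sample input: the TDS bytes of frames 333 (client PRELOGIN) and 334 (server response)
# from the capture, plus a SQL_BATCH packet constructed from the Designer's query.
CLIENT_PRELOGIN = bytes.fromhex(
    "1201003400000000" "0000150006" "01001b0001" "02001c000c" "0300280004"
    "ff" "080001550000" "00" "4d5353514c53657276657200" "c0090000")
SERVER_PRELOGIN = bytes.fromhex(
    "0401002500000100" "0000150006" "01001b0001" "02001c0001" "03001d0000"
    "ff" "0a3206400000" "00" "00")
_SQL = "select 1 from dbo.VERSION".encode("utf-16-le")
SQL_BATCH = struct.pack(">BBHHBB", TDS_SQL_BATCH, 0x01, 8 + len(_SQL), 0, 1, 0) + _SQL

def parse_header(pkt):
    """Split off the 8-byte TDS header; the big-endian length includes the header."""
    if len(pkt) < 8:
        raise ValueError("truncated TDS packet")
    ptype, status, length, spid, pid, window = struct.unpack(">BBHHBB", pkt[:8])
    if length != len(pkt):
        raise ValueError(f"TDS length field {length} != {len(pkt)} bytes on the wire")
    return {"type": ptype, "status": status, "spid": spid, "packet_id": pid}, pkt[8:]

def parse_prelogin(pkt):
    """Return {token: value bytes} from the PRELOGIN option table (5-byte entries)."""
    hdr, payload = parse_header(pkt)
    if hdr["type"] not in (TDS_PRELOGIN, TDS_RESPONSE):
        raise ValueError("not a PRELOGIN packet or PRELOGIN response")
    options, pos = {}, 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        token, off, ln = struct.unpack(">BHH", payload[pos:pos + 5])
        if off + ln > len(payload):  # option data must lie inside the packet
            raise ValueError(f"option {token}: offset {off}+{ln} out of bounds")
        options[token] = payload[off:off + ln]
        pos += 5
    return options

def version_string(raw):
    """VERSION option: major and minor (1 byte each) then a big-endian build number."""
    major, minor, build = struct.unpack(">BBH", raw[:4])
    return f"{major}.{minor}.{build}"

def negotiated_encryption(client_pkt, server_pkt):
    """Apply the MS-TDS ENCRYPTION negotiation rules to both PRELOGIN packets."""
    c = parse_prelogin(client_pkt)[OPT_ENCRYPTION][0]
    s = parse_prelogin(server_pkt)[OPT_ENCRYPTION][0]
    if c == 2 or s == 2:  # one side cannot encrypt: clear session, or failure if the other insists
        return "error" if {1, 3} & {c, s} else "none"
    if c == 0 and s == 0:
        return "login-only"  # TLS protects only the LOGIN7 packet; queries travel in clear
    return "full"

def cleartext_sql(pkt):
    """In an unencrypted session a SQL_BATCH packet carries the query as UTF-16LE text."""
    hdr, payload = parse_header(pkt)
    return payload.decode("utf-16-le") if hdr["type"] == TDS_SQL_BATCH else None

if __name__ == "__main__":
    client, server = parse_prelogin(CLIENT_PRELOGIN), parse_prelogin(SERVER_PRELOGIN)
    print("client", version_string(client[OPT_VERSION]), client[OPT_INSTOPT].rstrip(b"\0").decode(),
          "/ server", version_string(server[OPT_VERSION]))
    print(ENCRYPT[client[OPT_ENCRYPTION][0]], "+", ENCRYPT[server[OPT_ENCRYPTION][0]],
          "->", negotiated_encryption(CLIENT_PRELOGIN, SERVER_PRELOGIN))
    print("cleartext query:", cleartext_sql(SQL_BATCH))
```

A session that negotiates "login-only" or "none" is the condition to alert on when reviewing captures like the one above; forcing encryption on the SQL Server and provisioning a CA-issued certificate instead of the fallback one moves it to "full".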

 

 

 

 

 

2.       Password Encryption

 

Below is the precise information about the encryption captured on the wire. From the blob we can see the runbook parameters being passed, such as

  • Unique ID
  • Wait for completion
  • Wait time
  • Computer name
  • Program mode
  • User name

The Password value at the end of the row shows the encryption being applied: every other column is readable, while the password travels as ciphertext. Decoded from the UTF-16LE text in the stream, the row carries the columns

UniqueID, Program, ExecutionMode, StartupDir, Parameters, WaitForCompletion, WaitTime, ComputerName, ProgramMode, Username, Password

and the readable values

Program:       cscript c:\scripts\listdrives.vbs
ComputerName:  localhost
Username:      contoso.com\administrator
Password:      00856125 8A1E774E A725081A 4F0F2F0D 01000000 F6E51761 2115BDFA A3EDA93F 0D978E87 E17C62C7 789B06E8 8F9698EC E323EB89 A60384A6 73370542 E57F3EEF 59BF254A (hex-encoded ciphertext, not the clear-text password)

 

 

 

 

 

Conclusion: This post has emphasized the security aspects of Orchestrator and the runbook credentials, focusing on the major security protocols and the DLLs being referenced. The examples show how the information is handled on the wire.