Catch Me If You Can - Finding APTs in your network
Classification: //Secureworks/Public Use: © SecureWorks, Inc.

What is an APT?
• An Advanced Persistent Threat (APT) is a cyberattack that will "fly under the radar" and your AV/IDS will not let you know about it

What is an APT?
• Targeted cyberattack in which an intruder gains access to a network
• Remains undetected for an extended period of time
• Traditionally has been associated with nation-state players
• In the last few years, the tools and techniques used by a few APT actors have also been adopted by various cybercriminal groups.

Key elements of an APT attack

- targeted SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program (2010)

APT Installation – Persistence
- Creating services that sound legitimate
- Task scheduling
- Malware installed as a Microsoft Office add-in; when MS Word starts, the malware is executed
- DLL hijacking
- and many more

APT Installation – Persistence
- .bash_profile and .bashrc
- Accessibility Features
- Account Manipulation
- AppCert DLLs
- AppInit DLLs
- Application Shimming
- Authentication Package
- BITS Jobs
- Bootkit
- Browser Extensions
- Change Default File Association
- Component Firmware
- Component Object Model Hijacking
- Create Account
- DLL Search Order Hijacking
- Dylib Hijacking
- External Remote Services
- File System Permissions Weakness
- Hidden Files and Directories
- Hooking
- Hypervisor
- Image File Execution Options Injection
- Kernel Modules and Extensions
- Launch Agent
- Launch Daemon
- Launchctl
- LC_LOAD_DYLIB Addition
- Local Job Scheduling
- Login Item
- Logon Scripts
- LSASS Driver
- Modify Existing Service
- Netsh Helper DLL
- New Service
- Office Application Startup
- Path Interception
- Plist Modification
- Port Knocking
- Port Monitors
- Rc.common
- Re-opened Applications
- Redundant Access
- Registry Run Keys / Startup Folder
- Scheduled Task
- Screensaver
- Security Support Provider
- Service Registry Permissions Weakness
- Setuid and Setgid
- Shortcut Modification
- SIP and Trust Provider Hijacking
- Startup Items
- System Firmware
- Time Providers
- Trap
- Valid Accounts
- Web Shell
- Windows Management Instrumentation Event Subscription
- Winlogon Helper DLL
You can find more detailed information on https://attack.mitre.org

APT Installation – Persistence
PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX)
Persistence using the People app

reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:\Users\IEUser\AppData\Roaming\SubDir\Client.exe"

Reference: Oddvar Moe: https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
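The defender's counterpart to the slide above is to audit the DebugInformation keys under ActivatableClasses, since a normal AppX install carries no DebugPath there. The following Python script is an added example, not from the presentation or from Oddvar Moe's post: it parses the text that `reg query HKCU\Software\Classes\ActivatableClasses /s` prints (assumed to follow the standard layout of a key path on its own line followed by four-space-indented `Name    REG_TYPE    data` lines) and reports every DebugPath it finds, ranking those that point into a user-writable location highest. The sample output it runs against is constructed: the first key and executable path are taken from the slide, the second package (`Example.App_...placeholder`) is invented for contrast.

```python
import re

# Constructed sample of `reg query HKCU\Software\Classes\ActivatableClasses /s`
# output (not a capture from a real host). The first key mirrors the slide's
# reg add command; the second is a made-up package whose DebugPath points
# outside a user profile, so both are reported but ranked differently.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca
    DebugPath    REG_SZ    C:\Users\IEUser\AppData\Roaming\SubDir\Client.exe

HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package\Example.App_1.0.0.0_x64__placeholder\DebugInformation\Example.App.Placeholder.mca
    DebugPath    REG_SZ    C:\Program Files\Example\debughost.exe
    OtherValue    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package\Example.App_1.0.0.0_x64__placeholder\Server\App.AppX
    ExePath    REG_SZ    C:\Program Files\WindowsApps\Example.App\App.exe
"""

# A key path line starts with the hive name; a value line is indented by four
# spaces and separated by four-space gaps (assumed `reg query` output layout).
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_LINE = re.compile(r"^ {4}(\S+) {4}(REG_[A-Z_]+) {4}(.*)$")
# Locations an unprivileged user can write to; a DebugPath pointing here is
# exactly the pattern from the slide and gets the highest priority.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)


def parse_reg_query(text):
    """Parse `reg query /s` text into {key_path: {value_name: (reg_type, data)}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            current = line.rstrip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3).rstrip())
    return keys


def find_appx_debug_persistence(text):
    """Report every DebugPath set under ActivatableClasses\\...\\DebugInformation.
    Normal installs do not carry this key, so any hit is worth a look."""
    findings = []
    for key, values in parse_reg_query(text).items():
        lowered = key.lower()
        if "\\activatableclasses\\package\\" not in lowered or "\\debuginformation\\" not in lowered:
            continue
        if "DebugPath" not in values:
            continue
        _reg_type, path = values["DebugPath"]
        findings.append({
            "key": key,
            "debug_path": path,
            "priority": "high" if USER_WRITABLE.search(path) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_appx_debug_persistence(SAMPLE_REG_QUERY):
        print(finding["priority"], finding["debug_path"], "<-", finding["key"])
```

On a live host, pipe the real `reg query ... /s` output into `find_appx_debug_persistence` for each user hive; the parser is deliberately tolerant of extra values and blank lines so it can be pointed at other registry subtrees as well.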

APT Lateral movement
Moving laterally inside the environment, compromising additional targets and getting closer to high-value assets using different tools and techniques:
- Enumerate password data from memory using commonly available password dumpers (Mimikatz)
- Net.exe to connect to network shares using net use commands with compromised credentials
- Spread through the local network by using PsExec
- Windows Management Instrumentation (WMI) to interact with local and remote systems

How can I tell I'm targeted?
- Recognizing an APT attack early in the kill chain is a tough job
- The attackers prefer to work slowly, blending in with regular network activity and using tools already available in the environment (PowerShell, WMI, net.exe etc.)

Data exfiltration: too late to detect?
- Large outbound network traffic should raise questions, especially if the amount transferred is out of the regular trendline
- Quite often APT attacks are detected when the gathered data has already been exfiltrated, sometimes even months later
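The "out of the regular trendline" check above can be made concrete with a small baseline model. The Python below is an added example, not code from the presentation: it takes a per-host series of daily outbound byte counts, compares each day against the median of the preceding 14 days using a median absolute deviation (MAD) z-score, and flags a day only when it is both statistically unusual and at least three times the baseline median, so that weekend dips and small noise do not fire. The daily volumes are constructed for the example (weekdays near 800 MB, weekends near 400 MB, one 9.8 GB day at the end); the window and thresholds are assumptions to tune per environment.

```python
from statistics import median

MB = 1024 ** 2

# Constructed per-day outbound volume (bytes) for one host over 21 days; not
# real flow data. Weekdays sit near 800 MB, weekends near 400 MB, and day 21
# carries a 9.8 GB transfer that is far outside the trendline.
SAMPLE_DAILY_BYTES = [mb * MB for mb in [
    812, 790, 845, 780, 905, 410, 395,
    830, 799, 860, 815, 910, 420, 402,
    840, 802, 875, 790, 921, 415, 9800,
]]


def robust_z(value, baseline):
    """Median/MAD z-score of `value` against `baseline`.

    Median and MAD are used instead of mean and standard deviation so that an
    earlier spike inside the window does not inflate the baseline and hide a
    later one. The 0.6745 factor scales MAD to a normal-distribution sigma.
    """
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    if mad == 0:
        # Perfectly flat baseline: any increase is infinitely unusual.
        return med, (float("inf") if value > med else 0.0)
    return med, 0.6745 * (value - med) / mad


def find_outbound_spikes(daily_bytes, window=14, z_threshold=5.0, ratio_threshold=3.0):
    """Flag days whose outbound volume is both statistically unusual (robust z)
    and materially larger (ratio) than the median of the preceding `window` days.
    Only upward deviations are reported; a quiet day is not an exfiltration signal."""
    spikes = []
    for i in range(window, len(daily_bytes)):
        value = daily_bytes[i]
        med, z = robust_z(value, daily_bytes[i - window:i])
        if z > z_threshold and value > ratio_threshold * med:
            spikes.append({
                "day": i + 1,               # 1-based day number in the series
                "bytes": value,
                "baseline_median": med,
                "z": round(z, 1) if z != float("inf") else z,
            })
    return spikes


if __name__ == "__main__":
    for spike in find_outbound_spikes(SAMPLE_DAILY_BYTES):
        print(f"day {spike['day']}: {spike['bytes'] / MB:.0f} MB out "
              f"(baseline median {spike['baseline_median'] / MB:.0f} MB, z={spike['z']})")
```

Run per host (or per host and destination) on whatever your flow collector exports; the first `window` days of any series are baseline only, so a newly built host needs two weeks of history before the check becomes meaningful.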

The reason behind the spike
- A web shell present on an IIS server (China Chopper)
- A password-encrypted RAR archive was exfiltrated
- Further analysis of the RAM memory revealed the preparation of the data being exfiltrated

Are you ready to detect an APT?
Assess your current state
• Identify your assets
• Know your vulnerabilities
Know your enemies
• Threat Intelligence feeds
• Tools, tactics and procedures used by threat actors
Design and implement your vision
• Multi-layered endpoint & network protection
• Threat Hunting

Let's go Threat Hunting – look for hidden threats
Hunt cycle: Start the hunt → Refine the hunt → Response
Hunts:
- Large unexpected data flows
- Remote access via RDP
- Scheduled tasks
- Phishing campaigns
- Encoded PowerShell commands
- Net.exe use
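Two of the hunts listed above (encoded PowerShell commands and net.exe use) and the lateral-movement tooling from the earlier slide (net use with foreign credentials, PsExec, WMI against remote systems) all leave their trace in process command lines. The Python below is an added example, not code from the presentation: it runs a small rule set over process-creation events and, for encoded PowerShell, decodes the payload so the analyst sees the script rather than a base64 blob (PowerShell encodes it as UTF-16LE, and accepts any unambiguous abbreviation of -EncodedCommand such as -e or -enc). The events are constructed, the host and share names are placeholders, and the encoded argument is the harmless command "Get-Date".

```python
import base64
import re

# Constructed process-creation events (host, parent image, command line); not
# real telemetry. The encoded PowerShell argument is the UTF-16LE base64 of the
# harmless command "Get-Date".
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", r'"C:\Windows\System32\cmd.exe" /c dir'),
    ("WS01", "cmd.exe", r"net use \\FS01\C$ /user:CORP\svc_backup *"),
    ("WS01", "cmd.exe", r"PsExec.exe \\FS01 -s cmd.exe"),
    ("WS01", "winword.exe", "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="),
    ("WS02", "svchost.exe", "wmic /node:FS02 process call create notepad.exe"),
    ("WS02", "explorer.exe", r"notepad.exe C:\notes.txt"),
]

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...);
# the capture group is the base64 payload. Requires a PowerShell image name so
# that other tools' -e flags do not trigger the rule.
ENCODED_POWERSHELL = re.compile(
    r"\b(?:powershell|pwsh)(?:\.exe)?\b.*?\s-e(?:c|n|nc[a-z]*)?\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)

RULES = [
    # net use against a UNC path with explicit credentials
    ("net-use-explicit-creds",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*\\\\\S+.*\s/user:", re.IGNORECASE)),
    # PsExec (or the 64-bit build) anywhere in the command line
    ("psexec",
     re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b", re.IGNORECASE)),
    # wmic told to create a process on another node
    ("wmi-remote-process",
     re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.IGNORECASE)),
    ("encoded-powershell", ENCODED_POWERSHELL),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, None if the command line has
    none, or a marker string if the payload is not valid base64/UTF-16LE."""
    m = ENCODED_POWERSHELL.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def hunt(events):
    """Run every rule over every command line; attach the decoded script to
    encoded-PowerShell hits and keep the parent image, since an Office parent
    spawning PowerShell is itself a strong signal."""
    findings = []
    for host, parent, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append({
                    "host": host,
                    "parent": parent,
                    "rule": name,
                    "cmdline": cmdline,
                    "decoded": decode_encoded_command(cmdline) if name == "encoded-powershell" else None,
                })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        extra = f" -> {f['decoded']!r}" if f["decoded"] else ""
        print(f"[{f['rule']}] {f['host']} {f['parent']} :: {f['cmdline']}{extra}")
```

The rules are deliberately narrow; in a real environment feed them the command-line field of your EDR or Sysmon process-creation events and review hits together with the parent process and the account that launched them, since administrators legitimately use all of these tools and the hunt is about the unexpected context, not the tool itself.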