Neural Network for Detecting APT Lateral Movement
Shusei Tomonaga
JPCERT/CC
PacSec 2017
Copyright ©2017 JPCERT/CC All rights reserved.
Self-introduction
Shusei Tomonaga
• Analysis Center at JPCERT/CC
• Malware analysis, forensics investigation.
• Have written posts on malware analysis and technical findings on this blog and on GitHub:
  http://blog.jpcert.or.jp/
  https://github.com/JPCERTCC/aa-tools
※ I'm a malware analyst, not a data scientist.
Trend of APT Incident Detection
• It is difficult to prevent a network from being compromised.
• The focus of attention is shifting towards early detection of lateral movement.
• Development of systems that record and analyze the behavior of processes on the host is flourishing.
• EDR (Endpoint Detection and Response) is receiving attention.
Goals of This Presentation
Proposal of a method for detecting lateral movement.
Approach
In order to detect lateral movement, it is necessary to know how an attacker spreads infection.
• The details of the lateral movement method are unknown.
• Investigate the method of lateral movement and create a detection method.
This Presentation's Topics
1. Research of Lateral Movement
2. Pattern of Lateral Movement
3. Detecting Lateral Movement using Machine Learning
4. Detection System

1. Research of Lateral Movement
Research Methods
Investigating C&C servers and malware connections in five operations:
• APT10 (named by FireEye)
• APT17 (named by FireEye)
• Dragon OK (named by Palo Alto)
• Blue Termite (named by Kaspersky)
• Tick (named by Symantec)
• Investigate how the infection is spread, from the commands executed by the attacker.
APT incidents investigated by JPCERT/CC (timeline chart, 2013 to 2016): BKDR_ChChes (APT10), Asruex, Elirks, Tick, Blue Termite, Scanbox, Winnti, APT17
Research Overview
Data set:
• Total command executions: 16,866
• Total Windows command executions: 14,268
• Total number of infected hosts: 645
Tools Used by Attackers at Lateral Movement
Attackers use not only attack tools but also Windows commands and legitimate tools.
• Why do attackers use Windows commands and legitimate tools?
• Because they are not detected by antivirus software.

2. Pattern of Lateral Movement
Overview of APT Incident and Lateral Movement (diagram of the target network with its AD / file server)
1. Infection
2. Initial investigation
3. Internal reconnaissance
4. Spread of infection
5. Sending stolen data
6. Delete evidence
Lateral Movement: Initial Investigation
• Collect information about the infected host.
• The most used command is tasklist.
• If the infected host is a virtual machine for analysis, the attacker escapes soon.
Windows Commands Used for Initial Investigation
Rank Command Count
1 tasklist 327
2 ver 182
3 ipconfig 145
4 net time 133
5 systeminfo 75
6 netstat 42
7 whoami 37
8 nbtstat 36
9 net start 35
10 set 29
11 qprocess 27
12 nslookup 11
Lateral Movement: Internal Reconnaissance
• Look for information saved on the compromised machine and information about the network.
• The most used command is dir: the attacker looks around for confidential data stored on the infected host.
• For searching the local network, net is used.
Windows Commands Used for Internal Reconnaissance
Rank Command Count
1 dir 4466
2 ping 2372
3 net view 590
4 type 543
5 net use 541
6 echo 496
7 net user 442
8 net group 172
9 net localgroup 85
10 dsquery 81
11 net config 32
12 csvde 21
net Command
• net view: obtain a list of connectable domain resources
• net user: manage local/domain accounts
• net localgroup: obtain a list of users belonging to local groups
• net group: obtain a list of users belonging to certain domain groups
• net use: access resources
Lateral Movement: Spread of Infection
• Infect the machine with other malware or try to access other hosts.
• The most used command is at. The at command is not supported on Windows 10, Windows 8.1, etc.; if at does not exist, schtasks is used instead.
• A password dump tool is always used.
Windows Commands Used for Spread of Infection
Rank Command Count
1 at 445
2 move 399
3 schtasks 379
4 copy 299
5 ren 151
6 reg 119
7 wmic 40
8 powershell 29
9 md 16
10 runas 7
11 sc 6
12 netsh 6
Remote Command Execution Using Windows Commands
at command
> at \\[IP Address] 12:00 cmd /c "C:\windows\temp\mal.exe"
schtasks command
> schtasks /create /tn [Task Name] /tr C:\1.bat /sc onstart /ru System /s [IP Address]
wmic command
> wmic /node:[IP Address] /user:"[User Name]" /password:"[PASSWORD]" process call create "cmd /c c:\Windows\System32\net.exe user"
Lateral Movement: Delete Evidence
• Delete the files used by the attacker and the logs.
• The most used command is del.
• For deleting the event log, wevtutil is used.
Windows Commands Used for Deleting Evidence
Rank Command Count
1 del 844
2 taskkill 80
3 klist 73
4 wevtutil 23
5 rd 15
Summary so Far
• Researched the attack patterns of lateral movement.
• Attackers use Windows commands for lateral movement.
• Lateral movement can be detected by monitoring Windows command execution.

Method of Monitoring Malicious Windows Command Execution
• Blacklist
• Scoring
• Machine learning
Blacklist
Detect the execution of commands that are likely to be used by an attacker.
Blacklist: at, schtasks, klist, net use, …
Example 1, commands executed by the attacker: at, whoami, del, net use → DETECTED! (at and net use are on the list)
Example 2, commands executed by the attacker: whoami, tasklist, del, dir → false negative (none of them is on the list)
Issues:
• Detects the execution of the net use, schtasks and at commands.
• These commands may also be executed by an application or a user, so they cannot simply be blacklisted.
• An attack cannot be detected unless blacklisted commands are executed.
Scoring
Score the executed Windows commands according to their importance, and alert when the total is above the threshold.
Score sheet:
Command    Score
at         50
schtasks   50
whoami     10
net use    30
del        5
tasklist   10
Commands executed by the attacker: at, whoami, del, net use
Calculation result: 50 + 30 + 10 + 5 = 95, threshold = 90 → DETECTED!
Issues:
• The cost of creating the scoring table is high (constant updates are required).
• If an attacker executes only commands with low scores, no alert is raised.
Machine Learning
Detect malicious Windows command execution using machine learning.
Commands executed by the attacker (at, whoami, del, net use) → machine learning → result: DETECTED!
Detect anomalous Windows command execution using machine learning. After this slide, I present the observation results of this method.

3. Detecting Lateral Movement using Machine Learning
Machine Learning
Machine learning is a field of computer science that gives computers the ability to learn without being explicitly programmed. - Wikipedia (https://en.wikipedia.org/wiki/Machine_learning)
• Supervised learning (used in this work)
• Unsupervised learning
• Reinforcement learning
Flow of Algorithm Selection for Machine Learning
1. Collection of training data
2. Data cleansing
3. Data analysis with machine learning
4. Evaluate and select the best algorithm
Collection of Training Data
Using data from the five attack campaigns analyzed in the research of lateral movement:
• APT10 (named by FireEye)
• APT17 (named by FireEye)
• Dragon OK (named by Palo Alto)
• Blue Termite (named by Kaspersky)
• Tick (named by Symantec)
Data Cleansing
What to learn? Example of the commands executed by an attacker on one host:
> cd intellogs
> whoami
> klist
> net use
> klist purge
> ping -n 1 10.1.44.16
> ping -n 1 10.1.2.16
> net use \\10.1.2.16
> dir \\10.1.2.16\c$\users
> copy bb.bat \\10.1.2.16\c$\windows\system32
> net time \\10.1.2.16
> at \\10.1.2.16 12:27 bb.bat
> dir \\10.1.2.16\c$\windows\system32\inf.txt
> move \\10.1.2.16\c$\windows\system32\inf.txt .
> del \\10.1.2.16\c$\windows\system32\bb.bat
Learn the commands executed on the host, without their arguments; the set of commands executed on one host is used as one data item.
Data cleansing: examples of command sets
Command Set 1: at, whoami, del, net use
Command Set 2: tasklist, dir, netsh
Command Set 3: whoami, schtasks, echo
Command Set 4: dir, del, echo, whoami
Creating Training Data
The commands to be learned are narrowed down to the following 50, which are often executed by attackers during lateral movement according to our research:
tasklist, ver, ipconfig, net time, cd, systeminfo, netstat, whoami, nbtstat, net start, set, qprocess, nslookup, fsutil, net view, type, net use, echo, net user, net group, net localgroup, dsquery, net config, csvde, net share, quser, net session, query user, tracert, nltest, at, move, schtasks, copy, ren, reg, wmic, powershell, md, cscript, runas, sc, netsh, wusa, icacls, del, taskkill, klist, wevtutil, rd
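The data-cleansing step just described (raw cmd.exe lines reduced to the set of learned commands, then to a 50-wide 0/1 input vector), together with the remote execution commands shown earlier (at, schtasks /s, wmic /node:), as an added example that is not code from the slides or from DetectLM. The 50 commands are the slide's list; the log lines are constructed to mirror the slide's data-cleansing example; the two-word handling for `net` and `query`, the host pattern and the absence of IPv6 support are assumptions of this example.

```python
# Added example (not code from the JPCERT/CC slides or the DetectLM project):
# the data-cleansing step from the deck, turning raw cmd.exe lines into the
# per-host set of learned commands (and the 50-wide 0/1 input vector), plus a
# helper that recovers the remote host targeted by at / schtasks /s / wmic /node:
# or a UNC path, as in the remote execution slide. The 50 commands are the
# slide's list; the log below is constructed to mirror the slide's example.
import re

LEARNED_COMMANDS = [
    "tasklist", "ver", "ipconfig", "net time", "cd", "systeminfo",
    "netstat", "whoami", "nbtstat", "net start", "set", "qprocess",
    "nslookup", "fsutil", "net view", "type", "net use", "echo",
    "net user", "net group", "net localgroup", "dsquery", "net config", "csvde",
    "net share", "quser", "net session", "query user", "tracert", "nltest",
    "at", "move", "schtasks", "copy", "ren", "reg",
    "wmic", "powershell", "md", "cscript", "runas", "sc",
    "netsh", "wusa", "icacls", "del", "taskkill", "klist",
    "wevtutil", "rd",
]
assert len(LEARNED_COMMANDS) == 50

# Assumption: only 'net <sub>' and 'query <sub>' are treated as two-word commands.
TWO_WORD_PREFIXES = ("net", "query")


def command_name(line):
    """Strip prompt, path, '.exe' and arguments from one logged line.

    'net use \\\\10.1.2.16' -> 'net use'; 'C:\\Windows\\System32\\net.exe user' -> 'net user';
    'klist purge' -> 'klist'.
    """
    tokens = line.lstrip("> ").split()
    if not tokens:
        return None
    head = tokens[0].rsplit("\\", 1)[-1].lower()      # drop any leading path
    if head.endswith(".exe"):
        head = head[:-4]
    if head in TWO_WORD_PREFIXES and len(tokens) > 1:
        return f"{head} {tokens[1].lower()}"
    return head


def command_set(lines):
    """Distinct learned commands in one host's log, in the slide's order (arguments dropped)."""
    seen = {command_name(l) for l in lines}
    return [c for c in LEARNED_COMMANDS if c in seen]


def feature_vector(lines):
    """0/1 vector with one entry per learned command: the neural network's input."""
    seen = set(command_set(lines))
    return [int(c in seen) for c in LEARNED_COMMANDS]


HOST = r"([A-Za-z0-9._-]+)"          # IPv4 address or hostname (assumption: no IPv6)
REMOTE_PATTERNS = [
    re.compile(r"^schtasks\b.*\s/s\s+" + HOST, re.I),   # schtasks ... /s host
    re.compile(r"^wmic\s+/node:\"?" + HOST, re.I),      # wmic /node:host ...
    re.compile(r"\\\\" + HOST),                          # at \\host, net use \\host, \\host\c$\...
]


def remote_target(line):
    """Host named as the target of a remote command on this line, or None."""
    body = line.lstrip("> ")
    for pat in REMOTE_PATTERNS:
        m = pat.search(body)
        if m:
            return m.group(1)
    return None


def remote_targets(lines):
    """Sorted set of every host the log reached out to: the lateral-movement fan-out."""
    return sorted({t for t in map(remote_target, lines) if t})


# Constructed log lines mirroring the slide's data-cleansing example.
SAMPLE_LOG = r"""
> cd logs
> whoami
> klist
> net use
> klist purge
> ping -n 1 10.1.44.16
> ping -n 1 10.1.2.16
> net use \\10.1.2.16
> dir \\10.1.2.16\c$\users
> copy bb.bat \\10.1.2.16\c$\windows\system32
> net time \\10.1.2.16
> at \\10.1.2.16 12:27 bb.bat
> dir \\10.1.2.16\c$\windows\system32\inf.txt
> move \\10.1.2.16\c$\windows\system32\inf.txt .
> del \\10.1.2.16\c$\windows\system32\bb.bat
""".strip().splitlines()

if __name__ == "__main__":
    print("command set :", command_set(SAMPLE_LOG))
    print("features on :", sum(feature_vector(SAMPLE_LOG)), "of", len(LEARNED_COMMANDS))
    print("targets     :", remote_targets(SAMPLE_LOG))
```

Note that ping and dir, the two most frequent reconnaissance commands in the tables above, are not among the 50 learned commands, so they vanish from the feature vector; the remote-target helper is a separate enrichment, useful for pivoting from an alert to the host the attacker was moving towards.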
Data Analysis
Examples of algorithms: decision tree, random forest, neural network, Bayesian network, k-means, SVM.
Algorithms to evaluate: decision tree, random forest, neural network, Bayesian network (these four appear in the results below).
Bayesian Network
A probabilistic model that expresses the causal relation between "cause" and "result" by a graph structure and probabilities.
Example network: Rain → Sprinkler, and both Rain and Sprinkler → WetGrass, with these conditional probability tables (Sup = Sprinkler):

P(Rain)
T     F
0.2   0.8

P(Sprinkler | Rain)
Rain   T      F
F      0.4    0.6
T      0.01   0.99

P(WetGrass | Sprinkler, Rain)
Sup  Rain   T      F
F    F      0      1
F    T      0.8    0.2
T    F      0.9    0.1
T    T      0.99   0.01

• When the values of some variables are decided, the probability distribution of the unknown variables can be derived.
• Predict the future.

Detect Anomalous Windows Command Execution Using a Bayesian Network
• When a command is executed, the network predicts whether it is an attack or not.
• The network model is created by learning (command nodes such as "at" and "net use" linked to an ATTACK node).
Model created: the learned network.
Flow of malware execution in the model:
> net use \\10.1.2.16
> copy bb.bat \\10.1.2.16\c$\windows\system32
> at \\10.1.2.16 12:27 bb.bat
The flow of lateral movement is properly modeled by learning.
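Inference on the Rain / Sprinkler / WetGrass network above, as an added example that is not code from the slides. It uses the slide's conditional probability tables unchanged and answers "how likely is rain, given the grass is wet?" by enumerating the joint distribution, which is the same kind of query the command network answers ("how likely is an attack, given these commands ran?"); the enumeration approach is an assumption of this example and only suits very small networks.

```python
# Added example (not from the slides): exact inference by enumeration on the
# Rain / Sprinkler / WetGrass network whose conditional probability tables the
# slide shows. Enumeration is exponential in the number of variables, which is
# fine for three nodes (assumption: tiny networks only).
from itertools import product

# CPTs copied from the slide. Values are P(child = True) for each parent assignment.
P_RAIN = 0.2
P_SPRINKLER_GIVEN_RAIN = {False: 0.4, True: 0.01}
P_WET_GIVEN_SPRINKLER_RAIN = {
    (False, False): 0.0,
    (False, True): 0.8,
    (True, False): 0.9,
    (True, True): 0.99,
}

VARS = ("rain", "sprinkler", "wet")


def p(value, p_true):
    """Probability of a boolean variable taking `value` when P(True) is p_true."""
    return p_true if value else 1.0 - p_true


def joint(rain, sprinkler, wet):
    """P(Rain, Sprinkler, WetGrass), factorised along the edges of the graph."""
    return (p(rain, P_RAIN)
            * p(sprinkler, P_SPRINKLER_GIVEN_RAIN[rain])
            * p(wet, P_WET_GIVEN_SPRINKLER_RAIN[(sprinkler, rain)]))


def posterior(query, evidence):
    """P(query = True | evidence): sum the joint over every world consistent with the evidence.

    query is one of VARS; evidence maps variable names to observed booleans.
    """
    num = den = 0.0
    for assignment in product((False, True), repeat=len(VARS)):
        world = dict(zip(VARS, assignment))
        if any(world[v] != val for v, val in evidence.items()):
            continue                                  # contradicts the observation
        pr = joint(**world)
        den += pr
        if world[query]:
            num += pr
    return num / den


if __name__ == "__main__":
    print(f"P(rain)                  = {posterior('rain', {}):.4f}")
    print(f"P(wet grass)             = {posterior('wet', {}):.4f}")
    print(f"P(rain | wet grass)      = {posterior('rain', {'wet': True}):.4f}")
    print(f"P(rain | wet, sprinkler) = {posterior('rain', {'wet': True, 'sprinkler': True}):.4f}")
```

Wet grass raises the rain estimate from the 0.2 prior to about 0.36, and learning that the sprinkler was on drops it to under 0.01: the sprinkler "explains away" the wet grass. The command network behaves the same way, which is why it can keep a low false-negative rate (the result table below) while still letting an innocent explanation for a single command lower the attack probability.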
Neural Network
A network model that mimics the structure of the human brain; often used for image recognition (for example, a handwritten digit as input and the recognized digit as output).
Detect Anomalous Windows Command Execution Using a Neural Network
Input: the executed commands (for example at, whoami, del, net use)
Output: attack or not (True or False)
Design of Neural Network
• Feedforward neural network, 3 layers
• Input: 50 commands (a command set)
• Output: attack or not (True or False)
Layers: Affine → Batch Norm → ReLU → Affine → Softmax → True / False
Learning Result by Neural Network
(plot of accuracy, from 0.4 to 1.0, against training epoch, 1 to 29)
Problem of Neural Networks
• The model created by learning is a black box, and it is unknown which criteria it uses.
• The criteria change with each learning result.
Evaluation Criterion of Neural Network
There is research into investigating the criteria used by a neural network:
• Visualizing the network
• Variable importance (used in this work)
• Activation maximization
• Sensitivity analysis
• Local Interpretable Model-Agnostic Explanations (LIME)
Variable Importance for Neural Networks
(bar chart; importance on a scale from -1 to 1, legend: attack, command; the 50 commands appear along the axis in this order)
dsquery, cscript, netsh, tracert, nltest, nslookup, wusa, nbtstat, ren, fsutil, set, echo, netstat, copy, wevtutil, icacls, net_share, move, net_session, md, cd, schtasks, csvde, net_start, net_time, type, ver, systeminfo, whoami, ipconfig, tasklist, klist, qprocess, runas, net_use, reg, sc, net_config, rd, net_user, taskkill, wmic, quser, del, at, powershell, net_localgroup, net_view, net_group, query
Evaluation Indices
• Recall: those predicted as "true" among the "true" results.
• Precision: the "true" results among those judged as "true".
• F-measure: an evaluation index of prediction accuracy.
$\mathrm{Recall} = \frac{TP}{TP + FN}$
$\mathrm{Precision} = \frac{TP}{TP + FP}$
$\text{F-measure} = \frac{2 \cdot \mathrm{Recall} \cdot \mathrm{Precision}}{\mathrm{Recall} + \mathrm{Precision}}$
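The classifier from the "Design of Neural Network" slide and the evaluation indices just defined, as one added example that is not the deck's model or DetectLM code. It is a pure-Python feedforward network (Affine → ReLU → Affine → Softmax over the 50-command input) trained by stochastic gradient descent on constructed command sets, then scored with recall, precision and F-measure with "attack" as the positive class. Assumptions of this example: batch normalization is omitted, the hidden layer has 16 units, the command pools used to synthesize labelled sets are invented rather than the five campaigns' logs, and the hyper-parameters (learning rate 0.1, 30 epochs) are picked for this toy data.

```python
# Added example (not the deck's model or DetectLM code): a pure-Python version of
# the slide's feedforward classifier, Affine -> ReLU -> Affine -> Softmax over a
# 50-command input vector, trained by SGD on constructed command sets and then
# scored with the recall / precision / F-measure definitions from the evaluation
# slide. Assumptions: batch normalisation is omitted, the hidden layer has 16
# units, and the training data is synthetic rather than the five campaigns' logs.
import math
import random

COMMANDS = [  # the 50 learned commands from the slide
    "tasklist", "ver", "ipconfig", "net time", "cd", "systeminfo", "netstat", "whoami",
    "nbtstat", "net start", "set", "qprocess", "nslookup", "fsutil", "net view", "type",
    "net use", "echo", "net user", "net group", "net localgroup", "dsquery", "net config",
    "csvde", "net share", "quser", "net session", "query user", "tracert", "nltest", "at",
    "move", "schtasks", "copy", "ren", "reg", "wmic", "powershell", "md", "cscript", "runas",
    "sc", "netsh", "wusa", "icacls", "del", "taskkill", "klist", "wevtutil", "rd",
]
INDEX = {c: i for i, c in enumerate(COMMANDS)}

# Constructed pools for synthesising labelled command sets; three commands
# (copy, del, whoami) deliberately occur in both so the classes overlap a little.
ATTACK_POOL = ["at", "schtasks", "net use", "net time", "klist", "net view", "net user",
               "wmic", "wevtutil", "move", "tasklist", "copy", "del", "whoami"]
BENIGN_POOL = ["cd", "echo", "type", "set", "ipconfig", "md", "rd", "ren",
               "ver", "copy", "del", "whoami"]


def vectorize(command_set):
    """One 0/1 input per learned command: the network's 50-wide input layer."""
    x = [0.0] * len(COMMANDS)
    for c in command_set:
        x[INDEX[c]] = 1.0
    return x


def make_dataset(n, rng):
    """n (vector, label) pairs, alternating attack (1) and benign (0) sets of 3 to 6 commands."""
    data = []
    for i in range(n):
        label = i % 2
        pool = ATTACK_POOL if label else BENIGN_POOL
        data.append((vectorize(rng.sample(pool, rng.randint(3, 6))), label))
    return data


class Net:
    """Affine -> ReLU -> Affine -> Softmax with two outputs (not attack, attack)."""

    def __init__(self, n_in, n_hidden, rng, n_out=2):
        s1, s2 = 1 / math.sqrt(n_in), 1 / math.sqrt(n_hidden)
        self.W1 = [[rng.uniform(-s1, s1) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b1 = [0.0] * n_hidden
        self.W2 = [[rng.uniform(-s2, s2) for _ in range(n_out)] for _ in range(n_hidden)]
        self.b2 = [0.0] * n_out

    def forward(self, x):
        """Returns (hidden activations, class probabilities)."""
        h = [max(0.0, sum(x[i] * w[j] for i, w in enumerate(self.W1)) + self.b1[j])
             for j in range(len(self.b1))]
        z = [sum(h[j] * w[k] for j, w in enumerate(self.W2)) + self.b2[k]
             for k in range(len(self.b2))]
        m = max(z)                                    # shift for numerical stability
        e = [math.exp(v - m) for v in z]
        return h, [v / sum(e) for v in e]

    def sgd_step(self, x, y, lr):
        """One gradient-descent step on the cross-entropy loss for the pair (x, y)."""
        h, prob = self.forward(x)
        d2 = [prob[k] - (k == y) for k in range(len(prob))]        # dL/dz for softmax + CE
        d1 = [sum(self.W2[j][k] * d2[k] for k in range(len(d2))) * (h[j] > 0)
              for j in range(len(h))]                              # back through the ReLU
        for j in range(len(h)):
            for k in range(len(d2)):
                self.W2[j][k] -= lr * h[j] * d2[k]
            self.b1[j] -= lr * d1[j]
        for k in range(len(d2)):
            self.b2[k] -= lr * d2[k]
        for i, xi in enumerate(x):
            if xi:                                    # input is sparse: skip zero entries
                for j in range(len(h)):
                    self.W1[i][j] -= lr * xi * d1[j]

    def predict(self, x):
        return int(self.forward(x)[1][1] > 0.5)


def f_measure(recall, precision):
    return 2 * recall * precision / (recall + precision) if recall + precision else 0.0


def metrics(y_true, y_pred):
    """(recall, precision, F-measure) with 'attack' (1) as the positive class."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return recall, precision, f_measure(recall, precision)


def train_and_evaluate(seed=0, epochs=30, lr=0.1):
    """Train on 200 synthetic sets, evaluate on 100 held-out ones."""
    rng = random.Random(seed)
    train, test = make_dataset(200, rng), make_dataset(100, rng)
    net = Net(len(COMMANDS), 16, rng)
    for _ in range(epochs):
        rng.shuffle(train)
        for x, y in train:
            net.sgd_step(x, y, lr)
    return metrics([y for _, y in test], [net.predict(x) for x, _ in test])


if __name__ == "__main__":
    r, p, f = train_and_evaluate()
    print(f"recall={r:.3f} precision={p:.3f} F-measure={f:.3f}")
```

`f_measure` reproduces the F-measure column of the result table from its recall and precision columns, which is a quick sanity check on any such table. Because the network only sees which commands ran, two hosts whose logs differ only in arguments or order get identical predictions; that is the limitation the Future Work slide raises.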
Result
Algorithm          recall     precision  F-measure
Bayesian network   0.994343   0.683800   0.810337
Neural network     0.965517   0.967742   0.966628
Decision tree      0.839154   0.960347   0.895669
Random forest      0.915388   0.975964   0.944705
Average values over 1,000 repetitions
Result
• Bayesian network: low false negative rate
• Neural network: the balanced algorithm
• Random forest: low false positive rate

4. Detection System
System Overview (Client)
• cmdlogs.bat (shell script): collect the commands executed via cmd.exe
• Invoke-DetectLM.ps1 (PowerShell): send the collected logs to the server; confirm the analysis result and display alerts
System Overview (Server)
• Elasticsearch: save the logs
• Kibana: visualize the logs
• DetectLM.py (Python): collect the logs saved in Elasticsearch and detect malicious command execution by machine learning; analyze the logs using the neural network; exchange data with Elasticsearch via its REST API
Alert Level
Each log has one of three detection levels:
• Level 0: default
• Level 1: logs detected as malicious by machine learning
• Level 2: logs reported as malicious by a user
Flow: logs sent from the hosts → anomaly? No: alert level 0. Yes: alert level 1 → did the user report it as malicious? Yes: alert level 2. No: it stays at alert level 1.
Notice to Clients
Users are notified of logs detected as malicious (alert level 1).
• The user can then set an "ignore flag" when it is a false positive.
Kibana Dashboard
Demo
Future Work
Update the algorithm:
• The current algorithm does not consider time series data or the frequency of execution.
• Some commands have to be executed in order.
• Take the time series of execution into account.
Conclusion
• Windows commands are used during lateral movement.
• Lateral movement can be detected by monitoring malicious Windows command execution.
• Machine learning assists in detecting malicious command execution.
Thank you
Q&A
https://github.com/JPCERTCC/DetectLM

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 

Shusei tomonaga pac_sec_20171026

• 1. Neural Network for Detecting APT Lateral Movement
  Shusei Tomonaga, JPCERT/CC, PacSec 2017

• 2. Self-introduction
  Copyright ©2017 JPCERT/CC All rights reserved.
  Shusei Tomonaga
  - Analysis Center at JPCERT/CC
  - Malware analysis, forensics investigation.
  - Written up posts on malware analysis and technical findings on this blog and GitHub.
    - http://blog.jpcert.or.jp/
    - https://github.com/JPCERTCC/aa-tools
  ※ I'm a malware analyst, not a data scientist.

• 3. Trend of APT Incident Detection
  - It is difficult to prevent a network from being compromised.
  - The focus of attention is shifting towards early detection of lateral movement.
  - Development of systems that record and analyze the behavior of processes on the host is flourishing now.
  - EDR (Endpoint Detection and Response) is receiving attention.

• 4. Goals of This Presentation
  Proposal of a method of detecting lateral movement

• 5. Approach
  In order to detect lateral movement, it is necessary to know how an attacker spreads infection.
  - The details of the lateral movement method are unknown.
  - Investigate the method of lateral movement and create a detection method.

• 6. This Presentation Topics
  1. Research of Lateral Movement
  2. Pattern of Lateral Movement
  3. Detecting Lateral Movement using Machine Learning
  4. Detection System

• 7. Agenda: 1. Research of Lateral Movement

• 8. Research of Lateral Movement: Research Methods
  Investigating C&C servers and malware connections in five operations.
  - APT10 (named by FireEye)
  - APT17 (named by FireEye)
  - Dragon OK (named by Palo Alto)
  - Blue Termite (named by Kaspersky)
  - Tick (named by Symantec)

• 9. Research of Lateral Movement: Research Methods
  - Investigate how infection is spread from the commands executed by the attacker.

• 10. APT Incidents Investigated by JPCERT/CC
  [Timeline figure, 2013 to 2016 by quarter: BKDR_ChChes (APT10), Asruex, Elirks, Tick, Blue Termite, Scanbox, Winnti, APT17]

• 11. Research Overview: Data Set
  - Total command executions: 16,866
  - Total number of infected hosts: 645

• 12. Research Overview: Data Set
  - Total command executions: 16,866
  - Total number of infected hosts: 645
  - Total Windows command executions: 14,268

• 13. Tools Used by Attackers at Lateral Movement
  Attackers use not only attack tools but also Windows commands and legitimate tools.
  - Why do attackers use Windows commands and legitimate tools?
  - They are not detected by antivirus software.

• 14. Agenda: 2. Pattern of Lateral Movement

• 15. Overview of APT Incident and Lateral Movement
  [Diagram of the target network with AD / file server]
  1. Infection
  2. Initial investigation
  3. Internal reconnaissance
  4. Spread of infection
  5. Sending stolen data
  6. Delete evidence

• 16. Lateral Movement: Initial Investigation
  Initial investigation: collect information on the infected host
  - The most used command is tasklist.
  - If the infected host was a virtual machine for analysis, the attacker will leave soon.

• 17. Windows Commands Used for Initial Investigation
  Rank  Command     Count
  1     tasklist    327
  2     ver         182
  3     ipconfig    145
  4     net time    133
  5     systeminfo   75
  6     netstat      42
  7     whoami       37
  8     nbtstat      36
  9     net start    35
  10    set          29
  11    qprocess     27
  12    nslookup     11

• 18. Lateral Movement: Internal Reconnaissance
  Internal reconnaissance: look for information saved on the compromised machine and information on the network
  - The most used command is dir.
    - The attacker looks around for confidential data stored on the infected host.
  - For searching the local network, net is used.

• 19. Windows Commands Used for Internal Reconnaissance
  Rank  Command         Count
  1     dir             4466
  2     ping            2372
  3     net view         590
  4     type             543
  5     net use          541
  6     echo             496
  7     net user         442
  8     net group        172
  9     net localgroup    85
  10    dsquery           81
  11    net config        32
  12    csvde             21

• 20. net Command
  - net view: obtain a list of connectable domain resources
  - net user: manage local/domain accounts
  - net localgroup: obtain a list of users belonging to local groups
  - net group: obtain a list of users belonging to certain domain groups
  - net use: access resources

• 21. Lateral Movement: Spread of Infection
  Spread of infection: infect the machine with other malware or try to access other hosts
  - The most used command is at.
    - The "at" command is not supported on Windows 10, Windows 8.1, etc.
    - If "at" does not exist, schtasks is used.
  - A password dump tool is always used.

• 22. Windows Commands Used for Spread of Infection
  Rank  Command     Count
  1     at          445
  2     move        399
  3     schtasks    379
  4     copy        299
  5     ren         151
  6     reg         119
  7     wmic         40
  8     powershell   29
  9     md           16
  10    runas         7
  11    sc            6
  12    netsh         6

• 23. Remote Command Execution Using Windows Commands
  at command:
  > at [IP Address] 12:00 cmd /c "C:\windows\temp\mal.exe"
  schtasks command:
  > schtasks /create /tn [Task Name] /tr C:\1.bat /sc onstart /ru System /s [IP Address]

• 24. Remote Command Execution Using Windows Commands
  wmic command:
  > wmic /node:[IP Address] /user:"[User Name]" /password:"[PASSWORD]" process call create "cmd /c c:\Windows\System32\net.exe user"

• 25. Lateral Movement: Delete Evidence
  Delete evidence: delete files used by the attacker and logs
  - The most used command is del.
  - For deleting the event log, wevtutil is used.

• 26. Windows Commands Used for Deleting Evidence
  Rank  Command   Count
  1     del       844
  2     taskkill   80
  3     klist      73
  4     wevtutil   23
  5     rd         15

• 27. Summary so Far
  - Researched the attack pattern of lateral movement
  - Attackers use Windows commands for lateral movement
  - Lateral movement can be detected by monitoring Windows command execution

• 28. Methods of Monitoring Malicious Windows Command Execution
  - Blacklist
  - Scoring
  - Machine learning

• 29. Blacklist
  Detect execution of commands that are likely used by an attacker
  Blacklist: at, schtasks, klist, net use, ...
  - Commands executed by the attacker: at, whoami, del, net use -> DETECTED!
  - Commands executed by the attacker: whoami, tasklist, del, dir -> false negative

• 30. Blacklist
  Issue: can't detect an attack unless blacklisted commands are executed
  - Detects execution of the net use, schtasks and at commands
  - These commands may be executed by an application or user and cannot be blacklisted

• 31. Scoring
  Score executed Windows commands and detect when the total is above the threshold
  Score sheet:
  Command   Score
  at         50
  schtasks   50
  whoami     10
  net use    30
  del         5
  tasklist   10
  Commands executed by the attacker: at, whoami, del, net use
  Calculation result: 50 + 30 + 10 + 5 = 95; threshold = 90 -> DETECTED!

• 32. Scoring
  Score executed Windows commands and alert when the total is above the threshold
  Issue:
  - Windows commands are scored according to importance
  - The cost of creating a scoring table is high (constant updates required)
  - If an attacker executes commands with a low score, no alert can be raised

• 33. Machine Learning
  Detect malicious Windows command execution using machine learning
  Commands executed by the attacker (at, whoami, del, net use) -> machine learning -> Result: DETECTED!

• 34. Machine Learning
  Detect anomalous Windows commands using machine learning
  After this slide, I present the observation results of this method

• 35. Agenda: 3. Detecting Lateral Movement using Machine Learning

• 36. Machine Learning
  "Machine learning is a field of computer science that gives computers the ability to learn without being explicitly programmed." - Wikipedia※
  ※ https://en.wikipedia.org/wiki/Machine_learning
  - Supervised learning (I use this)
  - Unsupervised learning
  - Reinforcement learning

• 37. Flow of Algorithm Selection for Machine Learning
  1. Collection of training data
  2. Data cleansing
  3. Data analysis with machine learning
  4. Evaluate and select the best algorithm

• 38. Collection of Training Data
  Using data from the five attack campaigns analyzed in the research of lateral movement
  - APT10 (named by FireEye)
  - APT17 (named by FireEye)
  - Dragon OK (named by Palo Alto)
  - Blue Termite (named by Kaspersky)
  - Tick (named by Symantec)

• 39. Flow of Algorithm Selection for Machine Learning: step 2, data cleansing

• 40. Data Cleansing
  What to learn?
  > cd intellogs
  > whoami
  > klist
  > net use
  > klist purge
  > ping -n 1 10.1.44.16
  > ping -n 1 10.1.2.16
  > net use \\10.1.2.16
  > dir \\10.1.2.16\c$\users
  > copy bb.bat \\10.1.2.16\c$\windows\system32
  > net time \\10.1.2.16
  > at \\10.1.2.16 12:27 bb.bat
  > dir \\10.1.2.16\c$\windows\system32\inf.txt
  > move \\10.1.2.16\c$\windows\system32\inf.txt .
  > del \\10.1.2.16\c$\windows\system32\bb.bat

• 41. Data Cleansing
  (same command log as slide 40)
  - Commands executed on the host (no arguments)
  - Use the executed command set as one data item

• 42. Data Cleansing
  Command Set 1: at, whoami, del, net use
  Command Set 2: tasklist, dir, netsh, whoami
  Command Set 3: schtasks, echo, dir, del
  Command Set 4: echo, whoami

• 43. Creating Training Data
  Commands to be learned are narrowed down to 50, which are often executed by attackers in lateral movement based on our research.
  Learning commands: tasklist, ver, ipconfig, net time, cd, systeminfo, netstat, whoami, nbtstat, net start, set, qprocess, nslookup, fsutil, net view, type, net use, echo, net user, net group, net localgroup, dsquery, net config, csvde, net share, quser, net session, query user, tracert, nltest, at, move, schtasks, copy, ren, reg, wmic, powershell, md, cscript, runas, sc, netsh, wusa, icacls, del, taskkill, klist, wevtutil, rd
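The data cleansing of slides 40 to 43 (drop the prompt and arguments, keep the set of commands executed on a host, map it onto the 50 learned commands) as an added worked example. This is not code from the talk or from the JPCERTCC/DetectLM project; the rule that "net" and "query" keep their sub-command as part of the command name, and the sample log, are assumptions of this example.

```python
"""Added example: raw cmd.exe log -> command set -> 50-slot feature vector."""
import re

# The 50 commands learned by the model (slide 43), in the order listed there.
LEARNED_COMMANDS = [
    "tasklist", "ver", "ipconfig", "net time", "cd", "systeminfo", "netstat",
    "whoami", "nbtstat", "net start", "set", "qprocess", "nslookup", "fsutil",
    "net view", "type", "net use", "echo", "net user", "net group",
    "net localgroup", "dsquery", "net config", "csvde", "net share", "quser",
    "net session", "query user", "tracert", "nltest", "at", "move", "schtasks",
    "copy", "ren", "reg", "wmic", "powershell", "md", "cscript", "runas", "sc",
    "netsh", "wusa", "icacls", "del", "taskkill", "klist", "wevtutil", "rd",
]
INDEX = {cmd: i for i, cmd in enumerate(LEARNED_COMMANDS)}

# "net" and "query" are only meaningful together with their sub-command
# (slide 20), so the first two tokens form the name; every other command keeps
# only its first token. This split is an assumption of the example.
TWO_WORD_PREFIXES = {"net", "query"}


def command_name(line):
    """Strip the prompt and arguments from one logged line; return the bare command."""
    line = line.strip()
    if line.startswith(">"):
        line = line[1:].strip()
    tokens = line.split()
    if not tokens:
        return None
    head = tokens[0].lower()
    # Remove a leading path and an executable extension, e.g. c:\windows\system32\net.exe
    head = re.sub(r"^.*[\\/]", "", head)
    head = re.sub(r"\.(exe|com|bat|cmd)$", "", head)
    if head in TWO_WORD_PREFIXES and len(tokens) > 1:
        return head + " " + tokens[1].lower()
    return head


def command_set(log_text):
    """Slide 41: the set of commands executed on a host, arguments discarded."""
    names = (command_name(line) for line in log_text.splitlines())
    return sorted({n for n in names if n})


def feature_vector(cmds):
    """Slide 43: 0/1 vector with one slot per learned command; others are ignored."""
    vec = [0] * len(LEARNED_COMMANDS)
    for c in cmds:
        if c in INDEX:
            vec[INDEX[c]] = 1
    return vec


# Constructed sample log in the shape of slide 40 (not a real incident log).
SAMPLE_LOG = r"""
> cd logs
> whoami
> klist
> net use
> klist purge
> ping -n 1 10.1.44.16
> net use \\10.1.2.16
> dir \\10.1.2.16\c$\users
> copy bb.bat \\10.1.2.16\c$\windows\system32
> net time \\10.1.2.16
> at \\10.1.2.16 12:27 bb.bat
> move \\10.1.2.16\c$\windows\system32\inf.txt .
> del \\10.1.2.16\c$\windows\system32\bb.bat
"""

if __name__ == "__main__":
    cmds = command_set(SAMPLE_LOG)
    print("command set:", cmds)
    print("learned commands present:", sum(feature_vector(cmds)), "of", len(LEARNED_COMMANDS))
```

Note that dir and ping appear in the sample log but not in the 50 learned commands, so they contribute nothing to the vector; the same thing happens in the talk's data set, where only the narrowed-down commands are features.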
• 44. Creating Training Data
  [Figure]

• 45. Flow of Algorithm Selection for Machine Learning: step 3, data analysis with machine learning

• 46. Data Analysis: example algorithms
  Decision tree, random forest, neural network, Bayesian network, k-means, SVM

• 47. Data Analysis: algorithms to evaluate
  Decision tree, random forest, neural network, Bayesian network, k-means, SVM

• 48. Bayesian Network
  Probabilistic model that expresses the causal relation between "cause" and "result" by graph structure and probability
  Example network: Rain -> Sprinkler, Rain -> WetGrass, Sprinkler -> WetGrass
  P(Rain):                T 0.2,  F 0.8
  P(Sprinkler | Rain):    Rain=F: T 0.4,  F 0.6
                          Rain=T: T 0.01, F 0.99
  P(WetGrass | Sprinkler, Rain):
                          S=F, R=F: T 0,    F 1
                          S=F, R=T: T 0.8,  F 0.2
                          S=T, R=F: T 0.9,  F 0.1
                          S=T, R=T: T 0.99, F 0.01

• 49. Bayesian Network
  Probabilistic model that expresses the causal relation between "cause" and "result" by graph structure and probability
  - When the value of a variable is decided, the probability distribution of the unknown variables can be derived
  - Predict the future
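An added worked example of what slide 49 calls deriving the distribution of the unknown variables once a value is decided, using the exact Rain / Sprinkler / WetGrass tables of slide 48. It is not code from the talk; it enumerates the joint distribution by brute force, which is fine for three variables, whereas the talk's command-set model uses a proper Bayesian network library. The command-detection model works the same way with command nodes in place of Rain and Sprinkler and "attack" in place of WetGrass.

```python
"""Added example: exact inference on the slide 48 network by enumeration."""
from itertools import product

# Conditional probability tables copied from slide 48. Each entry is
# P(variable = True | parents); P(False) is the complement.
P_RAIN = 0.2
P_SPRINKLER_GIVEN_RAIN = {False: 0.4, True: 0.01}
P_WET_GIVEN_SPRINKLER_RAIN = {
    (False, False): 0.0,
    (False, True): 0.8,
    (True, False): 0.9,
    (True, True): 0.99,
}
VARS = ("rain", "sprinkler", "wet")


def joint(rain, sprinkler, wet):
    """P(Rain, Sprinkler, WetGrass): chain rule along the edges of the graph."""
    p = P_RAIN if rain else 1 - P_RAIN
    ps = P_SPRINKLER_GIVEN_RAIN[rain]
    p *= ps if sprinkler else 1 - ps
    pw = P_WET_GIVEN_SPRINKLER_RAIN[(sprinkler, rain)]
    p *= pw if wet else 1 - pw
    return p


def posterior(query, evidence):
    """P(query = True | evidence), summing the joint over unobserved variables.

    evidence maps variable names to observed truth values; an empty dict gives
    the marginal probability of the query.
    """
    num = den = 0.0
    for values in product((False, True), repeat=len(VARS)):
        assignment = dict(zip(VARS, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue  # inconsistent with what was observed
        p = joint(**assignment)
        den += p
        if assignment[query]:
            num += p
    return num / den


if __name__ == "__main__":
    print("P(WetGrass)                    =", round(posterior("wet", {}), 5))
    print("P(Rain | WetGrass)             =", round(posterior("rain", {"wet": True}), 5))
    print("P(Rain | WetGrass, Sprinkler)  =",
          round(posterior("rain", {"wet": True, "sprinkler": True}), 5))
```

Observing the grass wet raises the belief in rain from 0.2 to about 0.358; additionally observing that the sprinkler ran "explains away" the wet grass and drops the belief in rain back below its prior. That explaining-away behaviour is what the graph structure buys over a flat scoring table.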
• 50. Detecting Anomalous Windows Commands Using a Bayesian Network
  - When a command is executed, it predicts whether it is an attack or not
  - Create the network model by learning
  [Figure: at, net use -> ATTACK]

• 51. Detecting Anomalous Windows Commands Using a Bayesian Network
  [Figure: model created]

• 52. Detecting Anomalous Windows Commands Using a Bayesian Network
  Created a model. Flow of malware execution:
  > net use \\10.1.2.16
  > copy bb.bat \\10.1.2.16\c$\windows\system32
  > at \\10.1.2.16 12:27 bb.bat
  The flow of lateral movement is properly modeled by learning

• 53. Neural Network
  Network model that mimics the structure of the human brain; often used for image recognition
  [Figure: handwritten digits -> input -> neural network -> output 1 to 9, recognized as 3]

• 54. Detecting Anomalous Windows Commands Using a Neural Network
  Input: executed commands (at, whoami, del, net use) -> neural network -> Output: attack or not (True or False)

• 55. Design of Neural Network
  - Feedforward neural network
    - Input: 50 commands
    - Output: attack or not (True or False)
  3 layers: Command set -> Affine -> Batch Norm -> ReLU -> Affine -> Softmax -> True / False
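The slide 55 architecture (Affine -> Batch Norm -> ReLU -> Affine -> Softmax, 50 inputs, two outputs) written out in NumPy as an added example, so that each layer and its gradient are visible. This is not the talk's DetectLM code; the hidden width, learning rate, the partial command-to-slot mapping and the tiny constructed training sets are assumptions of the example, and NumPy is assumed to be installed.

```python
"""Added example: the 3-layer feedforward network of slide 55 in NumPy."""
import numpy as np

N_INPUT = 50  # one slot per learned command (slide 43)
EPS = 1e-5    # batch-norm numerical guard

# Slots for the commands used below; the real model maps all 50 commands of
# slide 43. This partial mapping is an assumption of the example.
SLOT = {"at": 0, "net use": 1, "whoami": 2, "del": 3, "schtasks": 4, "copy": 5,
        "wmic": 6, "net view": 7, "net user": 8, "tasklist": 9, "ipconfig": 10,
        "echo": 11, "type": 12, "cd": 13, "netstat": 14, "move": 15}

# Constructed training data (not from the talk's data set): attack-like sets
# follow the remote-execution flow of slide 52; benign sets are everyday use.
ATTACK_SETS = [
    {"net use", "copy", "at"}, {"net use", "copy", "schtasks", "del"},
    {"whoami", "net use", "at", "del"}, {"net view", "net user", "net use", "wmic"},
    {"net use", "move", "at", "del"}, {"whoami", "net use", "copy", "wmic"},
    {"net user", "net use", "schtasks"}, {"net view", "net use", "copy", "at"},
]
BENIGN_SETS = [
    {"ipconfig"}, {"cd", "type"}, {"tasklist"}, {"echo", "cd"},
    {"ipconfig", "netstat"}, {"cd", "type", "echo"}, {"tasklist", "netstat"},
    {"whoami", "cd"},
]


def encode(command_set):
    vec = np.zeros(N_INPUT)
    for c in command_set:
        vec[SLOT[c]] = 1.0
    return vec


class ThreeLayerNet:
    def __init__(self, n_hidden=16, seed=0):
        rng = np.random.default_rng(seed)
        self.W1 = rng.normal(0.0, np.sqrt(2.0 / N_INPUT), (N_INPUT, n_hidden))
        self.b1 = np.zeros(n_hidden)
        self.gamma, self.beta = np.ones(n_hidden), np.zeros(n_hidden)  # batch-norm scale/shift
        self.W2 = rng.normal(0.0, np.sqrt(2.0 / n_hidden), (n_hidden, 2))
        self.b2 = np.zeros(2)
        self.run_mean, self.run_var = np.zeros(n_hidden), np.ones(n_hidden)  # inference stats

    def forward(self, X, train=False):
        a1 = X @ self.W1 + self.b1                                   # Affine
        if train:                                                    # Batch Norm
            mu, var = a1.mean(0), a1.var(0)
            self.run_mean = 0.9 * self.run_mean + 0.1 * mu
            self.run_var = 0.9 * self.run_var + 0.1 * var
        else:
            mu, var = self.run_mean, self.run_var
        std = np.sqrt(var + EPS)
        xhat = (a1 - mu) / std
        h = np.maximum(self.gamma * xhat + self.beta, 0.0)           # ReLU
        logits = h @ self.W2 + self.b2                               # Affine
        logits = logits - logits.max(1, keepdims=True)
        exp = np.exp(logits)
        probs = exp / exp.sum(1, keepdims=True)                      # Softmax
        self._cache = (X, std, xhat, h, probs)
        return probs

    def backward(self, y, lr):
        """One gradient step on cross-entropy loss; y holds 0 (benign) / 1 (attack)."""
        X, std, xhat, h, probs = self._cache
        n = X.shape[0]
        dlogits = probs.copy()
        dlogits[np.arange(n), y] -= 1.0
        dlogits /= n
        dW2, db2 = h.T @ dlogits, dlogits.sum(0)
        dbn = (dlogits @ self.W2.T) * (h > 0)                        # through ReLU
        dgamma, dbeta = (dbn * xhat).sum(0), dbn.sum(0)
        dxhat = dbn * self.gamma
        da1 = (dxhat - dxhat.mean(0) - xhat * (dxhat * xhat).mean(0)) / std  # batch-norm backward
        dW1, db1 = X.T @ da1, da1.sum(0)
        for p, g in ((self.W1, dW1), (self.b1, db1), (self.gamma, dgamma),
                     (self.beta, dbeta), (self.W2, dW2), (self.b2, db2)):
            p -= lr * g


def train(epochs=500, lr=0.1, seed=0):
    """Full-batch training; returns the net and its accuracy on the training sets."""
    X = np.array([encode(s) for s in ATTACK_SETS + BENIGN_SETS])
    y = np.array([1] * len(ATTACK_SETS) + [0] * len(BENIGN_SETS))
    net = ThreeLayerNet(seed=seed)
    for _ in range(epochs):
        net.forward(X, train=True)
        net.backward(y, lr)
    preds = net.forward(X).argmax(1)  # inference mode uses the running statistics
    return net, float((preds == y).mean())


def is_attack(net, command_set):
    """Slide 54: one command set in, 'attack or not' out."""
    return bool(net.forward(encode(command_set)[None, :]).argmax(1)[0] == 1)


if __name__ == "__main__":
    net, acc = train()
    print("training accuracy:", acc)
    print("at, whoami, del, net use ->", is_attack(net, {"at", "whoami", "del", "net use"}))
```

Two details matter for a deployed detector: batch normalisation must switch to the running mean and variance at inference time, because a single command set is scored on its own and has no batch statistics; and the softmax output is a probability, so the True/False decision is a threshold on it, which is where the alert level policy of the detection system can be tuned.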
• 56. Learning Result by Neural Network
  [Plot: accuracy (0.4 to 1.0) against epoch (1 to 29)]

• 57. Problem of Neural Networks
  - The model created by learning is a black box, and it is unknown which criteria are used
  - The criteria change for each learning result

• 58. Evaluation Criteria of Neural Networks
  There is research into investigating the criteria of a neural network:
  - Visualizing the network
  - Variable importance (I use this)
  - Activation maximization
  - Sensitivity analysis
  - Local Interpretable Model-Agnostic Explanations

• 59. Variable Importance for Neural Networks
  [Bar chart, importance for "attack command" from -1 to 1 per command; commands in ascending order of importance: dsquery, cscript, netsh, tracert, nltest, nslookup, wusa, nbtstat, ren, fsutil, set, echo, netstat, copy, wevtutil, icacls, net share, move, net session, md, cd, schtasks, csvde, net start, net time, type, ver, systeminfo, whoami, ipconfig, tasklist, klist, qprocess, runas, net use, reg, sc, net config, rd, net user, taskkill, wmic, quser, del, at, powershell, net localgroup, net view, net group, query]

• 60. Flow of Algorithm Selection for Machine Learning: step 4, evaluate and select the best algorithm

• 61. Evaluation Indices
  - Recall: those predicted as "true" among the "true" results
  - Precision: "true" results among those judged as "true"
  - F-measure: evaluation index of prediction accuracy
  $\mathrm{Recall} = \frac{TP}{TP + FN}$
  $\mathrm{Precision} = \frac{TP}{TP + FP}$
  $\mathrm{F\text{-}measure} = \frac{2 \cdot \mathrm{Recall} \cdot \mathrm{Precision}}{\mathrm{Recall} + \mathrm{Precision}}$

• 62. Result (average value over 1,000 repetitions)
  Algorithm         Recall    Precision  F-measure
  Bayesian network  0.994343  0.683800   0.810337
  Neural network    0.965517  0.967742   0.966628
  Decision tree     0.839154  0.960347   0.895669
  Random forest     0.915388  0.975964   0.944705
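The indices of slide 61 computed from a confusion matrix, plus a check that the slide 62 table is internally consistent (each F-measure is the harmonic mean of its recall and precision), as an added example that is not code from the talk. The two detectors and their labels are constructed to show the recall/precision trade-off the result slide describes.

```python
"""Added example: recall, precision and F-measure from predictions."""


def confusion(y_true, y_pred):
    """Count TP, FP, FN, TN for parallel lists of booleans (True = attack)."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t and p)
    fp = sum(1 for t, p in zip(y_true, y_pred) if not t and p)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t and not p)
    tn = sum(1 for t, p in zip(y_true, y_pred) if not t and not p)
    return tp, fp, fn, tn


def recall(tp, fn):
    """Share of real attacks that were flagged; a miss (FN) lowers it."""
    return tp / (tp + fn) if tp + fn else 0.0


def precision(tp, fp):
    """Share of flagged sets that were real attacks; a false alarm (FP) lowers it."""
    return tp / (tp + fp) if tp + fp else 0.0


def f_measure(r, p):
    """Harmonic mean of recall and precision (slide 61)."""
    return 2 * r * p / (r + p) if r + p else 0.0


def evaluate(y_true, y_pred):
    tp, fp, fn, tn = confusion(y_true, y_pred)
    r, p = recall(tp, fn), precision(tp, fp)
    return {"recall": r, "precision": p, "f_measure": f_measure(r, p)}


# Constructed ground truth for ten command sets (first four are attacks) and
# two hypothetical detectors; none of this is data from the talk.
LABELS = [True, True, True, True, False, False, False, False, False, False]
# Detector A flags anything slightly suspicious: every attack caught, two false alarms.
DETECTOR_A = [True, True, True, True, True, True, False, False, False, False]
# Detector B is conservative: one attack missed, no false alarms.
DETECTOR_B = [True, True, True, False, False, False, False, False, False, False]

# Recall, precision and F-measure as reported on slide 62.
SLIDE_62 = {
    "Bayesian network": (0.994343, 0.683800, 0.810337),
    "Neural network": (0.965517, 0.967742, 0.966628),
    "Decision tree": (0.839154, 0.960347, 0.895669),
    "Random forest": (0.915388, 0.975964, 0.944705),
}


def table_is_consistent(table=SLIDE_62, tol=1e-5):
    """True when every F-measure matches the harmonic mean of its own row."""
    return all(abs(f_measure(r, p) - f) < tol for r, p, f in table.values())


if __name__ == "__main__":
    for name, preds in (("A", DETECTOR_A), ("B", DETECTOR_B)):
        print("detector", name, evaluate(LABELS, preds))
    print("slide 62 table consistent:", table_is_consistent())
```

Detector A behaves like the Bayesian network row of the table (recall 1.0, precision pulled down by false alarms) and detector B like the decision tree row (precision 1.0, recall pulled down by the miss); the F-measure is what lets the two be ranked on one axis.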
• 63. Result
  - Bayesian network: low false negative rate
  - Neural network: the balanced algorithm
  - Random forest: low false positive rate

• 64. Agenda: 4. Detection System

• 65. System Overview
  [Figure]

• 66. System Overview (Client)
  - cmdlogs.bat (shell script): collect commands executed via cmd.exe
  - Invoke-DetectLM.ps1 (PowerShell): send the collected logs to the server; confirm the analysis result and display alerts

• 67. System Overview (Server)
  - Elasticsearch: save the logs
  - Kibana: visualize the logs
  - DetectLM.py (Python): collect logs saved in Elasticsearch, detect malicious command execution by machine learning

• 68. DetectLM.py (Python)
  Collect logs saved in Elasticsearch, detect malicious command execution by machine learning
  - Analyze the logs using the neural network
  - Exchange data with Elasticsearch via the REST API

• 69. Alert Level
  [Flowchart: logs sent from the hosts -> Anomaly? (No: Alert Level 0 / Yes: Alert Level 1) -> User reported as malicious? (Yes: Alert Level 2)]

• 70. Alert Level
  The log has three levels of detection:
  - Level 0: default
  - Level 1: logs detected as malicious by machine learning
  - Level 2: error log reported by the user

• 71. Notice to Clients
  Users will be notified of logs detected as malicious (Alert Level: 1)
  - The user can then set an "ignore flag" when it is a false positive.

• 72. Kibana Dashboard
  [Screenshot]

• 73. Demo

• 74. Future Work: update the algorithm
  - The current algorithm does not consider time series data and the frequency of execution
  - Some commands have to be executed in order
  - Take the time series of execution into consideration

• 75. Conclusion
  - Windows commands are used during lateral movement
  - Lateral movement can be detected by monitoring malicious Windows command execution
  - Machine learning assists in detecting malicious command execution

• 76. Thank you / Q&A
  https://github.com/JPCERTCC/DetectLM