Erich Mueller gave a presentation on conquering all stages of an attack at the NTXISSA Cyber Security Conference. He outlined the typical stages an attacker will go through - initial infection, command and control, privilege escalation, internal reconnaissance, lateral movement, and damage. At each stage, he described common techniques attackers use, such as phishing and fileless malware for initial infection, domain generation algorithms for command and control, and password dumping for privilege escalation. The goal is to provide a comprehensive overview of how attackers operate throughout an attack lifecycle.
1. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
The Attack Lifecycle – Conquering All Stages of an Attack
Erich Mueller
Solutions Engineer
Cybereason
November 10, 2017
2. Hunting for the Adversary
• Innovation (Tough!)
• Custom Development (Challenging)
• Botnet, Hacked Server, Hosting ($20)
• Stolen Credit Card ($5)
• Obfuscator ($0.05)
• Rebuild Code ($0.00)
3. Are you under attack?
Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
4. External Recon
• People/Social Engineering
  • Conferences
  • Call help desk or admin
• Technology
  • External scans
  • Buy information & tools on black market
• Business Intelligence
  • Trusted relationships
  • 3rd party vendors
“Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.”
5. Initial Infection
• Phishing & spear phishing
• Vulnerability exploit
• Infected USB drive
6. Initial Infection: Process Injection
Running a procedure as a thread inside another process
• Evasion
• Reading host process memory
• Affecting host process behavior
• Server persistence
7. Initial Infection: Fileless Malware
Malicious code launches and carries out an infection within a tool or process
• Unlike traditional malware
  • Doesn’t use a file
  • Runs in memory of the device
• Examples of processes/tools
  • Legitimate Windows processes
  • Windows management interface
  • Meterpreter
  • Executing remote commands
8. Command & Control
Why
• Establish and maintain connection to:
  • Execute malicious code
  • Update malware
  • Send back collected info
  • Provide heartbeat to indicate the attack is still alive
How
• Legitimate HTTP
• Legitimate DNS request
• Fast Flux
• TOR
• IRC
• Facebook / Twitter / YouTube comments
• Domain Generation Algorithm
9. Command & Control: Domain Generation Algorithm
• C&C servers quickly get blacklisted
• DGA generates 1000’s of domains
  • Predictable to attacker, unpredictable to security researcher
  • One will be C&C
• When C&C domain blacklisted, attacker:
  • Selects another generated domain
  • Registers it
  • Continues attack
10. Privilege Escalation
Why
• Gain better persistence
• Cred dump/user impersonation
• Operate under the radar
How
• Exploit vulnerabilities
  • Command line vulnerability
  • Process injection
• Leverage improper configurations
  • Local admin rights for all users
  • User lockout policies
11. Privilege Escalation: Exploit Windows Vulnerabilities
• Windows kernel mode driver vulnerabilities
• Windows task scheduler vulnerabilities
• Vulnerabilities in Windows design
  • Windows user account control (UAC)
  • DLL search order
13. Internal Reconnaissance
Why
• Paint a picture of the IT infrastructure
  • Who are the administrators?
  • What steps get me closer to my target?
  • What type of services are running?
• Identify target and a path to the target
How
• ARP scanning
• NetBIOS enumeration
• Port scanning
• Credential stealing
14. Recon: Port Scanning
• Services use ports to communicate
  • HTTP = 80, DNS = 53, etc.
• Attacker scans the subnet to find exposed and exploitable services
16. Lateral Movement
Why
• Gain access to target machines
  • Domain controllers
  • OWA
• Persistence
How
• Use legitimate tools maliciously
  • Pass The Hash/Ticket
  • Shares
  • PSExec
  • RDP
  • SSH
  • PowerShell
  • SCCM
17. Lateral Movement: PsExec
Legitimate use
IT admin runs PsExec to run a process on a remote machine interactively
Malicious use
Attacker runs PsExec with stolen credential hashes to spread their malware through an entire network
18. Lateral Movement: PowerShell
Legitimate use
IT admin runs PowerShell to monitor firewall
Malicious use
Attacker runs PowerShell with encoded commands to spread malware
21. Persistence
Why
• Establish long term access
• Primary goal is often persistent access
How
• Scheduled tasks
• Autoruns
• Temp files
• Fileless malware
22. Damage
• FTP/SSH
• Email
• DNS
• Dropbox
• Pastebin
o Ransomware
o Corporate financials
o Credit card data
o System corruption
Business Profit Sabotage
23. Are you under attack?
24. Total Enterprise PROTECTION
25. A Layered Approach to Security
26. Thank you
Editor's Notes
This is known as the triangle of pain. At the bottom of the slide are the things which are easy to detect. Hashes are trivial to detect, and there are literally billions of them. IP addresses are a little harder, due to spoofing and the like; domains are a little harder still, since they can change quickly. Network artifacts like botnets and compromised servers are harder still, but there are still millions available in online marketplaces. And that’s where most solutions and threat intelligence services concentrate.
But there’s a second way to look at this. There’s the cost to the attacker. It costs nothing to recompile some malware and create a new hash. It costs a few dollars to buy a stolen credit card and buy a bunch of IP addresses or domains. It costs a few dollars to buy a compromised server to launch an attack from.
Attackers don’t have unlimited time and money though, so they re-use tools and TTPs many times over. There aren’t many of these. They’re tough to detect, but then again, they take a lot of investment from the attacker, so they have a much longer shelf life. That’s what Cybereason looks to detect. In this presentation we’ll look at some of these methods.
You’re probably familiar with this slide
Advanced attacks involve many steps after an initial infection
The challenge is to detect attack behaviors at all the steps and then be able to piece together all the components of the attack
No attack follows a perfect pattern/escalation – so having a linear attack lifecycle doesn’t make sense, but most attacks will leverage these steps at one point or another throughout the attack
In this presentation, I will walk through each stage in the attack lifecycle and give examples of what we see attackers doing to advance their attacks
First, before we even get to the attack lifecycle, an attacker will conduct external recon, which is essentially all the homework an attacker does before they begin their attack. They want to gather as much information about their target as possible in order to increase their chances of a successful attack. External recon can consist of research on:
People - A massive amount of information can be gathered through social engineering. That includes leveraging social networks like LinkedIn, Facebook, Twitter. One example of this is UserIDs. It’s human nature to use the same ID across multiple platforms. So, if you can figure out what someone’s userID is on one platform, that will likely translate across other platforms where you can gather even more intel.
Conferences – People love to talk. You can learn a lot of information by attending a conference and striking up a conversation with a representative of the target organization.
Help desk – If you get a little information, you can start getting a help desk to answer questions. Let’s say you have that UserID, you can call a help desk and ask a number of questions that can help you get an understanding of how things are set up there.
Technology – To better understand the technological lay of the land at the target, an attacker will do:
External Scans – These are constantly happening and can provide a lot of information about an organization’s IT infrastructure. For example, you can see the IP block that an organization uses, what different firewalls they have, what versions of operating systems they’re on, essentially everything that is exposed to the internet – and of course that’s highly valuable information to gather in order to plan your attack.
Buy information or tools – The easier way is to just buy the intel or tools – like a botnet to gain access to the intel that you want
Business Intel – Another layer to research is the business operations
Trusted relationships – An attacker will want to understand what suppliers this organization is working with
3rd party vendors – Think “Target breach” – attackers leveraged the HVAC vendor to gain access to POS devices and embed malware that stole credit card information. Knowing what 3rd party vendors an organization is using can provide an easy avenue for breaching into a network.
http://www.darkreading.com/attacks-breaches/why-social-media-sites-are-the-new-cyber-weapons-of-choice/a/d-id/1326802
Now that I (as the attacker) have done my homework and I know what’s out there, I’m ready to make my move!
So, how are attackers making this initial infection?
The most common way is through phishing and spear phishing. As much as you tell people to NOT click on the link, someone will always click on it. It’s human nature. You get an email from your boss that says “Urgent” with a link in it, you click on it…and boom – the attacker is in.
Another common technique is a vulnerability exploit – These are things like zero days, drive-by downloads, and taking advantage of anything not patched.
Infected USB drive – Who doesn’t want a free USB?! This one is classic - Attackers will load these up with malware, drop them out around the parking lot of their target organization, and inevitably someone will pick it up and put it in their machine. Like feeding candy to a baby…
Compromised credentials – There are a number of ways to compromise credentials – maybe an attacker is coming in from another compromised network and already holds compromised credentials. Remember what we said about how it’s human nature to reuse user IDs – it’s certainly human nature to reuse credentials as well. So an attacker can gain access with those stolen creds.
Once an attacker has made their way in, one of the first things that they often do is process injection. This is when an attacker will take a malicious process and inject it into a legitimate process.
For example: Let’s say that someone from inside the target organization clicks on an attachment in a phishing email. It opens an excel document where the malware is embedded, but the attacker wants to be (look like) he’s in a web browser so he can make an external connection that won’t send up red flags. So, he injects into a web browser through a vulnerability in Flash or IE or Firefox... This enables him to take over and access commands and run as legitimate web browser traffic. At that point, the attacker is in.
One benefit of using this technique is that it’s challenging to detect because the attacker is running within a legitimate process. For example, let’s say the attacker injects into Internet Explorer and starts making web calls...that’s pretty normal behavior. But, if he starts making web calls from Excel, that’s weird and more likely to get detected.
Process injection is a good way to make the initial breach AND gain persistence. In particular, attackers inject into processes on servers that rarely get rebooted – e.g. Domain Controllers. Some of the hacks on Russian banks used this technique.
According to the Cybereason response team, about 60% of successful attacks use “fileless” malware - where the malware exists only in memory, and never gets written to disk as a file. These attacks are undetectable by antivirus solutions, and many can easily avoid “next gen AV” tools. Fileless malware exploits vulnerable applications or uses legitimate administrative tools like PowerShell and WMI to propagate.
Detecting fileless malware requires deep visibility and complex analytics.
Now that the attacker is in, he needs to set up command and control.
WHY
Making and maintaining this connection enables the attacker to:
Execute commands on the compromised systems
Update malware if/when it needs to be updated – attackers may tweak their malware in the middle of an attack and need to push out an update to the compromised machines
Send information – As data and info is collected in a compromised machine, it must be sent back to the attacker through this connection
Provide heartbeat –it’s critical for an attacker to ensure that their connection is always up and running
HOW
Establishing this connection can be done through a number of techniques including:
Legitimate HTTP – many companies still allow unfiltered access over known ports
WannaCry: A great example is the first version of WannaCry which included a static domain responsible for keeping WannaCry propagating and spreading. By registering and blocking that domain, organizations had a “kill switch” to block the ransomware.
DNS tunneling – In DNS tunneling, command and control instructions get sent and received disguised as DNS queries via compromised DNS servers out on the Internet
Fast Flux – With Fast Flux, many IP addresses get associated with a single DNS domain, and swapped around at a high frequency, making it difficult to identify and blacklist IP addresses.
TOR – TOR, or “The Onion Router”, is software designed for anonymous communication, designed to evade typical network controls. Although designed to protect the anonymity of people like political dissidents in authoritarian regimes, it’s often used by attackers as a way to communicate with compromised hosts.
IRC – Internet Relay Chat (IRC) is a client/server networking model that facilitates. Attackers often use IRC networks because they’re simple and require low bandwidth, making them widely used to host botnets
Social media – interactions with social networking sites can easily be automated and security teams are unlikely to spot offending traffic in the massive quantities of other social media sessions
Domain Generation Algorithm – Let’s dig into that more on the next slide
Before we get into how DGA works, back when malware first came out, attackers would establish C&C by including a connection to a specific IP address. As the malware was ripped apart, security teams would identify the connection and add the IP to a blacklist.
Now, malware authors have changed their approach. Instead of connecting to just one IP address that will inevitably get blocked, they create thousands of connections – and just one of them will be the C&C.
They create a ton of random DNS names. But then security teams caught on and said “Ok, any connection to a DNS name that isn’t an English name is bad.”
Attackers then started to concatenate multiple English words together. These guys are smart – so they even took it another step and decided to salt the algorithm a little bit.
One way to do this is to add the trending topic on Twitter. Now, you don’t know what I’m going to ask for tomorrow until tomorrow happens.
Even if/when their domain is blacklisted, the attacker can simply choose another generated domain, register it, and continue their attack.
In that way, DGA is a persistence mechanism to ensure the attacker maintains a connection to the compromised systems.
From the security analyst’s point of view, if they look at this from the:
Network perspective: They’re going to see all the DNS requests, but not know what process made the request. But if they look at if from the…
Endpoint Perspective: They will be able to see what process is making these connections
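The detection side of the DGA discussion above, as an added example that is not from the talk or from Cybereason: each queried domain's registrable label is scored (random-looking names by entropy and vowel ratio, word-concatenation names by dictionary segmentation) and the results are grouped by the querying process, which is the endpoint view the notes describe. The telemetry layout, the thresholds and the small wordlist are constructed assumptions.

```python
"""Scoring DNS queries for DGA-like names, grouped by the querying process.

Added example, not from the talk or Cybereason. The telemetry format,
thresholds and wordlist below are constructed for the demo.
"""
import math
from collections import Counter, defaultdict

# Constructed endpoint DNS telemetry: (process name, queried domain).
SAMPLE_QUERIES = [
    ("chrome.exe", "www.google.com"),
    ("chrome.exe", "cdn.example.net"),
    ("outlook.exe", "outlook.office365.com"),
    ("svchost.exe", "x7f3k9qz2m.info"),
    ("svchost.exe", "pq0w8ebn4lz1.biz"),
    ("svchost.exe", "k2n9sd7fuv3p.org"),
    ("excel.exe", "rainbowtablekitten.com"),     # word-concatenation style
    ("excel.exe", "greenhousepencil.net"),
]

# Small constructed dictionary; a real detector would load a large wordlist.
WORDLIST = {"rain", "rainbow", "bow", "table", "kitten", "green", "house",
            "pencil", "google", "example", "outlook", "office", "update"}

VOWELS = set("aeiou")


def registrable_label(domain):
    """Return the label left of the TLD (naive: assumes a single-label TLD)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    n = len(text)
    counts = Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Random-looking DGA labels: long, high entropy, almost no vowels."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.25


def segments_into_words(label, words=WORDLIST):
    """True if the whole label splits into dictionary words (DP over prefixes)."""
    ok = [True] + [False] * len(label)
    for end in range(1, len(label) + 1):
        for start in range(end):
            if ok[start] and label[start:end] in words:
                ok[end] = True
                break
    return ok[len(label)]


def classify_label(label):
    """'random', 'word-concat' or 'benign' for a single registrable label."""
    if looks_random(label):
        return "random"
    if len(label) >= 12 and segments_into_words(label):
        return "word-concat"
    return "benign"


def suspicious_processes(queries, threshold=2):
    """Endpoint view: processes that queried >= threshold DGA-like domains.

    Returns {process: [(domain, verdict), ...]} for the flagged processes;
    a network-only view would see the same names but not the process.
    """
    hits = defaultdict(list)
    for process, domain in queries:
        verdict = classify_label(registrable_label(domain))
        if verdict != "benign":
            hits[process].append((domain, verdict))
    return {p: h for p, h in hits.items() if len(h) >= threshold}


if __name__ == "__main__":
    for process, hits in suspicious_processes(SAMPLE_QUERIES).items():
        print(process)
        for domain, verdict in hits:
            print(f"  {domain:28} {verdict}")
```

Word-concatenation names are only a weak signal on their own, which is why the process-level threshold, not the single verdict, drives the alert.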
Once the communications channel is established, the C&C server will instruct the malware on how to achieve next steps like escalating privileges…
WHY - Privileged accounts enable an attacker to more quickly and easily navigate a network to reach their ultimate target and have the access required to execute their mission (e.g. exfil sensitive data, access to shut down systems, etc)
With privileged access, an attacker has better persistence
Priv access also enables the attacker to access to system processes and run specific tools that must be run as admin/root. This can enable them to dump credentials and impersonate authorized users.
In addition, privileges enable an attacker to more easily operate under the radar of many security tools
HOW -
Exploit vulnerabilities: The most common way that attackers elevate privileges is to identify and exploit a common vulnerability.
Command line vulnerability – If a user has too many rights, an attacker can use the command line to reveal information that they shouldn’t be able to see. An attacker can then gain access to root or run an exploit to retrieve additional credentials in the network.
Process injection – If an attacker knows a vulnerability in an application, he will inject malicious code into the applications process to leverage the vulnerability and elevate his privileges.
In addition, if the right policies aren’t set, an attacker can elevate their privileges by leveraging improper configurations
An attacker can easily gain admin access in an organization where all users have local admin rights on their machines. And – if a domain admin has ever logged into that machine, the attacker can very easily own the entire network.
If lockout policies are not properly set, an attacker can brute force into a machine and elevate privileges.
Rootkits – deceive the user; replace the OS with malware
Windows has a number of vulnerabilities that attackers take advantage of to elevate privileges.
These include:
Kernel Mode Driver vulnerabilities – One example is when the Windows kernel-mode driver (win32k.sys or other sys files) improperly handles objects in memory
Windows Task Scheduler – One known vulnerability is the way Task Scheduler conducts integrity checks to validate that tasks run with the intended user privileges
An attacker can exploit either of these vulnerabilities by running a specially crafted application on an affected system.
Windows Design – there are a number of inherent vulnerabilities in the way Windows is designed
UAC – There are many methods to bypass UAC. UAC is designed to enable a program to elevate its privileges to perform a task under administrator-level permissions. Attackers abuse this by injecting malicious software into a trusted process to gain elevated privileges. And they often elevate privileges this way without even notifying the user - if the UAC protection level is set to anything but the highest level, certain programs can elevate privileges without prompting the user through the UAC notification box.
DLL search – Attackers take advantage of the Windows DLL search order to modify or replace an existing DLL with a malicious DLL. One example is DLL preloading (also called binary planting attacks) which is when an attacker places a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. If a search order-vulnerable program is configured to run at a higher privilege level (such as any DLL running in kernel), then the malicious DLL that is loaded will also be executed at the higher level granting the attacker elevated privileges.
One exploit is Hot Potato (MS16-075), which takes advantage of a number of known issues with NTLM relay (HTTP->SMB relay) and NBNS spoofing. By exploiting these Windows design “features”, an attacker can elevate his privileges from an unprivileged user to NT AUTHORITY\SYSTEM.
Hot potato: https://github.com/foxglovesec/Potato
https://pentestlab.blog/2017/04/24/windows-kernel-exploits/
WHY - At multiple points along the attack lifecycle, the attacker will conduct reconnaissance to understand where they are in the network and what other systems may be within reach. Recon enables an attacker to answer questions that he may have about the network/IT infrastructure
Admins? I want access to those accounts to advance my attack
Steps? Where do I go next?
Services? Maybe I can exploit one of those to advance my attack
Recon also enables the attacker to identify their target machines (or at least what machines are likely to hold the information/data they are after.) and helps them identify the path to get to those target machines.
HOW - There are a number of ways that attackers can conduct recon including:
Look at different ARP tables - The Address Resolution Protocol (ARP) is a telecommunication protocol used for resolution of network layer addresses into link layer addresses. ARP is used to convert an IP address to a physical address such as an Ethernet address (also known as a MAC address)
NetBIOS enumeration – With NetBIOS enumeration, especially in Windows networks, you can use in-built operating system functions to understand what resources are available on a given network. This can contain very useful information like machine names or open shares.
Port Scanning & Credential Stealing – I’ll explain more on those on the next couple slides…
Port scanning is one method to conduct recon
Services use ports to communicate (HTTP = 80, or DNS = 53 which is good because it’s usually always open)
Once an attacker has established a foothold on a computer, he will scan the subnet to find exposed and exploitable services on other computers and platforms.
The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK
In the past this was used indiscriminately to discover potentially vulnerable services, but that is a very noisy way to communicate. These days it’s more about understanding the machines around you so you know which tools you can use to move laterally, e.g. looking for open https servers, DNS servers, PSExec, NetBIOS ports. So you’ll see more targeted port scanning, selectively testing ports associated with legitimate tools.
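The notes above describe both the broad subnet sweep and the more targeted probing of ports behind legitimate tools. The following is an added example, not code from the talk, that flags both patterns in connection summaries: a vertical alert when one source probes many ports on one host, and a horizontal alert when one source probes one port across many hosts, marking whether that port belongs to the lateral-movement tooling the talk lists. The log format, state semantics, thresholds and sample lines are constructed assumptions.

```python
"""Flagging vertical and horizontal TCP port scans in connection summaries.

Added example, not code from the talk. The log format is constructed:
'<epoch> <src> <dst> <dport> <state>'. State names borrow Zeek's conn.log
vocabulary, with the meanings assumed here:
  S0    SYN sent, never answered
  REJ   SYN answered with RST (closed port)
  RSTO  SYN, SYN-ACK, then the originator reset (open port, handshake aborted)
  SF    full connection that closed normally
"""
from collections import defaultdict

PROBE_STATES = {"S0", "REJ", "RSTO"}          # half-open or refused: probe-like
# Ports behind the lateral-movement tools the talk lists: SMB/PsExec, RDP, SSH, NetBIOS.
LATERAL_PORTS = {445, 3389, 22, 139}

# Constructed sample: a 10-port sweep of one host from 10.0.0.5, a targeted
# port-445 sweep of eight hosts from 10.0.0.7, and normal traffic plus one
# refused connection from 10.0.0.8.
SAMPLE_LOG = "\n".join(
    [f"1510300000.{i:02d} 10.0.0.5 10.0.0.20 {p} {'RSTO' if p in (22, 80, 445) else 'REJ'}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])]
    + [f"1510300010.{i:02d} 10.0.0.7 10.0.0.{30 + i} 445 RSTO" for i in range(8)]
    + ["1510300020.00 10.0.0.8 10.0.0.20 443 SF",
       "1510300021.00 10.0.0.8 10.0.0.20 443 SF",
       "1510300022.00 10.0.0.8 10.0.0.21 445 REJ"]
)


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, dport, state)."""
    ts, src, dst, dport, state = line.split()
    return float(ts), src, dst, int(dport), state


def _record(alerts, key, count, **extra):
    """Keep the largest count seen for a (kind, src, target) alert key."""
    kind, src, target = key
    if key not in alerts or alerts[key]["count"] < count:
        alerts[key] = {"kind": kind, "src": src, "target": target, "count": count, **extra}


def detect_scans(log_text, window=60.0, min_ports=8, min_hosts=5):
    """Return alerts for sources whose probe-like connections, within any
    `window`-second span, touch >= min_ports ports on one host (vertical)
    or one port on >= min_hosts hosts (horizontal)."""
    probes = defaultdict(list)                   # src -> [(ts, dst, dport)]
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, state = parse_line(line)
        if state in PROBE_STATES:                # completed sessions are not probes
            probes[src].append((ts, dst, dport))

    alerts = {}                                  # keyed so overlapping windows de-duplicate
    for src, events in probes.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - t0 <= window]
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for _, dst, dport in span:
                ports_by_host[dst].add(dport)
                hosts_by_port[dport].add(dst)
            for dst, ports in ports_by_host.items():
                if len(ports) >= min_ports:
                    _record(alerts, ("vertical", src, dst), len(ports))
            for dport, hosts in hosts_by_port.items():
                if len(hosts) >= min_hosts:
                    _record(alerts, ("horizontal", src, dport), len(hosts),
                            lateral_port=dport in LATERAL_PORTS)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

A single refused connection (the last sample line) stays below both thresholds, which is the difference between a failed session and a scan.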
Credential theft is another way that an attacker will conduct recon and plan for his next steps. Some ways that an attacker will steal credentials include:
Mimikatz – open-source tool that extracts Windows credentials and is used in a number of attack techniques like pass the hash, pass the ticket, and golden ticket
WCE is an older but still functional tool designed for system administrators to make password management a bit easier. But of course attackers and pentesters can use this tool, too.
Lazagne - The LaZagne project is an open source password recovery tool used to retrieve passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases and so on). This tool has been developed for the purpose of finding these passwords for the most commonly-used software
With stolen credentials, an attacker is ready to move laterally and/or escalate privileges to continue his attack
http://www.blackhillsinfosec.com/?p=4667
WHY –
Attackers will conduct lateral movement for a number of reasons. Later in the attack lifecycle, they may be moving to gain access to their target machine. A common target in advanced attacks is a domain controller - As soon as an attacker accesses a DC, they can easily own the entire domain.
Another common purpose for lateral movement is to gain persistence. With access through multiple accounts/machines, if one is shut down, the attacker can easily pivot to another to continue his attack.
HOW
So, once the attacker knows where he wants to go, he’ll make his move – often by using legitimate tools in order to stay under the radar of the security team.
And, because these tools are legitimate, as a security analyst you can’t prevent them from running. But that doesn’t mean you can’t detect lateral movement. What you want to pay attention to is why the tool is run and where it’s run from.
Think of it like a shovel which is a legitimate gardening tool. If Bob is using that shovel to dig a hole and plant a tree, that’s a valid use of the tool. BUT if Bob is standing behind Billy and it looks like he’s going to hit him over the head with that shovel, as a security analyst I can say, “that’s a malicious use of the shovel – and something I’d want to stop”.
PsExec is a good example:
Let’s first look at the legitimate use of PsExec –
Remote tool
It’s really common behavior for IT admins to run PsExec and execute commands on remote systems (e.g. to do installations/updates on servers)
Now let’s look at a malicious use of PsExec –
1) An attacker will glean administrator credentials from an earlier attack stage (e.g. Mimikatz, WCE)
2) The attacker will then use those credentials with PsExec for remote execution of code.
Examples:
Open up an interactive command shell for direct interaction with the remote system
Create a scheduled task on the remote machine for persistence or tool acquisition
Proliferate malware
etc.
PowerShell is another legitimate tool that attackers are leveraging
IT admins legitimately use PowerShell all of the time
IT admins will write scripts, commonly using PowerShell, to automate routine maintenance and monitoring
The malicious use of PowerShell is also occurring at an increasing rate
Attackers use PowerShell because it’s typically difficult to detect what they’re doing within PowerShell – it helps them look legitimate
They may run PowerShell with the intent of downloading and executing malware, moving laterally, or various other post-exploitation activities, but there are a few ways to tell the difference from the legitimate use and the malicious use:
One is where it’s running from: if you see PowerShell running from a parent process of Microsoft Office, that’s not normal.
Another thing to monitor is the network connections originating from PowerShell – you may be able to identify a malicious use of PowerShell if you see it making connections to a suspicious IP.
The other thing to look at is encoded commands – a normal IT admin will not usually use encoded commands. Attackers often will, because it’s a way to avoid AV and other prevention tools.
So if you see a bunch of encoded commands, that’s an indication that there’s something strange happening – so again, looking at the how, why, and where these legitimate tools are being used can enable you to detect an attacker at this stage.
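The three PowerShell tells above (Office parent, external network connection, encoded command) turned into detection logic and run over a handful of constructed process-creation and network-connection records in a Sysmon-like shape. This is an added example, not code from the talk or from Cybereason; the Office process list, the internal address ranges and the sample records are assumptions made for the example.

```python
import base64
import ipaddress
import re

# Assumption: these are the Office parents worth flagging; extend as needed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: the organisation's internal ranges; anything else is "suspicious".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# PowerShell accepts unambiguous prefixes of -EncodedCommand; match the common forms.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE script text; decode it for the analyst."""
    return base64.b64decode(b64).decode("utf-16le", errors="replace")

def analyze(events):
    """Return (pid, reason) findings for PowerShell processes only."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        if ev["event_id"] == 1:  # process creation
            parent = basename(ev["parent_image"])
            if parent in OFFICE_PARENTS:
                findings.append((ev["pid"], f"PowerShell spawned by Office process {parent}"))
            m = ENCODED_FLAG.search(ev["command_line"])
            if m:
                findings.append((ev["pid"], "encoded command: " + decode_encoded_command(m.group(1))))
        elif ev["event_id"] == 3:  # network connection
            ip = ipaddress.ip_address(ev["dest_ip"])
            if not any(ip in net for net in INTERNAL_NETS):
                findings.append((ev["pid"], f"PowerShell connected to external address {ip}:{ev['dest_port']}"))
    return findings

# Constructed sample records (field names mirror Sysmon event 1 and event 3).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode("Get-Date".encode("utf-16le")).decode()  # harmless encoded script
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": PS, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"event_id": 1, "pid": 5300, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"event_id": 3, "pid": 4120, "image": PS, "dest_ip": "203.0.113.5", "dest_port": 443},
    {"event_id": 3, "pid": 5300, "image": PS, "dest_ip": "10.0.0.25", "dest_port": 445},
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the Office-spawned, encoded, externally connecting process (pid 4120) is reported; the admin's backup script is left alone.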
Another everyday, legitimate protocol that attackers exploit is Kerberos
Built into the Windows infrastructure, Kerberos authentication is happening behind the scenes every single day.
It looks complicated but it’s really simple:
A user authenticates at the beginning of the day by requesting a ticket from the Key Distribution Center (KDC)/Domain Controller (DC).
The KDC confirms that you are who you say you are, and sends you back a Ticket Granting Ticket (TGT)
Then, when the user wants to access other systems, or in this case an application server, he must request a Ticket Granting Service (TGS)
So, the user’s TGT (the user’s proof that he is who he says he is) is sent back to the KDC/DC, and the KDC generates a Ticket Granting Service (TGS) ticket which enables the user to access the application server
That’s the legitimate use, but attackers are exploiting Kerberos with pass-the-hash and pass-the-ticket attacks…
What the attacker is doing is stealing the user’s Ticket Granting Ticket (TGT)
In Kerberos, this isn’t the user’s password, but it essentially acts as the user’s password for as long as it’s valid (typically 8 to 10 hours)
So, with the stolen ticket, the attacker can request access to the application server by presenting the stolen TGT to the DC. Because that TGT appears to be legitimate, the DC will generate a TGS for the attacker and grant him access to the application server.
In these attacks, the attacker only has the ticket (or the hash, in PtH) – they don’t even need a credential in order to gain access to any system the user has access to, and they fly under the radar.
Detection of this is interesting:
Prevention won’t stop these types of attacks, but with good detection, you can spot them.
What you’re looking for (as the security analyst) is for anyone who has logged into a system without passing a UserID and password. You can see this by looking at API calls and logs that show that information.
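A toy model of the two exchanges described above, added here as an example (not from the talk or from Cybereason), to show why the DC cannot tell a stolen TGT from a legitimate one and where a detection hook fits. It assumes HMAC-sealed tickets as a stand-in for real Kerberos encryption, omits the session key, uses constructed keys and hosts, and treats "service ticket requested from a host that never authenticated that user" as a simplified version of the "logon without a credential" check the text describes.

```python
import hashlib
import hmac
import json

# All keys, users and hosts are constructed for this example.
KRBTGT_KEY = b"constructed-krbtgt-key"
SERVICE_KEYS = {"appserver": b"constructed-appserver-key"}
USER_SECRETS = {"alice": b"constructed-alice-secret"}
TGT_LIFETIME = 10 * 3600      # seconds; TGTs are typically valid 8 to 10 hours
KDC_LOG = []                  # (exchange, user, requesting_host), as a DC audit trail would record

def _seal(key, payload):
    # Stand-in for encryption under a KDC/service key: body plus MAC, so only the
    # key holder can mint or alter a ticket. The session key is omitted for brevity.
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def _open(key, ticket):
    body, mac = ticket.rsplit(b"|", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("ticket integrity check failed")
    return json.loads(body)

def as_exchange(user, secret, host, now):
    """AS exchange: the only step that checks the user's secret. Returns a TGT."""
    if USER_SECRETS.get(user) != secret:
        raise PermissionError("pre-authentication failed")
    KDC_LOG.append(("AS", user, host))
    return _seal(KRBTGT_KEY, {"user": user, "expires": now + TGT_LIFETIME})

def tgs_exchange(tgt, service, host, now):
    """TGS exchange: the KDC validates the TGT itself, not whoever is holding it."""
    t = _open(KRBTGT_KEY, tgt)
    if now > t["expires"]:
        raise PermissionError("TGT expired")
    KDC_LOG.append(("TGS", t["user"], host))
    return _seal(SERVICE_KEYS[service], {"user": t["user"], "service": service, "expires": now + 3600})

def tgs_without_as(log):
    """Detection hook (simplified): service-ticket requests from a (user, host) pair
    that never performed an AS exchange, i.e. a logon the KDC never saw a credential for."""
    authenticated = {(u, h) for kind, u, h in log if kind == "AS"}
    return sorted({(u, h) for kind, u, h in log if kind == "TGS" and (u, h) not in authenticated})

def demo():
    KDC_LOG.clear()
    t0 = 1_700_000_000
    tgt = as_exchange("alice", b"constructed-alice-secret", "alice-pc", t0)
    tgs_exchange(tgt, "appserver", "alice-pc", t0 + 600)         # normal use from alice's own host
    tgs_exchange(tgt, "appserver", "other-host", t0 + 3600)      # same bytes from another host: accepted
    try:
        tgs_exchange(tgt, "appserver", "other-host", t0 + 11 * 3600)
        expired = False
    except PermissionError:
        expired = True                                           # lifetime is the only limit the KDC enforces
    return tgs_without_as(KDC_LOG), expired
```

Running demo() shows the KDC accepting the reused ticket from the second host until it expires, while the log-based check singles out the (alice, other-host) pair.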
WHY
Throughout the attack lifecycle, an attacker will maintain presence on the system to ensure he always has access - no matter what happens (e.g. system restarts, credentials are lost, remote access tool fails/restarts). It’s important for an attacker to open as many doors as possible to ensure that if one is shut, or leads to nothing, they still have a foothold and another avenue to advance their attack.
Persistence is also a common initial goal of an attack. Once that’s established, the secondary goal (damage of some sort) will be determined – but it rarely happens overnight. Advanced attacks occur over many months/years, so establishing persistence is critical to an attack’s success.
Some ways that attackers are maintaining persistence include:
Scheduled tasks – Windows Task Scheduler and other utilities can be used to schedule programs or scripts to be executed at a specified date and time. An adversary will use this to execute programs at the system startup or on a regular basis to maintain persistence. This way, anytime the system reboots, it will also reboot the malware/attackers’ access to the compromised system.
Autoruns – Similarly, it’s very common for attackers/malware authors to configure their malware to run during system bootup or logon to maintain persistence.
Temp files – Temp files are often used in conjunction with “just-in-time” compiling techniques. The payload is in a temp file, and then the system compiles the data in the temp file “on the fly” to create a process that only exists in memory, thus evading any scanners. Plus, whatever it creates has a unique hash since it’s compiled for one time use.
Fileless malware – Fileless malware keeps the malware infection concealed while it triggers the intended actions
Multiple ways to cause damage:
Business
Many advanced attackers will cause their damage by exfiltrating sensitive data like intellectual property (IP), personally identifiable information (PII), etc.
Profit
Instead of stealing information, some attackers go directly for money by quickly getting in, encrypting data, and holding it hostage for a price
Some attackers will steal financial information (earnings reports) before they’re publicly available and conduct insider trading based on the stolen information
Another method for profit is to steal credit card information for reuse or for sale
Sabotage
Other attackers seek to cause damage – sometimes we see this in industrial controls
Attackers have been known to use self-propagating wipers (e.g. Shamoon) to disable any and all machines that they reach
Another method is to replace firmware to corrupt systems
http://www.itworld.com/article/2861675/cyberattack-on-german-steel-factory-causes-massive-damage.html
As you’ve seen in this presentation, there are many steps and moves that attackers make in order to carry out their mission.
One of the best ways to defend is to conduct behavioral analysis to identify what attackers are doing, if and when they’re exploiting vulnerabilities, how and when they’re using legitimate tools, etc.
Your IT environment is so big and complex that the number of events happening in split seconds is endless (you can’t get there by having analysts ask questions).
Invented our own tech from scratch: a graph database plus graph processing that is dynamic and real-time. Bigger and stronger than any technology out there.
Central to that question is detection, because you can’t protect against what you can’t detect. You can’t block it, you can’t prevent it, you can’t investigate, you can’t respond. And we detect better than anyone else.
Cybereason pitch / what we do here / how what you just saw relates to how we prevent attacks