Suche senden
Hochladen
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
•
0 gefällt mir
•
257 views
RootedCON
Folgen
RootedCON https://www.rootedcon.com Marzo/March 5-7 2020 Madrid (Spain)
Weniger lesen
Mehr lesen
Technologie
Melden
Teilen
Melden
Teilen
1 von 33
Jetzt herunterladen
Downloaden Sie, um offline zu lesen
Empfohlen
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Nahidul Kibria
Assume Compromise
Assume Compromise
Zach Grace
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
Securing Hadoop with OSSEC
Securing Hadoop with OSSEC
Vic Hargrave
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
Empfohlen
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Nahidul Kibria
Assume Compromise
Assume Compromise
Zach Grace
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
Securing Hadoop with OSSEC
Securing Hadoop with OSSEC
Vic Hargrave
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
Automating Malware Analysis
Automating Malware Analysis
securityxploded
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
HackIT Ukraine
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat Security Conference
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
Positive Hack Days
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
CODE BLUE
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
Bipin Upadhyay
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
Mayank Gaikwad
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
Guglielmo Scaiola
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
1000 to 0
1000 to 0
Sunny Neo
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
A Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
Linux Virus
Linux Virus
Akhil Kadangode
Oh... that's ransomware and... look behind you a three-headed Monkey
Oh... that's ransomware and... look behind you a three-headed Monkey
Stefano Maccaglia
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System Hack
Dan Gunter
Weitere ähnliche Inhalte
Was ist angesagt?
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
Automating Malware Analysis
Automating Malware Analysis
securityxploded
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
HackIT Ukraine
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat Security Conference
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
Positive Hack Days
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
CODE BLUE
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
Bipin Upadhyay
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
Mayank Gaikwad
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
Guglielmo Scaiola
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
1000 to 0
1000 to 0
Sunny Neo
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
A Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
Linux Virus
Linux Virus
Akhil Kadangode
Was ist angesagt?
(20)
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
Automating Malware Analysis
Automating Malware Analysis
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
1000 to 0
1000 to 0
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
A Threat Hunter Himself
A Threat Hunter Himself
Linux Virus
Linux Virus
Ähnlich wie Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Oh... that's ransomware and... look behind you a three-headed Monkey
Oh... that's ransomware and... look behind you a three-headed Monkey
Stefano Maccaglia
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System Hack
Dan Gunter
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
CODE BLUE
Insecure magazine - 52
Insecure magazine - 52
Felipe Prado
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
APNIC
Making Threat Management More Manageable
Making Threat Management More Manageable
IBM Security
Insert coin to continue - Ransomware in the gaming industry.pdf
Insert coin to continue - Ransomware in the gaming industry.pdf
Stefano Maccaglia
Security Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
TzahiArabov
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
Muhammad FAHAD
Domain 4 of CEH V11: Network and Perimeter Hacking
Domain 4 of CEH V11: Network and Perimeter Hacking
ShivamSharma909
CEH Domain 4.pdf
CEH Domain 4.pdf
infosec train
CTI Report
CTI Report
Alex Deac
Nuts & Bolts of the Dynamic Attack Chain
Nuts & Bolts of the Dynamic Attack Chain
IBM Security
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
Simone Onofri
From SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
EMC
RIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdf
RifDhy22
DarkWeb
DarkWeb
Prof John Walker FRSA Purveyor Dark Intelligence
Advanced Threats In The Enterprise
Advanced Threats In The Enterprise
Priyanka Aash
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Stefano Maccaglia
Ähnlich wie Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
(20)
Oh... that's ransomware and... look behind you a three-headed Monkey
Oh... that's ransomware and... look behind you a three-headed Monkey
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System Hack
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
Insecure magazine - 52
Insecure magazine - 52
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Making Threat Management More Manageable
Making Threat Management More Manageable
Insert coin to continue - Ransomware in the gaming industry.pdf
Insert coin to continue - Ransomware in the gaming industry.pdf
Security Operation Center Fundamental
Security Operation Center Fundamental
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
Domain 4 of CEH V11: Network and Perimeter Hacking
Domain 4 of CEH V11: Network and Perimeter Hacking
CEH Domain 4.pdf
CEH Domain 4.pdf
CTI Report
CTI Report
Nuts & Bolts of the Dynamic Attack Chain
Nuts & Bolts of the Dynamic Attack Chain
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
From SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
RIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdf
DarkWeb
DarkWeb
Advanced Threats In The Enterprise
Advanced Threats In The Enterprise
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Mehr von RootedCON
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
RootedCON
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
RootedCON
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
RootedCON
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
RootedCON
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
RootedCON
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
RootedCON
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
RootedCON
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
RootedCON
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
RootedCON
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
RootedCON
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
RootedCON
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
RootedCON
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
RootedCON
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
RootedCON
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
RootedCON
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
RootedCON
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
RootedCON
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
RootedCON
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
RootedCON
Mehr von RootedCON
(20)
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Kürzlich hochgeladen
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Maria Levchenko
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
Evaluating the top large language models.pdf
Evaluating the top large language models.pdf
ChristopherTHyatt
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Antenna Manufacturer Coco
Kürzlich hochgeladen
(20)
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
Evaluating the top large language models.pdf
Evaluating the top large language models.pdf
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
1.
1 ©2019 RSA
Security, LLC., a Dell Technologies business THE ENEMY OF MY ENEMY IS NOT MY FRIEND… Stefano Maccaglia Senior Principal Consultant A tale of computer thievery
2.
2 ©2019 RSA
Security, LLC., a Dell Technologies business I am a Senior Principal Consultant for Incident Response and a leading figure of the RSA IR Team. I begun my ICT career in 1997 in Digital Corp, but I started to crack software in 1985 with a Commodore C64… I decided to get out of the cracking scene in 2000 and for about three years I remained focused on Networking and System administration… until Nimda and Blaster came out and testing network and system security became an interesting career… I worked on the testing and offensive side until 2009 when I jumped into the IR bandwagon. Since then I got busy with engagement around the world… covering investigation in banks, military, governments and telco companies. WHO AM I
3.
3 ©2019 RSA
Security, LLC., a Dell Technologies business THE RSA INCIDENT RESPONSE TEAM APT Criminal Activity Internal Threats Commodity Malware Loss of Intellectual Property or PII/PHI Non-Disclosure Agreements require that RSA not release information regarding our customers, but the following demonstrates a sampling of our clients and associated verticals: Fortune 50, 100 and 500 companies Financial Institutions Utility Companies Government Agencies Law Firms Global Practice responsible for Reactive Incident Response, Proactive Incident Discovery, general IR expertise, support, and enablement services. We are specialized in these types of incident:
4.
4 ©2019 RSA
Security, LLC., a Dell Technologies business OUR APPROACH TO INVESTIGATIONS In time, we have organized our investigation process developing a methodology organized in parallel streams involving host forensics and malware analysis upon all suspicious artifacts. In addition, thanks to our network forensics solution, we can deeply analyze the traffic and trace any suspicious or malicious communication by dissecting the payloads with direct observation or through rules and IOCs that we can input in it. Network visibility System visibility Malware visibility Network, system and log indicators. Classification and attribution. Incident surface. Triage planned from a tailored set of strategic actions.
5.
5 ©2019 RSA
Security, LLC., a Dell Technologies business©2019 RSA Security, LLC., a Dell Technologies business THE ENEMY OF MY ENEMY IS HERE! LET’S BEGIN…
6.
6 ©2019 RSA
Security, LLC., a Dell Technologies business Advanced actors are extremely active in Middle East and their operations often go unnoticed. The area is becoming more and more attractive for both locals and foreign attackers. In our case, a Government Agency requested assistance once her staff discovered an internal system storing a significant set of sensible data stolen from protected servers. RSA provided onsite support to the Customer starting on October 8, 2018. The Customer presented evidences of a system compromise dated back to August 2018. During the initial call, we verified the presence of our gear on the environment because, while we can run an investigation without it, the presence of our technologies speed up the process consistently. In this case, NWP and NWE were already installed, but were not configured to achieve an optimal visibility, especially for the endpoints. IN ITIA L STATU S THE CASE
7.
7 ©2019 RSA
Security, LLC., a Dell Technologies business
8.
8 ©2019 RSA
Security, LLC., a Dell Technologies business
9.
9 ©2019 RSA
Security, LLC., a Dell Technologies business
10.
10 ©2019 RSA
Security, LLC., a Dell Technologies business
11.
11 ©2019 RSA
Security, LLC., a Dell Technologies business
12.
12 ©2019 RSA
Security, LLC., a Dell Technologies business Once we got the opportunity to review the system, we identified a handful of interesting events… K EY SYSTEM: A SFOU R INVESTIGATION Somebody does not like logs… Somebody likes network shares… Unfortunately no records of December 2017 actions were available as the NWE agent was installed only on January 2018
13.
13 ©2019 RSA
Security, LLC., a Dell Technologies business C O N F I D E N T I A L ASFOUR is a desktop belonging to a System Administrator and allowed to access the Agency Data Center Servers. Reviewing logs, IOCs and Tracking data via NWE, we highlighted a number of sessions and IP addresses used by the adversary to access this System. Thanks to the review of network traffic and logs we were able to track the host that was used as bridgehead to the environment: the host HAKIMI. The owner of the system (a laptop), a lead developer, was moving back and forth from the environment. NWE was installed on January 2018 on this host, so we missed the chance to directly track the initial infection. But, the persistence mechanism of the second stage was generating some alerts (IIOCs) on NWE server and we were able to dig quickly into this. K EY SYSTEM: A SFOU R INVESTIGATION
14.
14 ©2019 RSA
Security, LLC., a Dell Technologies business PATIENT ZERO %APPDATA%LocalMicrosoftMedia NvidiaUpdate upd.vbs dn.ps1 Instant IOC (IIOC) The host presented these files: Once executed upd.vbs as a task is camouflaged under the name: It drops the file dn.ps1 in:
15.
15 ©2019 RSA
Security, LLC., a Dell Technologies business The macro executes upd.vbs which, once started, attempts to download a file (dn.ps1) from its hardcoded C2 The file requested from upd.vbs is dn.ps1 4 Dropzone 83.142.230.138 When the xls file is executed and macros are enabled, the victim is presented with a decoy document. 2 upd.vbs dn.ps1 is downloaded and processed by the victim completing the first stage of the infection 5 dn.ps1 Victim The attachment is a decoy document with a macro that injects upd.vbs 1 3 The attack started with a spear phish email sent to a number of internal users (5). RSA was able to collect the malicious attachment, but not the original email. Nevertheless, the infection mechanism is illustrated below: INITIAL INFECTION OILR IG IN FEC TION
16.
16 ©2019 RSA
Security, LLC., a Dell Technologies business C2 Once activated, dn.ps1 creates a task to run upd.vbs recursively and uses DNS to communicate with the C2 (using hardcoded domains). dn.ps1 Victim 6 INITIAL INFECTION OILR IG IN FEC TION The attacker can now interact with the victim via DNS messages. 7 The executed command to create the task will be: schtasks enables an administrator to create, delete, query, change, run and end scheduled tasks on a local or remote system. schtasks /create /F /sc minute /mo 2 /tn "NvidiaUpdate" /tr %APPDATA%LocalMicrosoftMediaupd.vbs 46.183.221.233 Based on this confirmation, we have been able to identify which system still was presenting the file and the persistence mechanism by querying for “NvidiaUpdate”:
17.
17 ©2019 RSA
Security, LLC., a Dell Technologies business NETWITNESS ROLE Asfour host Asker host TR A C IN G LATER A L MOVEMEN TS Hakimi host Once we identified infected systems, it was easy through our NWP platform to identify lateral movements as the attacker was noisy...
18.
18 ©2019 RSA
Security, LLC., a Dell Technologies business NETWITNESS ROLE Hakimi host Attacker C2 TRACING C2 S …as its malware was: In time we identified three C2s
19.
19 ©2019 RSA
Security, LLC., a Dell Technologies business
20.
20 ©2019 RSA
Security, LLC., a Dell Technologies business THE REMEDIATION PHASE In about eight days we were able to review all compromised hosts based on the IOCs and to attribute the attack to the Oilrig APT, by the tools and techniques identified. We supported the Customer’s staff to build a proper Remediation plan aimed to expel the attacker with as single and well arranged maneuver, including: − Removal and rebuild of all compromised machines − Full Domain password reset − Removal of unused services accounts − Review and removal of local authentication − Adoption of Two-Factors authentication for VPN and access to public facing resources There was only one item that wasn’t fitting properly into the analysis, nor it was easy to frame into the Oilrig attack… it was this weird and outdated virtual box driver with revoked certificate:
21.
21 ©2019 RSA
Security, LLC., a Dell Technologies business
22.
22 ©2019 RSA
Security, LLC., a Dell Technologies business
23.
23 ©2019 RSA
Security, LLC., a Dell Technologies business
24.
24 ©2019 RSA
Security, LLC., a Dell Technologies business
25.
25 ©2019 RSA
Security, LLC., a Dell Technologies business EPIC TURLA IMPLANTS Turla Skipper package The traffic was generated by a new Trojan composed of two DLL files: GeoLocate.dll SEOcache.dll These two files were found in 4 systems. The Trojan contains two export functions named 1W and 2W. The 1W function is used to install the backdoor, and during the setup it calls the 2W function activating the network socket. The DLLs persisted via a scheduled task:
26.
26 ©2019 RSA
Security, LLC., a Dell Technologies business MALWARE FALLS BACK As we can imagine, a sophisticated attacker such as Epic Turla, is not relying only on a potentially detectable host, originally belonging to a different attacker. So when we blocked the communication to the C2 on one host, we immediately noticed its fallback mechanism attempting to communicate with another host: Thanks to that and based on the IOCs we collected, we were able to trace additional infected systems using this second server as main C2. This is the moment we cut the communication with the primary C2
27.
27 ©2019 RSA
Security, LLC., a Dell Technologies business
28.
28 ©2019 RSA
Security, LLC., a Dell Technologies business In conclusion, we found a very interesting Webshell implanted onto the OWA Servers of the Agency A K A … H OW TO U PD ATE MY D ATA B A SE OF YOU R C R ED EN TIA LS… HOW TO KEEP AN EYE UPON THE TARGET Thanks to this webshell, the attacker was able to obtain credentials every time a user logged on OWA. The credentials were stored on a file “LocalCache.hve” encrypted with Rijndael encryption. Every now and then, the attacker collected the stolen credentials by collecting .hve files dropped onto specific folders of the OWA Web Server… howerver the functionality was tricky…
29.
29 ©2019 RSA
Security, LLC., a Dell Technologies business The webshell contained a form of authentication in it by only responding to requests that contained a specific Cookie HTTP header (OWA-Auth) with a value that matches the predefined key. This configuration ensures that if anyone other than the attacker tries to access this webshell, will fail to invoke the webshell functionality: TH E PR OTEC TION METH OD HOW TO KEEP AN EYE UPON THE TARGET The webshell performed a specific set of actions as specified in the Content-Type HTTP header. The following logic in the webshell determines the valid actions: if(h.ContentType=="text/get") { else if(h.ContentType=="text/del") else if(h.ContentType=="text/exec") else if(h.ContentType=="text/put") else if(h.ContentType=="text/dump")
30.
30 ©2019 RSA
Security, LLC., a Dell Technologies business HOW TO KEEP AN EYE UPON THE TARGET Here is a sample session when the actor retrieved this password file: The reason why the authentication process goes through owaauth.aspx is because the attackers also modified file logon.aspx to include a reference to owaauth.aspx: TH E PR OTEC TION METH OD
31.
31 ©2019 RSA
Security, LLC., a Dell Technologies business
32.
32 ©2019 RSA
Security, LLC., a Dell Technologies business LESSON LEARNED Do not assume Customer “remediation” carried out before was necessarily a success… Do not rely on the assumption an apparently unrelated infection can be investigated lately Do not assume sophisticated attacker is limited to the use of a dedicated infrastructure Do not expect Epic Turla to behave like more common APT groups… Think positive…
33.
33 ©2019 RSA
Security, LLC., a Dell Technologies business©2019 RSA Security, LLC., a Dell Technologies business THANK YOU
Jetzt herunterladen