Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

•

1 like•104 views

This document discusses tactics and techniques related to the FIN7 threat group. It mentions that FIN7 has been known to use PHP Mailer in phishing campaigns for initial access. It also notes that FIN7 has used legitimate services like Google Docs and Pastebin for command and control. The document further states that FIN7 generally uses existing credentials and built-in remote access applications to move laterally within networks.

Technology

Security
Analytics
Alert
Triage and
Investigation
Investigation
Hunting Leads
Threat
Hunting
(Intel, hypothesis,
IoA, etc.)

Threat
Intelligence
• “FIN7 has been known to use PHP Mailer in their
phishing campaigns”
Initial Access
• “FIN7 has been seen using legitimate services like
Google docs and Pastebin for C2 in recent
activity”
Command and Control (C2)
• “FIN7 generally uses existing credentials and
built-in remote access applications to move
laterally”
Lateral Movement

Tools
• Email Logs
• Zeek
• Elasticsearch / Kibana

Data Analyzers
pastebin.com
No text analyzers applied
Requires exact match for search
pastebin com
“Tokenizer” applied
Allows for full-text search

Developer
Time!
???
What do you call the log
entry for:
Source IP Address

Initial Access
“FIN7 has been
known to use PHP
Mailer in their
phishing campaigns”

EXEC
172.32.21.0/24
Globo-FW-01
Globo-SW-01
ISP
Globo-SW-02
AD/DNS
172.32.245.20
Email
172.32.245.222
Elasticsearch
172.32.245.125
Datacenter
172.32.245.0/24
Engineering
172.32.24.0/24
HR
172.32.22.0/24
Globo-FW-EXT
Ascension Ops
Admin
172.32.37.0/24
Finance
172.32.23.0/24
Azure Cloud
Storage
Globomantics Research Facility Network Diagram
Globo-R-01
172.32.1.0/24

User Agents
Software Making
Requests for a User
• Web Browsers
• Email Readers
• Shell Applications

Email Headers
• Experimental or
Extensions of the
standard email header
• X-Original-To
• X-Campaign
• X-Mailer

Command and
Control (C2)
• “FIN7 has been seen
using legitimate
services like Google
docs and Pastebin for
C2 in recent activity”

Bidirectional Command and Control (C2)
Commands sent Feedback/results

meowmix.ironcatfood.com
pastebin.com
Phishing email
Beacon C2
C2

Lateral
Movement
• “FIN7 generally uses
existing credentials
and built-in remote
access applications to
move laterally”

The complications
of analyzing
internal
communication

Lateral Movement
Administrative credentials compromised
Malware: Keylogger or Mimikatz

Review, Automate, and Improve
Intel
Identify
Protect
Detect
Respond
Recover
Emulate

Similar to Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Python-Assisted Red-Teaming Operation

Satria Ady Pradana

Powering up on PowerShell - BSides Charleston - Nov 2018

Fernando Tomlinson, CISSP, MBA

BRKSEC-3144.pdf

HaitamSouissi1

Discover advanced threats with threat intelligence - Jeremy Li

Jeremy Li

Extending Zeek for ICS Defense

James Dickenson

InfoSec analysts are all somewhat familiar with Honeypots. When they are given the proper attention, care and feeding, they produce invaluable information and can be a critical asset when it comes to defending the network. This intel has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor, right? Not exactly; when deployed and monitored properly, Honeypots and Honey Tokens are a simple way to alert on anomalous activity inside the network. But how can an organization that is not focused on research gain valuable threat intelligence using Honeypots and actively defend their network using indicators generated from an internal Honeynet? The answer is Honeypots for Active Defense. There are currently many open source security tool distributions that come pre-loaded with Honeypots among other useful tools, however the Honeypot software is often not deployed in an effective manner. This session will discuss techniques to leverage Honeypots in ways that will not overburden the security team with massive logs to sift through and focuses efforts on correlating active threat data observed in the Honeypots with the production environment. When deploying Honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network before they become the next headline.

Honeypots for Active Defense

Greg Foss

Powering up on power shell avengercon - 2018

Fernando Tomlinson, CISSP, MBA

Learning the basics of Apache NiFi for iot OSS Europe 2020

Timothy Spann

As organizations operationalize diverse network sensors of various types, from passive sensors to DNS sinkholes to honeypots, there are many opportunities to combine this data for increased contextual awareness for network defense and threat intelligence analysis. In this presentation, we discuss our experiences by analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes as well as enrichments from PDNS and malware sandboxing. We talk through how we can answer the following questions in an automated fashion: What is the profile of the attacking system? Is the host scanning/attacking my network an infected workstation, an ephemeral scanning/exploitation box, or a compromised web server? If it is a compromised server, what are some possible vulnerabilities exploited by the attacker? What vulnerabilities (CVEs) has this attacker been seen exploiting in the wild and what tools do they drop? Is this attack part of a distributed campaign or is it limited to my network?

Distributed Sensor Data Contextualization for Threat Intelligence Analysis

Jason Trost

How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...

AlienVault

Shmoocon XV - Analyzing Shodan Images with Optical Character Recognition

MichaelPortera2

Despite billions spent on enterprise cyber security, breaches from advanced attacks, costing millions, are occurring on a daily basis. Our Solution: Complete Near Real-time Network Security Visibility and Awareness: If security analysts could see everything occurring on their network in real-time, breaches would occur but there would never be catastrophic damage – breach reaction would be almost instantaneous. Novetta Cyber Analytics is a linchpin enterprise security solution that enables security analysts, for the first time, to see a complete, near real-time, uncorrupted picture of their entire network. Security analysts then ask and receive answers to subtle questions – at the speed of thought – to enable detection, triage and response to breaches as they occur. The Benefits: Increase events-responded-to an estimated 30X over. Substantially reduce or eliminate damage from breaches. Create a dramatically more effective and efficient security team. Maximize current security infrastructure investment. Be far more confident that your network is actually secure. OUR DIFFERENTIATORS: Understands the truth of what is happening on your network. Detects advanced attacks that have breached perimeter defenses. Develops a complete, near real-time understanding of suspicious behaviour. Develops a battleground understanding of your entire security situation. Augments current security solutions. Proven speed, scale and effectiveness on the largest, most attacked networks on earth.

Novetta Cyber Analytics

Novetta

soctool.pdf

nitinscribd

Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...

in.security Ltd.

ELK in Security Analytics

nullowaspmumbai

Filar seymour oreilly_bot_story_

EndgameInc

Osint, shoelaces, bubblegum

JamieMcMurray

4055-841_Project_ShailendraSadh

Shailendra Sadh - CISSP

PRESENTATION of CEH Tools.pptx

AadityaSaxena12

Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...

RootedCON

Similar to Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf (20)

Python-Assisted Red-Teaming Operation

Powering up on PowerShell - BSides Charleston - Nov 2018

BRKSEC-3144.pdf

Discover advanced threats with threat intelligence - Jeremy Li

Extending Zeek for ICS Defense

Honeypots for Active Defense

Powering up on power shell avengercon - 2018

Learning the basics of Apache NiFi for iot OSS Europe 2020

Distributed Sensor Data Contextualization for Threat Intelligence Analysis

How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...

Shmoocon XV - Analyzing Shodan Images with Optical Character Recognition

Novetta Cyber Analytics

soctool.pdf

Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...

ELK in Security Analytics

Filar seymour oreilly_bot_story_

Osint, shoelaces, bubblegum

4055-841_Project_ShailendraSadh

PRESENTATION of CEH Tools.pptx

Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...

More from Brandon DeVault

Unleash the power of scheduled tasks and uncover hidden secrets in Windows! Did you know that lurking beneath the surface are approximately 150 scheduled tasks by default, with over 40 set to hidden by default? Prepare to dive deep into the fascinating (aka, frustrating) world of these elusive artifacts! Join me as we embark on an enthralling journey, delving into the intricate details and challenges surrounding scheduled tasks. Discover how Microsoft typos, baffling naming schemes, and cryptic execution details make detecting anomalies a “thrilling” pursuit. But fear not, for there is hope! This captivating presentation will arm you with potent PowerShell scripts, powerful Elasticsearch dashboards, and an enhanced understanding of hunting down malicious persistence. Get ready to transform your perspective on scheduled tasks and become a hero in shining a spotlight on their hidden mysteries!

grrcon-2023-scheduled-tasks.pdf

Brandon DeVault

Welcome to the world of “Toolkit Titans,” where a global lack of funding, limited manpower, and inadequate support doesn’t stop us from saving the world! In this action-packed talk, we’ll dive into the depths of defensive security operations to build a toolkit that serves your needs. Security analytics, incident response, and adversary emulation – I’ll focus on the cost-effective integration of powerful open-source tools like Elastic, Zeek, Suricata, and Jupyter Notebooks. I’ll demonstrate how these tools can be combined to form a flexible solution for state response, in-garrison support, or austere operations. The best part? I’ve done a lot of the work for you and all the resources will be provided via a GitHub project during the presentation. So gear up, brave Titan, and let’s build the ultimate cyber defense!

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Brandon DeVault

I always thought scheduled tasks fell into the category of low-level adversaries. Did you know that a standard build of Windows 10 or 11 contains about 150 scheduled tasks by default? Did you know over 40 of these tasks are hidden by default? Cue misery… In this talk, I’ll explore the various details we can extract about scheduled tasks and why it’s so difficult to find anomalies. Everything from Microsoft typos, inconsistent naming schemes, and obfuscated execution details. And don’t worry, it’s not all doom and gloom. You’ll leave this presentation with PowerShell scripts, Elasticsearch dashboards, and a better understanding on how to hunt for malicious persistence.

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Brandon DeVault

Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened. In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods. This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection. We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain. I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.

Log4Shell Case Study - Suricon2022.pdf

Brandon DeVault

Level up your SOC - Guide for a Resilient Education Program.pdf

Brandon DeVault

Log4j vulnerability - CCC - Workshop.pdf

Brandon DeVault

Log4j vulnerability - CCC - Talk.pdf

Brandon DeVault

Dealing with the fallout from a massive exploit is everyone’s nightmare. Time and time again these vulnerabilities are found in open-source software. Does this mean we can’t trust open-source and should be developing everything from scratch? No, it’s not feasible or sustainable for anyone’s environment. So how do you handle this code that is embedded everywhere? In this talk, I’ll discuss the concerns open-source code and dependencies bring to any environment. We’ll start off by taking a historical look at vulnerabilities and their impact. Through this, we’ll look at methods for discovery, triage, and remediation. I focus on core tenants of remaining flexible, scalable, and integrating automation with the overall goal of reducing both risk and operational costs. The tradeoff between productivity, cost, and security doesn’t have to be a pick 2, lose 1 type scenario.

Handling Open-Source Code - ISF 2022.pdf

Brandon DeVault

CircleCityCon - Threat Hunting with the Elastic Stack

Brandon DeVault

Alamo ACE - Threat Hunting with CVAH

Brandon DeVault

BSides JAX 2019 - Threat Hunting with the Elastic Stack

Brandon DeVault

How Microsoft will MiTM your network

Brandon DeVault

More from Brandon DeVault (12)

grrcon-2023-scheduled-tasks.pdf

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Log4Shell Case Study - Suricon2022.pdf

Level up your SOC - Guide for a Resilient Education Program.pdf

Log4j vulnerability - CCC - Workshop.pdf

Log4j vulnerability - CCC - Talk.pdf

Handling Open-Source Code - ISF 2022.pdf

CircleCityCon - Threat Hunting with the Elastic Stack

Alamo ACE - Threat Hunting with CVAH

BSides JAX 2019 - Threat Hunting with the Elastic Stack

How Microsoft will MiTM your network

Recently uploaded

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors

A Domino Admins Adventures (Engage 2024)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Boost PC performance: How more available memory can improve productivity

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Axa Assurance Maroc - Insurer Innovation Award 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Strategies for Landing an Oracle DBA Job as a Fresher

The 7 Things I Know About Cyber Security After 25 Years | April 2024

MINDCTI Revenue Release Quarter One 2024

Data Cloud, More than a CDP by Matt Robison

Apidays New York 2024 - The value of a flexible API Management solution for O...

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

presentation ICT roal in 21st century education

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

GenAI Risks & Security Meetup 01052024.pdf

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

2. Security Analytics Alert Triage and Investigation Investigation Hunting Leads Threat Hunting (Intel, hypothesis, IoA, etc.)

3. CARBON SPIDER --- FIN7

5. Threat Intelligence • “FIN7 has been known to use PHP Mailer in their phishing campaigns” Initial Access • “FIN7 has been seen using legitimate services like Google docs and Pastebin for C2 in recent activity” Command and Control (C2) • “FIN7 generally uses existing credentials and built-in remote access applications to move laterally” Lateral Movement

6. Tools • Email Logs • Zeek • Elasticsearch / Kibana

7. Data Analyzers pastebin.com No text analyzers applied Requires exact match for search pastebin com “Tokenizer” applied Allows for full-text search

8. Developer Time! ??? What do you call the log entry for: Source IP Address

9. Data Normalization

10. Initial Access “FIN7 has been known to use PHP Mailer in their phishing campaigns”

11. EXEC 172.32.21.0/24 Globo-FW-01 Globo-SW-01 ISP Globo-SW-02 AD/DNS 172.32.245.20 Email 172.32.245.222 Elasticsearch 172.32.245.125 Datacenter 172.32.245.0/24 Engineering 172.32.24.0/24 HR 172.32.22.0/24 Globo-FW-EXT Ascension Ops Admin 172.32.37.0/24 Finance 172.32.23.0/24 Azure Cloud Storage Globomantics Research Facility Network Diagram Globo-R-01 172.32.1.0/24

12. User Agents Software Making Requests for a User • Web Browsers • Email Readers • Shell Applications

13. Email Headers • Experimental or Extensions of the standard email header • X-Original-To • X-Campaign • X-Mailer

14. Demo! SMTP Email Headers Analysis

15. Command and Control (C2) • “FIN7 has been seen using legitimate services like Google docs and Pastebin for C2 in recent activity”

16. Bidirectional Command and Control (C2) Commands sent Feedback/results

17. Demo! Hunting through Certificates

18. meowmix.ironcatfood.com pastebin.com Phishing email Beacon C2 C2

19. Lateral Movement • “FIN7 generally uses existing credentials and built-in remote access applications to move laterally”

20. The complications of analyzing internal communication

21. The Kingdom

22. Demo! Remotely Desktopping

23. “Trusted” Connections

24. Lateral Movement Administrative credentials compromised Malware: Keylogger or Mimikatz

25. Review, Automate, and Improve Intel Identify Protect Detect Respond Recover Emulate

26. Questions? • https://github.com/Pluralsight-SORCERI • www.devaultsecurity.com • linkedin. • twitter. devaultsecurity.com • github. • brandon-devault@pluralsight.com • https://app.pluralsight.com/profile/author/brandon-devault }

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Recommended

Recommended

More Related Content

Similar to Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Similar to Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf (20)

More from Brandon DeVault

More from Brandon DeVault (12)

Recently uploaded

Recently uploaded (20)

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf