Catch Me If You Can - Finding APTs in your network
•1 like•304 views
Report
Share
Download to read offline
Adrian Tudor & Leo Neagu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive
More Related Content
What's hot
What's hot(20)
Similar to Catch Me If You Can - Finding APTs in your network
Similar to Catch Me If You Can - Finding APTs in your network(20)
![Chapter 9 system penetration [compatibility mode]](https://cdn.slidesharecdn.com/ss_thumbnails/chapter9systempenetrationcompatibilitymode-160414004635-thumbnail.jpg?width=768&fit=bounds)
More from DefCamp
More from DefCamp(20)
![We will charge you. How to [b]reach vendor’s network using EV charging station.](https://cdn.slidesharecdn.com/ss_thumbnails/dmitryskljarcphexport1-190531064504-thumbnail.jpg?width=768&fit=bounds)
Recently uploaded
Recently uploaded(20)
Catch Me If You Can - Finding APTs in your network
- 1. Classification: //Secureworks/Public Use:© SecureWorks, Inc. DefCamp Adrian Tudor Leo Neagu November 2018 1 Catch Me If You Can – Finding APTs in your network
- 2. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 2 • An Advanced Persistent Threat (APT) is a cyberattack that will “fly under the radar” and your AV/IDS will not let you know about it What is an APT?
- 3. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 3 • targeted cyberattack in which an intruder gains access to a network • remains undetected for an extended period of time • traditionally has been associated with nation-state players • in the last few years, the tools and techniques used by a few APT actors have also been adopted by various cybercriminals groups. What is an APT? Key elements of an APT attack - targeted SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program (2010)
- 4. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 4 • Focus on • Delivery • Exploitation • Installation • Command and Control • Action and Objectives APT attack mechanism
- 5. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 5 APT attack mechanism
- 6. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 6 • Vector of compromise APT attack mechanism - Delivery
- 7. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 7 Exploitation with malicious links APT Exploitation and Installation
- 8. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 8 APT Exploitation and Installation
- 9. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 9 Quasar RAT – Easy to use/deploy NetWire malware APT Exploitation and Installation
- 10. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 10 Quasar RAT – Easy to use/deploy - Demo APT Exploitation and Installation
- 11. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 11 APT Installation
- 12. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 12 - Creating services that sound legit - Task schedule - Malware installed as Microsoft Office Add-in. When MS Word starts, malware executed - DLL hijacking - and many more APT Installation – Persistence
- 13. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 13 - .bash_profile and .bashrc - Accessibility Features - Account Manipulation - AppCert DLLs - AppInit DLLs - Application Shimming - Authentication Package - BITS Jobs - Bootkit - Browser Extensions - Change Default File Association - Component Firmware - Component Object Model Hijacking - Create Account - DLL Search Order Hijacking - Dylib Hijacking - External Remote Services - File System Permissions Weakness - Hidden Files and Directories - Hooking - Hypervisor - Image File Execution Options Injection - Kernel Modules and Extensions - Launch Agent - Launch Daemon - Launchctl - LC_LOAD_DYLIB Addition - Local Job Scheduling - Login Item - Logon Scripts - LSASS Driver - Modify Existing Service - Netsh Helper DLL - New Service - Office Application Startup - Path Interception - Plist Modification - Port Knocking - Port Monitors - Rc.common - Re-opened Applications - Redundant Access - Registry Run Keys / Startup Folder - Scheduled Task - Screensaver - Security Support Provider - Service Registry Permissions Weakness - Setuid and Setgid - Shortcut Modification - SIP and Trust Provider Hijacking - Startup Items - System Firmware - Time Providers - Trap - Valid Accounts - Web Shell - Windows Management Instrumentation Event Subscription - Winlogon Helper DLL APT Installation – Persistence You can find more detailed information on https://attack.mitre.org
- 14. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 14 • PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX) APT Installation – Persistence
- 15. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 15 PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX) APT Installation – Persistence reg add HKCUSoftwareClassesActivatableClassesPackageMicrosoft.People_10.1807.2131. 0_x64__8wekyb3d8bbweDebugInformationx4c7a3b7dy2188y46d4ya362y19ac5a580 5e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:UsersIEUserAppDataRoamingSubDirClient.exe" Reference: ODDVAR MOE : https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ Persistence using the People app
- 16. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 16 Moving laterally inside the environment, compromising additional targets and getting closer to high value assets using different tools and techniques: - Enumerate password data from memory using commonly available password dumpers (Mimikatz) - Net.exe to connect to network shares using net use commands with compromised credentials - Spread through the local network by using PsExec - Windows Management Instrumentation (WMI) to interact with local and remote systems APT Lateral movement
- 17. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 17 - Recognizing an APT attack early in the kill chain is a tough job - The attackers prefer to work slow blending with regular network activity and using tools already available in the environment (PowerShell, WMI, net.exe etc.) How can I tell I’m targeted?
- 18. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 18 - Large outbound network traffic should raise questions, especially if the amount transferred is out of the regular trendline - Quite often APT attacks are detected when the data gathered already has been exfiltrated, sometimes even months later Data exfiltration: to late to detect?
- 19. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 19 The reason behind the spike - A web shell present on a IIS server (China Chopper) - A password encrypted RAR archive was exfiltrated - Further analysis of the RAM memory revealed the preparation of the data being exfiltrated
- 20. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 20 Are you ready to detect an APT? Assess your current state • Identify your assets • Know your vulnerabilities Know your enemies • Threat Intelligence feeds • Tools, tactics and procedures used by threat actors Design and implement your vision • Multi-layered endpoint & network protection • Threat Hunting
- 21. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 21 Let’s go Threat Hunting – look for hidden threats Start the hunt Refine the hunt Response Large unexpected data flows Remote access via RDP Scheduled tasks Phishing campaigns Encoded PowerShell commands Net.exe use
- 22. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 22 QUESTIONS? THANK YOU!