
Catch Me If You Can - Finding APTs in your network


Presented by Adrian Tudor & Leo Neagu in Bucharest, Romania, on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on

Published in: Technology


  1. Catch Me If You Can – Finding APTs in your network. DefCamp, Adrian Tudor, Leo Neagu, November 2018. Classification: //Secureworks/Public Use. © SecureWorks, Inc.
  2. What is an APT?
     • An Advanced Persistent Threat (APT) is a cyberattack that will “fly under the radar”: your AV/IDS will not let you know about it.
  3. What is an APT? Key elements of an APT attack:
     • a targeted cyberattack in which an intruder gains access to a network
     • remains undetected for an extended period of time
     • traditionally has been associated with nation-state players
     • in the last few years, the tools and techniques used by a few APT actors have also been adopted by various cybercriminal groups
     Image caption (the subject's name was not captured in the extracted text): targeted SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program (2010).
  4. APT attack mechanism. Focus on:
     • Delivery
     • Exploitation
     • Installation
     • Command and Control
     • Action and Objectives
  5. APT attack mechanism
  6. APT attack mechanism – Delivery
     • Vector of compromise
  7. APT Exploitation and Installation
     • Exploitation with malicious links
  8. APT Exploitation and Installation
  9. APT Exploitation and Installation
     • Quasar RAT – easy to use/deploy
     • NetWire malware
  10. APT Exploitation and Installation
     • Quasar RAT – easy to use/deploy – Demo
  11. APT Installation
  12. APT Installation – Persistence
     - Creating services that sound legit
     - Task scheduling
     - Malware installed as a Microsoft Office Add-in: when MS Word starts, the malware is executed
     - DLL hijacking
     - and many more
  13. APT Installation – Persistence (catalogue of persistence techniques): .bash_profile and .bashrc, Accessibility Features, Account Manipulation, AppCert DLLs, AppInit DLLs, Application Shimming, Authentication Package, BITS Jobs, Bootkit, Browser Extensions, Change Default File Association, Component Firmware, Component Object Model Hijacking, Create Account, DLL Search Order Hijacking, Dylib Hijacking, External Remote Services, File System Permissions Weakness, Hidden Files and Directories, Hooking, Hypervisor, Image File Execution Options Injection, Kernel Modules and Extensions, Launch Agent, Launch Daemon, Launchctl, LC_LOAD_DYLIB Addition, Local Job Scheduling, Login Item, Logon Scripts, LSASS Driver, Modify Existing Service, Netsh Helper DLL, New Service, Office Application Startup, Path Interception, Plist Modification, Port Knocking, Port Monitors, Rc.common, Re-opened Applications, Redundant Access, Registry Run Keys / Startup Folder, Scheduled Task, Screensaver, Security Support Provider, Service Registry Permissions Weakness, Setuid and Setgid, Shortcut Modification, SIP and Trust Provider Hijacking, Startup Items, System Firmware, Time Providers, Trap, Valid Accounts, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL.
     You can find more detailed information on
  14. APT Installation – Persistence
     • Persistence using Universal Windows Platform apps (APPX)
  15. APT Installation – Persistence: persistence using Universal Windows Platform apps (APPX). The DebugPath value under an app's ActivatableClasses DebugInformation key is pointed at the implant (the backslashes were lost in extraction and are restored here; the command is shown on one line):
     reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:\Users\IEUser\AppData\Roaming\SubDir\Client.exe"
     Reference: Oddvar Moe, "Persistence using the People app"
  16. APT Lateral movement. Moving laterally inside the environment, compromising additional targets and getting closer to high-value assets using different tools and techniques:
     - Enumerate password data from memory using commonly available password dumpers (Mimikatz)
     - Net.exe to connect to network shares using net use commands with compromised credentials
     - Spread through the local network by using PsExec
     - Windows Management Instrumentation (WMI) to interact with local and remote systems
  17. How can I tell I’m targeted?
     - Recognizing an APT attack early in the kill chain is a tough job
     - The attackers prefer to work slowly, blending in with regular network activity and using tools already available in the environment (PowerShell, WMI, net.exe etc.)
  18. Data exfiltration: too late to detect?
     - Large outbound network traffic should raise questions, especially if the amount transferred is out of the regular trendline
     - Quite often APT attacks are detected when the gathered data has already been exfiltrated, sometimes even months later
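One way to turn "out of the regular trendline" into a check, as an added example that is not part of the talk: each day's outbound volume per host is compared with the same weekday in the preceding weeks, so a legitimate weekly backup stays inside the baseline while a one-off upload does not. The host names and daily megabyte counts are constructed.

```python
"""Flag outbound-volume spikes per host against a same-weekday robust baseline.
Added example, not from the DefCamp talk; all volumes below are constructed."""
from statistics import median


def spike_days(series, weeks=3, k=5.0, floor=0.1):
    """Return indices whose volume exceeds median + k*MAD of the same weekday
    in the `weeks` prior weeks.

    Median/MAD rather than mean/stddev keeps one earlier spike from inflating
    the baseline; the `floor` (fraction of the median) stops a perfectly flat
    history from flagging trivial increases."""
    flagged = []
    for i in range(7 * weeks, len(series)):
        base = [series[i - 7 * w] for w in range(1, weeks + 1)]
        med = median(base)
        mad = max(median(abs(x - med) for x in base), floor * med)
        if series[i] > med + k * mad:
            flagged.append(i)
    return flagged


def constructed_series(base, spikes, days=35):
    """Build a constructed daily series: base MB plus small deterministic jitter,
    with the given {day: MB} overrides."""
    series = [base + (d * 7) % 23 for d in range(days)]
    for day, value in spikes.items():
        series[day] = value
    return series


HOSTS = {  # constructed daily outbound volume in MB, 5 weeks, day 0 is a Monday
    # file server: a 3 GB backup every Sunday is normal for this host
    "FS01": constructed_series(300, {d: 3000 for d in range(6, 35, 7)}),
    # IIS server: flat ~420 MB/day, then a single 6 GB upload on day 30
    "WEB01": constructed_series(420, {30: 6200}),
}


def hunt_spikes(hosts=HOSTS):
    """Return {host: [flagged day indices]} for hosts with at least one spike."""
    return {h: d for h, s in hosts.items() if (d := spike_days(s))}


if __name__ == "__main__":
    for host, days in hunt_spikes().items():
        print(f"{host}: unusual outbound volume on day(s) {days}")
```

A trailing-window baseline would flag every Sunday on FS01; comparing like with like reports only WEB01.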
  19. The reason behind the spike
     - A web shell present on an IIS server (China Chopper)
     - A password-encrypted RAR archive was exfiltrated
     - Further analysis of the RAM memory revealed the preparation of the data being exfiltrated
  20. Are you ready to detect an APT?
     Assess your current state
     • Identify your assets
     • Know your vulnerabilities
     Know your enemies
     • Threat Intelligence feeds
     • Tools, tactics and procedures used by threat actors
     Design and implement your vision
     • Multi-layered endpoint & network protection
     • Threat Hunting
  21. Let’s go Threat Hunting – look for hidden threats. Start the hunt, refine the hunt, response. Hunting leads:
     • Large unexpected data flows
     • Remote access via RDP
     • Scheduled tasks
     • Phishing campaigns
     • Encoded PowerShell commands
     • Net.exe use
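Three of these leads (encoded PowerShell, scheduled tasks, net.exe use) can be hunted from process-creation command lines. The following is an added example, not code from the talk: it recognises the abbreviated -EncodedCommand flags powershell.exe accepts, decodes the base64/UTF-16LE payload so the analyst sees the real script, and tags net.exe and schtasks /create invocations. The host names and command lines are constructed.

```python
"""Triage process command lines for three hunting leads from the slide:
encoded PowerShell, net.exe use and scheduled-task creation.
Added example, not from the DefCamp talk; the sample records are constructed."""
import base64
import shlex


def is_encoded_flag(token):
    """powershell.exe accepts -EncodedCommand, -ec and any prefix (-e, -en, -enc ...)."""
    if token[:1] not in ("-", "/"):
        return False
    t = token[1:].lower()
    return t == "ec" or (t != "" and "encodedcommand".startswith(t))


def decode_encoded_command(b64):
    """Encoded commands are base64 over UTF-16LE; return None if the token is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return a list of (lead, detail) findings for one process command line."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        tokens = cmdline.split()
    if not tokens:
        return []
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    findings = []
    if image in ("powershell.exe", "pwsh.exe", "powershell"):
        for i, tok in enumerate(tokens[1:-1], start=1):
            if is_encoded_flag(tok):
                findings.append(("encoded_powershell", decode_encoded_command(tokens[i + 1])))
    elif image in ("net.exe", "net1.exe", "net") and len(tokens) > 1:
        findings.append(("net_exe", tokens[1].lower()))  # e.g. "use", "user", "group"
    elif image == "schtasks.exe" and any(t.lower() == "/create" for t in tokens):
        findings.append(("scheduled_task", cmdline))
    return findings


def encode_for_sample(script):
    """Constructed helper: build a sample encoded command the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_LOG = [  # constructed process-creation records: (host, command line)
    ("WS01", "powershell.exe -nop -w hidden -enc " + encode_for_sample("Get-Process lsass")),
    ("WS02", "net.exe use \\\\FS01\\share /user:CORP\\svc_backup *"),
    ("WS03", "C:\\Windows\\System32\\schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\updater.exe /sc onlogon"),
    ("WS04", "\"C:\\Program Files\\App\\app.exe\" --update"),  # benign, should not match
]


def hunt(records=SAMPLE_LOG):
    """Return {host: findings} for every record that matched at least one lead."""
    return {h: f for h, c in records if (f := triage(c))}
```

Only the decoded script tells you whether an encoded command is an admin's scheduled job or something to escalate, which is why the decoder is part of the hunt rather than a follow-up step.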
  22. Questions? Thank you!