Classification: //Secureworks/Public Use:© SecureWorks, Inc.
Slide 1: Catch Me If You Can – Finding APTs in your network
DefCamp, November 2018
Adrian Tudor, Leo Neagu
Slide 2: What is an APT?
• An Advanced Persistent Threat (APT) is a cyberattack that will “fly under the radar”: your AV/IDS will not let you know about it
Slide 3: What is an APT?
• targeted cyberattack in which an intruder gains access to a network
• remains undetected for an extended period of time
• traditionally has been associated with nation-state players
• in the last few years, the tools and techniques used by a few APT actors have also been adopted by various cybercriminal groups
Key elements of an APT attack
- targeted SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program (2010)
Slide 4: APT attack mechanism
• Focus on:
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Action and Objectives
Slide 5: APT attack mechanism
Slide 6: APT attack mechanism – Delivery
• Vector of compromise
Slide 7: APT Exploitation and Installation
Exploitation with malicious links
Slide 8: APT Exploitation and Installation
Slide 9: APT Exploitation and Installation
Quasar RAT – Easy to use/deploy
NetWire malware
Slide 10: APT Exploitation and Installation
Quasar RAT – Easy to use/deploy – Demo
Slide 11: APT Installation
Slide 12: APT Installation – Persistence
- Creating services that sound legit
- Scheduled tasks
- Malware installed as a Microsoft Office add-in: when MS Word starts, the malware is executed
- DLL hijacking
- and many more
Slide 13: APT Installation – Persistence
- .bash_profile and .bashrc
- Accessibility Features
- Account Manipulation
- AppCert DLLs
- AppInit DLLs
- Application Shimming
- Authentication Package
- BITS Jobs
- Bootkit
- Browser Extensions
- Change Default File Association
- Component Firmware
- Component Object Model Hijacking
- Create Account
- DLL Search Order Hijacking
- Dylib Hijacking
- External Remote Services
- File System Permissions Weakness
- Hidden Files and Directories
- Hooking
- Hypervisor
- Image File Execution Options Injection
- Kernel Modules and Extensions
- Launch Agent
- Launch Daemon
- Launchctl
- LC_LOAD_DYLIB Addition
- Local Job Scheduling
- Login Item
- Logon Scripts
- LSASS Driver
- Modify Existing Service
- Netsh Helper DLL
- New Service
- Office Application Startup
- Path Interception
- Plist Modification
- Port Knocking
- Port Monitors
- Rc.common
- Re-opened Applications
- Redundant Access
- Registry Run Keys / Startup Folder
- Scheduled Task
- Screensaver
- Security Support Provider
- Service Registry Permissions Weakness
- Setuid and Setgid
- Shortcut Modification
- SIP and Trust Provider Hijacking
- Startup Items
- System Firmware
- Time Providers
- Trap
- Valid Accounts
- Web Shell
- Windows Management Instrumentation Event Subscription
- Winlogon Helper DLL
You can find more detailed information at https://attack.mitre.org
Slide 14: APT Installation – Persistence
• PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX)
Slide 15: APT Installation – Persistence
PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX)
Persistence using the People app:
reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:\Users\IEUser\AppData\Roaming\SubDir\Client.exe"
Reference: Oddvar Moe: https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
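A defender-side check for the DebugPath persistence shown on this slide, added here as an example and not taken from the talk or from Oddvar Moe's post: it parses the text output of reg query HKCU\Software\Classes\ActivatableClasses\Package /s /v DebugPath (the sample output below is constructed; its first key and path mirror the slide's command, the second entry is a made-up benign one) and flags DebugPath values that point into user-writable locations.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query HKCU\Software\Classes\ActivatableClasses\Package /s /v DebugPath`
# output. The first key mirrors the slide's reg add command; the second is a made-up benign entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca
    DebugPath    REG_SZ    C:\Users\IEUser\AppData\Roaming\SubDir\Client.exe

HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package\Contoso.DevApp_1.0.0.0_x64__abcdef123456\DebugInformation\Contoso.DevApp.AppXq1w2e3r4t5y6.mca
    DebugPath    REG_SZ    C:\Program Files\ExampleDebugger\launcher.exe

End of search: 2 match(es) found.
"""

# Locations a standard user can write to: a "debugger" launched from here is a red flag.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Locations that need admin rights to modify; still worth a look, but far less likely to be malicious.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

VALUE_RE = re.compile(r"^\s+DebugPath\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.IGNORECASE)

def classify_debug_path(path: str) -> str:
    p = path.strip().strip('"').lower()
    if any(marker in p for marker in USER_WRITABLE):
        return "suspicious: user-writable location"
    if not p.startswith(TRUSTED_ROOTS):
        return "review: outside Program Files / Windows"
    return "likely benign"

def find_debug_paths(reg_query_output: str) -> List[Dict[str, str]]:
    """Pair every DebugPath value with the package key it lives under."""
    findings, current_key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            path = m.group(1)
            findings.append({"key": current_key, "path": path,
                             "verdict": classify_debug_path(path)})
    return findings

def suspicious_debug_paths(reg_query_output: str) -> List[Dict[str, str]]:
    """Everything that is not clearly benign; on a clean user hive this list is normally empty."""
    return [f for f in find_debug_paths(reg_query_output) if f["verdict"] != "likely benign"]
```

Any DebugPath under a user's HKCU hive deserves a look, since the value is honoured when the packaged app is activated; the classifier only orders the review.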
Slide 16: APT Lateral movement
Moving laterally inside the environment, compromising additional targets and getting closer to high value assets using different tools and techniques:
- Enumerate password data from memory using commonly available password dumpers (Mimikatz)
- Net.exe to connect to network shares using net use commands with compromised credentials
- Spread through the local network by using PsExec
- Windows Management Instrumentation (WMI) to interact with local and remote systems
Slide 17: How can I tell I’m targeted?
- Recognizing an APT attack early in the kill chain is a tough job
- The attackers prefer to work slowly, blending in with regular network activity and using tools already available in the environment (PowerShell, WMI, net.exe etc.)
Slide 18: Data exfiltration: too late to detect?
- Large outbound network traffic should raise questions, especially if the amount transferred is out of the regular trendline
- Quite often APT attacks are detected when the gathered data has already been exfiltrated, sometimes even months later
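The trendline idea on this slide, as an added example that is not from the talk: a robust (median/MAD) baseline of each host's daily outbound volume, with a day flagged when it sits far above the previous two weeks. The per-host byte counts are constructed, and the window and threshold are assumptions, not figures from the case.

```python
from statistics import median
from typing import Dict, List, Sequence

# Constructed daily outbound volume per host in MB (assumption: 14 days of normal
# traffic, then the web server pushes a ~38 GB archive out on day 15).
OUTBOUND_MB: Dict[str, List[float]] = {
    "WEB01": [820, 910, 760, 1050, 880, 940, 790, 1010, 860, 920, 780, 990, 870, 950, 38000, 900],
    "WS07": [500] * 16,
}

def robust_baseline(history: Sequence[float]):
    """Median and scaled MAD: unlike mean/stddev, one earlier spike does not distort them."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, 1.4826 * mad   # scaled so the MAD is comparable to a standard deviation

def flag_exfil_spikes(series: Sequence[float], window: int = 14, z_threshold: float = 6.0) -> List[int]:
    """Indexes of days whose outbound volume sits far above the trailing window's baseline."""
    flagged = []
    for i in range(window, len(series)):
        med, scale = robust_baseline(series[i - window:i])
        x = series[i]
        if scale == 0:
            # Flat history: anything more than double the usual volume is out of trend.
            if x > 2 * med:
                flagged.append(i)
        elif (x - med) / scale > z_threshold:
            flagged.append(i)
    return flagged

def hunt_outbound(per_host: Dict[str, Sequence[float]]) -> Dict[str, List[int]]:
    """Run the spike check for every host and return the flagged day indexes per host."""
    return {host: flag_exfil_spikes(series) for host, series in per_host.items()}

if __name__ == "__main__":
    for host, days in hunt_outbound(OUTBOUND_MB).items():
        for d in days:
            print(f"{host}: day {d} sent {OUTBOUND_MB[host][d]} MB, far above trend")
```

A slow exfiltration that never exceeds the daily trend will not trip this; the baseline is a trigger for a hunt, not a verdict.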
Slide 19: The reason behind the spike
- A web shell present on an IIS server (China Chopper)
- A password-encrypted RAR archive was exfiltrated
- Further analysis of the RAM memory revealed the preparation of the data being exfiltrated
Slide 20: Are you ready to detect an APT?
Assess your current state
• Identify your assets
• Know your vulnerabilities
Know your enemies
• Threat Intelligence feeds
• Tools, tactics and procedures used by threat actors
Design and implement your vision
• Multi-layered endpoint & network protection
• Threat Hunting
Slide 21: Let’s go Threat Hunting – look for hidden threats
Hunting loop: Start the hunt → Refine the hunt → Response
Hunting triggers:
- Large unexpected data flows
- Remote access via RDP
- Scheduled tasks
- Phishing campaigns
- Encoded PowerShell commands
- Net.exe use
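Three of the triggers on this slide (encoded PowerShell commands, net.exe use, scheduled tasks) as detection logic over process-creation events, added here as an example and not from the talk: the event field names, hosts, users and command lines are constructed for illustration, and the encoded PowerShell sample is built at load time from a harmless command so the decoder can be checked.

```python
import base64
import re
from typing import Dict, List

# Constructed process-creation events (fields loosely follow what Sysmon event ID 1 / Security 4688
# provide; every host, user, path and command line here is made up).
ENCODED_SAMPLE = base64.b64encode("Get-Process | Out-File C:\\Users\\Public\\list.txt".encode("utf-16-le")).decode()
EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED_SAMPLE},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\FS01\finance /user:CORP\jdoe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Create /SC ONLOGON /TN Updater /TR C:\Users\Public\up.exe"},
    {"host": "WS02", "user": "CORP\\admin", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "WS02", "user": "CORP\\admin", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user jdoe"},
]

# -e, -ec, -en, -enc ... are all accepted abbreviations of -EncodedCommand.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text; decode it to see what actually runs."""
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")

def hunt_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"]
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        m = ENC_RE.search(cmd)
        if m:
            hits.append({"rule": "encoded_powershell", "detail": decode_encoded_command(m.group(1))})
    if image in ("net.exe", "net1.exe") and re.search(r"(?i)\buse\b.*\\\\", cmd):
        hits.append({"rule": "net_use_share", "detail": cmd})
    if image == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
        hits.append({"rule": "scheduled_task_created", "detail": cmd})
    for h in hits:
        h.update(host=ev["host"], user=ev["user"])
    return hits

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every event; the result is a hunt lead list, not an alert verdict."""
    return [hit for ev in events for hit in hunt_event(ev)]
```

Each hit is a lead: the same user creating a task, mapping a share and running encoded PowerShell on one host within minutes is what makes the hunt worth refining.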
Slide 22: QUESTIONS?
THANK YOU!
