32. How to Detect ?
• Initial access
  • Phishing
    • Path, cmdline, signature, …
  • Exploit
    • General exploit cmdline, parent process
• Execution
  • General exploit cmdline
  • Parent process name
  • File name
• Persistence
  • Service create, autorun registry, startup folder, …
  • Account create
  • DLL side-loading
• Privilege Escalation
  • Treasure
  • General exploit cmdline
• Discovery
  • Common command: whoami, ipconfig, netstat, ping, …
  • Parent process name
  • File name
• Lateral movement
  • Microsoft protocol: RDP, SMB, RPC, …
  • General exploit cmdline
• Exfiltration
  • Rarely seen cmdline
39. Suspicious Behaviors
• Initial Access
  w3wp.exe creates a cmd.exe process
• Execution
  General exploit cmdline
• Discovery
  Common command (net)
• Execution
  Masquerading (file path)
• Execution
  Masquerading (file path)
• Execution
  General exploit cmdline
43. Suspicious Behaviors
• Obviously, it was a common web exploitation.
• The server is an Exchange server; maybe it was an outdated Exchange that had been hit by
the known Exchange CVEs.
46. Nothing else is interesting.
Just recommend that our user update their Exchange and resolve this incident (?)
However, something is a little different from the characteristics of the known CVEs…
47. Access Log Review ‒ ProxyShell
• Recall ProxyShell
Ref: Actually, your blue team is red. Stealing your red move from the blue side, Hitcon, 2022.
55. ProxyNotShell Mitigation
• Recommended Regex: (?=.*autodiscover)(?=.*powershell)
• Change the input {REQUEST_URI} to {UrlDecode:{REQUEST_URI}}
Ref: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
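As an added check that is not part of the original slides: the two mitigation bullets above can be replayed against existing IIS access logs to see which requests the rewrite rule would have blocked, and why the input must be switched to {UrlDecode:{REQUEST_URI}}. The log lines, host names and addresses below are constructed for the example; `rule_matches` and `review_access_log` are names chosen here, not Microsoft's.

```python
import re
from urllib.parse import unquote

# Microsoft's recommended pattern from the slide. IIS URL Rewrite rules ignore
# case by default, so the emulation uses re.IGNORECASE to match that behaviour.
MITIGATION_REGEX = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def rule_matches(request_uri: str, url_decode: bool) -> bool:
    """Emulate the rewrite rule. url_decode=False is the original {REQUEST_URI}
    input; url_decode=True is the recommended {UrlDecode:{REQUEST_URI}} input."""
    subject = unquote(request_uri) if url_decode else request_uri
    return MITIGATION_REGEX.search(subject) is not None


def review_access_log(lines, url_decode: bool):
    """Apply the rule to W3C-format IIS log lines (default field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query ...) and return the
    request URIs, as logged, that the rule would have blocked."""
    blocked = []
    for line in lines:
        if line.startswith("#"):          # directive lines such as #Fields:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        stem, query = fields[4], fields[5]
        uri = stem if query == "-" else f"{stem}?{query}"
        if rule_matches(uri, url_decode):
            blocked.append(uri)
    return blocked


# Constructed sample log: one benign OWA request, one request the rule catches
# as-is, and one where "powershell" is partially percent-encoded (%50 = "P").
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.7 Mozilla/5.0 200
2022-10-01 08:00:02 10.0.0.5 POST /autodiscover/autodiscover.json a=x@example.test/powershell 443 - 198.51.100.7 python-requests 200
2022-10-01 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.json a=x@example.test/%50owershell 443 - 198.51.100.7 python-requests 200
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("raw {REQUEST_URI}:       ", review_access_log(lines, url_decode=False))
    print("{UrlDecode:{REQUEST_URI}}:", review_access_log(lines, url_decode=True))
```

Running it shows the undecoded input blocks only the plain-text request, while the decoded input also catches the percent-encoded one, which is the reason for the second bullet.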
56. Conclusion
• As long as we continuously monitor and tune the detection rules, suspicious
behaviors can be detected in a large amount of logs.
• Be curious about every abnormal event/incident/log so that we can make
decisions more precisely.
• Despite the fact that we could not be sure whether it was an unknown 1day or 0day attack
at that time, we successfully detected and mitigated it.
• Now we know that it was a 0day attack.
• That is…
We defeated the 0day Attack!