Topic 2 - Ransomware Techniques.pptx

1. Topic 2 - Lateral Movement,
Accounts and Vulnerabilities

2. • Office 365 account
• VPN endpoint
• Webshell on perimeter
• Stand-alone workstation
• Corporate workstation (home or office)
• Get on the network
• Access broker – purchase access
• Where to from here?
Where does ransomware land?

3. • Office 365 account
• Internal phishing for more credentials
• Deliver malicious files
• VPN endpoint
• Scan and identify neighbouring hosts
• Determine privileges
• Find vulnerabilities
• Webshell on perimeter
• Scan and identify neighbouring hosts
• Determine privileges
• Find vulnerabilities
Next steps – lateral movement

4. • Stand-alone workstation
• Scan and identify neighbouring hosts
• Determine privileges
• Find vulnerabilities
• Corporate workstation - Active Directory domain member
• Determine local privileges
• Scan and identify neighbouring hosts
• Determine privileges on neighbouring hosts
• Collect credentials
• Local admin - jackpot
Next steps – lateral movement

5. • Ransomware operator has an account (most likely for low-
level access)
• Account in local admin?
• If yes then extract hashes (more credentials – recent
admin?)
• Workgroup or domain joined
• Tools
• Mimikatz
• JTR
Determining local privileges

6. • VPN or workstation
• Looking for services open on the network
• Ports
• Windows networking 135, 139, 445
• Remote desktop 3389
• Web services 80/443
• Tools
• Nmap - NSE
• Masscan
Scanning for neighbouring hosts

7. • Use existing credentials
• Local admin
• Domain users or everyone in admin group
• Interactive user in admin group
• C$ or Admin! overly shared
• Interactive user in admin group
• Tools - Metasploit
• SMB auxiliary scanner
• Username / password / domain / IP range
• PSExec auxiliary scanner
• Meterpreter payload
• Will load the psexecsvc.exe on target host
Accessing identified hosts

8. • Local admin
• Domain users or everyone in admin group
• Interactive user in admin group
• C$ or Admin! Overly shared
• Interactive user in admin group
• Tools
• Powershell
• Computer manager msc
Misconfigured or overlapping permissions

9. • Scripts
• Excel file
• CPASSWORD!
• SAM file in files system
• Disk images can be mounted
• Search tools
• Findstr
• Explorer
Credentials in plaintext files or backups

10. Wormable vulnerabilities
• LSASS – MS11-014
• Conficker - MS08-067
• Eternal blue – MS17-010
• Bluekeep – CVE-2019-0708
Local credential harvesting
• Print nightmare - CVE-2021-34527
• Hive nightmare - CVE-2021-36934
• Tools
• Metasploit
Unpatched workstations and servers

11. • Keep workstations and servers patched
• Vulnerability scanner (network or on-box)
• CIS https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Limit local admin
• Strong passwords
• Expiring passwords?
• Password managers
• IPS between network zones
Protection measures

12. • Education, no graphical representation of passwords
• Education, don’t store backups where everyone can see them
• Lateral movement testing
• Antivirus
• Endpoint detection and response
• Network detection and response
Protection measures

13. • Kali Linux
• Windows 8.1 IE11 image from Microsoft
• VirtualBox (NAT network or bridged)
• Password discovery
• File discovery
• Metasploit
• Mimikatz (kiwi)
• Secrets dump
• Windows Defender and Windows Firewall
CTF workstation – 5 flags for exam