attack methodologies paper 1

8/3/2019 Attack Methodologies Paper 1

Assumptions:

ACLs exist on most enterprise network equipment to limit where it can be administered from. However, the laptops that we are attempting to attack are routinely plugged into IP subnets that those ACLs permit, so they can be used to administer routers and switches. The target laptop is included in that ACL.

A policy exists for email, but it is rarely, if ever, enforced. It is not uncommon for people to have auto-forwarding from home to work enabled. If the email filtering devices don't fire, an attacker can sneak malicious mail in (and out).

Most of the administrators live on non-NAT'd address space. Network Access Protection (NAP) is not used. HIPS standard rules are in place.

    Attack Methodologies:

    Figure 1 Attack Methodologies (Kzsancyian, 2011)


    Initial Infiltration (Social Engineering):

By using Follow Company in LinkedIn, the attacker ascertains that SPAWAR Barling Bay houses a primary node for administration (Figure 2). As displayed in Figure 2, the attacker sees new activity the company just posted. Being very skilled with social engineering, the attacker determines that there is a high probability that a new hire has not yet been made aware of the corporate security policies. As such, the attacker is banking on social engineering skills to trick him into installing a backdoor software application, thus defeating the security technology put into place at SPAWAR.

    Figure 2

The attacker does some quick searches on LinkedIn, using a LinkedIn "hack" (a Google search built from the site: and intitle: operators), to determine the security engineers working for SPAWAR at Barling Bay. In addition, the CEO of said location is also determined. Less than 5 minutes pass and the attacker now has several IT staff member names to choose from (Figure 3).

The following search is used to quickly narrow the results down to Barling Bay SPAWAR employees whose LinkedIn pages mention security, while excluding LinkedIn's own non-profile pages:

    site:www.linkedin.com intitle:linkedin (Barling Bay AND security AND SPAWAR) -intitle:profile -intitle:updated -intitle:blog -intitle:directory -intitle:jobs -intitle:groups -intitle:events -intitle:answers


    Figure 3

The target (Robert Ashworth) receives a spoofed welcome email from the attacker masquerading as the SPAWAR CEO (Bob Bush) via LinkedIn's messaging system. Being a new employee and eager to please his new boss, Robert immediately opens the email. The payload is now delivered to the BIOS of the target laptop.


    LinkedIn Search Results:

    SPAWAR President Barling Bay:


    SPAWAR Target:


Foothold:

The stealth payload from the email is delivered to the BIOS of the target laptop(s) and a persistent agent is installed. See Compromised Workstations (Figure 4). When installed, the deployed agent registers itself as a normal Windows service using the name "Remote Procedure Call (RPC) Net". This name, with slight variations, is also used by Windows for legitimate services: "Remote Procedure Call (RPC)", which provides the endpoint mapper and other RPC services, and "Remote Procedure Call (RPC) Locator", which manages the RPC name service database. In this way the registered service could easily be confused with the legitimate Windows services, except for its lack of a description. The service is implemented in the file rpcnet.exe or rpcnetp.exe.
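A check a responder would run for the masquerade described above, added here as an example; it is not code from the paper or from the cited talk. It enumerates every service whose display name begins with "Remote Procedure Call (RPC)" and reports those that are not the genuine RpcSs or RpcLocator services, have no description, run from outside %SystemRoot%\System32, or use the rpcnet.exe / rpcnetp.exe file names the paper gives. The legitimate service names and the System32 location are stated from default Windows installs; the file names are taken from the paper as an indicator, not as a confirmed signature.

```powershell
# Added example, not part of the paper: flag services whose display name imitates
# the built-in "Remote Procedure Call (RPC)" services. Run in an elevated
# PowerShell session on the suspect host.

# Service names (not display names) of the legitimate Windows services that carry
# a "Remote Procedure Call (RPC)..." display name on a default install.
$LegitimateRpcServices = @('RpcSs', 'RpcLocator')

# Binary names the paper attributes to the implant; treated as an indicator here.
$SuspectBinaries = @('rpcnet.exe', 'rpcnetp.exe')

function Get-RpcMasqueradeFindings {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like 'Remote Procedure Call (RPC)*' } |
        ForEach-Object {
            $svc     = $_
            $path    = "$($svc.PathName)".Trim('"')
            $reasons = New-Object 'System.Collections.Generic.List[string]'

            if ($LegitimateRpcServices -notcontains $svc.Name) {
                $reasons.Add("service name '$($svc.Name)' is not RpcSs or RpcLocator")
            }
            # The paper's tell: the masquerading service has no description.
            if ([string]::IsNullOrWhiteSpace($svc.Description)) {
                $reasons.Add('no service description')
            }
            # Both genuine services run from %SystemRoot%\System32 (svchost.exe / locator.exe).
            if ($path -notlike "$env:SystemRoot\System32\*") {
                $reasons.Add("binary outside System32: $path")
            }
            foreach ($bin in $SuspectBinaries) {
                if ($path -like "*\$bin*") {
                    $reasons.Add("binary name matches reported implant file $bin")
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Name        = $svc.Name
                    DisplayName = $svc.DisplayName
                    State       = $svc.State
                    StartMode   = $svc.StartMode
                    PathName    = $svc.PathName
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
}

Get-RpcMasqueradeFindings | Format-List
```

A service flagged only for the missing description deserves a look at the binary's Authenticode signature and on-disk path before any action; a service flagged for all four reasons is the case the paper describes, and the binary should be pulled for analysis rather than simply deleted, since the paper's point is that it re-installs from firmware.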

    Figure 4


    Exfiltration:

Exfiltrate: to surreptitiously move personnel or materials out of an area under enemy control.

In computing terms, exfiltration is the unauthorized removal of data from a network (Kzsancyian, 2011).

    Figure 5 Exfiltration Methodology


    Persistence:

The victim conducted thorough remediation by:

o System rebuilds
o Changing all local and domain passwords
o Implementing enhanced network controls and segmentation
o Implementing enhanced host-based controls

The attacker re-infiltrates, regaining access to the environment several months later. Compromised servers are now accessed for data. Sleeper malware is now activated to avoid detection (Figure 6).

Data collection strategy: examine and filter in place

o Probe for data of interest
o Obtain recursive directory listings
o Return later to retrieve small sets of specific files

Figure 6 (Kzsancyian, 2011)


Staging Area: locations that aggregate data before sending it out

o Easier to track tools and stolen data
o File size will be minimized
o Fewer connections to external drops will minimize detection
o Using servers will ensure persistent use

Staging points: (Kzsancyian, 2011)

%systemdrive%\RECYCLER
o Recycle Bin maps to subdirectories for each user SID
o Hidden directory
o Root directory shouldn't contain any files

%systemdrive%\System Volume Information
o Subdirectories contain Restore Point folders
o Hidden directory
o Access restricted to SYSTEM by default
o Root directory typically only contains tracking.log

%systemroot%\Tasks
o Special folder; Windows hides its contents in Explorer
o Root directory only contains scheduled .job files, SA.dat and desktop.ini

Optional locations: %systemroot%\system32, %systemroot%\debug, user temp folders
o Trivial to hide from most users
o Staging points vary by OS and attacker privileges

File Extensions:

The attacker avoided a custom HIPS rule that blocked RAR file creation by changing the data file extension; the archive itself is unchanged, only its name differs, so any control keyed on the extension alone misses it.
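The two points above, unexpected files in the staging roots and RAR archives hidden behind another extension, can be checked together. The script below is an added example, not from the paper or the cited talk. It walks the staging points listed above (plus $Recycle.Bin, the Vista-and-later name for RECYCLER), lists files the paper says should not be in those roots, and classifies every file by its first bytes against the RAR 4 and RAR 5 signatures, so a renamed archive is still reported. The per-directory allow-lists come from the paper's own descriptions; the signature byte values are stated from the RAR format and labelled as assumed in the code.

```powershell
# Added example, not part of the paper: check the staging points above for files
# that do not belong in their root directories, and identify RAR archives by their
# signature bytes instead of by extension. Run elevated; the System Volume
# Information root is only readable with SYSTEM-level rights.

# RAR signatures (assumed exact): RAR 1.5-4.x starts "Rar!\x1A\x07\x00",
# RAR 5 starts "Rar!\x1A\x07\x01\x00".
$RarV4 = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00)
$RarV5 = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01, 0x00)

# Staging points named in the paper, each with the files legitimately found in its root.
# $Recycle.Bin is the Vista-and-later name of the XP-era RECYCLER directory.
$StagingPoints = @(
    @{ Path = Join-Path $env:SystemDrive 'RECYCLER';                  Allowed = @() },
    @{ Path = Join-Path $env:SystemDrive '$Recycle.Bin';              Allowed = @() },
    @{ Path = Join-Path $env:SystemDrive 'System Volume Information'; Allowed = @('tracking.log') },
    @{ Path = Join-Path $env:SystemRoot  'Tasks';                     Allowed = @('*.job', 'SA.DAT', 'desktop.ini') }
)

function Test-BytePrefix {
    param([byte[]]$Buffer, [int]$Count, [byte[]]$Signature)
    if ($Count -lt $Signature.Length) { return $false }
    for ($i = 0; $i -lt $Signature.Length; $i++) {
        if ($Buffer[$i] -ne $Signature[$i]) { return $false }
    }
    return $true
}

function Get-RarFormat {
    # Returns 'RAR4', 'RAR5' or $null from the first 8 bytes only; renaming cannot hide this.
    param([Parameter(Mandatory)][string]$Path)
    $buf = New-Object byte[] 8
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    } catch { return $null }   # locked or unreadable: cannot classify
    if (Test-BytePrefix $buf $n $RarV5) { return 'RAR5' }
    if (Test-BytePrefix $buf $n $RarV4) { return 'RAR4' }
    return $null
}

function Get-StagingPointFindings {
    foreach ($sp in $StagingPoints) {
        if (-not (Test-Path -LiteralPath $sp.Path)) { continue }
        # -Force includes hidden and system files; per-file access errors are skipped.
        Get-ChildItem -LiteralPath $sp.Path -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file    = $_
                $allowed = $false
                foreach ($pattern in $sp.Allowed) {
                    if ($file.Name -like $pattern) { $allowed = $true }
                }
                $rar = Get-RarFormat -Path $file.FullName
                if ($rar) {
                    $finding = "$rar archive named $($file.Name)"
                } elseif (-not $allowed) {
                    $finding = 'unexpected file in staging root'
                } else {
                    return   # expected file and not an archive: nothing to report
                }
                [pscustomobject]@{
                    Location = $sp.Path
                    File     = $file.Name
                    SizeKB   = [math]::Round($file.Length / 1KB, 1)
                    Modified = $file.LastWriteTime
                    Finding  = $finding
                }
            }
    }
}

Get-StagingPointFindings | Format-Table -AutoSize
```

Files reported as RAR archives under a data-looking extension are exactly what the extension-based HIPS rule in the paper failed to catch. Files that are merely unexpected should be compared against a clean host of the same OS build before being called malicious, since the root contents vary between versions. Other archive formats are covered by adding their signatures alongside the RAR ones.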


Exfiltration Techniques: (Kzsancyian, 2011)

o Exfiltration via outbound encrypted (HTTPS) connections: Keep It Simple Silly (KISS)
o Out-of-band: distinct from C2 channels and endpoints (Figure 7)
  o Maintain separate external drop points
  o C2 resilience if the data exfil channel is detected

Figure 7 Outbound HTTPS
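Because the content is encrypted, the defender is left with connection metadata, and the pattern described here (few connections, large uploads, to a drop host that almost nobody else in the enterprise talks to) is visible in it. The script below is an added example, not from the paper or the cited talk, of the kind of proxy-log query that surfaces that pattern. The log lines, host names and addresses are constructed for the example; the five-field layout (timestamp, client, destination host, bytes sent, bytes received) is an assumption about the proxy, and the parser must be adapted to the real format.

```powershell
# Added example, not part of the paper: find destinations that look like
# exfiltration drop points in outbound HTTPS proxy logs. The log lines and host
# names are constructed for this example; the field layout (time, client,
# destination host, bytes sent, bytes received) is an assumption about the proxy.

$ProxyLog = @'
2011-02-14T09:01:12 10.1.4.21 www.windowsupdate.com 1200 482000
2011-02-14T09:02:40 10.1.4.22 www.windowsupdate.com 1180 390112
2011-02-14T09:15:03 10.1.4.21 mail.example-corp.invalid 84000 52000
2011-02-14T10:11:55 10.1.4.37 cdn-static.example-drop.invalid 5242880 620
2011-02-14T13:42:10 10.1.4.37 cdn-static.example-drop.invalid 4980736 611
2011-02-14T14:05:31 10.1.4.21 www.windowsupdate.com 1210 402330
2011-02-14T17:58:02 10.1.4.37 cdn-static.example-drop.invalid 5300000 630
'@

function Get-UploadHeavyDestinations {
    param(
        [string[]]$Lines,
        [double]$MinUploadRatio = 10,   # bytes out divided by bytes in
        [int]$MinBytesOut = 1MB,        # ignore small uploads (forms, cookies, TLS handshakes)
        [int]$MaxClients = 2            # few distinct sources: not a popular public service
    )
    $records = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time = [datetime]$f[0]; Client = $f[1]; Host = $f[2]
            BytesOut = [long]$f[3]; BytesIn = [long]$f[4]
        }
    }
    $records | Group-Object Host | ForEach-Object {
        $out     = ($_.Group | Measure-Object BytesOut -Sum).Sum
        $in      = ($_.Group | Measure-Object BytesIn  -Sum).Sum
        $clients = ($_.Group.Client | Sort-Object -Unique).Count
        $ratio   = if ($in -gt 0) { $out / $in } else { [double]::PositiveInfinity }
        if ($out -ge $MinBytesOut -and $ratio -ge $MinUploadRatio -and $clients -le $MaxClients) {
            [pscustomobject]@{
                Host        = $_.Name
                Connections = $_.Count
                Clients     = $clients
                BytesOutMB  = [math]::Round($out / 1MB, 1)
                UploadRatio = [math]::Round($ratio, 0)
            }
        }
    }
}

Get-UploadHeavyDestinations -Lines ($ProxyLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed data the update host passes (many clients, download-heavy) and the mail host passes (upload and download roughly balanced), while the one destination that a single client pushes several megabytes to, three times in a day, is reported. The thresholds are starting points to tune against a baseline, and because the paper's attacker keeps the drop point separate from the C2 endpoint, a hit here should trigger a second look at the same client's other long-lived, low-volume HTTPS sessions rather than being treated as the whole picture.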


    Figure 8 All malware traffic is encrypted (Kzsancyian, 2011)


Bibliography

Kzsancyian, R. (2011). Methods and Defenses for Data Exfiltration. Black Hat DC 2011 (p. 57). DC: Mandiant.