Evolutions in APT Tactics
Lee Lawson
SecureWorks – Counter Threat Unit
Lee Lawson – Counter Threat Unit, Special Operations
• The CTU operates in the field of cyber intelligence: researching new cyber-threats, gathering intelligence on the perpetrators and protecting our customers with that knowledge
• The Special Operations team is dedicated to responding to attacks from hostile nation states and other advanced adversaries on a daily basis
A Moving Battlefield
“All great changes are preceded by chaos”
- Deepak Chopra
Throughout history we have always had conflict. This is nothing new…
However, we are allowing it to occur in the cyber world with impunity, at large scale, with low risk to the attackers… and they are also very successful.

Conflict: War, Crime, Competition, Civil Unrest
Defenders: Spy Agencies, Law Enforcement, Security Vendors
Attackers: Anarchists, Criminals, Spy Agencies
In times of rapid change, experience could be your worst enemy.
- J. Paul Getty
Static approach | evolving threat
The most dangerous phrase in the language is, ‘We’ve always done it this way.’
- Rear Admiral Grace Murray Hopper
The adversary: Motivated, Mission Oriented
Lifecycle: Acquire Target → Spearphish / Watering Hole → Exploit → Expand → Maintain Access → Exfiltrate Data / Destroy
Recent Evolutions in TTPs
• Defensive Evasion
• “Living off the land”
• Virtualisation
Defensive Evasion
“If you’re not hunting, you’re the hunted.”
- Unknown
Disabling Security Products
• The threat actors realised they were being detected and, instead of running away, they began to investigate
• They started by disabling the “Cylance PROTECT” service on the system that was compromised
Hunt the Hunter
• Following eviction and re-entry, the adversary collected data on the defenders
[Screenshots: WinRAR]
Hidden in the Crowd
Living off the land
“The opportunity to secure ourselves against defeat lies in our own hands.”
- Sun Tzu
Living Off The Land
(R)EVOLUTION
“The use of built-in tools to achieve goals”
Downloading Tools
Oracle Exploit → bitsadmin.exe → Direct IP
Downloading Tools
Malware → bitsadmin.exe → DropBox
PowerShell & WMI
WMI Architecture
• Clients: PowerShell, WMIC.exe, WSH, WBEMtest, C++ via COM, win*.exe
• Query Language: WQL, CQL
• Protocol: DCOM, WinRM
• WMI Service
• WMI Providers: cimwin32.dll, stdprov.dll
• WMI Repository – Classes: Win32_Process, Win32_ClockProvider, Win32_StartupCommand, CIM_Process, CIM_RemoteFileSystem
WMI Architecture – WMI Repository
• Class → Instance/Object (Properties, Methods)
• Event → Binding → Consumer → Action
• Example pictured: Win32_ClockProvider (class and instance) supplies the Time event; the binding ties it to an Active Script Event Consumer whose action runs malware.vbs
• MOF files provide the schema in which the generated data is formatted
Active Script Event Consumer
• LogFileEventConsumer – writes event data to a specified log file
• ActiveScriptEventConsumer – executes an embedded VBScript or JScript script payload
• NTEventLogEventConsumer – creates an event log entry containing the event data
• SMTPEventConsumer – sends an email containing the event data
• CommandLineEventConsumer – executes a command-line program
WMI + APT = OMG
WMI + APT = OMG
Binary MOF
1. Copied ActiveScriptEventConsumer to “ASEventConsumerdr” (custom class)
2. Used WMI class “Win32ClockProvider”
3. Used WMI consumer “ASEventConsumerdr”
4. Created WMI event binding to execute an embedded VBS script
• At 11:03pm every night, the WMI event triggered and executed the script
• Enabled Guest and Administrator accounts
• Set the same password on both accounts
• Checked in with the Command & Control server
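As an added example (not from the deck or from SecureWorks), a read-only PowerShell audit of the root\subscription namespace for the pattern described above: a clock-driven filter bound to a consumer that carries a script or command payload. It assumes an administrative PowerShell session on the host under review and the built-in CIM cmdlets; the one known-benign filter name is the binding Windows ships by default.

```powershell
# Added example, not from the deck: audit persistent WMI event subscriptions
# for the timer -> script-consumer pattern. Read-only; nothing is removed.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
# __EventConsumer is the abstract base class, so this returns every derived
# consumer: a renamed copy such as "ASEventConsumerdr" is listed too, even
# though a query for ActiveScriptEventConsumer by name would miss it.
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer properties that carry executable content, whatever the class is called
$payloadProps = 'ScriptText', 'ScriptFileName', 'CommandLineTemplate', 'ExecutablePath'

# Windows ships exactly one binding by default (SCM Event Log Filter -> NTEventLogEventConsumer)
$knownBenign = @('SCM Event Log Filter')

$findings = foreach ($b in $bindings) {
    # Filter and Consumer are object references; resolve them by key name
    $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1

    # First populated payload property, if any
    $payload = $null
    foreach ($p in $payloadProps) {
        $v = $consumer.CimInstanceProperties[$p].Value
        if ($v) { $payload = "$p=$v"; break }
    }

    # Clock-driven filters are commonly written against the Win32 clock provider's
    # Win32_LocalTime / Win32_UTCTime instance events or against __TimerEvent;
    # that is how "every night at 23:03" is expressed in WQL.
    $timeDriven = $filter.Query -match 'Win32_LocalTime|Win32_UTCTime|__TimerEvent'

    [pscustomobject]@{
        Filter        = $filter.Name
        Query         = $filter.Query
        ConsumerClass = $consumer.CimClass.CimClassName
        Consumer      = $consumer.Name
        Payload       = $payload
        Suspicious    = ($filter.Name -notin $knownBenign) -and ($payload -or $timeDriven)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List
```

A non-default consumer class name combined with an embedded ScriptText is the strongest signal here; the Query column shows the schedule the adversary chose.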
Hiding in virtual shadows
“…defeated warriors go to war first and then seek to win.”
- Sun Tzu
• In April 2016, the SecureWorks Counter Threat Unit™ research team was alerted to suspicious behaviour via the Advanced Endpoint Threat Detection – Red Cloak™ platform
[Diagram: Pre-Built Virtual Machine; Install script; wget.exe]
Download → Start Virtual Machine → Install script → Installation Actions → Clean Up
On the host:
• Endpoint agent
• Anti-Virus
• Event Logging
Inside the virtual machine:
• No visibility
• No Anti-Virus
• No logging
• Remote Access
• Network Countermeasures
What Can Be Done?
“Never interrupt your enemy when he is making a mistake.”
- Napoleon Bonaparte
Re-Tool for the Battlefield
• As the adversary evolves, so must we
• People, process, and technology must change to reflect the threat
– People: knowledge + training = an understanding of what adversaries are capable of
– Process: ensure that you are looking for these types of evolutions
– Technology: ensure that your security products are capable of finding these threats and are capable of fast threat detection evolution
Fast & Flexible Threat Detection
• SecureWorks Red Cloak Advanced Endpoint Threat Detection watchlist approach
If Parent Program [=] Winword.exe
If Program [ends with] .exe
If Program [!=] splwow64.exe
Then ALERT!!
Detects Dridex and many other Word macro droppers
Fast & Flexible Threat Detection
If Program [ends with] wmic.exe
If Command [contains] “process call create”
If Command [contains] “/node”
If Command [!contain] “/node:127.0.0.1”
Then ALERT!!
Detects remote execution with WMI
Fast & Flexible Threat Detection
If Command [list] lsadump::cache, lsadump::lsa, lsadump::sam, lsadump::secrets
Then ALERT!!
Detects Mimikatz activity
Fast & Flexible Threat Detection
If Parent Program [=] psexecsvc.exe
If Program [ends with] cmd.exe
If Command [list] whoami, net group
Then ALERT!!
Detects suspicious PsExec activity
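The four watchlist rules above, written out as an added PowerShell example (not Red Cloak's own rule syntax or code): each rule is a predicate over a process-creation record with Sysmon-style Image, ParentImage and CommandLine fields, and the sample records are constructed to exercise both the alerting and the excluded cases.

```powershell
# Added example, not from the deck: the slide 33-36 watchlist rules as predicates.
function Test-WatchlistRules {
    param([Parameter(Mandatory)][psobject]$Record)

    $program = [System.IO.Path]::GetFileName($Record.Image)
    $parent  = [System.IO.Path]::GetFileName($Record.ParentImage)
    $cmd     = $Record.CommandLine
    $hits    = @()

    # Slide 33: Word spawning an executable; splwow64.exe (print spooler helper) is the benign exclusion
    if ($parent -ieq 'winword.exe' -and $program -like '*.exe' -and $program -ine 'splwow64.exe') {
        $hits += 'Word macro dropper'
    }
    # Slide 34: wmic remote process creation; the loopback exclusion drops local administration
    if ($program -like '*wmic.exe' -and $cmd -match 'process call create' -and
        $cmd -match '/node' -and $cmd -notmatch '/node:127\.0\.0\.1') {
        $hits += 'Remote execution with WMI'
    }
    # Slide 35: Mimikatz lsadump modules, matched on the command line regardless of binary name
    if ($cmd -match 'lsadump::(cache|lsa|sam|secrets)') {
        $hits += 'Mimikatz activity'
    }
    # Slide 36: discovery commands from a PsExec-spawned shell. The deck writes the
    # parent as psexecsvc.exe; the service binary PsExec drops is PSEXESVC.exe, so both are accepted.
    if ($parent -in @('psexesvc.exe', 'psexecsvc.exe') -and $program -like '*cmd.exe' -and
        $cmd -match 'whoami|net group') {
        $hits += 'Suspicious PsExec activity'
    }
    return $hits
}

# Constructed sample records (not real telemetry); paths and host name are illustrative
$samples = @(
    [pscustomobject]@{ ParentImage = 'C:\Office\WINWORD.EXE';          Image = 'C:\Users\u\AppData\Local\Temp\inv.exe';  CommandLine = 'inv.exe' }
    [pscustomobject]@{ ParentImage = 'C:\Office\WINWORD.EXE';          Image = 'C:\Windows\splwow64.exe';                CommandLine = 'splwow64.exe' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe';    Image = 'C:\Windows\System32\wbem\WMIC.exe';      CommandLine = 'wmic /node:FILESRV01 process call create "notepad.exe"' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe';    Image = 'C:\Windows\System32\wbem\WMIC.exe';      CommandLine = 'wmic /node:127.0.0.1 process call create "notepad.exe"' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe';    Image = 'C:\Temp\m.exe';                          CommandLine = 'm.exe "lsadump::sam"' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\PSEXESVC.exe';        Image = 'C:\Windows\System32\cmd.exe';            CommandLine = 'cmd.exe /c net group "Domain Admins" /domain' }
)

foreach ($s in $samples) {
    $hits = Test-WatchlistRules -Record $s
    '{0,-62} -> {1}' -f $s.CommandLine, $(if ($hits) { $hits -join ', ' } else { 'no alert' })
}
```

Records 2 and 4 show why the exclusions matter: without them every Word print job and every local wmic call would page the analyst.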
Fast & Flexible Threat Detection [screenshot slides]
Detections based on behaviour
• Your adversary is evolving
– Defensive Evasion
– Living off the Land
– Virtualisation
• Threat detection must focus on behaviour
– Behaviour of programs & people
• Threat detection solutions must now be
– Fast: quickly deploy new detections
– Flexible: can match an evolving threat