Evolutions in APT Tactics

Lee Lawson

SecureWorks – Counter Threat Unit

Lee Lawson – Counter Threat Unit Special Operations

• The CTU operates in the field of cyber intelligence, researching new cyber-threats and gathering intelligence on the perpetrators and protecting our customers with that knowledge

• The Special Operations team is dedicated to responding to attacks from hostile Nation States and other advanced adversaries on a daily basis

A Moving Battlefield

“All great changes are preceded by chaos” - Deepak Chopra

Throughout history we have always had conflict:

Conflict: Crime, War, Competition, Civil Unrest
Defenders: Spy Agencies, Law Enforcement, Security Vendors
Attackers: Anarchists, Criminals, Spy Agencies

This is nothing new…

However we are allowing it to occur in the cyber world with impunity, at large scale, with low risk to the attackers… they are also very successful.

“In times of rapid change, experience could be your worst enemy.” - J. Paul Getty

Static approach | evolving threat

“The most dangerous phrase in the language is, ‘We’ve always done it this way.’” - Rear Admiral Grace Murray Hopper

Motivated, Mission Oriented

Lifecycle: Acquire Target → Spearphish / Watering Hole → Exploit → Expand → Maintain Access → Exfiltrate Data → Destroy

Recent Evolutions in TTPs

• “Living off the land”
• Virtualisation
• Defensive Evasion

Defensive Evasion

“If you’re not hunting, you’re the hunted.” - Unknown

Disabling Security Products

• The threat actors realised they were being detected and instead of running away, they began to investigate

• They started by disabling the “Cylance PROTECT” service on the system that was compromised

Hunt the Hunter

• Following eviction and re-entry the adversary collected data on the defenders

(Screenshots: WinRAR)

Hidden in the Crowd

Living off the land

“The opportunity to secure ourselves against defeat lies in our own hands.” Sun Tzu

Page 14: Evolutions in APT Tactics -   · PDF fileon the perpetrators and protecting our customers with ... Acquire Target Destroy Spearphish ... 21 Time Active Script Event Consumer

14

Living Off The Land

E V O L U T I O NR

“The use of built-in tools to achieve goals”

Downloading Tools

Oracle Exploit → bitsadmin.exe → Direct IP

Malware → bitsadmin.exe → DropBox

PowerShell & WMI

WMI Architecture

Clients: PowerShell, WMIC.exe, WSH, WBEMtest, C++ via COM, win*.exe
Query Language: WQL, CQL
Protocol: DCOM, WinRM
WMI Service
WMI Providers: cimwin32.dll, stdprov.dll
WMI Repository – Classes: Win32_Process, Win32_ClockProvider, Win32_StartupCommand, CIM_Process, CIM_RemoteFileSystem

WMI Architecture – WMI Repository

Class → Instance/Object → Properties, Methods

Action: Event → Binding → Consumer
Example: Time (Win32_ClockProvider) → Active Script Event Consumer → malware.vbs

MOF files provide the schema in which the generated data is formatted

Active Script Event Consumer

Standard event consumer classes:

• LogFileEventConsumer – writes event data to a specified log file
• ActiveScriptEventConsumer – executes an embedded VBScript or JScript script payload
• NTEventLogEventConsumer – creates an event log entry containing the event data
• SMTPEventConsumer – sends an email containing the event data
• CommandLineEventConsumer – executes a command-line program

WMI + APT = OMG

Binary MOF / Custom Class:

1. Copied ActiveScriptEventConsumer to “ASEventConsumerdr”
2. Used WMI class “Win32ClockProvider”
3. Used WMI consumer “ASEventConsumerdr”
4. Created WMI event binding to execute an embedded VBS script

• At 11:03pm every night, the WMI event triggered and executed the script
• Enabled Guest and Administrator accounts
• Set same password on both accounts
• Checked in with Command & Control server
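A triage check for the persistence pattern on this slide, written as an added example (not code from the presentation or from SecureWorks). It models the four steps above as they would appear in an export of the root/subscription namespace and flags the filter-to-consumer binding. The WmiInstance record, the sample objects, the ClockFilter/ClockConsumer names, the timer query (modelled on the 23:03 trigger) and the placeholder script text are all constructed here; __EventFilter, __FilterToConsumerBinding, ActiveScriptEventConsumer and Win32_LocalTime are Microsoft's real class names. The point of the check is that it keys on the consumer's __DERIVATION chain rather than its class name, which is what catches a copied class such as “ASEventConsumerdr”.

```python
"""Triage of WMI permanent event subscriptions (root/subscription) for a
timer-driven filter bound to a renamed copy of ActiveScriptEventConsumer.

Added example: the records below are constructed to resemble an export of
root/subscription and are not data from the original presentation."""
import re
from dataclasses import dataclass, field

# Consumer classes that execute attacker-controlled code when the bound filter fires.
SCRIPT_CONSUMER_CLASSES = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

# Markers of timer-style filters (the deck's case fired nightly via the clock provider).
TIMER_MARKERS = ("Win32_LocalTime", "Win32_UTCTime", "__TimerEvent")


@dataclass
class WmiInstance:
    cls: str                    # value of the __CLASS system property
    derivation: list            # value of __DERIVATION, nearest parent first
    props: dict = field(default_factory=dict)   # instance properties


# Constructed sample: one default Windows subscription and one modelled on the deck.
SAMPLE_ROOT_SUBSCRIPTION = [
    WmiInstance("__EventFilter", ["__IndicationRelated", "__SystemClass"],
                {"Name": "SCM Event Log Filter",
                 "Query": "select * from MSFT_SCMEventLogEvent"}),
    WmiInstance("NTEventLogEventConsumer",
                ["__EventConsumer", "__IndicationRelated", "__SystemClass"],
                {"Name": "SCM Event Log Consumer"}),
    WmiInstance("__FilterToConsumerBinding", ["__IndicationRelated", "__SystemClass"],
                {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
                 "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'}),
    WmiInstance("__EventFilter", ["__IndicationRelated", "__SystemClass"],
                {"Name": "ClockFilter",   # constructed name
                 "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 60 "
                           "WHERE TargetInstance ISA 'Win32_LocalTime' "
                           "AND TargetInstance.Hour = 23 AND TargetInstance.Minute = 3")}),
    # Renamed copy of ActiveScriptEventConsumer: the class name is new, the lineage is not.
    WmiInstance("ASEventConsumerdr",
                ["ActiveScriptEventConsumer", "__EventConsumer",
                 "__IndicationRelated", "__SystemClass"],
                {"Name": "ClockConsumer", "ScriptingEngine": "VBScript",
                 "ScriptText": "' placeholder for the embedded script body"}),
    WmiInstance("__FilterToConsumerBinding", ["__IndicationRelated", "__SystemClass"],
                {"Filter": '__EventFilter.Name="ClockFilter"',
                 "Consumer": 'ASEventConsumerdr.Name="ClockConsumer"'}),
]

_REF = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')


def parse_ref(ref):
    """Split a binding reference such as ASEventConsumerdr.Name="X" into (class, name)."""
    m = _REF.match(ref)
    return (m.group("cls"), m.group("name")) if m else (None, None)


def executes_code(consumer):
    """True if the consumer is, or inherits from, a class that runs scripts or commands."""
    return consumer.cls in SCRIPT_CONSUMER_CLASSES or any(
        parent in SCRIPT_CONSUMER_CLASSES for parent in consumer.derivation)


def hunt_subscriptions(objects):
    """Return one finding per binding whose consumer can execute code."""
    by_key = {(o.cls, o.props.get("Name")): o for o in objects
              if o.cls != "__FilterToConsumerBinding"}
    findings = []
    for binding in (o for o in objects if o.cls == "__FilterToConsumerBinding"):
        consumer = by_key.get(parse_ref(binding.props["Consumer"]))
        filt = by_key.get(parse_ref(binding.props["Filter"]))
        if consumer is None or not executes_code(consumer):
            continue
        reasons = []
        if consumer.cls not in SCRIPT_CONSUMER_CLASSES:
            base = next(p for p in consumer.derivation if p in SCRIPT_CONSUMER_CLASSES)
            reasons.append(f"consumer class {consumer.cls} is a copy of {base}")
        if consumer.props.get("ScriptText"):
            reasons.append("consumer carries an embedded script")
        query = filt.props.get("Query", "") if filt else ""
        if any(marker in query for marker in TIMER_MARKERS):
            reasons.append("filter is timer-driven")
        findings.append({"consumer": consumer.props.get("Name"),
                         "consumer_class": consumer.cls,
                         "filter": filt.props.get("Name") if filt else None,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_subscriptions(SAMPLE_ROOT_SUBSCRIPTION):
        print(finding)
```

On a live host the same three object types can be pulled from root/subscription with the standard WMI tooling (for example Get-CimInstance -Namespace root/subscription with the class names above), and the lineage comes from WMI's __DERIVATION system property; a hunt that only string-matches "ActiveScriptEventConsumer" against the class name misses the copied class entirely.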

Hiding in virtual shadows

“…defeated warriors go to war first and then seek to win.” - Sun Tzu

• In April 2016, the SecureWorks Counter Threat Unit(TM) research team was alerted to suspicious behaviour via the Advanced Endpoint Threat Detection - Red Cloak(TM) platform

Pre-Built Virtual Machine: Install script, wget.exe

Download → Start Virtual Machine → Install script → Installation Actions → Clean Up

• Endpoint agent
• Anti-Virus
• Event Logging

versus

• No visibility
• No Anti-Virus
• No logging
• Remote Access
• Network Countermeasures

What Can Be Done?

“Never interrupt your enemy when he is making a mistake.” - Napoleon Bonaparte

Re-Tool for the Battlefield

• As the adversary evolves, so must we
• People, process, and technology must change to reflect the threat
  – People: Knowledge + training = an understanding of what adversaries are capable of
  – Process: Ensure that you are looking for these types of evolutions
  – Technology: Ensure that your security products are capable of finding these threats and are capable of fast threat detection evolution

Fast & Flexible Threat Detection

• SecureWorks Red Cloak Advanced Endpoint Threat Detection watchlist approach

If Parent Program [=] Winword.exe
If Program [ends with] .exe
If Program [!=] splwow64.exe
Then ALERT!!

Detects Dridex and many other Word macro droppers

If Program [ends with] wmic.exe
If Command [contains] “process call create”
If Command [contains] “/node”
If Command [!contain] “/node:127.0.0.1”
Then ALERT!!

Detects remote execution with WMI

If Command [list] lsadump::cache, lsadump::lsa, lsadump::sam, lsadump::secrets
Then ALERT!!

Detects Mimikatz activity

If Parent Program [=] psexecsvc.exe
If Program [ends with] cmd.exe
If Command [list] whoami, net group
Then ALERT!!

Detects suspicious PsExec activity

Detections based on behaviour

• Your adversary is evolving
  – Defensive Evasion
  – Living off the Land
  – Virtualisation
• Threat detection focus on behaviour
  – Behaviour of programs & people
• Threat detection solutions must now be
  – Fast – quickly deploy new detections
  – Flexible – can match an evolving threat