Evolutions in APT Tactics
Lee Lawson
SecureWorks – Counter Threat Unit, Special Operations
• The CTU operates in the field of cyber intelligence, researching new cyber-threats, gathering intelligence on the perpetrators and protecting our customers with that knowledge
• The Special Operations team is dedicated to responding to attacks from hostile Nation States and other advanced adversaries on a daily basis
A Moving Battlefield
“All great changes are preceded by chaos” - Deepak Chopra

Throughout history we have always had conflict. This is nothing new…

  Conflict:  War, Crime, Competition, Civil Unrest
  Defenders: Spy Agencies, Law Enforcement, Security Vendors
  Attackers: Anarchists, Criminals, Spy Agencies

However we are allowing it to occur in the cyber world with impunity, at large scale, with low risk to the attackers… and they are also very successful.

“In times of rapid change, experience could be your worst enemy.” - J. Paul Getty

Static approach | evolving threat
“The most dangerous phrase in the language is, ‘We’ve always done it this way.’” - Rear Admiral Grace Murray Hopper
The adversary (diagram on slide)
  Traits: Motivated, Mission Oriented
  Lifecycle: Acquire Target -> Spearphish / Watering Hole -> Exploit -> Expand -> Maintain Access -> Exfiltrate Data / Destroy
Recent Evolutions in TTPs
• Defensive Evasion
• “Living off the land”
• Virtualisation
Defensive Evasion
“If you’re not hunting, you’re the hunted.” - Unknown
Disabling Security Products
• The threat actors realised they were being detected and instead of running away, they began to investigate
• They started by disabling the “Cylance PROTECT” service on the system that was compromised
Hunt the Hunter
• Following eviction and re-entry the adversary collected data on the defenders
(Slide shows WinRAR archives of the collected data)
Hidden in the Crowd
Living Off The Land
“The opportunity to secure ourselves against defeat lies in our own hands.” - Sun Tzu

“The use of built-in tools to achieve goals”
Downloading Tools
  Oracle Exploit -> bitsadmin.exe -> Direct IP
  Malware -> bitsadmin.exe -> DropBox
PowerShell & WMI
WMI Architecture (diagram on slide)
  Clients: PowerShell, WMIC.exe, WSH, WBEMtest, C++ via COM, win*.exe
  Query Language: WQL, CQL
  Protocol: DCOM, WinRM
  WMI Service
  WMI Providers: cimwin32.dll, stdprov.dll
  WMI Repository, Classes: Win32_Process, Win32_ClockProvider, Win32_StartupCommand, CIM_Process, CIM_RemoteFileSystem
WMI Architecture: the WMI Repository (built up over three slides)
  Class -> Instance/Object -> Properties, Methods
  Action: Event -> Binding -> Consumer
  Example on the slide: Event = Win32_ClockProvider (Time); Consumer = Active Script Event Consumer running malware.vbs
  MOF files provide the schema in which the generated data is formatted
Event consumer classes (the slide highlights the Active Script Event Consumer)
• LogFileEventConsumer: writes event data to a specified log file
• ActiveScriptEventConsumer: executes an embedded VBScript or JScript script payload
• NTEventLogEventConsumer: creates an event log entry containing the event data
• SMTPEventConsumer: sends an email containing the event data
• CommandLineEventConsumer: executes a command-line program
WMI + APT = OMG

How the persistence was built (Binary MOF, Custom Class):
1. Copied ActiveScriptEventConsumer to “ASEventConsumerdr”
2. Used WMI class “Win32_ClockProvider”
3. Used WMI consumer “ASEventConsumerdr”
4. Created WMI event binding to execute an embedded VBS script

What it did:
• At 11:03pm every night, the WMI event triggered and executed the script
• Enabled Guest and Administrator accounts
• Set same password on both accounts
• Checked in with Command & Control server
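An added hunting example (not from the deck or the SecureWorks product) that enumerates permanent WMI event subscriptions and flags the two things the slides above describe: a consumer class that is not one of the five built-ins, and script or command-line consumers bound to a filter. It assumes PowerShell 3 or later on Windows with rights to read root/subscription; the variable StandardConsumers and the helper Get-RefName are mine.

```powershell
# Added example: hunt the root/subscription namespace for WMI persistence of the
# kind described on the slides. Run elevated; Get-Cim* cmdlets need PowerShell 3+.
$Namespace = 'root/subscription'

# The five consumer classes Windows ships with (listed on the slide above).
$StandardConsumers = @('LogFileEventConsumer', 'ActiveScriptEventConsumer',
                       'NTEventLogEventConsumer', 'SMTPEventConsumer', 'CommandLineEventConsumer')

# Binding references arrive either as a CimInstance or as a path string such as
# __EventFilter.Name="x"; return the Name from either form. (Helper name is mine.)
function Get-RefName($Ref) {
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $Ref }
    }
    return $Ref.Name
}

# 1. A consumer class outside the built-in five is a strong signal: the slide
#    describes ActiveScriptEventConsumer being cloned as "ASEventConsumerdr".
Get-CimClass -Namespace $Namespace |
    Where-Object { $_.CimSuperClassName -eq '__EventConsumer' -and
                   $StandardConsumers -notcontains $_.CimClassName } |
    ForEach-Object { Write-Warning "Custom consumer class: $($_.CimClassName)" }

# 2. Walk every filter -> consumer binding: what triggers it and what it runs.
$Filters = @{}; $Consumers = @{}
Get-CimInstance -Namespace $Namespace -ClassName __EventFilter   | ForEach-Object { $Filters[$_.Name] = $_ }
Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer | ForEach-Object { $Consumers[$_.Name] = $_ }

Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding | ForEach-Object {
    $f = $Filters[(Get-RefName $_.Filter)]
    $c = $Consumers[(Get-RefName $_.Consumer)]
    $class = $c.CimClass.CimClassName
    # Script and command-line consumers run attacker-controlled content; the
    # payload sits in ScriptText or CommandLineTemplate, so surface it for review.
    $payload = if ($c.ScriptText) { $c.ScriptText } elseif ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { '' }
    $high = ($class -in @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')) -or
            ($StandardConsumers -notcontains $class)
    $severity = if ($high) { 'HIGH' } else { 'info' }
    [pscustomobject]@{
        Severity = $severity
        Filter   = $f.Name
        Query    = $f.Query      # e.g. a nightly timer like the 11:03pm trigger on the slide
        Consumer = $c.Name
        Class    = $class
        Payload  = $payload.Substring(0, [Math]::Min(120, $payload.Length))
    }
} | Sort-Object Severity | Format-Table -AutoSize -Wrap
```

Any HIGH row, and any warning about a non-standard consumer class, deserves the same follow-up the deck describes: pull the filter query and the full payload before deciding whether to evict.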
Hiding in Virtual Shadows
“…defeated warriors go to war first and then seek to win.” - Sun Tzu
• In April 2016, the SecureWorks Counter Threat Unit™ research team was alerted to suspicious behaviour via the Advanced Endpoint Threat Detection - Red Cloak™ platform

Diagram labels: Pre-Built Virtual Machine, Install script, wget.exe
Sequence: Download -> Start Virtual Machine; Install script -> Installation Actions -> Clean Up
Visibility comparison
  Host: Endpoint agent, Anti-Virus, Event Logging
  Inside the virtual machine: No visibility, No Anti-Virus, No logging
  Also shown: Remote Access, Network Countermeasures
What Can Be Done?
“Never interrupt your enemy when he is making a mistake.” - Napoleon Bonaparte
Re-Tool for the Battlefield
• As the adversary evolves, so must we
• People, process, and technology must change to reflect the threat
  – People: knowledge + training = an understanding of what adversaries are capable of
  – Process: ensure that you are looking for these types of evolutions
  – Technology: ensure that your security products are capable of finding these threats and are capable of fast threat detection evolution
Fast & Flexible Threat Detection
• SecureWorks Red Cloak Advanced Endpoint Threat Detection watchlist approach

Watchlist rule 1:
  If Parent Program [=] Winword.exe
  If Program [ends with] .exe
  If Program [!=] splwow64.exe
  Then ALERT!!
Detects Dridex and many other Word macro droppers
Fast & Flexible Threat Detection
Watchlist rule 2:
  If Program [ends with] wmic.exe
  If Command [contains] “process call create”
  If Command [contains] “/node”
  If Command [!contain] “/node:127.0.0.1”
  Then ALERT!!
Detects remote execution with WMI
Fast & Flexible Threat Detection
Watchlist rule 3:
  If Command [list] lsadump::cache, lsadump::lsa, lsadump::sam, lsadump::secrets
  Then ALERT!!
Detects Mimikatz activity
Fast & Flexible Threat Detection
Watchlist rule 4:
  If Parent Program [=] psexecsvc.exe
  If Program [ends with] cmd.exe
  If Command [list] whoami, net group
  Then ALERT!!
Detects suspicious PsExec activity
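The four watchlist rules above, implemented as an added PowerShell example (not the Red Cloak product's own code) and run over constructed process-start telemetry. The field names Computer, ParentProgram, Program and Command, the function Test-Watchlist and all sample events are my assumptions for illustration.

```powershell
# Added example: a tiny watchlist evaluator reproducing the four slide rules.
# Each rule is a scriptblock over one process-start record (field names are assumed).
$Rules = @(
    @{ Name = 'Word spawning an executable (macro dropper)'
       Test = { param($e) $e.ParentProgram -eq 'winword.exe' -and $e.Program -like '*.exe' -and $e.Program -ne 'splwow64.exe' } }
    @{ Name = 'Remote execution with WMI'
       Test = { param($e) $e.Program -like '*wmic.exe' -and $e.Command -match 'process call create' -and
                          $e.Command -match '/node' -and $e.Command -notmatch '/node:127\.0\.0\.1' } }
    @{ Name = 'Mimikatz activity'
       Test = { param($e) $e.Command -match 'lsadump::(cache|lsa|sam|secrets)' } }
    @{ Name = 'Suspicious PsExec activity'
       Test = { param($e) $e.ParentProgram -eq 'psexecsvc.exe' -and $e.Program -like '*cmd.exe' -and
                          $e.Command -match '(whoami|net group)' } }
)

# Evaluate every rule against each record from the pipeline; emit one alert per match.
function Test-Watchlist {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        foreach ($r in $Rules) {
            if (& $r.Test $Record) {
                [pscustomobject]@{ Rule = $r.Name; Computer = $Record.Computer; Program = $Record.Program; Command = $Record.Command }
            }
        }
    }
}

# Constructed sample telemetry (not real events); comments mark the benign lines each rule must skip.
$Sample = @(
    @{ Computer='WS01';  ParentProgram='winword.exe';   Program='cmd.exe';      Command='cmd /c start dropped.exe' }
    @{ Computer='WS01';  ParentProgram='winword.exe';   Program='splwow64.exe'; Command='splwow64.exe 8192' }           # print helper, excluded
    @{ Computer='WS02';  ParentProgram='cmd.exe';       Program='wmic.exe';     Command='wmic /node:10.0.0.5 process call create "cmd.exe"' }
    @{ Computer='WS02';  ParentProgram='cmd.exe';       Program='wmic.exe';     Command='wmic /node:127.0.0.1 process call create "cmd.exe"' } # local, excluded
    @{ Computer='DC01';  ParentProgram='cmd.exe';       Program='tool.exe';     Command='tool.exe "lsadump::sam" exit' }
    @{ Computer='SRV01'; ParentProgram='psexecsvc.exe'; Program='cmd.exe';      Command='cmd.exe /c net group "Domain Admins" /domain' }
    @{ Computer='SRV01'; ParentProgram='explorer.exe';  Program='cmd.exe';      Command='cmd.exe /c whoami' }           # no PsExec parent, excluded
) | ForEach-Object { [pscustomobject]$_ }

$Sample | Test-Watchlist | Format-Table -AutoSize
```

Four of the seven constructed records should alert, one per rule; the three commented lines exercise the negative conditions (splwow64.exe, /node:127.0.0.1, non-PsExec parent) that keep the rules from firing on routine activity.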
Fast & Flexible Threat Detection
Detections based on behaviour
• Your adversary is evolving
  • Defensive Evasion
  • Living off the Land
  • Virtualisation
• Threat detection focus on behaviour
  • Behaviour of programs & people
• Threat detection solutions must now be
  • Fast – quickly deploy new detections
  • Flexible – can match an evolving threat