SlideShare une entreprise Scribd logo

Catch Me If You Can - Finding APTs in your network

Télécharger en tant que PPTX, PDF
DefCamp
DefCamp

Adrian Tudor & Leo Neagu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The videos and other presentations can be found on https://def.camp/archive

Technologie
1  sur  22
Classification: //Secureworks/Public Use:© SecureWorks, Inc. DefCamp Adrian Tudor Leo Neagu November 2018 1 Catch Me If You Can – Finding APTs in your network
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 2 • An Advanced Persistent Threat (APT) is a cyberattack that will “fly under the radar” and your AV/IDS will not let you know about it What is an APT?
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 3 • targeted cyberattack in which an intruder gains access to a network • remains undetected for an extended period of time • traditionally has been associated with nation-state players • in the last few years, the tools and techniques used by a few APT actors have also been adopted by various cybercriminals groups. What is an APT? Key elements of an APT attack - targeted SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program (2010)
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 4 • Focus on • Delivery • Exploitation • Installation • Command and Control • Action and Objectives APT attack mechanism
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 5 APT attack mechanism
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 6 • Vector of compromise APT attack mechanism - Delivery
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 7 Exploitation with malicious links APT Exploitation and Installation
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 8 APT Exploitation and Installation
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 9 Quasar RAT – Easy to use/deploy NetWire malware APT Exploitation and Installation
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 10 Quasar RAT – Easy to use/deploy - Demo APT Exploitation and Installation
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 11 APT Installation
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 12 - Creating services that sound legit - Task schedule - Malware installed as Microsoft Office Add-in. When MS Word starts, malware executed - DLL hijacking - and many more APT Installation – Persistence
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 13 - .bash_profile and .bashrc - Accessibility Features - Account Manipulation - AppCert DLLs - AppInit DLLs - Application Shimming - Authentication Package - BITS Jobs - Bootkit - Browser Extensions - Change Default File Association - Component Firmware - Component Object Model Hijacking - Create Account - DLL Search Order Hijacking - Dylib Hijacking - External Remote Services - File System Permissions Weakness - Hidden Files and Directories - Hooking - Hypervisor - Image File Execution Options Injection - Kernel Modules and Extensions - Launch Agent - Launch Daemon - Launchctl - LC_LOAD_DYLIB Addition - Local Job Scheduling - Login Item - Logon Scripts - LSASS Driver - Modify Existing Service - Netsh Helper DLL - New Service - Office Application Startup - Path Interception - Plist Modification - Port Knocking - Port Monitors - Rc.common - Re-opened Applications - Redundant Access - Registry Run Keys / Startup Folder - Scheduled Task - Screensaver - Security Support Provider - Service Registry Permissions Weakness - Setuid and Setgid - Shortcut Modification - SIP and Trust Provider Hijacking - Startup Items - System Firmware - Time Providers - Trap - Valid Accounts - Web Shell - Windows Management Instrumentation Event Subscription - Winlogon Helper DLL APT Installation – Persistence You can find more detailed information on https://attack.mitre.org
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 14 • PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX) APT Installation – Persistence
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 15 PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX) APT Installation – Persistence reg add HKCUSoftwareClassesActivatableClassesPackageMicrosoft.People_10.1807.2131. 0_x64__8wekyb3d8bbweDebugInformationx4c7a3b7dy2188y46d4ya362y19ac5a580 5e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:UsersIEUserAppDataRoamingSubDirClient.exe" Reference: ODDVAR MOE : https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ Persistence using the People app
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 16 Moving laterally inside the environment, compromising additional targets and getting closer to high value assets using different tools and techniques: - Enumerate password data from memory using commonly available password dumpers (Mimikatz) - Net.exe to connect to network shares using net use commands with compromised credentials - Spread through the local network by using PsExec - Windows Management Instrumentation (WMI) to interact with local and remote systems APT Lateral movement
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 17 - Recognizing an APT attack early in the kill chain is a tough job - The attackers prefer to work slow blending with regular network activity and using tools already available in the environment (PowerShell, WMI, net.exe etc.) How can I tell I’m targeted?
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 18 - Large outbound network traffic should raise questions, especially if the amount transferred is out of the regular trendline - Quite often APT attacks are detected when the data gathered already has been exfiltrated, sometimes even months later Data exfiltration: to late to detect?
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 19 The reason behind the spike - A web shell present on a IIS server (China Chopper) - A password encrypted RAR archive was exfiltrated - Further analysis of the RAM memory revealed the preparation of the data being exfiltrated
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 20 Are you ready to detect an APT? Assess your current state • Identify your assets • Know your vulnerabilities Know your enemies • Threat Intelligence feeds • Tools, tactics and procedures used by threat actors Design and implement your vision • Multi-layered endpoint & network protection • Threat Hunting
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 21 Let’s go Threat Hunting – look for hidden threats Start the hunt Refine the hunt Response Large unexpected data flows Remote access via RDP Scheduled tasks Phishing campaigns Encoded PowerShell commands Net.exe use
Classification: //Secureworks/Public Use:© SecureWorks, Inc. 22 QUESTIONS? THANK YOU!

Recommandé

Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Securing your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesSecuring your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesFrank Lesniak
 
Industry Best Practice against DDoS Attacks
Industry Best Practice against DDoS AttacksIndustry Best Practice against DDoS Attacks
Industry Best Practice against DDoS AttacksMarcelo Silva
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat ManagementLokesh Sharma
 
Sandboxing
SandboxingSandboxing
SandboxingLan & Wan Solutions
 
Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Frank Lesniak
 
Cyber Tech Israel 2016: Advanced Threat Protection Technical Overview
Cyber Tech Israel 2016: Advanced Threat Protection Technical OverviewCyber Tech Israel 2016: Advanced Threat Protection Technical Overview
Cyber Tech Israel 2016: Advanced Threat Protection Technical OverviewSymantec
 

Recommandé

Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Securing your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesSecuring your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesFrank Lesniak
 
Industry Best Practice against DDoS Attacks
Industry Best Practice against DDoS AttacksIndustry Best Practice against DDoS Attacks
Industry Best Practice against DDoS AttacksMarcelo Silva
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat ManagementLokesh Sharma
 
Sandboxing
SandboxingSandboxing
SandboxingLan & Wan Solutions
 
Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Frank Lesniak
 
Cyber Tech Israel 2016: Advanced Threat Protection Technical Overview
Cyber Tech Israel 2016: Advanced Threat Protection Technical OverviewCyber Tech Israel 2016: Advanced Threat Protection Technical Overview
Cyber Tech Israel 2016: Advanced Threat Protection Technical OverviewSymantec
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Sophos Benelux
 
Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Jeff Suratt
 
Tech f43
Tech f43Tech f43
Tech f43SelectedPresentations
 
Network security
Network securityNetwork security
Network securitySri Manakula Vinayagar Engineering College
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
My Final Year Project
My Final Year ProjectMy Final Year Project
My Final Year ProjectMOHAMMEDELALAM1
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorDavid Perkins
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionDavid Perkins
 
All about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshellAll about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshellHishan Shouketh
 
PACE-IT: Network Access Control
PACE-IT: Network Access ControlPACE-IT: Network Access Control
PACE-IT: Network Access ControlPace IT at Edmonds Community College
 
Vpn
VpnVpn
VpnLan & Wan Solutions
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitShah Sheikh
 
Check Point designing a security
Check Point designing a securityCheck Point designing a security
Check Point designing a securityGroup of company MUK
 
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Quick Heal Technologies Ltd.
 
Chapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering AttacksChapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering AttacksDr. Ahmed Al Zaidy
 
Forti web
Forti webForti web
Forti webLan & Wan Solutions
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníMarketingArrowECS_CZ
 
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Digital Bond
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 

Contenu connexe

Tendances

Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Sophos Benelux
 
Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Jeff Suratt
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorDavid Perkins
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionDavid Perkins
 
All about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshellAll about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshellHishan Shouketh
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitShah Sheikh
 
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Quick Heal Technologies Ltd.
 
Chapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering AttacksChapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering AttacksDr. Ahmed Al Zaidy
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníMarketingArrowECS_CZ
 
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Digital Bond
 

Tendances (20)

Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014
 
Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers 
 
Tech f43
Tech f43Tech f43
Tech f43
 
Network security
Network securityNetwork security
Network security
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
My Final Year Project
My Final Year ProjectMy Final Year Project
My Final Year Project
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
 
Make Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your FavorMake Every Spin Count: Putting the Security Odds in Your Favor
Make Every Spin Count: Putting the Security Odds in Your Favor
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and Prevention
 
All about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshellAll about Firewalls ,IPS IDS and the era of UTM in a nutshell
All about Firewalls ,IPS IDS and the era of UTM in a nutshell
 
PACE-IT: Network Access Control
PACE-IT: Network Access ControlPACE-IT: Network Access Control
PACE-IT: Network Access Control
 
Vpn
VpnVpn
Vpn
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS Summit
 
Check Point designing a security
Check Point designing a securityCheck Point designing a security
Check Point designing a security
 
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
 
Chapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering AttacksChapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering Attacks
 
Forti web
Forti webForti web
Forti web
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešeníAdvanced Threat Protection – ultimátní bezpečnostní řešení
Advanced Threat Protection – ultimátní bezpečnostní řešení
 
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
 

Similaire à Catch Me If You Can - Finding APTs in your network

Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14mjos
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docpraveena06
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacksijdmtaiir
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based SecurityJohn Wiley
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system securityGary Mendonca
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityLumension
 
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet KolkataSecurity Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkataamiyadutta
 
Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Setia Juli Irzal Ismail
 
Is Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksIs Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksMaarten Van Horenbeeck
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019Alexander Master
 

Similaire à Catch Me If You Can - Finding APTs in your network (20)

Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
V1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.docV1_I2_2012_Paper4.doc
V1_I2_2012_Paper4.doc
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based Security
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system security
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet KolkataSecurity Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
 
Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]
 
Is Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacksIs Troy Burning: an overview of targeted trojan attacks
Is Troy Burning: an overview of targeted trojan attacks
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019
 

Plus de DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 
WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"DefCamp
 

Plus de DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 
WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"
 

Dernier

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Catch Me If You Can - Finding APTs in your network

  • 1. Classification: //Secureworks/Public Use:© SecureWorks, Inc. DefCamp Adrian Tudor Leo Neagu November 2018 1 Catch Me If You Can – Finding APTs in your network
  • 2. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 2 • An Advanced Persistent Threat (APT) is a cyberattack that will “fly under the radar” and your AV/IDS will not let you know about it What is an APT?
  • 3. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 3 • targeted cyberattack in which an intruder gains access to a network • remains undetected for an extended period of time • traditionally has been associated with nation-state players • in the last few years, the tools and techniques used by a few APT actors have also been adopted by various cybercriminals groups. What is an APT? Key elements of an APT attack - targeted SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program (2010)
  • 4. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 4 • Focus on • Delivery • Exploitation • Installation • Command and Control • Action and Objectives APT attack mechanism
  • 5. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 5 APT attack mechanism
  • 6. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 6 • Vector of compromise APT attack mechanism - Delivery
  • 7. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 7 Exploitation with malicious links APT Exploitation and Installation
  • 8. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 8 APT Exploitation and Installation
  • 9. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 9 Quasar RAT – Easy to use/deploy NetWire malware APT Exploitation and Installation
  • 10. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 10 Quasar RAT – Easy to use/deploy - Demo APT Exploitation and Installation
  • 11. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 11 APT Installation
  • 12. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 12 - Creating services that sound legit - Task schedule - Malware installed as Microsoft Office Add-in. When MS Word starts, malware executed - DLL hijacking - and many more APT Installation – Persistence
  • 13. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 13 - .bash_profile and .bashrc - Accessibility Features - Account Manipulation - AppCert DLLs - AppInit DLLs - Application Shimming - Authentication Package - BITS Jobs - Bootkit - Browser Extensions - Change Default File Association - Component Firmware - Component Object Model Hijacking - Create Account - DLL Search Order Hijacking - Dylib Hijacking - External Remote Services - File System Permissions Weakness - Hidden Files and Directories - Hooking - Hypervisor - Image File Execution Options Injection - Kernel Modules and Extensions - Launch Agent - Launch Daemon - Launchctl - LC_LOAD_DYLIB Addition - Local Job Scheduling - Login Item - Logon Scripts - LSASS Driver - Modify Existing Service - Netsh Helper DLL - New Service - Office Application Startup - Path Interception - Plist Modification - Port Knocking - Port Monitors - Rc.common - Re-opened Applications - Redundant Access - Registry Run Keys / Startup Folder - Scheduled Task - Screensaver - Security Support Provider - Service Registry Permissions Weakness - Setuid and Setgid - Shortcut Modification - SIP and Trust Provider Hijacking - Startup Items - System Firmware - Time Providers - Trap - Valid Accounts - Web Shell - Windows Management Instrumentation Event Subscription - Winlogon Helper DLL APT Installation – Persistence You can find more detailed information on https://attack.mitre.org
  • 14. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 14 • PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX) APT Installation – Persistence
  • 15. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 15 PERSISTENCE USING UNIVERSAL WINDOWS PLATFORM APPS (APPX) APT Installation – Persistence reg add HKCUSoftwareClassesActivatableClassesPackageMicrosoft.People_10.1807.2131. 0_x64__8wekyb3d8bbweDebugInformationx4c7a3b7dy2188y46d4ya362y19ac5a580 5e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:UsersIEUserAppDataRoamingSubDirClient.exe" Reference: ODDVAR MOE : https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ Persistence using the People app
  • 16. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 16 Moving laterally inside the environment, compromising additional targets and getting closer to high value assets using different tools and techniques: - Enumerate password data from memory using commonly available password dumpers (Mimikatz) - Net.exe to connect to network shares using net use commands with compromised credentials - Spread through the local network by using PsExec - Windows Management Instrumentation (WMI) to interact with local and remote systems APT Lateral movement
  • 17. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 17 - Recognizing an APT attack early in the kill chain is a tough job - The attackers prefer to work slow blending with regular network activity and using tools already available in the environment (PowerShell, WMI, net.exe etc.) How can I tell I’m targeted?
  • 18. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 18 - Large outbound network traffic should raise questions, especially if the amount transferred is out of the regular trendline - Quite often APT attacks are detected when the data gathered already has been exfiltrated, sometimes even months later Data exfiltration: to late to detect?
  • 19. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 19 The reason behind the spike - A web shell present on a IIS server (China Chopper) - A password encrypted RAR archive was exfiltrated - Further analysis of the RAM memory revealed the preparation of the data being exfiltrated
  • 20. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 20 Are you ready to detect an APT? Assess your current state • Identify your assets • Know your vulnerabilities Know your enemies • Threat Intelligence feeds • Tools, tactics and procedures used by threat actors Design and implement your vision • Multi-layered endpoint & network protection • Threat Hunting
  • 21. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 21 Let’s go Threat Hunting – look for hidden threats Start the hunt Refine the hunt Response Large unexpected data flows Remote access via RDP Scheduled tasks Phishing campaigns Encoded PowerShell commands Net.exe use
  • 22. Classification: //Secureworks/Public Use:© SecureWorks, Inc. 22 QUESTIONS? THANK YOU!