鍵盤福爾摩斯的觀落陰真經

Transcript

1. ALLPPT.com _ Free PowerPoint Templates, Diagrams and Charts Keyboard007 鍵盤福爾摩斯的

   觀落陰真經

2. Speaker Keyboard007

3. Today’s Menu IR案例及趨勢分享 Living Off The Land Att&ck Matrix Adversary

   Emulation

4. ALLPPT.com _ Free PowerPoint Templates, Diagrams and Charts IR案例及趨勢分享

5. TWITTER Command and Control 方便 C&C Infra 變更

6. Google Drive RAT

7. 針對性MAIL題材 • 常見的反轉字元(RTLO) • 塞入大量NOP繞過檢測

8. 供應鏈廠商攻擊

9. 合法工具 = 駭客的最愛 ?! • SoftEther VPN • 北韓網軍LAZURUS攻擊事件也使用該VPN工具作為跳板使用 •

   當我們Bridge在一起

10. 模仿網軍後門技巧 10

11. 滅證 • Sdelete • ClearEventLog • https://github.com/Rizer0/Log-killer • https://github.com/hlldz/Invoke-Phant0m

12. ALLPPT.com _ Free PowerPoint Templates, Diagrams and Charts Living Off

    The Land

13. Definition Only pre-installed software is used by the attacker and

    no additional binary executables are installe d onto the system Attackers are using what’s already available to attack you • Less new files on disk → more difficult to detect attack • Use off-the-shelf tools & cloud services → difficult to determine i ntent & source • These tools are ubiquitous → hide in plain sight • Finding exploitable zero-day vulnerabilities is getting more diffic ult • → use simple and proven methods such as email & social engine ering

14. Windows LOLBIN (1) https://lolbas-project.github.io/

15. Windows LOLBIN (2) Certutil https://lolbas-project.github.io/lolbas/Binaries/Certutil/

16. UNIX LOLBIN https://gtfobins.github.io/

17. 參考資料 • https://liberty-shell.com/sec/2018/10/20/living-off-the-land/ • http://www.irongeek.com/i.php?page=videos/derbycon8/track- 1-01-lolbins-nothing-to-lol-about-oddvar-moe • https://www.slideshare.net/OddvarHlandMoe/lolbins-nothing-t o-lol-about •

    Living Off the Land: A Minimalist’s Guide to Windows Post-Expl oitation –BsidesAugusta 9/14/2013 with Matt Graeber(http://ob scuresecurity.blogspot.com/p/presentation-slides.html) • http://www.hexacorn.com/blog/category/living-off-the-land/ • https://blog.barkly.com/what-are-lolbins-living-off-the-land-bin aries • https://www.symantec.com/content/dam/symantec/docs/securi ty-center/white-papers/istr-living-off-the-land-and-fileless-attac k-techniques-en.pdf

18. 企業資安防護痛處 • WAF • 繞過後遭植入WEBSHELL • 防毒 • 特徵碼偵測可輕易繞過 •

    防火牆 • 常見服務後門可繞過 • IPS or APT Gateway • 內網橫向攻擊不易定位 • SOC • 定位威脅需較多階段

19. ALLPPT.com _ Free PowerPoint Templates, Diagrams and Charts MITRE ATT&CK

20. MITRE ATT&CK 框架 • 描述駭客從偵蒐、攻擊、橫向攻擊、控制系統各階段的技巧 • https://attack.mitre.org • 將各階段的手法工具技術整合為一個知識庫 •

    之後可以將各網軍、攻擊族群的知識收集並建立側寫

21. MITRE ATT&CK 框架

22. MITRE ATT&CK 框架

23. MITRE ATT&CK 框架

24. 組織側寫

25. 組織側寫

26. How to use it: threat-informed def ense, but for real

27. ALLPPT.com _ Free PowerPoint Templates, Diagrams and Charts Adversary Emulation

28. ADVERSARY EMULATION GOAL ADVERSARY EMULATION目的共有兩項: • 駭客進入到內網後能作到甚麼樣程度的攻擊? • 公開的APT攻擊手法，貴單位是否能 預防?

    偵測? 反應?

29. 企業資安防護追求目標 Types of Indicators • Tactics, Techniques and Procedures (TTPs)

    • Tools • Network Artifacts/Host Artifacts • Domain Names • IP Addresses • Hash Values

30. 模擬駭客攻防 https://attack.mitre.org/resources/adversary-emulation-plans/

31. APT3 Adversary Emulation Field Manual https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Ma nual.xlsx

32. List of Adversary Emulation Tools • https://github.com/mitre/caldera • https://github.com/MotiBa/Invoke-Adversary •

    https://github.com/endgameinc/RTA • https://github.com/uber-common/metta • https://github.com/redhuntlabs/RedHunt-OS • https://github.com/NextronSystems/APTSim ulator • https://github.com/guardicore/monkey • https://github.com/alphasoc/flightsim • https://github.com/redcanaryco/atomic-red-t eam • https://github.com/jymcheong/AutoTTP • https://github.com/mubix/post-exploitation

33. More Red Team Tips • Vysecurity one-page Red Team Tips

    • https://vincentyiu.co. uk/red-team-tips/ • 3gstudent/Pentest-and-D evelopment-Tips • https://github.com/3 gstudent/Pentest-and -Development-Tips • DDHS Red Team Tips • https://docs.google.c om/document/d/1j4V QZ1LNXzCJuEx1WBM T5iu8jBgj4TpI7DJQV6 O6myY/edit?usp=shar ing

34. ATT&CK Evaluations https://attackevals.mitre.org/

35. Thank You