
The Keyboard Sherlock Holmes's Secret Manual for Seeing the Unseen (鍵盤福爾摩斯的觀落陰真經)

jack chou
January 27, 2019


Transcript

1. Definition

Only pre-installed software is used by the attacker and no additional binary executables are installed onto the system. Attackers are using what's already available to attack you.
• Fewer new files on disk → more difficult to detect the attack
• Use off-the-shelf tools & cloud services → difficult to determine intent & source
• These tools are ubiquitous → hide in plain sight
• Finding exploitable zero-day vulnerabilities is getting more difficult → use simple and proven methods such as email & social engineering
2. References

• https://liberty-shell.com/sec/2018/10/20/living-off-the-land/
• http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-01-lolbins-nothing-to-lol-about-oddvar-moe
• https://www.slideshare.net/OddvarHlandMoe/lolbins-nothing-to-lol-about
• Living Off the Land: A Minimalist's Guide to Windows Post-Exploitation – BsidesAugusta 9/14/2013 with Matt Graeber (http://obscuresecurity.blogspot.com/p/presentation-slides.html)
• http://www.hexacorn.com/blog/category/living-off-the-land/
• https://blog.barkly.com/what-are-lolbins-living-off-the-land-binaries
• https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
3. Pain points of enterprise security defences

• WAF: once bypassed, a webshell gets planted
• Antivirus: signature-based detection is easily bypassed
• Firewall: backdoors riding on common service ports can bypass it
• IPS or APT gateway: lateral movement inside the internal network is hard to pinpoint
• SOC: locating a threat takes many stages
4. What enterprise security defences should aim for

Types of indicators (from hardest to easiest for the attacker to change):
• Tactics, Techniques and Procedures (TTPs)
• Tools
• Network artifacts / host artifacts
• Domain names
• IP addresses
• Hash values
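Slides 1 and 4 together make the detection argument: living-off-the-land activity leaves no new file, so a hash-value indicator never fires, while a TTP-level rule on how a pre-installed binary is used still can. The following is an added illustration of that contrast, not code from the deck; the binary name, the "URL in the command line of a System32 binary" rule, and all hashes and events are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed for this example)."""
    image: str          # full path of the executed binary
    command_line: str
    sha256: str         # placeholder digest, not a real indicator


# Bottom of the pyramid: a hash-value indicator list (placeholder value).
KNOWN_BAD_HASHES = {"PLACEHOLDER_SHA256_DROPPER"}

# Top of the pyramid: a TTP-level rule. The rule itself is this example's
# assumption: a pre-installed Windows binary invoked with a URL argument.
SYSTEM_DIR = "c:\\windows\\system32\\"
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


def hash_match(ev: ProcessEvent) -> bool:
    return ev.sha256 in KNOWN_BAD_HASHES


def ttp_match(ev: ProcessEvent) -> bool:
    in_system_dir = ev.image.lower().startswith(SYSTEM_DIR)
    return in_system_dir and URL_RE.search(ev.command_line) is not None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(events):
    """Return (hash_hits, ttp_hits): image names flagged by each indicator type."""
    hash_hits = [basename(e.image) for e in events if hash_match(e)]
    ttp_hits = [basename(e.image) for e in events if ttp_match(e)]
    return hash_hits, ttp_hits


# Constructed sample telemetry: a dropped binary (new file on disk), a
# living-off-the-land use of an OS binary (same hash as benign use), and
# a benign use of that same OS binary.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
                 "dropper.exe", "PLACEHOLDER_SHA256_DROPPER"),
    ProcessEvent(r"C:\Windows\System32\builtintool.exe",
                 "builtintool.exe /fetch https://example.invalid/a.txt",
                 "PLACEHOLDER_SHA256_OSBINARY"),
    ProcessEvent(r"C:\Windows\System32\builtintool.exe",
                 "builtintool.exe /verify report.txt", "PLACEHOLDER_SHA256_OSBINARY"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))  # (['dropper.exe'], ['builtintool.exe'])
```

The hash list catches only the dropped file; the OS binary shares its hash with every benign invocation, so only the behavioural rule separates the second event from the third.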
5. List of Adversary Emulation Tools

• https://github.com/mitre/caldera
• https://github.com/MotiBa/Invoke-Adversary
• https://github.com/endgameinc/RTA
• https://github.com/uber-common/metta
• https://github.com/redhuntlabs/RedHunt-OS
• https://github.com/NextronSystems/APTSimulator
• https://github.com/guardicore/monkey
• https://github.com/alphasoc/flightsim
• https://github.com/redcanaryco/atomic-red-team
• https://github.com/jymcheong/AutoTTP
• https://github.com/mubix/post-exploitation
6. More Red Team Tips

• Vysecurity one-page Red Team Tips: https://vincentyiu.co.uk/red-team-tips/
• 3gstudent/Pentest-and-Development-Tips: https://github.com/3gstudent/Pentest-and-Development-Tips
• DDHS Red Team Tips: https://docs.google.com/document/d/1j4VQZ1LNXzCJuEx1WBMT5iu8jBgj4TpI7DJQV6O6myY/edit?usp=sharing