Target Attack & Incident Response

Transcript

1. APT Target Attack & Incident Response in0de

2. AIS3 ★ Introduction - What’s APT ‣ Purpose, Target ‣

   Case study ★ Red Team Technical ‣ Discovery ‣ Lateral movement ‣ Privilege escalation Content ★ Basic Forensic ‣ System Forensic ‣ Traffic Forensic ‣ Malware Reverse

3. AIS3 ★ Advanced Persistent Threat ★ A stealthy threat actor,

   which gains unauthorized access to a computer network and remains undetected for an extended period. [ ★ Cyber crime VS APT group VS security researcher What’s APT

4. AIS3 ★ Background ★ Intend ★ Ability - https://attack.mitre.org/tactics/enterprise/ APT

   Group

5. AIS3 Cyber Crime - Twitter Hack 2020/07/16

6. AIS3 Cyber Crime - Twitter Hack 2020/07/16 電話釣⿂ 內部部分⼯具權限 取得⾼階內部⼯具權限

   詐騙內部 IT ⼈員 竊取政商名⼈帳號權限 發送假訊息 攻擊者加密貨幣錢包

7. AIS3 ★ Supply chain attack ★ Could reach to millions

   of computers Real World Incident: Shadow Hammer ASUS ASUS Live Update is an online update driver. It can detect whether there are any new versions of the programs released on the ASUS Website and then automatically updates your BIOS, Drivers, and Applications.

8. AIS3 ★ Supply chain attack ★ Could reach to millions

   of computers Real World Incident: Shadow Hammer ASUS LIVEUPDATE installer download ASUS Website ASUS ASUS

9. AIS3 ★ Supply chain attack ★ Inject shellcode into PE

   Real World Incident: Shadow Hammer ASUS Live Update PE Inject shellcode Code signing Publish the malicious

10. AIS3 ★ Supply chain attack ★ Could reach to millions

    of computers Real World Incident: Shadow Hammer Installer Setup.exe Normal Code Shellcode Compare mac addr Create a log file Access a domain & Download shellcode Targeted mac addr md5 list

11. AIS3 Real World Incident: Shadow Hammer Installer Setup.exe Normal Code

    Shellcode Compare mac addr Create a log file Access a domain & Download shellcode Targeted mac addr md5 list https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

12. AIS3 ★Chinese APT group Winnti Chinese Group

13. AIS3 Cyber Attack Targets Taiwan JAN DEC NOV JUL SEP

    AUG OCT JUN MAY APR MAR FEB 中油勒索病毒攻擊 ASUS (ShadowHammer)：https://www.ithome.com.tw/news/129588 中油 (APT41)：https://medium.com/cycraft/taiwan-ransomware-1-23b7e7e17270 醫療單位：https://www.ithome.com.tw/news/134108 Garmin (Evil Corp)：https://netmag.tw/2020/07/30/garmin證實遭駭客勒索軟體攻擊-深入剖析全球服務⼤當 台塑勒索病毒攻擊 Garmin 勒索病毒攻擊 仁寶勒索病毒攻擊 2018 2019 2020 台積電產線中毒 ASUS 供應鏈攻擊 研華勒索病毒攻擊 鴻海勒索病毒攻擊 立成勒索病毒攻擊 22間醫療單位勒索病毒攻擊

14. AIS3 Red Team https://www.ired.team/offensive-security/

15. AIS3 1. Download 2 vmdk image 2. Create new VM

    Environment Setup - vmware

16. AIS3 Environment Setup 3. Select (Windows Server 2012 or win7)

    4. Select Legacy Bios

17. AIS3 Environment Setup 5. (important) select existing virtual disk &

    select the vmdk image 6. check the image is correct

18. AIS3 Environment Setup 7. Create new network 8. Set subnet

    IP

19. AIS3 Environment Setup - AD Windows 7 IP: 10.10.10.XXX account:

    IIS password: AIS3mylab

20. AIS3 Environment Setup - AD Windows server 2012 IP: 10.10.10.130

    account: server password: AIS3myadmin

21. AIS3 General Company Network

22. AIS3 Basic Windows Knowledge - Protection Ring ★ 作業系統上的權限分級 ★

    ⽤⼾層 VS 系統層 https://en.wikipedia.org/wiki/Privilege_(computing)

23. AIS3 ★ Enterprise intranet ★ AD (Active Directory) ★ DS

    (Domain Service) Basic Windows Knowledge AD DS Manager AD DS Manager AD DS Manager AIS3.com office.AIS3.com Sales.AIS3.com

24. AIS3 Basic Windows Knowledge Active Directory IIS server data storage

    Normal user Manager ★Computers ★ Builtin - groups ★ Users

25. AIS3 Basic Windows Knowledge Active Directory IIS server data storage

    Normal user Manager ★Computers ★ Builtin - groups ★ Users Account: DS Password: XXXX Accept

26. AIS3 Basic Windows Knowledge ★Computers ★ Builtin - groups ★

    Users

27. AIS3 Basic Windows Knowledge Active Directory

28. AIS3 Basic Windows Knowledge Active Directory

29. AIS3 General Attacking Workflow Lateral Movement Privilege escalation Credential Dump

    Persistence Critical Area Internal Network Initial Access Recon. Collection Discovery

30. AIS3 General Attacking Workflow Initial Access Inside Information gathering Lateral

    Movement Privilege escalation Credential Dump Credential Dump Backdoor Recon. Critical Area Internal Network ★ Scanning ★ Gathering host information

31. AIS3 General Attacking Workflow Initial Access Inside Information gathering Lateral

    Movement Privilege escalation Credential Dump Credential Dump Backdoor Recon. Critical Area Internal Network ★ 服務漏洞 (Exploit application) ★ ⽔坑式攻擊 （Water Holing） ★ ⿂叉式攻擊 （Spear Phishing） ★ 供應鏈攻擊 （Supply chain attacks）

32. AIS3 Initial Access ★ 服務漏洞 (Exploit application) ★ ⽔坑式攻擊 （Water

    Holing） ★ ⿂叉式攻擊 （Spear Phishing） ★ 供應鏈攻擊 （Supply chain attacks） 1. exploit the website 2. download the modified resource

33. AIS3 Initial Access ★ 服務漏洞 (Exploit application) ★ ⽔坑式攻擊 （Water

    Holing） ★ ⿂叉式攻擊 （Spear Phishing） ★ 供應鏈攻擊 （Supply chain attacks） 1. Gathering user info. 1.send fake email to user

34. AIS3 Initial Access Lateral Movement Privilege escalation Credential Dump Persistence

    Critical Area Internal Network Initial Access Recon. Collection Discovery ★ Account discovery ★ Permission discovery ★ System information discovery

35. AIS3 ★ Find Domain ★ Find AD ip address ★

    Find all user in the domain LAB0 - Find ME

36. AIS3 ★ whoami ★ wmic process list brief ★ systeminfo

    ★ net share ★ net user <user name> /domain Some command

37. AIS3 ★ ipconfig /all ★ net config workstation ★ net

    group “ Domain Controllers” /domain Some command

38. AIS3 General Attacking Workflow Lateral Movement Privilege escalation Credential Dump

    Persistence Critical Area Internal Network Initial Access Recon. Collection Discovery ★ Interal spear phishing ★ Exploitation of remote services ★ Remote services

39. AIS3 General Attacking Workflow Lateral Movement Privilege escalation Credential Dump

    Persistence Critical Area Internal Network Initial Access Recon. Collection Discovery ★ Autostart execution ★ Compromise software binary ★ Create Account

40. AIS3 Persistence ★ Create account ★ Autostart execution ★ Compromise

    software binary ★ Inject service

41. AIS3 Persistence ★ Create account ★ Autostart execution ★ Compromise

    software binary ★ Inject service https://www.minitool.com/news/check-registry-for-malware-and-remove-it.html

42. AIS3 Persistence ★ Create account ★ Autostart execution ★ Compromise

    software binary ★ Inject service

43. AIS3 General Attacking Workflow Lateral Movement Privilege escalation Credential Dump

    Persistence Critical Area Internal Network Initial Access Recon. Collection Discovery ★ Valid account ★ Policy misconfig ★ Hijack execution flow ★ Scheduled Task ★ Exploitation

44. AIS3 ★ Valid account ★ Policy misconfig ★ Hijack execution

    flow ★ Scheduled Task ★ Exploitation Privilege Escalation

45. AIS3 ★ Valid account ★ Policy misconfig ★ Hijack execution

    flow ★ Scheduled Task ★ Exploitation Privilege Escalation

46. AIS3 ★ Try to read the secret.txt and get flag

    LAB1 - Privilege Escalation (local system)

47. AIS3 ★ Windows misconfiguration ★ If admin enabled this feature,

    windows will use system mode to install .msi installer ★ Path: Local group policy edit -> admin templete -> windows installer -> Always install with elevated privileges AlwaysInstallElevated

48. AIS3 ★ msiexec.exe handle .msi installer AlwaysInstallElevated

49. AIS3 ★(old) https://github.com/PowerShellEmpire/PowerTools ★(new) https://github.com/PowerShellMafia/PowerSploit/ ★ A collection of Microsoft

    PowerShell modules that can be used to aid penetration testers during all phases of an assessment Powerup

50. AIS3 ★ cd C:\Users\IIS.MYAIS3\Desktop\package\PowerTools-master ★ into powerup folder ★ Import-Module

    PowerUp.ps1 ★ Write-UserAddMSI Powerup

51. AIS3 CVE-2020-0787 https://nvd.nist.gov/vuln/detail/CVE-2020-0787

52. AIS3 ★ Background Intelligent Transfer Service（BITS，後端智能傳輸服務） ★ For download files

    from or upload files to HTTP web servers and SMB file shares ★ Privileged file operation abuse CVE-2020-0787 https://www.anquanke.com/post/id/200742

53. AIS3 ★ Com object ★ 微軟提供的⼀套進程間的通訊標準 ★ 每個物件定義⾃⼰的溝通介⾯ CVE-2020-0787 https://zh.wikipedia.org/wiki/组件对象模型

54. AIS3 ★ COM security: Impersonation ★ https://docs.microsoft.com/en-us/windows/win32/com/impersonation CVE-2020-0787

55. AIS3 ★ Download PoC ★ Get SYSTEM shell !! CVE-2020-0787

56. AIS3 General Attacking Workflow Lateral Movement Privilege escalation Credential Dump

    Persistence Critical Area Internal Network Initial Access Recon. Collection Discovery ★ Archive collected data ★ Man-in-the-middle ★ Data capture

57. AIS3 General Attacking Workflow Lateral Movement Privilege escalation Credential Dump

    Persistence Critical Area Internal Network Initial Access Recon. Collection Discovery ★ Credentials from password stores ★ Forge web credentials ★ Input cpature ★ Steal application access token

58. AIS3 ★ Domain administrator share folder: mydata ★ Try to

    read the share folder & get flag LAB2 - Privilege Escalation (Domain Admin)

59. AIS3 ★ Mimikatz ★ log hash.txt ★ privilege::debug ★ sekurlsa::logonpasswords

    Mimikatz

60. AIS3 ★ Powerful password dump tools Mimikatz https://github.com/gentilkiwi/mimikatz/wiki

61. AIS3 ★ Run CMD or powershell as Domain Administratior ★

    open \\server\flag.txt Get Flag Administrator password: !@12qwas

62. AIS3 General Attacking Workflow Lateral Movement Privilege escalation Credential Dump

    Persistence Critical Area Internal Network Initial Access Recon. Collection Discovery

63. AIS3 General Attacking Workflow ref: https://github.com/Yeti-791/APT-Guide

64. AIS3 ★ https://osint-labs.org/apt/ ★ https://github.com/Yeti-791/APT-Guide REF

65. AIS3 Blue Team Side

66. AIS3 What’s incident response Threat Hunting Malware Analysis Threat Investigation

    Threat Intelligence A B C D D C B A Endpoint detection Tech. to discover potential threat Validate, understand, and react to events happening simultaneously in an environment Manual reverse to understand the behavior and purpose of a suspicious file Information about threats and threat actors that helps mitigate harmful events in cyberspace

67. AIS3 Attack Model ★ Different Cyber Kill Chain https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf

68. AIS3 Att&ck attack model

69. AIS3 Incident Response Path Who When Where How What ‣

    Attacker & victims ‣ Attack period ‣ Number of infected computer ‣ Any files or things leave in the computer ‣ What kind of attack method & technical ‣ Communicate with C2

70. AIS3 ★ Networking ★ Process & Memory ★ Files When

    a Attack Happen - What

71. AIS3 ★ Malware Reverse When a Attack Happen - How

    Installer Setup.exe Normal Code Shellcode Compare mac addr Create a log file Access a domain & Download shellcode Targeted mac addr md5 list

72. AIS3 ★ Malware Reverse ★ Log Analysis When a Attack

    Happen - How

73. AIS3 ★ Sysmon ★ Windows Audit Log ★ ELK (

    Elasticsearch + Logstash + Kibana ) Tools

74. AIS3 Sysmon https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

75. AIS3 ★ Download from website ★ Install security patch KB3033929,

    KB2533623 for fixing signature issue ★ ‘sysmon -accepteula -i’ ✦ Install with default settings (process images hashed with sha1 and no network monitoring) Install sysmon https://social.technet.microsoft.com/Forums/en-US/81dc8039-224a-4709-a14f-32f6a052cf9b/sysmon-1041-installation-issue? forum=miscutils

76. AIS3 ★ Open event log ★ Applications and Services Logs

    -> Microsoft -> Windows -> Sysmon -> Operational Install sysmon

77. AIS3 ★ Open event log as admin ★ Enter administrator

    Install sysmon

78. AIS3 Install sysmon

79. AIS3 ★ https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf ★ https://jpcertcc.github.io/ToolAnalysisResultSheet/ Windows Event Log Reference

80. AIS3 ★ Find CVE-2020-0787 execution path ★ Find Mimikatz Password

    & hash dump log Leb3: Let’s Hunting

81. AIS3 Summary APT group IR team

82. AIS3 ★ https://www.facebook.com/DDHS.TW/ ★ https://www.anquanke.com ★ https://www.freebuf.com Extended Link for

    Learning Security