005. Is It Difficult to Spot a Russian APT?

Hello everyone! Let's continue to talk about APTs. I think many of you read this report by Volexity, where they introduced the Nearest Neighbor Attack.

APTs often use very sophisticated techniques to obtain initial access to the target network, and the Nearest Neighbor Attack is a good example. But it's almost impossible to be very sophisticated throughout the whole attack lifecycle. What does it mean for defenders? Detection opportunities!

For example, the adversary attempted to extract the Security Account Manager (SAM) database from the Registry with Reg:

reg save hklm\sam C:\ProgramData\sam.save

reg save hklm\security C:\ProgramData\security.save

reg save hklm\system C:\ProgramData\system.save

Quite noisy and suspicious behaviour, isn't it?

Another noisy technique is abusing cipher.exe:

cmd.exe /c cipher /W:C

Abusing this tool allowed threat actors to overwrite deleted data and make it difficult for incident responders to recover their toolset. 

It's not the first time this tool was used by adversaries. If you are tracking ransomware gangs, you should have seen it at least a few times, for example, MegaCortex.

Finally, the adversary copied the ntds.dit file from the volume shadow copy:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit [dest]

This is another quite noisy technique, which allows the threat actors to obtain credential material.
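To show how the three noisy techniques above turn into detection logic, here is an added example (my own code, not from the post or from Volexity's report). It scans constructed process-creation records, shaped like the command-line field a SIEM keeps from Security event 4688 or Sysmon event 1, and flags hive exports via reg save, cipher /W free-space wiping, and NTDS.dit copied out of a volume shadow copy. The host names, user names and events are all made up for the example; the regexes are my assumption of what a reasonable first-pass rule looks like and would need tuning against real telemetry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    rule: str
    host: str
    user: str
    cmdline: str


# Rule name -> regex over the process command line (assumed rule set, not
# taken from any vendor). Matching is case-insensitive because the same
# command appears as HKLM\SAM, hklm\sam, /W: or /w: in real logs.
RULES = [
    # reg.exe saving one of the three hives needed for offline credential extraction
    ("reg_save_credential_hive",
     re.compile(r"\breg(?:\.exe)?\s+save\s+\"?(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)),
    # cipher.exe /W overwrites free space so deleted tooling cannot be carved back
    ("cipher_wipe_free_space",
     re.compile(r"\bcipher(?:\.exe)?\b.*?\s/w:", re.I)),
    # NTDS.dit read through the GLOBALROOT shadow-copy device path
    ("ntds_dit_from_shadow_copy",
     re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit\b", re.I)),
]

# Constructed sample telemetry: three benign admin commands followed by the
# sequence described in the post. None of this is real data.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": r"cipher /E C:\Users\jdoe\Documents\private"},
    {"host": "srv02", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"copy C:\reports\q3.xlsx \\fileshare\backup\q3.xlsx"},
    {"host": "srv02", "user": "CORP\\admin", "parent": "cmd.exe",
     "cmdline": r"reg save hklm\sam C:\ProgramData\sam.save"},
    {"host": "srv02", "user": "CORP\\admin", "parent": "cmd.exe",
     "cmdline": r"reg save hklm\security C:\ProgramData\security.save"},
    {"host": "srv02", "user": "CORP\\admin", "parent": "cmd.exe",
     "cmdline": r"reg save hklm\system C:\ProgramData\system.save"},
    {"host": "srv02", "user": "CORP\\admin", "parent": "cmd.exe",
     "cmdline": r"cmd.exe /c cipher /W:C"},
    {"host": "dc01", "user": "CORP\\admin", "parent": "cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ProgramData\ntds.dit"},
]


def scan(events):
    """Run every rule over every event; one Detection per (event, rule) match."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append(Detection(name, ev["host"], ev["user"], ev["cmdline"]))
    return hits


def techniques_per_host(detections):
    """Group distinct rule names by host: a host tripping several of these
    rules in a short window is a much stronger signal than any single hit."""
    by_host = defaultdict(set)
    for d in detections:
        by_host[d.host].add(d.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.rule}] {h.host} {h.user}: {h.cmdline}")
    print(techniques_per_host(hits))
```

In practice you would feed `scan` the command-line field straight from your 4688/Sysmon pipeline and alert on `techniques_per_host` rather than on individual matches; a single `reg save` may be a sloppy admin, but hive export followed by `cipher /W` on the same host is the kind of chained, noisy behaviour the post is talking about.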

So, APTs may exploit zero-days and use other sophisticated techniques to jump into your network, but to achieve their goals they need to do a lot more - and it's your chance to spot them!

See you tomorrow!
