
[Stages of APT] DATA EXFILTRATION

After successful asset discovery, adversaries try to exfiltrate data from the compromised network. In many cases the initial C&C server is used as the drop-off point, but other systems and technologies may be involved [1]. The actual exfiltration approach depends on the APT group's tactics, the amount of data, and other circumstances.

[Stages of APT] ASSET DISCOVERY

In most cases the goal of an APT campaign is the theft of intellectual property or confidential information [1], or access to specific systems within the target organization's network. For example, adversaries usually target patented technologies, diplomatic information, or access to the computers of researchers and executives in order to monitor their activity. Because the asset of interest is usually in digital form, the theft is hard to detect, which allows the adversaries to commit the crime without being noticed.

[Stages of APT] PRIVILEGE ESCALATION

After the initial host compromise, malicious actors attempt to move laterally within the compromised organization and focus their efforts on internal reconnaissance, credential harvesting, and attacks on internal systems. Built-in tools are commonly used during this step to avoid detection, because tools such as Microsoft's PowerShell and WMI are whitelisted and their activity is often not part of the security log review process [1]. Avoiding detection on the network is a key aspect of long-term, persistent campaigns.

[Stages of APT] PRIVILEGE ESCALATION

Once the initial foothold is established, the attackers seek ways to spread through the network. The initial compromise often happens on a computer that is of little importance to the APT campaign itself. Therefore, attackers try to escalate their privileges on this machine so that they can start moving through the target's infrastructure in order to find and compromise the systems on the network that store valuable information.

A Brief Analysis of AutoSploit

https://github.com/NullArray/AutoSploit

        # Initialize the Shodan API client; the key value below is a placeholder
        import shodan
        SHODAN_API_KEY = "<your-shodan-api-key>"
        api = shodan.Shodan(SHODAN_API_KEY)