一隅

With a three-foot sword in hand, right every wrong under heaven

[Stages of APT]DATA EXFILTRATION

Original article: https://azeria-labs.com/

After successful asset discovery, adversaries try to exfiltrate the data they have collected from the compromised network. In many cases the initial C&C server is used as the drop-off point, but other systems and technologies may be involved [1]. The exfiltration method depends on the APT group's tactics, the amount of data and other circumstances.

[Stages of APT]ASSET DISCOVERY

Original article: https://azeria-labs.com/

In most cases the goal of an APT campaign is the theft of intellectual property or confidential information [1], or access to specific systems within the target organization's network. For example, adversaries commonly target patented technologies, diplomatic information, or the computers of researchers and executives in order to monitor their activity. Because the asset of interest is usually in digital form, the theft is hard to detect, which lets the adversaries carry out the crime without being noticed.

[Stages of APT]LATERAL MOVEMENT

Original article: https://azeria-labs.com/

After the initial host compromise, malicious actors attempt to move laterally within the compromised organization and focus their efforts on internal reconnaissance, credential harvesting and attacks on internal systems. Built-in tools are commonly used during this step to avoid detection, because tools like Microsoft's PowerShell and WMI are whitelisted and their activity is often not part of the security log review process [1]. Avoiding detection on the network is a key aspect of long-term, persistent campaigns.
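Because WMI and PowerShell are legitimate administrative tools, blocking them is rarely an option; the practical check is to review process-creation telemetry for the shapes remote execution leaves behind. The following is an added example, not code from the azeria-labs article: it scans Windows Security event 4688 (process creation) records for a child process spawned by the WMI provider host (the pattern left by a remote `Win32_Process.Create`), for PowerShell launched with an encoded command or a hidden window, and for a shell started directly by `services.exe` (service-based remote execution). The event records are constructed for this example and use the 4688 field names; populating `CommandLine` requires the "Include command line in process creation events" audit policy to be enabled.

```python
"""Flag process-creation events that look like WMI- or PowerShell-driven
lateral movement. Added example; the events below are constructed, not real.
"""
import re

# Constructed sample 4688 records (field names follow the 4688 schema).
SAMPLE_EVENTS = [
    {"Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    # Child of the WMI provider host: typical of remote Win32_Process.Create
    {"Computer": "FS01",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": 'cmd.exe /c "net user backup P@ss /add"'},
    # PowerShell started by services.exe with an encoded, hidden-window command
    {"Computer": "WS02",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Benign administrative PowerShell launched from an interactive console
    {"Computer": "WS03",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
FLAG_RE = re.compile(r"(?i)(?:^|\s)-([a-z]+)\s+(\S+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_encoded_command(cmd):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...), so match on prefix rather than a fixed spelling and require a
    base64-looking argument."""
    for flag, arg in FLAG_RE.findall(cmd):
        flag = flag.lower()
        if flag.startswith("e") and "encodedcommand".startswith(flag) \
                and re.fullmatch(r"[A-Za-z0-9+/=]{16,}", arg):
            return True
    return False


def classify(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    parent = basename(event["ParentProcessName"])
    child = basename(event["NewProcessName"])
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent == "wmiprvse.exe":
        reasons.append("spawned by WMI provider host (remote Win32_Process.Create)")
    if child in ("powershell.exe", "pwsh.exe"):
        if has_encoded_command(cmd):
            reasons.append("PowerShell with encoded command")
        if HIDDEN_RE.search(cmd):
            reasons.append("PowerShell with hidden window")
    if parent == "services.exe" and child in SHELLS:
        reasons.append("shell launched by services.exe (service-based remote execution)")
    return reasons


def scan(events):
    """Return [(Computer, child process, reasons)] for suspicious events only."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Computer"], basename(ev["NewProcessName"]), reasons))
    return hits


if __name__ == "__main__":
    for host, proc, why in scan(SAMPLE_EVENTS):
        print(f"{host}: {proc}: {'; '.join(why)}")
```

The parent/child relationship is the signal here, not the tool name: `powershell.exe` under `cmd.exe` on a workstation is ordinary, while the same binary under `services.exe` or `WmiPrvSE.exe` usually means something executed it remotely. Extend `SHELLS` and the flag checks to match the baseline of the environment being monitored.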

[Stages of APT]PRIVILEGE ESCALATION

Original article: https://azeria-labs.com/

Once the initial foothold is established, the attackers seek ways to spread through the network. The initial compromise often lands on a computer that is of little importance to the goals of the APT campaign. The attackers therefore try to escalate their privileges on this machine so that they can start moving through the target's infrastructure to find and compromise the systems that store valuable information.

[Stages of APT]COMMAND AND CONTROL

Original article: https://azeria-labs.com/

Throughout the campaign the adversaries need to maintain active connections to the compromised infrastructure. While the initial malware plays an important role, the attackers must establish a Command and Control (C&C) infrastructure in order to interact with the infected hosts. C&C provides the means to upgrade the malware, launch further attacks and move data out during the exfiltration stage. Attackers therefore make sure the C&C channel is stealthy, is not blocked by the target's network monitoring systems and is resilient to takedowns [1].
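A C&C channel that blends in with normal web traffic still tends to leave two artifacts in proxy or flow logs: implants check in at a fixed interval with small jitter (beaconing), and when the same channel is used as the drop-off point for exfiltration, as the data exfiltration section above describes, the outbound byte count to that destination jumps far above what browsing produces. The following is an added example, not code from the azeria-labs article, that detects both over a constructed proxy log. The log format (`timestamp src dst bytes_out`), the destination addresses and the thresholds (ten or more connections, 80% of intervals within 10% of the median gap, 50 MB of uploads) are assumptions for this example.

```python
"""Detect beaconing and bulk upload per (source, destination) pair in a
simple proxy log. Added example; the log is constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def build_sample_log():
    """Constructed proxy log: lines of 'timestamp src dst bytes_out'."""
    t0 = datetime(2023, 5, 4, 10, 0, tzinfo=timezone.utc)
    lines = []
    # Implant on 10.0.0.5 checks in every 60 s with +/-1 s jitter, tiny requests.
    jitter = [0, 1, -1, 0, 1, 0, -1, 1, 0, 0, 1, -1, 0, 1, 0, -1, 0, 1, -1, 0]
    for i, j in enumerate(jitter):
        t = t0 + timedelta(seconds=60 * i + j)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.10 {700 + i}")
    # Ordinary browsing from 10.0.0.7: irregular timing, moderate sizes.
    for off in (0, 17, 95, 130, 402, 410, 900, 1300, 1303, 2100):
        t = t0 + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.7 198.51.100.20 1500")
    # An hour later the C&C destination receives 60 MB in three large POSTs.
    for i, size in enumerate((20_000_000, 25_000_000, 15_000_000)):
        t = t0 + timedelta(seconds=3600 + 300 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.10 {size}")
    return lines


def parse(lines):
    """Yield (timestamp, src, dst, bytes_out) from the assumed log format."""
    for line in lines:
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def analyze(lines, min_conns=10, regular_fraction=0.8, tolerance=0.1,
            upload_threshold=50_000_000):
    """Return beaconing pairs and pairs whose total upload exceeds a threshold.

    Beaconing is judged on the median inter-connection gap rather than the
    mean, so a few long gaps or a burst of uploads do not hide a regular
    check-in pattern.
    """
    times = defaultdict(list)
    bytes_out = defaultdict(int)
    for ts, src, dst, size in parse(lines):
        times[(src, dst)].append(ts)
        bytes_out[(src, dst)] += size

    beacons = []
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        regular = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
        if regular >= regular_fraction:
            beacons.append((pair, med, round(regular, 2)))

    bulk = [(pair, total) for pair, total in bytes_out.items()
            if total >= upload_threshold]
    return {"beacons": beacons, "bulk_upload": bulk}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for (src, dst), period, frac in result["beacons"]:
        print(f"beacon {src} -> {dst}: period {period:.0f}s, {frac:.0%} regular")
    for (src, dst), total in result["bulk_upload"]:
        print(f"bulk upload {src} -> {dst}: {total / 1e6:.1f} MB")
```

On real logs the byte threshold should be a per-host baseline rather than a constant, and the beacon test should be run over a window long enough to cover the implant's sleep interval; an implant sleeping for hours will not reach `min_conns` in a one-hour window.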

[Stages of APT]PERSISTENCE

Original article: https://azeria-labs.com/

To secure access to a compromised system, attackers establish persistence so that their backdoor remains installed and running across system reboots. This allows the intruders to control the infected system later and proceed with further exploitation of the target or its infrastructure. The sophistication of the persistence method usually depends on the access rights the attackers have gained and on their tactics: the higher the access level, the more sophisticated and stealthy the persistence that can be applied.

[Stages of APT]INITIAL COMPROMISE

Original article: https://azeria-labs.com/

To gain an initial foothold within the target infrastructure, APTs drop a malicious program at the point of entry. There are many ways to deliver a payload, but the most common are malicious email attachments and exploits against the user's web browser embedded in websites the victim normally visits or is redirected to [1]. The approach an APT chooses depends on the resources it possesses and the time available for carrying out the attack.

[Stages of APT]RECONNAISSANCE

Original article: https://azeria-labs.com/

If I had six hours to chop down a tree, I’d spend the first four sharpening the axe.
– Abraham Lincoln

One of the differences between a targeted attack and a widespread malware campaign is the effort and time spent preparing to attack a specific target. Preparation, especially in the form of reconnaissance, is the first and most important phase of the APT life cycle.

ADVANCED PERSISTENT THREATS (APTS)

Original article: https://azeria-labs.com/

Cyber espionage "investigations" have become popular within the information security industry and have turned into easy marketing opportunities for research reports about Advanced Persistent Threats, accompanied by "nation-state attack" headlines. Beyond its use in marketing such reports, the term "APT" itself has been generalized for the sake of convenience. However, this was done at the expense of accuracy and greater