CASSIDIAN CyberSecurity Blog

2014/12/02

APT Kill chain - Part 5 : Access Strenghtening and lateral movements

Being successful at compromising one or several workstations and/or servers from a targeted company is an important step for APT attackers. Just after the initial compromise step, there are 2 possible situations:

  • The attacker managed to gain high privileges on the system.
  • The attacker only managed to compromise machines with regular user privileges.

More often than one would think of, normal user rights can be enough for an APT attacker. This is the case when the attacker has aimed for a particular machine/user which he knows to store the information he wants, or an access to it. The most common situation here is when the attacker has been pushing his reconnaissance phase far enough to know exactly which user is working on a project he wants to steal. He can either aim for the users e-mail box, or decide to go for a compromise of the user's computer.

However, it is more common for APT attackers to want to get a lot more information. Therefore, they aim at compromising the whole information system, and the best way to do that is to elevate their privileges and go for an Active Directory complete dump.

So how does the attacker do, not to be stuck in one workstation with usual user rights ? Well, he does just the same as a penetration tester would do at this step, and this is what this blog post is about.

Continue reading...

2014/06/20

APT Kill chain - Part 4 : Initial compromise

This blog post is part of a series on APT killchain. In the previous step, we've seen how the attacker used reconnaissance techniques to collect data on its target. Now we will focus on the initial compromise.

At this stage, the APT attackers have a solid knowledge of their target and its key employees. The attackers have everything they need to start looking for an entry point to the company’s network and establish one or several permanent backdoor accesses.

Continue reading...

2014/05/23

APT Kill chain - Part 3: Reconnaissance

This blog post is part of a series on APT killchain. On this blog post we focus on the reconnaissance step. All the information written here comes directly from our observations and experience on APT incident handling and APT pentest simulations.

Time for action has started. The attackers have chosen one target, now they have to start working on it.

It does not mean they will rush into the attack as soon as they have a target name. There is no interest in blindly attacking a company’s servers. Like in a lot of other subjects, a good attack is an attack which has been prepared carefully.

The longer the attackers spend time in knowing their target and its online presence, the easiest it will be to find efficient ways to penetrate that company’s systems. This is a bit like penetration testing. If you have ever been involved in such an activity, you know that there are different kinds of pentests, mostly depending on the perimeter to evaluate. Some pentests will cover a narrow part of a company’s network infrastructure (web server for example) while some others will cover a wider area. In the widest case (probably the most interesting one if you have enough time), such a pentest will consist of getting only a company’s name and digging for any vulnerability one can find. The pentester has to find several ways to attack the system, and penetrate it successfully before showing his results to the system’s owner.

After all, technically speaking, in which aspect is the beginning of an APT attack different to a penetration test?

The penetration tester will try to find as many vulnerabilities as he can, to report it to the customer. The APT attacker will try to find one or several vulnerabilities to penetrate the system. The APT attacker won’t search for all the vulnerabilities: one or two are enough for him.

The first phase of an APT is similar to the first phase of a penetration testing service; it is the reconnaissance phase, which can also be called “information gathering” phase.

Continue reading...

2014/05/07

APT Kill chain - Part 2 : Global view

Last week we defined what an APT is. As we have seen, there are different definitions, and I bet nearly all companies working on APT incident handling do have their own definition.

What every experienced APT incident responder agrees on, is the way APT attacks are conducted.

The APT kill chain can be presented with some variations, depending on the detail level you want to show, yet its content is always the same. We chose to show here the easiest kill chain we could draw, not to panic anyone with technical details (yet). We will really go deep into every process of an APT attack in this serie of blog posts, yet we believe it is good to start explaining it from a distant point of view.

Continue reading...

2014/04/28

APT Kill chain - Part 1 : Definition

Today we decided to release a serie of blog posts regarding the APT kill chain, in an effort to share our experience and knowledge on this hot topic.

For starters, “APT” stands for Advanced Persistent Threat.

Some people do not use this word at all, considering that this acronym is just a buzzword, created by some creative marketing wizard –or even a team of wizards- to describe a computer attack aimed at companies. These three words do strike the spirit of anyone who is inexperienced in computer security and immediately raise fear, not to mention terror. A sure thing is that it does not leave anyone indifferent. People do imagine a lot of different things behind these words, depending on their knowledge and experience. It basically goes from “well, another attack” to “attackers are everywhere in the system, they’re inside all the computers, ALARM ! ALARM ! HELP !”

Yet, there have been different definitions for APT, which we will now explore briefly.

Continue reading...

2014/03/11

Prefetch file parser in pure Python

During our forensics investigations regarding Microsoft Windows operating systems, extracting information from the several Prefetch files can be pretty useful in many cases. Indeed, these files contain, amongst other values, the last time the program was launched, a counter of how many times it has been used, the full path where the EXE file was, etc.

Unfortunately, the best tool we have found so far is pf from TZWorks LLC but it is closed-source. And even if there are some documentations on the Internet about those files, they were either incomplete or we found mistakes in them. All things together lead us to implement an opensource parser in Python for those files.

Today we are releasing our tool and this blog post is going to describe the Prefetch file format in details.

Continue reading...

2014/01/20

Introducing MftCrawler, a MFT parser with $i30 carving capabilities

During Incident Response missions, we have to use forensics tools either on a local system or at the company scale. For different reasons, we could not use the available MFT parsers available and we needed to do live $I30 carving as well.
So we decided to create our own. We named it MftCrawler.

MftCrawler is a MFT parser written in Lua with $i30 carving capabilities.
It can be used to parse offline MFT (saved MFT file) or Live (Windows & Linux).

When running in live mode MftCrawler can carve $i30 records and try to resurrect deleted file entries.

MftCrawler was designed with these goals in mind:

  • Simple & easy to modify
  • Fast (*)
  • Low memory consumption (*)

(*) The $i30 carving does impact the performance.

This is still a work in progress (read BETA, so bugs will happen) and several features are still missing (owner SID, non resident attribute spanning several records,...)

Source & documentation can be found here: http://bitbucket.cassidiancybersecurity.com/mftcrawler

Feedback & bug reports highly appreciated !