CASSIDIAN CyberSecurity Blog

Tag - APT kill chain

Entries feed

2014/12/02

APT Kill chain - Part 5 : Access Strenghtening and lateral movements

Being successful at compromising one or several workstations and/or servers from a targeted company is an important step for APT attackers. Just after the initial compromise step, there are 2 possible situations:

  • The attacker managed to gain high privileges on the system.
  • The attacker only managed to compromise machines with regular user privileges.

More often than one would think of, normal user rights can be enough for an APT attacker. This is the case when the attacker has aimed for a particular machine/user which he knows to store the information he wants, or an access to it. The most common situation here is when the attacker has been pushing his reconnaissance phase far enough to know exactly which user is working on a project he wants to steal. He can either aim for the users e-mail box, or decide to go for a compromise of the user's computer.

However, it is more common for APT attackers to want to get a lot more information. Therefore, they aim at compromising the whole information system, and the best way to do that is to elevate their privileges and go for an Active Directory complete dump.

So how does the attacker do, not to be stuck in one workstation with usual user rights ? Well, he does just the same as a penetration tester would do at this step, and this is what this blog post is about.

Continue reading...

2014/05/07

APT Kill chain - Part 2 : Global view

Last week we defined what an APT is. As we have seen, there are different definitions, and I bet nearly all companies working on APT incident handling do have their own definition.

What every experienced APT incident responder agrees on, is the way APT attacks are conducted.

The APT kill chain can be presented with some variations, depending on the detail level you want to show, yet its content is always the same. We chose to show here the easiest kill chain we could draw, not to panic anyone with technical details (yet). We will really go deep into every process of an APT attack in this serie of blog posts, yet we believe it is good to start explaining it from a distant point of view.

Continue reading...