PowerPoint presentation - IB-Bank...8: Added...

Post on 03-Aug-2020




Added to monitoring

New IoC indicators:

- IP address: +12 345
- FQDN/URI: +2 356
- Registry: +34
- File hash: +145
- Email: +1 257
- Process: +48

New Tor exit nodes added: +256


[Chart: breakdown of indicators by type: IP address, FQDN/URI, Registry, File hash, Email, Process]


TI/IoC indicator and feed aggregation workflow

1. Aggregate TI/IoC indicators and feeds.
2. Add them to the TI database.
3. Is the information relevant? If YES:
   - Real-time monitoring
   - Retrospective analysis
4. Were the indicators found in the infrastructure? If YES:
   - Block them on the security controls
   - Start the incident response process
   - Testing: emulate the infection/attack and verify that it is detected


| Name | Category | Tech. ID | Link to description |
|---|---|---|---|
| Process DLL Injection | Privilege Escalation | T1055 | https://attack.mitre.org/techniques/T1055/, https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md |
| Remote File Copy with BITSadmin | Defense Evasion, Persistence | T1197 | https://attack.mitre.org/techniques/T1197/ |
| VShadow Code Execute | Defense Evasion, Execution | T1218 | https://attack.mitre.org/techniques/T1218/ |
| Create Junction Folders | Persistence | | https://wikileaks.org/ciav7p1/cms/page_13763373.html |
| CLSIDs Registry Modification | Defense Evasion, Persistence | T1122 | https://attack.mitre.org/techniques/T1122/, https://wikileaks.org/ciav7p1/cms/page_13763373.html |
| SCM and DLL Hijacking Process | Lateral Movement | | https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 |
| Normal.dotm changed | Persistence | | https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/ |
| Control Panel Items | Defense Evasion, Execution | T1196 | https://attack.mitre.org/techniques/T1196/ |
| InstallUtil | Defense Evasion, Execution | T1118 | https://attack.mitre.org/techniques/T1118/ |
| Signed Script Proxy Execution | Defense Evasion, Execution | T1216 | https://attack.mitre.org/techniques/T1216/ |
| DHCP Callout DLL | Defense Evasion | T1073 | https://attack.mitre.org/techniques/T1073/, https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html |
| DNS Server Plugin has been loaded | Defense Evasion | | https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html |
| Compiled HTML File | Execution | T1223 | https://attack.mitre.org/techniques/T1223/ |
| Indicator Removal on Host | Defense Evasion | T1070 | https://attack.mitre.org/techniques/T1070/ |
| Indirect Command Execution | Defense Evasion | T1202 | https://attack.mitre.org/techniques/T1202/ |
| Signed Binary Proxy Execution | Execution | T1218 | https://attack.mitre.org/techniques/T1218/ |
| Change Default File Association | Persistence | T1042 | https://attack.mitre.org/techniques/T1042/ |
| UAC Bypass Dll Hijacking File Modification | Defense Evasion | T1088 | https://attack.mitre.org/techniques/T1088/, https://github.com/hfiref0x/UACME |
| UAC Bypass Dll Hijacking Process Start | Defense Evasion | T1088 | https://attack.mitre.org/techniques/T1088/, https://github.com/hfiref0x/UACME |
| UAC Bypass Dll Hijacking Process Injection | Defense Evasion | T1088 | https://attack.mitre.org/techniques/T1088/, https://github.com/hfiref0x/UACME |
| Process execution as System | Privilege Escalation | T1068 | https://attack.mitre.org/techniques/T1068/ |
| UAC Bypass with wusa.exe | Defense Evasion | T1088 | https://attack.mitre.org/techniques/T1088/, https://github.com/hfiref0x/UACME |
| UAC Bypass Sysprep WinSxS | Defense Evasion | T1088 | https://attack.mitre.org/techniques/T1088/, https://github.com/hfiref0x/UACME |
| UAC Bypass Shim Redirection | Defense Evasion | T1088 | https://attack.mitre.org/techniques/T1088/, https://github.com/hfiref0x/UACME |
| UAC Bypass Parent Process Start | Defense Evasion | T1088 | https://attack.mitre.org/techniques/T1088/, https://github.com/hfiref0x/UACME |
