Malware Threat Report 2021
BeyondTrust Labs Analysis of Ransomware and Phishing Trends & How to Mitigate Them

James Maude
Lead Cybersecurity Researcher
BeyondTrust
TABLE OF CONTENTS

Executive Summary
Security Challenges of 2020-2021
  The Increased Attack Surface - Bringing Threats Home
  The New Perimeter
  More Privileges, More Problems
  Privileged Application Vulnerabilities
  Summary of Security Challenges
Maturity of the Malware Ecosystem
  Human-Operated Ransomware
BeyondTrust Malware Labs - Analysis of Malware Threats
  Overview of Malware Strains
  Common Denominators
  Most Common Techniques After Initial Malware Execution
  Lab-Testing BeyondTrust Trusted Application Protection Against Top Malware Strains
Diving Into MITRE ATT&CK Framework Definitions & Mitigations
  T1047 Windows Management Instrumentation (WMI)
  T1204.002 User Execution: Malicious File
  T1059.001 PowerShell used for initial execution
  T1059.003 Windows Command Shell (CMD)
  Other Techniques
The 5 Critical Steps to Complete Endpoint Security
Additional Resources
Appendix: Threat Samples Tested

Note: The lab-based research in this report pertains only to Windows desktops and servers.
Executive Summary

This research report provides insights and analysis into threats and privileged account misuse on Windows devices across the globe. This research is from the same BeyondTrust Labs team that publishes the annual Microsoft Vulnerabilities Report.

This report is based on real-world monitoring and analysis of attacks between Q1 2020 and Q1 2021 discovered in the wild by the BeyondTrust Labs team, with collaboration from customers and incident response teams using BeyondTrust's products. In addition to general insights into the threat landscape, the report also dives into recurring threat themes and maps out Tactics, Techniques, and Procedures (TTPs) against the MITRE ATT&CK® Enterprise Framework.

BeyondTrust Labs explored the 58 techniques that the MITRE ATT&CK Framework lists for Cobalt Strike (threat emulation software): 66% of these techniques either recommend Privileged Account Management, User Account Management, or Application Control as mitigations, or list Administrator/SYSTEM accounts as a prerequisite for the technique to succeed. Control of privileges and application execution is therefore a key defensive measure in mitigating Cobalt Strike and tools/malware with similar capabilities, because it reduces the attack surface and denies code execution and privileged rights.
KEY FINDINGS

1. Absent the right protection, malware will disable endpoint security controls and undermine your security investment.
2. We are observing a growing trend in the use of native tools to perform fileless attacks in the initial stages, until a strong foothold and persistence mechanism is established and security controls have been disabled.
3. The MITRE ATT&CK Framework provides an effective way to distill a wide range of malware strains and cyberattacks into component techniques, which can then be mitigated.
4. BeyondTrust's out-of-the-box policies proactively disrupted all 150 different, common attack chains tested in our analysis.
5. Removal of admin rights and implementation of pragmatic application control are two of the most effective security controls for preventing and mitigating the most common malware threats.
Security Challenges of 2020-2021

The Increased Attack Surface: Bringing Threats Home

Security staples such as network monitoring and firewall technologies are becoming less effective as the perimeter shifts from the corporate office to the home office, or "work from anywhere" for that matter.

Over the past two decades, organizations invested significantly in shoring up their cyber defenses. Some of these investments have been rendered far less effective, even obsolete, due to the changes ushered in by the pandemic.

Email fatigue is greater than ever. The daily communications that once happened in person, or over the office phone, have shifted increasingly to emails, online meetings, and other communication tools. This means that users are not only seeing higher volumes of emails, but also receiving emails from a wider range of sources, such as:

- Colleagues they have never met
- Prospective suppliers
- New clients
- Other departments about policies, tools, and information needed to support home working
Despite the rise of modern collaboration software, most office communication still revolves heavily around sending and receiving emails with documents, links, or other attachments. For example, an HR team expects to receive resumes, and a finance department expects invoices or contracts.

The expectation of receiving legitimate communications via email, often from sources unknown or unanticipated, makes it easy for an attacker to tailor an email phishing campaign and achieve a high success rate. Departments with access to the most documents and data are often the most likely to fall victim to phishing efforts, subsequently leading to a ransomware or other malware attack.

Figure 1: Example of a COVID-19 themed phishing email linking to a malicious Word document
Consequently, threat actors launched highly successful campaigns that use targeted phishing emails to socially engineer the overwhelmed remote worker into entering their credentials or opening an infected document.

In BeyondTrust Labs, we observed a 200% increase in phishing emails, with the majority being COVID-19 themed.

The threat actors sending these emails impersonated a variety of government and non-government organizations, from the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC) to government departments and pharmaceutical companies.

These email campaigns prompted the Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA) and the World Health Organization (WHO) to issue communications warning users of the risks. The United Kingdom's National Cyber Security Centre also launched a campaign to be "Cyber Aware" following the takedown of 2,000 scams, including 471 fake online shops for COVID-19 related services.

WHO Communication Warning Users of Phishing Techniques

The World Health Organization will:
- Never ask for your username and password to access safety information
- Never email attachments you didn't ask for
- Never charge money to apply for a job, register for a conference, or reserve a hotel
- Never conduct lotteries or offer prizes, grants, certificates or funding through email
The New Perimeter

"Just like the ice wall in Game of Thrones, organizations spent years building a technological perimeter wall to keep threats out. Despite cries that 'the perimeter is dead,' they have continued to place a lot of faith (and investment) in it. The rapid transition to remote working, and the sudden dissolution of the perimeter, has forced an abrupt shift to focus on securing identities and end-user devices. IT departments are under pressure to upgrade capacities fast and this results in changing or replacing existing systems with little time to do thorough security tests. Vulnerabilities in the remote access infrastructure and access protocols may remain undetected and can be exploited in cyberattacks."

International Monetary Fund: Cybersecurity of Remote Work During the Pandemic

To adapt to social distancing initiatives or work from home policies, businesses were forced to accept unprecedented risks that would have been inconceivable a few months prior, just to continue operating and keep users productive.

In some cases, old desktop machines that no one ever imagined leaving the corporate network were being loaded into cars and taken home to potentially vulnerable networks that they were never intended to join.

A wide range of remote access tools and cloud services were hastily spun up, sometimes overnight or over a long, sleepless weekend.

In many cases, due to the speed of the deployments, users were all given broad access to data and systems, as businesses erred on the side of freedom and flexibility to ensure that users were able to work remotely.
Attackers overwhelmingly seek out the easy targets that will yield a fast payday. Thus, cybercriminals quickly capitalized on this sudden shift, rapidly identifying that not only had the attack surface vastly increased, but so had the access to data and systems. One of the outcomes of these factors was reflected in the surge of successful ransomware campaigns, as attackers were able to land and expand with newfound ease. Since the pandemic, there have been a third more ransomware families and 560,000 new pieces of malware detected every day (DataProt, 2021).

BeyondTrust Labs has also witnessed an increase in specialist Ransomware-as-a-Service (RaaS) operators, which not only provide services that lower the technical barriers for would-be cybercriminals, but are also far more capable of taking down large enterprises.

In this environment, it's hardly surprising that multimillion dollar ransoms are now commonplace. These ransoms are not just quick cash payouts, but seed rounds for the ransomware operators, who continue to invest in better infrastructure and in leveraging zero-day exploits.

Many organizations who previously had robust monitoring in place on the internal network, helping to identify malware traffic and lateral movement, have been blind to the new and evolving attack techniques. This is because so many endpoints now operate partially or fully outside of the network. To compound this problem, there was a nearly 900% surge in fileless malware attacks (Internet Security Report for Q4 2020, WatchGuard Technologies), which often involve attackers abusing native applications, like PowerShell, to perform tasks. This reduces the chance of detection, as many solutions are looking for new applications appearing rather than for existing, legitimate tools launching.
More Privileges, More Problems

Over the past few years, most organizations have been advancing toward a least privilege approach, where users are only allocated the privileges/privileged access they need to do their role. In many industries, this is now mandatory (NIST, PCI, HIPAA, etc.). Due to the effectiveness of this security control, it is expected that companies in other industries will follow.

Supporting the newly remote workforce presented organizations with many challenges around privileged access. For instance, seemingly trivial tasks, like installing printer drivers for the device in the home office, or the software needed for a new wireless headset, or updating the local time on a laptop, required local admin rights that users didn't have. To continue functioning without overwhelming support desks with calls and tickets, many organizations gave users access to local admin rights on a temporary or permanent basis, vastly increasing the security risk.

The International Monetary Fund (IMF) addressed this topic in a special series of notes warning of the potential cybersecurity risks brought about by remote working during the pandemic. This increased pervasiveness of local admin rights has made it significantly easier for common malware strains to use simple Elevation of Privilege (EoP) techniques to not only gain access to privileges on the system, but also use these privileges to disable or bypass existing security controls.

Thus, it's critical to remove local admin rights and apply more granularity around privileged access security controls.

"We were up against the clock on this one and ended up issuing work from home laptops with local admin rights for the old desktop user groups. We also had to react to an influx of support calls by granting temporary admin privileges to our existing laptop user groups. This was all because we didn't have a solution in place at the time. Privilege Management has quickly become our top priority."

Head of IT Ops, Engineering Firm
"Employees should not have administration rights on firm-owned notebooks, security hardened configurations and up-to-date endpoint security solutions should be in place, connection security parameters should be set according to good practices and should be locked, and the corporate remote access infrastructure should be tightly controlled."

International Monetary Fund: Cybersecurity of Remote Work During the Pandemic
Privileged Application Vulnerabilities

Alongside the increase in users with admin rights, we have observed a rising trend in software that does not properly manage privileges.

The 2021 edition of the BeyondTrust Labs annual Microsoft Vulnerabilities Report found the following:

- Elevation of Privilege (EoP) vulnerabilities increased 3x from 2019 to 2020
- These accounted for 44% of the 1,268 critical Microsoft vulnerabilities surveyed in 2020
- Remote Code Execution (RCE) was the next highest category (27% of the critical vulnerabilities)

The issue of improper privilege management has been highlighted by MITRE, who included CWE-269, Improper Privilege Management, in their "2020 CWE Top 25 Most Dangerous Software Weaknesses."

3X INCREASE in EoP vulnerabilities year over year, 2019-2020
44% of the critical Microsoft vulnerabilities surveyed in 2020 were EoP

CWE-269: Improper Privilege Management
"The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor."
Source: MITRE CWE
As shown in the chart below, this weakness has been trending upwards almost exponentially since 2016. Thus, it is more important than ever to control the privileges granted, not only at the user level, but at the application level, to prevent that sphere of control being created for a threat actor.

[Chart: Vulnerability Type Change by Year]

Figure 2: CWE-269 Improper Privilege Management has been vastly increasing since 2016. Source: NIST. This visualization is a slightly different view that emphasizes how the assignment of CWEs has changed from year to year.

However, the issues of improper privilege management are not just a Windows problem, as the data shown above tracks common weaknesses against a variety of software and operating systems. While it is not always possible to control how the software itself handles privileges, the principle of least privilege (POLP) can be directly applied to the application to control risk.

From restricted tokens to controlling child process inheritance, there are a variety of ways a robust endpoint privilege management solution can mitigate the risk of improper privilege management by applications.
Summary of Security Challenges

In 2020, the attack surface expanded massively due to:

- The expansion in use cases for granting access to privileges
- An increase in software affected by dangerous vulnerabilities, particularly improper privilege management
- The widespread use of remote access that resulted from a massive shift to remote working

Attackers shrewdly exploited these new cyber exposures, often using elevation of privilege attacks and sophisticated malware campaigns, frequently playing on the emotions and fears of users.

Threat actors work ceaselessly to evolve their operations and have matured significantly over the past year. In our next section, we will explore the continuing evolution of the cybercrime industry.
Maturity of the Malware Ecosystem

Parallel to legitimate software companies and the trend towards SaaS, threat actors are shifting to Malware-as-a-Service (MaaS) models, with specialists emerging in different areas, including enterprise credential sales, initial access to a target organization, lateral movement capability, or payload delivery.

As with any growth industry, we have seen a lot of changes in malware ecosystems and their economic models. Today, there are often many different pieces of malware that come together in an attack. A modern ransomware attack could be comprised of multiple threat actors, tools, and platforms.
For example:

- Threat actors rent the Necurs botnet and use it to distribute malicious spam
- The spam contains malicious documents that launch Trickbot
- Trickbot is used to harvest credentials, access emails, and for lateral movement across the network
- With widespread compromise of the target network, the threat actor sells backdoor access to the network to the highest bidder
- The buyer then deploys Ryuk ransomware via the Trickbot command and control servers

In this chain of events, we can see several malware players and their tools within their own specialties. This modular approach allows the malware authors to focus on excellence in one area.

This specialization not only drives innovation through competition, but also reduces the threat actor's risk. If one part of the chain is taken down, the other parts can quickly shift to another supplier. Alternatively, if you're a threat actor looking to avoid being blocked by antivirus (AV) tools, then you can just buy access to systems where Trickbot has already breached the network and disabled the AV software.

This approach makes modern malware considerably more resilient to takedown attempts, while also setting the technical bar for illicit entry much lower. After all, an attacker no longer has to be an accomplished developer, social engineer, or skilled hacker. They can now buy, rather than build, tools and use the MaaS platforms to orchestrate sophisticated malware campaigns.
Human-Operated Ransomware

As threat actors seek to maximize the disruption to organizations and extract the highest ransom payments, the ransomware model is shifting towards human-driven, enterprise-wide attacks.

Rather than create an automated worm that self-propagates across the network, the latest generation of ransomware-as-a-service (RaaS) will tread lightly, establishing a foothold in the network of a large organization. Using common penetration testing tools, such as Cobalt Strike or PowerShell Empire, they then survey the network and spread, using privilege escalation to gain control of critical systems and disable security controls, before finally encrypting key systems and exfiltrating data.

"Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors."

Microsoft: Human-operated Ransomware Attacks: A Preventable Disaster
The Evolution of Ransomware

Figure 3: How ransomware has evolved as it seeks out more critical data and systems as higher value targets

Timeline: Archievus (2005), Reveton (2012), Cryptolocker (2013), WannaCry (2017), REvil (2019), DarkSide (2021)

- Basic Ransomware: Automated, single endpoint
- Business Ransomware: Automated, single endpoint
- Enterprise Ransomware: Automated, multiple endpoints
- Tailored Ransomware: Manually orchestrated

2005, Individual Targeting: Archievus uses asymmetric encryption to encrypt files in the "Documents" folder, forcing the user to buy decryption through website purchases.

2013, Business Targeting: Cryptolocker starts using professional emails to target businesses. Ransoms data on a single endpoint.

2017, Enterprise Worm: WannaCry exploits CVE-2017-0145 to propagate across networks. Ransoms data across the entire network.

2019, Tailored Operations: Maximizing business disruption and pressure to pay a ransom, attacks become more tailored and less automated. Humans using pen-testing tools search the network for targets.

Over the past 15 years, ransomware attacks have shifted from targeting a few file types in a single folder on one endpoint, to widespread encryption of entire networks of systems. While taking down a big network and many systems can result in a more devastating attack and greater business impact, it also lengthens the attack chain, providing more opportunities to detect and prevent the attack.

From a defensive point of view, this latest evolution of ransomware makes it far more difficult to identify attacks by using traditional detection tools, as the attackers are less likely to use a generic payload. Instead, human-operated ransomware attacks involve a real person using professional tools.
This hands-on approach can wage a highly tailored attack on the target that frequently involves obfuscating code and leveraging fileless techniques to maintain a light footprint and to avoid triggering alarm bells while they explore the systems.

Fileless techniques may abuse native applications like PowerShell or .NET developer tools to run scripts and launch payloads, avoiding introducing new applications to disk that may be detected or blocked.

Figure 4: Example of a human-operated ransomware campaign observed in the wild

Human Operated Attack Chain

Attack Chain Phase | MITRE Framework Example | Observed Activity
Access Environment / Initial Access | T1566 Phishing | Trickbot via phishing email
Execution & Local Elevation | T1548.002 UAC Bypass | Cobalt Strike or PowerShell Empire
Persist, Recon, Traverse and Spread:
  Credential Access | T1134 Access Token Manipulation; T1003 & T1003.001 Credential Dumping (LSASS Memory) | Using LaZagne, Mimikatz or other tools
  Privilege Escalation | T1055 Process Injection | Control over valid admin accounts
  Persistence | T1053 Scheduled Task/Job; T1078 Valid Accounts: Domain Accounts | New Domain Admin (DA) accounts
  Discovery | T1087 Account Discovery; T1033 System Owner/User Discovery | Recon and enumeration using BloodHound
  Lateral Movement | T1035 Service Execution (since folded into T1569.002 System Services: Service Execution) | PsExec or other tools
  Defense Evasion | T1562 Impair Defenses | Tampering with A/V & security services
Execute Objective / Impact | T1486 Data Encrypted for Impact | Invoke Ryuk ransomware payload

The Role of Privilege Management for Windows:
- Prevents PowerShell from being launched from a phishing attachment
- Prevents access to local admin rights, mitigating credential access, privilege escalation and defense evasion
- Prevents the malware payload from executing
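The process-creation checks that the privilege-management column of Figure 4 describes (a phishing attachment launching PowerShell, a script host holding admin rights), together with the fileless PowerShell, WMI and defence-tampering behaviour discussed earlier in this section, as an added detection example that is not part of the report and not BeyondTrust product logic. It runs over constructed Sysmon-style Event ID 1 (process create) records; the pipe-delimited record format, the parent/child rules, the regular expressions and the sample events are all this example's own assumptions, not real telemetry or a vendor rule set.

```python
"""Process-creation triage for the attack chain in Figure 4.

Added example, not code from the BeyondTrust report or from its products.
It applies two checks the figure attributes to privilege management (a
phishing attachment launching PowerShell, and a script host running with an
admin token) plus a few command-line heuristics to constructed Sysmon-style
Event ID 1 (process create) records. The pipe-delimited record format, the
parent/child rules and the sample events are this example's own assumptions,
not real telemetry or a vendor rule set.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "wmic.exe"}
ELEVATED = {"high", "system"}   # Sysmon IntegrityLevel values for admin / SYSTEM tokens

# -e, -ec, -enc and -EncodedCommand take a base64 script; -ep (ExecutionPolicy) must not match
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s")
DOWNLOAD_RE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression")
# Defence tampering as in the figure's T1562 row: Defender switched off or AV services stopped
TAMPER_RE = re.compile(r"(?i)set-mppreference\s+-disablerealtimemonitoring"
                       r"|\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+\S*(?:sense|windefend|mpssvc)")


@dataclass(frozen=True)
class ProcEvent:
    image: str          # basename of the created process, lower-case
    parent_image: str   # basename of the parent process, lower-case
    command_line: str
    integrity: str      # low / medium / high / system


def parse_event(record: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record (a constructed format, not Sysmon XML)."""
    fields = dict(kv.split("=", 1) for kv in record.split("|"))

    def basename(path: str) -> str:
        return path.rsplit("\\", 1)[-1].lower()

    return ProcEvent(basename(fields["Image"]), basename(fields["ParentImage"]),
                     fields["CommandLine"], fields["IntegrityLevel"].lower())


def classify(ev: ProcEvent) -> list[str]:
    """Return ATT&CK-labelled findings for one event; an empty list means nothing notable."""
    findings = []
    if ev.parent_image in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        findings.append("T1204.002 Office application spawned a script host")
    if ev.parent_image == "wmiprvse.exe" and ev.image in SCRIPT_HOSTS:
        findings.append("T1047 script host spawned by the WMI provider host")
    if ev.image in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_RE.search(f" {ev.command_line} "):
            findings.append("T1059.001 PowerShell with an encoded command")
        if DOWNLOAD_RE.search(ev.command_line):
            findings.append("T1059.001 PowerShell download/eval cradle")
    if ev.parent_image == "services.exe" and ev.image.startswith("psexesvc"):
        findings.append("T1569.002 PsExec-style service execution (the figure's T1035)")
    if TAMPER_RE.search(ev.command_line):
        findings.append("T1562.001 security tooling disabled or stopped")
    if ev.image in SCRIPT_HOSTS and ev.integrity in ELEVATED:
        findings.append("script host running with an elevated token")
    return findings


def triage(records: list[str]) -> dict[int, list[str]]:
    """Map record index -> findings for every record that produced at least one."""
    result = {}
    for i, rec in enumerate(records):
        found = classify(parse_event(rec))
        if found:
            result[i] = found
    return result


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # 0: Word document launching hidden, encoded PowerShell as a standard user
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"
    r"|IntegrityLevel=Medium",
    # 1: benign admin script launched from Explorer; -ExecutionPolicy must not trip the -e check
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"
    r"|IntegrityLevel=Medium",
    # 2: cmd.exe spawned through WMI, already holding a high-integrity token
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe"
    r"|CommandLine=cmd.exe /c whoami /all|IntegrityLevel=High",
    # 3: PsExec service binary started by the Service Control Manager
    r"Image=C:\Windows\PSEXESVC.exe|ParentImage=C:\Windows\System32\services.exe"
    r"|CommandLine=C:\Windows\PSEXESVC.exe|IntegrityLevel=System",
    # 4: elevated PowerShell turning off Defender real-time protection
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
    r"|IntegrityLevel=High",
]

if __name__ == "__main__":
    for idx, found in triage(SAMPLE_EVENTS).items():
        print(idx, *found, sep="\n    ")
```

The first and last checks in `classify` are the two that an application-control and least-privilege policy would turn from detections into preventions: if Office applications are not permitted to spawn script hosts and standard users have no path to a high-integrity token, records 0, 2 and 4 never occur. The parent-image check is deliberately keyed on the process tree rather than on the PowerShell command line, because encoding and obfuscation change the command line but not who launched the interpreter.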
As shown in the attack chain chart above, there are many stages in a human-operated ransomware campaign as the attacker seeks deeper access and control of the network.

Starting from the phishing email, the attack will exploit privileges and the ability to execute applications like PowerShell to "land and expand," eventually leading to total compromise of large enterprises.

Professional tools, such as Cobalt Strike, offer an attacker several techniques for executing code, capturing credentials, and moving laterally within a network. Such tools are popular with threat actors. APT29, Wizard Spider, and Chimera are just a few of the threat groups that have been observed using Cobalt Strike as part of their attacks.

MITRE has mapped the functionality of Cobalt Strike and recommends Privileged Account Management (M1026) and Execution Prevention (M1038) as mitigations against a range of the tool's techniques. In fact, if we take a deeper look at the 58 techniques MITRE lists for Cobalt Strike, 66% of them either recommend using Privileged Account Management, User Account Management, or Application Control as a mitigation, or list Administrator/SYSTEM accounts as a prerequisite for the technique to succeed. Therefore, the control of privileges and application execution is a key defensive measure in mitigating this specific tool, and ones similar to it, through a reduction in the attack surface and denying code execution and privileged rights.
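How a coverage figure like the 66% above can be reproduced from ATT&CK data, as an added example that is not the report's own tooling. MITRE publishes ATT&CK as STIX 2 bundles in which a `tool` object is linked to `attack-pattern` objects by `uses` relationships, a `course-of-action` (mitigation) is linked to an attack-pattern by `mitigates`, and the bundles of that era carried an `x_mitre_permissions_required` list on each attack-pattern. The code joins those three relations and applies the report's criterion. `BUNDLE` is a hand-built fragment with that shape: the object IDs, the ten-technique selection, their mitigations and their permission lists are assumptions for illustration, so the percentage it returns is not the report's 66% over the real 58-technique mapping.

```python
"""Reproduce the coverage calculation above on a small, constructed ATT&CK fragment.

Added example, not the report's own analysis tooling. The bundle below is a
hand-built fragment in the shape of MITRE's ATT&CK STIX data: the object IDs,
technique selection, mitigations and permission lists are assumptions for
illustration, not the real 58-technique Cobalt Strike mapping.
"""
from collections import defaultdict

# The three mitigation families the report counts ("Application Control" is ATT&CK's M1038)
PRIV_MITIGATIONS = {"M1026", "M1018", "M1038"}
ADMIN_PERMS = {"Administrator", "SYSTEM"}


def _technique(tid, perms):
    return {"type": "attack-pattern", "id": f"attack-pattern--{tid}",   # real IDs are UUIDs
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "x_mitre_permissions_required": perms}


def _mitigation(mid):
    return {"type": "course-of-action", "id": f"course-of-action--{mid}",
            "external_references": [{"source_name": "mitre-attack", "external_id": mid}]}


def _rel(kind, src, dst):
    return {"type": "relationship", "relationship_type": kind, "source_ref": src, "target_ref": dst}


TOOL = {"type": "tool", "id": "tool--cobalt-strike-example", "name": "Cobalt Strike"}
_PERMS = {  # technique -> permissions required (constructed values)
    "T1059.001": ["User", "Administrator"], "T1003.001": ["Administrator", "SYSTEM"],
    "T1055": ["User", "Administrator", "SYSTEM"], "T1566": ["User"], "T1087": ["User"],
    "T1134": ["Administrator"], "T1562.001": ["Administrator"], "T1033": ["User"],
    "T1053.005": ["Administrator"], "T1047": ["User", "Administrator"],
}
_MITIGATES = [  # (mitigation, technique) pairs (constructed values)
    ("M1038", "T1059.001"), ("M1042", "T1059.001"), ("M1026", "T1003.001"), ("M1028", "T1003.001"),
    ("M1040", "T1055"), ("M1049", "T1566"), ("M1031", "T1566"), ("M1028", "T1087"),
    ("M1026", "T1134"), ("M1018", "T1134"), ("M1022", "T1562.001"), ("M1024", "T1562.001"),
    ("M1018", "T1053.005"), ("M1026", "T1053.005"), ("M1026", "T1047"), ("M1018", "T1047"),
]
BUNDLE = {"type": "bundle", "objects": (
    [TOOL]
    + [_technique(t, p) for t, p in _PERMS.items()]
    + [_mitigation(m) for m in sorted({m for m, _ in _MITIGATES})]
    + [_rel("uses", TOOL["id"], f"attack-pattern--{t}") for t in _PERMS]
    + [_rel("mitigates", f"course-of-action--{m}", f"attack-pattern--{t}") for m, t in _MITIGATES]
)}


def attack_id(obj):
    """External ID (T1055, M1026, ...) from an object's mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise KeyError(obj["id"])


def privilege_coverage(bundle, tool_name):
    """Return (covered, uncovered, percent): techniques the tool uses that either carry a
    privilege/app-control mitigation or require only Administrator/SYSTEM to succeed."""
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    tool_ids = {i for i, o in objs.items() if o["type"] == "tool" and o["name"] == tool_name}
    used = {r["target_ref"] for r in rels
            if r["relationship_type"] == "uses" and r["source_ref"] in tool_ids}
    mitigated_by = defaultdict(set)
    for r in rels:
        if r["relationship_type"] == "mitigates" and r["target_ref"] in used:
            mitigated_by[r["target_ref"]].add(attack_id(objs[r["source_ref"]]))
    covered, uncovered = set(), set()
    for ap in used:
        perms = set(objs[ap].get("x_mitre_permissions_required", []))
        # "prerequisite" is read strictly: every listed level must be Administrator or SYSTEM
        needs_admin = bool(perms) and perms <= ADMIN_PERMS
        has_priv_mitigation = bool(PRIV_MITIGATIONS & mitigated_by[ap])
        (covered if needs_admin or has_priv_mitigation else uncovered).add(attack_id(objs[ap]))
    percent = 100.0 * len(covered) / len(used) if used else 0.0
    return covered, uncovered, percent


if __name__ == "__main__":
    cov, uncov, pct = privilege_coverage(BUNDLE, "Cobalt Strike")
    print(f"{len(cov)} of {len(cov) + len(uncov)} techniques ({pct:.0f}%) covered: {sorted(cov)}")
```

The strict reading of "prerequisite" in `needs_admin` matters: a technique whose permission list is `["User", "Administrator"]` can succeed from a standard-user token, so removing admin rights alone does not defeat it, and it is only counted when one of the three mitigation families is also attached. Against the real enterprise-attack bundle the same join runs over the `uses` relationships of the actual Cobalt Strike `tool` object, and the percentage will differ from this constructed fragment's.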
"Trickbot, and the Ryuk operators, also take advantage of users running as local administrators in environments and use these permissions to disable security tools that would otherwise impede their actions."

Microsoft: Human-operated Ransomware Attacks: A Preventable Disaster
While ransomware has clearly evolved, the fundamental needs to execute code and leverage privileges have largely remained consistent. Whether it is basic ransomware hitting a single endpoint, or a sophisticated, tailored attack, the benefits of proactively reducing the attack surface by removing admin accounts and controlling application execution are universal.

When it comes to human-operated ransomware, one of the attacker's key objectives is to find accounts with local admin rights. Attackers exploit these accounts to disable security controls and steal credentials that allow them to move laterally, deeper and deeper into an environment.

The example attack chain shown in Figure 4 could have been thwarted at an early stage by simply preventing the phishing document from launching PowerShell and eliminating the local admin rights to prevent credential dumping.

We also want to highlight the importance of mitigating credential dumping techniques, as these are often critical steps for an attacker to perform discovery, lateral movement, persistence, and defensive evasion. The attacker's goal is to "land and expand"; a simple path to privileged credentials makes this far easier to achieve. When you mitigate the attacker's ability to execute and perform credential dumping, you don't just mitigate those techniques, but also a broad range of other ones that hinge on credential access to succeed.
BeyondTrust Malware Labs: Analysis of Malware Threats

(May 20