URL: https://gbhackers.com/soc-defense-attack-chain/
SOC FIRST DEFENSE – UNDERSTANDING THE CYBER ATTACK CHAIN – A DEFENSE WITH/WITHOUT SOC

By Bhuvanesh Prabhakaran - June 26, 2023

This article will help you understand modern cyber threats from the SOC's point
of view and the attack surfaces most commonly used by malware and cyber-attacks.

Most cyber-attacks are executed in stages, so the SOC team must understand the
attack patterns and the attack chain.



Breaking the attack chain, and so denying the criminal his goal, reduces the
business impact of data loss. This will not give you a 100% defense plan or a
complete blue-team guide for your organization.

It provides brief information on the attack vectors, and every SOC team must
build a defense mechanism for each of them as an initial stage of security
monitoring.

These steps can also be followed by network security teams in small-scale
industries or smaller firms that cannot afford a SOC, and will help them build
a first defensive wall.

Also see: Complete – Cyber Attack Intrusion Training for SOC Analyst


3 MAJOR FACTS YOU NEED TO KEEP IN MIND

Cybercriminals always plan ahead of your security controls.

1.) Don't give everything to the attacker easily; make it harder for him to get
it. (Control measures in the network)
2.) Don't leave legitimate but abusable applications enabled if they are not in
use; attackers routinely use the legitimate applications already present in the
network. (Abuse of LOLBins)
3.) Don't assume attackers rely on a single piece of code; they work in attack
stages, with more commands and functionality at each step. (Cyber kill chains)

So the defense mechanisms you have to build depend on your environment.



1.) Defending against malware delivery – entering your organization's network.
2.) If malware is delivered successfully, how will you defend against its
lateral movement and persistence? – moving inside your organization's network.
3.) If the attacker accomplishes all his activities, his final stage is
exfiltration or breach – leaving your organization's network.

Fig: This is not the Cyber Kill Chain; it is a basic phase model of an attack.

Let's break down the stages and look at the defense mechanisms for each, to
ensure protection against common infection vectors.


STAGE 1: DELIVERY OF MALWARE/MALSPAM

In every organization, firewalls/IPS and email gateways play a vital role in
defending against malware delivery. But in recent times these controls are
routinely defeated by attackers.

Modern cyber-attacks are not a single stage; malware is delivered to an
organization in stages of infection. First, the attacker lures the victim into
clicking a URL that is not itself malicious; it redirects to the
command-and-control (CnC) server, which drops the payloads. A perimeter control
that inspects only the first hop never sees the later stages, so they are hard
to block with traditional defense systems alone.

The two major entry points:
1.) Email delivery – MalSpam, spear phishing, email campaigns
2.) RDP entry points

A.) Commonly used email attachments in most email campaigns:
1. .vbs (VBScript file)
2. .js (JavaScript file)
3. .exe (executable)
4. .jar (Java archive file)
5. .docx, .doc, .dot (Office documents)
6. .html, .htm (web page files)
7. .wsf (Windows script file)
8. .pdf
9. .xml (Excel XML spreadsheet, opened by Office)
10. .rtf (rich text format file, opened by Office)

Block unwanted and unauthorized email attachment extensions. Gmail blocks the
following extensions, and they can be blocked in your organization too: .ade,
.adp, .bat, .chm, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .ins, .isp, .jar,
.js, .jse, .lib, .lnk, .mde, .msc, .msi, .msp, .mst, .nsh, .pif, .scr, .sct,
.shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh. Remember that attackers
also wrap these files inside archives (.zip, .rar, .7z, .iso), so inspect
archive contents as well.

B.) Restrict employees from running scripts at the endpoint level.
C.) User awareness of spam emails and adequate training.
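As an added example (not code from the article), the following PowerShell implements the two controls above: a check of attachment names against the Gmail-style block list that also catches the usual tricks (double extensions, trailing dots, mixed case, alternate data stream suffixes), and a change of the script file handlers so that a double-clicked .js/.vbs/.wsf file opens in Notepad instead of the Windows Script Host. The attachment names in $sample are constructed test data.

```powershell
# Added example, not from the article. Run the handler change as administrator.

$BlockedExtensions = @(
    '.ade','.adp','.bat','.chm','.cmd','.com','.cpl','.dll','.dmg','.exe','.hta',
    '.ins','.isp','.jar','.js','.jse','.lib','.lnk','.mde','.msc','.msi','.msp',
    '.mst','.nsh','.pif','.scr','.sct','.shb','.sys','.vb','.vbe','.vbs','.vxd',
    '.wsc','.wsf','.wsh'
)

function Test-BlockedAttachment {
    param([Parameter(Mandatory)][string]$FileName)

    # Normalise tricks that defeat a naive "ends with" check:
    #  - drop an NTFS alternate data stream suffix (payload.js:Zone.Identifier)
    #  - drop trailing dots/spaces, which Windows silently removes on save
    #  - compare case-insensitively
    $name = ($FileName -split ':')[0].TrimEnd('.', ' ').ToLowerInvariant()
    $ext  = [System.IO.Path]::GetExtension($name)

    # "invoice.pdf.exe" is caught by its real (last) extension; "notes.exe.txt"
    # is not executable but a blocked extension in the middle is worth a review.
    $segments = $name -split '\.'
    $inner = if ($segments.Count -gt 2) { '.' + $segments[-2] } else { $null }

    [pscustomobject]@{
        FileName = $FileName
        Blocked  = $BlockedExtensions -contains $ext
        Suspect  = [bool]($inner -and ($BlockedExtensions -contains $inner))
    }
}

# Constructed attachment names, the kind a mail gateway sees every day
$sample = 'Invoice_2023.pdf', 'Report.docx', 'scan.PDF.exe', 'setup.exe.',
          'payload.js:Zone.Identifier', 'notes.exe.txt', 'quote.wsf'
$sample | ForEach-Object { Test-BlockedAttachment $_ } | Format-Table -AutoSize

# Item B above: neutralise script file handlers on the endpoint so that a
# user who double-clicks a script sees its source instead of running it.
function Disable-ScriptFileHandlers {
    $progIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
    foreach ($id in $progIds) {
        $key = "HKLM:\SOFTWARE\Classes\$id\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' `
                -Value '"%SystemRoot%\system32\notepad.exe" "%1"'
        }
    }
}

Disable-ScriptFileHandlers
```

The handler change stops only the double-click path; wscript.exe and cscript.exe can still run a script from the command line, which is why it is paired with AppLocker or SRP later in the article.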

RDP – Remote Desktop Protocol (port 3389). Identifying servers with exposed RDP
services (port 3389 is the default) has been made incredibly easy by scanning
tools like Shodan and Masscan.

From there, it is simply a matter of applying brute-forcing tools like NLBrute
to crack the RDP account credentials, and attackers are in. Alternatively, if
attackers are feeling especially lazy they can simply head over to an
underground market such as xDedic, where RDP access to a compromised server can
cost as little as $6.

RDP has become a favorite infection vector for ransomware criminals in
particular, with the actors behind SamSam, CrySiS, LockCrypt, Shade, Apocalypse,
and other variants all getting in on the act.

Defense mechanisms against RDP abuse:
• Restrict access via firewalls (allow RDP only from management networks, or
only through a VPN or jump host)
• Use strong passwords and 2FA/MFA
• Limit the users who can log in using RDP
• Set an account lockout policy to counter brute-force attacks
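The four RDP controls above as an added PowerShell example (not from the article), plus the detection a SOC would pair with them: failed RDP logons (event 4625) grouped by source address. The admin subnet 10.10.0.0/24 and the 20-failures-per-hour threshold are assumptions to be replaced with your own values; run in an elevated shell on the RDP host.

```powershell
# Added example, not from the article. 10.10.0.0/24 stands in for your
# management/jump-host subnet.

$AdminSubnet = '10.10.0.0/24'

function Set-RdpHardening {
    # 1. Restrict access via firewall: disable the permissive built-in rules
    #    and allow 3389 only from the admin subnet.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP from admin subnet only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow | Out-Null

    # 2. Require Network Level Authentication so credentials are checked before
    #    a session (and its attack surface) is created. Pair with MFA at the
    #    gateway/VPN; RDP itself has no second factor.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name 'UserAuthentication' -Value 1

    # 3. Limit who may log in over RDP: explicit members only, never a
    #    catch-all group.
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Where-Object { $_.Name -match 'Domain Users|Everyone|Authenticated Users' } |
        ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }

    # 4. Lockout policy against tools like NLBrute: 5 failures in 30 minutes
    #    lock the account for 30 minutes. On a domain member set this in the
    #    domain policy instead; the local setting is overridden there.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Get-RdpBruteForceSources {
    # Detection: 4625 failures by source IP. LogonType 10 = RemoteInteractive;
    # with NLA enabled a rejected logon is recorded as LogonType 3 instead,
    # so both are included.
    param([int]$Threshold = 20, [int]$Minutes = 60)

    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
      ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
            Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
      } |
      Where-Object { $_.LogonType -in @('10', '3') -and $_.Source -ne '-' } |
      Group-Object Source |
      Where-Object { $_.Count -ge $Threshold } |
      Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count,
                    @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Set-RdpHardening
Get-RdpBruteForceSources | Format-Table -AutoSize
```

A source that tries many distinct accounts with a handful of attempts each (password spraying) stays under a per-account lockout threshold, which is why the detection groups by source IP and reports the account list rather than relying on lockouts alone.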


STAGE 1A: RETRIEVAL OF PAYLOADS FROM COMMAND & CONTROL SERVERS.

In recent campaigns, email remains a viable option for attackers to lure the
victim into clicking malicious links dressed up with attractive words or images.
In some scenarios the email is only the first stage: it lures the victim into
running a script, which abuses the user's own applications to download the
payload for the second stage of infection. Disabling or restricting those
legitimate resources from downloading files from the Internet can help prevent
payload retrieval.

Attackers love to abuse legitimate Microsoft Office applications to accomplish
their goals, because
1.) Office applications are universally accepted. Most attachment names used by
attackers in email are business documents (Invoice, Spreadsheet, Reports,
Balance Sheets, Documents, Tenders).
2.) Office apps are easy to weaponize. Microsoft's built-in capabilities attract
attackers, who use them in ever more ways.

HOW DO ATTACKERS ABUSE MICROSOFT APPLICATIONS TO RETRIEVE PAYLOADS?

A.) Macros – disable or restrict
B.) Object Linking and Embedding (OLE) – disable or restrict
C.) Dynamic Data Exchange (DDE) – disabled by default in Word by a Microsoft
security update; still needs to be disabled in Excel and Outlook
D.) Exploiting Equation Editor – CVE-2017-11882 – the component was removed in
the January 2018 security update

Not only Microsoft Office applications: attackers also use other legitimate
applications and Windows built-in tools to retrieve payloads.

A.) VBScript and JavaScript – disable them if not needed
B.) PowerShell – disable it, or reduce its capabilities using AppLocker or
Windows Software Restriction Policy (SRP)
C.) Abuse of certutil.exe, mshta.exe, regsvr32.exe, bitsadmin.exe, and curl.exe –
block the applications, or at least block them from making outbound requests

The following legitimate applications can be used to circumvent application
whitelisting; either blocking them or keeping them under monitoring is
recommended.

Fig: Reference
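The Office and LOLBin mitigations from the two lists above, as an added PowerShell example (not from the article). It assumes Office 2016 or later (registry version key 16.0); the HKCU values are shown for a single user and would be deployed through Group Policy in practice. Registry value names follow Microsoft's published guidance for macros, packager objects, DDE (ADV170021) and the Equation Editor kill bit; verify them against current documentation before rolling out.

```powershell
# Added example, not from the article. Run elevated for the HKLM and firewall parts.

$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365

function Set-OfficeHardening {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $pol  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $user = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $pol  -Force | Out-Null
        New-Item -Path $user -Force | Out-Null
        # A) Macros. VBAWarnings: 1=enable all, 2=disable with notification,
        #    3=only digitally signed, 4=disable all without notification
        Set-ItemProperty $pol -Name 'VBAWarnings' -Value 3 -Type DWord
        #    Block macros in files carrying the Mark-of-the-Web (downloaded/emailed)
        Set-ItemProperty $pol -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # B) OLE packager objects: 2 = no prompt, do not activate
        Set-ItemProperty $user -Name 'PackagerPrompt' -Value 2 -Type DWord
    }
    # C) DDE (ADV170021). Word: AllowDDE 0 = disabled. Outlook renders mail with
    #    Word, so its setting lives under the Word key. Excel: no DDE server
    #    launch or lookup.
    $word = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security"
    $mail = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options\WordMail"
    $xl   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security"
    foreach ($k in $word, $mail, $xl) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty $word -Name 'AllowDDE' -Value 0 -Type DWord
    Set-ItemProperty $mail -Name 'DontUpdateLinks' -Value 1 -Type DWord
    Set-ItemProperty $xl   -Name 'DisableDDEServerLaunch' -Value 1 -Type DWord
    Set-ItemProperty $xl   -Name 'DisableDDEServerLookup' -Value 1 -Type DWord
    # D) Equation Editor (CVE-2017-11882): COM kill bit for the Equation.3 class,
    #    for hosts that have not received the update that removes EQNEDT32.EXE
    $eqn = 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}'
    New-Item -Path $eqn -Force | Out-Null
    Set-ItemProperty $eqn -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

function Block-LolbinOutbound {
    # Deny outbound traffic from binaries routinely abused as downloaders.
    # Caveat: bitsadmin.exe only queues a job; the BITS service (inside
    # svchost.exe) performs the transfer, so a rule on bitsadmin.exe does not
    # stop the download. Alert on BITS job creation instead (Get-BitsTransfer
    # -AllUsers, or the Bits-Client/Operational log).
    $lolbins = 'certutil.exe', 'mshta.exe', 'regsvr32.exe', 'bitsadmin.exe', 'curl.exe'
    foreach ($bin in $lolbins) {
        foreach ($dir in 'System32', 'SysWOW64') {
            New-NetFirewallRule -DisplayName "Block outbound $dir\$bin" -Direction Outbound `
                -Program "%SystemRoot%\$dir\$bin" -Action Block -Profile Any | Out-Null
        }
    }
}

Set-OfficeHardening
Block-LolbinOutbound
```

Before enforcing the outbound rules, check that nothing legitimate depends on them: certutil is used by certificate enrolment scripts and curl ships with Windows 10 1803+ and is used by some installers. Blocking at the firewall stops the download stage but not local abuse (for example regsvr32 loading a script from a file already on disk), so the rules complement, rather than replace, application control.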


STAGE 2: ENSURE THE MALWARE IS NOT GETTING EXECUTED AND SPREAD OVER THE
ORGANIZATION



Traditionally, organizations have relied on antivirus (AV) software to prevent
malware from running.

Attacks have evolved to bypass or evade AV. To be effective, endpoint protection
software should use machine learning for smarter file analysis together with
real-time analysis of system activity, designed to detect and block malicious
behaviors rather than only known files.

Application whitelisting is another good layer, but it can be difficult to
maintain. Attackers can bypass whitelisting and many AV/NGAV solutions by
injecting malicious code into the memory space of a legitimate, approved
process, thereby hijacking its privileges and executing under its guise.

There are a variety of injection techniques attackers can use: DLL injection,
reflective DLL injection, process hollowing, process doppelgänging, AtomBombing,
etc.

Defenses against malware execution in your environment:

1.) Endpoint protection.
2.) Application whitelisting.
3.) If possible, disable or restrict users from running scripts.
4.) Controlled folder access (Windows Defender).
5.) To catch injection techniques, monitor processes and API calls (remote
thread creation and cross-process memory access in particular).
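An added PowerShell example (not from the article) covering the five items above with the tooling built into Windows: Defender attack surface reduction rules and controlled folder access for items 1 and 4, an AppLocker script policy for items 2 and 3, and a Sysmon query for the injection behaviours in item 5. It assumes Windows 10 / Server 2019 or later with Microsoft Defender as the active AV, and Sysmon installed with a configuration that logs events 8, 10 and 25. The ASR rule GUIDs are Microsoft's published identifiers; confirm them against the current ASR reference.

```powershell
# Added example, not from the article. Run elevated.

function Enable-DefenderExecutionControls {
    # Attack Surface Reduction rules (GUID = rule, names from Microsoft's reference)
    $asr = @{
        'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
        '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
        '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
        'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
        '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    }
    # Start in AuditMode, review event 1122 in Microsoft-Windows-Windows
    # Defender/Operational for false positives, then switch to Enabled (block).
    foreach ($id in $asr.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
    # Item 4: only trusted apps may write to protected folders (ransomware brake)
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

function Set-ScriptAppLockerPolicy {
    # Items 2/3: once the Script collection is enforced, anything not allowed
    # here (Downloads, Temp, mail attachments, USB) is denied for non-admins.
    # Before deploying, add Exceptions for user-writable folders under %WINDIR%
    # such as \Temp and \Tasks, which attackers use to slip past a path rule.
    $policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="Scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Administrators: all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
    $file = Join-Path $env:TEMP 'script-policy.xml'
    Set-Content -Path $file -Value $policy
    # Enforcement requires the Application Identity service
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $file
}

function Get-InjectionIndicators {
    # Item 5. Sysmon 8 = CreateRemoteThread, 10 = ProcessAccess (handle to
    # another process, e.g. lsass with write rights), 25 = ProcessTampering
    # (hollowing/herpaderping). Tune the exclusion list to your AV/EDR.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 8, 10, 25 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Source = ($d | Where-Object Name -eq 'SourceImage').'#text'
            Target = ($d | Where-Object Name -in 'TargetImage', 'Image').'#text'
        }
      } |
      Where-Object { $_.Source -notmatch '\\(MsMpEng|csrss|wininit|services)\.exe$' }
}

Enable-DefenderExecutionControls
Set-ScriptAppLockerPolicy
Get-InjectionIndicators | Format-Table -AutoSize
```

Keep the ASR rules in audit mode for at least a business cycle: the "Office child processes" rule in particular fires on legitimate add-ins and printing workflows, and turning it to block without that baseline is how application control projects get rolled back.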


STAGE 3: ENSURE YOUR DATA AREN’T EXFILTRATED OR BREACHED AT/AFTER THE FINAL
STAGE OF THE ATTACK CHAIN



Once attackers have initial access, their attention turns to post-exploitation
activities. To continue operating under the radar, attackers prefer "living off
the land": using legitimate tools and processes already present on the system.
One of the first goals of post-exploitation is typically privilege escalation,
the process of gaining additional rights and access, followed by persistence.

Attackers can abuse system tools and functionality to create various load
points, including storing scripts in the registry.

A growing number of malware variants are designed to propagate automatically,
often by abusing remote administration tools.

The strategy is to abuse legitimate programs and built-in functionality in
order to carry out malicious activities without raising red flags. Some of the
most commonly abused tools are PowerShell, Windows Management Instrumentation
(WMI), and remote administration tools like PsExec.
ATTACKER TECHNIQUES AND DEFENSE MECHANISMS:

1.) Abusing programs designed to auto-elevate
a.) Use the highest UAC enforcement level whenever possible.
b.) Enable Admin Approval Mode.
c.) Remove users from the local Administrators group.
2.) DLL hijacking
a.) Endpoint protection software.
b.) Disallow loading of remote DLLs.
c.) Enable Safe DLL Search Mode.
3.) Privilege escalation exploits (token stealing, exploiting NULL pointer
dereference vulnerabilities, setting security descriptors to NULL, etc.)
a.) Endpoint protection software with user-space, kernel-space, and CPU-level
visibility.
4.) Dumping credentials
a.) Disable credential caching.
b.) Disable or restrict PowerShell with AppLocker.
c.) Practice least privilege and avoid credential overlap between systems.
d.) Endpoint protection software that protects LSASS and other credential
stores.
5.) Lateral movement techniques (abusing remote administration tools, etc.)
a.) UAC settings recommendations.
b.) Network segmentation best practices (ref: SANS).
c.) Two-factor authentication (2FA).
6.) Hiding malicious scripts in the registry
a.) Monitor with Autoruns.
7.) Creating malicious scheduled tasks
a.) Monitor for Windows Security Log Event ID 4698 (a scheduled task was
created).
8.) Abusing WMI to trigger script execution based on events (at startup, etc.)
a.) Create defensive WMI event subscriptions.
b.) When possible, set a fixed port for remote WMI and block it.
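An added PowerShell example (not from the article) that implements the registry hardening behind items 1, 2 and 4 and the detection checks behind items 6, 7 and 8. It assumes an elevated shell, that the "Audit Other Object Access Events" subcategory is enabled (otherwise event 4698 is never written), and uses 10.10.0.0/24 as a stand-in for the admin subnet. The path filter in Get-ScheduledTaskCreations is a starting heuristic, not a complete rule.

```powershell
# Added example, not from the article. Run elevated.

function Set-PostExploitationHardening {
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # 1a/1b: UAC on, admins prompted for consent on the secure desktop
    Set-ItemProperty $uac -Name 'EnableLUA' -Value 1 -Type DWord
    Set-ItemProperty $uac -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty $uac -Name 'PromptOnSecureDesktop' -Value 1 -Type DWord
    # 2b/2c: safe DLL search order; no DLL loads from a remote/WebDAV working directory
    Set-ItemProperty $sm -Name 'SafeDllSearchMode' -Value 1 -Type DWord
    Set-ItemProperty $sm -Name 'CWDIllegalInDllSearch' -Value 2 -Type DWord
    # 4a/4d: no cached domain logons (servers/jump hosts), LSASS as a protected process
    Set-ItemProperty $wl  -Name 'CachedLogonsCount' -Value '0'
    Set-ItemProperty $lsa -Name 'RunAsPPL' -Value 1 -Type DWord
}

function Get-ScheduledTaskCreations {
    # 7a: event 4698 carries the whole task XML; pull out creator and command
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 200 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d    = ([xml]$_.ToXml()).Event.EventData.Data
        $task = [xml](($d | Where-Object Name -eq 'TaskContent').'#text')
        $exec = $task.Task.Actions.Exec
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Creator = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
            Task    = ($d | Where-Object Name -eq 'TaskName').'#text'
            Command = ("$($exec.Command) $($exec.Arguments)").Trim()
        }
      } |
      # script hosts, LOLBins, or binaries in user-writable paths deserve a look
      Where-Object { $_.Command -match 'powershell|wscript|cscript|mshta|regsvr32|rundll32|\\Users\\|\\Temp\\|\\ProgramData\\' }
}

function Get-RegistryRunEntries {
    # 6a: Autoruns-style dump of the common Run/RunOnce load points
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in ($keys | Where-Object { Test-Path $_ })) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

function Get-WmiSubscriptions {
    # 8: permanent WMI subscriptions. A CommandLineEventConsumer bound to a
    # filter on startup/logon events is the classic fileless persistence.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | Select-Object Name, Query
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer | Select-Object Name, CommandLineTemplate
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer
}

function Register-WmiSubscriptionWatch {
    # 8a: defensive subscription that warns when a new filter-to-consumer binding appears
    Register-CimIndicationEvent -Namespace 'root\subscription' -SourceIdentifier 'WmiBindingCreated' `
        -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA '__FilterToConsumerBinding'" `
        -Action { Write-Warning "New WMI binding: $($Event.SourceEventArgs.NewEvent.TargetInstance.Consumer)" }
}

function Set-FixedWmiPort {
    # 8b: pin remote WMI to TCP 24158 so it can be filtered, then allow it only
    # from the admin subnet; the profile's default inbound action (Block) drops the rest
    winmgmt /standalonehost
    Restart-Service winmgmt -Force
    New-NetFirewallRule -DisplayName 'WMI fixed port from admin subnet' -Direction Inbound `
        -Protocol TCP -LocalPort 24158 -RemoteAddress '10.10.0.0/24' -Action Allow | Out-Null
}

Get-ScheduledTaskCreations | Format-Table -AutoSize
Get-RegistryRunEntries | Format-Table -AutoSize
Get-WmiSubscriptions
```

Register-WmiSubscriptionWatch lives only as long as the PowerShell session that created it; for a host-wide control, forward the same condition to the SIEM (Sysmon events 19, 20 and 21 record WMI filter, consumer and binding creation) rather than relying on an interactive subscription.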


CONCLUSION

This has been a basic overview of the threat vectors and attack surfaces we may
encounter in our organization, and of how to build a defensive wall at a basic
level.

It will not make you 100% safe against all threats: new techniques keep
emerging, and new correlations of malware patterns arise. But we must at least
ensure that we are protected against the known patterns of cyber-attacks, based
on the recommendations above.

 * SOC Second Defense Phase – Understanding the Cyber Threat Profiles
 * SOC Third Defense Phase – Understanding Your Organization Assets
 * SOC Fourth Defense Phase – Importance of Cyber Threat Intelligence
