How to detect cyberattacks and prevent money theft

According to Positive Technologies, 42% of cyberattacks against companies are carried out with the aim of obtaining direct financial benefit. An attack can be detected at any of its stages, from penetration into the network to the moment when the attackers start withdrawing money. We analyze how to recognize intruders at each stage and minimize the risks.

Penetration into the company network

Phishing mailings

Most often, cybercriminals penetrate the local network by sending phishing emails with malicious attachments. According to our data, this is how 9 out of 10 APT groups start their attack.

In most cases, phishing emails carry a .doc, .docx, .xls or .xlsx document with one of several payload types: a VBA or Excel 4.0 macro, or an exploit for a vulnerability in a Microsoft Office component, for example CVE-2017-0199, CVE-2017-11882 or CVE-2018-0802.

Before a document is opened, it should first undergo static analysis, which may already show that the file is malicious. The most reliable approach is analysis of the code sections, where characteristic sequences of operations, encryption routines and other patterns can be identified.

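As an added illustration of the static triage step described above (this is example code written for this page, not a tool from Positive Technologies), the following Python script inspects an Office attachment without opening it. It distinguishes the legacy OLE2 container (.doc, .xls) from the OOXML zip container (.docx, .xlsx) and looks for the payload carriers named in the text: a VBA project part, Excel 4.0 macro sheets, embedded OLE objects, and relationship entries that point an OLE object at an external target. All sample files are constructed in memory; the `placeholder.invalid` URL and the `build_sample` helper are assumptions for the demonstration.

```python
"""Static triage of Office attachments before anyone opens them (illustrative helper)."""
import io
import re
import zipfile

# Magic bytes of the legacy OLE2 / Compound File Binary format (.doc, .xls)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage names that appear in legacy documents only when they carry VBA
# ("Macros" in Word, "_VBA_PROJECT_CUR" in Excel; the shorter prefix covers both)
OLE_VBA_MARKERS = ("_VBA_PROJECT", "Macros")

# Relationship type used by OOXML to reference an OLE object
OLE_REL_TYPE = b"/relationships/oleObject"


def _triage_ole(data: bytes) -> list:
    """Heuristic scan of a CFB file: directory entry names are stored as UTF-16LE,
    so a substring search finds VBA storages without a full compound-file parse."""
    findings = []
    for marker in OLE_VBA_MARKERS:
        if marker.encode("utf-16-le") in data:
            findings.append(f"VBA storage '{marker}' present in OLE2 container")
            break
    return findings


def _triage_ooxml(data: bytes) -> list:
    """Inspect the zip parts of a .docx/.xlsx/.docm/.xlsm without rendering it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for n in names:
            low = n.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(f"VBA project part: {n}")
            elif "/macrosheets/" in low:
                findings.append(f"Excel 4.0 macro sheet: {n}")
            elif "/embeddings/" in low:
                findings.append(f"embedded object to inspect further: {n}")
        # An oleObject relationship whose target is external means the document
        # will fetch content from outside the file when the object is activated
        for n in names:
            if not n.lower().endswith(".rels"):
                continue
            for m in re.finditer(rb"<Relationship\b[^>]*>", z.read(n)):
                tag = m.group(0)
                if OLE_REL_TYPE in tag and b'TargetMode="External"' in tag:
                    findings.append(f"external OLE object link in {n}")
    return findings


def triage_office_file(data: bytes) -> dict:
    """Classify the container and return the indicators found; an attachment that
    claims to be an Office file but is neither format is flagged for manual review."""
    if data.startswith(OLE_MAGIC):
        fmt, findings = "ole2", _triage_ole(data)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        fmt, findings = "ooxml", _triage_ooxml(data)
    else:
        fmt, findings = "unknown", ["not an OLE2 or OOXML container; inspect manually"]
    return {"format": fmt, "indicators": findings, "suspicious": bool(findings)}


def build_sample(macro: bool, remote_ole: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
        if macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
        if remote_ole:
            rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                        'officeDocument/2006/relationships/oleObject" '
                        'Target="http://placeholder.invalid/object" TargetMode="External"/>')
        z.writestr("word/_rels/document.xml.rels",
                   "<Relationships>" + "".join(rels) + "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False, False)),
                          ("macro+remote", build_sample(True, True))):
        print(label, triage_office_file(sample))
```

The check is deliberately format-level: it does not execute or de-obfuscate macro code, so a hit means "send this file to deeper code-section analysis", while a miss does not prove the file is safe. A real mail gateway would run this before the attachment reaches a mailbox.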
— , . , , . , CreateProcessA CreateProcessW, NtCreateUserProcess NtCreateProcessEx.

-

— - . , , , 86% -.

Windows ID 4688 Sysmon ID 1. , cmd.exe, w3wp.exe ( OWA). , , .

- , .asmx, .jsp, .php, .aspx .

(, Path Traversal) .

, . , , .

(Password Spraying)

— . , , — . Password Spraying — , .

Password Spraying . :

  • 4625 « » , , , , OWA;
  • 4771 « Kerberos» 06 « » 018 « »;
  • 4776 « » NTLM-, C0000064 « » C000006A « , ».

. . .

, , . , Password Spraying:

  • ( ) , ;
  • ( 5—10 ), .

, , . — .

Sysmon 12 « » 13 « » , .

Sysmon 11 « » C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp .lnk, .vbs, .js, .cmd, .com, .bat, .exe.

, . . , WINREG (Windows Remote Registry Protocol), HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

, SMB. , BAT- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp .

, , . , , . : , , ; , , , .

System Information Discovery PowerShell Windows, Sysmon. :

  • net.exe net1.exe config,
  • wmic.exe os, qfe, win32_quickfixengineering, win32_operatingsystem;
  • systeminfo.exe,
  • ipconfig.exe,
  • netstat.exe,
  • arp.exe,
  • reg.exe;
  • \Software\Microsoft\Windows\CurrentVersion;
  • PowerShell, WMI-, .

Permission Groups Discovery net.exe net1.exe localgroup, group /domain group /dom. 4688, Sysmon — 1.

. LDAP, SAMR. LDAP searchRequest filter.

( ) , Kerberos.

Kerberoasting

Kerberoasting , . Kerberos- , . , , .

TGS- ( 4769 « Kerberos»): IP-, , , IP- TGS- .

: RC4 — Kerberoasting.

Active Directory, . , , TGS- . , , LDAP servicePrincipalName .

SMB/Windows

, C$, ADMIN$, IPC$ . , .

, :

  • 4624 « »;
  • 5140 5145 – ;
  • 7045 « »;
  • 4688 « », — services.exe. smbexec , services.exe.

. SVCCTL .

, . , , KRBTGT. Kerberos- .

DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set.

4662 « » , 4624 « », .

-just-dc-user secretsdump DCSync . , .

Directory Replication Service (DRS) Remote Protocol, RPC-, — DRSUAPI RPC interface. DRSGetNCChanges, . , , DCSync.

KRBTGT, Kerberos , , . Golden Ticket

DOMAIN ACCOUNT ID:

  • 4624 « »;
  • 4634 « »;
  • 4672 « , ».

Golden Ticket : . : RC4, . , Golden Ticket TGT (Event ID 4769) .

Kerberos TGT . AS-REQ , AS-REP TGT. Golden Ticket TGT , AS-REQ/AS-REP, , . , .

, . RTM. , , . .

, VNC: TightVNC, UltraVNC, RealVNC, VNC Connect. , .

, .

(SetWindowsHookEx) (CreateCompatibleDC, CreateDIBSection, BitBlt, GetDIBits)
(SetWindowsHookEx) , (GetKeyboardState, SetKeyboardState, GetAsyncKeyState)
(GetCursorPos) (SetCursorPos) , (SetWindowsHookEx)
(GetClipboardData) (SetClipboardData) , SetClipboardViewer

RFB. , (5900-5906),

— . , , , . :

. , «» , .

«1c_to_kl.txt». , , RTM. CreateFileW WriteFile, 0x40 PAGE_EXECUTE_READWRITE VirtualProtect, .

, VirtualProtect PAGE_EXECUTE_READWRITE , CreateFileW WriteFile. SetWindowsHookExA.

. BlueNoroff, SWIFT Alliance, .

. VirtualProtectEx PAGE_EXECUTE_READWRITE , WriteProcessMemory .

: , Buhtrap ClipBanker Electrum Bitcoin. %appdata%\eLectrUm*\wAllEts\ %appdata%\BiTcOin\wAllEts\walLet.dAt.

. FindFirstFile FindNextFile. , CreateFileA, . , .

. , , , - . , , .