Lecture 08

00:10

[Music]

00:14

uh main thing that we want to do today

00:15

is how to map uh to uh ATD nck framework

00:20

from raw data uh so uh let's first

00:25

uh look at a few things but before that

00:30

uh let's do this

00:32

so use

00:35

m.com and with the code number 45

00:42

97457 and answer the

00:46

questions so which of the following is

00:48

not on sorry it should have been a

00:52

procedure for uh external remote service

00:56

we we talked about external remote

00:58

service last time

01:00

it's uh technique Number 1133 and you

01:03

have three choices one is uh stealing an

01:06

employees VPN credential and use that to

01:10

access the network second is compromise

01:14

a vulnerable web service to get a remote

01:17

shell

01:18

access and third is uh fishing followed

01:22

by a backd door uh infection to obtain

01:28

access okay okay so this is going good

01:32

few

01:33

more so stealing an employees VPN

01:37

credential and

01:38

access is an example of external remote

01:41

Service as a technique for initial

01:44

access right so we are talking about

01:46

initial access the second one you want

01:50

to compromise a vulnerable web service

01:54

to get a remote shell access this is

01:57

also an like last time we talked about

02:00

payroll service that was used to access

02:04

so this is kind of external remote

02:06

service but when you do fishing your

02:09

initial access is through fishing right

02:11

so it's initial access is not through

02:13

external remote Service uh you may use

02:17

external remote service later for uh

02:20

further access but your initial access

02:23

is already done so that is not an

02:26

external remote service

02:28

procedure uh

02:30

we talked about

02:32

sticks so what is sticks format used to

02:42

communicate okay so this is going

02:45

well all right so that's sticks is for

02:49

cyber threat intelligence and we'll

02:51

actually later in the course we'll

02:53

actually look at the sticks format in

02:55

detail you know how sticks files are

02:57

created for cyber threat intelligence

03:01

now an attacker uses command injection

03:04

to execute command on web server host

03:07

which tactic is

03:09

it is it initial access

03:12

reconnaissance

03:14

execution and

03:26

persistence so in this case it is

03:29

executing a command so it's an execution

03:32

but it may also be initial access

03:33

because that's probably how the uh

03:36

attacker got in to the system so but

03:40

execution is certainly uh the tactic so

03:43

certain Behavior can actually have

03:45

multiple tactics that's something you

03:47

have to look at they might combine two

03:50

tactics in one action right okay so you

03:55

observe that one of your devices is

03:57

establishing a TCP connection to a

03:59

suspicious IP what is the uh

04:09

tactic so if your device is establishing

04:12

TP connection to a suspicious

04:15

IP that means some

04:18

unwanted executable is already executing

04:21

inside your device

04:23

right so uh that

04:27

executable has executed but but we do

04:30

not know whether it has established

04:32

persistence because persistence means

04:34

that you establish yourself in such a

04:37

way so that binary will be executed no

04:39

matter whether you reboot your system or

04:41

not right so if you just uh execute once

04:46

doesn't mean that you are persistent if

04:48

you actually shut down your machine and

04:51

uh restart it may be gone right so it

04:55

depends on whether it's so from this

04:58

information we do not know whether

04:59

assistance has been established but we

05:01

know that it is communicating with some

05:05

Service uh somewhere which is a

05:08

suspicious IP probably there is a list

05:11

of there is a abuse ipdb database where

05:15

the uh where we can look and see whether

05:17

this IP has been listed as suspicious by

05:21

somebody uh then we will say that it's

05:23

command and control right okay this

05:27

should be happening but uh how do we

05:30

check if command and control connects

05:32

are connections are

05:44

happening okay so uh command and control

05:48

uh communication may use uh various uh

05:51

types of protocols right so if uh it is

05:56

using an HTTP protocol

05:59

then it is possible that the Comm

06:02

communication will be mediated by your

06:05

web server and maybe it will be in the

06:07

web server log but it is uh not uh

06:11

necessarily in the web server log

06:14

because you can actually have

06:15

application Level protocol that has been

06:19

spe specifically designed to communicate

06:22

with the uh command and control server

06:24

it could be a DNS uh it could be uh some

06:28

some other Direct TCP connection and all

06:31

kinds of stuff so so Network intrustion

06:34

detection is probably your best bet to

06:36

actually check whether command control

06:38

is happening if you are going to do host

06:42

intution detection in every

06:44

host then there is a likelihood that you

06:46

will also see it in the collective

06:48

collected logs of all hosts intuition

06:51

information at the uh host intuition uh

06:54

detection manager right but your best

06:57

bet is certainly a networking nutrition

07:00

detection so you monitor all the network

07:03

traffic

07:05

and you know whenever you see an IP

07:08

address you don't recognize you

07:10

automatically look it up from an abuse

07:13

IP database so that way you can actually

07:16

or URL uh you might have certain

07:18

algorithms for uh figuring out the URL

07:21

is suspicious so Network intution

07:24

detection is probably most likely place

07:27

where you will find this so when I say

07:30

persistence what kind of things you

07:32

think

07:40

about oh I think uh I have a Deja view

07:44

we already ask this question

07:53

before yeah so uh more or less uh it

07:56

gives some uh of this thing persist is

08:00

uh about ensuring that you uh the

08:04

executable stays irrespective of uh uh

08:08

you know reboot cycles and uh that most

08:12

of the time persistence is done through

08:14

uh writing the executable inside your uh

08:18

startup folder or uh you know inject

08:21

itself into a known process which is

08:24

always running uh so so this kind of

08:26

stuff or uh you know changing a registry

08:30

entry for auto run so there are several

08:33

ways to do persistence uh so that's uh

08:36

something the reason why I am asking

08:38

this is that uh see what happens is that

08:41

uh when you are taking a cyber security

08:44

course the goal of a cyber security

08:46

course is to actually transform the

08:48

person right the person who was not

08:52

worried about uh uh things that could

08:55

happen to their phones and their uh

08:57

desktops or their servers uh or their

08:59

Network their home

09:02

Wi-Fi they they start thinking about

09:04

those things right so you uh the idea is

09:06

to make you a little Ultra aware of

09:10

possible threats right so the word

09:13

persistence in general might mean many

09:16

things right so persistence that's why

09:17

some people wrote that Virat because uh

09:21

he got a lot of zeros and then he comes

09:24

back or whatever you may want to think

09:27

uh I don't like him so I don't know what

09:29

his persistence but but in any case uh

09:32

in real life persistence would mean

09:35

somebody who is uh not easily you know

09:38

stopped right like remains persistent

09:41

right it happens when we give grids uh

09:45

and then people come and be very

09:47

persistent that they need a higher grade

09:49

right so that is a real world use of uh

09:53

persistent but as cyber security

09:55

professional your uh uh view of

09:57

persistence would usually mean uh you

10:00

know something to do with uh you know

10:04

unwanted executables making itself

10:06

persistent on onto the system so that it

10:10

remains there sometimes it also evades

10:13

defense uh so it may turn out antivirus

10:17

it may actually uh hide itself inside a

10:20

dlll or some executable by injecting

10:23

itself inside executable so so there are

10:26

many ways that uh this kind of

10:28

persistence is uh made by by uh unwanted

10:32

executables but uh uh the idea is that

10:36

uh the uh most nation state attackers

10:40

their goal is not to make a spectacular

10:43

attack like the Russians did in case of

10:46

uh power cut in Ukraine right so that

10:50

that kind of attack usually become

10:53

spectacular but it is immediately

10:55

understood that there has been an attack

10:57

and and people will start removing all

11:00

the uh uh malware and and block all the

11:04

IPS and and and do their best to

11:06

actually stop that from happening again

11:09

the nation state attackers don't do that

11:12

very often they usually would do that if

11:14

there is a war or something but in

11:16

general they they want to remain

11:18

persistent so you will find that most

11:21

critical infrastructure in India

11:24

probably have persistent uh executables

11:27

from various countries and

11:29

unless they actually find these things

11:32

properly like our C ports or our power

11:35

system operators or uh Telecom operators

11:39

and so on if they're not doing their

11:40

cyber security properly they're probably

11:43

having this persistent uh uh agents who

11:46

are very very stealthy they communicate

11:49

to their command and control very uh

11:52

obscurely through very obscure uh

11:54

protocols and if there is no network

11:57

monitoring if there is no uh uh you know

12:00

endpoint monitoring Etc most people

12:03

wouldn't know that this is happening and

12:05

if this is happening the reason is that

12:08

at some point the command and control

12:10

will ask the uh agents that are sitting

12:13

in various places to actually do some

12:16

action right so that's the whole idea

12:18

that to position yourself so that uh you

12:21

can actually execute a command or series

12:24

of commands at the time when it is

12:26

required and usually this will be

12:28

required when when there is a real

12:31

conflict real war like Ukraine and and

12:33

Russia uh or what is happening between

12:36

hamus and Israel things like that that's

12:39

the that's the time when these things

12:42

happen so so uh and you might have read

12:45

that uh the Iranian uh gas stations were

12:50

attacked uh in large number recently and

12:53

that were probably be by Israel and uh

12:57

because Iranians are giving uh implicit

12:59

support to their opponents so they

13:02

actually had probably agents uh sitting

13:05

in those facilities and they basically

13:07

uh executed some commands so so this is

13:10

the uh idea of persistence so uh if you

13:14

are cyber security professional you have

13:16

to think in those terms rather than in

13:20

terms of regular everyday meaning of uh

13:24

persistence now uh the last question

13:27

what comes to your mind when you hear

13:28

res resource

13:44

development now this is

13:50

interesting Andhra

13:54

Pradesh fancy defense

14:00

oh somebody has given a very nice answer

14:02

adding

14:08

resources higher

14:11

experts okay so uh this one is uh

14:15

everybody seems to be spectacularly

14:17

wrong right so remember nobody has gone

14:22

back and went to the at and CK website I

14:25

think right so what is happening is that

14:28

um in CKC when we discuss cyber kill

14:31

chain we said that there are seven

14:33

stages first stage was reconnaissance

14:36

second stage was weaponization right now

14:41

in ATN CK we if we look at 12 tactics

14:45

that starts from initial access it

14:48

basically says what happens after

14:50

initial access right initial access then

14:52

execution then persistence and and

14:55

privilege escalation and so on right but

14:57

I said uh uh several times that there

15:01

are two more before them right one is

15:05

same as CC

15:07

reconnaissance and second one is same as

15:10

weaponization but they call it resource

15:13

development right so the attacker once

15:16

it does reconnaissance it figures out

15:19

that this is the weak spot which I have

15:22

to attack through right it could be a

15:24

weak uh employee who doesn't know about

15:26

fishing EML or it could be web server

15:30

that is uh that is that has

15:32

vulnerability uh or it could be a

15:35

another service that is running on a

15:38

particular port and we figured out that

15:40

it is running an unpatched version and

15:42

and therefore it has a remote code

15:45

execution so I'm going to use it but to

15:47

do all this I have to develop an exploit

15:49

right to do a fishing I have to write an

15:53

email which looks believable and then I

15:56

also have to either create a link which

15:59

will take him to a malware infested

16:01

website or I have to actually attach a

16:04

malware infested Word file or J file and

16:07

so on so this whole process of creating

16:11

this resources which we'll use for

16:14

attacking uh the the the doing the

16:17

initial access what is called resource

16:19

development or in case you are going to

16:22

exploit you know internet facing service

16:24

you have to design the payload you have

16:26

to design the exploit right so all these

16:29

things are in CKC we call weaponization

16:31

in here we are calling it resource

16:34

development right that's a terminology

16:36

difference so the right answer here

16:39

would have been weaponization right but

16:42

but you are still thinking in the from

16:44

the defender's point of view so all

16:46

these answers here is actually from a

16:48

defender's point of view the defender is

16:50

uh doing hardening uh Defender is doing

16:53

sustenance Defender is creating

16:55

reliability Defender is upgrading the

16:57

system taking backups so you're are

17:00

thinking in terms of uh Defender but

17:03

atnc is about the offender right so the

17:07

person who is attacking them we're

17:09

trying to understand what all he

17:11

does so we have to accordingly fill our

17:16

mind from an attacker's perspective

17:18

right so that's why most cyber Security

17:22

Professionals are in some sense

17:24

schizophrenic they have to always think

17:26

in terms of attacker and then they have

17:28

to think how I can defend against that

17:30

attack right if you cannot imagine what

17:32

the attacker would do or then you cannot

17:35

defend yourself right so that's a basic

17:37

idea okay so that's about this uh these

17:42

questions now I want to uh before I go

17:45

into the raw data uh aspects I want to

17:48

just go back and see where we uh left

17:51

off so we actually did the uh we

17:55

actually figured out the verbs in the

17:57

report uh uh then uh we tried to figure

18:00

out the behavior we did research the

18:03

behavior from attn C website and maybe

18:07

other resources on the Internet or books

18:10

or whatever you reference then we assign

18:13

to each Behavior what tactic it might be

18:16

and if I figure out the tactic well then

18:19

I can also try to figure out what

18:22

technique is being used and then I have

18:26

a whole mapping of the TAC and

18:29

techniques now the question is that uh

18:33

what this is going to uh uh so then we

18:37

said that uh there is an

18:39

exercise uh here uh which is called uh

18:44

the Cobalt Kitty

18:46

report and you can go to this

18:50

place so let

18:52

me let me show you where it is

19:15

so here if you go to this uh ATN c

19:19

training and if you go to this uh

19:29

mapping from finished reporting so this

19:31

is the Cobalt Kitty report right and

19:35

this is a uh highlights only version of

19:38

the report which

19:41

basically has all the highlights but you

19:43

have to go through this to figure

19:47

out what tactics and what techniques is

19:50

this so here you do not have to like say

19:53

okay I'm I'm what am I looking for am I

19:56

looking for the verbs and all stuff this

19:59

report is already

20:02

prefilled with uh the places where you

20:04

need to find the tactics and techniques

20:07

right so this is uh the uh one

20:10

version so this will help you to uh go

20:14

through this uh in a you know much

20:16

faster manner than if you have to

20:18

actually go through the entire report by

20:20

yourself and figure out where the

20:23

behaviors fragments are and what to do

20:25

with this behavior and so on and this

20:28

report already has a lot of things that

20:31

that are already explained in terms of

20:34

uh the things that you want to find for

20:37

example here is a section called C2

20:39

communication so you can figure out that

20:42

most of the things tactics here would be

20:44

about C2C command and control

20:46

communication right it might probably

20:49

have the internal reconnaissance right

20:52

now what is internal reconnaissance so

20:55

from the uh locked Martin kchain you

20:57

might get an idea that reconnaissance

20:59

happens first then weapon once you find

21:03

where to attack you find do the

21:04

weaponization once you do that you know

21:07

you come inside and you do initial

21:09

access Etc

21:10

right but many times once the malware is

21:13

inside it will again scan it has a it

21:16

has the code for scanning it will scan

21:19

the network and figure out uh you know

21:22

which network is running what open ports

21:25

internal open ports and so on right so

21:28

there could be reconnaissance again

21:30

right and that is the reason why at C is

21:33

not a sequence like CC cc is a sequence

21:37

at CK is a set of tactics which can

21:40

happen multiple times in a kilch in an

21:42

attack analysis right so internal

21:44

reconnaissance that's talking about so

21:46

this will give you also additional hints

21:49

as to what are the different uh tactics

21:52

and techniques could be because the

21:55

headings the lateral movement right so

21:56

it is already telling you that here are

21:58

discussing how the uh the uh malware

22:02

moved literally uh they Ed this mimicat

22:05

to they do probably uh see they do uh

22:08

credential dumping right so so these are

22:11

the kind of things that happened here

22:13

right but the point is that if you do

22:16

this at home uh you know you will get

22:20

some um understanding of how this is

22:23

done right now there is another version

22:26

here uh let me go go back there is

22:30

another version of the same thing which

22:33

is called tactic hints so it's the same

22:36

document but now the tactics are already

22:39

given you have to just find the

22:41

techniques so you might actually first

22:44

try the one without no without any hints

22:46

only highlights then you try with t if

22:51

you do well when in that then you are

22:54

you are already you know have gotten a

22:56

good understanding if you do not then

22:59

you actually use the one with the tactic

23:02

hints already there right so and then

23:04

you try these uh and

23:12

then and here at the answers uh do not

23:16

look at the

23:18

answers uh see here all this uh not only

23:23

the um tactic but the techniques are

23:25

also listed so this is the answer for

23:29

this

23:30

one now uh you can

23:33

also look at the original report so if

23:36

you're if you want to take a challenge

23:38

you do not use either the highlights or

23:41

the

23:42

hints uh tactic hints and do not look at

23:45

the answers and try this on the raw

23:48

report if you can do it on the raw

23:51

report and then you go and match it

23:52

against what is the answer uh uh key

23:55

then you will probably feel much more

23:57

comfortable uh that you can do this in

24:00

the exam or in the homework right uh so

24:04

that is the reason why I want you to do

24:06

this uh you know uh it's not a formal

24:09

homework but if you do not do this right

24:12

now you will have a problem later

24:14

because you will have to do this in

24:16

homework it may some fragments of this

24:19

could be in the exam and then uh if you

24:21

try to learn this in the at the uh you

24:24

know this is these things require time

24:26

right these things do not happen like I

24:28

just go and and you know somebody might

24:30

be uh uh very good at this thing

24:33

somebody might be uh might have to do a

24:36

little bit struggle uh look up the uh

24:39

website to figure out what techniques

24:41

are there for each tactic for the

24:43

tactics that they identify so it might

24:46

take some time but eventually if you try

24:48

hard uh you will get there right now so

24:53

that is uh something I wanted you to uh

24:56

do and uh if you look at this uh the

25:00

cobal kitty report once you do

25:03

that and you have now your groups and

25:07

this inside the group you do this and

25:09

then you discuss and see how what are

25:12

the differences uh in terms of groups

25:14

somebody came to me and said uh we want

25:17

to have my wing Mets in the group and uh

25:22

I have in intentionally asked students

25:25

to not choose the groups because what

25:28

happens in group projects is that

25:31

students uh like if there are three

25:33

people one or two will work the other

25:36

guy will be a Freel loader but if

25:38

they're Wing Mets they will never say

25:40

that this guy is a free loader but if

25:42

they don't know the guy very well they

25:44

will come and tell us that this guy is a

25:46

freeloader and then we'll you know

25:48

disting differentiate between them right

25:52

so this is uh done intentionally so uh

25:55

you might uh the other thing is that you

25:58

know when you go out in the real world

26:00

you will not find your wing Mets in your

26:02

projects right it's highly unlikely uh

26:06

so

26:07

uh you have to learn to diversify and

26:10

work with uh people who you uh know only

26:13

professionally right this these are the

26:16

some of the

26:17

things

26:19

uh now uh uh so comparison wise so you

26:23

will you know if you do it from the from

26:25

the hinted report then it is unlikely

26:28

that you will be very different right

26:30

because you are actually filling in the

26:32

same boxes if you do it from the raw

26:34

report it might you two of you might

26:36

have a very different sets of uh uh

26:39

things not not necessarily uh you know

26:43

uh uh either of you are wrong you might

26:46

be mistaken about something or you might

26:49

miss might have missed some behavior

26:51

that can happen so uh but it is worth a

26:55

try and if you do not try and do it

26:57

first time in the exam it's unlikely

26:59

that you will do very

27:02

well now in the Cobalt Kitty

27:06

report uh there are actually uh I would

27:10

say uh how many

27:14

uh so

27:16

22 techniques have been used right at

27:19

least according to their analysis so 22

27:22

techniques you have to identify from

27:24

that report and if you do that uh you

27:27

will be in better

27:30

shape so you can also uh there in that

27:34

same place in the same

27:36

website you have uh more uh such

27:41

reports and in the next homework what

27:43

we'll do is that will give you 31

27:48

reports each group has one report and

27:52

each group has to do the mapping and

27:55

there will be no uh highlights or hints

27:59

right and uh our ts are pretty ruthless

28:04

so you better do work on

28:07

that so I think uh I have given uh

28:11

enough hints about the next homework now

28:13

let's go to the next uh sub uh sub

28:17

module which is mapping atck from raw

28:22

data if you are trate Intel analysts in

28:25

a company it is likely that nobody is

28:28

going to give you a finished report when

28:30

an incident happens

28:33

right uh when an incident happens you do

28:36

forensics you go and look at various

28:39

places like you look at the logs you

28:41

look at the network uh packet Trace uh

28:44

at the time when incident happened you

28:46

look at firewall logs you look at wave

28:47

server log you look at uh look for newly

28:51

created binaries at the at the end

28:53

points and so on and you collect them

28:56

and then you are asked to do a root

28:58

cause

28:59

analysis and uh uh and then you have to

29:03

actually uh uh explain it in terms of

29:06

ATN

29:08

CK uh the reason why uh now now you

29:11

might ask me that uh well then why are

29:14

you ask why are you teaching us about

29:16

how to map it from finished report

29:19

because in my job I may not get a

29:21

finished report uh because I the one who

29:23

will actually do the finished report

29:25

right so how how can I get a finished

29:27

report

29:28

so the reason is

29:30

that you do not become uh thread Intel

29:33

analyst uh overnight right you have to

29:37

understand uh what the attackers do now

29:40

when you read the in theory that there

29:41

are like all this 14 tactics there are

29:44

these these techniques and so on that is

29:47

one thing and actually reading a good

29:50

threat Intel report from uh from firey

29:54

mandiant uh Microsoft uh Etc is another

29:58

thing right so so you they do a very

30:00

thorough

30:01

analysis now you know that eventually

30:04

you have to do the attc mapping from

30:06

your raw data but by doing this uh you

30:11

know conversion you actually can uh get

30:15

a lot of uh learning about how this uh

30:19

you know uh tactics and techniques are

30:22

used for attacks but there is another

30:25

reason so uh if you have uh if you have

30:29

thousands of this kind of

30:31

reports and you want to create a

30:34

database of tactics and techniques used

30:37

by various AP

30:40

groups now why do I want to create a

30:42

such a

30:45

database what is what good is such a

30:50

database so I have like uh let's say I I

30:54

take 20 attacks from

30:56

ap28 and I map them to uh uh you know

31:00

tactics techniques and procedures I take

31:03

uh 15 attacks from ap3 I map them so I

31:07

have a database AP groups what what

31:12

attacks they use and in what Manner like

31:15

in what sequence and so on so forth

31:18

right so what what comes to your mind uh

31:22

what can I do with such a

31:24

data such data

31:34

so I can actually uh try to

31:38

learn with machine learning

31:41

right how to distinguish between various

31:44

uh attack groups right because

31:48

eventually uh I want to know whether the

31:51

attack that I just just had is from a

31:55

nation state attacker or some Hobby

31:57

haacker

31:58

second thing I want to know is that if

32:00

it is a nation state hacker which one it

32:01

is

32:03

right so uh to do that this process is

32:06

called attribution EP attribution so you

32:09

want to know which AP it is so I may

32:13

want to create this uh

32:16

database and uh that um database can be

32:20

used for uh learning this so one of my

32:23

PhD student has done this right so uh

32:27

and what is the uh what is the accuracy

32:30

we are

32:32

getting yeah so uh so uh in her uh work

32:37

she also used natural language

32:40

processing to actually use this reports

32:43

to extract the mapping automatically so

32:47

you do not have to do it you know by uh

32:51

you know manually reading everything

32:53

does it work for all

32:55

reports yeah so so these are the kind of

32:58

things that uh you know are happening

33:01

but in any case coming back to the raw

33:03

data so uh so most of the time you will

33:06

be facing raw

33:09

data uh so uh now uh this uh uh data is

33:16

uh requires you to understand some

33:20

technology uh commands and so on right

33:23

so you need a much more knowledge and

33:26

expertise to interpret the raw data as

33:29

Behavior than uh finished reports so

33:33

you'll you'll see what you are given are

33:36

what kind of shell commands have been

33:37

used what kind of malware has been used

33:40

what kind of uh they might give you a

33:42

forensic dis image and you have to uh

33:44

use a forensic analysis tool to find

33:49

reconstruct what happened before what

33:51

you might get some packet uh information

33:54

and so on so process of mapping here

33:58

is you have to understand uh of course

34:01

ATN CK now from whatever you are given

34:05

or whatever your forensic people G give

34:08

you you find a

34:10

behavior then again you have to research

34:13

the behavior then you have to translate

34:15

the behavior into tactic and then uh

34:18

figure out what technique happened and

34:20

compare your results with the other

34:22

analysts like before so here is an

34:26

example of what the uh forensic people

34:29

found after an attack so they found that

34:32

the attacker used these commands so

34:35

first he use an IP config

34:37

command then he uses uh uh SC uh command

34:42

in Windows then he found that there is

34:45

some uh two-way

34:49

interaction between an external IP

34:51

address and internal IP address like uh

34:56

10.2.3 44 and whatever this 128 29

35:01

324 and in this machine like uh

35:05

128 29 you are accessing the port

35:09

443 443 is a port for https protocol

35:14

right and then you see that in the

35:16

registry keys in Windows when you to

35:19

take a registry dump you find that uh

35:22

that there is some new entries in the

35:25

registry so these are the

35:28

things that are given uh to you by you

35:31

are a threat Intel analyst and the

35:33

forensic guy is giving you information

35:36

this this may not be all the information

35:37

we are just showing a fragment of what

35:40

is given to you just to show you the

35:42

kind of work you have to do to interpret

35:46

this so ip config ip config you all know

35:50

right you want to look at the uh uh Mac

35:54

addresses and IP addresses the uh all

35:56

this information but this is somebody

35:59

who is doing it inside right not out

36:01

from outside you cannot do it from

36:03

outside so you are you're already inside

36:05

the uh system in inside the network and

36:08

you have uh as malware or remote shell

36:12

uh it might be a remote shell or it

36:14

might be a

36:15

malware uh somebody is doing ip config

36:18

uh to figure out uh the various

36:21

interfaces network

36:22

interfaces AC is a command for creating

36:26

Services service create um command in

36:30

Windows and you can also query and other

36:32

stuff in but in the what we saw there it

36:35

was trying to create a service in the

36:37

the command that we saw it was trying to

36:39

create service so we have to now figure

36:41

out what service it was trying to create

36:44

but we'll get there but SC is the

36:46

command now as as a threat Intel analyst

36:49

you have to know this right or you have

36:50

to research well what is SC command for

36:53

right so here is uh you know how the SC

36:56

command is used you have to basically uh

36:58

say uh a particular you know computer uh

37:03

name uh then you have to do create then

37:05

you have to say which binary has to run

37:09

right when you create the service so it

37:11

will tell you like if you try like AC

37:14

your computer name and create then it

37:17

will ask you like you know you you

37:19

haven't completed you have to give me

37:21

the binary path and things like that

37:24

right so the analyst is now as a

37:27

straight analy list you actually have to

37:30

get a little bit of expertise on many

37:32

things like network uh interpret network

37:36

uh packet traces some forensics uh

37:39

something about what malware are all

37:42

about uh what how they work and things

37:44

like that how to how to analyze a

37:46

malware uh command line uh what are the

37:49

different uh command line you know

37:52

commands in command line executables in

37:54

Windows or whatever the machine is uh it

37:57

may actually have uh multiple uh data

38:01

sources from which it has to figure out

38:04

so the first thing is that if you do not

38:06

know what ip config all is or you want

38:09

to see whether there is a tactic related

38:12

to this command you go to atck and

38:15

search ip config for all and you are

38:18

getting this system network

38:21

configuration Discovery right so this is

38:24

the uh technique that is uh coming up

38:28

and it is also showing you examples of

38:30

various attack groups that have used

38:33

this kind of a uh command so they're

38:36

trying to discover the network

38:38

configuration of the system on which

38:41

they are uh there why they want to know

38:45

the system configuration because they

38:46

want to know which interfaces are

38:48

connected to let's say w Lan or uh some

38:52

other uh wired Lan or Wi-Fi Lan and and

38:55

they might want to use it for doing

38:58

literal movement Etc so here the next

39:02

thing that we saw is that in the SC

39:05

command they gave a binary a path to a

39:08

binary this is recycler

39:10

exe and then it is saying that you know

39:13

for this command here are the flags and

39:16

here are the inputs there are some input

39:19

you know directory or input files uh and

39:23

there is something called uh they're

39:25

talking about a vsdx file

39:28

so you are confused right recycler is

39:31

supposed to be a benign program right so

39:34

why would they want to create a recycler

39:36

service if you are malicious so you

39:40

actually say okay uh let's see if the

39:43

this recycler uh exe binary is already

39:48

in this machine the the compromise

39:50

machine and you run

39:52

it when you run

39:55

it you see that it is not the recycler

39:58

it's a renamed executable it is actually

40:00

the

40:01

RAR binary right RAR is for compression

40:06

and encryption of files right so so

40:09

somebody for defense evation somebody

40:11

has renamed this executable to avoid

40:14

suspicion right so you figure out that

40:17

based of the analysis now we can Google

40:20

the flags the flags for RAR not for

40:23

Recycler these flags are for the RAR and

40:27

determine that uh that it is being used

40:29

to compress and encrypt the file so

40:32

whatever is the this input file here

40:35

this is being compressed and

40:38

encrypted okay so we figure out now we

40:42

figure out what is this file and then

40:44

you do a Google Search and you find that

40:47

vsdx is actually a Vio uh Microsoft Vio

40:51

file but doesn't mean that it has to be

40:54

a viso you can you can re rename any

40:56

file with any

40:58

uh any kind of uh you know suffix right

41:01

it's just that uh when you try to load

41:04

that in Visio you might get an error

41:06

that this is not according to format you

41:09

can take an executable file and call it

41:11

PDF right so it's obvious so so what is

41:14

uh what we find is from this we are

41:17

figuring out that a file is being

41:20

compressed and encrypted and it might be

41:23

a v diagram but uh it is probably

41:27

in the name of a v it is probably

41:29

exfiltrating some data when do you

41:32

compress and encrypt a files you want to

41:37

do something with the file right I mean

41:38

you are not just trying to encrypt and

41:40

compress unless you are a ransomware

41:42

attacker in that case you will encrypt

41:44

everything right but here they're

41:46

encrypting and compressing one file

41:48

which means this file probably has some

41:50

intelligence some information that they

41:53

want to send to command and control

41:56

server and compression is required

41:59

because you want to flow below the radar

42:01

if you start sending gigabytes of uh

42:04

files somebody will notice right some

42:07

firewall alarm will go off or some

42:09

intution detection will go off but if it

42:11

is a small few uh kilobytes or you know

42:14

small low megabytes file it can go like

42:18

a regular email and everything right so

42:20

nobody will get suspicious it will not

42:23

be considered an anomaly so we find that

42:26

uh that through ip config what they were

42:29

trying to do is system network

42:32

configuration

42:34

Discovery so this is in the discovery

42:36

tactic so one of the tactics out of the

42:40

14 tactics is called Discovery because

42:43

most attacker when they first make their

42:45

foothold in the system in one of the

42:47

devices they try to figure out they do

42:50

internal reconnaissance or something to

42:52

figure out where I am what is the

42:54

structure you know what is this machine

42:56

connected to

42:57

and and figure out whether I am actually

43:00

running as root all this stuff is about

43:03

Discovery

43:04

right so so one tactic here is

43:08

Discovery and also it is being run

43:12

therefore it is also execution right

43:14

although this is a benign binary ip

43:17

config is a benign program but at least

43:19

it is being executed on behalf of a

43:22

malicious uh malicious actor so so it's

43:27

a part of an attack tactic so it will

43:29

also fall under

43:32

execution now here we found that uh in

43:35

this uh larger SC uh you know service

43:38

create command we figured out that vsx

43:42

is vco so moderate confidence that this

43:45

is

43:46

exfiltration because we are trying to

43:48

compress and encrypt the file it is

43:50

likely to be com compression uh likely

43:53

to be exfiltration and then it is being

43:57

seen to run by a cismon which is

44:01

basically execution right so so this is

44:04

how we are mapping the

44:07

tactics so here you see that we are

44:09

actually

44:10

going uh more from technique to uh

44:13

tactic rather than tactic in the other

44:15

one we went from tactic to technique

44:17

here since we are looking at the

44:19

commands it's likely that we'll we'll

44:21

find the technique first and then we'll

44:23

find the tactic okay so we have it's

44:27

time so we'll get from here in the next

44:30

class uh uh because uh uh this will take

44:34

some time about discussing about the

44:37

techniques and concurrent techniques and

44:39

so on but you start getting the idea

44:42

right so you I think you should you

44:44

should by now have a good idea about how

44:46

to uh do this from uh finished reports

44:50

and you are starting to get some idea

44:52

about how to do it in with raw data so

44:55

by the by the time uh we are uh here uh

44:59

next week we'll actually uh do more on

45:02

the raw data okay

45:05

[Music]

45:20

[Music]

45:25

[Music]