![]() ![]() Masquerading: Match Legitimate Name or Location ( T1036.005 ): Execute an AttackIQ executable using the name of a legitimate Microsoft application.Īfter the malware is executed the first time, persistence is set up using a Scheduled Task with the name “Local Session Updater.” The final payload is decrypted from the trojanized tool and communication is established with the command-and-control server over port 443. Ingress Tool Transfer ( T1105 ): Download and save the original samples of the actor’s trojanized executables. ![]() Once initial access is achieved, the actor’s trojanized Sysinternals tools are saved to disk and executed using the tool’s legitimate filenames. This first Attack Graph starts immediately after Log4Shell exploitation and initial access by the adversary. Continuously validate detection and prevention pipelines beyond the Log4Shell exploit as actors will swap initial access methods but still perform similar behaviors post compromise.Īttack Graph – Log4Shell Exploitation leads to Scheduled Task Persistence and Reconnaissance – Victim 1.Assess the security posture of common living off the land discovery techniques that adversaries use to blend in with administrative activity.Evaluate security control performance against multiple paths the same actor may take after their initial compromise. ![]() By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to: Validating your security program performance against these specific threat actor behaviors is paramount in reducing risk. The security alert identified two separate victims who were both compromised by the same initial infection vector but observed different methods of persistence and lateral movement. This added content not only seeks to validate signature-based protection but also recreates the actions taken by the adversary to validate our customers’ security posture against anomalous behavior including malicious network activity. Today we follow that release with two new full-featured attack graphs that emulate the initial post-compromise behaviors used by those threat actors. Late last week we published a blog post that announced new malware-based scenarios associated with nation-state adversaries that are actively exploiting the Log4Shell vulnerability in VMware Horizon systems as reported in US-CERT Alert AA22-174A. Sectors Targeted: Defense Industrial Base, Financial Services, Education, Hospitality Adversary Emulation Attack Graph Response to US-CERT Alert (AA22-174A): Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems Published June 28, 2022ĪttackIQ has released two new fully featured attack graphs emulating the tactics, techniques, and procedures (TTPs) used by likely nation-state adversaries that continue exploiting the Log4Shell vulnerability in VMware Horizon Systems. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |