Analysis on legit tools abused in human-operated ransomware
SANS Ransomware Summit 2023
Speakers:
Toru Yamashige, Senior Incident Response Consultant, Trend Micro Inc.
Keisuke Tanaka, Principal Incident Response Consultant, Trend Micro Inc.
As the detection logic of AV vendors improves, threat actors employ countermeasures to evade it. One of the most common ways in which threat actors hide from detection and carry out their malicious activities is by abusing legitimate tools. We believe that "legitimate tools" can be classified into the three categories below, with a marked increase in the number of cases in which "commercial tools" are being abused:

- MS native tools, such as PsExec, PowerShell, and WMI.
- Legitimate penetration testing tools, including Cobalt Strike, Metasploit, and Mimikatz.
- Commercial tools, such as Atera, AnyDesk, and Splashtop.

Regarding MS native tools, techniques such as LOLBAS and LOLBins are well researched, and AV vendors are making efforts to detect penetration testing tools. We feel that threat actors are likely to abuse commercial tools these days, as the tools are highly functional and commonly used in corporate operations. There is, however, little research on the exact functionality of these tools, the traces they leave behind when abused, and countermeasures to prevent such abuse. Therefore, in this presentation we focus on actual incident cases in which commercial tools were abused and explain the details from the following three angles:

Chapter 1: Introducing actual incident response cases we have supported in which commercial tools were abused, and describing the tools' functionality.

Chapter 2: Explaining the traces and artifacts left behind when the tools are abused in an attack, so that the audience can use this information in their own incident response investigations.

Chapter 3: Describing effective countermeasures against attacks that abuse these tools, useful both for containment during incident response and for consideration during normal operations.
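One countermeasure the abstract points toward (Chapter 3) is treating remote-management tools as an allowlisted category: a host should run only the RMM product the organisation sanctions, installed where the sanctioned deployment puts it, and a second RMM tool appearing beside it is a finding. The following is an added example of that check, written for this page and not code from the talk or from Trend Micro. It runs over a constructed host inventory; the service names, binary names, and paths in the sample records are illustrative assumptions, not a verified artifact list for Atera, AnyDesk, or Splashtop, and the vendor-keyword matching is a simplification.

```python
"""Flag remote-management (RMM) tools in a host inventory that are not on the
organisation's allowlist.

Added illustration for the talk abstract; not code from the talk or from
Trend Micro. The inventory records below are constructed, and the service
names, binary names and paths in them are illustrative assumptions, not a
verified artifact list for these products.
"""

import re
from dataclasses import dataclass
from typing import Optional

# The commercial tools the abstract names, matched by vendor keyword in the
# service/process name or binary path (a simplifying assumption of this example).
RMM_PATTERNS = {
    "Atera": re.compile(r"atera", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Splashtop": re.compile(r"splashtop", re.I),
}

# Heuristic: a sanctioned enterprise deployment normally lives under
# Program Files; a copy running from a user-writable location is suspicious.
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


@dataclass(frozen=True)
class HostRecord:
    host: str
    kind: str  # "service" or "process"
    name: str
    path: str


# Constructed sample inventory (not real collection data; paths are assumed).
SAMPLE_INVENTORY = [
    HostRecord("WS01", "service", "Splashtop Remote Service",
               r"C:\Program Files (x86)\Splashtop\SRServer.exe"),
    HostRecord("WS01", "process", "explorer.exe", r"C:\Windows\explorer.exe"),
    HostRecord("WS02", "service", "Splashtop Remote Service",
               r"C:\Program Files (x86)\Splashtop\SRServer.exe"),
    HostRecord("WS02", "process", "AnyDesk.exe",
               r"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe"),
    HostRecord("SRV01", "service", "AteraAgent",
               r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
]


def identify_rmm(record: HostRecord) -> Optional[str]:
    """Return the RMM vendor a record belongs to, or None if it is not one."""
    haystack = f"{record.name} {record.path}"
    for vendor, pattern in RMM_PATTERNS.items():
        if pattern.search(haystack):
            return vendor
    return None


def find_unsanctioned(inventory, allowlist):
    """Map host -> list of (vendor, reason) for RMM tools that should not be there.

    A tool is flagged when its vendor is not on the allowlist, or when an
    allowlisted vendor runs from a user-writable path (a copy installed
    outside the sanctioned deployment).
    """
    findings = {}
    for rec in inventory:
        vendor = identify_rmm(rec)
        if vendor is None:
            continue
        if vendor not in allowlist:
            reason = f"not allowlisted ({rec.kind} {rec.name!r})"
        elif USER_WRITABLE.search(rec.path):
            reason = f"allowlisted vendor but user-writable path {rec.path!r}"
        else:
            continue
        findings.setdefault(rec.host, []).append((vendor, reason))
    return findings


def hosts_with_multiple_rmm(inventory):
    """Hosts running more than one RMM vendor: a second remote-access tool
    next to the sanctioned one is a common sign of an intruder's own access."""
    seen = {}
    for rec in inventory:
        vendor = identify_rmm(rec)
        if vendor:
            seen.setdefault(rec.host, set()).add(vendor)
    return {host: vendors for host, vendors in seen.items() if len(vendors) > 1}


if __name__ == "__main__":
    allow = {"Splashtop"}  # assumption: the organisation's sanctioned RMM tool
    for host, items in find_unsanctioned(SAMPLE_INVENTORY, allow).items():
        for vendor, reason in items:
            print(f"{host}: {vendor}: {reason}")
    for host, vendors in hosts_with_multiple_rmm(SAMPLE_INVENTORY).items():
        print(f"{host}: multiple RMM vendors present: {sorted(vendors)}")
```

In a real engagement the inventory would come from a service and process export or EDR telemetry, and the keyword match should be replaced by the concrete service names, install paths and log locations of each product, which is the artifact material the talk's Chapter 2 covers. The two checks are independent: the allowlist catches a tool the organisation never deployed, while the user-writable-path and multiple-vendor checks catch an attacker bringing their own copy of a product the organisation does use.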