Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Scenario

In this training scenario, we will execute a piece of “stealer” malware in order to perform the first stage of an attack, credential theft. Unlike the RAT scenario, this one does not use the same behaviors as ransomware. Instead, this is a part of Cyber Crucible’s growing identity protection capabilities.

Often before an extortion even occurs, the first steps an attacker will do are to worm around the network and gain access to as many credentials as possible. In some cases this is an AD username/password combo, in other cases they are API keys grabbed out of browser sessions.

Identifying it

For now, lets dig in to some of what abnormal access looks like to the admin.

Identity data accesses are very cut and dry, if the admins don’t recognize a program, it shouldn’t be accessing that data! This immediately stands out as something suspicious going on.

What’s the flip side of this the attacker sees? Plaintext!

These responses are not responses like traditional data extortion events, so they are not actions of automated suspension. Instead, they are more like process injections, where Cyber Crucible did not stand in the way. As our analytics have been growing out, we have learned what “normal” access to identity stores look like for various types of applications. By 2023 we will enable our proteciton feature, which will restrict access, at the kernel level, to various forms of identity databases and only allow the associated software to access them.

Relevant documentation

  • No labels