You can come as close to the front as possible, cuz this will make the experience much more better for you. It's almost like an interactive reality show. The more close you are, the more experience you get this session is really, I think it's really important for you to start understanding the techniques that attackers use and to do that. I'm gonna take you through the journey of a real world ransomware attack that actually happened to an organization and they have given me permission on their behalf to come and tell you their story. And very rarely do you get organizations that's actually willing to share their story because most people don't want to tell you they become a victim. They want to hide it. They want to cover it up. They wanna get back to business and they don't want people to know that they've been a victim.
So they're been able to allow me to take you through their journey and I'm gonna share with you. I'm actually gonna take you through a almost exact replica of the attack techniques that the actual criminals used to gain access to their networks, to move around, to do reconnaissance and to elevate up to full privileges. And it's almost the every time I see an instant response, it's almost the exact same basically techniques, how they get in usually varies a little bit and how they get in that door, how they get the initial access or the credentials. Sometimes you take a little bit different paths, but once they're on their network, it's almost basically just like a playbook that they follow. So it's really important for you to understand those techniques. And I've got a live demo here. I hope it works. You never know demo demo gods, please be kind to me today.
So let me take us through that journey. So as mentioned under chief security scientist, a lot of my work is doing research and helping organizations to understand about how to actually defend and put the right strategies in place, how to reduce the risk, cuz ultimately that's our goal is reducing the risk and helping organizations become resilient and helping them actually be able to make security, become usable, help it become an innovation or enabler for the business. So let's go ahead and started to start with, I've got a bit of slides here just to give you a bit of context, just to get you into the, what was happening at the time, what was the thought process? And then what I'll do is I'll put on the, the bad guy or person hat, whoever it was. I don't know if it's male or female, honestly, I don't know the attacker gender or I do have ideas about their origin, but we'll leave it at that.
So I'm gonna put my head on at that point and then I'll take you through that mindset side. So let's go ahead and get started. So first of all, who is this type of session intended for? It's really helped people. Who's actually really in it. You might be in penetration testing and you might be understanding about how you can actually better test organization security. You might be in response. You might be there to respond to incidents and you want to be able to make sure that you're actually better prepared in order to do investigations. You might be an it or system administrator who's responsible for managing that infrastructure. And you wanna make sure that you're not doing misconfigurations or mistakes that might make it easy for attackers to gain access. You might be in security thinking about best practices and policies about what you can do to better make your organization's resilience.
You might be in it auditing, or it might be just like me. I love technology. So I just love being hands on and technology and sharing ideas and getting into the research. Also, I wanna make sure that this is actually understanding that this is an ethical way. That's what difference sees myself while I'm primarily a security researcher. And I do a lot of research. I am an ethical hacker and the reason I always put ethical in front of it, cuz sometimes it's misleading when use the term hacker is most hackers out, there are good people doing their work for good. And there's a few out there that actually do it criminal wise. So important part here is that what I'm gonna be sharing with you is real techniques. I actually will be sharing with you. The real scripts. The attackers use the exact same ones.
I have modified them slightly in order to make sure that, of course it doesn't reveal anything sensitive. The passwords that I use in this session have also been changed and simplified than the ones that was used in the victim, but make sure, have you ever gone to repeat this? Always do it with authorization, always the intention. My goal is always to do no harm. It's always follow the law cuz every country can have different laws. So you always wanna make sure you stay by the law. And also I want to educate you. I wanna share this knowledge with you. So to help, you know, the reason why I've been given permission to do this is so that other organizations won't be the same incident. They won't have the same financial impact. They won't have the same impact. So it's really helped share the word and help organizations better protect.
So this journey starts, it was about seven, eight months after the pandemic started. And all of a sudden this organization, all of a sudden had this pop up under screens. So this is actually a, this is one of the earlier versions of what we now know as ransomware as a service. So this is where the actually ransomware creators are not necessarily the same people who actually deploy it into the victim's networks. They actually provided what's called as affiliate program. So they actually have, it's almost like a business model where they actually make this available to their channel, to their partners, their customers, and it's their customers who then break into the networks and then deploy it. This particular variant is known as cry lock and it's cry lock 2.0. And the former version of this was actually known as cackle Carle went up to version 1.6.
It was a very nasty piece of ransomware, but in the version of 1.6 in cackle, it did have very weak encryption capabilities. And actually eventually law enforcement was able to actually discover actually decryption key and be able to give victims a description key to recover their data. But cry lock had learned from their lessons. They've definitely improved their encryption capability, the performance and the ability to make sure that it was very efficient and very effective, unlike the previous flaws and earlier versions. So this is actually something and, and they do quite change it quite a bit. So even if you're using things like antivirus, antiviral software, they will actually use techniques to bypass detection of that. So this is what this organization faced with. They actually ransom demands in the millions. So if you're an organization, you have, you know, few million spur and you want don't wanna have to deal with ransomware.
It can be quite costly. So the next thing is, how do you typically get notified? How do you get informed? How do you know that you've become a victim? And these are the different methods. Sometimes law enforcement will contact you. They will reach out and say, we have found your data in another breach or we're actually doing an investigation or, or we've taken down the command and control off this criminal or gang. And we find and discovered you're a victim. Or you find that circuit researchers have, you know, hacked into the ransomware gang, find their chat logs and their evidence logs and disclosed them. And you may have been a victim who's paid and you might be basically been disclosed because the, the criminal gang has been taken down. You might even get it from third party customers or partners who actually discover their machines.
We've seen large suppliers, MSP providers in the last year become victims and their customers become victims as well. Attackers might contact you this incident, the attackers emailed the actually it team and said, Hey, do you know, we have taken over your system and network. And now you're a victim of ransomware. Here's the steps, how you contact our support team and they will help you pay the ransom and recover your data. They actually contacted them. They actually already knew their telephone numbers. Their email addresses all the roles and they actually reached out to the entire it department said, Hey, we just thought we'd be nice to let you know early enough so that you can have a bit of time to respond to this something. That's what typically you end up finding is they will reach out proactively. Sometimes they might even just put it on their social media channel, telegram Twitter, and you might find out that way.
You also might find out from your employees. They sometimes the first people to find out as they're working, all of a sudden, they get popped up, screen a message. In this case, when employees logged on their actually devices, the actually policy corporate policy notification they have in windows actually had been replaced with announcement saying your organization has become a victim of rents and your data's been locked. So they actually changed the login policy to actually indicate that they become a victim or you might find out from security researchers. I always find that this incident is always, there's quite a funny piece in it. As I was responding to the incident during the evidence gathering process, I was able to actually find in when I'm doing the investigation, you're looking at the logs, you're gathering all the information. And as I was looking through the logs, I started finding that the attackers simply did copy paste.
They took another attack and they copied the information and brought it over and then reused it in this victim. And what I ended up finding was evidence evidence of another victim. I find their credentials, their servers, their information, their user names, all within the evidence as I'm looking through. And I thought, oh, I have a responsibility here to make sure that I actually inform the other victims. So I thought I'll be a nice ethical hacker security researcher. I'm gonna reach out to this other victim, say, Hey, just to let you know, I'm in doing an investigation. And I find evidence that you've become a victim of renter. And they came back and said, no, we haven't like not possible, no way I thought, huh. And I, then I, I responded to that. I was like, are you sure? I mean, maybe, maybe this is a good chance that they're actually on your network and they haven't deployed it yet.
Maybe you should be proactive and start, you know, looking for the here's indicators of compromise to help you. And it went silent at that point, no response. And so I thought, okay, I I've, I've been proactive or reached out and I've formed them what I have, but they're just not willing to cooperate. So at the end of this incident investigation, I had together, all the evidence that I worked on, all the dynamic analysis, reverse engineering at the, the, the, the ransom variant, all of the evidence logs, all the archives, everything I had to pack it all up. And I said, I was informed by the victim to hand it over to one is the, the legal investigators who was gonna follow up. And that also meant also putting into a law enforcement archive. So I thought as I'm doing that, I might as well inform the other victim that you know, was not responding, that I'm having the handover, that data, that includes information about you to law enforcement.
They came back within minutes saying, yes, we were a victim. We don't want anyone to know about it. Therefore, please try to keep it ascribed. So it's really interesting that you do end up finding a lot of other victims when you're actually investigating other incidents and many organizations don't want to, you know, don't want you to hear about it. They don't want to be public because it can be quite financially impacting. And it's quite interesting how much those types of cases occur. So of course, if you become an in a victim, you will actually trigger your response plan. And this is one of the major lessons for this organization. And many of your organizations might be also in the same situation as you're going through. And you're doing this response. Many of you've probably prepared, and you've got an in response plan. You've got your checklist, you've done your due diligence you went through.
And you've probably about a year and a half ago. You've got ready and you've got this checklist and you've gotta how you respond to incidents. But this organization find a very important lesson. There's one thing about having an instant response plan, which typically it's something like this, where it's got, who's the ownership who communicates who's responsible for the different things. What's the contact list. How do you deal with different types of incidents, whether it being renter versus DDoS versus data, data, extraction, exploration, in-house capabilities about who's gonna help you externally third parties, containment, process, evidence gathering, and so forth. So this is what a typical in instant response checklist and plan is. But there's a big difference between having a plan. When I got into this organization, I asked them, where is your plan? It's encrypted.
And you're thinking, okay, well, you know, that's, that's the first lesson is make sure that you do have an offline copy, but there's a big difference between having an instant response plan and actually being instant response. Ready? That's a big difference. It's such a big difference about simulating even many organizations here. You probably work across multiple time zones. And one of the things, first things I'll ask you, okay, we now I need to go and actually do image collection, raw image collection of these impacted infected devices. What time format should I store them in? Like, what do you mean? It's like, well, we need to synchronize across what time format we're gonna use. Because as we gather the logs and evidence, we're gonna need to create a super timeline to understand about how, how the first attack gathered to the end. And we need to have a time zone and many organizations who basically work across multiple time zones.
Haven't even thought of those simple things in this response readiness plan, even naming conventions about what to name the machines and, and the images and so forth about how you make sure you knew where it originally came from. You get into also about the storage. I've seen organizations in the middle of an instant response plan, sitting on an Amazon webpage, ordering hard discs because they didn't realize how much space they're gonna need in order to store all these images, terabytes tens of hundreds of terabytes that you might even need, depending on how many machines that you have. So you need to think about also, do you have prepared, you know, the storage capabilities in order to place all of these images also, do you have, you know, when you're thinking about an answer instant response, it's not an it response. It's not a security team response today.
It's a business response. You need the whole business to work together because the business is impacted. The business has stopped. So you need to make sure your HR team is informed about how they communi communicate with employees. Is the employees data impacted? Is it leaked? Is it actually been taken out? How sensitive is that information? Do you need to notify your data protection office about the breach itself? So you really need to understand about how this all works together in a business sense. Do you have corporational law enforcement to help you, maybe even law enforcement is already working in other similar cases and can provide you actually early information about indicators of compromise containment efforts, and also potentially sometimes that might even have a key to help you. So always make sure you have those relationships as well. How is the, the instant responders going to respond?
Almost every single instant I've responded to including this one? I was given the same credentials the attackers had access to in order to do the forensics evidence gathering. They had no separation of duties. They had no other accounts that set up that was archived and actually reserved in order to be enabled in order to actually do the evidence gathering. And when you're not situation, what you're end up doing is if it is responders using the same active directory and the same credentials that the attackers potentially have access to you're contaminating evidence. And it means that your evidence gathering process can be very contaminated, meaning that even if it goes to a legal case later, how to differentiate those active attackers and your responders into the actions, it gets very blurry and muddy, even a go bike. This is one of the most stressful things you'll ever be in working very long days in a very stressful environment.
And it's so important to make sure that your actually team have the support. They need to respond. Having somebody who can just order pizza order, basically sleeping bugs and pillows, cuz it's gonna be a long night and you're gonna be sleeping in the data center. You're gonna be sleeping in the office. You're basically gonna need bars or chocolate. You're gonna need something warm. You're gonna need something to be able to, to, to have the team rest. This is one of the most stressful, and this is one of the reasons that many it teams and security teams leave organizations is within the months after an incident because they get burned out very quickly. So you also have to think about even having a psychologist or having somebody later who can actually, you know, advise them and be there because this can be very stressful, both work wise and also personal Lifewise as well, alternative communications.
I can't tell you many organizations, all of a sudden their phones don't work. Their messaging systems don't work. They are failing to how they, we communicate to employees to tell 'em don't connect to the network because your machine's gonna be impacted. Alternative means that communication employees is critical. So you make sure that all of a sudden, you don't have this domino effect of people, all of a sudden connecting their devices and all of a sudden all your machines start becoming victims as well. Having to help desk team prepared as well. Cuz you're gonna get an influx of calls from worried customers and partners and companies. And also again, keep this updated simulated practice. It do instant response. Even we don't have an incident just to make sure that you're fresh root skills. And I do recommend that, you know, get a external party who does this as a specialty, have access to don't, don't be in this situation where all of a sudden, when you're an incident, you're not looking for expertise and they're not available or they're very expensive, have a retainer, have a relationship so you can bring them on board quickly when you do have an incident.
So the next thing you're gonna think about was what things you need to coordinate. What's the effort plans you wanna get into. What's the mandatory requirements that you must collect. You need to think about. Who's responsible for manys in this whole process. Who's responsible for documentation, the timeline creation at this point in time, I think we had about 20, 25 people working in this particular incident, all coordinated, all having different actions. I was doing dynamic analysis of the malware to try and understand about what other capabilities was it, credential harvesting. Did it have a command and control? Where was those command control efforts? What type of encryption it was using? So I was actually doing the reverse engineering of the malware itself and the ransomware. And they had all those people that was actually then doing things like log to timeline or place, which is taking all of the logs and events and then creating these super timelines to understand basically the entire timeline from start to finish what was happening. And it's really interesting when you do those things, as you mentioned, I started uncovering other victims in other locations, but you start finding as you're doing an instant response and the evidence gathering process, you start finding other areas of crime in the business as well. We did find numerous machines that were running things like crypto mining software.
Yeah. At that point in time, I'm like, okay, I'll pass it over. That's up to your organization to determine what you wanna do with that. But you do find a lot of those things. You do find that employees might have installed a crypto mining to use company resources, to make a bit of money on the side and you know, run up your organization's electricity bill and overheat their, their GPUs. You do find that quite often. So in this incident, yes, we did find that for a long period of time, there was crypto mining software. We even did a calculation into what the potential energy cost for that company was. It was quite high. So these are the things you tend to find as well. You wanna understand about what's the recovery operations side of things what's impacted. How long have these attackers been in? Are you dealing with multiple attackers as well?
So, so getting into you also wanna align it with the minor attack framework as well. This is something that I do in order to try and understand about the common techniques. And this is where I take basically the demonstration for, from, for today and take you through some of those techniques and show you it's important to align it, to understand how you can mitigate what areas you might need to invest from a security strategy in order to mitigate the attackers path itself. This is a great one. This is the there's. The minor attack framework was the static one. This is an interactive one. You can actually go and customize and, and, and apply it and actually mark dine. So this one's on GitHub. So it is, you also wanna understand the indicators compromise. It's really interesting after an attack, when you're going through and looking at log files and audit files, sometimes it's almost like, whoa, I mean, didn't you see the smoke?
Like there's fires burning everywhere. What you looking and in organizations, there's basically a lot of cases. A lot of these indications that something was bubbling away. Something was happening in the background, but they just were not gathering that information that we're not actually proactively looking at the logs to try and determine if there was an active attack. Most organizations don't look, they don't actively look at the logs. They don't go and try and look for these indicators, a compromise after the fact, when you go through and you're like, okay, PS exec was running it basically Saturday, early morning at three o'clock in the morning, why would it be running? Why would it be a credential being created at that time? Why was a passer reset? Why did the server basically all of a sudden drop off the network for four minutes, just four minutes. It just dropped off.
What was, what was the reason we're like, ah, but it's back and running. Now it's running. Why did I need to look at it? Just waste. My time may have just been like a reboot or something else. So looking at these indications, compromise auto logs are so critical when you're doing in response. The worst thing that happens is an in responder is you, you get in and the executive, team's going to you. What happened? Show me the entire thing. I wanna understand what this entire T path was and you're looking at it. And it's almost like they've given you a 10,000 piece DL puzzle and you've got 200 pieces of that DHL puzzle remaining. And you're trying to understand what that big picture was. And you can put those little pieces together and try to assume the other pieces, because what happens in a ransomware case is they actually ransomware, encrypts the logs.
And if you're not having central archiving and bringing those into a central seam or, you know, central solution, what happens is those logs get lost and you lose sight of what was actually truly happening in the network. So it's really important to make sure you are archiving those logs and be able to after an attack and really get that full picture of what was really happening. So these are some of the indicators to compromise that it helped you go and actually take a look and see what potentially is happening in the network. You'll also be faced with the decision. Do you actually shut down your business? This organization was sitting on a Sunday morning. Servers were basically dropping one by one, their entire customer database, their entire asset inventory, their entire financial information, all encrypted and what they made the decision was so actually preserve data on their cus their employees, machines that were at home and lucky enough that a lot of those machines had actually in the Friday, they taken them home, shut them down and they were able to say, we need to shut down the business.
So they actually on the Sunday, pulled it, plugged to the internet and shut everything down to prevent it from even moving into their cloud environment. So they were able to isolate on premise from that decision. If they had to let it longer, the attackers would've been able to escalate it into their cloud environment as well, and potentially impact more of their employees machines. So you have to make that quick decision. And, and this is also data is also leaving the organization as well. That was actually a database that was about 150 gigs in size that was actively leaving the organization. And we're looking, we're like, okay, that's the main decision you gotta, you gotta sever that you gotta stop that data from leaking. So we were able to stop it. And it was about 40 gigs at the time, lucky enough that was that corrupted or transfer and made whatever data they got on usable.
So there's some things in save depending what timing you get. So I always ask the question and this is where I create my attack path and put my attacker hat on is what did they have access to? Cuz this really teaches me about what is the impact to the business? Did they have access to domain controller? Did they have access to all systems applications on premise and cloud? How long? So to give you an indication of how long this attack was going on for the actually credentials that was actually used in the attack actually basically had been compromised seven months prior, most likely by another access broker, somebody who specializes in just obtaining access to organizations, they very likely just, there was a few instances of check, like three checks over the seven month period verified that they were still authentic and still valid. And then they were so likely in the dark net to another criminal guy that criminal guy had then basically as part of a ransom, as a service had purchased the affiliate to get access to cry lock.
And then they also had an external help desk team who helped them actually communicate because their native language was not English and they were communicating through an external to the actually it team for the ransomware. So the active keyboard side of things was about two weeks period tech come in, hands on keyboard using the credentials and basically did enumeration elevation over a period of two weeks and then were able to actually elevate up the full domain and deploy the ransomware. So it was very, very difficult. These are the things, evidence that I looked for and I'll show you some of the techniques that was used. Eventually this organization had three choices of recovery and I asked them, okay, what's the state of your backup it's encrypted. So because it was on a flat network and it used the same credentials as production. And that is so common because organizations don't have a ransomware disaster recovery strategy, they have a hardware failure or a data failure, disaster recovery policy.
They want to recover fast when a production system goes down. So they typically have the backup system on a flat network on the same network as a production. They don't have an offline backup. And it meant that literally they were considering option two because the backup was no longer available. So option two came into consideration. My recommendation was always not to pay a ransom because it just makes my job more difficult in the future and also means that you're more likely to become a victim of rents more again, but even if you think about in today's political scenario, a lot of these criminals, they're not software criminals. They're organized gangs. A lot of these organized gangs are also actually participating in drug trade, human trafficking, weapons, trade terrorism. So if you're going to pay a ransom R to these organizations, you're very likely funding other types of criminal activities.
And that was proven when things like part of the gang was taken down in Russia, which was more honestly a PR stunt when you're seen that were also involved in drug trade as well. So it's really important to understand if you do consider paying the ransom that you're not just paying software criminals, you're paying organized crime that do fund other types of criminal activities. The other option is do nothing rebuild. Can you rebuild quickly? This organization decided that they were fortunate. They were so lucky. They actually did a migration of a machine because of a hardware was not suitable to run the new software. So one year prior, they actually did a migration of an old machine to upgrade the software and that machine, which was due to be decommissioned lucky enough, they were not very resourceful that that machine was still sitting on their desk gathering dust.
So we used that as the baseline to recreate their entire environment. We used that machine basically, as we migrated it just like they did before onto new hardware. And then we spent two and a half months with data Analyst scraping all the data from USB drives from hard drives, from email addresses, from paper and recreating. One year's worth of lost data, which this whole thing run into millions of costs. So that's what you're trying to find best option is have a backup. Don't be in the scenario that most organizations are in, have an offline backup. So one thing I do is find a simpler crypto. I'm gonna move on quickly here. So one of the things I like to understand, Joe sandbox is a great ability to show you dynamic analysis off the crypto itself. So this helps you understand what it is you're dealing with.
It will actually tell you things about, does it have command and control? Does it steal credentials? So this is a really great tool. If you're actually response and you wanna know quickly about what it is you're dealing with, you simply upload a sample and it will run it in a sandbox and tell you details. The next thing you wanna understand is why did your existing security controls not work? This organization had security in place. They did all the check boxes. They met all the compliance needs, but they still became a victim. And when we actually ran, when I uploaded the variant into virus, total only three AV vendors came back indicating that it was actually a malicious software three at that time, because they had done basically observation. They actually rerun it through, it was a new variant. It was a new version that was never detected.
And the reason when actually looking at the investigation, they had six other variants of ransomware that they could have chosen, but they chose cry lock because this was the one that bypassed their security defenses. They had antivirus running anti-malware protection, multifactor authentication, VPNs, firewalls, patch management, but the attackers were able to determine what was the easiest and success to be able to take them down. So are you ready to get stuck into the journey? This is the where we get really into the demo portion. So let me, this is still working. So as I switch over, I'll explain what I'm going through here is I've got my virtual machines here and I'm gonna go. I don't. The only thing we don't know for concrete is we know that credentials were compromised. We can only assume multiple ways on how those credentials were compromised. It could have been through a fishing campaign.
It could have came through that. The, the employee used another site that was compromised and they reuse those credentials. But I'm gonna show you some example, techniques that attackers commonly use in order to gain access to credentials. So when I get up to the point where I do the remote desktop side, everything from that point onwards is the actual exact techniques the attackers used. Okay. So one technique that attackers use is when they're able to get a, basically a windows hash or a user account host, and this is an TM V two hash. So sometimes they get this through either compromised databases or disclosures, or they are able to get the employee to go a site and enter the credentials in. But simply one, you get this hash. If it's a user chosen, if it's, this is a password that a human created, it is very easy to crack.
Now, again, these passwords I'm showing here are quite simple, but they're not the ones that was used in the real one, but the ones that was an real one, we're also easy to crack. They were not very well chosen passwords. They did have the policy, they did have opera case, lowercase number and a special character that all have, but it was very predictable for me, our human decision making of how to guess work that, so this simple one I'm gonna do here is I'm gonna take this hash and I'm basically gonna run it through hashtag and simply in my machines, I've got these cracking machines that I use in my home lab. You're able to correct these within about 25 minutes. So you can see here, this one of course is very easy, but it allows you to reverse and get that password and clear text.
Now, another comment technique. Now, if I was sitting here just to show you, I'm gonna clear this out right now. So another technique is, so for example, in this conference, I could have my machine running here as an attacker and I would run something like responder. I would connect to the public, the wifi that you are all probably using and I would simply run responder. So let's go ahead and get it running. Now, what responder does, it does basically net bias and LLM in our poisoning. So it means that if you're machine, if you're on the same network that I'm on and all of a sudden your machine let's move over to the victim machine here. So I'm gonna log into the victim machine. Let's go and maximize that. So I'm the user Neo and I log in and I'm basically on the, the machine and I'm playing around. And if you have things like map drives are all of a sudden, you basically need to go to a network share, and you simply basically go and enter in, let me get this right. It could be any IP address.
Simply that action here will then send. Basically my machine is saying, I've got that network share here, send me your network hash. And I will give you access to that share. And if basically net bias and element are, is basically enabled in this, in your machines, you will basically send me the network until I'm hash. And again, if that's a password that you've created and you've chosen from your mind, it's very easy for attacker to go and actually look at your password history of previously compromised credentials and go, and actually do reconnaissance and actually create word lists based on your life. That eventually to be able to take that credential, move it over here, which you can see here. This is the actually network telling hash you're gonna pass in the mode saying this mode's 5,600. I will pass a word list. And eventually it is only a matter of time before the machine cracks the password and gains access.
So here I get simply switched by machine to the wifi network. I can sit here all day, waiting for your machines to share your network CAEs. And then if your password is something that is that you created, it's only a matter of time before somebody's able to correct that another option. This is the one that we believe is the most likeliness scenario is that it was a brute force. So this organization to explain what had happened was they used VPN. They had multifactor authentication, but there was an accountant. And this accountant was very important and the accountant had a financial database that they needed to have access to. And during the pandemic, they weren't able to travel to the office location. So this accountant decided to call up the hosting provider directly and said, Hey, I'm having my machines in your network and I need to have access to them. I need remote access. So the hosting provider, outside of the knowledge of the it team went and enabled RDP access for the accountant
Because they had authority. The accountant paid the bills, the hosting provider's going, oh, that's the first we send the invoice to. So we don't wanna upset that person. So they got remote access and remote access was enabled. And then it's only a matter of time before an access broker goes and runs brute force. And this brief force will run and run and run. And eventually at some point they will get a hit and eventually they'll be able to get their credentials off this machine. So now what they'll end up doing. So again, this happens seven months prior to the attack occurring. So now what the attacker is able to do is simply they know, they know you have actual credentials. So can I go log on to this machine under, to disguise of a user? Now at this point in time, can you delve the difference between the attacker and the accountant
Now, same
Credentials, same credentials. So now as the attacker, I've logged in, what I'm gonna start doing is reconnaissance. I'm gonna start looking at this machine. I'm gonna start understanding about what software's running. This was actually interesting. What the attackers actually went and did was they ran GMR and GMR, we know is basically a root kit detector. So we typically use it in a security practice and to try and find root kits that are actually hidden within machines, but actually interesting what the attackers are using it for is to find antivirus software. So they're using GMR in order to find our basically protection. That's hidden in the kernel, that's gonna defend against them. So they're using GMR to try and understand about, well, what security controls in place. So now they're able to determine how they can bypass them. So before they get into really doing anything malicious, they're gonna look around.
They're gonna see in this real life case, there was a file that I find called important stuff on the desktop. And when I clicked in it and you look in it, they had the credentials to the financial system and they had the credentials to the database in clear text with all the credentials sitting in a tax file. I'm not kidding you. This is real. This is real. So after everything from the RDP access, this is exactly the evidence that was gathered. I've changed the IPS and stuff in here, but this is the file that I find in the desktop. So the next thing, what the attacker does is what, what does browsers love? What's apart from cookies, passwords, passwords, browsers, love to store. When you go to website, what does the browser say? Hey, passwords here, split the passwords here. We'll save your life from all this problems in the future. We'll even select difficult ones. So people can't correct them, but unfortunately, what does, what does browsers not have by default security?
So this is a default installation of Firefox that the actually accountant was using. And simply by going to passwords, now, the attackers access to all the passwords that that person chosen, even the complex ones that the browsers created, that simply I can go and go reveal and see those passwords. And now the attacker not only has access to this machine, but they've also access to all the per person's personal email address, personal social media, other accounts and things. Lucky enough, there's a few things that did have multifactor authentication, but now they actually also see their previous password choices. And I will take those, put them into my wordless creation and start trying to guess other password choices that that person might use. So again, this is another practice that you end up saying, and this was actually from the incident itself. So next thing the attacker's gonna do, they're gonna be looking and saying, well, who am I?
What, what, what types of privileges do I have? So I'm Neo and I'm on the matrix. Okay, great. But what type of promotions do I have in this machine? And this basically organization thought that this is an important person. So we'll give them local administer access. And this is basically the attacker's dream. This is like, it's almost like hitting the lottery tickets. They're like, Hey, fantastic. Cuz organizations, they misunderstand it. When you give at a person local minister rights, they assume it's local. They assume it's that's local. It says it's local. Can't use it anywhere else. But it means what you're doing is giving the attacker permissions to make configuration changes to this machine. And this is what they want to be able to do. So now as a local administrator, what I can now do is I can start. And of course they will. If this machine isn't the local minister, they're gonna use things like blood hound. They're gonna start looking at active directory and they're gonna be looking to where to find those local administrator accounts. Cuz they want to stay stealthy. They wanna stay hidden. They wanna stay under coverage, but they wanna look for those accounts cuz they that's their ability to actually elevate up. It's only a few steps from when they get that access to moving up. So yes. Do you
Mind if I ask just quick the real guy, the admin guy, he could be happily logged in as himself, somewhere else.
Yes. Yeah,
No idea.
He doesn't know. Doesn't know. So now I know that I've got local minister access to the machine. Now I'm starting to think, okay, what I can then do with local minister access is I can now go and download my automation scripts. And these are the real scripts that was actually used by attackers. So these are the exact ones. So I'll try and large them here and explain what they are. So the disabled script. So the disabled script as a local minister, I can even show you inside this open, open it up. So what this script does is actually increase this size.
So this actually goes through as a local minister, it will actually disable all the security in that machine. So after running GMR and they know what security controls you're running in the machine, they will now go and customize the script to disable all the windows, defender security, malware defense, and what it appears. So this will run and it will actually stop all of those services and then basically clean itself up. So now allows the attacker to now be able to make changes that will go under the radar of the organization. These sessions tend to last about four minutes long. Hence, when we were looking at indicators of compromise machines were dropping off for four minutes from the security, like it just, all of a sudden wasn't communicating for four minutes. Why? Because this is the window of opportunity for attackers to make those changes just to make the configuration.
So what happens is even if you see those little sessions, the maximum session prior in the two weeks was eight minutes. The maximum that they took, once they do their changes, they, they and look for things like fine password. So they'll start searching the machine for other types of credentials in the registry and on the hard drive, maybe there's developers code scripts, maybe there's unattended scripts on there. Maybe the search's keys and a registry for auto log. Maybe there's backup scripts, all Hayden. So they'll do searches for those. They'll go and make sure that they can actually get persistent access. So they'll actually go and disable and make firewall and changes to this machine. They'll actually add terminal service connection to the RDP session. They will might even go and do things like sticky keys and they actually use sticky keys in this. So if you're not familiar with sticky keys, what sticky keys is, is when you go to login prompt in windows.
If I actually run sticky keys and I go to here, ease of use and I click in it, you'll see, it actually brings up like full terminal prompt. And if I go, who am I? I'm actually the full authority system in this machine. So I'm actually the administrator on this machine simply by going here. And now I can go from a, without even having a user in this machine, I can go and create another local administrator and gain access. So this is one of the things they use because they were afraid if the user ever changes their password. At that point in time, they're afraid the user might change their password and they wanna have persistent access. And this is a way to create that backdoor. They'll also might create a user. They didn't create a new user until a bit later in the attack.
So a new user was created much later, but they did have this in their backlog. They had another script that was launch attack and the launch attack was, did two things. It created staging servers. So it took all the tools from here and it put another machine. And then that on the machine was then used to launch the attack immediately. So they had these basically hierarchy of staging machines that you were using. And then also the clean script was really cool cuz the clean script, what it did was it cleaned up the last four minutes of activity.
So if anyone went to investigate and they logged in this machine, all of a sudden the log was disappeared for the last four minutes, no activity. So they, all of a sudden, maybe you think that, okay, maybe the server just had a problem just basically stopped working. And that was it. But the attackers had a nice script to be able to do that. So neither disabled they've created back tour. The next step that they go and do is go and launch MI cats cuz Mimi cats. And I execute in this machine because the antivirus and all the software is actually security is disabled. So they'll download it from another machine, typically using parcel and download it from a cloud hosting machine. They'll extract it and then they'll do a couple things here. One is they'll go and enable creds. So by default, after windows 2012, SB one, this was actually changed by default.
So the default setting here is that credentials are not stored in clear tax and memory, but with a simple registry change, which they are able to do with local minister rights, they can go make that change here by adding different security providers and also change the user login credential, which changes this back to passwords and clear text that will end up making that change. They might run dump credentials at this point in time, dump credentials built basically look at the operating system, determine 64 bit or 32 bit, and then determine which mini caps to run and then try and extract the passwords and hashes. Now the first time they do this, it's very unlikely that they're gonna get any credentials other than the one they already have, because it only basically will able to do the clear tax after that change has been made. So what the attackers tend to do is they'll basically go and run.
They'll say, okay, I didn't find any credentials more than what I have. I'll come back here. I'm gonna do my automation script. I'll run the clean script. After that, I will actually make some problems in this machine. I might delete a few files that makes an application fail. I might make a little bit of noise in the event log and then I'll log off. And what they're hoping for is that little action of making problems on that machine. The help desk administrator goes, huh? The account is not calling me up and saying that this machine has problems. Something's not working. They're getting error messages. So the help desk worker, what do they do? They go on troubleshoot. So they come back to the server. They go into the, the machine that has the problems they'll log in what they log in with domain credentials, use your domain administrator.
And actually, unfortunately there was another problem in this environment was that there was a database running and there was actually a backup job. There was a PS exec script running and that PS exec script was running, was actually connecting into the server and taking it back the database. And that script was actually using domain admin credentials. So it was only a matter of time before that backup job had ran. And then the attacker couple of days later comes back in. They come into, they do the same process. They go through the same steps, disabled security, run the scripts, go into MI cats, go and look at the credentials again. And eventually after running this a few times, I'm waiting for that backup job to run. It literally is only a matter of time before eventually if I can find it here, see that they end up getting a domain administrator credential and this, this is the worst case scenario at this point in time, it's literally hours before they will deploy the SMER.
Cuz now they have the ability to go and do further things they can. Now, now they've got credentials to the domain admin. I can go and do things like scan the network. So in this case they actually use network scanner and they basically ran the scan against the network. So go and discover all the machines in the environment. And what do you love to do? What do you call your SQL server? What's the name of it? SQL server. What's your backup server called? What's your E R P system called SAP. What's your, what do we like to name machines? What it does and when an attacker scans it, they're able to see your names and you make it easy targets for them and what they're able to do here. They did a lot of automation using network scanner. So simply if I go to the domain controller, I can right click here.
And they actually did a lot of automation here. So I actually had to have this translated, this actually the original text that was in, I was permitted to say it was actually acrylic Russian language. So this was the only indication of origin of the attackers was this was actually in Russian acrylic language. So I had it translated. And what you can see here is things like turn security off, create users, download packages, create staging machines. So they had actually used this for automation and this links back as it links back into the scripts that was actually running in the background. So they're able to go and use this for automation, for scanning. And they be able to then determine where the data was. And then they actually created an SEP server and then started basically dropping all of the actually files, the company files, including the data base onto that machine. And it started syncing the data out of the organization. Unfortunately, the organization didn't have really good Deepak inspection or filters. And the only thing they they could see was that data was going out. They couldn't see exactly what and, and they only knew that it was up to 40 gigs of data. We have 10 minutes. Okay. Thank you. So the next stage is they'll go and basically run up to the RDP RDP. In this case, I'm using a standalone, portable RDP, and now I've got credentials to the domain controller
And now I on, and at this point in time, I own the network. I own the entire infrastructure. I can go anywhere. I want, I can get access to anything I want. And the organization is basically, you know, this, this is disaster mode. At this point in time, the organization rebuild is likely a rebuild of active direct at that stage. Other things that attackers will do as well. If I go back to my script here, they might use things like PSAC to move around. So they actually wanted to appear to be similar to the system administrator. And they find that the system administrator was heavily using PSAC for their automation, for backup jobs and so forth. So attacker also was using PSAC. So simply using it allows me to get access to machines. So now I can go and log on and actually use the same footprint living off the land that the actually organization uses the manager systems.
So it's very hard to then determine the attackers actions versus system administrators actions. Also what was used as well was things like pass the hash. So now what I can do is as I was able to go into this machine and as I was logging in, you'll see here that even if I didn't get the password, that if I only got the hash of the administrator here, I can take the hash administrator and use basically the evil win RM to access the actually domain controller. So you can see here, I'm actually the administrator, what you host name I'm actually logged in as in the domain controller. So this is the exact steps that attackers use and they use this almost the same ones, every single time, simple variations, simple methods. Maybe they change a little, few things and so forth, but this is what's really common.
This is the techniques that the attackers, if they get access to organization do have the right defenses in order to actually protect against it. So just going back to the slides, just give you a bit of a recap. It's so important that during a attack that you do find patient zero quickly because that's the door into your organization. That's the vulnerability. That's where the compromise credentials are being abused. That's where doing thence that's for the actually looking, trying to understand about your organization. So the more that you understand patient zero, you understand also that they might have different staging machines. This will allow you to actually stop the attack quicker. So finding patient zero, when I did the super timeline and I was trying to find patient zero, what I actually did was I didn't have much logs to go with. I actually had almost empty logs when I imported it.
All I had was clean log files, cleared log files, cleared log files. And most of it was encrypted as well. The way I actually was able to find patient zero was actually looking at the times of the cleared log files and actually working my way back to try and find the first one that had happened on was my way of actually just looking at the, the sequence of events to try and find patient zero, cuz typically they'll do it from where they're located first and they'll spread it out and be able to do that, to find that was quite very difficult, but so important to find patient zero. Next thing is understand about that initial access. How did they get in the door? And it's so important. You put the right defenses and controls in to actually to protect it in this case. The first of all, that machine that had RDP access should not have been just a password and username human created.
It should have additional security controls. It should have been actually visible by the it team because it was even outside of their knowledge. They didn't even know it existed until it was already too late. So it's really important to make sure you have consistent policies, discovery visibility into when those things happen. Also looking at how does security, how high risk is it to give users local administrator rights. As you're seeing from here, it's only a few steps from an attacker to jump from local to full domain, any local minister rights that you give to employees, they should be considered very high risk users. And you should basically be very, very stringent in the basically auditing on the security controls and everything that happens with those accounts. The best practice is actually to move the principle. Lease privilege and actually move, remove local minister rights and go to something like application control and elevation on demand.
Also look at persistent back doors. This, you should be searching for the registry settings of these correctively. Do an audit in environment to actually look for basically where there's back doors that's being created. Cuz sticky keys is an nerdy indication that the attackers is about to actually launch an attack. So go and understand about look for those registry key changes because that's an early indicator also about the registry key changes that was used in MI cats in order to make sure the credentials appear on clear text, do an audit of this one, search all your machines is a simple registry query and to find out word exists and have it periodically because sometimes there's a good early indicator or compromise that the attackers are on your network. The goal that we have is to make it more challenging for attackers, forcing them to take more risks, the more risks they take, the more noise they create and the more chance you have at seeing them understanding the difference between your administrators actions and the attackers actions.
Maybe you actually put something that actually makes it time based that these actions cannot happen on the weekend or early hours in the morning, and also understand about what automation was put in place. So what things can you do? What simple things you can take away from this is one is good. Education, knowledge, password, hygiene, rotating, a passwords, not using domain credentials, basically for automation, scripts, not logging in the systems and not rotating the password after use, not basically, you know, leaving humans to choosing passwords, making sure you have a system at creating more complex automated passwords. Don't store your passwords in a browser back up and have a test plan. Practice. The principle leads privilege and zero trust privilege access to help you do automation of a lot of this control applications and patching and updating security. These are simple things, but you must do them really well.
You must be very stringent in making sure that you've got full visibility and full coverage. Understanding these techniques is your best way to understanding about how you make attackers more challenged, more difficult for them, but you have to convert all of this into business risk in order to make sure you get the budget in order to do the things you need to do. So at this point in time, hopefully this is educational entertaining and that you've got some value from this. If you do have questions, if you do want to see me after this, I'll be around for another maybe half hour or so. So do grab me to challenge me and if you want, I actually have a lot of these actually created in white papers. So you'd be interested in actually getting a copy of those instructions that actually took through this. I can make sure you get a copy of that. So thank you. It's a pleasure. Stay safe. Enjoy the conference.
