Lecture 3

Questions and Answers

Explain what is lateral movement? If you are an attacker, explain the pros and cons of using Windows RDP protocol to perform lateral movement.

Lateral movement is moving from one device to another after compromising the organization's network. The goal is to get high valued data without making noise. The pros of using Windows RDP protocol to perform lateral movement are can interact the target's GUI fully, RDP sessions are encrypted, which means the data transmitted between your machine and the target machine is secure. The cons is that if someone is using the remote computer, they will see that another user has logged in so can only use it when they are not on their device.

Tell me about Nmap.

Nmap is a scanning tool that maps out all the hosts in the network to discover the ones that contains valuable information. It uses IP packets in unique ways to discover which devices are active on a network, identify the services that they are running, their versions, OS, type of firewall and many other characteristics.

As an attacker, how would you perform a lateral movement using Sysinternals?

Sysinternals is a set of tools that allows the administrator to control Windows-based computers from a remote terminal. As an attacker, I can use it to upload, execute and interact with executables. It will not alert and are ignored by anti-virus devices since it is classified as legitimate system admin tool. It can be used to reveal services that are running and can stop that service.

How would you use file sharing to perform lateral movement?

After compromising the organization's network, an attacker can access the resources that are shared within the organization. They can plant virus or malware in those files or resources to infect the computers that copy those files. This method gives low detection because legitimate file sharing tools are used. It is more effective when attackers have administrative privileges.

How do attackers use PowerShell to run lateral movement?

An attacker will use the PowerShell from the device that he compromised to run scripts automatically at a scheduled time. Once this script has been executed, all the devices within the network would have downloaded remote access tools. This method will reduce the risk of being alerted by the antivirus devices nor leave traces for investigators.

Explain Window Management Instrumentation.

WMI is Microsoft's inbuilt framework that manages the way in which Windows systems are configured (legitimate and not detectable). The framework can be used to start processes remotely, to gather system information, and also store malware that stays in the system even after restarted.

What does privilege escalation mean?

Privilege escalation means an attacker gains access to a regular user account on a computer and then exploits a software vulnerability to gain administrative privileges, granting them broader access and control over the system.

How would an attacker perform horizontal privilege escalation?

An attacker can move from one normal account to another through software bugs: a normal user is able to view and access files of other users due to an error in the coding system, and through an administrative account: attackers can go on with the attack by creating other admin-level users.

How do attackers perform vertical privilege escalation?

Vertical escalation techniques differ from system to system. ➢In Windows: buffer overflows are commonly used. ➢In Mac: it can be done in a code called jailbreaking. ➢Also, by web-based tools: the exploitation of the code used in the backend.

What can attackers do using valid administrator accounts?

Using valid administrator accounts, attackers gain unauthorized admin access and use it to log in to a sensitive system or create their own logon credentials. Attackers can exploit programming errors, which may introduce vulnerabilities that attackers can bypass security mechanisms. Some systems will accept certain phrases as passwords for all users.

What can access token manipulation do?

Access token manipulation involves tricking Windows into thinking a process is started by an admin, so it runs with admin privileges. Attackers copy access tokens from existing admin processes to new ones, using built-in Windows functions. This lets them run processes with full admin privileges without interference.

What is application shimming and how can hackers exploit it?

Application shimming is a Windows framework that ensures compatibility for older programs on newer Windows versions. It acts as a middleman, making older programs work smoothly with the newer system. However, hackers have exploited this framework by creating custom shims. These custom shims can bypass security measures, inject malicious code into legitimate programs to turn them into malicious programs, and manipulate memory addresses.

What is DLL?

Dynamic Link Library is a shared library for Windows system that allows developers to share codes without needing to link or combine applications.

How is DLL injection performed?

DLL injection lets hackers hide their malicious activities behind the facade of normal, trusted programs. The attacker finds a way to attach their malicious code to a legitimate process or service. Once the malicious code is attached, it can access the computer's memory. The attacker's code copies a malicious DLL (Dynamic-link library) into the computer's memory. Finally, the attacker's code executes the malicious DLL using a legitimate process or service. Because it's running with a trusted program, the malicious code can do its dirty work without raising suspicion.

Explain reflective DLL injection.

Reflective DLL injection takes a more stealthy approach. Instead of relying on the operating system's functions to load the malicious DLL from the file system, the attacker's code loads the DLL directly into the memory of the target process as raw data. This means that the DLL doesn't have to be stored as a separate file on disk.

Explain Stuxnet.

A sophisticated computer worm created to target and disrupt Iran's nuclear program It spreads through USB drives and networks, targeting industrial control systems, particularly those used in Iran's nuclear facilities. Once inside, it manipulates programmable logic controllers (PLCs) to sabotage centrifuges by causing them to spin too fast or too slow, ultimately damaging them.

Explain Flame.

A highly complex and stealthy cyber espionage malware discovered in the Middle East, primarily targeting computers in Iran and neighboring countries. It was designed to steal sensitive information, including documents, screenshots, and audio recordings, from infected systems. Spread over USB sticks, it could infect printers shared over the same network. Data’s sent off in smaller chunks: Flame didn’t simply transmit the information it harvested all at once to its command-and-control server, because network managers might notice that sudden outflow. Flame could exchange data with any Bluetooth-enabled device: the attackers could steal information or install other malware not only within Bluetooth’s standard 30-meter range but also farther out (about 2km) using Bluetooth rifle.