
Week 4 TTPs

dthomsen116 edited this page Feb 12, 2023 · 2 revisions

1) Document Notes

Background

Threat analysis report by the Cybereason team on the IcedID infection, aka BokBot, a banking trojan used to steal personal financial information that has been active since at least around 2017.

Responses

Pick 1 Tactic, Technique or Procedure that is of interest to you and describe in your own words how the attacker's TTP could be identified by a defender.

One TTP of interest to me is Lateral Movement, the act of elevating permissions or moving around the network in search of higher-priority data.

The Attacker's process

  • Pinged the host to see if it was online.

  • Used wmic.exe to create a file on the remote host.

  • Once on the remote host, executed the same command again, using another file name.

"The attacker continued to follow this process throughout the network, using ping.exe to see if the host is online, moving laterally through WMI, and executing Cobalt Strike payload for a better foothold."

How could this be identified by a defender?

  • The pings would likely have been logged somewhere on the system, which would catch the initial foothold, and the attacker's path could then be followed through the commands entered and the files created as they moved laterally throughout the network.
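As an added example (not part of these notes or of the Cybereason report), a small Python detector over constructed Sysmon-style process-creation records: it flags a wmic.exe remote process creation (`/node:...`) that follows a ping.exe to the same target from the same source host within a short window, which is the ping-then-WMI sequence described above. Hostnames, timestamps and field names are constructed; the window length is an assumption.

```python
from datetime import datetime

# Constructed process-creation events (Sysmon event 1 style); not real report data.
EVENTS = [
    {"time": "2023-02-10T09:00:05", "host": "WS01", "image": "ping.exe",
     "cmdline": "ping -n 1 FS02"},
    {"time": "2023-02-10T09:00:40", "host": "WS01", "image": "wmic.exe",
     "cmdline": 'wmic /node:"FS02" process call create "cmd /c C:\\Users\\Public\\a.dll"'},
    {"time": "2023-02-10T09:05:00", "host": "WS01", "image": "ping.exe",
     "cmdline": "ping -n 1 DC01"},
    # Same pattern but 85 minutes later: outside the default window.
    {"time": "2023-02-10T10:30:00", "host": "WS01", "image": "wmic.exe",
     "cmdline": 'wmic /node:"DC01" process call create "cmd /c C:\\Users\\Public\\b.dll"'},
    # Benign local wmic query: no /node, no process call create.
    {"time": "2023-02-10T11:00:00", "host": "ADMIN1", "image": "wmic.exe",
     "cmdline": "wmic os get caption"},
]


def wmic_target(cmdline):
    """Return the /node: target of a wmic remote 'process call create', else None."""
    low = cmdline.lower()
    if "process call create" not in low or "/node:" not in low:
        return None
    after = low.split("/node:", 1)[1].strip()
    return after.split()[0].strip('"') if after else None


def find_ping_then_wmi(events, window_minutes=10):
    """Return (source host, target, wmic cmdline) for each remote wmic execution
    preceded, within window_minutes, by a ping to the same target from the same host."""
    last_ping = {}  # (source host, target) -> time of most recent ping
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        image = ev["image"].lower()
        if image == "ping.exe":
            target = ev["cmdline"].split()[-1].lower()  # ping's last argument is the host
            last_ping[(ev["host"], target)] = t
        elif image == "wmic.exe":
            target = wmic_target(ev["cmdline"])
            if target is None:
                continue
            seen = last_ping.get((ev["host"], target))
            if seen is not None and (t - seen).total_seconds() <= window_minutes * 60:
                hits.append((ev["host"], target, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for src, dst, cmd in find_ping_then_wmi(EVENTS):
        print(f"ping->WMI lateral movement: {src} -> {dst}: {cmd}")
```

Widening the window trades missed slow-moving intrusions for more noise from legitimate admins who also ping before using WMI, so the hit should be correlated with the files created on the target.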