LAPSUS$ TTPs
[Figure: ATT&CK matrix mapping of the techniques used by LAPSUS$]
LAPSUS$ used two techniques worth a closer look: code signing with stolen certificates, and disabling or modifying security tools.
TA0005 - Defense Evasion
T1553.002 - Subvert Trust Controls: Code Signing
Malware signed with NVIDIA's certificates
The leak included two stolen NVIDIA code-signing certificates, the ones NVIDIA's developers used to sign their drivers and executables.
Developers sign executables and drivers with code-signing certificates so that the operating system and users can verify who published a file and whether a third party has tampered with it. Microsoft additionally requires kernel-mode drivers to be signed, as a security measure.
Below are Mimikatz samples signed with an NVIDIA certificate:
Sample link: https://www.virustotal.com/gui/file/9d123f8ca1a24ba215deb9968483d40b5d7a69feee7342562407c42ed4e09cf7/details
Sample link: https://www.virustotal.com/gui/file/065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1
NVIDIA certificate serial numbers
[*]43:bb:43:7d:60:98:66:28:6d:d8:39:e1:d0:03:09:f5
[*]14:78:1b:c8:62:e8:dc:50:3a:55:93:46:f5:dc:c5:18
Both certificates have already expired, but Windows still allows binaries signed with them to run and drivers signed with them to load: a signature is not rejected merely because the certificate has since expired. Attackers therefore use the stolen certificates to sign malicious drivers that pass as legitimate NVIDIA code and are loaded by the operating system.
YARA rule:
import "pe"

rule SUSP_NVIDIA_LAPSUS_Leak_Compromised_Cert_Mar22_1 {
   meta:
      description = "Detects a binary signed with the leaked NVIDIA certificate and compiled after March 1st 2022"
      author = "Florian Roth"
      date = "2022-03-03"
      modified = "2022-03-04"
      score = 70
      reference = "https://twitter.com/cyb3rops/status/1499514240008437762"
   condition:
      uint16(0) == 0x5a4d and filesize < 100MB and
      pe.timestamp > 1646092800 and // comment out to find all files signed with that certificate
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].issuer contains "VeriSign Class 3 Code Signing 2010 CA" and (
            pe.signatures[i].serial == "43:bb:43:7d:60:98:66:28:6d:d8:39:e1:d0:03:09:f5" or
            pe.signatures[i].serial == "14:78:1b:c8:62:e8:dc:50:3a:55:93:46:f5:dc:c5:18"
         )
      )
}
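The rule above keys on three things: the issuer string, the two serial numbers, and a compile-timestamp cut-off that excludes genuine NVIDIA binaries built before the leak. The same check is often needed outside YARA, for example on signer data exported by Get-AuthenticodeSignature, signtool or a Python PE parser, and those tools print serials in different notations. The following is an added Python example, not code from the page or from Florian Roth's rule: it normalises serials from the common notations, applies the rule's condition to constructed signer records (the paths and timestamps are hypothetical; the serials and issuer string are the ones from the page), and shows what the epoch cut-off corresponds to.

```python
"""Match code-signing certificate serials against the two leaked NVIDIA certificates.

Added example; not from the original page and not part of Florian Roth's YARA rule.
The serials and issuer string are the ones on the page; the record layout,
file names and timestamps below are constructed for illustration.
"""
from datetime import datetime, timezone

# Serial numbers of the two leaked NVIDIA certificates (from the page, YARA notation).
LEAKED_SERIALS = {
    "43bb437d609866286dd839e1d00309f5",
    "14781bc862e8dc503a559346f5dcc518",
}
# Issuer substring the YARA rule keys on.
ISSUER_SUBSTRING = "VeriSign Class 3 Code Signing 2010 CA"
# pe.timestamp > 1646092800 in the rule; cutoff_iso() shows which date that is.
COMPILED_AFTER = 1646092800


def normalize_serial(serial) -> str:
    """Reduce a serial to lowercase hex with no separators.

    Tools print the same serial differently: YARA uses 'aa:bb:..',
    PowerShell's Get-AuthenticodeSignature and signtool print 'AABB..',
    and cryptography's x509.Certificate.serial_number is a Python int.
    """
    if isinstance(serial, int):
        digits = format(serial, "x")
        return digits if len(digits) % 2 == 0 else "0" + digits  # keep a leading zero byte
    digits = serial.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    return digits.replace(":", "").replace(" ", "")


def cutoff_iso() -> str:
    """The rule's timestamp cut-off as an ISO date (UTC)."""
    return datetime.fromtimestamp(COMPILED_AFTER, tz=timezone.utc).isoformat()


def is_leaked_nvidia_signature(issuer: str, serial, pe_timestamp: int,
                               compiled_after: int = COMPILED_AFTER) -> bool:
    """Same condition as the YARA rule, for one signature entry.

    compiled_after=0 corresponds to commenting out the pe.timestamp line: it
    lists every file signed with the certificates, including genuine NVIDIA
    binaries built before the leak.
    """
    return (
        pe_timestamp > compiled_after
        and ISSUER_SUBSTRING in issuer
        and normalize_serial(serial) in LEAKED_SERIALS
    )


def scan(records, compiled_after: int = COMPILED_AFTER):
    """Return the names of records with at least one matching signature.

    Each record mirrors what a PE parser exposes: 'pe_timestamp' (compile time)
    and 'signatures', a list of {'issuer', 'serial'} entries.
    """
    return [
        rec["name"]
        for rec in records
        if any(is_leaked_nvidia_signature(sig["issuer"], sig["serial"],
                                          rec["pe_timestamp"], compiled_after)
               for sig in rec["signatures"])
    ]


# Constructed signer records (hypothetical paths and timestamps).
SAMPLE_RECORDS = [
    {   # Tool signed after the leak with leaked certificate #1: flagged.
        "name": r"C:\Users\Public\mk.exe",
        "pe_timestamp": 1646400000,  # 2022-03-04
        "signatures": [{"issuer": "VeriSign Class 3 Code Signing 2010 CA",
                        "serial": "43BB437D609866286DD839E1D00309F5"}],  # PowerShell notation
    },
    {   # Driver built years before the leak: excluded by the time filter.
        "name": r"C:\Windows\System32\drivers\nv_example.sys",
        "pe_timestamp": 1500000000,  # 2017-07-14
        "signatures": [{"issuer": "VeriSign Class 3 Code Signing 2010 CA",
                        "serial": "14:78:1b:c8:62:e8:dc:50:3a:55:93:46:f5:dc:c5:18"}],
    },
    {   # Recent binary signed by an unrelated CA: not flagged.
        "name": r"C:\Program Files\Example\app.exe",
        "pe_timestamp": 1646500000,
        "signatures": [{"issuer": "Example Code Signing CA",
                        "serial": "0a3f5c9e1b2d4f6a7c8e9d0b1a2c3d4e"}],
    },
]

if __name__ == "__main__":
    print("cut-off:", cutoff_iso())
    print("flagged:", scan(SAMPLE_RECORDS))
    print("all signed with leaked certs:", scan(SAMPLE_RECORDS, compiled_after=0))
```

Two caveats carry over from the rule. The compile timestamp lives in the PE header and is attacker-controlled, so the cut-off only trims false positives on legitimately signed old NVIDIA files; it is not a guarantee, and running with compiled_after=0 (the rule's commented-out variant) is the safer first pass on a small host set. The issuer check also only looks at the signer certificate, so catalog-signed files and files with a second, valid countersignature still need the same serial comparison on every signature entry, which is why the rule iterates over pe.signatures.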
T1562.001 - Impair Defenses: Disable or Modify Tools
Attackers take steps to disable security tools so that the malicious tooling they have staged is not detected. The ATT&CK documentation for T1562.001 lists many procedure examples: killing the processes or services of security software, modifying or deleting registry keys or configuration files so the tool no longer works, or otherwise interfering with a security tool's scanning and reporting.
The attackers used Process Hacker to terminate running EDR processes; once the EDR was down, Mimikatz could be loaded into memory.
What remains for defenders is detection and monitoring. Atomic Red Team can be used to exercise this behaviour (for example, its tests for disabling security tools) and confirm that the resulting telemetry actually reaches the SIEM.
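The sequence described above (a process-killing tool starts, an EDR process dies shortly afterwards) is a two-event correlation, and a renamed Process Hacker binary is the obvious evasion to plan for. The following is an added Python example, not code from the page: it runs that correlation over constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 5 ProcessTerminate, supplied as JSON lines). The tool names, the protected-process list and the 60-second window are assumptions to tune per environment, and the sample log is constructed.

```python
"""Detect EDR/AV processes being killed by a process-termination tool (T1562.001).

Added example, not from the original page. It correlates constructed
Sysmon-style events (Event ID 1 ProcessCreate, Event ID 5 ProcessTerminate)
given as JSON lines. The tool names, the protected-process list and the
60-second window are assumptions to be tuned per environment.
"""
import json
from datetime import datetime, timedelta

# Tools used to kill processes by hand; Process Hacker is the one named on the page.
KILLER_TOOLS = {"processhacker.exe", "systeminformer.exe", "taskkill.exe", "pskill.exe"}
# Illustrative defender processes (assumption: replace with the agents you actually run).
PROTECTED_PROCESSES = {"msmpeng.exe", "mssense.exe"}

# Constructed events: a renamed Process Hacker (svc.exe) starts, Defender's
# MsMpEng.exe exits seven seconds later; a second MsMpEng.exe exit hours later
# has no kill tool nearby and is only noted.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2022-03-04 10:15:02.120", "Image": "C:\\Temp\\svc.exe", "OriginalFileName": "ProcessHacker.exe", "CommandLine": "svc.exe", "User": "CORP\\jdoe", "ProcessId": 4120}
{"EventID": 5, "UtcTime": "2022-03-04 10:15:09.500", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2202.4-0\\MsMpEng.exe", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 3360}
{"EventID": 1, "UtcTime": "2022-03-04 10:16:00.000", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe", "User": "CORP\\jdoe", "ProcessId": 5000}
{"EventID": 5, "UtcTime": "2022-03-04 13:02:00.000", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2202.4-0\\MsMpEng.exe", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 7788}
"""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON lines into events sorted by Sysmon's UtcTime field."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def detect(log_text: str, window_seconds: float = 60):
    """Return alerts, in time order, for kill-tool launches and protected-process exits."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    killer_starts = []
    for ev in parse_events(log_text.splitlines()):
        image = _basename(ev.get("Image", ""))
        # OriginalFileName comes from the PE version resource, so a renamed
        # ProcessHacker.exe is still recognised.
        original = ev.get("OriginalFileName", "").lower()
        if ev["EventID"] == 1 and (image in KILLER_TOOLS or original in KILLER_TOOLS):
            killer_starts.append(ev)
            alerts.append({"severity": "medium", "rule": "process-kill tool launched",
                           "time": ev["UtcTime"], "user": ev.get("User"),
                           "image": ev["Image"], "original_file_name": ev.get("OriginalFileName")})
        elif ev["EventID"] == 5 and image in PROTECTED_PROCESSES:
            recent = [k for k in killer_starts
                      if timedelta(0) <= ev["_ts"] - k["_ts"] <= window]
            if recent:
                alerts.append({"severity": "high",
                               "rule": "protected process terminated after kill tool",
                               "time": ev["UtcTime"], "image": ev["Image"],
                               "killer": recent[-1]["Image"], "user": recent[-1].get("User")})
            else:
                # Upgrades, crashes and reboots also end these processes; keep it low.
                alerts.append({"severity": "low", "rule": "protected process exited",
                               "time": ev["UtcTime"], "image": ev["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["rule"], alert["time"], alert.get("image"))
```

The check that matters most for a real deployment is the one the correlation cannot do on its own: an EDR that is killed stops sending telemetry, so the Event ID 5 for its own process may be the last event the host reports. Alerting on the kill tool's launch (the medium alert) and on a host going silent is what catches the case where the high alert never arrives, and an Atomic Red Team run of the T1562.001 tests is the cheapest way to confirm which of those signals actually reaches the SIEM.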
MITRE ATT&CK TTPs used by LAPSUS$
TA0001: Initial Access
[*]T1078: Valid Accounts
[*]T1133: External Remote Services
[*]T1190: Exploit Public-Facing Application
[*]T1199: Trusted Relationship
TA0002: Execution
[*]T1059: Command and Scripting Interpreter
[*]T1059.001: Command and Scripting Interpreter: PowerShell
[*]T1059.003: Command and Scripting Interpreter: Windows Command Shell
[*]T1059.004: Command and Scripting Interpreter: Unix Shell
TA0003: Persistence
[*]T1078: Valid Accounts
[*]T1078.002: Domain Accounts
[*]T1078.003: Local Accounts
[*]T1078.004: Cloud Accounts
[*]T1021: Remote Services
[*]T1021.001: Remote Services: Remote Desktop Protocol
[*]T1114: Email Collection
[*]T1114.003: Email Collection: Email Forwarding Rules
TA0004: Privilege Escalation
[*]T1068: Exploitation for Privilege Escalation
[*]T1078: Valid Accounts
[*]T1078.002: Domain Accounts
TA0005: Defense Evasion
[*]T1562: Impair Defenses
[*]T1562.001: Impair Defenses: Disable or Modify Tools
[*]T1027: Obfuscated Files or Information
[*]T1027.002: Obfuscated Files or Information: Software Packing
[*]T1553: Subvert Trust Controls
[*]T1553.002: Subvert Trust Controls: Code Signing
[*]T1078: Valid Accounts
[*]T1078.002: Domain Accounts
[*]T1078.003: Local Accounts
[*]T1078.004: Cloud Accounts
TA0006: Credential Access
[*]T1552: Unsecured Credentials
[*]T1552.001: Unsecured Credentials: Credentials In Files
[*]T1552.004: Unsecured Credentials: Private Keys
[*]T1003: OS Credential Dumping
[*]T1003.001: OS Credential Dumping: LSASS Memory
[*]T1111: Multi-Factor Authentication Interception
TA0007: Discovery
[*]T1082: System Information Discovery
TA0008: Lateral Movement
[*]T1021: Remote Services
[*]T1021.001: Remote Services: Remote Desktop Protocol
[*]T1078: Valid Accounts
[*]T1078.002: Domain Accounts
TA0009: Collection
[*]T1114: Email Collection
[*]T1114.003: Email Collection: Email Forwarding Rules
TA0010: Exfiltration
[*]T1537: Transfer Data to Cloud Account
[*]T1114.003: Email Collection: Email Forwarding Rules