Operation I am Tom: How APT actors move laterally in corporate networks, presented at CODEBLUE 2020

by Aragorn Li

Summary: TeamT5 has helped many cyber-attack victims defend against APT actors for years. We see numerous cases in which the actors still maintained their access to the victim network after some malware cleaning by inexperienced network managers or immature security teams. The main reason is a lack of knowledge of the techniques threat actors use in lateral movement operations. For example, Microsoft Windows Active Directory plays a key role and dominates most corporate network environments for centralized management and authentication. However, there are many scenarios in which improper security settings cause Active Directory attacks to become a convenient way for threat actors to move around.

In this talk, we are going to present lateral movement methods used to penetrate corporate network environments and techniques used to bypass security monitoring systems. All cases are based on our real experiences fighting APT actors in recent years. We categorize them into 4 categories and list the items below:

1. AD farm penetration techniques: mimilib, MemSSP, skeleton key, ACL abuse
2. Web-shell techniques: IIS module abuse, web source code injection, deserialization, rootkit
3. Second-tier backdoor techniques: DLL hijack, IAT insert, port reuse
4. Miscellaneous techniques: how actors move laterally in your network without malware or hacking tools

The target audience of this talk includes security researchers, antivirus vendors, SOC analysts and incident response teams. The techniques disclosed in this talk will help blue team members detect and understand threat actors' footprints inside a corporate network and effectively block their activities.