SuperCyberx Mitigation

Updated: Jul 9


Once an attacker has gained access to a machine, they can use fileless tactics and genuine system administration tools to avoid discovery. To counter this, we apply a variety of post-exploitation mitigations, such as:

1-Impose least privilege and access controls:

  • Keeping our credentials in the cache is no different from emailing our passwords to an attacker. The solution is simple: don’t save passwords for network authentication. Credential caching should be disabled.

  • Even if valid credentials are obtained, avoiding credential overlap across systems denies attackers any lateral movement opportunity.

  • Staying logged in on remote systems is risky, since it allows attackers to take over your admin access and privileges.

  • Even if attackers have successfully obtained passwords, using two-factor authentication (2FA) can help keep them out. Keep in mind that strong passwords can prevent a hack in the first place.

  • Open shares can be used as a pivot point or a way to extend an attack to other network users. We can get rid of them by disabling anonymous logins for read and write access to Network File Shares (NFS) and File Transfer Protocol (FTP).

  • Enabling Admin Approval Mode for the built-in Administrator enforces UAC, and removing users from the Local Administrators Group prevents privilege escalation and lateral movement attempts.

  • To prevent brute force attempts, apply account policies or progressive delays for logins.

  • Users should only have the bare minimum of access and privileges to reduce the amount of damage they may cause if they are compromised.

  • Use the highest level of UAC enforcement, which includes setting UAC to “always notify”. This will prompt you whenever an application tries to change Windows settings or the computer. This can be bothersome, but is highly effective.

2-PowerShell-related techniques:

Why do attackers use PowerShell? Malicious actors use PowerShell to run local scripts and to run remote resources after retrieving them over multiple network protocols. They can also encode payloads on the command line and load PowerShell into other processes. We can disable PowerShell for normal users and make it available only to admin users.

Techniques:

  • Attackers can bypass execution policies by running unsigned PowerShell scripts or by falling back to old PowerShell versions. To prevent this, block unsigned PowerShell scripts and update to the latest version of PowerShell.

  • Consider using PowerShell Constrained Language Mode, which restricts PowerShell to its most basic capabilities, rendering many fileless attack techniques worthless.

  • Extensive PowerShell logging should be enabled and monitored, even though this can result in more false positives.

3-How to use WMI to prevent Exploitation:

What is a WMI script?

You can write WMI scripts or applications to automate administrative tasks on remote computers, but WMI also supplies management data to other parts of the operating system and products.

Techniques:

  • WMI’s extensive administrative capabilities make it a popular target for abuse, but they also make it a useful tool for detecting and responding to unwanted activity. Create permanent, defensive WMI event subscriptions.

  • Set a fixed port for WMI and block it if we no longer need it.

4-Set application controls:

There is always a method to bypass AppLocker, no matter what security measures are in place. Limit the execution of executables, DLLs, and scripts with AppLocker, and take additional steps to harden AppLocker.

Suggestions for the defensive team to detect end-point attacks:

  • Enable more rules to detect malicious activities.

  • Privilege escalation via scheduled tasks: create a rule based on scheduled tasks that contain PowerShell scripts.

  • Monitoring for suspicious processes and specific API calls in the PowerShell operational log can provide a strong indication of whether an attack has taken place.

  • Create a rule based on processes created with the CREATE_SUSPENDED flag, a good indicator of process hollowing.

  • One of the most popular ways for attackers to obtain access is by hiding scripts in the registry. Using Windows Management Instrumentation (WMI) event subscriptions and/or similar tools can help detect changes in the registry; create a rule based on them.
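As an added example (not code from the original post), here is one way to build the permanent, defensive WMI event subscription suggested in the WMI section and to use it for the registry monitoring suggested above: it logs every change to the HKLM Run autostart key to a file. The filter/consumer names and the log path are assumptions, and it is written for Windows PowerShell 5.1 (Set-WmiInstance), run from an elevated session.

```powershell
# Added example, not from the original post. Names and log path are assumptions.
$FilterName   = 'RunKeyWatchFilter'
$ConsumerName = 'RunKeyWatchConsumer'
$LogPath      = 'C:\ProgramData\RunKeyWatch.log'

# 1. Event filter: a WQL query that fires on any change to the Run key.
#    Backslashes are doubled because WQL treats '\' as an escape character.
$Query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
         "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"

$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
    Name           = $FilterName
    EventNamespace = 'root\default'   # the registry event classes live in this namespace
    QueryLanguage  = 'WQL'
    Query          = $Query
}

# 2. Consumer: append one line per event to the log file. %Name% tokens are
#    replaced with properties of the event instance that triggered it.
$Consumer = Set-WmiInstance -Namespace root\subscription -Class LogFileEventConsumer -Arguments @{
    Name     = $ConsumerName
    Filename = $LogPath
    Text     = 'Run key changed (TIME_CREATED=%TIME_CREATED%) hive=%Hive% key=%KeyPath%'
}

# 3. Binding: tie the filter to the consumer. All three objects are stored in the
#    WMI repository, so the subscription is permanent and survives reboots.
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
} | Out-Null

# 4. Audit: list every binding on the host. Attackers use these same classes for
#    persistence, so any binding you did not create yourself deserves a closer look.
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# To remove the subscription later (filter, consumer and binding), run:
# Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
#     Where-Object { $_.Filter -match $FilterName } | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class __EventFilter |
#     Where-Object { $_.Name -eq $FilterName } | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class LogFileEventConsumer |
#     Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
```

The log file can then be forwarded to the SIEM and a rule written on it, as the list above suggests.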

Conclusion:

End-point attack prevention is a challenging but manageable task if proper guidelines are followed and skilled analysts are employed. Even though we have more defensive technologies to detect and prevent threats, our analysts remain our first line of defense. To ensure the well-being of your company’s data infrastructure, follow the steps outlined above.
