Knocking Out Post-Exploitation Kits

  • Published 20 Oct 2024
  • Matt Bromiley (LimaCharlie, US)
    Lead Solutions Engineer/Developer Relations at LimaCharlie. I have presented at multiple conferences, teach at BlackHat, and am a SANS instructor.
    ---
    Post-exploitation kits have become the tools of choice for adversaries. We all know the names - Cobalt Strike, Nighthawk, Brute Ratel, Sliver, etc. Used by red teamers, ransomware attackers, and state-nexus actors alike, post-exploitation kits allow these actors to exploit, move laterally, and compromise accounts and systems, all via relatively stealthy techniques. However, these kits are not as stealthy as many think. They have telltale signs that, if caught, can stop an adversary in their tracks. In this workshop, we're going to uncover ways to detect these popular kits, using deep technical analysis of both host- and network-based artifacts. Using what we know about their behavior, we'll analyze how to:
    • Detect process manipulation
    • Uncover privilege escalation and account abuse
    • Find lateral movement between systems via host artifacts and network traffic
    Despite their popularity, the tactics and techniques used by these kits are not exclusive to them. By analyzing the commonalities between them, we'll learn how high-fidelity detections can find all sorts of adversary activity. Attendees in this workshop will gain the experience they need to effectively detect the use of post-exploitation kits within their environment. Furthermore, our analysis takeaways will also include preventative countermeasures, allowing teams to take this knowledge back to their environments immediately.
