
Advanced Threat Research Methodologies: Unraveling a Triple-APT Intrusion.pdf

Uploaded by: 可*** Document ID: 991922 2025-12-07 43 pages 10.70MB

Advanced Threat Research Methodologies: Unraveling a Triple-APT Intrusion

About Us
Lior Rochberger, Principal Threat Researcher. Lior is a principal threat researcher at Palo Alto Networks, focusing on threat hunting, malware analysis and tracking nation-state APTs.
Tom Fakterman, Senior Threat Researcher. Tom is a senior threat researcher at Palo Alto Networks. Day to day, Tom focuses on threat hunting, malware research, and threat intelligence.

Agenda
1 Background
2 The Challenges
3 Clustering Methodology
4 Threat Actor Activity + Attribution Methodology
5 Intelligence-Driven Hunting
6 Key Takeaways

Background

The Challenges
Where to begin? How to go over all the data? Where does one kill chain end and another begin? A single threat actor or multiple threat actors in the network?
Data challenge. Multiple kill chains. Single vs. multiple threat actor.

Clustering Methodology
Clustering by tools & techniques, kill chain, and infrastructure. The activity separates into Cluster A, Cluster B and Cluster C, and each cluster raises its own attribution question: Cluster A suspect? Cluster B suspect? Cluster C suspect?

Cluster A
ESET's Remote Administrator (signed & verified); unknown malware. Abusing existing antivirus software: Trend Micro (signed & verified).

Identifying the Mysterious Backdoor
ToneShell backdoor: three DLL components working in tandem; a known Mustang Panda (AKA Stately Taurus) backdoor. Main capabilities: executing commands, file system interaction, downloading & uploading files, keylogging, screen capturing.

ShadowPad backdoor: popular among Chinese threat actors since at least 2015; considered to be the successor of PlugX; DLL side-loading into a legitimate component of Bitdefender.

Highly Targeted and Intelligence-Driven Operation
Successful login attempts. Assignments of sensitive privileges to new login sessions. Redacted user name of target individual. Find hostnames of interest. Compromise machines. Gather names of individuals who
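The hunting steps listed above (successful logins, then sensitive privileges assigned to the new session, narrowed to hosts of interest) as a small correlation routine. This is an added example, not code from the presentation; it assumes Windows Security event IDs 4624 and 4672 as the data source (the deck does not name them) and runs over constructed sample events.

```python
# Constructed sample events (not real telemetry) in the shape a SIEM exposes from the
# Windows Security log. 4624 = successful logon, 4672 = special privileges assigned to
# a new logon; the deck describes these steps without naming the event IDs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:01:10", "host": "FS-01", "event_id": 4624, "user": "jdoe", "logon_id": "0x3e7a1", "logon_type": 3},
    {"ts": "2024-05-01T08:01:11", "host": "FS-01", "event_id": 4672, "user": "jdoe", "logon_id": "0x3e7a1"},
    {"ts": "2024-05-01T08:05:00", "host": "WS-17", "event_id": 4624, "user": "analyst", "logon_id": "0x51bb2", "logon_type": 2},
    {"ts": "2024-05-01T09:12:30", "host": "DC-02", "event_id": 4624, "user": "svc_backup", "logon_id": "0x77c03", "logon_type": 3},
    {"ts": "2024-05-01T09:12:31", "host": "DC-02", "event_id": 4672, "user": "svc_backup", "logon_id": "0x77c03"},
    # a 4672 with no preceding 4624 in the data set: a visible gap, not a hit
    {"ts": "2024-05-01T09:40:00", "host": "DC-02", "event_id": 4672, "user": "orphan", "logon_id": "0x99999"},
]

def privileged_sessions(events):
    """Return (privileged, orphans).

    A session is keyed by (host, logon_id). It counts as privileged when a 4624
    is followed by a 4672 on the same session; a 4672 whose logon is missing
    from the data is returned as an orphan so the analyst sees the gap.
    """
    logons, privileged, orphans = {}, [], []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        key = (ev["host"], ev["logon_id"])
        if ev["event_id"] == 4624:
            logons[key] = ev
        elif ev["event_id"] == 4672:
            if key in logons:
                base = logons[key]
                privileged.append({"host": ev["host"], "user": base["user"],
                                   "logon_type": base["logon_type"], "ts": base["ts"]})
            else:
                orphans.append(key)
    return privileged, orphans

def hunt(events, hosts_of_interest):
    """Narrow privileged sessions to a watchlist of hostnames (the 'hosts of interest'
    an intelligence-led hunt starts from, e.g. domain controllers or file servers)."""
    privileged, orphans = privileged_sessions(events)
    return [p for p in privileged if p["host"] in hosts_of_interest], orphans

if __name__ == "__main__":
    hits, orphans = hunt(SAMPLE_EVENTS, {"DC-02"})
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} (logon type {h['logon_type']}) received sensitive privileges")
    for host, lid in orphans:
        print(f"4672 without matching 4624: host={host} logon_id={lid}")
```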

This document covers research by Palo Alto Networks threat researchers Lior Rochberger and Tom Fakterman on an advanced persistent threat (APT) intrusion. Using a clustering methodology and a threat-actor-activity attribution methodology, they tracked three distinct APT activity clusters. The key points are: 1. Challenges: determining where the intrusion begins, handling large volumes of data, and distinguishing a single threat actor from multiple actors. 2. Clustering methodology: classifying the threat activity by tools and techniques, kill chain, and infrastructure. 3. Threat actor activity: multiple pieces of malware were identified, such as the Mustang Panda, ShadowPad and ToneShell backdoors. 4. Intelligence-driven hunting: focusing on organizations in specific sectors and regions, and building hunting queries from the threat actors' TTPs (tactics, techniques and procedures). 5. Key conclusions: similar malicious activity and overlapping time frames do not necessarily mean the same threat actor; advanced threats can remain undetected for years; intelligence-driven hunting is essential for detecting and stopping APTs in time. The core data in the presentation includes the IP addresses of the three clusters and the government bodies they targeted, as well as the malware used and its technical details.