
Assumptions: ACLs exist on most Enterprise equipment to limit where they can be administered from.

- However, the laptops targeted in this scenario are routinely plugged into IP subnets that those ACLs permit, so routers and switches can be administered from them; the target laptop sits inside that ACL.
- An email policy exists, but it is rarely, if ever, enforced. It is not uncommon for people to have auto-forwarding from home to work enabled, and if the email filtering devices don't fire, an attacker can sneak malicious mail in (and out).
- Most of the administrators live on non-NAT'd address space.
- Network Access Protection (NAP) is not used.
- Standard HIPS rules are in place.

Attack Methodologies: see Figure 1.

Figure 1: Attack methodologies (Kzsancyian, 2011)

Initial Infiltration (Social Engineering): Using Follow Company on LinkedIn, the attacker ascertains that SPAWAR Barling Bay houses a primary node for administration (Figure 2). As Figure 2 shows, the attacker sees new activity the company has just posted. Being skilled at social engineering, the attacker judges it highly probable that a new hire has not yet been made aware of the corporate security policies, and so banks on social engineering to trick him into installing a backdoor application, thereby defeating the security technology put in place at SPAWAR.

Figure 2: LinkedIn company activity

The attacker runs some quick searches using a "LinkedIn hack" (a search-engine query restricted to linkedin.com) to identify the security engineers working at SPAWAR Barling Bay; the CEO of that location is identified the same way. Less than five minutes later the attacker has several IT staff names to choose from (Figure 3). The following query narrows the results to LinkedIn profiles of Barling Bay SPAWAR employees in security roles (it keys on the word "security" in the profile; the `-intitle:` terms drop LinkedIn pages that are not profiles):

site:www.linkedin.com intitle:linkedin (Barling Bay AND security AND SPAWAR) intitle:profile -intitle:updated -intitle:blog -intitle:directory -intitle:jobs -intitle:groups -intitle:events -intitle:answers

Figure 3: LinkedIn search results (screenshots: SPAWAR President, Barling Bay; SPAWAR target)

The target (Robert Ashworth) receives a spoofed welcome email, sent through LinkedIn's messaging system, from the attacker masquerading as the SPAWAR CEO (Bob Bush). Being a new employee eager to please his new boss, Robert immediately opens the email and runs the "application" it carries. The payload is now delivered to the BIOS of the target laptop.

Foothold: The stealth payload carried by the email is delivered to the BIOS of the target laptop(s) and a persistent agent is installed; see Compromised Workstations (Figure 4). Once installed, the deployed agent registers itself as an ordinary Windows service under the name "Remote Procedure Call (RPC) Net". Windows uses this name, with slight variations, for legitimate services: "Remote Procedure Call (RPC)" provides the endpoint mapper and other RPC services, and "Remote Procedure Call (RPC) Locator" manages the RPC name service database. The registered service is therefore easily confused with the legitimate ones; the giveaway is its lack of a description. The service is implemented in the file rpcnet.exe or rpcnetp.exe.

Figure 4: Compromised workstations
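The naming trick above is easy to hunt for once you know what the genuine RPC services look like. The following is an added example (not code from the report or from Mandiant) that checks a service inventory for display names that imitate the RPC family, for the missing description the report calls out, and for the rpcnet.exe/rpcnetp.exe binary. The inventory is constructed inline to resemble the Name, DisplayName, Description and PathName fields of `Get-CimInstance Win32_Service`; the expected binaries for RpcSs and RpcLocator are assumptions about a default Windows install.

```python
"""Hunt for services masquerading as Windows RPC services.

Added example, not code from the original report. The service inventory
below is constructed to resemble the fields of
`Get-CimInstance Win32_Service` (Name, DisplayName, Description, PathName)
and is the only input: nothing is queried from a live host.
"""
import re

# Legitimate Windows RPC services: display name -> (service name, regex for its
# expected binary). Assumption: a default Windows install, where RpcSs runs in
# svchost.exe under the rpcss group and RpcLocator runs in locator.exe.
KNOWN_RPC_SERVICES = {
    "Remote Procedure Call (RPC)": ("RpcSs", r"svchost\.exe.*-k\s+rpcss"),
    "Remote Procedure Call (RPC) Locator": ("RpcLocator", r"\\locator\.exe"),
}
RPC_PREFIX = "Remote Procedure Call (RPC)"


def check_service(svc):
    """Return the reasons a service looks like an RPC look-alike (empty list = clean)."""
    reasons = []
    display = svc.get("DisplayName", "")
    path = svc.get("PathName", "")
    if not display.startswith(RPC_PREFIX):
        return reasons  # not imitating the RPC family; out of scope for this hunt

    known = KNOWN_RPC_SERVICES.get(display)
    if known is None:
        reasons.append("display name is a near-miss of a legitimate RPC service")
    else:
        name, binary_re = known
        if svc.get("Name") != name:
            reasons.append(f"display name belongs to {name}, not {svc.get('Name')}")
        if not re.search(binary_re, path, re.IGNORECASE):
            reasons.append("binary path does not match the legitimate service binary")
    if not (svc.get("Description") or "").strip():
        reasons.append("no description (legitimate Windows services carry one)")
    if re.search(r"\\rpcnetp?\.exe", path, re.IGNORECASE):
        reasons.append("binary is rpcnet.exe/rpcnetp.exe, the agent named in the report")
    return reasons


def hunt(services):
    """Map service name -> reasons for every service that raises at least one flag."""
    flagged = {}
    for svc in services:
        reasons = check_service(svc)
        if reasons:
            flagged[svc["Name"]] = reasons
    return flagged


# Constructed inventory: two genuine RPC services, one unrelated service and the
# look-alike described in the report. Descriptions are abbreviated stand-ins.
SAMPLE_SERVICES = [
    {"Name": "RpcSs", "DisplayName": "Remote Procedure Call (RPC)",
     "Description": "Service Control Manager for COM and DCOM servers; endpoint mapper.",
     "PathName": r"C:\Windows\system32\svchost.exe -k rpcss"},
    {"Name": "RpcLocator", "DisplayName": "Remote Procedure Call (RPC) Locator",
     "Description": "Manages the RPC name service database.",
     "PathName": r"C:\Windows\system32\locator.exe"},
    {"Name": "Spooler", "DisplayName": "Print Spooler",
     "Description": "Loads files to memory for later printing.",
     "PathName": r"C:\Windows\System32\spoolsv.exe"},
    {"Name": "rpcnet", "DisplayName": "Remote Procedure Call (RPC) Net",
     "Description": "",
     "PathName": r"C:\Windows\system32\rpcnet.exe"},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_SERVICES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live host the same logic runs over the real inventory (for example the output of `Get-CimInstance Win32_Service` exported to JSON); the point is that the display-name prefix alone is not enough, so the check also pins each genuine name to its service name and binary, which catches a look-alike that copies the display name exactly but runs from a different path.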

Exfiltration: To exfiltrate is to surreptitiously move personnel or materials out of an area under enemy control. In computing terms, exfiltration is the unauthorized removal of data from a network (Kzsancyian, 2011).

Figure 5: Exfiltration methodology

Persistence: The victim conducted thorough remediation:
- System rebuilds
- Changed all local and domain passwords
- Implemented enhanced network controls and segmentation
- Implemented enhanced host-based controls

The attacker re-infiltrates by regaining access to the environment several months later. Compromised servers are now accessed for data, and sleeper malware that lay dormant through the remediation to avoid detection is activated (Figure 6).

Data collection strategy: examine and filter in place:
- Probe for data of interest
- Obtain recursive directory listings
- Return later to retrieve small sets of specific files

Figure 6 (Kzsancyian, 2011)

Staging Area: Staging locations aggregate data before it is sent out (Kzsancyian, 2011):
- Easier to track tools and stolen data
- File size is minimized
- Fewer connections to external drops, which minimizes detection
- Using servers ensures persistent use

Staging points (Kzsancyian, 2011):
- %systemdrive%\RECYCLER: the Recycle Bin maps to subdirectories for each user SID; hidden directory; the root directory shouldn't contain any files
- %systemdrive%\System Volume Information: subdirectories contain Restore Point folders; hidden directory; access restricted to SYSTEM by default; the root directory typically contains only tracking.log
- %systemroot%\Tasks: special folder whose contents Windows hides in Explorer; the root directory contains only scheduled .job files, SA.dat and desktop.ini

Optional locations:
- %systemroot%\system32
- %systemroot%\debug
- User temp folders (trivial to hide from most users)

Staging points vary with the OS and the attacker's privileges.

File extensions: the attacker avoided a custom HIPS rule that blocked RAR file creation by changing the data file's extension.
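The two facts above, that the root of each staging point has a short known-good file list and that a renamed RAR is still a RAR, are enough for a responder to sweep these locations. The following is an added example (not code from the report or from Mandiant) that builds a throwaway directory tree mimicking the Windows XP/2003-era layout described above, then reports root-level files outside the known-good list and any file, at any depth, that carries a RAR signature regardless of its extension. The tree, its files and the SID directory name are constructed for the example; on a real host you would point `scan_staging()` at the system drive.

```python
"""Sweep the staging points named in the report for anomalous files and for
RAR archives hidden under another extension.

Added example, not code from the original report. It builds a temporary
directory tree that mimics the Windows XP/2003-era layout the report
describes (RECYCLER, System Volume Information, WINDOWS\\Tasks) and scans
that; on a real host, pass the system drive to scan_staging() instead.
"""
import os
import tempfile

# RAR signatures (RAR 4.x and RAR 5) found at offset 0 of the archive.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Files the report lists as normal in the root of each staging point
# (lower-cased). Assumption: the XP/2003 layout; newer Windows uses $Recycle.Bin.
STAGING_POINTS = {
    "RECYCLER": set(),
    "System Volume Information": {"tracking.log"},
    os.path.join("WINDOWS", "Tasks"): {"sa.dat", "desktop.ini"},
}


def is_rar(path):
    """True if the file starts with a RAR signature, whatever its extension."""
    with open(path, "rb") as f:
        head = f.read(8)
    return any(head.startswith(m) for m in RAR_MAGICS)


def scan_staging(system_drive):
    """Return sorted (relative path, reason) findings across the staging points."""
    findings = []
    for rel, allowed in STAGING_POINTS.items():
        root = os.path.join(system_drive, rel)
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                relpath = os.path.relpath(full, system_drive)
                lower = name.lower()
                if is_rar(full):
                    ext = os.path.splitext(lower)[1] or "(none)"
                    findings.append((relpath, f"RAR archive by magic bytes, extension {ext}"))
                elif dirpath == root:
                    # Only the root of each staging point has a known-good file list.
                    in_tasks = rel.endswith("Tasks")
                    if lower in allowed or (in_tasks and lower.endswith(".job")):
                        continue
                    findings.append((relpath, "unexpected file in staging-point root"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: legitimate files plus attacker artifacts."""
    def put(rel, data=b""):
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    put(os.path.join("System Volume Information", "tracking.log"), b"log")
    put(os.path.join("System Volume Information", "_restore{1}", "RP1", "rp.log"), b"log")
    put(os.path.join("WINDOWS", "Tasks", "SA.dat"), b"\x00")
    put(os.path.join("WINDOWS", "Tasks", "desktop.ini"), b"[.ShellClassInfo]")
    put(os.path.join("WINDOWS", "Tasks", "Backup.job"), b"job")
    # Attacker artifacts: a RAR renamed to .dat in the RECYCLER root, a RAR
    # hidden under a (constructed) user SID directory as .tmp, and a plain
    # text file dropped in the Tasks root.
    put(os.path.join("RECYCLER", "dd.dat"), RAR_MAGICS[0] + b"\x00" * 16)
    put(os.path.join("RECYCLER", "S-1-5-21-1-2-3-1000", "~t1.tmp"), RAR_MAGICS[1] + b"\x00" * 16)
    put(os.path.join("WINDOWS", "Tasks", "svc.log"), b"plain text")
    return base


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    return scan_staging(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for relpath, reason in demo():
        print(f"{relpath}: {reason}")
```

The magic-byte check is what defeats the extension trick the report describes: a HIPS rule keyed on `.rar` never fires, but the first seven bytes of the file still identify it. Tune `STAGING_POINTS` to the OS you are sweeping; the known-good lists above are the report's, for XP/2003.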

Exfiltration Techniques (Kzsancyian, 2011):
- Exfiltration via outbound encrypted (HTTPS) traffic: Keep It Simple, Silly (KISS)
- Out-of-band: distinct from the C2 channels and endpoints (Figure 7)
  - Maintain separate external drop points
  - C2 resilience if the data exfil channel is detected
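Because the drop point is deliberately separate from C2, the exfil channel does not look like beaconing: it is a small number of sessions to a host few clients talk to, with far more bytes leaving than returning. The following is an added example (not code from the report or from Mandiant) that applies that volume heuristic to a proxy log. The log lines, their field layout (timestamp, client, CONNECT host:443, bytes in, bytes out) and the thresholds are all constructed or assumed for the example, and the C2 beacon to `c2-b.example.org` is included to show that it is not what this check catches.

```python
"""Flag outbound HTTPS sessions that look like bulk uploads to an out-of-band
drop point rather than browsing or C2 beaconing.

Added example, not code from the original report. The proxy log below is
constructed; its field layout (timestamp, client, CONNECT host:port,
bytes in, bytes out) is an assumed format, and the thresholds are
assumptions to tune per environment.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+CONNECT\s+"
    r"(?P<dst>[^:\s]+):443\s+in=(?P<bytes_in>\d+)\s+out=(?P<bytes_out>\d+)$"
)

# Assumed thresholds: at least 5 MB sent to one host, and ten times more sent
# than received, marks the client/host pair as a candidate exfil channel.
MIN_UPLOAD_BYTES = 5 * 1024 * 1024
MIN_UPLOAD_RATIO = 10.0


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes_in"] = int(rec["bytes_in"])
            rec["bytes_out"] = int(rec["bytes_out"])
            yield rec


def find_exfil_candidates(lines, min_bytes=MIN_UPLOAD_BYTES, min_ratio=MIN_UPLOAD_RATIO):
    """Return {(src, dst): {"out", "in", "sessions", "ratio", "clients"}} for
    client/host pairs whose upload volume and upload:download ratio exceed
    the thresholds. "clients" is how many distinct clients reached that host,
    so a drop point used by a single machine stands out further."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "sessions": 0})
    clients_per_dst = defaultdict(set)
    for rec in parse_log(lines):
        key = (rec["src"], rec["dst"])
        totals[key]["out"] += rec["bytes_out"]
        totals[key]["in"] += rec["bytes_in"]
        totals[key]["sessions"] += 1
        clients_per_dst[rec["dst"]].add(rec["src"])

    hits = {}
    for (src, dst), t in totals.items():
        ratio = t["out"] / max(t["in"], 1)
        if t["out"] >= min_bytes and ratio >= min_ratio:
            hits[(src, dst)] = dict(t, ratio=round(ratio, 1), clients=len(clients_per_dst[dst]))
    return hits


# Constructed proxy log: patching (download-heavy), webmail (balanced), a
# small C2 beacon, two bulk uploads to a separate drop host, and one
# malformed line the parser must skip.
SAMPLE_LOG = """\
2011-02-01T02:14:07Z 10.10.5.23 CONNECT www.windowsupdate.com:443 in=5242880 out=2100
2011-02-01T02:15:11Z 10.10.5.23 CONNECT drop-a.example.net:443 in=1820 out=48372910
2011-02-01T02:19:40Z 10.10.5.23 CONNECT drop-a.example.net:443 in=1536 out=31457280
2011-02-01T02:20:02Z 10.10.5.41 CONNECT www.windowsupdate.com:443 in=7340032 out=1900
2011-02-01T02:22:15Z 10.10.5.41 CONNECT mail.example.com:443 in=410000 out=620000
2011-02-01T02:23:00Z 10.10.5.23 CONNECT c2-b.example.org:443 in=900 out=1200
garbage line that does not parse
"""

if __name__ == "__main__":
    for (src, dst), stats in find_exfil_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: {stats['out']} bytes out over {stats['sessions']} "
              f"sessions, ratio {stats['ratio']}, clients seen {stats['clients']}")
```

The beacon to `c2-b.example.org` stays below both thresholds, which is exactly the report's point about keeping the two channels apart: a detection that only watches the C2 host misses the drop, and a detection keyed on upload volume misses the C2. Run both.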

Figure 7: Outbound HTTPS

Figure 8: All malware traffic is encrypted (Kzsancyian, 2011)

Bibliography
Kzsancyian, R. (2011). Methods and Defenses for Data Exfiltration. Black Hat DC 2011 (p. 57). DC: Mandiant.
