WEBVTT

1
00:00:00.000 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:03.900
we will learn about Post-exploitation

3
00:00:03.900 --> 00:00:06.030
and Evasion Methods.

4
00:00:06.030 --> 00:00:07.290
Post-exploitation

5
00:00:07.290 --> 00:00:10.470
and evasion methods in threat modeling

6
00:00:10.470 --> 00:00:13.500
refer to the techniques attackers use

7
00:00:13.500 --> 00:00:15.780
after gaining initial access

8
00:00:15.780 --> 00:00:17.490
to maintain control,

9
00:00:17.490 --> 00:00:20.220
expand their reach within the system,

10
00:00:20.220 --> 00:00:22.050
and avoid detection.

11
00:00:22.050 --> 00:00:24.750
Post-exploitation and evasion methods

12
00:00:24.750 --> 00:00:27.810
include threat actor tactics, techniques,

13
00:00:27.810 --> 00:00:31.170
and procedures such as lateral movement,

14
00:00:31.170 --> 00:00:33.180
unauthorized execution,

15
00:00:33.180 --> 00:00:35.520
and defensive evasion.

16
00:00:35.520 --> 00:00:37.830
Lateral movement involves the attacker

17
00:00:37.830 --> 00:00:39.990
navigating through the network,

18
00:00:39.990 --> 00:00:43.140
often by compromising additional systems

19
00:00:43.140 --> 00:00:47.340
to gain access to more valuable assets or data.

20
00:00:47.340 --> 00:00:50.880
Next, unauthorized execution refers

21
00:00:50.880 --> 00:00:53.280
to an attacker running malicious code

22
00:00:53.280 --> 00:00:56.580
or commands on compromised systems,

23
00:00:56.580 --> 00:00:59.790
usually to conduct data exfiltration

24
00:00:59.790 --> 00:01:01.860
or system disruption.

25
00:01:01.860 --> 00:01:06.450
Finally, defensive evasion encompasses attacker tactics

26
00:01:06.450 --> 00:01:07.770
to avoid detection

27
00:01:07.770 --> 00:01:10.590
by security tools and analysts.

28
00:01:10.590 --> 00:01:13.350
Let's learn more about lateral movement,

29
00:01:13.350 --> 00:01:15.300
unauthorized execution,

30
00:01:15.300 --> 00:01:17.310
and defensive evasion.

31
00:01:17.310 --> 00:01:20.160
First, we have lateral movement.

32
00:01:20.160 --> 00:01:23.190
Lateral movement is a technique where attackers,

33
00:01:23.190 --> 00:01:26.280
after gaining initial access to a system,

34
00:01:26.280 --> 00:01:29.100
navigate within the same network segment

35
00:01:29.100 --> 00:01:32.010
to access additional resources.

36
00:01:32.010 --> 00:01:34.920
The goal of lateral movement is to explore

37
00:01:34.920 --> 00:01:37.260
and compromise other systems

38
00:01:37.260 --> 00:01:40.020
within the attacker's immediate reach,

39
00:01:40.020 --> 00:01:43.440
often to find high value assets like databases

40
00:01:43.440 --> 00:01:47.130
or servers with administrative privileges.

41
00:01:47.130 --> 00:01:50.850
This technique helps attackers expand their control

42
00:01:50.850 --> 00:01:53.490
without triggering security alarms,

43
00:01:53.490 --> 00:01:56.280
allowing them to persist undetected

44
00:01:56.280 --> 00:01:58.650
within the compromised environment.

45
00:01:58.650 --> 00:02:01.380
A related technique is pivoting.

46
00:02:01.380 --> 00:02:04.200
Pivoting allows attackers to access different,

47
00:02:04.200 --> 00:02:06.810
often more secure network segments

48
00:02:06.810 --> 00:02:09.810
beyond the one initially breached.

49
00:02:09.810 --> 00:02:11.910
Pivoting enables attackers to use

50
00:02:11.910 --> 00:02:15.120
the compromised system as a launchpad

51
00:02:15.120 --> 00:02:17.520
to reach other security zones

52
00:02:17.520 --> 00:02:18.870
or network segments

53
00:02:18.870 --> 00:02:21.780
that were previously inaccessible.

54
00:02:21.780 --> 00:02:23.190
By setting up tunnels

55
00:02:23.190 --> 00:02:26.010
or routes from the compromised systems,

56
00:02:26.010 --> 00:02:27.930
attackers effectively bridge

57
00:02:27.930 --> 00:02:30.210
to other parts of the network

58
00:02:30.210 --> 00:02:34.260
that may have additional protections or segmentation.

59
00:02:34.260 --> 00:02:35.790
The primary distinction

60
00:02:35.790 --> 00:02:38.310
between lateral movement and pivoting

61
00:02:38.310 --> 00:02:41.340
is the scope and direction of movement.

62
00:02:41.340 --> 00:02:42.930
Lateral movement remains

63
00:02:42.930 --> 00:02:45.210
within the initial security zone,

64
00:02:45.210 --> 00:02:47.460
focusing on systems and resources

65
00:02:47.460 --> 00:02:49.860
in the same network segment.

66
00:02:49.860 --> 00:02:53.910
Pivoting, however, involves crossing security boundaries

67
00:02:53.910 --> 00:02:55.650
to gain access to separate

68
00:02:55.650 --> 00:02:58.830
and often more secure network segments,

69
00:02:58.830 --> 00:03:01.170
allowing attackers to move deeper

70
00:03:01.170 --> 00:03:04.200
into the organization's infrastructure.

71
00:03:04.200 --> 00:03:05.280
In this lesson,

72
00:03:05.280 --> 00:03:08.790
we will focus our discussion on lateral movement.

73
00:03:08.790 --> 00:03:10.710
An example of lateral movement

74
00:03:10.710 --> 00:03:13.093
occurred in the 2017

75
00:03:13.093 --> 00:03:15.750
WannaCry ransomware attack,

76
00:03:15.750 --> 00:03:18.750
where attackers used lateral movement techniques

77
00:03:18.750 --> 00:03:22.440
to spread ransomware within the corporate network.

78
00:03:22.440 --> 00:03:24.990
WannaCry exploited a vulnerability

79
00:03:24.990 --> 00:03:28.350
in the Windows Server Message Block protocol

80
00:03:28.350 --> 00:03:30.690
using the EternalBlue exploit

81
00:03:30.690 --> 00:03:33.990
to move from one Windows computer to another

82
00:03:33.990 --> 00:03:36.360
within the same network segment,

83
00:03:36.360 --> 00:03:39.240
allowing the ransomware to spread laterally

84
00:03:39.240 --> 00:03:42.600
without crossing into different network zones.

85
00:03:42.600 --> 00:03:44.700
Once it gained a foothold,

86
00:03:44.700 --> 00:03:46.200
WannaCry propagated

87
00:03:46.200 --> 00:03:48.720
by scanning for other vulnerable machines

88
00:03:48.720 --> 00:03:50.940
within the same network segment,

89
00:03:50.940 --> 00:03:54.570
targeting only devices it could reach directly.

90
00:03:54.570 --> 00:03:56.610
This lateral movement enabled

91
00:03:56.610 --> 00:03:59.790
WannaCry to lock down data on many systems

92
00:03:59.790 --> 00:04:02.370
within each segment very quickly,

93
00:04:02.370 --> 00:04:05.700
encrypting files and demanding a ransom.

94
00:04:05.700 --> 00:04:06.990
By moving laterally

95
00:04:06.990 --> 00:04:09.990
rather than pivoting into other network segments,

96
00:04:09.990 --> 00:04:12.750
WannaCry spread across large portions

97
00:04:12.750 --> 00:04:14.340
of networked computers

98
00:04:14.340 --> 00:04:16.680
and affected organizations.

99
00:04:16.680 --> 00:04:19.710
So preventing lateral movement requires

100
00:04:19.710 --> 00:04:22.980
robust segmentation of network assets

101
00:04:22.980 --> 00:04:25.590
and strict access controls.

102
00:04:25.590 --> 00:04:28.260
Network segmentation limits the reach

103
00:04:28.260 --> 00:04:29.940
of compromised accounts,

104
00:04:29.940 --> 00:04:33.330
while implementing least-privilege access ensures

105
00:04:33.330 --> 00:04:36.180
that users have only the minimal access

106
00:04:36.180 --> 00:04:38.190
required for their roles.

107
00:04:38.190 --> 00:04:40.050
Additionally, monitoring

108
00:04:40.050 --> 00:04:42.900
for unusual internal traffic patterns,

109
00:04:42.900 --> 00:04:46.710
particularly those related to account and device activity,

110
00:04:46.710 --> 00:04:48.600
can help detect unauthorized

111
00:04:48.600 --> 00:04:50.610
lateral movement attempts.

112
00:04:50.610 --> 00:04:53.190
And finally, disabling or restricting

113
00:04:53.190 --> 00:04:56.880
remote execution tools like PsExec

114
00:04:56.880 --> 00:05:00.090
and enforcing multifactor authentication

115
00:05:00.090 --> 00:05:02.610
can further reduce the risk.

116
00:05:02.610 --> 00:05:05.804
Second, we have unauthorized execution.

117
00:05:05.804 --> 00:05:09.030
Unauthorized execution refers to attackers

118
00:05:09.030 --> 00:05:12.270
running unauthorized commands or scripts

119
00:05:12.270 --> 00:05:14.340
on compromised systems.

120
00:05:14.340 --> 00:05:16.980
This often involves using malware,

121
00:05:16.980 --> 00:05:19.320
remote code execution exploits,

122
00:05:19.320 --> 00:05:20.550
or custom scripts

123
00:05:20.550 --> 00:05:22.440
to achieve their objectives,

124
00:05:22.440 --> 00:05:25.560
which may include data exfiltration

125
00:05:25.560 --> 00:05:27.510
or service disruption.

126
00:05:27.510 --> 00:05:30.390
Unauthorized execution gives attackers

127
00:05:30.390 --> 00:05:33.780
greater control over a compromised system

128
00:05:33.780 --> 00:05:35.790
and allows them to manipulate it

129
00:05:35.790 --> 00:05:37.860
to their advantage.

130
00:05:37.860 --> 00:05:40.980
An example of unauthorized execution

131
00:05:40.980 --> 00:05:43.980
is the Emotet malware campaign

132
00:05:43.980 --> 00:05:47.670
where attackers used unauthorized code execution

133
00:05:47.670 --> 00:05:51.420
to deploy malware across compromised systems.

134
00:05:51.420 --> 00:05:54.450
Emotet, initially a banking Trojan,

135
00:05:54.450 --> 00:05:57.660
evolved into a modular malware loader

136
00:05:57.660 --> 00:06:00.720
capable of delivering various payloads

137
00:06:00.720 --> 00:06:02.520
such as ransomware

138
00:06:02.520 --> 00:06:04.620
or data-stealing malware.

139
00:06:04.620 --> 00:06:07.500
Once Emotet infected a system,

140
00:06:07.500 --> 00:06:09.900
it executed unauthorized scripts

141
00:06:09.900 --> 00:06:11.730
to establish persistence,

142
00:06:11.730 --> 00:06:13.890
spread to additional systems,

143
00:06:13.890 --> 00:06:16.530
and install other malicious software

144
00:06:16.530 --> 00:06:19.080
based on the attacker's objectives.

145
00:06:19.080 --> 00:06:22.740
So, to prevent unauthorized execution,

146
00:06:22.740 --> 00:06:24.570
organizations should ensure

147
00:06:24.570 --> 00:06:26.400
that all systems are updated

148
00:06:26.400 --> 00:06:28.680
with the latest security patches

149
00:06:28.680 --> 00:06:31.050
to fix known vulnerabilities.

150
00:06:31.050 --> 00:06:34.290
Next, endpoint detection and response tools

151
00:06:34.290 --> 00:06:37.140
can help by detecting unusual scripts

152
00:06:37.140 --> 00:06:39.600
or command execution patterns,

153
00:06:39.600 --> 00:06:41.520
stopping potential attacks

154
00:06:41.520 --> 00:06:43.440
before they can spread.

155
00:06:43.440 --> 00:06:46.140
Finally, restricting user permissions,

156
00:06:46.140 --> 00:06:49.800
monitoring for unauthorized command executions,

157
00:06:49.800 --> 00:06:53.640
and using robust malware detection mechanisms

158
00:06:53.640 --> 00:06:57.510
further reduce the risk of unauthorized execution

159
00:06:57.510 --> 00:07:00.120
in enterprise environments.

160
00:07:00.120 --> 00:07:04.200
Third and last, we have defensive evasion.

161
00:07:04.200 --> 00:07:07.050
Defensive evasion includes a variety

162
00:07:07.050 --> 00:07:09.480
of techniques attackers use

163
00:07:09.480 --> 00:07:10.860
to avoid detection

164
00:07:10.860 --> 00:07:15.090
and maintain control over compromised systems.

165
00:07:15.090 --> 00:07:17.340
This often involves disabling

166
00:07:17.340 --> 00:07:19.950
or modifying security software,

167
00:07:19.950 --> 00:07:22.080
hiding malicious processes,

168
00:07:22.080 --> 00:07:23.340
clearing logs,

169
00:07:23.340 --> 00:07:25.920
or using encrypted communication

170
00:07:25.920 --> 00:07:28.410
to evade monitoring systems.

171
00:07:28.410 --> 00:07:30.900
Defensive evasion helps attackers

172
00:07:30.900 --> 00:07:33.990
remain undetected for longer,

173
00:07:33.990 --> 00:07:36.480
increasing their chances of achieving

174
00:07:36.480 --> 00:07:39.840
their objectives without interruption.

175
00:07:39.840 --> 00:07:42.450
An example of defensive evasion

176
00:07:42.450 --> 00:07:45.420
is the use of malware obfuscation

177
00:07:45.420 --> 00:07:47.700
and anti-detection techniques

178
00:07:47.700 --> 00:07:51.780
to hide malicious activity from security tools.

179
00:07:51.780 --> 00:07:53.370
Using these methods,

180
00:07:53.370 --> 00:07:56.130
attackers may obfuscate their code

181
00:07:56.130 --> 00:07:58.380
or use encryption to bypass

182
00:07:58.380 --> 00:08:01.770
traditional signature-based detection mechanisms,

183
00:08:01.770 --> 00:08:04.530
making it difficult for antivirus

184
00:08:04.530 --> 00:08:06.690
and endpoint detection tools

185
00:08:06.690 --> 00:08:09.480
to identify malicious scripts.

186
00:08:09.480 --> 00:08:11.820
Attackers might also disable

187
00:08:11.820 --> 00:08:14.670
or tamper with security controls

188
00:08:14.670 --> 00:08:17.430
such as disabling Windows Defender

189
00:08:17.430 --> 00:08:20.190
or other antivirus software.

190
00:08:20.190 --> 00:08:22.800
They would do this to prevent detection

191
00:08:22.800 --> 00:08:25.020
of their malicious activity.

192
00:08:25.020 --> 00:08:27.390
Additionally, attackers may delete

193
00:08:27.390 --> 00:08:29.490
or modify system logs

194
00:08:29.490 --> 00:08:32.070
to erase traces of their activity,

195
00:08:32.070 --> 00:08:35.400
which helps them avoid forensic detection.

196
00:08:35.400 --> 00:08:38.430
These evasive tactics allow attackers

197
00:08:38.430 --> 00:08:41.310
to operate within compromised systems

198
00:08:41.310 --> 00:08:43.140
for extended periods

199
00:08:43.140 --> 00:08:46.350
without alerting security teams.

200
00:08:46.350 --> 00:08:49.440
So, to prevent defensive evasion,

201
00:08:49.440 --> 00:08:51.630
organizations should employ

202
00:08:51.630 --> 00:08:54.090
behavioral-based detection systems

203
00:08:54.090 --> 00:08:57.180
that monitor unusual activity patterns

204
00:08:57.180 --> 00:08:59.010
rather than relying solely

205
00:08:59.010 --> 00:09:01.320
on signature-based detection.

206
00:09:01.320 --> 00:09:04.200
Also, enabling advanced logging,

207
00:09:04.200 --> 00:09:07.710
employing tamper protection on security software,

208
00:09:07.710 --> 00:09:09.690
and conducting regular audits

209
00:09:09.690 --> 00:09:11.910
of security configurations

210
00:09:11.910 --> 00:09:13.290
can also help detect

211
00:09:13.290 --> 00:09:17.010
and prevent defensive evasion techniques.

212
00:09:17.010 --> 00:09:21.750
So, remember, in post-exploitation and evasion,

213
00:09:21.750 --> 00:09:23.670
attackers use techniques

214
00:09:23.670 --> 00:09:25.350
to expand their access

215
00:09:25.350 --> 00:09:27.510
within a compromised network

216
00:09:27.510 --> 00:09:29.610
and avoid detection.

217
00:09:29.610 --> 00:09:31.950
They may start with lateral movement

218
00:09:31.950 --> 00:09:35.130
by exploring systems in the same network segment

219
00:09:35.130 --> 00:09:37.380
to find more valuable assets

220
00:09:37.380 --> 00:09:39.600
without raising alarms.

221
00:09:39.600 --> 00:09:42.090
Sometimes attackers then engage

222
00:09:42.090 --> 00:09:44.490
in unauthorized execution,

223
00:09:44.490 --> 00:09:47.400
where they run malicious commands or scripts

224
00:09:47.400 --> 00:09:50.970
to exfiltrate data or disrupt services.

225
00:09:50.970 --> 00:09:52.560
With these techniques,

226
00:09:52.560 --> 00:09:56.010
attackers can gain more control over systems

227
00:09:56.010 --> 00:09:59.580
and pursue their objectives more effectively.

228
00:09:59.580 --> 00:10:04.020
Finally, attackers use defensive evasion techniques

229
00:10:04.020 --> 00:10:05.820
to cover their tracks,

230
00:10:05.820 --> 00:10:08.370
like disabling security tools

231
00:10:08.370 --> 00:10:09.960
or clearing logs,

232
00:10:09.960 --> 00:10:11.850
making it harder for defenders

233
00:10:11.850 --> 00:10:13.680
to trace their steps.

234
00:10:13.680 --> 00:10:17.070
Detecting and stopping these attacker techniques

235
00:10:17.070 --> 00:10:20.550
requires a combination of network segmentation,

236
00:10:20.550 --> 00:10:22.530
strict access controls,

237
00:10:22.530 --> 00:10:24.600
regular software updates,

238
00:10:24.600 --> 00:10:27.303
and advanced behavioral monitoring.

