Malicious modules and the LSA process

During attacks on the infrastructure of various companies, attackers increasingly resort to manipulating modules that interact with the Local Security Authority (LSA) process. This allows them to gain access to user credentials, gain a foothold in the system, escalate their privileges, or extend the attack to other systems of the targeted company. Therefore, when preparing the next quarterly update for our SIEM system, Kaspersky Unified Monitoring and Analysis Platform, we added rules for detecting such attempts. According to the MITRE ATT&CK classification, the new rules identify techniques T1547.002, T1547.005, and T1556.002.

What is the essence of techniques T1547.002, T1547.005, and T1556.002?

Both of the above-mentioned variants of the T1547 technique involve loading malicious modules into the LSA process. Sub-technique 002 describes adding malicious DLLs as Windows Authentication Packages, while sub-technique 005 describes adding DLLs as Security Support Providers. Loading these modules gives attackers access to the memory of the LSA process, i.e. to critical data such as user credentials.

Technique T1556.002 describes a scenario where an attacker registers malicious Password Filter DLLs in the system; password filters are essentially a mechanism for enforcing password policies. That is, if an attacker manages to introduce a malicious password filter into the system, they will be able to capture passwords at every password-change request.

How KUMA SIEM counters

Loading of suspicious authentication packages, password filter (notification) packages and SSP (Security Support Provider) modules, detected via events 4610, 4614 and 4622 respectively.
Commands run in cmd.exe and powershell.exe that modify the LSA registry branch and its Authentication Packages, Notification Packages and Security Packages keys.
Changes to the LSA\Security Packages registry branch that could add a malicious module, detected via registry change event 4657.
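The three detection sources above can be illustrated with a small, self-contained detector. This is an added example written for this page; it is not KUMA's rule logic or any Kaspersky code. It assumes normalized events as Python dicts with field names chosen for the example, uses Windows Security log IDs 4610/4614/4622/4657 from the page plus 4688 (process creation) for the command-line check, and ships a baseline of stock Windows package names that a real deployment would replace with its own inventory. The sample events are constructed.

```python
"""Toy detector for LSA module manipulation (T1547.002, T1547.005, T1556.002).

Event IDs: 4610 authentication package loaded, 4614 notification (password
filter) package loaded, 4622 security package loaded, 4657 registry value
modified, 4688 process created. Field names are an assumption of this example.
"""
import re

# Baseline of modules expected on a stock Windows host. This is an assumption
# for the example; build the real list from your own host inventory.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
KNOWN_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}
KNOWN_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest",
                           "tspkg", "pku2u", "negotiate", "cloudap"}

# Registry branch and value names named on the page (compared lower-cased).
LSA_KEY = r"\control\lsa"
LSA_VALUES = {"authentication packages", "notification packages", "security packages"}
SHELLS = {"cmd.exe", "powershell.exe"}

PACKAGE_EVENTS = {
    4610: ("authentication package", KNOWN_AUTH_PACKAGES, "T1547.002"),
    4614: ("notification package", KNOWN_NOTIFICATION_PACKAGES, "T1556.002"),
    4622: ("security package", KNOWN_SECURITY_PACKAGES, "T1547.005"),
}


def package_base_name(name):
    """Reduce 'C:\\Windows\\System32\\Foo.DLL' or 'foo' to 'foo' for baseline comparison."""
    return re.split(r"[\\/]", name)[-1].lower().removesuffix(".dll")


def check_event(ev):
    """Return an alert string for a suspicious event, or None."""
    eid = ev["event_id"]
    if eid in PACKAGE_EVENTS:
        kind, baseline, technique = PACKAGE_EVENTS[eid]
        if package_base_name(ev["package_name"]) not in baseline:
            return f"{technique}: unexpected {kind} '{ev['package_name']}' loaded on {ev['host']}"
        return None
    if eid == 4657:
        # Registry value modified: only the LSA branch and the three package lists matter here.
        if LSA_KEY in ev["object_name"].lower() and ev["value_name"].lower() in LSA_VALUES:
            return (f"T1547/T1556: LSA registry value '{ev['value_name']}' modified by "
                    f"{ev['process_name']} on {ev['host']}")
        return None
    if eid == 4688:
        # Process creation: a shell whose command line touches the LSA branch and a package list.
        proc = ev["process_name"].lower().split("\\")[-1]
        cmd = ev["command_line"].lower()
        if proc in SHELLS and LSA_KEY in cmd and any(v in cmd for v in LSA_VALUES):
            return f"T1547/T1556: {proc} modifying LSA key on {ev['host']}: {ev['command_line']}"
        return None
    return None


def scan(events):
    """Run check_event over a batch and return the alerts that fired."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4610, "host": "ws01", "package_name": "C:\\Windows\\System32\\msv1_0.dll"},
    {"event_id": 4622, "host": "ws01", "package_name": "kerberos"},
    {"event_id": 4622, "host": "ws01", "package_name": "C:\\Windows\\Temp\\updater.dll"},
    {"event_id": 4614, "host": "dc01", "package_name": "scecli"},
    {"event_id": 4614, "host": "dc01", "package_name": "pwdcheck"},
    {"event_id": 4657, "host": "ws01", "process_name": "C:\\Windows\\regedit.exe",
     "object_name": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa",
     "value_name": "Security Packages"},
    {"event_id": 4657, "host": "ws01", "process_name": "svchost.exe",
     "object_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Vendor\\App",
     "value_name": "Security Packages"},
    {"event_id": 4688, "host": "ws02", "process_name": "C:\\Windows\\System32\\cmd.exe",
     "command_line": 'reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa '
                     '/v "Authentication Packages" /t REG_MULTI_SZ /d "msv1_0"'},
    {"event_id": 4688, "host": "ws02", "process_name": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The baseline approach matters more than the string matching: a module load event by itself is normal, so the rule only becomes useful once the set of packages that legitimately load on each host class is known and anything outside it is escalated.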

What else are we improving in the KUMA update?

In the next update, we also add the R999_99 rule, which detects changes to critical attributes of Active Directory accounts that are responsible for performing various actions at each logon, such as Script-Path and msTSInitialProgram.

These attributes control which scripts are executed when a user logs in, i.e. scripts that run every time a user logs on to the network. This makes them a convenient target for attackers seeking to gain a foothold in the network. Manipulation of these attributes may indicate unauthorized attempts to gain a foothold in the system or escalate privileges, that is, the use of the T1037.003 technique according to the MITRE ATT&CK classification.


The strategy for detecting these manipulations

This event records any changes made to objects in Active Directory, including attribute changes.
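As an added example (not the R999_99 rule or any Kaspersky code), the following detector classifies attribute-change records of the kind the directory-service audit event produces. It assumes records already normalized into object DN, attribute name, operation, new value and acting account; the approved-editor list and the expectation that logon scripts normally sit under the domain's NETLOGON share are assumptions for the example, and the sample records are constructed.

```python
"""Toy detector for changes to logon-script attributes in Active Directory (T1037.003).

Records are assumed to be normalized attribute changes: AD audit logs report a
replaced value as a 'value deleted' followed by a 'value added' record, so only
the 'add' side carries the new script location and is classified here.
"""
import re
from dataclasses import dataclass

# Attributes named on the page; LDAP display names compared case-insensitively.
WATCHED_ATTRIBUTES = {"scriptpath", "mstsinitialprogram"}

# Accounts allowed to change logon scripts through change management (assumed).
APPROVED_EDITORS = {"CORP\\svc-gpo-admin"}


@dataclass
class AttributeChange:
    object_dn: str
    attribute: str
    operation: str   # "add" or "delete"
    value: str
    subject: str     # account that made the change, DOMAIN\name


def classify(change):
    """Return (severity, description) for a watched attribute change, else None."""
    if change.attribute.lower() not in WATCHED_ATTRIBUTES or change.operation != "add":
        return None
    reasons = []
    if change.subject not in APPROVED_EDITORS:
        reasons.append(f"changed by non-approved account {change.subject}")
    v = change.value.lower()
    # Assumption: legitimate scripts are relative names resolved against NETLOGON,
    # so an arbitrary UNC path or a local absolute path is unusual.
    if v.startswith("\\\\") and "\\netlogon\\" not in v:
        reasons.append("points to a UNC path outside NETLOGON")
    elif re.match(r"^[a-z]:\\", v):
        reasons.append("points to a local absolute path")
    severity = "high" if reasons else "medium"
    desc = f"{change.attribute} on {change.object_dn} set to '{change.value}'"
    if reasons:
        desc += ": " + "; ".join(reasons)
    return severity, desc


def scan_changes(changes):
    """Classify a batch and return the findings that fired."""
    return [r for r in (classify(c) for c in changes) if r]


# Constructed sample records (not real audit data).
SAMPLE_CHANGES = [
    AttributeChange("CN=jdoe,OU=Users,DC=corp,DC=example", "scriptPath", "add",
                    "logon.bat", "CORP\\svc-gpo-admin"),
    AttributeChange("CN=jdoe,OU=Users,DC=corp,DC=example", "scriptPath", "add",
                    "\\\\10.0.0.5\\share\\x.bat", "CORP\\jdoe"),
    AttributeChange("CN=asmith,OU=Users,DC=corp,DC=example", "msTSInitialProgram", "add",
                    "C:\\Users\\Public\\init.exe", "CORP\\svc-gpo-admin"),
    AttributeChange("CN=asmith,OU=Users,DC=corp,DC=example", "description", "add",
                    "Finance team", "CORP\\jdoe"),
    AttributeChange("CN=jdoe,OU=Users,DC=corp,DC=example", "scriptPath", "delete",
                    "old.bat", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for severity, desc in scan_changes(SAMPLE_CHANGES):
        print(severity.upper(), desc)
```

Even a change made by an approved account still produces a medium finding, because a compromised administrative account is precisely the case in which a legitimate-looking script change deserves a second look.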

After installing the latest update, more than 700 rules will be available on the KUMA platform. Thus, by the end of 2024, our solution will cover 400 MITRE ATT&CK techniques. Of course, we do not aim to create rules that detect all the techniques described in the matrix. It is not possible to cover a significant part of them, simply because of their nature (they imply actions outside the protected perimeter, or are not fully covered by a SIEM-class solution in principle). However, in the fourth quarter of this year, we tried to further increase the coverage of the techniques described in MITRE ATT&CK, as well as expand the detection logic for the techniques already covered.

New and improved normalizers

In the latest update, we also add normalizers to our SIEM system that allow us to work with the following event sources:

In addition, our experts have improved the following normalizers:

You can learn more about our SIEM system Kaspersky Unified Monitoring and Analysis Platform on the official product page.

Remote attack on an organization’s wireless network

Let’s say there are some attackers who are going to hack a certain organization remotely. They collect information about the company, examine its external perimeter, maybe even find some employees’ credentials in leaked password databases. But they don’t see any exploitable vulnerabilities, and they also realize that all of the company’s external services have two-factor authentication enabled. So passwords alone aren’t enough to log in.

One method of penetration could be the corporate Wi-Fi network, which one could try to log into using the same credentials. This is especially true if the organization has a guest Wi-Fi network that is not sufficiently isolated from the main network; two-factor authentication is very rarely enabled for it. But there is a problem: the attackers are on the other side of the world and cannot physically connect to the office Wi-Fi.

This is where the “nearest neighbor”

If the attackers conduct additional reconnaissance, they will likely discover many other organizations whose offices are within Wi-Fi signal range of the company they are attacking. And it cannot be ruled out that some of these neighboring organizations will be significantly more vulnerable than the attackers' original target.

This is simply because the profile of these organizations does not imply a serious risk of cyber attacks, so they do not pay much attention to security. For example, they do not use two-factor authentication on their external resources, or they do not update their software in a timely manner, leaving attackers convenient vulnerabilities to exploit.

Either way, it is easier for attackers to gain access to the network

After that, using the compromised "neighbor's" device as a bridge, the attackers will be able to connect to the corporate Wi-Fi network of the real target of their attack.

How to protect yourself from your “nearest neighbor”

It should be noted that this tactic has been used by at least one APT group for some time, so the danger is not theoretical. Therefore, organizations that are likely to become victims of targeted attacks should start to treat the security of their corporate wireless network as carefully as they do the security of resources connected to the Internet.
