
Detecting Initial Access Malware Before It's Too Late.pdf

Uploaded by: 可*** ID: 991791 2025-12-07 37 pages 2MB

DETECTING INITIAL ACCESS MALWARE BEFORE IT'S TOO LATE
Hiren Sadhwani | 30th May 2025
SANS Ransomware Summit 2025

Whoami
Working as Cyber Threat Hunter, Inspira Enterprise
Ex-Forescout and PwC
Occasionally blogs on Medium
Previous speaker at SANS BlueTeam Summit 2023 and various other local infosec chapters
Connect with: hir3n_s, /in/hiren-sadhwani/

Agenda
What is initial access malware and why it matters
Common initial access vectors and types
Initial Access Brokers (IABs)
Threat hunting malware
Conclusion

Initial Access Malware
Initial access malware is malicious software designed to gain a foothold in a target system or network, often serving as the entry point for further attacks like data theft, lateral movement, or ransomware deployment.

Why it matters?
All attacks start by gaining an initial foothold in the target environment. Most often, this occurs by tricking employees into downloading malware onto their machines or compromising third-party vendor accounts with access to your network or cloud resources.

Some common initial access vectors
Traditional Methods
Phishing (T1566)
Drive-by Downloads (T1189)
Malicious Advertisements (Malvertising)
Exposed Remote Desktop Protocol (RDP) (T1133)
Exploiting Public-Facing Applications (T1190)
New Emerging Methods
ClickFix Attacks / Fake CAPTCHA Bypasses / Paste & Run
Email Bombing - MS Teams Impersonation
Supply Chain Attacks
QR Code Phishing (Quishing)
Search Engine Optimization (SEO) Poisoning

Types of Initial Access Malware
Infostealers (e.g., Lumma, RedLine, Vidar): steal credentials, cookies, and session tokens to bypass authentication. Example: fake browser updates dropping Lumma Stealer.
Droppers/Downloaders (e.g., BazarLoader, QakBot): disguised as legitimate files (PDFs, Word docs) to fetch additional malware.
Exploits (e.g., ProxyLogon, Log4Shell)
RATs (Remote Access Trojans, e.g., AsyncRAT

Based on the report's content, its main points are summarized as follows:
1. **Why initial access malware matters**: initial access malware is the starting point of an attack and is commonly used for data theft, lateral movement, or ransomware deployment.
2. **Common initial access vectors**: including phishing, malicious downloads, malvertising, exposed Remote Desktop Protocol, and exploitation of public-facing applications.
3. **Emerging methods**: such as ClickFix attacks, supply chain attacks, QR code phishing, and search engine optimization (SEO) poisoning.
4. **Types of initial access malware**: infostealers, downloaders, remote access trojans, and others.
5. **Initial Access Brokers (IABs)**: sell already-compromised access, such as VPN, RDP, and cloud services.
6. **Threat hunting**: proactively searching for hidden threats in the network in order to discover and stop attacks early.
7. **Key figure**: browser-based methods (such as malvertising, SEO poisoning, and fake browser updates) account for 70% of malware cases.
8. **Threat hunting frameworks**: such as PEAK, TaHiTI, and the threat hunting loop.
9. **Case studies**: detection and hunting methods for malware such as Lumma Stealer, SocGholish, and GootLoader.
10. **Key takeaway**: defending against initial access is the key to stopping the entire attack chain; invest in continuous detection and hunting to narrow the gap.