From Recon to Ruin: Exposing the Iranian Agrius APT Latest TTPs
Or Chechik, Daniel Frank

About Us
Or Chechik: Principal Security Researcher, Cortex XDR, Palo Alto Networks
Daniel Frank: Threat Research Team Leader, Cortex XDR, Palo Alto Networks

Our Story Begins on a Friday Afternoon
What started our investigation?
A very suspicious and rare alert appeared in our telemetry: someone was trying to terminate our agent from the kernel.

The Journey Begins: Pulling Threads and Following Breadcrumbs

Initial Access and Establishing Foothold: Vulnerable Web Applications and Web Shells
Webshell similarities with previous research:
- October 2023 webshell
- Webshell in a previous research by SentinelOne

Attack Timeline
- Initial access from web server
- Attacker gained local administrator
- Reconnaissance and lateral movement in DMZ
- Attacker gains access to LAN env
- Attacker gains access to the Domain Controller and retrieves a domain admin account

Attack Timeline (continued)
- Data exfiltration attempt

Data Exfiltration: A Custom SQL Extractor Tool
- Files extraction and archiving
- Writing of the extracted data to CSV files

And Then Wipers!

Attack Timeline (continued)
- Attempted deletion of evidence and causing damage
- Attacker lost connection to the network

What is a Wiper?
D