Development and operations a practical guide

Download 4.62 Mb.

View original pdf

Page	94/96
Date	11.02.2023
Size	4.62 Mb.
	#60628

1 ... 88 89 90 91 92 93 94 95 96

1 Joe Vest, James Tubberville Red Team Development and Operations

Begin the Exercise
Begin by researching the Energetic Bear threat and attack. After you complete your own, compare your observations to the highlights below.
Highlights have been provided to help with this process.
Highlights from the Energetic Bear Threat Actor
●
Starting in 2010 and ending in 2014, Energetic Bear / Dragonfly / Crouching Yeti malware attacked numerous computers to collect information on industrial control systems in the
United States and Europe
●
Spread out overtime and thus difficult to detect
●
The primary goal was to collect information that impacted the energy and pharmaceutical industries
●
Possibly nation-state supported
●
Phishing, watering hole attacks
●
Known exploits were used (PDF, Java, IE, Word)
●
Compromised ICS web servers
●
HTTP-based C2
●
Specific activities and capabilities
IOCs from the actor Energetic Bear and the HAVEX malware
Actor

Associated with the Russian Federation
●
Active over multiple years
●
Active primarily during Moscow business hours
●
Targeted organizations based in the industry control system sector vGoal of gathering intelligence on ICS-based organizations
●
Use of custom malware
Attack and delivery TTPs
●
Phishing
●
Watering hole
●
Compromised web servers
Exploitation TTPs
●
PDF exploits
●
Java and IE exploits
●
Word exploits2
●
Custom binaries
Post-exploitation TTPs
●
Local system enumeration for OS, username, processes, internet history, etc.
●
Scan for known ICS-related ports
●
DLL injection to migrate into explorer.exe
●
Collect Outlook address book information
●
Collect passwords from browsers
●
Save exfiltrated data to an encrypted file on disk before delivery to the C in an HTTP
POST request

Download 4.62 Mb.

Share with your friends:

1 ... 88 89 90 91 92 93 94 95 96