Difference between revisions of "The “Hikit” rootkit: advanced and persistent attack techniques (part 1)"

From Botnets.fr
m (1 revision imported)
 
Previous revision:

{{Publication
|NomRevue=M-unition
|Date=20 août 2012
|Editor=Mandiant
|Year=2012
|Botnet=Hikit
|Link=https://blog.mandiant.com/archives/3155 blog.mandiant.com
|Author=Ryan Kazanciyan, Christopher Glyer
|Abstract=We first encountered this malware during a sweep of thousands of systems in a victim environment for Indicators of Compromise (IOCs), using our Mandiant Intelligent Response (MIR) platform. The attacker already had administrator privileges to the entire corporate Windows domain and had compromised numerous systems. Fortunately, we had several indicators gathered during the onset of the investigation that we could use during initial MIR sweeps. For instance, we knew they were fond of using the old-but-reliable “sticky keys” technique, whereby “sethc.exe” is overwritten with a copy of “cmd.exe” to provide unauthenticated access during RDP logon. (Carnal0wnage’s blog has a nice succinct write-up of this attack here.)
}}

Latest revision:

{{Publication
|Botnet=Hikit
|Feature=Rootkit,
|Year=2012
|Date=2012-08-20
|Editor=Mandiant
|Link=https://blog.mandiant.com/archives/3155 blog.mandiant.com
|Author=Ryan Kazanciyan, Christopher Glyer
|NomRevue=M-unition
|Abstract=We first encountered this malware during a sweep of thousands of systems in a victim environment for Indicators of Compromise (IOCs), using our Mandiant Intelligent Response (MIR) platform. The attacker already had administrator privileges to the entire corporate Windows domain and had compromised numerous systems. Fortunately, we had several indicators gathered during the onset of the investigation that we could use during initial MIR sweeps. For instance, we knew they were fond of using the old-but-reliable “sticky keys” technique, whereby “sethc.exe” is overwritten with a copy of “cmd.exe” to provide unauthenticated access during RDP logon. (Carnal0wnage’s blog has a nice succinct write-up of this attack here.)
}}

Latest revision as of 16:28, 31 July 2015


The “Hikit” rootkit: advanced and persistent attack techniques (part 1)

Botnet: Hikit
Feature: Rootkit
Date: 2012 / 2012-08-20
Editor/Conference: Mandiant
Link: https://blog.mandiant.com/archives/3155 blog.mandiant.com (blog.mandiant.com Archive copy)
Author: Ryan Kazanciyan, Christopher Glyer

Abstract

We first encountered this malware during a sweep of thousands of systems in a victim environment for Indicators of Compromise (IOCs), using our Mandiant Intelligent Response (MIR) platform. The attacker already had administrator privileges to the entire corporate Windows domain and had compromised numerous systems. Fortunately, we had several indicators gathered during the onset of the investigation that we could use during initial MIR sweeps. For instance, we knew they were fond of using the old-but-reliable “sticky keys” technique, whereby “sethc.exe” is overwritten with a copy of “cmd.exe” to provide unauthenticated access during RDP logon. (Carnal0wnage’s blog has a nice succinct write-up of this attack here.)

Bibtex

 @misc{2012BFR1129,
   editor = {Mandiant},
   author = {Ryan Kazanciyan, Christopher Glyer},
   title = {The “Hikit” rootkit: advanced and persistent attack techniques (part 1)},
   day = {20},
   month = aug,
   year = {2012},
   howpublished = {\url{https://blog.mandiant.com/archives/3155}},
 }