The “Hikit” rootkit: advanced and persistent attack techniques (part 1)
| Field | Value |
|---|---|
| Title | The “Hikit” rootkit: advanced and persistent attack techniques (part 1) |
| Botnet | Hikit |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | Rootkit |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 2012-08-20 |
| Editor/Conference | Mandiant |
| Link | https://blog.mandiant.com/archives/3155 (blog.mandiant.com; archive copy) |
| Author | Ryan Kazanciyan, Christopher Glyer |
| Type | |
Abstract
“We first encountered this malware during a sweep of thousands of systems in a victim environment for Indicators of Compromise (IOCs), using our Mandiant Intelligent Response (MIR) platform. The attacker already had administrator privileges to the entire corporate Windows domain and had compromised numerous systems. Fortunately, we had several indicators gathered during the onset of the investigation that we could use during initial MIR sweeps. For instance, we knew they were fond of using the old-but-reliable “sticky keys” technique, whereby “sethc.exe” is overwritten with a copy of “cmd.exe” to provide unauthenticated access during RDP logon. (Carnal0wnage’s blog has a nice succinct write-up of this attack here.)”
Bibtex
@misc{2012BFR1129,
  editor       = {Mandiant},
  author       = {Ryan Kazanciyan and Christopher Glyer},
  title        = {The “Hikit” rootkit: advanced and persistent attack techniques (part 1)},
  date         = {20},
  month        = Aug,
  year         = {2012},
  howpublished = {\url{https://blog.mandiant.com/archives/3155}},
}