Hello and welcome to another MITRE ATT&CK framework discussion.
Today we're going to look at application deployment software and what that looks like within lateral movement. So today's objectives are as follows.
We're going to describe application deployment software, we're going to look at some mitigation techniques, and we'll talk about detection techniques. Now, application deployment software is when a threat actor deploys software to systems within the victim network using application deployment systems
commonly used by system administrators.
The permissions required and the results may vary in these instances. You can think of these types of software as things like we've seen with managed service providers (MSPs) and managed security service providers (MSSPs), where they deploy agents throughout their different client environments and can then globally manage those systems. And so we've seen that this is a very
prominent vector and a concern for MSPs and MSSPs, just ensuring that
their application deployment software and remote management tools
are properly locked down. But you could see this on a smaller scale, where an enterprise administrator may use certain applications to push software out to users. So I have a quick look at APT32 here, which is a threat group. Now, this graphic was provided by FireEye, from their site.
But the area that I really wanted to focus on in this is
after privilege escalation and before the completion of the mission: there's this internal recon phase. Now you'll notice that lateral movement is here and that this process is essentially cyclical, in that it moves through
this internal recon phase until we get
to the completion of the mission. So we're right now in lateral movement,
and we want to ensure, as we're doing this, that we maintain persistence, and we'll use things again like sysadmin utilities, PowerShell, remote deployment tools, and other things of that nature to move laterally; we'll discuss some other parts of that. But this particular group, it shows their life cycle. So, using things like ActiveMime
phishing to get to initial compromise,
they establish a foothold with one of these tools. They escalate privilege through a number of avenues, such as scheduled tasks, Cobalt Strike, this particular CVE, Mimikatz. They get into internal recon, and then they complete their mission by getting local admin usage or access to VPN, email, files, etc. Things of that nature. Now this is one
APT, but it's probably pretty standard that it would be a modification of each of these given tool sets and areas based on what the threat actor likes to use. I'm sure the mission and the framework are relatively the same between them.
Now let's talk about mitigation techniques.
So when we're talking about application deployment software, use of multi-factor authentication for that system prior to deployment could definitely help mitigate a threat actor's ability to just compromise an account and run something. Regular updates reduce the likelihood of exploitation and help against privilege escalation.
Use proper network segmentation to isolate critical systems,
and use other forms of network protection to make the task of exploiting those systems more difficult. So by doing some of those things, you can definitely mitigate the potential for that type of attack happening.
We also have a few detection techniques, such as monitoring application deployment from a secondary system, making sure that we produce a standard schedule for application deployment and look for abnormal activity, and monitoring logon activity to those systems. So again,
coming back to not so much a tool that's telling us when something bad is happening or stopping something, but us
being engaged in how the system works, when it works, when it should be working and what that looks like, and then knowing the difference and being able to address those scenarios on a case-by-case basis.
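As an added example, not part of the original talk, here is a small Python script that turns those three detections (deployment jobs checked against a standard schedule and an approved set of consoles and operators, plus logon monitoring on the deployment server) into rules run over constructed log records. The record format, the field names, the approved operators and consoles, the hostnames and the Tuesday 02:00-04:00 deployment window are all assumptions for the illustration, not the log schema of any real deployment product.

```python
"""Baseline detection for misuse of application deployment software.

Added example: a hypothetical deployment server writes one JSON record per
deployment job and per logon to itself. Field names, allow lists and the
deployment window are assumptions for this illustration, not any real
product's schema.
"""
import json
from datetime import datetime, time, timedelta

# Assumed baseline: who may start jobs, from which admin consoles, and when.
APPROVED_OPERATORS = {"deploy-svc", "jsmith"}
APPROVED_CONSOLES = {"deploy-console01", "deploy-console02"}
DEPLOY_SERVER = "deploy-srv01"
WINDOW_WEEKDAY = 1                      # Tuesday (Monday == 0)
WINDOW_START, WINDOW_END = time(2, 0), time(4, 0)

# Constructed sample records (not real data): a normal Tuesday job, a normal
# console logon, then a Thursday afternoon push from a finance workstation
# preceded by a logon to the deployment server from that same workstation,
# and a job started by an account that is not a deployment operator.
SAMPLE_LOG = """
{"ts": "2024-03-05T02:15:00", "event": "job_start", "host": "deploy-console01", "user": "deploy-svc", "package": "browser-122.msi", "targets": 1200}
{"ts": "2024-03-05T02:40:00", "event": "logon", "host": "deploy-console01", "user": "jsmith", "target": "deploy-srv01"}
{"ts": "2024-03-07T13:58:00", "event": "logon", "host": "ws-finance-17", "user": "jsmith", "target": "deploy-srv01"}
{"ts": "2024-03-07T14:05:00", "event": "job_start", "host": "ws-finance-17", "user": "jsmith", "package": "update.exe", "targets": 3400}
{"ts": "2024-03-12T03:10:00", "event": "job_start", "host": "deploy-console02", "user": "hr-temp", "package": "vpn-client.msi", "targets": 50}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_deploy_window(ts):
    """True when ts falls inside the standing deployment window."""
    return ts.weekday() == WINDOW_WEEKDAY and WINDOW_START <= ts.time() <= WINDOW_END


def analyze(records):
    """Return (ts, rule, detail) findings for each record that deviates from
    the baseline. Each rule maps to one of the detections in the talk."""
    findings = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if r["event"] == "job_start":
            if r["user"] not in APPROVED_OPERATORS:
                findings.append((r["ts"], "unapproved operator", r["user"]))
            if r["host"] not in APPROVED_CONSOLES:
                findings.append((r["ts"], "job from non-console host", r["host"]))
            if not in_deploy_window(ts):
                findings.append((r["ts"], "job outside deployment window", r["package"]))
        elif r["event"] == "logon" and r["target"] == DEPLOY_SERVER:
            if r["host"] not in APPROVED_CONSOLES:
                findings.append((r["ts"], "deployment server logon from unexpected host", r["host"]))
    return findings


def correlated_incidents(records, window=timedelta(hours=1)):
    """Pair a deployment-server logon from a non-console host with a job
    started from that same host within `window`. That sequence is what a
    compromised admin account pushing a payload from a workstation looks
    like, and it deserves a higher severity than either event alone."""
    logons = [r for r in records
              if r["event"] == "logon" and r["target"] == DEPLOY_SERVER]
    hits = []
    for job in records:
        if job["event"] != "job_start" or job["host"] in APPROVED_CONSOLES:
            continue
        job_ts = datetime.fromisoformat(job["ts"])
        for lg in logons:
            gap = job_ts - datetime.fromisoformat(lg["ts"])
            if lg["host"] == job["host"] and timedelta(0) <= gap <= window:
                hits.append({"host": job["host"], "user": job["user"],
                             "package": job["package"], "targets": job["targets"]})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in analyze(recs):
        print("ALERT", *f)
    for h in correlated_incidents(recs):
        print("INCIDENT", h)
```

On the constructed sample the single-record rules raise four alerts (the Thursday job from the workstation trips both the console and the schedule rule, the workstation logon trips the logon rule, and the hr-temp job trips the operator rule), and the correlation step reduces the workstation pair to one incident with the target count attached, which is the number an analyst wants first when deciding how urgently to pull the job. In practice the allow lists and window come from the documented deployment schedule the talk asks you to maintain, and a second, independent system should be the one reading these logs.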
So with this in mind, let's go ahead and jump into a check on learning. True or false: application deployment systems are commonly employed by enterprise administrators and could be used by threat actors to deploy malicious software.
If you need additional time, please pause the video at this time. This is a true statement: application deployment systems are commonly employed by enterprise administrators, but they could be used by threat actors to push malicious software. So this is a true statement.
So let's go ahead and jump into our summary for today's discussion.
We looked at and described application deployment software. We talked about APT32, their ability to essentially move laterally through systems, and how that process looks for them. We looked at mitigation techniques. We talked about detection techniques,
all of those things again compounding upon the other sections of the MITRE ATT&CK framework.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.