Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion Today. We're looking at elevated execution with Prompt. So let's go ahead and jump into our objectives.
00:13
So today's objectives are as follows. We're going to describe elevated execution with prompt. So the name has a lot to say about what we're going to be doing here.
00:22
How has elevated execution with prompt been used? We're going to look at some mitigation techniques, and then we're going to talk detection techniques as well.
00:33
Show
00:34
elevated execution with prompts a threat. Actors use authorization. Execute with privilege AP Eyes to escalate privileges by prompting the user for credentials. So that is a mouthful.
00:49
The A P I has no validation to determine if the request has come from a reputable source. And so a key thing here
00:57
is that
00:58
anybody can pretty much put something in here, and it will attempt to get the user to provide credentials. Teoh provide you no additional privileges, and so this could be abused. In that threat, actors will install malicious software and other persistence mechanisms by taking advantage of this a p I
01:18
so very interesting, right? So we have something built in probably developed for, you know, good causes
01:23
that someone has found in their able to manipulate through this this particular loophole. So that's very interesting. So let's talk about an instance where this is used.
01:34
And so there's actually a Mac OS malware variant called Slayer. And essentially, this malware attempts to get the user to install malicious updates claiming to be for Flash Player.
01:49
And so, essentially, the Mauer does some of the following things. It will collect system information such as Mats, Mac Version and I O platform. Do you I d.
01:59
It will generate assist a session. Do you? I d using the you you I degen command. It creates a custom. You are l using the information from these given steps. And then it will attempt to download a zip file payload using curl creates a directory and unzips
02:17
makes the binary executes the payload performs a kill on. So all this happens in pretty
02:23
rapid succession. But essentially, this is mimicking or looking much like the elevated execution with prompt a sfar us how this ax you go out,
02:34
you do something that you think is is legit like downloading an update or something of that nature, you're convinced that it's necessary your prompted to enter credentials to maybe give a pseudo or some type of domain administrator, local administrator privilege. You do so and then they've got you. So
02:53
you really have to make sure that you're paying attention. And a big part of this is going to be, you know, user education and understanding how these things work.
03:04
But there are also some techniques we can use for mitigation as well. So with respect to mitigation activities in the case of the Mac, we can prevent applications from running that haven't been downloaded through the Apple store. And so
03:19
not to say that trust is 100% here. But it's a little bit harder from a quality control standpoint to just throw something on there.
03:27
Um, and it be infected. But it happens, and so that's not foolproof. But it's definitely, you know, reducing some risk and do not allow unsigned applications to be run on the system at all again.
03:40
Not foolproof. But there's a little extra work that a threat actor would have to put in in order to circumvent some of these controls and do these things and then, from a detection standpoint,
03:53
we can consider monitoring for the user live e x e c slash security underscore. And then this is off
04:01
trampoline executions, which could indicate that, um,
04:05
the authorization execute with privileges is being executed. So a lot of jumbled words there, but that is exactly what you could do to help t provide some type of detection in this particular case.
04:21
Now, true or false, Max are not susceptible to malware or viruses.
04:30
All right, well, we're not going to take too long on this when this is definitely false because we just went over a particular malware variant that is Mac oriented. Now I know that it seems like we jump through some hoops pretty quickly here, but essentially
04:46
some other things to consider. When we talk about this particular type of elevated execution with prompt
04:54
is remember that if our users don't have privileges to install APS and do things of that nature, it could also work is a mitigating factor in our favor and then user education, While not mentioned in every instance with respect to detection and maybe even mitigation
05:13
is important with respect to them being able to know when something may be bogus, or to know when they are potentially being manipulated by a threat actor. So those are always going to be things that we want to bring up from time to time. Ah, and implement where we can.
05:29
So, in summary of today's discussion, we described elevated execution with prompt.
05:33
We described how elevated execution with prompt has been used in the Mac OS version of this discussion as well, describes a mitigation techniques and describe some detection techniques as well. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor