Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello, and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're looking at Execution through API as an attack vector in the execution phase. So let's go ahead and jump right into our objectives.
00:15
So today we're going to look at what is Execution through API. We're going to look at some tools that are used in this particular method. We're gonna look at some mitigation techniques and some detection techniques as well. So with that, let's go ahead and jump right in.
00:33
Now, Execution through API. So these attacks involve the use of tools that may directly use the Windows application programming interface to execute binaries. And so
00:45
we've probably heard of, I'm sure you've heard of, using APIs to communicate between systems as well as between web applications
00:54
and things of that nature. We're doing API calls with URLs and things of that nature.
01:00
This is focusing on the Windows application programming interface with respect to the execution of binaries. And so some examples of API calls that can be used to execute binaries are as given. Now, this list isn't all-inclusive,
01:15
but CreateProcessA and W, CreateProcessAsUser and CreateProcessAsUserW, LoadLibrary and LoadModule. So these could be beneficial in executing scripts and things of that nature when APIs are
01:33
a part of attacking, and generally
01:36
it's, again, when we're looking at the attack vectors and we're talking about the attack vectors,
01:42
a user may execute a phishing attachment or spearphishing attachment that results in command-line calls that result in API actions or something of that nature,
01:55
so these could be compounded. And each of these vectors is not a one-for-one. You may have lateral movement as well as movement up and down through a particular phase as well.
02:07
Now, when we look at tools used, these are some tools that are used by a particular threat group. So the BOOSTWRITE loader is essentially a loader created to be launched via,
02:19
uh, the abuse of the DLL search order of applications. And so the application loads several libraries and finally loads DWrite.dll.
02:28
Now, this causes the import of a malicious DLL that is then used to load an instance of the Carbanak backdoor. Another tool that we have here is the RDFSNIFFER
02:39
module, which is loaded by BOOSTWRITE. It will hook Win32 API functions and can be used to hijack elements of NCR Aloha Command Center. There's also a backdoor component that enables it to inject commands into an active RDFClient session. Now,
03:00
some other components of this tool: it also allows for the uploading and downloading of files on systems. And so if there are particular files that the threat actor would be after, they could potentially load some of those files as well. Now, when we talk about mitigation techniques,
03:17
really with respect to these APIs and things of that nature,
03:22
identify and block malicious payloads or software through execution prevention methods. And so this can be things such as antivirus, that can be things such as, um,
03:34
intrusion prevention systems and things of that nature that will look essentially for suspicious activity and then will attempt to block that activity based on what is known malicious.
03:45
now
03:46
detection methods
03:49
with respect to APIs, because they're so, as far as within Windows, because they're used so much in the way software works and the way the systems work, it wouldn't make sense to log activity of
04:02
every API or every call on the Windows system. It would overwhelm your logs, and it would make it very tedious to inspect this information,
04:12
and so what you would want to do is utilize intrusion prevention and detection systems to do correlation, essentially, around events that could be potentially malicious in nature involving Windows APIs. So instead of looking at single events,
04:27
you would really want to take multiple events at a time that look suspicious or seem to be a signature of a particular type of attack.
04:35
And then you would investigate that information and see if it is, in fact, malicious.
04:42
Now let's do a quick check on learning. True or false: Execution through API is concerning the use of the Windows application programming interface.
04:56
All right. Well, if you need some additional time, please go ahead and pause the video and take a moment. Now, this statement is true. So with respect to API execution, in this case, MITRE talks about it being the Windows application programming interface. And so
05:16
we're not talking web APIs and things of that nature right now. It's strictly focusing on the Windows application programming interface. And so, in this case, the statement given is true. So let's go ahead and jump over to the summary for today's discussion. So we reviewed
05:33
Execution through API as presented in the ATT&CK framework.
05:39
We reviewed some tools that we can use, or that would be used, for manipulating these APIs, or how we've seen instances of these APIs being taken advantage of. We reviewed some mitigation techniques, which was really
05:53
through things like antivirus, through execution prevention, and other whitelisting tools that you can put in place to try and block
06:00
malicious loads and things of that nature,
06:03
and then reviewed some detection techniques, again, not looking at all aspects of API activity within Windows because it would be so much information, it would be very tedious and hard for you to single out one event as being malicious,
06:19
so you'd want to focus again on correlation of events to attempt to detect activity with respect to
06:27
Windows APIs and malicious activity.
06:30
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor