Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion. So today we're going to be looking at user execution.
00:10
So the objectives of today's discussion are to look at what user execution is.
00:18
Some common methods as far as using user execution as a vector. Common file types that have been seen in user execution as faras thebe of attachments that have been seen
00:30
mitigation techniques and then some detection techniques as well that we're going to go through.
00:36
So with that, let's go ahead and jump over to our first slide here. User execution. So the reliance on an end user
00:45
to perform a specific action in order to gain execution. Essentially, we do initial access
00:52
where we get on a system,
00:54
but we need a user to open something, do something per miner, so that could be several things. But really, we're looking at direct code execution where a user is opening a malicious execute herbal. So this could be something in the form of an email attachment or something of that nature. That's my attempt to do email
01:12
on, then code execution through
01:15
lynx eyes also away that this happens and so this could be again. We looked at that, your bank exploit or something of that nature where a user doesn't so much get an attachment, they get some kind of link in the body of an email.
01:30
They interact with it that takes them to a site. Maybe there's more action that has to take place or at that point, attempts to do
01:38
a download of sometimes. So that's what we're looking at when we talk about user execution and so some ways that it's mentioned that user execution happens,
01:49
one of which could be drive by compromise. And so this is where a threat actor gains access by having a user visit a website that has infected ads or maybe some other function of the Web site has been compromised. And so when the user interacts with that, it then download something or does something to their system.
02:07
Spearfishing attachments is something that we've mentioned as well, so this is where malware is attached to an email Directly
02:15
again, the user has to interact with that content, and that content also has to get past any number of controls that we have in place that should hopefully strip that content or prevent the user from executing that content.
02:29
And then we've got spear phishing links. And so in this case, the user must interact with a link sent via email that then downloads the malware. So now something to remember here is that with a drive by compromise or a compromise that has to do with the site, the user could just be surfing the Web
02:49
as they normally would during the day, maybe a lunch or something like that. So this is interaction, as faras dropped by, Compromise goes. But it's not as direct as spearfishing attachments and spear phishing links, because
03:02
in these two cases the user has been sent something that they interact with. Withdraw by compromised. The usual could just be surfing the Web, not really thinking about anything. And they go to a site that you know, delivers some type of malware or something of that nature at that point.
03:20
Now, when we look at attachments and file types with respect to what threat actors air using, there's a few common ones. Now this list isn't all inclusive, but these If you were going to get an email attachment or something of that nature of the ones, you'll likely see. And so word documents,
03:38
PDFs Excel files rich textiles execute a bles.
03:43
Um, we've got control panel items that we had talked about earlier. We talked about executed Bols as well. But really, you know, text files you can't deliver like dot txt. You can't deliver a virus with that. It just doesn't execute in the same way that these other ones do. So
04:00
any time you get any form of file via email, that wasn't something you discussed with somebody or anything of that nature. You need to kind of stop and think, Hey, did I ask for this? Was it requested? Do I know this person? And even if you do know them,
04:18
we're finding more and more that higher ups managers, executives, business partners, whatever the case may be,
04:25
are falling victim to spoofing like, you know, their account is either spoofed or its outright compromised. And then 1/3 party, a threat actor, will engage you an attempt to get you to do things on behalf of that person. So always ask, always call
04:41
and just look into things a little bit further before taking action, especially when these files are involved
04:46
Now let's talk about some mitigation techniques here.
04:49
So execution prevention of executed bols so stopping those from even running use of anti virus to stop known bad files from running. So Anna viruses kind of the age old, you know, Hopefully it'll catch everything in anything that runs, especially if it's a common attack type of common pattern. But
05:10
if you're dealing with a zero day attack or something that hasn't been seen before,
05:15
chances are your anti virus may not stop it. So you know you would run the risk of having issues their network intrusion prevention, toe block known bad activity. So essentially, you know how this differs from intrusion. Detection is with intrusion prevention. It will see the activity
05:32
that is associated with malicious behavior or a threat actor
05:38
with detection, it will simply notify somebody or alert on the activity. But the activity continues, as is with prevention. It will attempt to block the connection out, block the process whatever the case may be,
05:51
and so network intrusion prevention definitely could help with mitigation, but it could also blocked legitimate activity as well. So you always want to consider that
06:00
restrict Web content and prevent users from visiting known bad sites, and so that can help
06:06
would drive by compromise and things of that nature. It could also assist if they again click a link that takes them to a known bad site that's attempting to do something that could be blocked
06:17
anytime. Web restrictions of restrictions in the office take place, especially when the office was previously liberal. As far as their permissions, and allowing people to do things
06:30
this could be seen is as oppressive. But really, the mission here is to reduce risk for the business. And as long as that's clearly explained, I don't think that would be anyone that would have issues with restrictions on content and things of that nature. And then, of course, in user a well, awareness training is huge.
06:48
I don't think there's a single person that would view this content
06:54
that has not heard of end user awareness training As far as training in users doing security awareness training may be doing fishing campaigns to see who your risky users are, who interacts with content and things of that nature because if they do it during the test,
07:11
chances are they may have interacted with content in the past as well. That was potentially malicious.
07:15
So with that, let's go ahead and look a tsum detection techniques as well. So in this list we've got monitoring for the execution of command line arguments again, this carries between multiple discussions like Power Point, the Power Point discussion. Sorry, the power Shell discussion. This is a power point,
07:33
the power shell discussion as well as,
07:36
um, the scripting discussion, things of that nature.
07:41
So in those cases, that's user execution user interaction. So that's gonna carry true that we'd want to prevent the users from using the the command line from using the terminal from using power shell things of that nature. Because if they don't need it again in their day to day activities,
07:59
then it could help us in the event that they get some type of infection that attempts to take advantage of that
08:03
and then monitor hits on an A virus and have a security team member review activity pre and post. Alerting the reason I say pre alert and post alert is there may have been things on that system that happened leading up to that anti virus hit
08:20
that were the threat actor doing certain things to get to that point and then post that activity to see one if it was not successful, which, if the antivirus alerted on it, it blocks something. But there may be room enter pieces event that it didn't get.
08:35
And so you'd want to look at that scenario kind of holistically. They're kind of walking into it, thinking that maybe something was going on before or after the fact. And so definitely take that into consideration with your detection activities there.
08:50
Now let's do a quick check on learning a dot txt file is a common means for threat actors to execute a virus or malware,
08:58
commonly using a phishing attack.
09:03
All right, well, if you need any additional time to think this through, please pause the video. So true or false, a txt dot txt file is a common means for threat actors to execute a voucher, some malware using a phishing attack.
09:16
Well, if you were listening to what we said earlier, this is a false statement. Currently, text files are not able to execute viruses, malware, things of that nature, and so they're not commonly seen as a component for threat actors to attack. Now
09:31
that's right. Doctor could send a text file with a link in it that you could then copy and paste into a Web browser that would then download something. So
09:39
that's not to say that it could not be malicious, but it is currently not a common means of attack as far as this is concerned. So in summary of today's discussion, we did a review of user execution and what it is. We talked about some common methods for user execution, common file types,
09:58
mitigation techniques
10:00
as well as detection techniques. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor