I was recently reading Symantec's July 2017 Internet Security Threat Report (ISTR), “Living off the land and fileless attack techniques”, and wanted to call attention to it, as many of the TTPs it discusses seem just as relevant today.
One of the TTPs that jumps out is what Symantec calls “Dual-use Tools”. The example they call out is:
net user /add [username] [password]
net localgroup administrators [username] /add
From an attacker's point of view this is ideal: built-in administrative tools let the activity hide in the noise of normal business operations. That increases the importance of proper monitoring of administrative activity; relying on access restrictions alone is not enough.
The ISTR goes on to show some common threat actors and the dual-use tools included in their attack chains, an interesting play-by-play that you could consider discussing as a tabletop exercise. What do you have in place to prevent these attack chains? How could you detect the usage? What would you do to contain the incident?
The report goes into much more detail, and also covers other TTPs such as leveraging GPOs and Task Scheduler, and various memory-based attacks. I highly recommend giving it a read.
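As an added defensive example (not code from the Symantec report or from this post), the following Python flags the two `net` commands above in process-creation telemetry and raises severity when account creation is followed by a local-administrators grant on the same host within a short window. The pipe-delimited record format and the sample events are constructed for illustration; the group name assumes an English-locale "Administrators".

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-creation records (Windows Security 4688 / Sysmon Event ID 1
# style), one per line: timestamp|host|subject user|command line. Not real telemetry.
SAMPLE_EVENTS = """\
2017-07-12T09:00:01|WS-042|CORP\\jdoe|C:\\Windows\\System32\\net.exe user /add backup_svc P@ssw0rd!
2017-07-12T09:00:03|WS-042|CORP\\jdoe|C:\\Windows\\System32\\net1.exe LOCALGROUP Administrators backup_svc /ADD
2017-07-12T09:05:00|WS-017|CORP\\helpdesk|net user alice
2017-07-12T10:30:00|SRV-01|CORP\\svc-deploy|net user /add deployer Summ3r2017
2017-07-12T13:30:00|SRV-01|CORP\\svc-deploy|net localgroup administrators deployer /add
"""

# net.exe hands most subcommands to net1.exe, so match both binaries (with or without a path
# and .exe); /add may appear anywhere on the line. "administrators" assumes an English locale.
USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\b(?=.*\s/add\b)", re.I)
ADMIN_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b(?=.*\s/add\b)", re.I)


def classify(cmdline):
    """Label a command line as one of the two dual-use steps, or None if neither."""
    if USER_ADD.search(cmdline):
        return "user_add"
    if ADMIN_ADD.search(cmdline):
        return "admin_group_add"
    return None


def parse_events(text):
    """Turn the constructed pipe-delimited records into dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd})
    return events


def detect(events, window=timedelta(minutes=10)):
    """Emit a medium alert per dual-use step, plus a high alert when a user_add on a host is
    followed by an admin_group_add on the same host within `window` (the chain in the report)."""
    alerts, last_user_add = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        step = classify(ev["cmd"])
        if step is None:
            continue
        alerts.append(("medium", ev["host"], ev["user"], step))
        if step == "user_add":
            last_user_add[ev["host"]] = ev["ts"]
        elif ev["host"] in last_user_add and ev["ts"] - last_user_add[ev["host"]] <= window:
            alerts.append(("high", ev["host"], ev["user"], "user_add then admin_group_add"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data WS-042 produces the high-severity chain alert, while SRV-01's two steps are three hours apart and stay as separate medium alerts for an analyst to review against change records.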
I also gave a webinar this past week “How to Use PCI DSS for a Stronger IT Security Posture and Streamline your Compliance Efforts”. The slides and recording can be found here.