Once in
Why would you want to install extra software once you have gained root access? Inside the network the standard tools would be totally sufficient, but installing new stuff could set off tripwires.
Hackers almost exclusively use standard network admin tools to move around a compromised network once they’ve broken in using malware or other hacking techniques. Researchers at security startup LightCyber found that 99 per cent of post-intrusion cyberattack activities did not employ malware, but rather employed standard …
Keyloggers are nice, but you can get web passwords from cache and RAM. Windows passwords are hashed with no salt and available from the directory and RAM. Most everything they are looking for can be found in snapshot (system restore) data. You go where the admins are not looking. In many cases admins are clueless that these spots have the goods to begin with.
Well, back in the day we'd usually have to install some basic software that was never shipped in order to get stuff up there, because you'd usually only have root (admin, whatever) in the namespace of the unpatched application. You could see the rest of the server, but, to use the most commonly attacked and most commonly vulnerable system as an example, you'd have to get root in the Windows shell namespace too. It would usually be a TFTP server, which would fly totally under the radar, enable you to work in hidden directories, and which would enable you to get the stuff you needed to get into the rest of the system, which would then enable you to first patch that vulnerability so no one else would screw with it, and then set yourself up as a regular administrator. Of course, you'd then remove all the other stuff you'd used and clear the logs. So even if someone did notice suspicious activity, all they'd see was that the vulnerable application was patched. They wouldn't be able to see what you did, how you did it, where you were connected from, or what else you did, unless they were monitoring changes.
I'd hope / expect there to be some separation of duty in medium and large orgs. The admin could be a virtualisation, workstation, server, network, DB, account, etc. admin with a limited toolset. Of course this may not be the case, or maybe loads of accounts got pwned, but an attacker would need to assess the tools at their immediate disposal and maybe make a decision to bring their own. Just being root/SU/administrator doesn't mean a ready supply of useful standard / non-standard hacking and debug tools.
"LightCyber discovered that attackers commonly use standard administrator and remote desktop tools to conduct reconnaissance or for lateral movement rather than, as might be imagined, malware."
DOH! I would never have figured that, and get a load of the logo :) Not sure if it's wise posting the 'Cyber Weapons 2016 Report' as a PDF, considering the report mentions 'PDF Exploit Generator', an app that generates malicious PDF files that can infect vulnerable PDF applications.
--
You are being watched. The government has a secret system, a machine that spies on you every hour of every day.
They are extremely loud and you don't need LightCyber or HeavyCyber to detect it :)
Nevertheless it will take you probably forever to scan the entire segments.
There is a new thing called "Active Directory" you should check it out.
Also it allows you to simply take the entire data away using only one query :)
So probably the guys there haven't seen the Light (of cyber).
https://github.com/PyroTek3/PowerShell-AD-Recon
https://github.com/PowerShellMafia/PowerSploit
I suspect that the shotgun approach was used when aggregating and analyzing numbers - and systems. Consider... how many uses of Angry IP, Nmap, et al, have been and are being accomplished by viewers, readers, customers who are wondering whose cookies, web bugs and other time-wasting, bandwidth-stealing crap they are being bombarded with?
Even this page uses DoubleClick and Google Analytics...