Hackers: Ditch the malware, we're in... Just act like a normal network admin. *Whistles*

Hackers almost exclusively use standard network admin tools to move around a compromised network once they’ve broken in using malware or other hacking techniques. Researchers at security startup LightCyber found that 99 per cent of post-intrusion cyberattack activities did not employ malware, but rather employed standard …

  1. Anonymous Coward
    Anonymous Coward

    Once in

    Why would you want to install extra software once you have gained root access; inside the network the standard tools would be totally sufficient, but installing new stuff could set off tripwires

    1. adnim
      Happy

      Re: Once in

      Exactly my thoughts, you beat me to it, have an up!

    2. Anonymous Coward
      Anonymous Coward

      Re: Once in

      But you might well expect a keylogger to be installed to capture all passwords (imagine getting hold of a password wallet master password), apparently not?

      1. Fan of Mr. Obvious

        Re: Once in

        Keyloggers are nice, but you can get web passwords from cache and RAM. Windows passwords are hashed with no salt and available from the directory and RAM. Most everything they are looking for can be found in snapshot (system restore) data. You go where the admins are not looking. In many cases admins are clueless that these spots have the goods to begin with.

    3. Jay 2

      Re: Once in

      That is true, but maybe the systems involved didn't have said hackers' fave tools?

      1. Fan of Mr. Obvious

        Re: Once in

        If they are not then they will just install standard tools that admins expect to find -- think SysInternals. PowerShell is making the need to pull tools in moot since it is the ultimate swiss army knife.

    4. Anonymous Coward
      Anonymous Coward

      Re: Once in

      As the current vendor install trend seems to include every package off the install + extras disks including gcc and make etc, or loads of extra admin tools on the windows server side, they probably don't need to add any new packages.

    5. Anonymous Coward
      Anonymous Coward

      Re: Once in

      Well, back in the day we'd usually have to install some basic software that was never shipped in order to get stuff up there, because you'd usually only have root (admin, whatever) in the namespace of the unpatched application. You could see the rest of the server, but, to use the most commonly attacked and most commonly vulnerable system as an example, you'd have to get root in the Windows shell namespace too. It would usually be a TFTP server, which would fly totally under the radar, enable you to work in hidden directories, and which would enable you to get the stuff you needed to get into the rest of the system, which would then enable you to first patch that vulnerability so no one else would screw with it, and then set yourself up as a regular administrator. Of course, you'd then remove all the other stuff you'd used and clear the logs. So even if someone did notice suspicious activity, all they'd see was that the vulnerable application was patched. They wouldn't be able to see what you did, how you did it, where you were connected from, or what else you did, unless they were monitoring changes.
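The comment above ends on the one thing that would have caught this activity: change monitoring. As an added example (not from the thread, The Register or LightCyber), here is a minimal file-integrity baseline in Python: hash every file under a directory, store the result, and later diff a fresh snapshot against it to surface patched binaries, dropped tools and truncated logs. The directory layout and file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; return sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline an application directory, then apply the
    kind of changes the comment describes and report what the diff sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "service.dll").write_bytes(b"vulnerable build 1.0")   # constructed
        (root / "app" / "config.ini").write_text("debug=0\n")
        (root / "logs").mkdir()
        (root / "logs" / "access.log").write_text("line1\nline2\n")
        baseline = snapshot(root)

        # Simulated post-intrusion state: binary silently patched, an extra
        # transfer tool dropped, the log emptied. Names are constructed.
        (root / "app" / "service.dll").write_bytes(b"patched build 1.1")
        (root / "app" / "tftpd.exe").write_bytes(b"transfer tool")
        (root / "logs" / "access.log").write_text("")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline dictionary is what you would persist somewhere the monitored host cannot alter it; the diff is the part you run on a schedule. Note that a log that was emptied shows up as "modified", not "removed", which is exactly the signal the comment says the victims in that story never had.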

    6. Anonymous Coward
      Anonymous Coward

      Re: Once in

      I'd hope / expect there be some separation of duty in medium and large orgs. The admin could be a virtualisation, workstation, server, network, DB, account, etc admin with a limited toolset. Of course this may not be the case or maybe loads of accounts got pwned, but an attacker would need to assess tools at their immediate disposal and maybe make a decision to bring their own. Just being root/SU/administrator doesn't mean a ready supply of useful standard / non-standard hacking and debug tools.

  2. Anonymous Coward
    Anonymous Coward

    Around here

    anyone using standard tools in a way that shows they know what they are doing would immediately stand out.

    Not a joke - and Anon for that very reason as I like it here despite everything

  3. Anonymous Coward
    Big Brother

    Laser sharp technical analysis from LightCyber.

    "LightCyber discovered that attackers commonly use standard administrator and remote desktop tools to conduct reconnaissance or for lateral movement rather than, as might be imagined, malware."

    DOH! I would never have figured that, and get a load of the logo :) Not sure if it's wise posting the 'Cyber Weapons 2016 Report' as a PDF, considering that the report mentions 'PDF Exploit Generator', an app that generates malicious PDF files that can infect vulnerable PDF applications

    --

    You are being watched. The government has a secret system, a machine that spies on you every hour of every day.

    1. Random Handle

      Re: Laser sharp technical analysis from LightCyber.

      >DOH! I would never have figured that, and get a load of the logo :)

      Is it a huge bear shitting in the woods?

  4. Anonymous Coward
    Anonymous Coward

    No one in the real world is using NMAP or a scanning tool in the internal network!

    They are extremely loud and you don't need LightCyber or HeavyCyber to detect it :)

    Nevertheless it will take you probably forever to scan the entire segments.

    There is a new thing called "Active Directory" you should check it out.

    Also it allows you to simply take the entire data away using only one query :)

    So probably the guys there haven't seen the Light (of cyber)

    https://github.com/PyroTek3/PowerShell-AD-Recon

    https://github.com/PowerShellMafia/PowerSploit
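The commenter's point that internal scanning is "extremely loud" is easy to demonstrate. The following is an added example, not code from the thread or from the linked projects: a small Python detector that reads connection records (format and values constructed here) and flags any source that touches many distinct hosts (a sweep) or many distinct ports on one host (a port scan) inside a sliding time window, while an admin's routine RDP/SMB sessions to two servers pass untouched. Thresholds and the log format are assumptions; adapt them to whatever your firewall or flow collector emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record format (constructed): ISO timestamp, then key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_scanners(lines, window_seconds=60, host_threshold=10, port_threshold=15):
    """Return {src: reason} for every source whose activity inside any
    window_seconds-long window reaches host_threshold distinct destination
    hosts or port_threshold distinct destination ports."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            hosts = {d for _, d, _ in current}
            ports = {p for _, _, p in current}
            if len(hosts) >= host_threshold:
                alerts[src] = f"horizontal sweep: {len(hosts)} hosts in {window_seconds}s"
                break
            if len(ports) >= port_threshold:
                alerts[src] = f"vertical scan: {len(ports)} ports in {window_seconds}s"
                break
    return alerts


def sample_log():
    """Constructed connection records (not real data): one admin doing normal
    work, one source sweeping a /24 on 445, one source walking ports on a host."""
    base = datetime(2016, 7, 26, 10, 0, 0)
    lines = []

    def rec(sec, src, dst, dport):
        ts = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts} src={src} dst={dst} dport={dport} proto=tcp")

    for i in range(6):                       # admin: two servers, ten minutes
        rec(i * 100, "10.0.0.5", "10.0.0.20", 445)
        rec(i * 100 + 30, "10.0.0.5", "10.0.0.21", 3389)
    for i in range(30):                      # sweep: 30 hosts in 30 seconds
        rec(200 + i, "10.0.0.99", f"10.0.1.{i + 1}", 445)
    for i in range(20):                      # port scan: 20 ports in 10 seconds
        rec(400 + i // 2, "10.0.0.77", "10.0.0.50", 20 + i)
    return lines


if __name__ == "__main__":
    for src, reason in detect_scanners(sample_log()).items():
        print(f"{src}: {reason}")
```

The same sliding-window logic generalises beyond TCP connections: feed it LDAP bind or query records keyed by account instead of source IP and the "one query takes the whole directory" case the commenter mentions becomes a count of distinct objects returned per window rather than distinct hosts.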

  5. shovelDriver

    A Diagnosis which favors Implementation of Yet More Tracking

    I suspect that the shotgun approach was used when aggregating and analyzing numbers - and systems. Consider . . . how many uses of Angry IP, NMap, et al, has been and is being accomplished by viewers, readers, customers who are wondering whose cookies, web bugs and other time-wasting bandwidth-stealing crap they are being bombarded with?

    Even this page uses DoubleClick and Google Analytics . . .
