This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Blog
- Another great threat Profile... Shell_Crew
Anonymous
Not applicable
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
2014-01-23
10:31 AM
Another great find. As pointed out by Rui.A too!
The RSA Incident Response (RSA IR) team has developed an in-depth report called Emerging
Threat Profile: Shell_Crew, where they detail the TTPs used by an adversary
that we have dubbed “Shell_Crew.” The Shell_Crew report is based on RSA IR’s
multiple incident response engagements involving a group of advanced threat
actors whose objective is to gain access, stay entrenched and ultimately steal
as much data and intellectual property as possible.
It appears that Shell_Crew has persisted in enterprises of
varying sizes for years without being detected – updating or replacing existing
malicious backdoors and continuing to map the enterprise while installing Web
shells and poisoning existing web pages. These tenacious approaches make it
difficult for an under resourced internal security team to detect and remediate
the actions of this adversary.
The report is now live at http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf,
and a blog detailing the threat is also now live on Speaking of Security
(https://blogs.rsa.com/dissecting-tactics-techniques-advanced-adversary/).
A few of the highlights include:
- Prevalent use of Web shells to maintain low level
persistence in spite of determined remediation efforts; - Altering or poisoning existing legitimate web pages
maintained by an organization; - Occasional use of Web application framework exploits to
achieve initial entry versus standard spearfishing attacks; - Lateral movement and compromise of Digital Code Signing
Certificate infrastructure; - Abuse of Code Signing infrastructure to validly sign custom
backdoor malware; - Exploiting systems using different SETHC.exe methods
accessible via Remote Desktop Protocol (RDP); - Long history of IP/DNS telemetry allowing for historical
research and link analysis; - Placement of malicious proxy tools introduced into the
environment on Windows server based proxies to bypass proxy logging; - Extensive use of time/date stomping of malicious files to
hinder forensic analysis; and - Malware leveraging compromised credentials to bypass
authentication NTLM proxies (proxy aware).
Check out the full report. Feel free to add thoughts and comments!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Latest Articles
- Using NetWitness to Detect Phishing reCAPTCHA Campaign
- Netwitness Platform Integration with Amazon Elastic Kubernetes Service
- Netwitness Platform Integration with MS Azure Sentinel Incidents
- Netwitness Platform Integration with AWS Application Load Balancer Access logs
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- New HotFix: Addresses Kernel Panic After Upgrading to 12.4.1
- Automation with NetWitness: Core and NetWitness APIs
- HYDRA Brute Force
- DDoS using BotNet Use Case
Labels
-
Announcements
64 -
Events
12 -
Features
12 -
Integrations
15 -
Resources
68 -
Tutorials
32 -
Use Cases
31 -
Videos
119
