Analysis on legit tools abused in human-operated ransomware
SANS Ransomware Summit 2023
Speakers:
Toru Yamashige, Senior Incident Response Consultant, Trend Micro Inc.
Keisuke Tanaka, Principal Incident Response Consultant, Trend Micro Inc.
As the detection logic of AV vendors improves, threat actors employ countermeasures to evade it. One of the most common ways in which threat actors hide from detection and carry out their malicious activities is by abusing legitimate tools. We believe that "legitimate tools" can be classified into the three categories below, with a marked increase in the number of cases in which "commercial tools" are being abused:

- MS native tools, such as PsExec, PowerShell, and WMI.
- Legitimate penetration testing tools, including Cobalt Strike, Metasploit, and Mimikatz.
- Commercial tools, such as Atera, AnyDesk, and Splashtop.

Regarding MS native tools, techniques such as LOLBAS and LOLBIN are well researched, and AV vendors are making efforts to detect penetration testing tools. We feel that threat actors are likely to abuse commercial tools these days, as these tools are highly functional and commonly used in corporate operations. There is, however, little research on the exact functionalities of these tools, the traces they leave behind when abused, and countermeasures to prevent such abuse. Therefore, in this presentation we will focus on actual incident cases where commercial tools were abused and explain the details based on the following three points:

Chapter 1: Introducing actual incident response cases we have supported in which commercial tools were abused, and describing the functionalities of those tools.

Chapter 2: Explaining the traces and artifacts left behind when the tools are abused in an attack, so that the audience can use this information in their own incident response investigations.

Chapter 3: Describing effective countermeasures against attacks that exploit these tools, which will be useful for containment during incident response and for consideration during normal operations.