![]() Industroyer can use supplied user credentials to execute processes and stop services. GALLIUM leveraged valid accounts to maintain access to a victim network. įox Kitten has used valid credentials with various services during lateral movement. įIN8 has used valid accounts for persistence and lateral movement. įIN7 has harvested valid administrative credentials for lateral movement. To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes. įIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment. ![]() įIN4 has used legitimate credentials to hijack email communications. įIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. Īdversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). ĭtrack used hard-coded credentials to gain access to a network share. ĭragonfly has compromised user credentials and used valid accounts for operations. Ĭhimera has used a valid account to maintain persistence via scheduled task. Ĭarbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. Īxiom has used previously compromised administrative accounts to escalate privileges. ĪPT41 used compromised credentials to log on to other systems. ĪPT39 has used stolen credentials to compromise Outlook Web Access (OWA). ĪPT33 has used valid accounts for initial access and privilege escalation. ĪPT29 used different compromised credentials for remote access and to move laterally. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. ĪPT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. ĪPT18 actors leverage legitimate credentials to log into external remote services. The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. ![]() Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. In order to rule out a network routing or firewall issue I logged into an AWS EC2 instance in our same region and tested access to the endpoint URL via curl, and this was successful.Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (I should note that in both cases, I am trying to proxy to an https address, not just http.) My endpoint is on my internal company network, but as a test I also tried proxying to an Internet address and this failed with the same error. However, if I set my endpoint to be a non-AWS URL I get back a 500 response and I see in my API gateway Cloudwatch log:Įxecution failed due to configuration error: Invalid endpoint address If I set my endpoint to be another AWS API gateway, it works. I'm creating a proxy resource with resource path / and enabling API gateway CORS, then creating ANY method as HTTP Proxy and content handling passthrough (just like the petshop example in the above mentioned example). The issue I'm running into is that it seems to work if my endpoint URL is another AWS API gateway, but I can't get it to work for any other URL. I am trying to use an AWS API gateway to configure simple http proxy, following the example from this page: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |