10 21 2024 - rtji0/Arthur-Tech-Journal GitHub Wiki

10-21-2024

On-Path Attacks

  • Occurs when a threat actor positions themselves between two communicating users or devices

  • Can occur without either party's knowledge of the attacker

  • Attacker has flexibility - can eavesdrop on or even modify messages before they reach the recipient

  • Man-in-the-middle (MITM), where a threat actor is positioned in a communication between two parties with the goal of eavesdropping on or impersonating one of the parties

  • Usually takes two phases: intercepting the traffic, then decrypting the transmissions


  • Man-in-the-browser (MITB) attacks intercept communication between parties to steal or manipulate data - occurs between a browser and the underlying computer

  • Trojan infects the computer, installing an "extension" into the browser config, and waits for information such as passwords to be entered, at which point the data is captured and sent to the attacker

Domain Name System (DNS) Attacks

  • A hierarchical naming system for matching computer names to IP addresses

  • DNS-based attack substitutes a DNS address so that the computer is silently redirected to a different device (e.g., redirecting to a fake Google/Gmail site where the user is prompted to enter credentials, which are promptly stolen)

  • DNS attack consequences: URL redirection, damage to domain reputation

  • DNS poisoning - modifies the local hosts file on a device to point to a different domain - threat actors will add a single entry that directs the computer to a DNS server that is under attacker control

  • DNS hijacking - intended to infect an external DNS server with IP addresses that point to malicious sites - has the advantage of redirecting ALL users to their servers - attackers attempt to exploit a protocol flaw and convince the authentic DNS server to accept fraudulent DNS entries sent from the attackers' DNS server
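The hosts-file tampering described under DNS poisoning is something a defender can check for directly. The script below is an added example, not part of the original notes: it parses hosts-file text and flags any well-known domain that has been pinned to a non-loopback address. The hosts content, the watch list of domains and the 10.13.37.5 address are all constructed for the example.

```python
# Added example (not from the original notes): audit a hosts file for entries
# that override well-known public domains, the tampering used in DNS poisoning.
import ipaddress
from typing import Dict, List, Tuple

# Hosts-file content constructed for this example; 10.13.37.5 is a placeholder.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan   # office printer

# Suspicious override: public login domains pinned to an unrelated address
10.13.37.5      accounts.google.com www.gmail.com
"""

# Domains that should always resolve through real DNS, never via the hosts file.
# Constructed watch list for the example; a real check would carry its own list.
WATCHED_DOMAINS = {"google.com", "gmail.com", "microsoft.com", "login.live.com"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every data line, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip inline and full-line comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line: skip, don't crash
        if names:
            entries.append((ip, names))
    return entries


def _is_watched(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(text: str) -> Dict[str, str]:
    """Map each watched hostname to the address it was pinned to.

    Loopback and unspecified pins (127.0.0.1 / 0.0.0.0, as used by ad-blocking
    hosts lists) are ignored; those sink traffic rather than redirect it.
    """
    findings: Dict[str, str] = {}
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            if _is_watched(name):
                findings[name.lower()] = ip
    return findings


if __name__ == "__main__":
    for host, ip in find_suspicious(SAMPLE_HOSTS).items():
        print(f"hosts-file override: {host} -> {ip}")
```

Run it against the real file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) by reading that file into `find_suspicious`; an empty result means none of the watched domains is being overridden locally.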


Distributed Denial of Service (DDoS) Attacks

  • Denial of service (DoS) attack is a deliberate attempt to prevent authorized users from using or accessing a system by overwhelming it with requests

  • Most DoS attacks today are DDoS attacks, which use hundreds or thousands of devices flooding the server with requests

  • Devices participating in DDoS attacks are infected and controlled by threat actors so that users are completely unaware that their endpoints are part of a DDoS attack

  • Uses large numbers of compromised devices, each sending bogus requests

  • Amplified attacks (reflection attacks): a threat actor attacks a misconfigured Internet device or service in a way that causes the device or service to reflect and generate an even larger payload at the ultimate target
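The two flood shapes in the notes above (one source hammering the server, or many compromised devices each sending a modest number of bogus requests) call for two different detection views. The code below is an added example, not from the original notes: it replays constructed web-server log lines through a sliding-window counter, once per source IP and once in aggregate. The log lines, thresholds and addresses (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges) are all constructed for the example.

```python
# Added example (not from the original notes): sliding-window request counting
# over constructed log lines, per source and in aggregate, to flag (D)DoS floods.
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def _line(sec: int, ip: str) -> str:
    # Constructed log line: "<timestamp> <client ip> <request>"
    return f"2024-10-21T10:00:{sec:02d} {ip} GET /login HTTP/1.1"


# Constructed traffic, sorted into time order:
#   - one legitimate client at one request every 2 s for a minute (30 lines)
#   - one source flooding at 8 requests/s for 10 s (80 lines)
#   - 25 "bot" addresses at 1 request/s each for 10 s (250 lines), each one
#     individually unremarkable, which is the distributed case from the notes
SAMPLE_LOG: List[str] = sorted(
    [_line(s, "203.0.113.7") for s in range(0, 60, 2)]
    + [_line(s, "198.51.100.9") for s in range(10) for _ in range(8)]
    + [_line(s, f"192.0.2.{i}") for i in range(1, 26) for s in range(10)]
)


def parse_line(line: str) -> Tuple[datetime, str]:
    ts_str, ip, _request = line.split(" ", 2)
    return datetime.strptime(ts_str, LOG_FORMAT), ip


def _slide(window: Deque[datetime], ts: datetime, window_seconds: int) -> None:
    """Append ts and evict everything older than the window (input must be time-ordered)."""
    window.append(ts)
    while (ts - window[0]).total_seconds() >= window_seconds:
        window.popleft()


def flood_sources(lines: List[str], window_seconds: int = 10, threshold: int = 50) -> Dict[str, int]:
    """Return {ip: peak requests in any window} for sources exceeding the threshold."""
    per_ip: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        ts, ip = parse_line(line)
        _slide(per_ip[ip], ts, window_seconds)
        count = len(per_ip[ip])
        if count > threshold:
            peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks


def total_peak(lines: List[str], window_seconds: int = 10) -> int:
    """Peak request count in any window regardless of source; this is the view
    that still shows a distributed flood when no single IP trips the per-source rule."""
    window: Deque[datetime] = deque()
    peak = 0
    for line in lines:
        ts, _ip = parse_line(line)
        _slide(window, ts, window_seconds)
        peak = max(peak, len(window))
    return peak


if __name__ == "__main__":
    print("per-source offenders:", flood_sources(SAMPLE_LOG))
    print("aggregate peak per 10 s window:", total_peak(SAMPLE_LOG))
```

On this sample the per-source rule names only 198.51.100.9, while the 25 bot addresses stay under the threshold; the aggregate counter is what exposes them, which is why rate limiting per client is not enough on its own against a distributed flood.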

Malicious Coding and Scripting Attacks

  • Some network attacks come from malicious software code and scripts

  • PowerShell is a task automation and configuration management framework from Microsoft

  • Admin tasks are performed by cmdlets which are specialized .NET classes that implement a specific operation

  • PowerShell allows attackers to inject code from the PowerShell environment into other processes without first storing any malicious code on the hard disk

  • Visual Basic for Applications (VBA) is an event-driven Microsoft programming language - allows developers and users to automate processes that normally would take multiple steps or levels of steps

  • VBA is most often used to create macros, which are used to automate a complex task or a repeated series of tasks - macros date back to late 1990s but continue to be a key attack vector

  • Python is a programming language that can run on several OS platforms - best Python practices include: using the latest version of Python, staying current on Python vulnerabilities, taking care when formatting strings in Python, downloading only vetted Python libraries

  • Bash is the command language interpreter for Linux/UNIX OS

  • Bash scripting is using Bash to create a script

  • Exploits have taken advantage of vulnerabilities in Bash - e.g., one vulnerability allowed attackers to remotely attach a malicious executable to a variable that is executed when Bash is invoked
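The "taking care when formatting strings in Python" practice listed above is concrete enough to show in code. The example below is added here and is not from the original notes: it puts a vulnerable pattern (untrusted text used as the `str.format` template, which lets the caller walk attributes of the objects passed in) beside two safe ones. The `Settings` class, its placeholder key and the greeting templates are constructed for the example.

```python
# Added example (not from the original notes): unsafe vs. safe string formatting
# when part of the text comes from an untrusted source.
from dataclasses import dataclass
from string import Template


@dataclass
class Settings:
    app_name: str
    api_key: str  # sensitive; the value below is a constructed placeholder


SETTINGS = Settings(app_name="journal", api_key="PLACEHOLDER-KEY")


def greet_unsafe(template: str) -> str:
    # Vulnerable: str.format resolves attribute and index lookups written in the
    # template, so whoever controls the template can read any attribute of the
    # objects handed to format(), not just the field the developer intended.
    return template.format(cfg=SETTINGS)


def greet_safe(user_text: str) -> str:
    # Safe: the template is a literal in the code; untrusted text is only ever an
    # argument, so any braces it contains are copied through as plain characters.
    return "Welcome to {app}, {name}".format(app=SETTINGS.app_name, name=user_text)


def greet_user_template(template: str, user_text: str) -> str:
    # When users genuinely need to supply their own template, string.Template does
    # only $name substitution from the mapping it is given: no attribute or index
    # traversal exists, and unknown names are left untouched by safe_substitute().
    return Template(template).safe_substitute(app=SETTINGS.app_name, name=user_text)


if __name__ == "__main__":
    print(greet_safe("Arthur"))
    print(greet_user_template("Hi $name, welcome to $app", "Arthur"))
```

The rule the three functions illustrate: the format template must be a constant under the developer's control; if users must author templates, use `string.Template` (or an explicit placeholder scheme you parse yourself) rather than `str.format`.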