Hacking Exposed - Real-World Tradecraft of Bears, Pandas and Kittens
Offered By: RSA Conference via YouTube
Course Description
Overview
Explore real-world case studies of advanced intrusions in this 47-minute RSA Conference talk by Dmitri Alperovitch, Co-Founder and CTO of CrowdStrike. The session walks through demos and mitigations for high-profile intrusions, including the Democratic National Committee breach, and compares the tradecraft of state-sponsored actors that CrowdStrike tracks as Bears (Russia), Pandas (China) and Kittens (Iran). Topics include initial infection via malicious LNK files and macro documents, privilege escalation with the UACMe UAC-bypass collection and kernel 0-day exploits, credential theft, persistence through WMI permanent event subscriptions and svchost-hosted service DLLs, and exfiltration using disguised RAR archives. The talk closes with the value of cyber threat intelligence and countermeasures against these attacks.
Syllabus
Intro
POWER OF THE ACADEMY
INITIAL INFECTION: BEAR TACTIC - MALICIOUS LNK
LNK FILE COMPONENTS
LNK FILE CONSTRUCTION
INITIAL INFECTION: PANDA TACTIC - MACRO DOCUMENT
PRIVILEGE ESCALATION: BEAR TACTIC - UACME #23
HIGH LEVEL EXPLANATION: USMDISM METHOD
PRIVILEGE ESCALATION: PANDA TACTIC - KERNEL 0-DAY
CREDENTIAL THEFT: BEAR & PANDA - IT'S A TIE!
PERSISTENCE: BEAR TACTIC - WMI EVENT SUBSCRIPTION
WMI EVENT SUBSCRIPTION BREAKDOWN
PERSISTENCE: PANDA TACTIC - SERVICEDLL
REGISTERING THE SERVICE
COUNTERMEASURES
EXFILTRATION: PANDA TACTIC - DISGUISED RAR
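The two persistence mechanisms in the syllabus (WMI event subscriptions and service DLLs) are also the easiest to hunt for. The script below is added here as an example and is not code from the talk or from CrowdStrike; it assumes an elevated PowerShell 5.1 or later session on the host being examined, and the function names Get-WmiPersistence and Get-ServiceDllPersistence are my own.

```powershell
# Added example, not part of the RSA talk or CrowdStrike tooling: hunt for the
# two persistence mechanisms the syllabus names (WMI event subscriptions and
# svchost-hosted ServiceDlls). Run in an elevated PowerShell session on the host.

function Get-WmiPersistence {
    # A permanent WMI subscription needs three objects in root\subscription:
    # an __EventFilter (trigger query), an __EventConsumer (payload) and a
    # __FilterToConsumerBinding that ties them together. Walk the bindings.
    $ns = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Get-CimInstance returns the Filter/Consumer references as objects whose
        # key property is Name (Get-WmiObject would return a path string instead).
        $filterName   = $b.Filter.Name
        $consumerName = $b.Consumer.Name
        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }

        # Only two consumer classes execute attacker-supplied code inline.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '<no inline payload>' }
        }

        [pscustomobject]@{
            Filter       = $filterName
            Trigger      = $f.Query          # e.g. an __InstanceModificationEvent on Win32_LocalTime
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $consumerName
            Payload      = $payload
        }
    }
}

function Get-ServiceDllPersistence {
    # svchost-hosted services load the DLL named in
    # HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll.
    # A planted service, or a hijacked Parameters key, shows up here.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root) {
        $svcKey = "$root\$($svc.PSChildName)"
        $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Service    = $svc.PSChildName
            ImagePath  = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            ServiceDll = $path
            InSystem32 = $path -like "$env:SystemRoot\System32\*"
            Signature  = if ($sig) { $sig.Status } else { 'FileMissing' }
        }
    }
}

# Usage: review every subscription (a clean host normally has only a handful,
# such as the built-in SCM Event Log Consumer), and flag ServiceDlls that are
# unsigned, missing, or outside System32.
Get-WmiPersistence | Format-List
Get-ServiceDllPersistence |
    Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Read the output as leads rather than verdicts: a well-placed implant drops its DLL into System32 and registers a plausible service name, so the signature status and the binding's trigger query matter more than the path, and anything unexpected should be confirmed by hashing the file and pulling the creation timestamps of the service key and the DLL.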
Taught by
RSA Conference
Related Courses
Computer Security - Stanford University via Coursera
Cryptography II - Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story - University of London International Programmes via Coursera
Building an Information Risk Management Toolkit - University of Washington via Coursera
Introduction to Cybersecurity - National Cybersecurity Institute at Excelsior College via Canvas Network