Прослушивание сетевого трафика

Обнаружение

Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a Adversary-in-the-Middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes. In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors.

Ссылки

1. Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.
2. Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.
3. Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.
4. Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
5. Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.
6. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
7. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.
8. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.
9. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
10. Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
11. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
12. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
13. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
14. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
15. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
16. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
17. SecureAuth. (n.d.). Retrieved January 15, 2019.
18. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
19. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
20. Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
21. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
22. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
23. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
24. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
25. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.