⚔️ Common Attack Scenarios

Typical attack scenarios and how to detect them

🦠
Ransomware Attack
Data Encryption & Extortion
⏱️ Attack Timeline
  • T+0
    Phishing email with a macro-enabled attachment delivered
  • T+5 min
    Dropper downloads the payload
  • T+30 min
    Lateral movement via SMB
  • T+2 hours
    Security tooling and backups disabled
  • T+3 hours
    Encryption begins
🔍 Indicators of Compromise
  • vssadmin.exe delete shadows /all /quiet
  • bcdedit /set {default} recoveryenabled no
  • Files with extensions such as .locked, .encrypted
  • Ransom note dropped in every folder
  • Sudden spike in CPU and disk usage
📋 SIEM Detection Rules
Event ID 4688 AND CommandLine CONTAINS "vssadmin" AND "delete"
Process Creation: wmic.exe shadowcopy delete
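The two rules above, implemented as an added example (not code from this page) over constructed process-creation records. It normalizes the command line before matching, because "vssadmin  DELETE Shadows" inside a cmd.exe /c wrapper is the same technique as the canonical form, and it escalates a host where several distinct recovery-inhibition techniques fire together. Field names and the bcdedit/wbadmin variants are assumptions. One caveat the rule lines do not state: Security Event ID 4688 only carries the command line when "Include command line in process creation events" is enabled in group policy; Sysmon Event ID 1 always logs it.

```python
import re

# Constructed process-creation records modelled on Windows Security 4688 / Sysmon Event ID 1.
# Field names are an assumption for this example, not a particular SIEM's schema.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "CORP\\alice", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "user": "CORP\\alice", "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "SRV02", "user": "CORP\\backupsvc", "cmdline": "vssadmin.exe list shadows"},  # benign admin check
    {"host": "WS03", "user": "CORP\\bob", "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
    {"host": "WS01", "user": "CORP\\alice",  # casing and spacing games must not bypass the rule
     "cmdline": 'cmd.exe /c "vssadmin   DELETE   Shadows /All /Quiet"'},
]

# Recovery-inhibition techniques seen before encryption starts. Each regex runs on the
# normalized command line, so "delete" followed later by "shadows" in any casing matches.
RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("recovery_disabled_bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("boot_failures_ignored_bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b")),
    ("backup_catalog_delete_wbadmin", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse runs of whitespace so casing/spacing tricks do not evade the regexes."""
    return " ".join(cmdline.lower().split())


def match_rules(event: dict) -> list:
    cmd = normalize(event["cmdline"])
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events: list) -> list:
    """One alert per (event, rule) pair."""
    return [
        {"host": ev["host"], "user": ev["user"], "rule": name, "cmdline": ev["cmdline"]}
        for ev in events
        for name in match_rules(ev)
    ]


def hosts_with_multiple_techniques(alerts: list, threshold: int = 2) -> dict:
    """Escalate hosts where several distinct techniques fired: one vssadmin call can be admin work,
    shadow deletion plus recovery disabled in the same session almost never is."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:6} {a['rule']:30} {a['cmdline']}")
    print("escalate:", hosts_with_multiple_techniques(found))
```

Running it flags the four malicious command lines on WS01 and leaves the backup operator's `vssadmin list shadows` alone; WS01 is escalated because three different techniques fired there.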
🚨 Response Actions
  • Isolate infected hosts (Immediate)
  • Disconnect network shares (Immediate)
  • Verify backup integrity (High)
  • Activate the DR plan (High)
🎣
Phishing Campaign
Credential Harvesting
⏱️ Attack Timeline
  • T+0
    Mass phishing mailout
  • T+15 min
    First clicks on the links
  • T+30 min
    Credentials entered on the fake page
  • T+1 hour
    Login attempts with the stolen credentials
  • T+2 hours
    Mailbox access and mail sent in the victim's name
🔍 Indicators
  • Mass inbound mail from a single domain
  • Typosquatting and homoglyph domains (microsоft.com, where one o is actually a Cyrillic о)
  • Shortened URLs (bit.ly, tinyurl)
  • Urgency in the subject line
  • Multiple failed logins
📋 Detection Rules
Email Gateway: FROM domain age < 7 days AND attachment.type = HTML
Auth logs: Failed login > 5 in 10 minutes FROM different GeoIP
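The auth-log rule above, as an added example (not code from the page) run over constructed log lines with a constructed GeoIP table standing in for a real lookup. It keeps a 10-minute sliding window of failures per user, fires when more than five of them come from more than one country, and adds the event the page's timeline calls out at T+1 hour: the first successful login after such a burst, which is the moment the stolen credentials actually work. The log format and the LOGIN_OK/LOGIN_FAIL outcome strings are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed GeoIP table; a deployment would query a GeoIP database (e.g. MaxMind) instead.
GEOIP_TABLE = [
    (ip_network("203.0.113.0/24"), "DE"),
    (ip_network("198.51.100.0/24"), "BR"),
    (ip_network("192.0.2.0/24"), "US"),
]

# Constructed auth-log lines: "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source ip>".
# alice: six failures from three countries in six minutes, then a success from Brazil.
# bob: six failures from one desk IP (a forgotten password), then a success.
SAMPLE_LOG = """\
2024-05-14T09:00:10 alice LOGIN_FAIL 203.0.113.5
2024-05-14T09:01:10 alice LOGIN_FAIL 198.51.100.7
2024-05-14T09:02:10 alice LOGIN_FAIL 203.0.113.5
2024-05-14T09:03:10 alice LOGIN_FAIL 198.51.100.9
2024-05-14T09:04:10 alice LOGIN_FAIL 192.0.2.3
2024-05-14T09:05:10 alice LOGIN_FAIL 198.51.100.7
2024-05-14T09:06:00 alice LOGIN_OK 198.51.100.7
2024-05-14T09:00:00 bob LOGIN_FAIL 203.0.113.40
2024-05-14T09:00:30 bob LOGIN_FAIL 203.0.113.40
2024-05-14T09:01:00 bob LOGIN_FAIL 203.0.113.40
2024-05-14T09:01:30 bob LOGIN_FAIL 203.0.113.40
2024-05-14T09:02:00 bob LOGIN_FAIL 203.0.113.40
2024-05-14T09:02:30 bob LOGIN_FAIL 203.0.113.40
2024-05-14T09:03:00 bob LOGIN_OK 203.0.113.40
"""

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5


def geoip(ip: str) -> str:
    addr = ip_address(ip)
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return "??"


def parse(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        ts, user, outcome, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, ip))
    return sorted(events)  # log lines are not guaranteed to arrive in time order


def detect(log_text: str) -> list:
    alerts = []
    recent_failures = defaultdict(deque)  # user -> deque of (timestamp, country) inside the window
    for ts, user, outcome, ip in parse(log_text):
        window = recent_failures[user]
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        countries = {c for _, c in window}
        if outcome == "LOGIN_FAIL":
            window.append((ts, geoip(ip)))
            countries.add(geoip(ip))
            if len(window) > FAIL_THRESHOLD and len(countries) > 1:
                alerts.append(("distributed_password_attack", user, sorted(countries)))
        elif outcome == "LOGIN_OK" and len(window) >= FAIL_THRESHOLD and len(countries) > 1:
            # The payoff event: the stolen credentials finally work, from one of the attacking locations.
            alerts.append(("success_after_distributed_failures", user, geoip(ip)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

bob's six failures never alert because they all resolve to one country, which is what the page's rule intends: a user fumbling a password looks different from a credential-stuffing run spread over proxies. In production, suppress repeated alerts for the same user within the window and expect some noise from users on mobile carriers and VPNs whose GeoIP changes legitimately.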
🚨 Response Actions
  • Block the sender domain (Immediate)
  • Reset passwords for affected users (High)
  • Search for other victims (High)
  • User awareness alert (Medium)
🔓
Privilege Escalation
Local to Domain Admin
⏱️ Attack Timeline
  • T+0
    Initial foothold via RCE
  • T+10 min
    Enumeration: whoami /priv
  • T+30 min
    Mimikatz execution
  • T+45 min
    Pass-the-hash attack
  • T+1 hour
    DCSync для получения krbtgt
🔍 Индикаторы
  • lsass.exe memory access
  • Suspicious PowerShell usage
  • sekurlsa::logonpasswords
  • Abnormal Kerberos ticket requests
  • NTDS.dit access attempts
📋 Detection Rules
Sysmon Event ID 10: TargetImage ends with "\lsass.exe" AND GrantedAccess includes PROCESS_VM_READ (0x1010 is the classic Mimikatz value; 0x1410, 0x1438 and 0x1fffff are also seen) AND SourceImage not in the AV/EDR allowlist
Event ID 4662: Properties CONTAINS {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes-All) OR {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes) AND SubjectUserName is not a domain controller computer account
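Both rules above as an added example (not code from the page), evaluated over constructed Sysmon Event ID 10 and Security 4662 records that use the real field names. Two points the one-line rules leave implicit: GrantedAccess is a bitmask, so the check is "has the PROCESS_VM_READ bit", not string equality with 0x1010; and the replication rights in 4662 appear as GUIDs inside the Properties field, so the rule matches those GUIDs and then excludes domain controller accounts, which legitimately replicate. The LSASS allowlist and the DC account list are assumptions to be tuned per environment; the PROCESS_* values are the documented Windows SDK constants.

```python
# PROCESS_* access rights as documented in the Windows SDK (winnt.h).
ACCESS_RIGHTS = {
    "PROCESS_TERMINATE": 0x0001,
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
}

# Extended rights (rightsGuid) that permit directory replication; DCSync needs them.
DS_REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Assumptions for the example; both sets must be tuned to the environment.
LSASS_READER_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed events using the Sysmon Event ID 10 and Security 4662 field names.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\mk.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(00000000001A2B3C)"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1410", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2c5d3"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\pd.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\dbgcore.dll+1b0f3"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"},
    {"EventID": 4662, "SubjectUserName": "alice", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "%%7688\n\t{e48d0154-bcf8-11d1-8702-00c04fb96050}"},  # ordinary attribute read, no replication right
]


def decode_access(mask: int) -> list:
    """Names of the PROCESS_* rights set in a GrantedAccess mask."""
    return [name for name, bit in ACCESS_RIGHTS.items() if mask & bit == bit]


def lsass_access_alert(ev: dict):
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    mask = int(ev["GrantedAccess"], 16)
    if not mask & ACCESS_RIGHTS["PROCESS_VM_READ"]:
        return None  # a handle that cannot read memory cannot dump credentials
    if ev["SourceImage"].lower() in LSASS_READER_ALLOWLIST:
        return None
    # UNKNOWN frames in CallTrace mean code running from memory not backed by a file on disk.
    unbacked = "unknown" in ev.get("CallTrace", "").lower()
    return {"rule": "lsass_memory_read", "source": ev["SourceImage"],
            "rights": decode_access(mask), "severity": "high" if unbacked else "medium"}


def dcsync_alert(ev: dict):
    props = ev.get("Properties", "").lower()
    rights = [name for guid, name in DS_REPLICATION_RIGHTS.items() if guid in props]
    if not rights or ev["SubjectUserName"] in DOMAIN_CONTROLLER_ACCOUNTS:
        return None
    return {"rule": "dcsync", "user": ev["SubjectUserName"], "rights": rights, "severity": "critical"}


def analyze(events: list) -> list:
    handlers = {10: lsass_access_alert, 4662: dcsync_alert}
    alerts = []
    for ev in events:
        handler = handlers.get(ev["EventID"])
        alert = handler(ev) if handler else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

Azure AD Connect and similar directory-sync services also hold replication rights; add their service accounts to the exclusion set rather than loosening the GUID match.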
🚨 Response Actions
  • Isolate the compromised host (Immediate)
  • Reset the krbtgt password twice, allowing AD replication to complete between the two resets (Immediate)
  • Audit all privileged accounts (High)
  • Golden ticket hunt (High)
🌐
Web Application Attack
SQL Injection to RCE
⏱️ Attack Timeline
  • T+0
    Fuzzing of application parameters
  • T+20 min
    SQL injection found
  • T+40 min
    Database enumeration
  • T+1 hour
    xp_cmdshell activation
  • T+1.5 hours
    Webshell upload
🔍 Indicators
  • UNION SELECT statements in the logs
  • sleep() or WAITFOR DELAY
  • xp_cmdshell in SQL queries
  • New files in web directories
  • Abnormal database queries volume
📋 Detection Rules
WAF: SQL keywords (UNION, SELECT, xp_cmdshell) in parameters
IIS Logs: cs-uri-query CONTAINS "CAST(" OR "CONVERT("
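The IIS log rule above, as an added example (not code from the page) over a constructed W3C log excerpt. The detail the one-liner hides is decoding: attackers URL-encode and double-encode the payload, so a CONTAINS on the raw cs-uri-query misses `%2520xp_cmdshell`; the example percent-decodes until the string stops changing, then matches. It also correlates WAITFOR DELAY with the time-taken column, because a request that really slept for five seconds confirms a blind injection rather than an attempt. The log columns and the 4-second confirmation threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt; the "#Fields:" header is how IIS names the columns.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2024-05-14 10:00:01 GET /products.aspx id=42 198.51.100.7 200 31
2024-05-14 10:00:09 GET /products.aspx id=42%27%20UNION%20SELECT%20null,name,null%20FROM%20sys.tables-- 198.51.100.7 500 45
2024-05-14 10:00:20 GET /products.aspx id=42%3BWAITFOR%20DELAY%20%270:0:5%27-- 198.51.100.7 200 5062
2024-05-14 10:00:31 GET /products.aspx id=42%253BEXEC%2520xp_cmdshell%2520%2527whoami%2527 198.51.100.7 200 120
2024-05-14 10:00:40 GET /search.aspx q=union+station 192.0.2.9 200 22
"""

PATTERNS = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "time_based": re.compile(r"waitfor\s+delay|\b(sleep|pg_sleep|benchmark)\s*\(", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "cast_convert": re.compile(r"\b(cast|convert)\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema|sys\.(tables|objects|columns)|sysobjects", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
}


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (double encoding is a standard WAF bypass); stop when stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_iis(text: str) -> list:
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def detect(text: str, delay_threshold_ms: int = 4000) -> list:
    hits = []
    for row in parse_iis(text):
        query = deep_decode(row["cs-uri-query"])
        matched = [name for name, rx in PATTERNS.items() if rx.search(query)]
        if not matched:
            continue
        hits.append({
            "ip": row["c-ip"],
            "uri": row["cs-uri-stem"],
            "decoded_query": query,
            "techniques": matched,
            # A time-based payload whose request really took that long is a confirmed injection point.
            "confirmed_time_based": "time_based" in matched and int(row["time-taken"]) >= delay_threshold_ms,
        })
    return hits


def top_sources(hits: list) -> list:
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["techniques"], h["decoded_query"], "CONFIRMED" if h["confirmed_time_based"] else "")
    print(top_sources(found))
```

The benign `q=union+station` search does not fire because the pattern requires UNION followed by SELECT; keyword-only rules on "UNION" or "SELECT" alone are where most WAF false positives come from.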
🚨 Response Actions
  • Block attacker IP (Immediate)
  • Review database audit logs (High)
  • Check for webshells (High)
  • Patch vulnerable application (Medium)
🔌
Supply Chain Attack
Third-party Compromise
⏱️ Attack Timeline
  • T-30 days
    Vendor software compromised
  • T+0
    Malicious update deployed
  • T+1 hour
    Backdoor activation
  • T+3 hours
    C2 communication established
  • T+1 day
    Data exfiltration begins
🔍 Indicators
  • Unexpected outbound connections
  • Modified legitimate executables
  • New scheduled tasks after update
  • Unusual DNS queries patterns
  • Certificate mismatches
📋 Detection Rules
Network: New outbound connection from [vendor_app].exe to unknown IP
File Integrity: Hash mismatch for trusted application
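The network rule above depends on knowing what "unknown" means for a given binary, so this added example (not code from the page) builds that baseline from constructed Sysmon Event ID 3 records collected before the update, then flags destinations the vendor binary never contacted before. Since the timeline above puts C2 establishment a few hours after the backdoor activates, the example also scores each new destination for beaconing: the coefficient of variation of the intervals between connections is near zero for a timer-driven implant and large for human-driven traffic. The install path, addresses and timestamps are constructed; the companion file-integrity rule is a plain comparison of the Sysmon Event ID 1 Hashes field against the vendor-published hash and is not repeated here.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

VENDOR_APP = r"c:\program files\vendorapp\vendor_app.exe"  # assumed install path for the example


def rec(utc: str, image: str, ip: str, port: int) -> dict:
    """Constructed record using the Sysmon Event ID 3 field names UtcTime, Image, DestinationIp, DestinationPort."""
    return {"UtcTime": utc, "Image": image, "DestinationIp": ip, "DestinationPort": port}


# Learning window: connections seen before the update (192.0.2.0/24 stands in for the vendor's update CDN).
BASELINE_RECORDS = [
    rec("2024-04-20 08:00:00", VENDOR_APP, "192.0.2.10", 443),
    rec("2024-04-21 08:00:00", VENDOR_APP, "192.0.2.10", 443),
    rec("2024-04-22 08:00:00", VENDOR_APP, "192.0.2.11", 443),
    rec("2024-04-22 08:05:00", r"c:\program files\browser\browser.exe", "198.51.100.20", 443),
]

# After the malicious update: one known destination, then a fixed-interval beacon to an unknown host.
AFTER_UPDATE_RECORDS = [rec("2024-05-14 12:00:00", VENDOR_APP, "192.0.2.10", 443)] + [
    rec(f"2024-05-14 13:{m:02d}:{s:02d}", VENDOR_APP, "203.0.113.77", 443)
    for m, s in ((0, 0), (5, 2), (10, 1), (14, 58), (20, 3), (25, 0))
] + [rec("2024-05-14 13:07:00", r"c:\program files\browser\browser.exe", "203.0.113.9", 443)]  # not a watched image


def build_baseline(records: list) -> dict:
    """image -> set of (ip, port) destinations observed during the learning window."""
    base = defaultdict(set)
    for r in records:
        base[r["Image"].lower()].add((r["DestinationIp"], r["DestinationPort"]))
    return base


def beacon_score(timestamps: list, min_events: int = 5):
    """Coefficient of variation of the intervals between connections.
    Human-driven traffic is bursty (CV well above 1); a C2 timer with small jitter sits near 0."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(deltas)
    return pstdev(deltas) / avg if avg > 0 else None


def first_seen_destinations(records: list, baseline: dict, watched_images: set, beacon_cv: float = 0.15) -> list:
    """Flag destinations a watched image never contacted in the baseline; escalate those that look like a beacon."""
    new = defaultdict(list)
    for r in records:
        img = r["Image"].lower()
        if img not in watched_images:
            continue
        dst = (r["DestinationIp"], r["DestinationPort"])
        if dst in baseline.get(img, set()):
            continue
        new[(img, dst)].append(datetime.strptime(r["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    alerts = []
    for (img, dst), stamps in new.items():
        score = beacon_score(stamps)
        alerts.append({
            "image": img,
            "destination": f"{dst[0]}:{dst[1]}",
            "connections": len(stamps),
            "beacon_cv": score,
            "severity": "high" if score is not None and score < beacon_cv else "medium",
        })
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_RECORDS)
    for a in first_seen_destinations(AFTER_UPDATE_RECORDS, baseline, {VENDOR_APP}):
        print(a)
```

A learning window that itself contains the compromise will baseline the C2 as normal, so build it from data collected before the suspect update, and re-baseline only after the vendor's legitimate endpoints have been confirmed.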
🚨 Response Actions
  • Isolate affected systems (Immediate)
  • Block C2 communications (Immediate)
  • Vendor notification (High)
  • Threat hunt across environment (High)
💳
Data Exfiltration
Insider Threat
⏱️ Attack Timeline
  • T-7 days
    Unusual access patterns begin
  • T-3 days
    Large database queries
  • T-1 day
    Data staging in temp folders
  • T+0
    ZIP files creation
  • T+2 hours
    Upload to cloud storage
🔍 Indicators
  • After-hours database access
  • Large SELECT * queries
  • Compression tools usage
  • Personal cloud storage access
  • USB device connections
📋 Detection Rules
DLP: File transfer > 100MB to unapproved destination
Database: SELECT queries returning > 10000 rows outside business hours
🚨 Response Actions
  • Disable user account (Immediate)
  • Legal/HR notification (Immediate)
  • Preserve evidence (High)
  • Review access logs (High)

📊 Attack Statistics 2024

  • Ransomware: 47%
  • Phishing: 31%
  • Avg. cost: $10.5M
  • Avg. time to detection: 277 days
  • Human factor: 82%

🎯 Attack vs Defense Matrix

Attack Type    | Initial Vector         | Key Indicators                      | Critical Controls                   | Severity
Ransomware     | Phishing, RDP          | Shadow copy deletion, encryption    | Backups, EDR, network segmentation  | Critical
APT            | Spear phishing, 0-day  | Long dwell time, custom tools       | Threat hunting, NDR, UEBA           | Critical
Insider Threat | Legitimate access      | Abnormal access patterns            | DLP, UEBA, access control           | High
Web Attacks    | Public applications    | SQLi, XSS patterns                  | WAF, input validation, patching     | High
BEC            | Email compromise       | Wire transfer requests              | Email security, MFA, training       | Medium
Cryptomining   | Vulnerable services    | High CPU usage                      | Patch management, EDR               | Low