
Studying Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Part 7

Part 7. Discovery


Links to all parts:

Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Obtaining Credential Access
Part 7. Discovery

Having gained access as a result of the initial compromise, the adversary must "look around" the system, understand what he now controls, what opportunities he has, and whether the current access is sufficient to achieve a tactical or ultimate goal. This stage of the attack is called "Discovery" (in the sense of "scientific discovery", "disclosure").

The author is not responsible for the possible consequences of applying the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free retelling of the content of MITRE ATT&CK.

Operating systems have many built-in tools with which the adversary can survey the internal perimeter of the attacked network after it is compromised. In Windows, direct interaction with the Windows API, WMI functionality and PowerShell can be used to gather information.

The attacker uses discovery techniques while studying the attacked environment, so identifying such activity should be treated as part of an attack chain that is followed by attempts at lateral movement through the network.

As a measure for identifying the activity described above in protected systems, monitoring of processes and command-line arguments that can be used to collect information about the system or network is recommended. A general recommendation for preventing unauthorized internal reconnaissance of the protected system and network is to audit the presence of unnecessary system utilities and potentially dangerous software that can be used to study the protected environment, and to use tools that block their launch, such as AppLocker or Software Restriction Policies.

Account Discovery


System: Windows, Linux, macOS
Rights: User
Description: Malicious users may attempt to obtain a list of local system or domain accounts.

Windows
The Net and Dsquery utilities can be used to obtain account information:
net user
net group
net localgroup
dsquery user
dsquery group


An attacker could use System Owner / User Discovery techniques to find the main user, current user of the system, or a group of users who typically use the system.

Mac
On Mac, user groups can be obtained using the groups and id commands. Also, user groups and users can be listed using the following commands:
dscl . list /Groups
dscacheutil -q group


Linux
On Linux, local users can be obtained from the /etc/passwd file, which is readable by all users. On a Mac, the same file is used only in single-user mode, in addition to the /etc/master.passwd file. The groups and id commands are also available on Linux.

Security Tips: Prevent the enumeration of administrator accounts during UAC elevation, since it discloses administrator account names. The corresponding registry value can be disabled using GPO:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators

GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.


Application Window Discovery


System: Windows, macOS
Rights: User
Description: Attackers may attempt to get lists of windows opened by applications. Such lists can indicate how the system is used or provide context for the information collected by a keylogger. On a Mac, this can be done with a small AppleScript script.

Browser Bookmark Discovery


System: Windows, Linux, macOS
Rights: User
Description: In order to learn as much as possible about the compromised system, attackers can examine the user's browser bookmarks. Bookmarks can reveal personal information about users (for example, banking sites, personal interests, social networks, etc.), as well as information about internal network resources: servers, tools, dashboards, and other infrastructure elements. An adversary can use credentials cached in the browser to gain access to the user's services whose addresses are stored in the bookmarks. The storage location of bookmarks depends on the platform, the specific application and the OS. Browser bookmarks are usually stored as local files or databases.

Protection recommendations: Since storing information in files is a regular function of the OS, attempts to suppress this activity are inappropriate. For example, restricting access to browser bookmark files is likely to cause unintended side effects and disrupt legitimate software. Protection efforts should be directed at preventing the attacker from launching tools at earlier stages of the attack.

File and Directory Discovery


System: Windows, Linux, macOS
Rights: User, Administrator, System
Description: Attackers can list files and directories or search for specific information in specific locations on a host or on shared network resources.

Windows
Examples of utilities for obtaining information about files and directories are dir and tree. Custom tools that interact directly with the Windows API can also be used to collect information about files and directories.

Linux and macOS
On Linux and macOS, browsing files and directories is done with the ls, find, and locate commands.

Protection recommendations: Since presenting information as files and directories is a regular feature of the OS, attempts to suppress this activity are inappropriate. Protection efforts should be directed at preventing the attacker from launching tools at earlier stages of the attack.

Network Service Scanning


System: Windows, Linux, macOS
Rights: Administrator, System
Description: Attackers may attempt to obtain a list of services running on remote hosts, including those that may be vulnerable to remote access tools. Methods for obtaining such information include port and vulnerability scanning with tools brought onto the system.

Security Tips: Use IDS/IPS systems to detect and prevent remote scans. Ensure that unnecessary ports are closed, unused services are disabled, and proper network segmentation is in place to protect critical servers and devices.

Network Share Discovery


System: Windows, macOS
Rights: User
Description: Local networks often have shared network drives and folders that let users access file directories hosted on different systems over the network. Attackers can search for shared folders and drives on remote systems in order to find targeted data sources and identify potential systems for further lateral movement.

Windows
File sharing in Windows networks uses the SMB protocol. The Net utility can be used to query a remote system for the network shares it exposes: net view \\remotesystem
Or to list the shares on the local system: net share.

Mac
On a Mac, locally mounted network shares can be viewed using the command: df -aH.

Network Sniffing


System: Windows, Linux, macOS
Description: An attacker can put the network interface into promiscuous mode, in which the network card accepts all packets regardless of whom they are addressed to, or use SPAN (mirroring) ports to capture large amounts of data transmitted over wired or wireless networks.

Data captured during sniffing may contain credentials sent over unprotected connections that do not use encryption. Various attacks on network name services, such as LLMNR/NBT-NS poisoning that redirects traffic, can also be used to collect credentials for websites, proxy servers and internal systems. While listening to the network, the adversary can also learn various configuration details (running services, version numbers, IP addresses, host names, VLAN IDs, etc.) needed for further propagation through the network and/or for bypassing security controls.

Security Tips: Ensure that wireless traffic is properly encrypted. Where possible, use Kerberos, SSL and multifactor authentication. Monitor network switches for the use of SPAN ports, ARP/DNS poisoning, and unauthorized configuration changes on routers. Use tools to detect and block potentially dangerous software that can be used to intercept and analyze network traffic.
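The host-side half of the sniffing recommendation above, as an added Python example that is not part of the original article: it parses the output of ip -o link show for the PROMISC flag and also interprets the IFF_PROMISC bit in /sys/class/net/<interface>/flags, so an interface that was switched to promiscuous mode can be spotted from either source. The sample output is constructed, and the live check assumes a Linux host with iproute2 installed.

```python
import re
import subprocess

# IFF_PROMISC from Linux if.h: the bit set in the hex value of /sys/class/net/<if>/flags.
IFF_PROMISC = 0x100

# Start of an 'ip -o link show' record: index, name (optional '@parent' suffix for
# VLAN/veth interfaces) and the comma-separated flag list in angle brackets.
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")

def promisc_from_ip_link(output):
    """Return the names of interfaces whose flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found

def promisc_from_sysfs_flags(flags_text):
    """Interpret the hex string read from /sys/class/net/<if>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promisc_on_this_host():
    """Run the real 'ip -o link show' (assumes a Linux host with iproute2)."""
    proc = subprocess.run(["ip", "-o", "link", "show"],
                          capture_output=True, text=True, check=True)
    return promisc_from_ip_link(proc.stdout)

# Constructed sample output, not captured from a real host: eth0 has been
# switched to promiscuous mode, the other interfaces have not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: vlan10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""
```

A flags value of 0x1003 is the usual UP|BROADCAST|MULTICAST for a wired interface; 0x1103 is the same interface with IFF_PROMISC set.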

Password Policy Discovery


System: Windows, Linux, macOS
Rights: User
Description: A network password policy is a way to make users choose complex passwords that are difficult to guess or brute-force. An attacker may try to obtain the password policy settings of the attacked network in order to build a list of common, well-known passwords that meet the policy's requirements (for example, if the policy sets a minimum password length of 8 characters, do not try passwords like pass123; if the lockout threshold is 6 failed attempts, do not check more than 3-4 passwords per account) and then start a dictionary attack. Password policies can be applied and discovered in Windows as well as in Linux and macOS.

Windows
net accounts
net accounts /domain


Linux
chage -l
cat /etc/pam.d/common-password


macOS
pwpolicy getaccountpolicies

Security Tips: Attempts to directly obstruct the discovery of the password policy are not recommended, since the password policy settings should be known to all systems and users of the network. Make sure that the password policy you use makes brute-forcing passwords difficult and prevents the use of weak passwords. The most common way to apply a password policy in a corporate network is through Active Directory.

To detect malicious activity, monitor processes for tools and command-line arguments that indicate attempts to discover the password policy. Correlate this activity with other suspicious actions from the same source system to reduce the likelihood of false positives caused by ordinary user or administrator actions. The adversary is likely to try to identify the password policy parameters in the early stages of the attack or together with other Discovery techniques.

Peripheral Device Discovery


System: Windows
Rights: User, Administrator, System
Description: Attackers may attempt to gather information about peripherals connected to computers in the attacked network. This information can be used to improve awareness of the target environment and to plan further malicious actions.

Permission Groups Discovery


System: Windows, Linux, macOS
Rights: User
Description: Attackers can try to find local or domain access groups and examine their permission settings.

Windows
You can list access groups using the Net utility:
net group /domain
net localgroup


Linux
On Linux, local groups can be listed with the groups command, and domain groups with the ldapsearch command.

macOS
On a Mac, the same can be done with the following commands:
dscacheutil -q group - for domain groups;
dscl . -list /Groups - for local groups.

Process Discovery


System: Windows, Linux, macOS
Rights: User, Administrator, System
Description: Adversaries may attempt to obtain information about the processes running on the system in order to learn what software runs on the systems of the attacked network.

Windows
An example of a way to get information about processes in Windows is the built-in tasklist utility.

Mac and Linux
On Mac and Linux, this is done using the ps command.

Query Registry


System: Windows
Rights: User, Administrator, System
Description: Attackers can interact with the Windows registry to gather information about the system, its configuration, and installed software. The registry contains a significant amount of information about the operating system, configuration, software and security. Some of it may help the adversary in conducting further operations in the attacked network. Interaction with the registry can occur through various utilities, for example Reg, or by running third-party tools that use the Windows API.

Remote System Discovery


System: Windows, Linux, macOS
Rights: User, Administrator, System
Description: An adversary is likely to attempt to get a list of systems on the attacked network. Remote systems can be identified by IP address, host name, or another identifier, which can later be used for lateral movement from the current system. Corresponding functionality can be built into Remote Access Tools (RAT), and built-in system utilities can also be used.

Windows
The ping and net view commands.

Mac
Mac systems within a broadcast domain are discovered using the Bonjour protocol. Utilities such as ping can also be used to collect information about remote systems.

Linux
Utilities such as ping can also be used to collect information about remote systems.

Security Software Discovery


System: Windows, macOS
Rights: User, Administrator, System
Description: Attackers can try to get lists of the security software, configurations and sensors installed on the system. The adversary's targets can include local firewall rules, antivirus and virtualization tools. These checks can be built into remote access tools (RAT) used in the early stages of an attack.

Windows
Examples of commands that can be used to obtain information about security tools are the netsh, reg query, dir, and tasklist utilities, but other, more specific tools can be used to identify the particular security systems the adversary is looking for.

Mac
A common check is for the presence of the LittleSnitch and KnockKnock programs.

System Information Discovery


System: Windows, Linux, macOS
Rights: User
Description: An adversary may attempt to obtain detailed information about the operating system and hardware, including the architecture, version, fixes, and installed service packs.

Windows
Examples of utilities for getting system information are ver and systeminfo; dir can be used to infer system information from existing files and directories.

Mac
The systemsetup command provides detailed system information, but it requires administrative privileges. In addition, system_profiler provides a detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without the need for privilege escalation.

System Network Configuration Discovery


System: Windows, Linux, macOS
Rights: User
Description: An attacker is very likely to look for detailed information about the network configuration and settings of the systems he has access to, or to obtain it by studying remote systems. Some utilities designed for administering the operating system can be used to collect this information. Examples of such utilities are arp, ipconfig/ifconfig, nbtstat, route, tracert/traceroute, etc.

System Network Connections Discovery


System: Windows, Linux, macOS
Rights: User, Administrator
Description: Attackers can attempt to get a list of incoming and outgoing network connections of the compromised system they have access to, or of a remote system by querying it over the network.

Windows
Utilities and commands for getting information about network connections:
Netstat
net use
net session


Mac and Linux
Netstat and lsof can be used to display current connections. Similar to net session, the who and w utilities display the currently logged-in users.

System Owner / User Discovery


System: Windows, Linux, macOS
Rights: User, Administrator
Description: Adversaries can try to identify the main user of the system, the currently logged-in user, the group of users who usually use the system, or determine how actively the user uses the system. An adversary can obtain this information through account discovery methods (see the "Account Discovery" technique) or through credential dumping. Information about the user and his name is scattered throughout the system: it is included in the ownership information of processes, files and directories, in session information and in system logs, so an adversary can use various discovery methods.
On a Mac, the current user can be identified using the users, w and who utilities. On Linux, only with w and who.

System Service Discovery


System: Windows
Rights: User, Administrator, System
Description: An attacker may attempt to obtain information about registered services. To collect data, the adversary can use various tools, including built-in utilities that can get information about services:
sc
tasklist /svc
net start


System Time Discovery


System: Windows
Rights: User
Description: The system time is set in the domain and maintained by the Windows Time Service to ensure time synchronization between systems and services in the enterprise network. An attacker can get the system time and/or time zone from a local or remote system. This information can be collected in several ways:
net time \\hostname - get the system time of a host;
w32tm /tz - get the time zone.
Information about the system time can be useful to the adversary for various attack methods, such as executing a file through a scheduled task, or, based on the time zone, inferring the victim's location.

Protection Tips: Benign software uses legitimate processes to collect the system time. Security efforts should be directed at preventing the execution of unwanted or unknown code on the system. To prevent unauthorized retrieval of time information from a remote system, tools such as the Net utility can be blocked by a security policy. Monitoring the command line can be useful for detecting instances of Net.exe or other utilities used to collect the system time and time zone. Monitoring API calls for this purpose is less useful because the API is frequently used by legitimate software.
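The command-line monitoring recommended in the introduction, in the password policy detection notes and in the system time protection tips above, as an added Python example that is not part of the original article: it classifies process-creation command lines into the techniques this part lists and alerts only when one host/user pair shows several distinct techniques within a short window, which is the correlation with other suspicious actions that the password policy notes call for. The record layout and the log lines are constructed; the technique names and commands are the ones the article gives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes for the Windows command lines the article lists, matched against lower-cased command lines.
NET = r"\bnet1?(?:\.exe)?\s+"                   # net.exe and its helper net1.exe
DISCOVERY_PATTERNS = {
    "Account Discovery": NET + r"(user|group|localgroup)\b|\bdsquery\s+(user|group)\b",
    "Password Policy Discovery": NET + r"accounts\b",
    "Network Share Discovery": NET + r"(view|share)\b",
    "System Service Discovery": r"\bsc(?:\.exe)?\s+query\b|\btasklist\s+/svc\b|" + NET + r"start\b",
    "System Time Discovery": NET + r"time\b|\bw32tm\b",
    "Network Connections Discovery": r"\bnetstat\b|" + NET + r"(use|session)\b",
}

def classify(cmdline):
    """Return the set of discovery techniques a single command line matches."""
    lowered = cmdline.lower()
    return {name for name, rx in DISCOVERY_PATTERNS.items() if re.search(rx, lowered)}

def correlate(lines, window=timedelta(minutes=5), min_techniques=3):
    """Alert when one host/user pair shows at least min_techniques distinct
    discovery techniques inside a sliding window (a lone 'net use' stays silent)."""
    per_actor = defaultdict(list)                  # (host, user) -> [(time, techniques)]
    for line in lines:
        ts, host, user, cmd = line.split("|", 3)   # constructed record layout
        techniques = classify(cmd)
        if techniques:
            per_actor[(host, user)].append((datetime.fromisoformat(ts), techniques))
    alerts = []
    for (host, user), events in per_actor.items():
        events.sort(key=lambda e: e[0])
        i = 0
        while i < len(events):
            start, seen, j = events[i][0], set(), i
            while j < len(events) and events[j][0] - start <= window:
                seen |= events[j][1]
                j += 1
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "techniques": sorted(seen)})
                i = j                              # do not re-alert on the same burst
            else:
                i += 1
    return alerts

# Constructed sample of process-creation events: 'timestamp|host|user|command line'.
SAMPLE_LOG = """\
2024-05-01T10:00:01|WS01|alice|C:\\Windows\\System32\\net1.exe user
2024-05-01T10:00:05|WS01|alice|net accounts /domain
2024-05-01T10:00:20|WS01|alice|net view \\\\FS01
2024-05-01T10:00:41|WS01|alice|w32tm /tz
2024-05-01T10:01:02|WS01|alice|tasklist /svc
2024-05-01T10:30:00|WS02|bob|net use Z: \\\\FS01\\share /persistent:no
2024-05-01T11:45:00|WS02|bob|net accounts
""".splitlines()
```

Running correlate(SAMPLE_LOG) raises one alert for WS01/alice (five techniques in about a minute) and none for WS02/bob, whose two commands are 75 minutes apart.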

Source: https://habr.com/ru/post/436350/