Links to all parts: Part 1. Getting Initial Access; Part 2. Execution; Part 3. Persistence; Part 4. Privilege Escalation; Part 5. Defense Evasion; Part 6. Obtaining Credential Access; Part 7. Discovery.
Having gained access as a result of the initial compromise, the adversary must "look around" the system, understand what he now controls, what opportunities he has, and whether the current access is sufficient to achieve a tactical or ultimate goal. This stage of the attack is called "Discovery" (English discovery: a finding, disclosure, exposure).
The author is not responsible for the possible consequences of applying the information contained in this article, and apologizes for any inaccuracies in some formulations and terms. The published information is a free retelling of the content of MITRE ATT&CK.
Operating systems have many built-in tools that an adversary can use to study the internal perimeter of the attacked network after it has been compromised. On Windows, direct interaction with the Windows API, WMI functionality, and PowerShell can be used to gather information.
The adversary uses discovery techniques while studying the attacked environment, so identifying such activity should be treated as part of an attack chain that is followed by the adversary's attempts to move laterally through the network.
As a measure for identifying the activity described above on protected systems, monitoring of processes and command-line arguments that can be used to collect information about the system or network is recommended. A general recommendation for preventing unauthorized internal reconnaissance of the protected system and network is to audit for unnecessary system utilities and potentially dangerous software that can be used to study the protected environment, and to use tools such as AppLocker or Software Restriction Policies to block their launch.
Technique: Account Discovery
System: Windows, Linux, macOS
Rights: User
Description: Malicious users may attempt to obtain a list of local system or domain accounts.
Windows: the Net and Dsquery utilities can be used to obtain account information:
net user
net group
net localgroup
dsquery user
dsquery group
An adversary can use System Owner/User Discovery techniques to find the primary user, the currently logged-in user, or the group of users who typically use the system.
Mac: on a Mac, user groups can be obtained with the groups and id commands. Groups and users can also be listed with the following commands:
dscl . list /Groups
dscacheutil -q group
Linux: on Linux, local users can be obtained from the /etc/passwd file, which is readable by all users. On a Mac, the same file is used only in single-user mode, in addition to the /etc/master.passwd file. The groups and id commands are also available on Linux.
Security Tips: Prevent the enumeration of administrator accounts during UAC elevation, since it discloses administrator account names. The corresponding registry value can be disabled via GPO:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.
Technique: Application Window Discovery
System: Windows, macOS
Rights: User
Description: Adversaries may attempt to get lists of the windows opened by applications. Such lists may indicate how the system is used, or reveal the context of information collected by a keylogger. On a Mac, this can be done with a small AppleScript.
Technique: Browser Bookmark Discovery
System: Windows, Linux, macOS
Rights: User
Description: In order to learn as much as possible about the compromised system, adversaries can examine the user's browser bookmarks. Bookmarks can reveal personal information about users (for example, banking sites, personal interests, social networks, etc.) as well as information about internal network resources: servers, tools, dashboards, and other infrastructure elements. An adversary can use credentials cached in the browser to gain access to the user's services whose addresses are saved in the browser. The storage location of bookmarks depends on the platform, the specific application, and the OS; browser bookmarks are usually stored as local files or databases.
Protection recommendations: Since storing information in files is a regular function of the OS, attempts to suppress this activity are inappropriate. For example, restricting access to browser bookmark files is likely to cause unintended side effects and disrupt legitimate software. Protection efforts should be directed at preventing the adversary from launching tools at earlier stages of the attack.
Technique: File and Directory Discovery
System: Windows, Linux, macOS
Rights: User, Administrator, System
Description: Attackers can list files and directories or search for specific information in specific locations on a host or on shared network resources.
Windows: examples of utilities for obtaining information about files and directories are dir and tree. Custom tools that interact directly with the Windows API can also be used to collect information about files and directories.
Linux and macOS: on Linux and macOS, files and directories are browsed with the ls, find, and locate commands.
Protection recommendations: Since presenting information as files and directories is a regular feature of the OS, attempts to suppress this activity are inappropriate. Protection efforts should be directed at preventing the adversary from launching tools at earlier stages of the attack.
Technique: Network Service Scanning
System: Windows, Linux, macOS
Rights: Administrator, System
Description: Adversaries may attempt to obtain a list of services running on remote hosts, including services that may be vulnerable to remote access tools. Methods for obtaining such information include port and vulnerability scanning with tools loaded onto the system.
Security Tips: Use IDS/IPS systems to detect and prevent remote scans. Ensure that unnecessary ports are closed and unused services are disabled, and apply proper network segmentation to protect critical servers and devices.
Technique: Network Share Discovery
System: Windows, macOS
Rights: User
Description: Local networks often have shared network drives and folders that allow users to access file directories hosted on different systems over the network. Adversaries can look for shared network folders and drives on remote systems in order to locate target data sources and identify potential systems for further movement through the network.
Windows: file sharing on Windows-based networks uses the SMB protocol. The Net utility can be used to query a remote system for the shared network drives it exposes:
net view \\remotesystem
or to get information about shared network drives on the local system:
net share
Mac: on a Mac, locally mounted network shares can be viewed with the command:
df -aH
Technique: Network Sniffing
System: Windows, Linux, macOS
Description: An adversary can put the network interface into promiscuous mode, in which the network card accepts all packets regardless of whom they are addressed to, or use SPAN (port mirroring) ports to capture large amounts of data transmitted over wired or wireless networks.
Data captured during sniffing may contain credentials sent over unprotected connections that do not use encryption protocols. Various attacks on network name services, such as LLMNR/NBT-NS poisoning that redirects traffic, can also be used to collect credentials for websites, proxy servers, and internal systems. While listening to the network, the adversary can also discover configuration information (running services, version numbers, IP addresses, host names, VLAN IDs, etc.) needed for further propagation through the network and/or circumvention of security controls.
Security Tips: Ensure that wireless traffic is properly encrypted. Where possible, use Kerberos, SSL, and multifactor authentication. Monitor network switches for the use of SPAN ports, ARP/DNS poisoning, and unauthorized configuration changes to routers. Use tools to detect and block potentially dangerous software that can be used to intercept and analyze network traffic.
Technique: Password Policy Discovery
System: Windows, Linux, macOS
Rights: User
Description: A password policy on a network is a way of making users choose complex passwords that are difficult to guess or crack by brute force. An adversary may try to obtain the password policy settings of the attacked network in order to build a list of common, well-known passwords that satisfy the policy (for example, if the policy sets a minimum password length of 8 characters, passwords like pass123 are not tried; and if the lockout threshold is 6 unsuccessful attempts, no more than 3 or 4 passwords are tried per account) and then start dictionary-based password guessing. Password policies can be applied and discovered on Windows as well as on Linux and macOS.
Windows:
net accounts
net accounts /domain
Linux:
chage -l <username>
cat /etc/pam.d/common-password
macOS:
pwpolicy getaccountpolicies
Security Tips: Attempts to directly obstruct discovery of the password policy are not recommended, since the password policy settings should be known to all systems and users on the network. Make sure that the password policy you use makes brute-forcing passwords difficult and prevents the use of weak passwords. The most common way to enforce a password policy in a corporate network is through Active Directory.
If the task is to detect malicious activity, monitor processes for tools and command-line arguments that indicate attempts to discover the password policy. Correlate this activity with other suspicious actions from the source system to reduce the likelihood of a false alert caused by the actions of a user or administrator. The adversary is likely to try to identify the password policy settings in the early stages of the attack, or together with other techniques of the discovery stage.
Technique: Peripheral Device Discovery
System: Windows
Rights: User, Administrator, System
Description: Adversaries may attempt to gather information about the peripherals connected to computers in the attacked network. This information can be used to improve awareness of the attacked environment and when planning further malicious actions.
Technique: Permission Groups Discovery
System: Windows, Linux, macOS
Rights: User
Description: Adversaries may try to find local or domain access groups and examine their permission settings.
Windows: you can list access groups using the Net utility:
net group /domain
net localgroup
Linux: on Linux, local groups can be listed with the groups command, and domain groups with the ldapsearch command.
macOS: on a Mac, you can do the same with the following commands:
dscacheutil -q group
- for domain groups;
dscl . -list /Groups
- for local groups.
Technique: Process Discovery
System: Windows, Linux, macOS
Rights: User, Administrator, System
Description: Adversaries may attempt to obtain information about the processes running on a system in order to learn what software is running on the systems of the attacked network.
Windows: an example of a way to get information about processes on Windows is the built-in tasklist utility.
Mac and Linux: on Mac and Linux, this is done with the ps command.
Technique: Query Registry
System: Windows
Rights: User, Administrator, System
Description: Adversaries can interact with the Windows registry to gather information about the system, its configuration, and installed software. The registry contains a significant amount of information about the operating system, configuration, software, and security, some of which may help the adversary conduct further operations in the attacked network. Interaction with the registry can occur through various utilities, for example Reg, or by running third-party tools that use the Windows API.
Technique: Remote System Discovery
System: Windows, Linux, macOS
Rights: User, Administrator, System
Description: An adversary is likely to attempt to get a list of systems on the attacked network. Remote systems can be identified by IP address, host name, or another identifier that can later be used to move from the current system through the network. Such functionality can be built into Remote Access Tools (RAT), and built-in system utilities can also be used.
Windows: the ping and net view commands.
Mac: to discover Mac systems within a broadcast domain, the Bonjour protocol is used. Utilities such as ping can also be used to collect information about remote systems.
Linux: utilities such as ping can also be used to collect information about remote systems.
Technique: Security Software Discovery
System: Windows, macOS
Rights: User, Administrator, System
Description: Adversaries may try to get lists of the security software, configurations, and sensors installed on the system. Targets include local firewall rules, antivirus, and virtualization tools. These checks can be built into the remote access tools (RAT) used in the early stages of an attack.
Windows: examples of commands that can be used to obtain information about security tools are the netsh, reg query, dir, and tasklist utilities, but other, more specific tools may be used to identify the particular security systems the adversary is looking for.
Mac: on macOS, malware commonly checks for the presence of the LittleSnitch and KnockKnock security tools.
Technique: System Information Discovery
System: Windows, Linux, macOS
Rights: User
Description: An adversary may attempt to obtain detailed information about the operating system and hardware, including the architecture, version, patches, and installed service packs.
Windows: examples of utilities for getting system information are ver and systeminfo, as well as dir for identifying system information from existing files and directories.
Mac: the systemsetup command provides detailed system information but requires administrative privileges. A detailed breakdown of configuration, firewall rules, mounted volumes, hardware, and much more is provided by system_profiler without the need for privilege escalation.
Technique: System Network Configuration Discovery
System: Windows, Linux, macOS
Rights: User
Description: An adversary is likely to look for detailed information about the network configuration and settings of the systems to which he has access, or to obtain it by studying remote systems. Some utilities intended for operating system administration can be used to collect this information. Examples of such utilities are arp, ipconfig/ifconfig, nbtstat, route, tracert/traceroute, etc.
Technique: System Network Connections Discovery
System: Windows, Linux, macOS
Rights: User, Administrator
Description: Adversaries may attempt to get a list of the incoming and outgoing network connections of the compromised system to which they have access, or of a remote system, by requesting the information over the network.
Windows: utilities and commands for getting information about network connections:
netstat
net use
net session
Mac and Linux: netstat and lsof can be used to display current connections. Similarly to "net session", the who and w utilities can display currently logged-in users.
Technique: System Owner/User Discovery
System: Windows, Linux, macOS
Rights: User, Administrator
Description: Adversaries may try to identify the primary user of the system, the currently logged-in user, the group of users who usually use the system, or how actively the user uses the system. An adversary can obtain this information through account discovery methods (see the "Account Discovery" technique) or by using Credential Dumping methods. Information about the user and his name is spread throughout the system: it is included in the owner information of processes, files, and directories, in session information, and in system logs, so an adversary can use a variety of discovery methods.
On a Mac, the current user can be identified with the users, w, and who utilities. On Linux systems, only with w and who.
Technique: System Service Discovery
System: Windows
Rights: User, Administrator, System
Description: An adversary may attempt to obtain information about registered services. To collect this data, the adversary can use various tools, including built-in utilities that return information about services:
sc
tasklist /svc
net start
Technique: System Time Discovery
System: Windows
Rights: User
Description: The system time is set in the domain and maintained by the Windows Time Service to ensure time synchronization between systems and services in the enterprise network. An adversary can obtain the system time and/or time zone of a local or remote system. This information can be collected in several ways:
net time \\hostname
- get the host's system time;
w32tm /tz
- get the time zone.
Information about the system time can be useful to the adversary for various attack methods, such as executing a file via a scheduled task or, based on the time zone, determining the victim's location.
Protection Tips: Benign software uses legitimate processes to collect the system time. Security efforts should be directed at preventing the execution of unwanted or unknown code on the system. To prevent unauthorized retrieval of time information from a remote system, tools such as the Net utility can be blocked by a security policy. Command-line monitoring can be useful for detecting instances of Net.exe or other utilities used to collect the system time and time zone. Monitoring API calls for this purpose is less useful because the API is often used by legitimate software.
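The command-line monitoring recommended in the introduction, in the password policy section, and in the system time section, as an added example that is not part of the original article: a small Python correlator that matches process-creation records against the discovery commands listed above and alerts only when one host runs several distinct discovery techniques within a short window, which is the correlation the article suggests for reducing false alerts from ordinary administrator activity. The log format, host names, users, and all log lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (not real telemetry): one per line,
# with the timestamp, host, user and full command line.
SAMPLE_LOG = [
    "2024-05-03T10:12:01Z host=WS01 user=jdoe cmd=net user /domain",
    "2024-05-03T10:12:30Z host=WS01 user=jdoe cmd=net group \"Domain Admins\" /domain",
    "2024-05-03T10:13:05Z host=WS01 user=jdoe cmd=net accounts /domain",
    "2024-05-03T10:14:40Z host=WS01 user=jdoe cmd=net view \\\\FILESRV01",
    "2024-05-03T10:15:02Z host=WS01 user=jdoe cmd=w32tm /tz",
    "2024-05-03T09:00:00Z host=WS02 user=admin cmd=systeminfo",
    "2024-05-03T15:30:00Z host=WS02 user=admin cmd=net share",
    "2024-05-03T11:00:00Z host=WS03 user=asmith cmd=notepad.exe report.txt",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=\S+ cmd=(?P<cmd>.*)$")

# Discovery commands from the article, grouped by technique ("net1" is the
# binary Windows actually runs for "net", so it is matched as well).
DISCOVERY_PATTERNS = [
    ("Account Discovery", r"\b(?:net1?\s+(?:user|group|localgroup)|dsquery\s+(?:user|group))\b"),
    ("Password Policy Discovery", r"\bnet1?\s+accounts\b"),
    ("Network Share Discovery", r"\bnet1?\s+(?:view|share)\b"),
    ("System Time Discovery", r"\b(?:net1?\s+time|w32tm\s+/tz)\b"),
    ("System Service Discovery", r"\b(?:tasklist\s+/svc|net1?\s+start)\b"),
    ("System Network Connections Discovery", r"\b(?:netstat|net1?\s+(?:use|session))\b"),
    ("System Information Discovery", r"\b(?:systeminfo|system_profiler)\b"),
]
DISCOVERY_PATTERNS = [(label, re.compile(p, re.I)) for label, p in DISCOVERY_PATTERNS]

def classify(cmdline):
    """Return the discovery technique a command line matches, or None."""
    return next((label for label, p in DISCOVERY_PATTERNS if p.search(cmdline)), None)

def correlate(lines, window=timedelta(minutes=10), min_techniques=3):
    """Per host, alert only when at least min_techniques distinct discovery techniques
    occur within `window`; a lone "net share" or "systeminfo" stays below the threshold."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        label = classify(m["cmd"]) if m else None
        if label:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            hits[m["host"]].append((ts, label))
    alerts = {}
    for host, items in hits.items():
        items.sort()  # chronological, so each start point opens a window forward
        for i, (start, _) in enumerate(items):
            techniques = {lbl for ts, lbl in items[i:] if ts - start <= window}
            if len(techniques) >= min_techniques:
                alerts[host] = sorted(techniques)
                break
    return alerts
```

Calling correlate(SAMPLE_LOG) raises an alert only for WS01, listing the four techniques seen there within ten minutes; WS02's two isolated commands hours apart produce nothing.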