Suleyman Ozarslan, PhD | October 05, 2020
In 2019, Picus Labs analyzed 48,813 malware samples to determine the tactics, techniques, and procedures (TTPs) adversaries use in these malicious files, and categorized each observed TTP using the MITRE ATT&CK® framework. In this research, the 445,018 TTPs observed over the year were mapped to ATT&CK to identify the ten techniques attackers use most. Our research has found that System Information Discovery was the ninth most prevalent ATT&CK technique used by adversaries in their malware.
When adversaries gain initial access to a system, they observe the environment and gain knowledge about the system. Adversaries then use the collected system information to determine how to act in follow-on behaviors. Our research has found that System Information Discovery is the ninth most prevalent ATT&CK technique used by adversaries in their malware.
Following initial access to a system, attackers need to gather information about the system to decide how to continue the attack. They collect operating system, hardware, host, and user information to shape follow-on actions.
In this article, we review:
Adversaries commonly collect the following system information:
Adversaries use built-in OS utilities to discover system information:
Adversaries use APIs to get information about instances in cloud Infrastructure as a Service (IaaS) providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
describe-instance-information in AWS: This API action gives information about instances, including computer name, instance ID, IP address, OS type, OS name, and OS version [2], [3].
Virtual Machines - Get in Microsoft Azure: This operation retrieves information about the model view or the instance view of a virtual machine, such as OS type, computer name, and admin username [4].
instances.get in Google Cloud: This method returns information about the specified instance, including hostname, CPU platform, disk size, IP address, and the DNS domain [5].
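The cloud discovery calls above leave an audit trail, which is where a defender catches them. The script below is an added example (not part of the article): it triages constructed CloudTrail-style records for the AWS operations listed above and flags principals that enumerate instances without being on an allow-list or that do so in a burst. The eventSource and eventName values are the real CloudTrail names for those operations; the records, the 111122223333 account ID, the PatchManagerRole and contractor-dev principals, and the allow-list are constructed for illustration.

```python
"""Triage instance-discovery API calls in CloudTrail-style records.

Added example, not from the original article. The eventSource/eventName
pairs are the real CloudTrail names for the AWS operations the article
cites; the records, the account ID and the allow-list of expected callers
are constructed for illustration.
"""
import json
from collections import defaultdict

# CloudTrail logs the API operation in CamelCase; the CLI spelling in the
# article (describe-instance-information) is the same operation.
DISCOVERY_EVENTS = {
    ("ssm.amazonaws.com", "DescribeInstanceInformation"),
    ("ec2.amazonaws.com", "DescribeInstances"),
}

# Principals that legitimately enumerate instances (assumption: a patch
# management role). Anyone else calling these APIs deserves a look.
EXPECTED_CALLERS = {
    "arn:aws:sts::111122223333:assumed-role/PatchManagerRole/patch-session",
}

# Constructed records in the CloudTrail file layout ({"Records": [...]}),
# reduced to the fields the triage needs.
SAMPLE_JSON = json.dumps({"Records": [
    {"eventTime": "2020-10-05T08:01:12Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "DescribeInstanceInformation", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PatchManagerRole/patch-session"}},
    {"eventTime": "2020-10-05T11:42:03Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "DescribeInstanceInformation", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-dev"}},
    {"eventTime": "2020-10-05T11:42:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-dev"}},
    {"eventTime": "2020-10-05T11:42:15Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "DescribeInstanceInformation", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-dev"}},
    {"eventTime": "2020-10-05T11:43:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PatchManagerRole/patch-session"}},
]})


def load_records(text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(text)["Records"]


def triage(records, expected_callers, burst_threshold=3):
    """Return one finding per principal that makes discovery calls and is
    either not an expected caller or reaches burst_threshold calls."""
    calls = defaultdict(list)
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) in DISCOVERY_EVENTS:
            calls[rec["userIdentity"]["arn"]].append(rec)

    findings = []
    for principal, recs in calls.items():
        reasons = []
        if principal not in expected_callers:
            reasons.append("caller not on the discovery allow-list")
        if len(recs) >= burst_threshold:
            reasons.append(f"{len(recs)} discovery calls (threshold {burst_threshold})")
        if reasons:
            findings.append({
                "principal": principal,
                "calls": len(recs),
                "operations": sorted({r["eventName"] for r in recs}),
                "source_ips": sorted({r["sourceIPAddress"] for r in recs}),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_JSON), EXPECTED_CALLERS):
        print(f["principal"], f["calls"], "; ".join(f["reasons"]))
```

On the constructed batch, the patch-management role's single call is ignored and the contractor user is reported once, with both reasons, the two operations it used, and its source address. The allow-list is the part to get right in practice: discovery APIs are noisy in accounts with inventory tooling, so tune it per role rather than per user.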
ZxShell (aka Sensocode) RAT (Remote Administration Tool), which is used by Group 72 to conduct cyber-espionage operations, composes a large string containing the following system information about the victim host and sends it to its CnC server [6]:
Sodinokibi (aka REvil) ransomware generates a unique identifier (UID) for the host using the volume serial number and CPUID [7]. It uses this UID in encryption/decryption processes and as part of the payment URL referenced in the dropped ransom note. Moreover, Sodinokibi profiles the compromised host by collecting the following information:
Interestingly, it uses a parameter named “bro” that indicates a Russian keyboard layout. If this parameter returns true, the compromised host is whitelisted and is immune to Sodinokibi. It calls User32.dll's GetKeyboardLayoutList function to get the configured keyboard layouts.
Mekotio banking Trojan collects the following information about the compromised host [8]:
Adversaries discover system information to detect and avoid virtualization and analysis environments, such as the sandboxes used to analyze malicious files and URLs in order to obtain indicators of compromise (IoCs). These IoCs are then used to improve defenses and to detect or block adversary behavior.
Accordingly, the MITRE ATT&CK technique T1497 Virtualization/Sandbox Evasion is one of the primary use cases of the MITRE ATT&CK T1082 System Information Discovery technique. Specifically, the T1497.001 System Checks sub-technique is directly related to the System Information Discovery technique.
Sandbox-evading malware commonly collects the following system information to detect a virtualization/sandbox environment:
Total physical memory size: A total RAM size lower than 4GB may indicate a sandbox environment.
Storage size: A storage lower than 64 GB may indicate a sandbox.
Storage name: If a hard disk drive has a name used by virtual machines (e.g., QEMU, VBOX, VIRTUAL HD, VMWare), it strongly indicates a virtual machine.
HDD vendor ID: If the vendor ID of the hard disk drive is VBOX or vmware, it is in a virtual machine.
Audio device: If there is no audio device in the machine, it may be a sandbox.
Screen resolution: Low resolutions may indicate a sandbox environment.
Username: Common sandbox usernames (e.g., sandbox, virus, malware, vmware, test) may indicate a sandbox.
Hostname: Common sandbox names (e.g., cuckoo, sandbox, sample, malware) may indicate a sandbox environment.
List of directories: The existence of “oracle\virtualbox guest additions\” or “VMWare” directory strongly indicates a virtual machine environment.
Browser usage: A short/empty browser history or cookie list may indicate a sandbox.
The number of running processes: In a regular Windows environment, at least 50 processes run simultaneously. Lower numbers may indicate a sandbox.
Process names: Specific processes (e.g., vmware.exe, xenservice.exe, vmsrvc.exe, vboxservice.exe, joeboxserver.exe, prl_cc.exe) strongly indicate a virtual machine environment.
CPU temperature: Virtual machines don’t return a result after CPU temperature check calls, such as MSAcpi_ThermalZoneTemperature.
Number of CPU cores: A single core may indicate a virtual machine.
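The list above doubles as a hardening checklist for whoever runs the sandbox: every indicator a stock analysis VM exposes is a reason for sandbox-aware malware to stay dormant and never produce the IoCs the sandbox exists to collect. The audit below is an added example for sandbox operators, not code from the article. It takes a description of an analysis VM as a plain dict and reports which of the indicators above the VM would trip. The profile field names are this example's own convention; the thresholds and marker strings are the ones given above, except the screen-resolution cutoff, which the article leaves unspecified and is assumed here. The two profiles are constructed: a default VM and a hardened one.

```python
"""Audit an analysis VM against the host-profile indicators listed above.

Added example for sandbox operators, not code from the article. Field
names in the profile dict are this example's convention; thresholds and
marker strings are the article's, except MIN_RESOLUTION, which is assumed.
"""

VM_DISK_MARKERS = ("QEMU", "VBOX", "VIRTUAL HD", "VMWARE")
VM_VENDOR_IDS = ("VBOX", "VMWARE")
SANDBOX_USERNAMES = ("sandbox", "virus", "malware", "vmware", "test")
SANDBOX_HOSTNAMES = ("cuckoo", "sandbox", "sample", "malware")
VM_DIRECTORIES = ("oracle\\virtualbox guest additions\\", "vmware")
VM_PROCESSES = ("vmware.exe", "xenservice.exe", "vmsrvc.exe",
                "vboxservice.exe", "joeboxserver.exe", "prl_cc.exe")
MIN_RESOLUTION = (1024, 768)  # assumed cutoff for "low resolution"


def audit(profile):
    """Return the list of indicators this host profile would trip."""
    hits = []
    if profile["ram_gb"] < 4:
        hits.append("RAM below 4 GB")
    if profile["disk_gb"] < 64:
        hits.append("storage below 64 GB")
    if any(m in profile["disk_name"].upper() for m in VM_DISK_MARKERS):
        hits.append("virtual-machine string in storage name")
    if profile["hdd_vendor_id"].upper() in VM_VENDOR_IDS:
        hits.append("virtual-machine HDD vendor ID")
    if not profile["has_audio_device"]:
        hits.append("no audio device")
    width, height = profile["screen_resolution"]
    if width < MIN_RESOLUTION[0] or height < MIN_RESOLUTION[1]:
        hits.append("low screen resolution")
    if profile["username"].lower() in SANDBOX_USERNAMES:
        hits.append("common sandbox username")
    if any(n in profile["hostname"].lower() for n in SANDBOX_HOSTNAMES):
        hits.append("common sandbox hostname")
    if any(m in d.lower() for d in profile["directories"] for m in VM_DIRECTORIES):
        hits.append("virtual-machine directory present")
    if profile["browser_history_entries"] == 0:
        hits.append("empty browser history")
    if len(profile["processes"]) < 50:
        hits.append("fewer than 50 running processes")
    if any(p.lower() in VM_PROCESSES for p in profile["processes"]):
        hits.append("virtual-machine process running")
    if profile["cpu_temperature"] is None:
        hits.append("CPU temperature query returns nothing")
    if profile["cpu_cores"] == 1:
        hits.append("single CPU core")
    return hits


# Constructed profile of an out-of-the-box VirtualBox analysis VM.
DEFAULT_VM = {
    "ram_gb": 2, "disk_gb": 40, "disk_name": "VBOX HARDDISK", "hdd_vendor_id": "VBOX",
    "has_audio_device": False, "screen_resolution": (800, 600),
    "username": "sandbox", "hostname": "CUCKOO-PC",
    "directories": ["C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\"],
    "browser_history_entries": 0,
    "processes": ["explorer.exe", "vboxservice.exe", "svchost.exe"],
    "cpu_temperature": None, "cpu_cores": 1,
}

# Constructed profile of the same VM after hardening.
HARDENED_VM = {
    "ram_gb": 8, "disk_gb": 120, "disk_name": "Samsung SSD 860 EVO", "hdd_vendor_id": "SAMSUNG",
    "has_audio_device": True, "screen_resolution": (1920, 1080),
    "username": "jsmith", "hostname": "DESKTOP-4K2L9PQ",
    "directories": ["C:\\Program Files\\Mozilla Firefox\\"],
    "browser_history_entries": 230,
    "processes": [f"svc{i}.exe" for i in range(60)] + ["explorer.exe"],
    "cpu_temperature": 41.5, "cpu_cores": 4,
}


if __name__ == "__main__":
    for name, prof in (("default", DEFAULT_VM), ("hardened", HARDENED_VM)):
        print(f"{name}: {len(audit(prof))} indicator(s) exposed")
        for h in audit(prof):
            print("  -", h)
```

The default profile trips all fourteen indicators; the hardened one trips none. The process-count and browser-history checks are the ones most often left unaddressed, because they need activity to be generated inside the VM rather than a configuration change on the hypervisor.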
Red Teaming - How to simulate?
The following command lists the Windows updates and software updates installed on the local computer using WMIC (Windows Management Instrumentation Command-line) [9]:
wmic qfe get description,hotfixid,installedon
C:\Windows\system32>wmic qfe get description,hotfixid,installedon
Description       HotFixID   InstalledOn
Update            KB4576478  9/9/2020
Security Update   KB4537759  5/11/2020
Security Update   KB4557968  5/11/2020
Security Update   KB4560366  7/13/2020
Security Update   KB4561600  7/13/2020
Security Update   KB4566785  7/23/2020
Security Update   KB4570334  8/12/2020
Security Update   KB4577266  9/9/2020
Update            KB4571756  9/9/2020
The following Sigma rule can be used to detect an attempt to gather information about installed patches on the local system via the WMIC tool.
title: System Information Discovery by Gathering Installed Patches via WMIC Tool
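To see what such a rule actually does when it reaches a SIEM, here is an added example of Sigma-style matching over process-creation events; it is not the article's rule. Only the rule's title appears above, so the selection used here (an image ending in \wmic.exe with "qfe" anywhere on the command line) is this example's assumption about the rule body. The events are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User), and the matcher implements the Sigma semantics that matter here: keys within one selection are AND-ed, list values are OR-ed, and string comparison is case-insensitive.

```python
"""Run a Sigma-style process-creation selection over constructed events.

Added example. The article prints only the title of its Sigma rule, so the
selection below is this example's assumption about the rule body, not the
article's rule. Events are constructed Sysmon Event ID 1 style records.
"""

RULE = {
    "title": "System Information Discovery by Gathering Installed Patches via WMIC Tool",
    "selection": {
        "Image|endswith": "\\wmic.exe",
        "CommandLine|contains": "qfe",
    },
}

# Constructed process-creation events: two WMIC patch queries (one from the
# WOW64 copy, upper-cased), one WMIC query for something other than patches,
# and one unrelated command that merely mentions "qfe".
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic qfe get description,hotfixid,installedon",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jsmith"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption,version",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jsmith"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo qfe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jsmith"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "CommandLine": "WMIC QFE LIST",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
]


def _value_matches(value, modifier, pattern):
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def event_matches(event, selection):
    """Every key of a selection map must match (AND); list values are OR-ed."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_value_matches(event[field], modifier, p) for p in patterns):
            return False
    return True


def run_rule(rule, events):
    """Return the events that trigger the rule's selection."""
    return [e for e in events if event_matches(e, rule["selection"])]


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['title']}] {hit['User']}: {hit['CommandLine']}")
```

Two of the four constructed events fire: the command-line query from the output above and the upper-cased WOW64 variant, which the case-insensitive compare catches. The "wmic os get" event is also System Information Discovery but is outside this rule's scope, and the cmd.exe event shows why the Image condition is needed in addition to the command-line substring.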
References