Living off the land: the reconnaissance phase

This is the first blog post in a series exploring the use of Living Off the Land techniques.

Each blog post will be designed around a different stage of the Cyber Kill Chain framework developed by Lockheed-Martin. This blog post will focus on how widely available tools can be used to facilitate the reconnaissance stage of the Kill Chain.

Living off the Land is an expression which refers to actions taken in pursuit of an objective using minimal custom developed tools or resources. By making use of tools already available in the target network, adversaries can evade conventional detection methods and obscure their activity. Additionally, this technique reduces an adversary’s unique footprint on the target network, meaning less opportunity for defenders to attribute activity to an individual or group. While these techniques pose unique challenges to defenders, they offer an opportunity to gain meaningful insight into adversary activity. This post will cover several common reconnaissance techniques using tools such as PowerShell and WMI, and offer several existing methods for addressing them.

Background

PowerShell is a scripting language designed for task automation and configuration management. In the fourth quarter of 2017, MacAfee identified a 267% increase in malware that made use of PowerShell and a 432% year over year growth [1]. Using PowerShell, attackers can query specific information such as system information, open ports, network configurations, password lockout thresholds and more.

Windows Management Instrumentation (WMI) is a tool used to query management information and remotely manage computer systems in an enterprise environment. Similar to PowerShell, WMI usage is expected in organizations to some degree, making identification of malicious activity difficult.

Case Study

In 2017, eSentire identified an incident where an unknown adversary gained unauthorized access to a customer’s network by leveraging stolen VPN credentials. Once a foothold inside the network was obtained, the adversary located and, using Remote Desktop Protocol, accessed a critical system where endpoint monitoring was present. Here, the adversary was observed using command line tools to discover accounts and remote systems. Systeminfo was used to gather detailed information on the current system. The commands query user,net user [username] and net user/domain were employed to determine:

• If the target has an account on the machine
• Other machines the target had accessed

Within a short period of time, the adversary was able to identify and access the intended target with limited exposure. Visibility into reconnaissance activity allowed responders to make determinations about possible intentions and next target, ultimately reducing the overall time it took to scope and contain the threat.

Additional Information on Common Reconnaissance Tools

The following section demonstrates a variety of PowerShell, WMI and Command line utilities leveraged by adversaries when performing reconnaissance activities.

Figure 1: Gwmi Win32_Group

Gwmi Win32_Group

Administrative Perspective:

Similar to other PowerShell commands, “Gwmi Win32_Group” shows associated groups.

Adversary Use:

This command is used by adversaries to identify users associated with administrative groups. Administrative users will then be targeted for future attacks, as their high permissions make them a valuable target.

Figure 2: Get-wmiobject

Get-wmiobject

Administrative Perspective:

The “get-wmiobject” services command is used to show all services installed on the machine.

Adversary Use:

An adversary may use this information to determine what security software could potentially be installed, allowing the attack to be tailored against the known security infrastructure. This command will also reveal software that can potentially be targeted and if vulnerable, be exploited.

Figure 3: systeminfo

Systeminfo

Administrative Perspective:

Legitimate users may employ the “systeminfo” command to display operating system information including host name, operating system, version, product ID, install date and hardware information for troubleshooting purposes.

The “systeminfo” command is available in both Command Prompt and PowerShell.

Adversary Use:

Malicious actors use this command to identify the operating system on the exploited system and attempt to elevate privileges.

Figure 4: net view and net use

Net view/use

Administrative Perspective:

The “net” command line utility allows users to view available network shares. This information is important for administrators as it allows them to easily record and audit network shares available to users.

Adversary Use:

Attackers use the “net” command to expose available shares accessible to the compromised accounts. They can use this information to insert malware on to shared drives or encrypt the contents.

Figure 5: net user

Net user

Administrative Perspective:

Administrators employ the “net user” command to manage user accounts; this includes adding, removing and renaming accounts.

Adversary Use:

This command can be used by attackers to look for accounts installed across multiple machines. After discerning accounts that are active on various machines, the attacker may then target these machines to perform lateral movement without needing additional compromised credentials. The “net user” command can also be used by adversaries to add users or elevate privileges.

Figure 6: net accounts

Net accounts

Administrative Perspective:

Administrators use the “net accounts” command to view user account login settings, including password length requirements, password expiry time and previous password exclusion.

Adversary Use:

Attackers utilize this information, specifically the lockout threshold, to avoid locking additional accounts out while moving laterally throughout the network.

PowerSploit

PowerSploit is an online repository of PowerShell scripts that are organized for specific attack scenarios [2]. The repository was originally assembled for penetration testing purposes but has been widely misused by malicious actors. Threat actors have been seen to remotely download or manually type out the scripts to avoid suspicion.

Figure 7a: Invoke-PortScan

Figure 7a: Invoke-PortScan

Invoke-PortScan

Adversary Use:

Attackers use the “Invoke-PortScan” command to perform network scans and reveal open ports. In other situations the attacker would have to download a network mapping tool such as Nmap, which is more likely to be discovered.

For additional PowerSploit commands used for reconnaissance, such as get-NetUser, get-NetComputer, get-userproperty and Invoke-ReverseDnsLookup, see the PowerSploit repository on GitHub [2].

Mitigation Strategies

While it might be nearly impossible to completely prevent your tools from being used against you, there are ways to reduce an adversary’s ability to conduct reconnaissance on your network:

• Implement Microsoft’s PAM [3]
• Follow the concept of Least-Privilege [4]
• Monitor logon failures
• Obfuscate all security appliance and high value asset host names
• Enable PowerShell logging [5]
• Isolate VLANs based on user requirements

Additional Considerations

Every incident, no matter how minor, presents an opportunity to gain a foothold and move laterally throughout the network. Defenders should be aware of potential blind spots in monitoring to ensure they aren’t neglecting dual-purpose tools such as PowerShell or WMI. PowerShell logging is a popular choice but requires tuning to ensure you’re not getting alerted every time a system administrator is working through a ticket. One method for addressing this problem is to separate your users into role-based monitoring groups, with higher thresholds for groups who regularly use the tool (such as systems administrators). Also consider that adversaries have adapted to these controls, and obfuscation techniques are becoming more common. Consider how you might identify obfuscated PowerShell commands by entropy, length or behavior. For example, any PowerShell activity which results in a network connection, or creation of a child process may be of interest.

Conclusion

Living off the Land techniques for reconnaissance are a popular choice for adversaries, simply because they are so difficult to detect and block. Defenders have several options available to reduce opportunities but should be mindful of resistance among their users.

Sources

[1] https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2018.pdf

[2] https://github.com/PowerShellMafia/PowerSploit

[3] https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

[4] https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege

[5] https://blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc/