Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Meet insurability requirements with MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
This is the first blog post in a series exploring the use of Living Off the Land techniques.
Each blog post will be designed around a different stage of the Cyber Kill Chain framework developed by Lockheed-Martin. This blog post will focus on how widely available tools can be used to facilitate the reconnaissance stage of the Kill Chain.
Living off the Land is an expression which refers to actions taken in pursuit of an objective using minimal custom developed tools or resources. By making use of tools already available in the target network, adversaries can evade conventional detection methods and obscure their activity. Additionally, this technique reduces an adversary’s unique footprint on the target network, meaning less opportunity for defenders to attribute activity to an individual or group. While these techniques pose unique challenges to defenders, they offer an opportunity to gain meaningful insight into adversary activity. This post will cover several common reconnaissance techniques using tools such as PowerShell and WMI, and offer several existing methods for addressing them.
PowerShell is a scripting language designed for task automation and configuration management. In the fourth quarter of 2017, MacAfee identified a 267% increase in malware that made use of PowerShell and a 432% year over year growth [1]. Using PowerShell, attackers can query specific information such as system information, open ports, network configurations, password lockout thresholds and more.
Windows Management Instrumentation (WMI) is a tool used to query management information and remotely manage computer systems in an enterprise environment. Similar to PowerShell, WMI usage is expected in organizations to some degree, making identification of malicious activity difficult.
In 2017, eSentire identified an incident where an unknown adversary gained unauthorized access to a customer’s network by leveraging stolen VPN credentials. Once a foothold inside the network was obtained, the adversary located and, using Remote Desktop Protocol, accessed a critical system where endpoint monitoring was present. Here, the adversary was observed using command line tools to discover accounts and remote systems. Systeminfo was used to gather detailed information on the current system. The commands query user,net user [username] and net user/domain were employed to determine:
Within a short period of time, the adversary was able to identify and access the intended target with limited exposure. Visibility into reconnaissance activity allowed responders to make determinations about possible intentions and next target, ultimately reducing the overall time it took to scope and contain the threat.
The following section demonstrates a variety of PowerShell, WMI and Command line utilities leveraged by adversaries when performing reconnaissance activities.
Figure 1: Gwmi Win32_Group
Similar to other PowerShell commands, “Gwmi Win32_Group” shows associated groups.
This command is used by adversaries to identify users associated with administrative groups. Administrative users will then be targeted for future attacks, as their high permissions make them a valuable target.
Figure 2: Get-wmiobject
The “get-wmiobject” services command is used to show all services installed on the machine.
An adversary may use this information to determine what security software could potentially be installed, allowing the attack to be tailored against the known security infrastructure. This command will also reveal software that can potentially be targeted and if vulnerable, be exploited.
Figure 3: systeminfo
Legitimate users may employ the “systeminfo” command to display operating system information including host name, operating system, version, product ID, install date and hardware information for troubleshooting purposes.
The “systeminfo” command is available in both Command Prompt and PowerShell.
Malicious actors use this command to identify the operating system on the exploited system and attempt to elevate privileges.
Figure 4: net view and net use
The “net” command line utility allows users to view available network shares. This information is important for administrators as it allows them to easily record and audit network shares available to users.
Attackers use the “net” command to expose available shares accessible to the compromised accounts. They can use this information to insert malware on to shared drives or encrypt the contents.
Figure 5: net user
Administrators employ the “net user” command to manage user accounts; this includes adding, removing and renaming accounts.
This command can be used by attackers to look for accounts installed across multiple machines. After discerning accounts that are active on various machines, the attacker may then target these machines to perform lateral movement without needing additional compromised credentials. The “net user” command can also be used by adversaries to add users or elevate privileges.
Figure 6: net accounts
Administrators use the “net accounts” command to view user account login settings, including password length requirements, password expiry time and previous password exclusion.
Attackers utilize this information, specifically the lockout threshold, to avoid locking additional accounts out while moving laterally throughout the network.
PowerSploit is an online repository of PowerShell scripts that are organized for specific attack scenarios [2]. The repository was originally assembled for penetration testing purposes but has been widely misused by malicious actors. Threat actors have been seen to remotely download or manually type out the scripts to avoid suspicion.
Figure 7a: Invoke-PortScan
Figure 7a: Invoke-PortScan
Attackers use the “Invoke-PortScan” command to perform network scans and reveal open ports. In other situations the attacker would have to download a network mapping tool such as Nmap, which is more likely to be discovered.
For additional PowerSploit commands used for reconnaissance, such as get-NetUser, get-NetComputer, get-userproperty and Invoke-ReverseDnsLookup, see the PowerSploit repository on GitHub [2].
While it might be nearly impossible to completely prevent your tools from being used against you, there are ways to reduce an adversary’s ability to conduct reconnaissance on your network:
Every incident, no matter how minor, presents an opportunity to gain a foothold and move laterally throughout the network. Defenders should be aware of potential blind spots in monitoring to ensure they aren’t neglecting dual-purpose tools such as PowerShell or WMI. PowerShell logging is a popular choice but requires tuning to ensure you’re not getting alerted every time a system administrator is working through a ticket. One method for addressing this problem is to separate your users into role-based monitoring groups, with higher thresholds for groups who regularly use the tool (such as systems administrators). Also consider that adversaries have adapted to these controls, and obfuscation techniques are becoming more common. Consider how you might identify obfuscated PowerShell commands by entropy, length or behavior. For example, any PowerShell activity which results in a network connection, or creation of a child process may be of interest.
Living off the Land techniques for reconnaissance are a popular choice for adversaries, simply because they are so difficult to detect and block. Defenders have several options available to reduce opportunities but should be mindful of resistance among their users.
Sources
[1] https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2018.pdf
[2] https://github.com/PowerShellMafia/PowerSploit
[4] https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege