What We Do
How we do it
Resources
SECURITY ADVISORIES
Oct 19, 2021
Hackers Infect Employees of Law Firms, Manufacturing Companies, and Financial Services Orgs. with Increasingly Pervasive Infostealer, SolarMarker
SolarMarker Infects 5X More Corporate Victims Using Over a Million Poisoned WordPress Pages Key Takeaways eSentire has observed a fivefold increase in SolarMarker infections. Prior to September, eSentire’s Threat Response Unit (TRU) detected and shut down one infection per week. Beginning in September, TRU averaged the detection and shutdown of five per week. SolarMarker is a…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Oct 12, 2021
eSentire Launches MDR with Microsoft Azure Sentinel Extending Response Capabilities Across Entire Microsoft Security Ecosystem
Waterloo, ON – Oct. 12, 2021 -- eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), today announced the expansion of its award-winning MDR services with Microsoft Azure Sentinel, as part of its integration with the complete Microsoft 365 Defender and Azure Defender product suites supporting Microsoft SIEM, endpoint, identity, email and cloud security services.…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
PARTNER RESOURCES
Apply today to partner with the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Apr 05, 2018

Living off the land: the reconnaissance phase

This is the first blog post in a series exploring the use of Living Off the Land techniques.

Each blog post will be designed around a different stage of the Cyber Kill Chain framework developed by Lockheed-Martin. This blog post will focus on how widely available tools can be used to facilitate the reconnaissance stage of the Kill Chain.

Living off the Land is an expression which refers to actions taken in pursuit of an objective using minimal custom developed tools or resources. By making use of tools already available in the target network, adversaries can evade conventional detection methods and obscure their activity. Additionally, this technique reduces an adversary’s unique footprint on the target network, meaning less opportunity for defenders to attribute activity to an individual or group. While these techniques pose unique challenges to defenders, they offer an opportunity to gain meaningful insight into adversary activity. This post will cover several common reconnaissance techniques using tools such as PowerShell and WMI, and offer several existing methods for addressing them.

Background

PowerShell is a scripting language designed for task automation and configuration management. In the fourth quarter of 2017, MacAfee identified a 267% increase in malware that made use of PowerShell and a 432% year over year growth [1]. Using PowerShell, attackers can query specific information such as system information, open ports, network configurations, password lockout thresholds and more.

Windows Management Instrumentation (WMI) is a tool used to query management information and remotely manage computer systems in an enterprise environment. Similar to PowerShell, WMI usage is expected in organizations to some degree, making identification of malicious activity difficult.

Case Study

In 2017, eSentire identified an incident where an unknown adversary gained unauthorized access to a customer’s network by leveraging stolen VPN credentials. Once a foothold inside the network was obtained, the adversary located and, using Remote Desktop Protocol, accessed a critical system where endpoint monitoring was present. Here, the adversary was observed using command line tools to discover accounts and remote systems. Systeminfo was used to gather detailed information on the current system. The commands query user,net user [username] and net user/domain were employed to determine:

Within a short period of time, the adversary was able to identify and access the intended target with limited exposure. Visibility into reconnaissance activity allowed responders to make determinations about possible intentions and next target, ultimately reducing the overall time it took to scope and contain the threat.

Additional Information on Common Reconnaissance Tools

The following section demonstrates a variety of PowerShell, WMI and Command line utilities leveraged by adversaries when performing reconnaissance activities.

Figure 1: Gwmi Win32_Group

Gwmi Win32_Group

Administrative Perspective:

Similar to other PowerShell commands, “Gwmi Win32_Group” shows associated groups.

Adversary Use:

This command is used by adversaries to identify users associated with administrative groups. Administrative users will then be targeted for future attacks, as their high permissions make them a valuable target.



Figure 2: Get-wmiobject

Get-wmiobject

Administrative Perspective:

The “get-wmiobject” services command is used to show all services installed on the machine.

Adversary Use:

An adversary may use this information to determine what security software could potentially be installed, allowing the attack to be tailored against the known security infrastructure. This command will also reveal software that can potentially be targeted and if vulnerable, be exploited.


Figure 3: systeminfo

Systeminfo

Administrative Perspective:

Legitimate users may employ the “systeminfo” command to display operating system information including host name, operating system, version, product ID, install date and hardware information for troubleshooting purposes.

The “systeminfo” command is available in both Command Prompt and PowerShell.

Adversary Use:

Malicious actors use this command to identify the operating system on the exploited system and attempt to elevate privileges.


Figure 4: net view and net use

Net view/use

Administrative Perspective:

The “net” command line utility allows users to view available network shares. This information is important for administrators as it allows them to easily record and audit network shares available to users.

Adversary Use:

Attackers use the “net” command to expose available shares accessible to the compromised accounts. They can use this information to insert malware on to shared drives or encrypt the contents.


Figure 5: net user

Net user

Administrative Perspective:

Administrators employ the “net user” command to manage user accounts; this includes adding, removing and renaming accounts.

Adversary Use:

This command can be used by attackers to look for accounts installed across multiple machines. After discerning accounts that are active on various machines, the attacker may then target these machines to perform lateral movement without needing additional compromised credentials. The “net user” command can also be used by adversaries to add users or elevate privileges.



Figure 6: net accounts

Net accounts

Administrative Perspective:

Administrators use the “net accounts” command to view user account login settings, including password length requirements, password expiry time and previous password exclusion.

Adversary Use:

Attackers utilize this information, specifically the lockout threshold, to avoid locking additional accounts out while moving laterally throughout the network.


PowerSploit

PowerSploit is an online repository of PowerShell scripts that are organized for specific attack scenarios [2]. The repository was originally assembled for penetration testing purposes but has been widely misused by malicious actors. Threat actors have been seen to remotely download or manually type out the scripts to avoid suspicion.



Figure 7a: Invoke-PortScan


Figure 7a: Invoke-PortScan

Invoke-PortScan

Adversary Use:

Attackers use the “Invoke-PortScan” command to perform network scans and reveal open ports. In other situations the attacker would have to download a network mapping tool such as Nmap, which is more likely to be discovered.

For additional PowerSploit commands used for reconnaissance, such as get-NetUser, get-NetComputer, get-userproperty and Invoke-ReverseDnsLookup, see the PowerSploit repository on GitHub [2].


Mitigation Strategies

While it might be nearly impossible to completely prevent your tools from being used against you, there are ways to reduce an adversary’s ability to conduct reconnaissance on your network:

Additional Considerations

Every incident, no matter how minor, presents an opportunity to gain a foothold and move laterally throughout the network. Defenders should be aware of potential blind spots in monitoring to ensure they aren’t neglecting dual-purpose tools such as PowerShell or WMI. PowerShell logging is a popular choice but requires tuning to ensure you’re not getting alerted every time a system administrator is working through a ticket. One method for addressing this problem is to separate your users into role-based monitoring groups, with higher thresholds for groups who regularly use the tool (such as systems administrators). Also consider that adversaries have adapted to these controls, and obfuscation techniques are becoming more common. Consider how you might identify obfuscated PowerShell commands by entropy, length or behavior. For example, any PowerShell activity which results in a network connection, or creation of a child process may be of interest.

Conclusion

Living off the Land techniques for reconnaissance are a popular choice for adversaries, simply because they are so difficult to detect and block. Defenders have several options available to reduce opportunities but should be mindful of resistance among their users.


Sources

[1] https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2018.pdf

[2] https://github.com/PowerShellMafia/PowerSploit

[3] https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

[4] https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege

[5] https://blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc/

Red Team
Red Team Penetration Testing Team