This is the first blog post in a series exploring the use of Living Off the Land techniques.
Each blog post will be designed around a different stage of the Cyber Kill Chain framework developed by Lockheed-Martin. This blog post will focus on how widely available tools can be used to facilitate the reconnaissance stage of the Kill Chain.
Living off the Land is an expression which refers to actions taken in pursuit of an objective using minimal custom developed tools or resources. By making use of tools already available in the target network, adversaries can evade conventional detection methods and obscure their activity. Additionally, this technique reduces an adversary’s unique footprint on the target network, meaning less opportunity for defenders to attribute activity to an individual or group. While these techniques pose unique challenges to defenders, they offer an opportunity to gain meaningful insight into adversary activity. This post will cover several common reconnaissance techniques using tools such as PowerShell and WMI, and offer several existing methods for addressing them.
PowerShell is a scripting language designed for task automation and configuration management. In the fourth quarter of 2017, MacAfee identified a 267% increase in malware that made use of PowerShell and a 432% year over year growth . Using PowerShell, attackers can query specific information such as system information, open ports, network configurations, password lockout thresholds and more.
Windows Management Instrumentation (WMI) is a tool used to query management information and remotely manage computer systems in an enterprise environment. Similar to PowerShell, WMI usage is expected in organizations to some degree, making identification of malicious activity difficult.
In 2017, eSentire identified an incident where an unknown adversary gained unauthorized access to a customer’s network by leveraging stolen VPN credentials. Once a foothold inside the network was obtained, the adversary located and, using Remote Desktop Protocol, accessed a critical system where endpoint monitoring was present. Here, the adversary was observed using command line tools to discover accounts and remote systems. Systeminfo was used to gather detailed information on the current system. The commands query user,net user [username] and net user/domain were employed to determine:
- If the target has an account on the machine
- Other machines the target had accessed
Within a short period of time, the adversary was able to identify and access the intended target with limited exposure. Visibility into reconnaissance activity allowed responders to make determinations about possible intentions and next target, ultimately reducing the overall time it took to scope and contain the threat.
Additional Information on Common Reconnaissance Tools
The following section demonstrates a variety of PowerShell, WMI and Command line utilities leveraged by adversaries when performing reconnaissance activities.
Similar to other PowerShell commands, “Gwmi Win32_Group” shows associated groups.
This command is used by adversaries to identify users associated with administrative groups. Administrative users will then be targeted for future attacks, as their high permissions make them a valuable target.
The “get-wmiobject” services command is used to show all services installed on the machine.
An adversary may use this information to determine what security software could potentially be installed, allowing the attack to be tailored against the known security infrastructure. This command will also reveal software that can potentially be targeted and if vulnerable, be exploited.
Legitimate users may employ the “systeminfo” command to display operating system information including host name, operating system, version, product ID, install date and hardware information for troubleshooting purposes.
The “systeminfo” command is available in both Command Prompt and PowerShell.
Malicious actors use this command to identify the operating system on the exploited system and attempt to elevate privileges.
The “net” command line utility allows users to view available network shares. This information is important for administrators as it allows them to easily record and audit network shares available to users.
Attackers use the “net” command to expose available shares accessible to the compromised accounts. They can use this information to insert malware on to shared drives or encrypt the contents.
Administrators employ the “net user” command to manage user accounts; this includes adding, removing and renaming accounts.
This command can be used by attackers to look for accounts installed across multiple machines. After discerning accounts that are active on various machines, the attacker may then target these machines to perform lateral movement without needing additional compromised credentials. The “net user” command can also be used by adversaries to add users or elevate privileges.
Administrators use the “net accounts” command to view user account login settings, including password length requirements, password expiry time and previous password exclusion.
Attackers utilize this information, specifically the lockout threshold, to avoid locking additional accounts out while moving laterally throughout the network.
PowerSploit is an online repository of PowerShell scripts that are organized for specific attack scenarios . The repository was originally assembled for penetration testing purposes but has been widely misused by malicious actors. Threat actors have been seen to remotely download or manually type out the scripts to avoid suspicion.
Attackers use the “Invoke-PortScan” command to perform network scans and reveal open ports. In other situations the attacker would have to download a network mapping tool such as Nmap, which is more likely to be discovered.
For additional PowerSploit commands used for reconnaissance, such as get-NetUser, get-NetComputer, get-userproperty and Invoke-ReverseDnsLookup, see the PowerSploit repository on GitHub .
While it might be nearly impossible to completely prevent your tools from being used against you, there are ways to reduce an adversary’s ability to conduct reconnaissance on your network:
- Implement Microsoft’s PAM 
- Follow the concept of Least-Privilege 
- Monitor logon failures
- Obfuscate all security appliance and high value asset host names
- Enable PowerShell logging 
- Isolate VLANs based on user requirements
Every incident, no matter how minor, presents an opportunity to gain a foothold and move laterally throughout the network. Defenders should be aware of potential blind spots in monitoring to ensure they aren’t neglecting dual-purpose tools such as PowerShell or WMI. PowerShell logging is a popular choice but requires tuning to ensure you’re not getting alerted every time a system administrator is working through a ticket. One method for addressing this problem is to separate your users into role-based monitoring groups, with higher thresholds for groups who regularly use the tool (such as systems administrators). Also consider that adversaries have adapted to these controls, and obfuscation techniques are becoming more common. Consider how you might identify obfuscated PowerShell commands by entropy, length or behavior. For example, any PowerShell activity which results in a network connection, or creation of a child process may be of interest.
Living off the Land techniques for reconnaissance are a popular choice for adversaries, simply because they are so difficult to detect and block. Defenders have several options available to reduce opportunities but should be mindful of resistance among their users.