By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila
As we laid out in our introduction, The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. This first post will focus on hunting for Internal Reconnaissance. Before we dive into the specifics of how to do this, let’s briefly review the two major models that we’ll be referencing over the course of the series.
The first is the Threat Hunting Loop, which outlines a process for threat hunting. As a loop, it is specifically meant to be repeated continually.
Hunters create hypotheses to drive their investigations, which are then carried out via tools and techniques. Over the course of an investigation, hunters look for specific patterns or Tactics, Techniques, and Procedures (TTPs) that might inform them of potential compromises. If a TTP is identified, a hunter will document it and export it to a Threat Intelligence Platform or other systems. The analyst will also update or create new analytics to ensure that the next time a similar attack occurs it will be discovered automatically and a hunt will not be necessary.
An important mantra to remember is that finding a specific threat is only one of the goals of hunting. The other goal is to build persistent defenses that continuously adapt to adversary tactics. You do not hunt only to find new incidents; you also hunt to find new ways of finding new incidents.
To orient a hunt, another useful model is the Cyber Kill Chain.
In case you’re not familiar with it already, the kill chain outlines the steps that attackers may take in order to carry out a full attack. By aligning malicious behaviors to the various steps of the kill chain, hunters can keep track of the “big picture” and prioritize their efforts to where they have detection gaps within the kill chain.
Understanding Internal Reconnaissance
Internal reconnaissance belongs to the 7th and final step of the kill chain: Actions on Objectives. Internal reconnaissance is the process of collecting internal information about a target network so that an attacker can move through the network more effectively and conduct further activities.
Note: This diagram represents a workflow that attackers commonly use during the Actions on Objectives phase. The workflow is not representative of all attack scenarios and certain steps (represented by dotted lines) may be skipped.
There are several methods and techniques by which an attacker might carry out internal reconnaissance, including the enumeration of hosts, networks, and processes. Each consists of listing the information an attacker needs to understand where they have landed on a network and to plan their next move.
Host enumeration
Host enumeration is an attempt to determine details about the local host, which includes establishing an understanding of the local user context and the local host configuration. User context lets you, as an attacker, know what user you are logged in as and what privileges are allotted to you. Local host configuration includes information about the host itself, such as its hostname and IP address.
The commands used by attackers for host enumeration will depend on the operating system, but will commonly include:
| OS | Category | Commands |
|---|---|---|
| Windows | User context | `whoami /all`, `net user`, `Useraccount` (WMIC) |
| Windows | System config | `Get-NetIPConfiguration` (PowerShell), `hostname`, `ipconfig`, `Nicconfig` (WMIC) |
| Mac | User context | `whoami`, `id` |
| Mac | System config | `hostname`, `ifconfig` |
| Linux | User context | `whoami`, `id` |
| Linux | System config | `hostname`, `ifconfig` |
It’s important to note that this is not an exhaustive list of commands that an attacker might run for host enumeration, but these are the most common.
Network enumeration
Network enumeration establishes what other hosts are remotely accessible from the local host. Once attackers have compromised an initial host, they need to determine how to move around the network and where they can go. Network enumeration lets you, as an attacker, see what access the host you are on has to remote shares and what active connections there are to other systems and assets.
The commands used by attackers for network enumeration will depend on the operating system, but will commonly include:
| OS | Commands |
|---|---|
| Windows | `net view`, `netstat`, `net use`, `\Device\NPF_{` (packet capture) |
| Mac | `mount`, `netstat` |
| Linux | `mount`, `netstat` |
In addition to these simple, common commands used for network enumeration, attackers will also attempt more involved actions to scope the surrounding network and determine what connections are available to them. These behaviors include:
- Address scanning
  - Consists of validating network connections from the local host to multiple remote hosts
- Port scanning
  - Consists of validating network connections from the local host to a remote host via multiple ports
These behaviors will not be executed by a specific command like those listed above, but might be carried out via specific tools or sometimes custom scripts.
Example tools used for carrying out these actions include nmap, ipscan, and nbtscan.
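Address and port scanning are visible in connection telemetry rather than in process command lines, so a hunter typically counts distinct destinations per source over a short window. The following Python script is an added example, not code from the original post or from Sqrrl: it runs both checks over a constructed connection log. The thresholds (20 hosts, 15 ports) and the 5-minute window are assumptions for illustration and should be tuned against what normal clients in the hunted network actually do.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds and window are assumptions for this example; tune them to the
# network being hunted (how many hosts/ports a normal client touches in 5 minutes).
ADDRESS_SCAN_THRESHOLD = 20   # distinct destination hosts from one source
PORT_SCAN_THRESHOLD = 15      # distinct destination ports from one source to one host
WINDOW = timedelta(minutes=5)


def max_distinct_in_window(events, window):
    """events: iterable of (timestamp, value). Return the largest number of
    distinct values seen inside any sliding window of length `window`."""
    events = sorted(events)
    seen = Counter()      # value -> occurrences currently inside the window
    best = left = 0
    for ts, value in events:
        seen[value] += 1
        while ts - events[left][0] > window:   # expire events older than the window
            old = events[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best


def find_address_scans(conns, threshold=ADDRESS_SCAN_THRESHOLD, window=WINDOW):
    """Address scan: one source contacting many distinct hosts in a short window.
    Returns {source: peak distinct destination count} for sources at or over threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, _dport in conns:
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            hits[src] = peak
    return hits


def find_port_scans(conns, threshold=PORT_SCAN_THRESHOLD, window=WINDOW):
    """Port scan: one source probing many distinct ports on one host.
    Returns {(source, destination): peak distinct port count}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in conns:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, events in by_pair.items():
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            hits[pair] = peak
    return hits


def build_sample_connections():
    """Constructed connection log of (timestamp, src, dst, dst_port); not real traffic."""
    base = datetime(2017, 3, 1, 9, 0, 0)
    conns = []
    # A host sweeping 30 neighbours on SMB within one minute (address scan)
    for i in range(1, 31):
        conns.append((base + timedelta(seconds=2 * i), "10.0.0.5", f"10.0.1.{i}", 445))
    # The same host then probing 25 ports on one of them (port scan)
    for p in range(1, 26):
        conns.append((base + timedelta(minutes=2, seconds=p), "10.0.0.5", "10.0.1.1", p))
    # A workstation talking to a file server, a directory server and a proxy (benign)
    for i, (dst, port) in enumerate([("10.0.2.10", 445), ("10.0.2.11", 389), ("10.0.2.12", 8080)]):
        conns.append((base + timedelta(minutes=i), "10.0.0.7", dst, port))
    return conns


if __name__ == "__main__":
    sample = build_sample_connections()
    print("address scans:", find_address_scans(sample))
    print("port scans:", find_port_scans(sample))
```

The sliding window keeps the check cheap on large logs, and the same helper serves both rules: an address scan is "many distinct destinations per source", a port scan is "many distinct ports per source/destination pair". On the sample, only `10.0.0.5` trips either rule; the workstation's three ordinary connections stay below both thresholds.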
Process enumeration
This attempts to establish what processes are running on the local host and the surrounding hosts. Attackers have several reasons for doing this, including trying to establish what software may impede their progress (such as antivirus software), or what programs may be used for privilege escalation (such as the occurrence of unquoted paths, which may allow the attacker to run arbitrary executables). Attackers may also want to determine what software may be commonly run on the network so that they can hide their activities as normal network traffic and/or analyze the software for potential exploits.
The commands used by attackers for process enumeration will depend on whether the attacker is looking for specific services (i.e. critical processes that run at startup and in the background) or general processes.
Commands for identifying services, based on operating system, include but are not limited to:
| OS | Commands |
|---|---|
| Windows | `net start`, `sc query`, `gsv` (PowerShell), `Get-Service` (PowerShell), `service` (WMIC) |
| Mac | `launchctl list` |
| Linux | `service --status-all`, `initctl list` |
Commands for identifying running processes, based on operating system, include but are not limited to:
| OS | Commands |
|---|---|
| Windows | `tasklist`, `Get-Process` (PowerShell), `gps` (PowerShell), `process` (WMIC) |
| Mac | `ps -A` |
| Linux | `ps -A` |
Commands for identifying scheduled processes, based on operating system, include but are not limited to:
| OS | Commands |
|---|---|
| Windows | `at`, `schtasks /query`, `Get-ScheduledTask` (PowerShell), `Get-ScheduledJob` (PowerShell), `job` (WMIC) |
| Mac | `crontab -l` |
| Linux | `crontab -l` |
Example hypotheses/sub-hypotheses
As laid out in the hunting loop, developing hypotheses is the key to the beginning of every hunt. Developing hypotheses to hunt for internal reconnaissance consists of using the knowledge of the tools and TTPs that attackers may use (laid out above) and attempting to determine how an attacker will use them and in what way. In other words, a hypothesis attempts to apply intelligence to an analysis of the tools and TTPs in order to differentiate their use by normal users and by attackers.
There are many kinds of hypotheses that might be developed to hunt for internal reconnaissance. One example hypothesis, taking into account the knowledge of the tools and TTPs outlined above, is the following:
Attackers conducting internal reconnaissance will leave behind artifacts related to enumeration activity.
An analyst should follow up a hypothesis like this with sub-hypotheses. These might include (but are not limited to):
- Attackers conducting internal reconnaissance may attempt to automate these commands
  - Look for the commands to be executed by batch scripts and PowerShell scripts on Windows hosts and shell scripts on Mac/Linux hosts
- Attackers conducting internal reconnaissance may use these commands during abnormal business hours
  - Define "normal" business hours, then look for usage during abnormal business times
- Attackers conducting internal reconnaissance may use these commands on hosts that do not typically run these commands
  - Look for artifacts on hosts that do not typically run the commands
This kind of hypothesis (and its associated sub-hypotheses) can apply to all three types of enumeration.
Other hypotheses may be more specific to certain enumeration types. One example of this is a hypothesis like:
Attackers will leave behind specific network enumeration artifacts that I can use to identify attackers conducting internal reconnaissance.
A sub-hypothesis in this case might focus on specific artifacts:
- An attacker conducting internal reconnaissance may leave behind artifacts related to packet capture tools (WinPcap)
  - Look for processes interacting with `\Device\NPF_{` on the command line. These may be processes sniffing a local network interface on the host
  - Look for service activity related to `npf` (`net start npf`). WinPcap utilizes a Netgroup Packet Filter (NPF) driver for accessing packet data; access to this driver may indicate network sniffing
This kind of hypothesis is specific to network enumeration, but can be more useful than a general hypothesis depending on the situation. It is possible to have other enumeration-specific hypotheses, but they are generally less common.
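To show how the general hypothesis, its three sub-hypotheses, and the WinPcap/NPF sub-hypothesis above turn into something that can be run over process-creation telemetry, here is an added Python example; it is not code from the original post or from Sqrrl. It classifies command lines into the host, network, and process enumeration types using the commands from the tables in this post, then tags each match with the sub-hypotheses it satisfies: launched from a script (`.bat`, `.cmd`, `.ps1`, `.sh` in the parent command line), run outside an assumed 08:00 to 18:00 weekday window, or run on a host that has no baseline for that enumeration type. The events, the baseline, and the business-hours window are all constructed assumptions for the example.

```python
import re
from datetime import datetime, time

# Enumeration commands from the tables in this post, grouped by enumeration type.
# Patterns run against the lowercased command line, so one rule set covers
# Windows, Mac and Linux telemetry.
ENUMERATION_PATTERNS = {
    "host": [
        r"\bwhoami\b", r"\bnet\s+user\b", r"\bwmic\s+useraccount\b",
        r"\bget-netipconfiguration\b", r"\bhostname\b", r"\bipconfig\b",
        r"\bwmic\s+nicconfig\b", r"\bifconfig\b", r"(^|\s)id(\s|$)",
    ],
    "network": [
        r"\bnet\s+view\b", r"\bnetstat\b", r"\bnet\s+use\b", r"\bmount\b",
        r"\\device\\npf_\{",                      # WinPcap packet capture handle
    ],
    "process": [
        r"\bnet\s+start\b", r"\bsc\s+query\b", r"\bget-service\b", r"(^|\s)gsv(\s|$)",
        r"\bwmic\s+service\b", r"\blaunchctl\s+list\b", r"\bservice\s+--status-all\b",
        r"\binitctl\s+list\b", r"\btasklist\b", r"\bget-process\b", r"(^|\s)gps(\s|$)",
        r"\bwmic\s+process\b", r"\bps\s+-a\b", r"\bschtasks\s+/query\b", r"(^|\s)at(\s|$)",
        r"\bget-scheduledtask\b", r"\bget-scheduledjob\b", r"\bwmic\s+job\b", r"\bcrontab\s+-l\b",
    ],
}

# Artifacts for the WinPcap/NPF sub-hypothesis
NPF_PATTERNS = [r"\\device\\npf_\{", r"\bnet\s+start\s+npf\b"]

# Constructed process-creation events (not real telemetry). A real feed would be
# Sysmon event 1, Windows 4688 with command-line auditing, auditd, or similar.
SAMPLE_EVENTS = [
    {"host": "WKS-01", "user": "alice", "timestamp": datetime(2017, 3, 1, 10, 15),
     "parent_command_line": "explorer.exe", "command_line": "ipconfig /all"},
    {"host": "WKS-07", "user": "bob", "timestamp": datetime(2017, 3, 2, 2, 30),
     "parent_command_line": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\recon.bat",
     "command_line": "net view"},
    {"host": "WKS-07", "user": "bob", "timestamp": datetime(2017, 3, 2, 2, 30, 5),
     "parent_command_line": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\recon.bat",
     "command_line": "whoami /all"},
    {"host": "WKS-07", "user": "bob", "timestamp": datetime(2017, 3, 2, 2, 31),
     "parent_command_line": "cmd.exe", "command_line": "net start npf"},
    {"host": "WKS-01", "user": "alice", "timestamp": datetime(2017, 3, 1, 10, 16),
     "parent_command_line": "explorer.exe", "command_line": "notepad.exe notes.txt"},
]

# Constructed baseline: (host, enumeration type) pairs seen during a known-good period.
BASELINE = {("WKS-01", "host"), ("ADMIN-JUMP", "network"), ("ADMIN-JUMP", "process")}


def classify(command_line):
    """Return the set of enumeration types a command line matches (empty if none)."""
    text = command_line.lower()
    return {kind for kind, patterns in ENUMERATION_PATTERNS.items()
            if any(re.search(p, text) for p in patterns)}


def is_scripted(event):
    """Sub-hypothesis 1: the command was launched by a batch, PowerShell or shell script."""
    return re.search(r"\.(bat|cmd|ps1|sh)\b", event["parent_command_line"].lower()) is not None


def is_off_hours(ts, start=time(8), end=time(18)):
    """Sub-hypothesis 2: outside the assumed business window, or on a weekend."""
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def is_npf_artifact(command_line):
    """Network-specific sub-hypothesis: WinPcap NPF driver handle or service start."""
    text = command_line.lower()
    return any(re.search(p, text) for p in NPF_PATTERNS)


def hunt(events, baseline):
    """Apply the hypothesis (enumeration artifacts) and tag each hit with the
    sub-hypotheses it satisfies; sub-hypothesis 3 fires when the host has no
    baseline entry for that enumeration type."""
    findings = []
    for ev in events:
        kinds = classify(ev["command_line"])
        if not kinds:
            continue
        reasons = []
        if is_scripted(ev):
            reasons.append("scripted")
        if is_off_hours(ev["timestamp"]):
            reasons.append("off-hours")
        if any((ev["host"], k) not in baseline for k in kinds):
            reasons.append("unusual-host")
        if is_npf_artifact(ev["command_line"]):
            reasons.append("npf-driver")
        findings.append({"host": ev["host"], "user": ev["user"],
                         "command_line": ev["command_line"],
                         "kinds": sorted(kinds), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, BASELINE):
        print(f["host"], f["user"], f["kinds"], f["reasons"], "|", f["command_line"])
```

The `ipconfig /all` on WKS-01 still matches the general hypothesis but carries no reasons, which is the expected shape of a benign hit: the value of the sub-hypotheses is in ranking, so an analyst reviews WKS-07 (scripted, off-hours, unseen host, NPF service start) first. Single-word patterns such as `at` and `id` are noisy on their own; in practice they earn their place only in combination with the other reasons.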
With a hypothesis formulated, an analyst would be ready to begin hunting for internal reconnaissance with the right datasets and techniques. In part 2 of this post, we will take a look at which datasets work best and what techniques can be used to effectively find cases of internal reconnaissance in your network.