ATT&CK Series: Discovery


Account Discovery and Network Service Scanning 


Modern information technology has rocketed the business sector to impressive heights, as innovative devices and software solutions are implemented every day. This is creating new business opportunities and improving efficiency while simplifying the way companies do business. However, the downside to these ever-changing system and software environments is that the attack surface also substantially grows.


In this blog post, we will look at ATT&CK’s Discovery Phase techniques and tactics from an adversarial perspective. We will cover two techniques commonly used by adversaries to enumerate enterprise networks looking for critical security flaws within systems and applications. Additionally, we will detail the dangers of some widely used native Operating System (OS) functions. It is essential to stay up to date with techniques attackers use for discovery and triage as this is not an all-encompassing list and the enterprise attack surface is always evolving.




T1046 – Network Service Scanning


A crucial aspect of any network’s security posture is the number of listening services available on each host, whether internal to the network or exposed to the public Internet. Generally, more listening services are observed on internal networks because operating systems rely on specific services for host communication and traffic. Although this adds simplicity, it can greatly increase the attack surface, or avenues of approach, for a would-be attacker. Native Windows services such as the Server Message Block (SMB) protocol are tied to multiple exploits that can lead to Remote Code Execution (RCE) and administrative takeover of critical assets.


When it comes to Linux, certain services allow unlimited password guessing attempts, which lets an attacker conduct brute force attacks against the given service. Understanding which services are necessary for business requirements while maintaining a strong network security posture is a delicate balance. Network service scanning is an integral part of initial reconnaissance and triage, and there is no shortage of tools that can quickly and efficiently scan an entire network.


What’s the Risk?
As mentioned above, having unnecessary services exposed expands the avenues of approach that an intruder can take to achieve their end goals. System compromise often happens when assets expose services running outdated versions, which are likely linked to publicly available exploits.


How to Mitigate
First and foremost, a primary preventative measure against network scanning is determining business requirements for all exposed services and ensuring all unnecessary ports and services are closed or accessible only by authorized devices. Next, implementing proper segmentation is vital to protecting critical assets from being initially seen or scanned. Finally, a properly configured IDS/IPS can be implemented to catch mass scan activity within the network, either preventing it or detecting it, with deconfliction from valid network scans.
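The detection side of that last point, as an added example that is not part of the original post: a sliding-window check that flags any source touching many distinct host and port pairs, and deconflicts an approved scanner. The log format, window, threshold and all addresses are assumptions made for illustration.

```python
"""Flag sources that touch many distinct host:port pairs in a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # assumed sliding window
THRESHOLD = 20                      # assumed distinct (host, port) targets per window
AUTHORIZED_SCANNERS = {"10.0.9.5"}  # assumed address of the approved vulnerability scanner


def parse(line):
    """Parse 'ISO-timestamp src dst dport' into typed fields."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scans(lines):
    """Return {src: 'alert' | 'authorized'} for sources reaching THRESHOLD."""
    recent = defaultdict(deque)  # src -> (ts, (dst, dport)) entries inside the window
    verdicts = {}
    for ts, src, dst, dport in sorted(parse(l) for l in lines if l.strip()):
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()  # drop connections that have aged out of the window
        if len({target for _, target in q}) >= THRESHOLD:
            # Deconfliction: an approved scanner is recorded but does not alert.
            verdicts[src] = "authorized" if src in AUTHORIZED_SCANNERS else "alert"
    return verdicts


def sample_flows():
    """Constructed flow records: two sweeps of one port plus normal client traffic."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    rows = []
    for i in range(30):  # one probe per second across 30 hosts, from two sources
        ts = (base + timedelta(seconds=i)).isoformat()
        rows.append(f"{ts} 10.0.5.20 10.0.1.{i + 1} 445")  # unknown host
        rows.append(f"{ts} 10.0.9.5 10.0.1.{i + 1} 445")   # approved scanner
    for i in range(30):  # workstation reusing a single file server
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        rows.append(f"{ts} 10.0.5.31 10.0.1.10 445")
    return rows


if __name__ == "__main__":
    for src, verdict in detect_scans(sample_flows()).items():
        print(src, verdict)
```

Counting distinct targets rather than raw connections keeps the busy workstation, which talks to one server many times, from being flagged.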


T1087 – Account Discovery


One of the first things an attacker does when landing on a new system is identify what account (domain or local) they have control over and the privileges that come with it. In both Windows and Linux systems, this initial reconnaissance is vital to getting a “lay of the land” on the compromised system and the rest of the network. Below we will discuss a few different ways (in Windows and Linux) Account Discovery can aid in post-exploitation and lateral movement.


First, when it comes to learning about the Windows domain, users can execute LDAP queries and net commands to gain a plethora of information. Users, as well as the groups they are in, and the associated privileges of those groups, can detail a great deal of information and allow an attacker to prioritize which accounts to target. For example, domain accounts generally have the highest privilege and can cause crippling damage to a network should one be obtained for adversarial purposes. This is also where identifying groups can come in handy for an attacker and their aligned goals. If the goal of an intrusion is to compromise sensitive data (e.g., Personally Identifiable Information (PII) or other damaging information), users in groups such as Finance, HR, and Accounting may demonstrate the same impact, and in some cases can be easier to compromise than a Domain Administrator account.  


Next, we have Linux, which differs significantly from Windows; for Account Discovery, however, the general concepts are the same. A Linux user can use the “id” and “groups” commands to enumerate accounts and see what privileges they possess. Any user can query the /etc/passwd file to gather a list of users and the associated privileges. Linux defines privileges as “Read, Write, Execute” (RWX), and having one, or a combination of these, determines the level of access a given user has. Generally, the highest account in a Linux system, root, has full RWX over all files. These tend to be the targeted accounts to compromise because they have access to all configuration files, which may contain sensitive information aligned with intrusion objectives. The root account also has access to the /etc/shadow file, which contains all hashed passwords for users on the Linux system. If an attacker is looking to target a certain user and they have root privileges, they can dump the password hash and attempt to crack the password. All in all, it is uncommon to find general Linux users in a Windows environment. Most Linux systems are server related or serve a specific purpose, which in some cases makes them even more of a critical asset.


What’s the Risk?
The risk of Account Discovery can be detrimental in both Windows and Linux. It is one of the first triage steps during initial reconnaissance and aids an attacker in the prioritization of which accounts to target. This can streamline the process to fulfill the goals of an intrusion, as some accounts will have administrative access across a Windows domain and, in the case of Linux, a compromised root account on a critical asset could greatly affect an organization. 


How to Mitigate
While mitigating Account Discovery for both Windows and Linux is not foolproof, there are things you can do to thwart or catch malicious activity associated with it. For Windows, ensuring users do not have unnecessary privileges is an absolute must. For accounts with administrative access across the domain, or accounts with access to sensitive resources, strong password complexity must be used. Additionally, default Active Directory security settings should be changed to meet industry-standard best practices.


With Linux, ensure that the root account, along with other accounts on the system, is secured with a strong password. In the event the /etc/shadow file is compromised, it will be very difficult to crack a strong password. Lastly, enterprises can implement threat detection software, which essentially builds a baseline for users and will alert on or highlight any unusual behavior. The downside of this solution is that a baseline must be established for a user before anomalous behavior can be detected.
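A hardening check for the Linux account points above, as an added example that is not part of the original post: it parses /etc/passwd and /etc/shadow content and reports extra UID 0 accounts, empty password fields and weak hash schemes. The account names and placeholder hashes are constructed, and the choice of which schemes count as weak is an assumption.

```python
"""Audit passwd/shadow content for weak account configuration."""

# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svcbackup:x:0:0:backup job:/var/backup:/bin/sh
legacy:x:1001:1001::/home/legacy:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$SALT$PLACEHOLDER:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$SALT$PLACEHOLDER:19700:0:99999:7:::
svcbackup:$6$SALT$PLACEHOLDER:19700:0:99999:7:::
legacy:$1$SALT$PLACEHOLDER:15000:0:99999:7:::
guest::19700:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def audit_accounts(passwd_text, shadow_text):
    """Return a sorted list of (account, finding) tuples."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pw_field = line.split(":")[:2]
            shadow[name] = pw_field
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        pw_field = shadow.get(name)
        # Skip accounts that cannot log in with a password ('!' or '*' = locked).
        if pw_field is None or shell in NOLOGIN_SHELLS or pw_field.startswith(("!", "*")):
            continue
        if pw_field == "":
            findings.append((name, "empty password field"))
        elif pw_field.startswith("$1$"):  # crypt(3) scheme ID for MD5-crypt
            findings.append((name, "weak hash scheme MD5-crypt"))
        elif not pw_field.startswith("$"):  # no scheme ID: traditional DES crypt
            findings.append((name, "legacy DES-crypt hash"))
    return sorted(findings)
```

On a live host the two arguments are the contents of /etc/passwd and /etc/shadow, so the audit itself has to run as root.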


These are just a few mitigation efforts to take against Account Discovery. In the end, even slowing down an attacker’s effort in this critical step of reconnaissance can allow time for incident management to discover an intrusion.




Together, these techniques make up a large portion of the initial reconnaissance and triage commonly seen in today’s network compromises.


The overall takeaways are:


  1. Maintain constant awareness of evolving attack techniques and tools.
  2. Utilizing native functions of operating systems continues to be a common attack vector, as it blends with the environment and is difficult to detect.
  3. Ensure critical assets are properly hardened according to industry standards, including limiting exposed services, before they are deployed into enterprise networks.


The techniques covered in this post only scratch the surface of the various methods of discovery and reconnaissance the attackers of today use. Staying current is a sure way to be one step ahead of a would-be intruder. This series will continue to cover various ATT&CK techniques and tactics currently in use, to provide security departments with both knowledge on risk to networks and respective possible mitigation strategies.





Aaron Martin
Security Consultant | Optiv
Aaron Martin is a security consultant in Optiv’s Advisory Services practice on the attack and penetration (A&P) team. Aaron’s role is to provide consulting to Optiv’s clients with expertise in penetration testing. He is an experienced information systems security practitioner who specializes in penetration testing, computer network exploitation and computer network defense.