How Traffic Analysis Systems Detect Hacker Tactics by MITRE ATT&CK, Part 3



In previous posts (first and second parts), we examined the techniques of five MITRE ATT&CK tactics:

  • initial access;
  • execution;
  • persistence;
  • privilege escalation;
  • defense evasion.

In addition, we showed how our NTA solution can recognize suspicious activity in network traffic. Now we’ll show how our technology detects credential access and discovery techniques.

Credential Access


This tactic includes techniques aimed at stealing data that can be used for authentication (for example, usernames and passwords). Using legitimate accounts helps attackers gain access to systems, create additional accounts to maintain persistence, and makes it harder to detect their presence on the network.

Below are four techniques that can be identified by suspicious activity in traffic.

1. T1110: brute force


A technique for gaining access to services by guessing credentials that are unknown or only partially known. Typically, usernames, passwords or password hashes are guessed.

What PT Network Attack Discovery (PT NAD) does: it automatically detects signs of password guessing against authentication over LDAP, Kerberos, SMB, SSH, SMTP, POP3, POP3S, IMAP, IMAPS and FTP. It also detects attempts to guess credentials for popular web services such as phpMyAdmin, Joomla, WordPress, Drupal, Confluence, MySQL and Tomcat. Such attacks generate a large number of failed authentication attempts, which are visible in the traffic.

2. T1003: credential dumping


Obtaining credentials (usually a hash or a cleartext password) from operating systems or software. We consider this technique in more detail to demonstrate how it is detected in traffic.

What PT NAD does: in one detection example, PT NAD recorded access to the domain controller registry by the hacker utility secretsdump, which is built on modules of the Impacket library. The main purpose of the utility is to obtain user password hashes. Using it, the attackers authenticate to the domain controller over the SMB protocol, connect to the Service Control Manager (SCM), then use the WINREG protocol to connect to the remote registry and copy the required data to a local file. After that, the file is downloaded to the attackers' own network node via SMB.



Identifying a query for the LSA registry key containing the hashes of domain user passwords

In the same session in which PT NAD recorded access to the domain controller registry, it also recorded the transfer of the files into which the secretsdump utility had saved the sensitive data from the domain controller registry. The names of the triggered rules in the PT NAD interface show that the attackers obtained domain user password hashes from LSA and local ones from SAM:



The files that the attackers managed to download are reflected in the session card
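The chain described above (SCM connect, remote-registry save of a sensitive hive, download of the saved file over SMB) can be correlated per session. The following is an added example, not PT NAD code; the event records are constructed, the interface UUIDs and opnums are the values from Microsoft's MS-SCMR and MS-RRP specifications, and the sensor is assumed to have resolved each registry handle back to its key path.

```python
SVCCTL = "367abb81-9844-35f1-ad32-98f038001003"  # Service Control Manager (MS-SCMR)
WINREG = "338cd001-2244-31f1-aaaa-900038001003"  # remote registry (MS-RRP)
ROPENSCMANAGERW, BASEREGSAVEKEY = 15, 20          # opnums in those interfaces
SENSITIVE_HIVES = {"SAM", "SECURITY"}              # local hashes and LSA secrets

def hive_of(key):
    """'HKLM\\SECURITY\\Policy' -> 'SECURITY'; None for uninteresting keys."""
    parts = key.upper().split("\\")
    if len(parts) >= 2 and parts[0] == "HKLM" and parts[1] in SENSITIVE_HIVES:
        return parts[1]
    return None

def detect_credential_dump(events):
    """Return one T1003 alert per SMB session that shows the whole chain:
    SCM opened, a sensitive hive saved to a file, and that file read back."""
    sessions = {}
    for ev in events:
        sessions.setdefault(ev["session"], []).append(ev)
    alerts = []
    for sid, evs in sessions.items():
        rpc = [e for e in evs if e["proto"] == "dcerpc"]
        scm_opened = any(e["iface"] == SVCCTL and e["opnum"] == ROPENSCMANAGERW for e in rpc)
        saved = {}  # hive -> basename of the file BaseRegSaveKey wrote
        for e in rpc:
            if e["iface"] == WINREG and e["opnum"] == BASEREGSAVEKEY and hive_of(e["key"]):
                # assumption: e["key"] is the path the sensor resolved from the
                # handle opened by the earlier BaseRegOpenKey call
                saved[hive_of(e["key"])] = e["file"].rsplit("\\", 1)[-1].lower()
        read_back = {e["path"].rsplit("\\", 1)[-1].lower()
                     for e in evs if e["proto"] == "smb" and e["op"] == "read"}
        hives = sorted(h for h, f in saved.items() if f in read_back)
        if scm_opened and hives:
            alerts.append({"session": sid, "src": evs[0]["src"],
                           "technique": "T1003", "hives": hives})
    return alerts

# Constructed sample: session 1 reproduces the chain; session 2 is a benign
# tool saving a non-sensitive hive with no SCM step and no download.
SAMPLE_EVENTS = [
    {"session": 1, "src": "10.0.0.7", "proto": "dcerpc", "iface": SVCCTL, "opnum": ROPENSCMANAGERW},
    {"session": 1, "src": "10.0.0.7", "proto": "dcerpc", "iface": WINREG, "opnum": BASEREGSAVEKEY,
     "key": "HKLM\\SAM", "file": "C:\\Windows\\Temp\\sam.tmp"},
    {"session": 1, "src": "10.0.0.7", "proto": "dcerpc", "iface": WINREG, "opnum": BASEREGSAVEKEY,
     "key": "HKLM\\SECURITY", "file": "C:\\Windows\\Temp\\sec.tmp"},
    {"session": 1, "src": "10.0.0.7", "proto": "smb", "op": "read", "path": "\\ADMIN$\\Temp\\sam.tmp"},
    {"session": 1, "src": "10.0.0.7", "proto": "smb", "op": "read", "path": "\\ADMIN$\\Temp\\sec.tmp"},
    {"session": 2, "src": "10.0.0.9", "proto": "dcerpc", "iface": WINREG, "opnum": BASEREGSAVEKEY,
     "key": "HKLM\\SOFTWARE", "file": "C:\\Windows\\Temp\\soft.tmp"},
]
```

Requiring all three steps in one session keeps backup agents that only save hives from raising the alert.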

3. T1212: exploitation for credential access


A technique by which an attacker gains access to credentials by exploiting software vulnerabilities.

What PT NAD does: it detects the exploitation of many vulnerabilities in traffic. For example, MS14-068 could be used to forge Kerberos tickets. An attacker requests a ticket of a special type (TGT, Ticket Granting Ticket), adds himself to a privileged group and modifies the ticket so that the vulnerable domain controller accepts it as valid. PT NAD identifies requests for such tickets.

4. T1208: kerberoasting


A method of extracting service account credentials from Active Directory as a regular user. Any domain user can request a Kerberos service ticket (TGS, Ticket Granting Service) for a service in Active Directory. The TGS is encrypted with the password hash of the account under which the target service runs. An attacker who obtains a TGS can then try to decrypt it by guessing the password offline, without fear of account lockout. If successful, the attacker obtains the password of the account associated with the service, which is often privileged.

What PT NAD does: it records requests for listing services in Active Directory that may become attack targets. This stage is necessary for attackers to select a service to attack, and precedes the TGS ticket request and offline guessing. PT NAD also automatically detects TGS ticket requests encrypted with the RC4 algorithm, which is one of the signs of a Kerberoasting attack.
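The two signs named above, SPN enumeration over LDAP followed by service ticket requests that force RC4, can be scored together. This is an added example, not PT NAD code; the LDAP and TGS-REQ records are constructed, and the encryption type numbers (23 for RC4-HMAC, 17 and 18 for AES) are the standard Kerberos values.

```python
RC4 = 23            # rc4-hmac etype
AES = {17, 18}      # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

def spn_enumerators(ldap_searches):
    """Sources whose LDAP filter or attribute list touches servicePrincipalName."""
    hosts = set()
    for s in ldap_searches:
        text = (s["filter"] + " " + " ".join(s["attrs"])).lower()
        if "serviceprincipalname" in text:
            hosts.add(s["src"])
    return hosts

def detect_kerberoasting(ldap_searches, tgs_reqs, min_targets=1):
    """One T1208 alert per source that requested service tickets without
    offering any AES etype, i.e. forcing an RC4-encrypted TGS. Severity is
    raised when the same source also enumerated SPNs over LDAP."""
    enumerators = spn_enumerators(ldap_searches)
    weak = {}   # src -> set of SPNs requested with RC4 only
    for r in tgs_reqs:
        etypes = set(r["etypes"])
        if RC4 in etypes and not etypes & AES:
            weak.setdefault(r["src"], set()).add(r["sname"])
    alerts = []
    for src, spns in sorted(weak.items()):
        if len(spns) >= min_targets:
            alerts.append({"src": src, "technique": "T1208", "spns": sorted(spns),
                           "severity": "high" if src in enumerators else "medium"})
    return alerts

# Constructed sample records (no real hosts or accounts).
SAMPLE_LDAP = [
    {"src": "10.0.0.5", "filter": "(&(objectClass=user)(servicePrincipalName=*))",
     "attrs": ["servicePrincipalName", "sAMAccountName"]},
]
SAMPLE_TGS = [
    {"src": "10.0.0.5", "sname": "MSSQLSvc/db01.corp.local:1433", "etypes": [RC4]},
    {"src": "10.0.0.5", "sname": "http/web01.corp.local", "etypes": [RC4]},
    # a normal Windows client offers AES as well and is not flagged
    {"src": "10.0.0.8", "sname": "cifs/fs01.corp.local", "etypes": [18, 17, RC4]},
]
```

Service accounts that only have RC4 keys produce legitimate RC4-only requests from some clients, so raise min_targets or exclude those SPNs after baselining.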

Discovery


Having gained a foothold and access to a system, attackers need to understand where they are in the infrastructure, what surrounds them and what they can control. During discovery, attackers collect data about the system and the internal network, which helps them navigate the infrastructure and decide how to proceed. Built-in operating system tools are often used for this.
Traffic analysis reveals the use of ten discovery techniques.

1. T1087: account discovery


An attempt to obtain a list of local system or domain accounts.

What PT NAD does: in one detection example, attackers tried to obtain information about domain accounts from a domain controller via LDAP (Lightweight Directory Access Protocol). PT NAD detected the LDAP request. This method of obtaining domain accounts can be attributed both to T1087 (account discovery) and to T1069 (permission groups discovery).



Reconnaissance attempt to obtain domain account information via LDAP

2. T1482: domain trust discovery


Searching for domain trust information. Attackers use such relationships for lateral movement in multi-domain infrastructures.

What PT NAD does: a list of trust relationships between domains can be obtained using RPC and LDAP queries. PT NAD automatically detects attempts to enumerate trusts between domains using the LDAP protocol and the EnumTrustDom RPC call.

3. T1046: network service scanning


An attempt to obtain a list of services running on remote network hosts, typically using port scanners and vulnerability scanners.

What PT NAD does: it detects signs of port and vulnerability scanning tools (for example, the Nmap utility), as well as non-standard requests to well-known ports.

4. T1135: network share discovery


Searching for shared network drives and folders that give access to file directories on various network systems.

What PT NAD does: it detects requests for the list of shared network drives and folders on a remote machine.

5. T1201: password policy discovery


A technique by which an attacker looks for information about the password policy in a company's infrastructure. For example, a policy can set the minimum password length and the number of allowed failed authentication attempts. Knowing the required length helps attackers build a list of suitable common passwords and start dictionary guessing or exhaustive search (T1110: brute force).

What PT NAD does: it automatically detects password policy requests via SAMR.

6. T1069: permission groups discovery


Using this technique, attackers try to find local or domain groups and their access settings. Such information can be used by attackers when choosing a target for an attack.

What PT NAD does: it automatically detects attempts to obtain information about domain groups via LDAP and SAMR. An example of detecting this technique is shown in the screenshot above.

7. T1018: remote system discovery


A technique in which attackers try to obtain a list of systems in the attacked network using remote access tools or built-in system utilities. Systems can be identified by IP address, host name or another identifier, which can later be used to move laterally across the network from the current system.

What PT NAD does: it sees requests for lists of domain controllers, workstations and servers, and of SPNs (Service Principal Names).

8. T1063: security software discovery


A technique in which attackers try to obtain information about installed security systems, their configuration and sensors. One way to get this list is through DCE/RPC requests.

What PT NAD does: it sees DCE/RPC requests. A system user can find all sessions containing such requests and detect attempts to remotely obtain information about security tools.

9. T1033: system owner / user discovery


Using this technique, attackers can identify the main user of a system, the currently logged-in user, the group of users who usually use the system, and how actively the system is used.

What PT NAD does: cybercriminals can obtain a list of active user sessions on a remote host using queries over the SRVSVC protocol. PT NAD automatically detects such requests.

10. T1007: system service discovery


Attackers search for information about registered services.

What PT NAD does: attackers can obtain this kind of information using DCE/RPC network requests. PT NAD automatically detects calls to the Service Control Manager (SCM) over DCE/RPC, including commands that list the services on a remote network host and their running state.
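Most of the discovery techniques above (T1087, T1482, T1135, T1201, T1069, T1018, T1033, T1007) show up in traffic as a specific DCE/RPC call or LDAP filter, so one classifier can cover them. This is an added example, not PT NAD code; the interface UUIDs and opnums are taken from Microsoft's MS-SAMR, MS-LSAD, MS-SRVS and MS-SCMR specifications, and the traffic records are constructed.

```python
SAMR   = "12345778-1234-abcd-ef00-0123456789ac"
LSARPC = "12345778-1234-abcd-ef00-0123456789ab"
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
SVCCTL = "367abb81-9844-35f1-ad32-98f038001003"

# (interface UUID, opnum) -> (call name, ATT&CK technique it usually serves)
RPC_SIGNATURES = {
    (SAMR, 8):    ("SamrQueryInformationDomain", "T1201"),   # password policy for info class 1
    (SAMR, 11):   ("SamrEnumerateGroupsInDomain", "T1069"),
    (SAMR, 13):   ("SamrEnumerateUsersInDomain", "T1087"),
    (LSARPC, 13): ("LsarEnumerateTrustedDomains", "T1482"),  # EnumTrustDom
    (SRVSVC, 12): ("NetrSessionEnum", "T1033"),
    (SRVSVC, 15): ("NetrShareEnum", "T1135"),
    (SVCCTL, 14): ("REnumServicesStatusW", "T1007"),
}
# substrings of a normalised (lower-case, no spaces) LDAP filter -> technique
LDAP_SIGNATURES = [
    ("samaccounttype=805306368", "T1087"), ("objectclass=user", "T1087"),
    ("objectclass=group", "T1069"), ("objectclass=trusteddomain", "T1482"),
    ("objectclass=computer", "T1018"), ("serviceprincipalname=", "T1018"),
]

def classify(record):
    """Return (technique, detail) for one DCE/RPC or LDAP record, else None."""
    if record["proto"] == "dcerpc":
        sig = RPC_SIGNATURES.get((record["iface"].lower(), record["opnum"]))
        return (sig[1], sig[0]) if sig else None
    if record["proto"] == "ldap":
        normalised = record["filter"].lower().replace(" ", "")
        for needle, technique in LDAP_SIGNATURES:
            if needle in normalised:
                return (technique, record["filter"])
    return None

def discovery_report(records):
    """src -> {technique: [matched calls or filters]} over a batch of records."""
    report = {}
    for rec in records:
        hit = classify(rec)
        if hit:
            report.setdefault(rec["src"], {}).setdefault(hit[0], []).append(hit[1])
    return report

# Constructed sample: one host sweeping a DC with the calls named in the text.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "proto": "dcerpc", "iface": SAMR, "opnum": 8},
    {"src": "10.0.0.5", "proto": "ldap", "filter": "(&(objectClass=user)(objectCategory=person))"},
    {"src": "10.0.0.5", "proto": "dcerpc", "iface": LSARPC, "opnum": 13},
    {"src": "10.0.0.5", "proto": "dcerpc", "iface": SRVSVC, "opnum": 12},
    {"src": "10.0.0.5", "proto": "dcerpc", "iface": SVCCTL, "opnum": 14},
    {"src": "10.0.0.9", "proto": "dcerpc", "iface": SVCCTL, "opnum": 16},  # ROpenServiceW, not listed
]
```

Several techniques from one source within a short window is the pattern worth alerting on; a single NetrShareEnum from a file server client is routine.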

Instead of a conclusion


We remind you that the full mapping of PT NAD to the MITRE ATT&CK matrix is published on Habré.

In the following articles, we will cover other hacker tactics and techniques and how the PT Network Attack Discovery NTA system helps to identify them. Stay with us!



Authors :

  • Anton Kutepov, Specialist, PT Expert Security Center Positive Technologies

