Sqrrl Blog

Nov 3, 2016 3:00:00 PM

The Hunter’s Den: Internal Reconnaissance (Part 1)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

As we laid out in our introduction, The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. This first post will focus on hunting for Internal Reconnaissance. Before we dive into the specifics of how to do this, let’s briefly review the two major models that we’ll be referencing over the course of the series.

The first is the Threat Hunting Loop, which outlines a process for threat hunting. As a loop, it is specifically meant to be repeated continually.

[Figure: Threat Hunting Loop]

Hunters create hypotheses to drive their investigations, which are then carried out via tools and techniques. Over the course of an investigation, hunters look for specific patterns or Tactics, Techniques, and Procedures (TTPs) that might inform them of potential compromises. If a TTP is identified, a hunter will document it and export it to a Threat Intelligence Platform or other systems. The analyst will also update or create new analytics to ensure that the next time a similar attack occurs it will be discovered automatically and a hunt will not be necessary.

An important mantra to remember is that finding a specific threat is only one of the goals of hunting. The other goal is to build persistent defenses that continuously adapt to adversary tactics. You do not hunt only to find new incidents; you also hunt to find new ways of finding new incidents.

To orient a hunt, another useful model is the Cyber Kill Chain.

[Figure: Sqrrl Cyber Kill Chain]

In case you’re not familiar with it already, the kill chain outlines the steps that attackers may take in order to carry out a full attack. By aligning malicious behaviors to the various steps of the kill chain, hunters can keep track of the “big picture” and prioritize their efforts to where they have detection gaps within the kill chain.

Understanding Internal Reconnaissance

Internal reconnaissance belongs to the 7th and final step of the kill chain: Act on Objectives. Internal reconnaissance is the process of collecting internal information about a target network, so that an attacker can more effectively move through the network and conduct further activities.

[Figure: Kill Chain step 7, Actions on Objectives workflow]
Note: This diagram represents a workflow that attackers commonly use during the Actions on Objectives phase. The workflow is not representative of all attack scenarios and certain steps (represented by dotted lines) may be skipped.

There are several methods and techniques by which an attacker might try to carry out internal reconnaissance, including the enumeration of hosts, networks, and processes. This consists of listing all relevant information to develop an understanding of where the attacker has landed on the network, and to plan their next move.

Host enumeration

This is an attempt at determining the details about a local host, which includes establishing an understanding of local user context and local host configuration. User context lets you, as an attacker, know what user you are logged in as and what privileges are allotted to you. Local host configuration includes information about the host itself, including things like hostname and IP address.

The commands used by attackers for host enumeration will depend on the operating system, but will commonly include:

Windows

  • User context
    • whoami /all
    • net user
    • Useraccount (WMIC)
  • System config
    • Get-NetIPConfiguration (PowerShell)
    • hostname
    • ipconfig
    • Nicconfig (WMIC)

Mac

  • User context
    • whoami
    • id
  • System config
    • hostname
    • ifconfig

Linux

  • User context
    • whoami
    • id
  • System config
    • hostname
    • ifconfig

It’s important to note that this is not an exhaustive list of commands that an attacker might run for host enumeration, but these are the most common.

Network enumeration

This establishes what other hosts are remotely accessible from the local host. Once attackers have compromised an initial host, they will need to determine how to move around the network and where they can go. Network enumeration lets you, as an attacker, see what access the host you are on has to remote shares and what active connections there are to other systems and assets.

The commands used by attackers for network enumeration will depend on the operating system, but will commonly include:

Windows

  • net view
  • netstat
  • net use
  • ‘\Device\NPF_{‘ (packet capture)

Mac

  • mount
  • netstat

Linux

  • mount
  • netstat

In addition to these simple common commands run to carry out network enumeration, attackers will also attempt to carry out more involved actions to scope the surrounding network and determine what connections are available to them. These behaviors include:

  • Address scanning
    • Consists of validating network connections from the local host to multiple remote hosts
  • Port scanning
    • Consists of validating network connections from the local host to a remote host via multiple ports

These behaviors will not be executed by a specific command like those listed above, but might be carried out via specific tools or sometimes custom scripts.

Example tools used for carrying out these actions include nmap, ipscan, and nbtscan.
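The two scanning behaviors above can be hunted in connection records rather than command lines. Below is an added example, written for this post rather than taken from it, that buckets constructed flow records into fixed 5-minute windows and flags a source that reaches many distinct hosts (address scan) or many distinct ports on one host (port scan); the window size and thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = timedelta(minutes=5)      # assumption: fixed 5-minute buckets
ADDRESS_SCAN_MIN_HOSTS = 10        # assumption: distinct destinations per source
PORT_SCAN_MIN_PORTS = 15           # assumption: distinct ports per destination

def _bucket(ts, window):
    """Map an ISO timestamp to a fixed-size time bucket (timezone independent)."""
    return (datetime.fromisoformat(ts) - EPOCH) // window

def find_scans(flows, window=WINDOW, min_hosts=ADDRESS_SCAN_MIN_HOSTS, min_ports=PORT_SCAN_MIN_PORTS):
    """flows: iterable of (ISO timestamp, source host, destination IP, destination port).
    Returns {source: {"address_scan": {dst, ...}, "port_scan": {dst: [ports]}}} for
    sources that fan out to many hosts, or hit many ports on one host, inside one bucket."""
    dests = defaultdict(set)       # (src, bucket) -> destinations seen
    ports = defaultdict(set)       # (src, bucket, dst) -> ports seen
    for ts, src, dst, dport in flows:
        b = _bucket(ts, window)
        dests[(src, b)].add(dst)
        ports[(src, b, dst)].add(dport)
    findings = defaultdict(lambda: {"address_scan": set(), "port_scan": {}})
    for (src, _), hosts in dests.items():
        if len(hosts) >= min_hosts:            # one host talking to many hosts
            findings[src]["address_scan"].update(hosts)
    for (src, _, dst), seen in ports.items():
        if len(seen) >= min_ports:             # one host probing many ports on one target
            findings[src]["port_scan"][dst] = sorted(seen)
    return dict(findings)

def sample_flows():
    """Constructed flow records (not from the post): an address sweep, a port scan, normal traffic."""
    base = datetime(2016, 11, 3, 2, 10)
    flows = []
    for i in range(1, 21):                     # ws-017 touches 20 hosts on 445 within 100 seconds
        flows.append(((base + timedelta(seconds=5 * i)).isoformat(), "ws-017", f"10.0.1.{i}", 445))
    for p in range(20, 50):                    # ws-042 walks 30 ports on a single host
        flows.append(((base + timedelta(seconds=3 * p)).isoformat(), "ws-042", "10.0.2.9", p))
    for i, port in enumerate((80, 443, 445)):  # ws-003: a few ordinary connections
        flows.append(((base + timedelta(seconds=30 * i)).isoformat(), "ws-003", f"10.0.3.{i}", port))
    return flows
```

Calling `find_scans(sample_flows())` reports ws-017 as an address scan and ws-042 as a port scan of 10.0.2.9, while ws-003 is not reported.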

Process enumeration

This attempts to establish what processes are running on the local host and the surrounding hosts. Attackers have several reasons for doing this, including trying to establish what software may impede their progress (such as antivirus software), or what programs may be used for privilege escalation (such as the occurrence of unquoted paths, which may allow the attacker to run arbitrary executables). Attackers may also want to determine what software may be commonly run on the network so that they can hide their activities as normal network traffic and/or analyze the software for potential exploits.

The commands used by attackers for process enumeration will depend on whether the attacker is looking for specific services (i.e. critical processes that run at startup and in the background) or general processes.

Commands for identifying services, based on operating system, include but are not limited to:

Windows

  • net start
  • sc query
  • gsv (PowerShell)
  • Get-Service (PowerShell)
  • service (WMIC)

Mac

  • launchctl list

Linux

  • service --status-all
  • initctl list

Commands for identifying running processes, based on operating system, include but are not limited to:

Windows

  • tasklist
  • Get-Process (PowerShell)
  • gps (PowerShell)
  • process (WMIC)

Mac

  • ps -A

Linux

  • ps -A

Commands for identifying scheduled processes, based on operating system, include but are not limited to:

Windows

  • at
  • schtasks /query
  • Get-ScheduledTask (PowerShell)
  • Get-ScheduledJob (PowerShell)
  • job (WMIC)

Mac

  • crontab -l

Linux

  • crontab -l

Example hypotheses/sub-hypotheses

As laid out in the hunting loop, developing hypotheses is the key to the beginning of every hunt. Developing hypotheses to hunt for internal reconnaissance consists of using the knowledge of the tools and TTPs that attackers may use (laid out above) and attempting to determine how an attacker will use them and in what way. In other words, a hypothesis attempts to apply intelligence to an analysis of the tools and TTPs in order to differentiate their use by normal users and by attackers.

There are many kinds of hypotheses that might be developed to hunt for internal reconnaissance. One example hypothesis, taking into account the knowledge of the tools and TTPs outlined above, is the following:

Attackers conducting internal reconnaissance will leave behind artifacts related to enumeration activity.

An analyst should follow up a hypothesis like this with sub-hypotheses. These might include (but are not limited to):

  • Attackers conducting internal reconnaissance may attempt to automate these commands
    • Look for the commands to be executed by Batch scripts and PowerShell scripts on Windows hosts and shell scripts on Mac/Linux hosts
  • Attackers conducting internal reconnaissance may use these commands during abnormal business hours
    • Define “normal” business hours, then look for usages during abnormal business times
  • Attackers conducting internal reconnaissance may use these commands on hosts that do not typically run these commands
    • Look for artifacts on hosts that do not typically run the commands

This kind of hypothesis (and its associated sub-hypotheses) can apply to all three types of enumeration.

Other hypotheses may be more specific to certain enumeration types. One example of this is a hypothesis like:

Attackers will leave behind specific network enumeration artifacts that I can use to identify attackers conducting internal reconnaissance.

A sub-hypothesis in this case might focus on specific artifacts:

  • An attacker conducting internal reconnaissance may leave behind artifacts related to packet capture tools (WinPcap)
    • Look for processes interacting with ‘\Device\NPF_{‘ on the command line. These may be processes sniffing a local network interface on the host
    • Look for service activity related to ‘npf’ (net start npf). WinPcap utilizes a Netgroup Packet Filter (NPF) driver for accessing packet data; access to this driver may indicate network sniffing

This kind of hypothesis is specific to network enumeration, but can be more useful than a general hypothesis depending on the situation. It is possible to have other enumeration-specific hypotheses, but they are generally less common.
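As an added example (not code from the original post), the following Python hunt applies both hypotheses above to constructed process-creation events: it matches the enumeration commands listed earlier, tags each hit with the sub-hypotheses it supports (scripted parent, off-hours execution, host outside a per-host baseline), and separately flags the WinPcap ‘\Device\NPF_{‘ and net start npf artifacts. The business hours, the baseline and the sample events are assumptions.

```python
import re
from datetime import datetime
# Enumeration commands named in the post, matched at the start of a command line.
ENUM_PATTERNS = [re.compile(p, re.I) for p in (
    r"^whoami\b", r"^net (user|view|use|start)\b", r"^sc query\b",
    r"^wmic (useraccount|nicconfig|process|service|job)\b",
    r"^(hostname|ipconfig|netstat|tasklist|at|schtasks)\b",
    r"^powershell.*\b(Get-NetIPConfiguration|Get-Service|gsv|Get-Process|gps|Get-ScheduledTask|Get-ScheduledJob)\b",
)]
NPF_PATTERN = re.compile(r"\\Device\\NPF_\{|^net start npf\b", re.I)  # WinPcap artifacts
SCRIPT_PATTERN = re.compile(r"\.(bat|cmd|ps1|sh)\b", re.I)             # parent ran a script
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59, Monday to Friday

def assess(event, baseline, hours=BUSINESS_HOURS):
    """Return the sub-hypotheses one process event supports ([] if none).
    event = (ISO timestamp, host, parent command line, command line);
    baseline = {host: set of program names that host normally runs}."""
    ts, host, parent, cmd = event
    reasons = []
    if NPF_PATTERN.search(cmd):
        reasons.append("npf_artifact")
    if not any(p.search(cmd) for p in ENUM_PATTERNS):
        return reasons                        # not an enumeration command
    if SCRIPT_PATTERN.search(parent):         # launched from a .bat/.cmd/.ps1/.sh
        reasons.append("scripted")
    when = datetime.fromisoformat(ts)
    if when.hour not in hours or when.weekday() >= 5:
        reasons.append("off_hours")
    if cmd.split()[0].lower() not in baseline.get(host, set()):
        reasons.append("unusual_host")
    return reasons

def hunt(events, baseline):
    """Keep only (host, command line, reasons) for events that support a sub-hypothesis."""
    hits = []
    for ev in events:
        reasons = assess(ev, baseline)
        if reasons:
            hits.append((ev[1], ev[3], reasons))
    return hits

# Constructed baseline and process-creation events (not real telemetry); the NPF GUID is a placeholder.
BASELINE = {"admin-01": {"ipconfig", "hostname", "net", "tasklist"}}
SAMPLE_EVENTS = [
    ("2016-11-03T02:15:00", "ws-017", r"C:\Windows\System32\cmd.exe /c recon.bat", "whoami /all"),
    ("2016-11-03T10:30:00", "admin-01", r"C:\Windows\System32\cmd.exe", "ipconfig /all"),
    ("2016-11-03T10:31:00", "ws-017", "explorer.exe", r"sniff.exe -i \Device\NPF_{PLACEHOLDER-GUID}"),
    ("2016-11-05T10:00:00", "admin-01", "cmd.exe", "net start npf"),  # a Saturday
]
```

`hunt(SAMPLE_EVENTS, BASELINE)` returns three hits: the scripted, off-hours whoami on an unbaselined host, the sniffer referencing the NPF device, and the weekend net start npf; the daytime ipconfig on admin-01 is dropped.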

With a hypothesis formulated, an analyst would be ready to begin hunting for internal reconnaissance with the right datasets and techniques. In part 2 of this post, we will take a look at which datasets work best and what techniques can be used to effectively find cases of internal reconnaissance in your network.
