How Traffic Analysis Systems Detect Attacker Tactics from the MITRE ATT&CK Matrix, Part 3
In the previous posts (first and second parts), we examined the techniques of five MITRE ATT&CK tactics:
- initial access;
- persistence;
- privilege escalation;
- defense evasion.
We also showed how our NTA solution can be used to recognize suspicious activity in network traffic. Now we will show how our technologies work with the credential access and discovery techniques.
Getting credential access
This tactic covers techniques aimed at stealing data that can be used for authentication (for example, usernames and passwords). Using legitimate accounts helps attackers gain access to systems, create additional accounts to maintain persistence, and makes it harder to detect their presence on the network.
Below are four techniques that can be identified by suspicious activity in traffic.
1. T1110: brute force
A technique for gaining access to services by brute-forcing credentials that are unknown or only partially known. Typically the attacker guesses usernames, passwords, or password hashes.
What PT NAD does: it automatically detects signs of password guessing during authentication over the LDAP, Kerberos, SMB, SSH, SMTP, POP3, POP3S, IMAP, IMAPS and FTP protocols. It also identifies attempts to guess credentials for popular web applications such as phpMyAdmin, Joomla, WordPress, Drupal, Confluence, MySQL and Tomcat. Such attacks generate a large number of failed authentication attempts, which are visible in the traffic.
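The "many failed attempts" signal described above, as an added example that is not part of the original post or of PT NAD: a small sliding-window detector over constructed authentication events that separates classic single-account guessing from password spraying (many accounts, few attempts each) and flags a success that follows a guessing burst. Event fields, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed authentication events in the shape an NTA sensor might extract
# from the protocols named in the text: (timestamp_s, protocol, src_ip, user, success).
EVENTS = [
    (0, "ssh", "10.0.0.5", "admin", False),
    (1, "ssh", "10.0.0.5", "admin", False),
    (2, "ssh", "10.0.0.5", "admin", False),
    (3, "ssh", "10.0.0.5", "admin", False),
    (4, "ssh", "10.0.0.5", "admin", False),
    (5, "ssh", "10.0.0.5", "admin", True),     # success right after a burst of failures
    (10, "ldap", "10.0.0.9", "alice", False),  # one source, many accounts: spraying
    (11, "ldap", "10.0.0.9", "bob", False),
    (12, "ldap", "10.0.0.9", "carol", False),
    (13, "ldap", "10.0.0.9", "dave", False),
    (40, "smb", "10.0.0.7", "eve", False),     # a single typo, not an attack
]

def detect_bruteforce(events, window=30, fail_limit=5, spray_users=4):
    """Return (src_ip, protocol, kind) alerts in chronological order.
    password_guessing:    >= fail_limit failures for one account within `window` seconds
    password_spraying:    failures against >= spray_users distinct accounts within `window`
    compromise_suspected: a successful login for an account already flagged as guessed"""
    alerts = []
    fails = defaultdict(list)   # (src, proto, user) -> recent failure timestamps
    spray = defaultdict(list)   # (src, proto) -> recent (timestamp, user) failures
    guessed, sprayed = set(), set()
    for ts, proto, src, user, ok in sorted(events):
        key = (src, proto, user)
        if ok:
            if key in guessed:
                alerts.append((src, proto, "compromise_suspected"))
            continue
        fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
        if len(fails[key]) >= fail_limit and key not in guessed:
            guessed.add(key)
            alerts.append((src, proto, "password_guessing"))
        sk = (src, proto)
        spray[sk] = [(t, u) for t, u in spray[sk] if ts - t <= window] + [(ts, user)]
        if len({u for _, u in spray[sk]}) >= spray_users and sk not in sprayed:
            sprayed.add(sk)
            alerts.append((src, proto, "password_spraying"))
    return alerts
```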
2. T1003: credential dumping
Obtaining credentials (usually hashes or plaintext passwords) from the operating system or from software. We look at this technique in more detail to demonstrate how it is detected in traffic.
What PT NAD does: discovery example
PT NAD recorded access to the domain controller's registry by the secretsdump utility, which is built on modules of the Impacket library. The utility's main task is to obtain user password hashes. Using it, the attackers authenticate to the domain controller over SMB, connect to the Service Control Manager (SCM), then use the WINREG protocol to connect to the remote registry and save the required data to a local file. That file is then downloaded to the attacker's host over SMB.
Identification of a request to the LSA registry key containing domain password hashes
In the same session in which PT NAD recorded access to the domain controller's registry, the files to which secretsdump had saved the sensitive data from the registry were also transferred. The names of the triggered rules in the PT NAD interface show that the attackers obtained the password hashes of domain users from LSA and of local users from SAM:
The session card displays the files that the attackers managed to download
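The SMB, SCM, WINREG and file-transfer chain described above, as an added example that is not part of the original post or of PT NAD: a per-session correlator over constructed events that reports a session only when the full sequence (SCM access, opening a sensitive hive, saving it, downloading the file) is observed. Session ids, accounts, paths and the event format are assumptions; the pipe names (svcctl, winreg) and operation names come from the MS-SCMR and MS-RRP specifications.

```python
# Constructed per-session events: (session_id, named_pipe_or_layer, operation, argument).
# Session S1 imitates a remote hive dump; S2 is an ordinary Group Policy registry read.
EVENTS = [
    ("S1", "smb",    "SessionSetup",        "CORP\\svc_backup"),
    ("S1", "svcctl", "ROpenSCManagerW",     ""),
    ("S1", "svcctl", "RQueryServiceStatus", "RemoteRegistry"),
    ("S1", "winreg", "BaseRegOpenKey",      "HKLM\\SECURITY"),
    ("S1", "winreg", "BaseRegSaveKey",      "C:\\Windows\\Temp\\sec.tmp"),
    ("S1", "winreg", "BaseRegOpenKey",      "HKLM\\SAM"),
    ("S1", "winreg", "BaseRegSaveKey",      "C:\\Windows\\Temp\\sam.tmp"),
    ("S1", "smb",    "FileRead",            "\\\\DC01\\ADMIN$\\Temp\\sec.tmp"),
    ("S2", "smb",    "SessionSetup",        "CORP\\helpdesk"),
    ("S2", "winreg", "BaseRegOpenKey",      "HKLM\\SOFTWARE\\Policies"),
]

# Hives that hold local password hashes (SAM), LSA secrets (SECURITY) and the boot key (SYSTEM).
SENSITIVE_HIVES = {"HKLM\\SAM", "HKLM\\SECURITY", "HKLM\\SYSTEM"}
STAGES = ("scm", "sensitive_key", "save_key", "file_download")

def correlate(events):
    """Return ({session_id: set of stages reached}, [sessions that completed all stages]).
    Later stages only count once the earlier ones have been seen in the same session,
    so an isolated file read or a benign registry query does not advance the chain."""
    progress = {}
    for sid, pipe, op, arg in events:
        seen = progress.setdefault(sid, set())
        if pipe == "svcctl":
            seen.add("scm")
        elif pipe == "winreg" and op == "BaseRegOpenKey" and arg.upper() in SENSITIVE_HIVES:
            seen.add("sensitive_key")
        elif pipe == "winreg" and op == "BaseRegSaveKey" and "sensitive_key" in seen:
            seen.add("save_key")
        elif pipe == "smb" and op == "FileRead" and "save_key" in seen:
            seen.add("file_download")
    hits = [sid for sid, seen in progress.items() if set(STAGES) <= seen]
    return progress, hits
```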
3. T1212: exploitation for credential access
A technique in which an attacker obtains credentials by exploiting software vulnerabilities.
What PT NAD does: it sees traffic that exploits many vulnerabilities. For example, vulnerability MS14-068 could be used to forge Kerberos tickets. An attacker requests a ticket of a special type (TGT, Ticket Granting Ticket), adds himself to a privileged group, and modifies the ticket so that the vulnerable domain controller accepts it as valid. PT NAD identifies requests for such tickets.
4. T1208: kerberoasting
A method for extracting service account credentials from Active Directory while acting as a regular user. Any domain user can request a Kerberos service ticket (TGS, Ticket Granting Service) for a service in Active Directory. The TGS is encrypted with the password hash of the account under which the target service runs. An attacker who has obtained a TGS can therefore try to crack it by guessing the password, without fear of account lockout, because the guessing happens offline. If successful, he obtains the password of the account associated with the service, which is often privileged.
What PT NAD does: it records requests that enumerate the services in Active Directory that could become attack targets. Attackers need this step to choose a service to attack, and it precedes the TGS request and the offline guessing. PT NAD also automatically detects requests for TGS tickets encrypted with the RC4 algorithm, which is one of the signs of a Kerberoasting attack.
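The two Kerberoasting indicators named above (a burst of service ticket requests for distinct services, and RC4 requested by a client that otherwise supports AES), as an added example that is not part of the original post or of PT NAD. The record format, addresses, service names and thresholds are assumptions; the encryption type numbers are the standard Kerberos etype values.

```python
from collections import defaultdict

RC4_HMAC = 23            # Kerberos etype for RC4-HMAC (RFC 4757)
AES_ETYPES = {17, 18}    # AES128- and AES256-CTS-HMAC-SHA1-96 (RFC 3962)

# Constructed Kerberos requests as an NTA sensor might log them:
# (timestamp_s, client_ip, message_type, service_principal, requested_etypes).
# The AS-REQ rows show which ciphers each client normally offers.
KRB = [
    (0,  "10.0.0.21", "AS_REQ",  "krbtgt/CORP",             [18, 17, 23]),
    (5,  "10.0.0.21", "TGS_REQ", "MSSQLSvc/db01.corp:1433", [23]),  # RC4 only, many SPNs
    (6,  "10.0.0.21", "TGS_REQ", "http/web01.corp",         [23]),
    (7,  "10.0.0.21", "TGS_REQ", "MSSQLSvc/db02.corp:1433", [23]),
    (8,  "10.0.0.21", "TGS_REQ", "ftp/files.corp",          [23]),
    (0,  "10.0.0.33", "AS_REQ",  "krbtgt/CORP",             [18, 17, 23]),
    (30, "10.0.0.33", "TGS_REQ", "cifs/fs01.corp",          [18, 17, 23]),  # normal client
    (0,  "10.0.0.40", "AS_REQ",  "krbtgt/CORP",             [23]),
    (31, "10.0.0.40", "TGS_REQ", "cifs/fs01.corp",          [23]),  # legacy host: RC4 is its norm
]

def detect_kerberoasting(records, window=60, spn_limit=3):
    """Return {client_ip: sorted reasons}.
    rc4_downgrade: a TGS-REQ offering only RC4 from a client whose AS-REQ offered AES
    spn_burst:     >= spn_limit distinct service principals requested within `window` seconds"""
    offers_aes = {}              # client -> did its AS-REQ offer an AES etype?
    tgs = defaultdict(list)      # client -> recent (timestamp, spn) requests
    reasons = defaultdict(set)
    for ts, client, mtype, spn, etypes in sorted(records):
        if mtype == "AS_REQ":
            offers_aes[client] = bool(AES_ETYPES & set(etypes))
        elif mtype == "TGS_REQ":
            if set(etypes) == {RC4_HMAC} and offers_aes.get(client):
                reasons[client].add("rc4_downgrade")
            tgs[client] = [(t, s) for t, s in tgs[client] if ts - t <= window] + [(ts, spn)]
            if len({s for _, s in tgs[client]}) >= spn_limit:
                reasons[client].add("spn_burst")
    return {c: sorted(r) for c, r in reasons.items()}
```

The legacy host shows why the downgrade check compares against the client's own AS-REQ rather than flagging every RC4 request: a host that never offers AES is noisy, not suspicious, on this signal alone.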
Having gained a foothold and access to a system, attackers need to understand where they are in the infrastructure, what surrounds them, and what they can control. During discovery, attackers collect data about the system and the internal network, which helps them navigate the infrastructure and decide how to proceed. Built-in operating system tools are often used for this.
Traffic analysis reveals the use of ten discovery techniques.
1. T1087: account discovery
Trying to get a list of local system or domain accounts.
What PT NAD does: discovery example
Attackers tried to obtain information about domain accounts from the domain controller via LDAP (Lightweight Directory Access Protocol). PT NAD detected the LDAP request. This method of obtaining domain accounts can relate both to T1087 (account discovery) and to T1069 (permission groups discovery).
Discovery attempt: obtaining domain account information via LDAP
2. T1482: domain trust discovery
Search for information about domain trust relationships. Attackers use such relationships for lateral movement in multi-domain infrastructures.
What PT NAD does: a list of trust relationships between domains can be obtained using RPC and LDAP queries. PT NAD automatically detects attempts to enumerate trusts between domains using the LDAP protocol and the EnumTrustDom RPC call.
3. T1046: network service scanning
Trying to obtain a list of services running on remote network hosts. This is possible with the help of port and vulnerability scanners.
What PT NAD does: it detects signs of port and vulnerability scanning tools (for example, Nmap), as well as non-standard requests to well-known ports.
4. T1135: network share discovery
Search for shared network drives and folders that allow access to file directories on various network systems.
What PT NAD does: it detects requests for the list of shared network drives and folders on a remote machine.
5. T1201: password policy discovery
A technique by which an attacker searches for information about the password policy in a company's infrastructure. For example, the policy can set a minimum password length and the number of allowed failed authentication attempts. Knowing the required number of characters helps attackers compile a list of suitable common passwords, start a dictionary attack, or use exhaustive search (T1110: brute force).
What PT NAD does: it automatically detects password policy requests via SAMR.
6. T1069: permission groups discovery
Using this technique, attackers try to find local or domain groups and their access settings. Such information can be used by attackers when choosing a target for an attack.
What PT NAD does: it automatically detects attempts to obtain information about domain groups via LDAP and SAMR. An example of identifying this technique is shown in the screenshot above.
7. T1018: remote system discovery
A technique in which attackers try to obtain a list of systems in the attacked network using remote access tools or built-in system utilities. Systems can be identified by IP address, host name or another identifier, which can later be used for lateral movement across the network from the current system.
What PT NAD does: it sees requests for lists of domain controllers, workstations and servers, and for SPNs (Service Principal Names).
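The LDAP-based discovery mentioned under T1087, T1482, T1069 and T1018 above, as an added example that is not part of the original post or of PT NAD: a classifier that maps the search filter of constructed LDAP SearchRequest records to the technique it indicates, and reports a client that touches several techniques in one session as directory enumeration. Addresses, base DNs and the record format are assumptions; the attribute names and the Domain Controllers RID (516) are standard Active Directory values.

```python
import re

# Constructed LDAP SearchRequest records: (client_ip, base_dn, search_filter, attributes).
SEARCHES = [
    ("10.0.0.21", "DC=corp,DC=local", "(&(objectCategory=person)(objectClass=user))", ["sAMAccountName"]),
    ("10.0.0.21", "DC=corp,DC=local", "(objectCategory=group)", ["member", "cn"]),
    ("10.0.0.21", "DC=corp,DC=local", "(objectClass=trustedDomain)", ["trustPartner", "trustDirection"]),
    ("10.0.0.21", "DC=corp,DC=local", "(&(objectCategory=computer)(servicePrincipalName=*))", ["servicePrincipalName"]),
    ("10.0.0.21", "DC=corp,DC=local", "(primaryGroupID=516)", ["dNSHostName"]),   # 516 = Domain Controllers
    ("10.0.0.50", "CN=Users,DC=corp,DC=local", "(sAMAccountName=jdoe)", ["mail"]),  # ordinary single lookup
]

# Filter pattern -> MITRE ATT&CK technique from the discovery list above.
RULES = [
    (r"objectClass=trustedDomain",                  "T1482"),  # domain trust discovery
    (r"objectCategory=group|objectClass=group",     "T1069"),  # permission groups discovery
    (r"objectCategory=person|objectClass=user",     "T1087"),  # account discovery
    (r"servicePrincipalName=\*",                    "T1018"),  # remote system discovery (SPN listing)
    (r"primaryGroupID=516|objectCategory=computer", "T1018"),  # remote system discovery (hosts, DCs)
]

def classify(search_filter):
    """Return the set of technique ids whose filter pattern matches (case-insensitive)."""
    compact = search_filter.replace(" ", "")
    return {tech for pattern, tech in RULES if re.search(pattern, compact, re.IGNORECASE)}

def enumerate_clients(searches, min_techniques=3):
    """Aggregate techniques per client; clients reaching min_techniques distinct
    techniques are reported as performing directory enumeration."""
    per_client = {}
    for client, _base_dn, search_filter, _attrs in searches:
        per_client.setdefault(client, set()).update(classify(search_filter))
    return {c: sorted(t) for c, t in per_client.items() if len(t) >= min_techniques}
```

A single matching filter is weak evidence on its own (administrative tools issue the same queries); the aggregation over several techniques per client is what makes the alert worth an analyst's time.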
8. T1063: security software discovery
A technique in which attackers try to obtain information about installed security products, their configuration and sensors. One way to get this list is through DCE/RPC requests.
What PT NAD does: it sees DCE/RPC requests. The system's user can find all sessions with such requests and detect attempts to remotely obtain information about security products.
9. T1033: system owner / user discovery
Using this technique, attackers can identify the primary user of a system, the currently logged-in user, the group of users who normally use the system, and determine how actively the system is used.
What PT NAD does: attackers can get a list of active user sessions on a remote host using SRVSVC requests. PT NAD automatically detects such requests.
10. T1007: system service discovery
Attackers search for information about registered services.
What PT NAD does: attackers can obtain this information using DCE/RPC network requests. PT NAD automatically detects calls to the Service Control Manager (SCM) over DCE/RPC, including commands that retrieve the list of services on a remote host and their status.
Instead of a conclusion
As a reminder, the full mapping of PT NAD to the MITRE ATT&CK matrix is published on Habr.
In the following articles, we will talk about other attacker tactics and techniques and how the PT Network Attack Discovery NTA system helps to identify them. Stay with us!
- Anton Kutepov, Specialist, PT Expert Security Center Positive Technologies
- Natalia Kazankova, Product Marketer, Positive Technologies
While working remotely, we want to stay close to colleagues, partners, customers and friends. So we are erasing distances and launching our own online TV on YouTube. The channel "IBshnik on a remote site" broadcasts at 18:00 every Monday, Wednesday and Friday.
Positive Technologies experts and invited guests discuss information security issues, the future of technology and education, a healthy lifestyle, and much more. Subscribe to our YouTube channel so as not to miss new episodes, and watch the recordings of past broadcasts.