How Traffic Analysis Systems Detect Hacker Tactics by MITER ATT & CK, Part 4

In previous posts (first, second and third parts), we examined the techniques of the seven tactics of MITER ATT & CK:

• initial access
• execution
• consolidation (persistence);
• privilege escalation;
• detection prevention (defense evasion);
• obtaining credential access;
• intelligence (discovery).

We also showed how using our NTA Solutions You can recognize suspicious activity in network traffic. Now we’ll show you how our technologies work with lateral movement and collection techniques.

Movement within the perimeter (lateral movement)

Attackers use perimeter movement techniques to gain access and control remote systems on the network, to install malware, and to gradually expand their presence in the infrastructure. The main goal of the attackers is to identify the administrators on the network, their computers, key assets and data in order to ultimately gain full control over the infrastructure.
The following are descriptions of perimeter movement techniques that can be detected by analyzing traffic. There are nine of them.

one. T1175: Component Object Model and Distributed COM

Using COM or DCOM technologies to execute code on local or remote systems while moving through the network.

What PT Network Attack Discovery (PT NAD) does: when this technology is used to access remote systems, it can be detected by analyzing traffic. PT NAD detects suspicious DCOM calls that cybercriminals typically use to advance through the network.

2. T1210: exploitation of remote services

Exploiting vulnerabilities in network services to move around the network.

What does PT NAD do?: Detects exploitation of common vulnerabilities. Among them are vulnerabilities in the SMB (MS17-010) and Print System Remote Protocol (MS-RPRN) protocols, in the Redis DBMS, in the rConfig network device configuration system.

3. T1075: pass the hash

A method of authenticating a user without access to his password in the clear. Attackers bypass the standard authentication steps that require a password and go directly to that part of the authentication that uses the password hash. Attackers will obtain hashes in advance using credential acquisition techniques.

What does PT NAD do?: detects various signs of network activity of the hacker utility Mimikatz, which attackers use to attack the overpass the hash (developing the pass the hash attack).

4. T1097: pass the ticket

Authentication method on a system using Kerberos tickets without access to an account password. It can be used by attackers as the first step in moving around the perimeter to a remote system.

What does PT NAD do?: detects the preparatory stage of the pass the ticket technique, reveals the transfer of files with exported Kerberos tickets over the network.

5. T1076: remote desktop protocol

The technique by which attackers log on to a remote system using the RDP Remote Desktop Protocol, if it is allowed for use on a network and allows users to connect to their computer using their credentials.

What does PT NAD do?: In the program, you can filter all saved sessions by protocols (for example, RDP) and analyze each suspicious one. The function is useful for investigating and proactively searching for threats (threat hunting).

6. T1021: remote services

Use valid accounts to log in to a service designed to accept remote connections, such as Telnet, SSH, or VNC. After that, attackers will be able to perform actions on behalf of the logged in user.

What does PT NAD do?: Automatically detects VNC connections and EvilVNC trojan activity. This trojan secretly installs a VNC server on the victim’s host and automatically starts it. To verify the legitimacy of remote connections using SSH and TELNET protocols, PT NAD users can filter out all sessions with such connections and analyze each suspicious one.

7. T1072: third-party software

The technique by which attackers gain access to network administration software (third-party software and software deployment systems) and use it to launch malicious code. Examples of third-party software: SCCM, VNC, HBSS, Altiris. In the event of gaining access to such systems, the adversary can remotely run the code on all nodes connected to the software deployment, monitoring or administration system.
What PT NAD does: it automatically detects the operation of such software on the network. For example, the rules are triggered by the facts of the VNC connection and the activity of the EvilVNC trojan, which secretly installs the VNC server on the victim’s host and automatically starts this server.

eight. T1077: Windows Admin Shares

Using hidden network folders available only to administrators, for example C $, ADMIN $, IPC $. They provide the ability to remotely copy files and other administrative functions.

What PT NAD does: discovery example

PT NAD detected remote command execution through the Service Control Manager (SCM). This is only possible if you have access to the administrative shares of Windows Admin Shares.

T1077 Application Discovery: Windows Admin Shares

If you open a session, you can see that the rule for the Impacket tool worked in it. It uses network access to C $ to get command execution results.

Session card showing downloaded files from the administrator’s network folder

9. T1028: Windows Remote Management

Using the Windows service and protocol, which allows the user to interact with remote systems.

What does PT NAD do?: sees network connections established using Windows Remote Management. Such sessions are automatically detected by the rules.

Data collection

Attackers use collection tactics to collect information that they then plan to steal using data exfiltration techniques. Typical data sources include different types of drives, browsers, audio, video, and email.

Traffic analysis may indicate the use of two data collection techniques in the network.

one. T1039: data from network shared drive

Collect data from remote systems that have public network drives.

What PT NAD does: discovery example

File transfer from network drives is visible by traffic, file transfer sessions can be studied in detail in PT NAD.

Let’s check the hypothesis that the attackers used the T1039 technique and were able to access the file server of the company’s financial department. To do this, we filter out all sessions based on activity from the IP address of the file storage and find among them the connections in which the files were downloaded. Having entered the card of one of such sessions, we see that the TopSecretReport_2020 file has been downloaded.

After downloading and looking at the file, we understand what specific information the attackers managed to seize.

2. T1185: man in the browser

A technique whereby an attacker exploits a victim’s browser vulnerability and changes web content and intercepts information. One example: an attacker injects software into the browser that allows you to intercept cookies, HTTP sessions, client SSL certificates and use the browser to authenticate and go to the intranet.

What does PT NAD do?: Automatically detects a man in the browser attack based on the introduction of malicious scripts into downloadable web pages. PT NAD detects such attacks in two ways: by compromised certificates that were previously used in such attacks, and by the characteristic network activity of malicious programs aimed at injecting code into the browser (for example, Zeus).

Instead of a conclusion

We remind you that the full mapping of PT NAD to the MITER ATT & CK matrix published on Habré.

In the following articles, we will talk about other hacker tactics and techniques and how the PT Network Attack Discovery NTA-system helps to identify them. Stay with us!

Authors:

• Anton Kutepov, Specialist, PT Expert Security Center Positive Technologies
• Natalia Kazankova, product marketer Positive Technologies