Several commands and utilities are present by default in Windows and Linux. An adversary can use these commands to perform reconnaissance, gathering information that is later used to distribute or load malware. It is hard to tell whether these commands and utilities are being used for malicious activity, because legitimate users run them regularly. As seen in the past, many threat groups have used such commands for persistence, privilege escalation, reconnaissance, and lateral movement, evading conventional detection methods and obscuring their activity. In this blog we look at the Windows and Linux commands commonly used in recent recon attacks and at some ways to prevent them from executing.
Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. The attackers can use this information to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.
Use of Reconnaissance Techniques
1. Active Scanning (T1595):
Adversaries may execute active reconnaissance scans to gather the information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
2. Gather Victim Host Information (T1592):
Adversaries may gather information about the victim’s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
3. Gather Victim Identity Information (T1589):
Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.
4. Gather Victim Network Information (T1590):
Adversaries may gather information about the victim’s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
5. Phishing for Information (T1598):
Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials, or other actionable information. Phishing for information differs from Phishing in that the objective is gathering data from the victim rather than executing malicious code.
Common Reconnaissance Tools
The following section demonstrates a variety of PowerShell, WMI and Command line utilities leveraged by adversaries when performing reconnaissance activities.
The Net utility is a component of the Windows operating system used in command-line operations to control users, groups, services, and network connections. Adversaries use the net command line to gather system and network information for Discovery and to move laterally through SMB/Windows Admin Shares. Following are a few Net utility commands used by adversaries in past attacks.
Net View (MITRE ID: T1135):
The net view command line utility allows users to view available network shares. This information is important for administrators as it allows them to easily record and audit network shares available to users. This command can be used by attackers to look for accounts installed across multiple machines.
Net Accounts (MITRE ID: T1201):
The net accounts command is used to view user account login settings, including password length requirements, password expiry time, and previous password exclusion. Attackers can utilize this information to avoid locking additional accounts out while moving laterally throughout the network.
Net group (MITRE ID: T1069):
The net group command is used for obtaining a list of users belonging to certain domain groups. This command can be used by the attacker to gather information about and manipulate groups of the targeted machine.
Net user (MITRE ID: T1087):
The net user command is used to add, remove, and make changes to the user accounts on a computer. This command is used by attackers to gather information about and manipulate user accounts.
The Net utility has been used by many threat groups, such as APT33, APT32, FIN8, APT28, and Deep Panda, in the past.
SystemInfo (MITRE ID: T1082):
The systeminfo command displays operating system information, including hostname, operating system, version, product ID, install date, and hardware details, for troubleshooting purposes. Threat actors use this command to identify the operating system on the exploited device and then attempt to elevate privileges.
Get-wmiobject (MITRE ID: T1047):
The Get-WmiObject cmdlet, when queried for services (the Win32_Service class), lists all services installed on the machine. Malware can use this information to determine which security and other analysis tools are installed on the machine.
Invoke-PortScan (MITRE ID: T1046):
The Invoke-PortScan command performs network scans and reveals open ports. Attackers can use this inbuilt tool rather than installing Nmap in order to evade detection.
Nltest.exe (MITRE ID: T1482):
Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts. Attackers can use this utility to gather domain trust information from Active Directory for the purpose of lateral movement.
Whoami (MITRE ID: T1033):
The whoami command displays user, group, and privilege information for the user who is currently logged on to the local system. An attacker can use this to check user information that can later be used for privilege escalation.
ARP (MITRE ID: T1018):
The arp command displays and modifies entries in the Address Resolution Protocol (ARP) cache. Attackers can use it for remote system discovery on the internal network.
uname (MITRE ID: T1082):
uname is a Linux command that displays OS information, including the version and other details. Attackers can use it to identify the operating system running on the device for further attacks.
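As an added example (not code from the original post), the Python script below turns the commands listed above into detection logic run over constructed process-creation events: it tags each command line with its ATT&CK technique ID and alerts only when one host/user pair runs several distinct recon techniques within a short window, which is what separates an adversary's recon burst from an administrator's routine use. The event format, host names and user names are assumptions, and it presumes command-line auditing (Security event 4688 or Sysmon Event ID 1) is enabled.

```python
import re
from collections import defaultdict
# Recon commands named in this post, mapped to their MITRE ATT&CK technique IDs; the patterns
# match command lines as logged by Security event 4688 / Sysmon Event ID 1 (assumed format).
RECON_PATTERNS = [
    (r"\bnet1?(\.exe)?\s+view\b", "T1135", "net view"),
    (r"\bnet1?(\.exe)?\s+accounts\b", "T1201", "net accounts"),
    (r"\bnet1?(\.exe)?\s+group\b", "T1069", "net group"),
    (r"\bnet1?(\.exe)?\s+user\b", "T1087", "net user"),
    (r"\bsysteminfo(\.exe)?\b", "T1082", "systeminfo"),
    (r"\bget-wmiobject\b.*\bwin32_service\b", "T1047", "Get-WmiObject Win32_Service"),
    (r"\binvoke-portscan\b", "T1046", "Invoke-PortScan"),
    (r"\bnltest(\.exe)?\b", "T1482", "nltest"),
    (r"\bwhoami(\.exe)?\b", "T1033", "whoami"),
    (r"\barp(\.exe)?\s+-a\b", "T1018", "arp -a"),
    (r"\buname\b", "T1082", "uname"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tid, name) for p, tid, name in RECON_PATTERNS]
# Constructed sample events: (timestamp in seconds, host, user, command line).
SAMPLE_EVENTS = [
    (1000, "WS01", "CORP\\alice", "C:\\Windows\\System32\\whoami.exe /all"),
    (1005, "WS01", "CORP\\alice", "net user /domain"),
    (1009, "WS01", "CORP\\alice", 'net group "Domain Admins" /domain'),
    (1015, "WS01", "CORP\\alice", "nltest /domain_trusts"),
    (1020, "WS01", "CORP\\alice", "systeminfo"),
    (1030, "WS01", "CORP\\alice", "arp -a"),
    (3000, "WS02", "CORP\\bob", "net view \\\\fileserver"),  # lone lookup, likely admin work
    (5000, "WS03", "CORP\\carol", "notepad.exe report.txt"),  # no recon command at all
]

def classify(cmdline):
    """Return (technique_id, name) for the first recon pattern matched, else None."""
    for rx, tid, name in COMPILED:
        if rx.search(cmdline):
            return tid, name
    return None

def find_recon_bursts(events, window=300, min_distinct=3):
    """Flag (host, user) pairs that run >= min_distinct distinct recon techniques within
    `window` seconds, so a single whoami or net view by an admin does not alert."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        if (m := classify(cmd)):
            hits[(host, user)].append((ts, m[0]))
    alerts = {}
    for key, timeline in hits.items():
        timeline.sort()
        for i, (t0, _) in enumerate(timeline):  # slide a window starting at each hit
            seen = {tid for t, tid in timeline[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                alerts[key] = sorted(seen)
                break
    return alerts
```

Tune `window` and `min_distinct` to the environment; lowering `min_distinct` to 1 turns the script into a plain inventory of every recon command seen, which is useful for baselining before alerting.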
It is difficult to completely prevent these tools from being used for malicious activities, but there are ways to reduce an adversary’s ability to conduct reconnaissance on the network:
- Restrict execution of unnecessary Windows commands.
- Enable PowerShell logging.
- Isolate VLANs based on user requirements.
- Use a software or hardware firewall to filter all suspicious traffic on the internal network.
- Enforce technical controls over the data by turning off unused and unnecessary ports and having firewalls in place.
- Implement advanced security strategies and solutions, such as endpoint detection and response (EDR), SIEM, and breach and attack simulation.
- Keep up with the most recent security flaws reported by MITRE ATT&CK, CISA, NIST, and other sources; prioritize fixes, patch them, and apply other recommended mitigations.
- Schedule regular training and awareness programs.