Discovery Flashcards
Discovery
This lesson covers the seventh stage in the MITRE ATT&CK framework, Discovery. These techniques describe the ways adversaries gather more information about the network they are in and the other systems present on it. Adversaries typically spend a good deal of time at this stage, quietly observing what is happening around them so they can plan further actions while remaining stealthy and blending into 'normal' network activity. At the time of writing, the Discovery tactic includes 24 top-level techniques. We will be looking at the following:
Account Discovery
Network Service Scanning
File and Directory Discovery
Account Discovery
MITRE Technique T1087
Once an attacker has a foothold on a system, the next logical step is to identify existing accounts so they can plan privilege escalation and lateral movement. The immediate choice is to look at what accounts exist within the operating system, but additional accounts could include any logged-in email accounts and web services, from Outlook to Facebook. All of these can provide valuable information and also enable follow-up attacks such as internal spear phishing and social engineering.
This technique includes four sub-techniques, which we go into in more detail below.
Local Accounts – Attackers may attempt to get a listing of local accounts using commands such as net user and net localgroup of the Net utility on Windows, and id and groups on macOS and Linux, which show the current user's identity and group memberships. On Linux, local users can also be enumerated by reading the /etc/passwd file with commands such as cat, strings, and head.
Domain Accounts – Attackers may attempt to get a listing of domain accounts using commands such as net user /domain and net group /domain of the Net utility on Windows, dscacheutil -q group on macOS, and ldapsearch on Linux, which can list domain users and groups.
Email Accounts – Attackers may attempt to get a listing of email addresses and accounts using techniques such as dumping Exchange address lists. It's worth mentioning that Emotet does this when it infects a system: it scrapes email addresses and contacts so it can send malicious emails from the compromised email account to those contacts and recent recipients.
Cloud Accounts – Attackers may attempt to get a listing of cloud accounts that an organization has configured for use by users, remote support, services, or for administering resources within a cloud environment. One way to do this is to browse to the AWS or Azure consoles in the compromised user's browser and see whether cached credentials or an existing session allow logging in to those services.
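The commands in the four sub-techniques above are what a detection rule should key on. The following is an added example, not code from the original lesson: a small Python detector that classifies constructed process-creation events (modelled loosely on Sysmon Event ID 1 / Windows 4688 and Linux execve fields) against the local and domain account-discovery commands listed above, then alerts only when one host/user runs several distinct discovery commands in a short window. The sample events, the rule set, the five-minute window and the threshold of two are all assumptions made for this example; net.exe handing its arguments to net1.exe is real Windows behaviour, which is why both images are matched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1 /
# Windows Security 4688 and Linux execve fields. Sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01", "host": "WS01", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\net1.exe", "cmd": "net1 user"},
    {"ts": "2024-03-01T09:00:04", "host": "WS01", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\net1.exe", "cmd": "net1 localgroup administrators"},
    {"ts": "2024-03-01T09:00:09", "host": "WS01", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\net1.exe", "cmd": 'net1 group "Domain Admins" /domain'},
    {"ts": "2024-03-01T09:00:12", "host": "WS01", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /all"},  # not T1087
    # A lone lookup from a service host: a single event should not alert on its own.
    {"ts": "2024-03-01T11:30:00", "host": "SRV02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net1.exe", "cmd": "net1 user backupsvc /domain"},
    {"ts": "2024-03-01T12:15:22", "host": "lnx03", "user": "www-data",
     "image": "/usr/bin/cat", "cmd": "cat /etc/passwd"},
    {"ts": "2024-03-01T12:15:25", "host": "lnx03", "user": "www-data",
     "image": "/usr/bin/ldapsearch",
     "cmd": "ldapsearch -x -b dc=corp,dc=local (objectClass=user)"},
]

# Ordered rules: (sub-technique ID, name, executable basenames, command-line regex).
# The domain rule precedes the local rule because "net user x /domain" matches both.
# net.exe hands its arguments to net1.exe, so both images are listed.
RULES = [
    ("T1087.002", "Domain Accounts", {"net.exe", "net1.exe"}, r"\b(user|group)\b.*/domain\b"),
    ("T1087.001", "Local Accounts", {"net.exe", "net1.exe"}, r"\b(user|localgroup)\b"),
    ("T1087.001", "Local Accounts", {"cat", "head", "strings"}, r"/etc/passwd\b"),
    ("T1087.001", "Local Accounts", {"id", "groups"}, r".*"),
    ("T1087.002", "Domain Accounts", {"ldapsearch"}, r".*"),
    ("T1087.002", "Domain Accounts", {"dscacheutil"}, r"-q\s+(group|user)\b"),
]


def basename(image):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return (sub-technique ID, name) for an account-discovery command, else None."""
    name = basename(event["image"])
    for tid, label, images, pattern in RULES:
        if name in images and re.search(pattern, event["cmd"], re.IGNORECASE):
            return tid, label
    return None


def find_discovery_bursts(events, window=timedelta(minutes=5), threshold=2):
    """Alert per (host, user) when at least `threshold` distinct account-discovery
    commands run within `window`. The threshold keeps one-off admin lookups quiet;
    attackers tend to chain several (local users, local admins, domain groups)."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        match = classify(ev)
        if match:
            hits[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), match[0], ev["cmd"]))
    alerts = []
    for (host, user), rows in hits.items():
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            if len({r[2] for r in in_window}) >= threshold:
                alerts.append({
                    "host": host, "user": user, "start": t0.isoformat(),
                    "techniques": sorted({r[1] for r in in_window}),
                    "commands": [r[2] for r in in_window],
                })
                break  # one alert per principal is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the workstation session and the www-data session each produce one alert spanning both T1087.001 and T1087.002, while the single `net user backupsvc /domain` on SRV02 stays below the threshold. In production the rule set would also need to cover PowerShell and WMI equivalents, and the threshold should be tuned against the baseline of each host class.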
Moving down to the Mitigations table on the main technique, there is only one suggestion listed: prevent administrator accounts from being enumerated when an application elevates through UAC, since that discloses their usernames. This is controlled by the registry setting shown below. To disable it across a large environment we can use a Group Policy Object to enforce the change on all domain-joined computers; the setting lives under HKLM, so it applies per machine rather than per user.
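As an added example (not part of the original lesson), the following Python script audits that mitigation on a host. The key and value name are the ones the ATT&CK T1087 mitigation refers to, written by the GPO setting "Enumerate administrator accounts on elevation" under Computer Configuration > Administrative Templates > Windows Components > Credential User Interface; 0 means administrators are not enumerated. Treating an absent value as non-compliant is this script's own choice (nothing then pins the setting), not a Windows rule, and the `reg add` fallback is only meant for hosts outside GPO scope.

```python
import sys

# Registry location behind the GPO "Enumerate administrator accounts on elevation".
# DWORD: 0 = do not enumerate administrators in UAC prompts, 1 = enumerate them.
CREDUI_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI"
ENUM_ADMINS = "EnumerateAdministrators"


def assess_enumerate_admins(data):
    """Evaluate the DWORD read from EnumerateAdministrators (None if absent).
    Returns (compliant, finding). An absent value is reported as non-compliant
    here because nothing enforces the setting; that is this script's policy."""
    if data is None:
        return False, "%s not set: not enforced by policy, deploy the GPO" % ENUM_ADMINS
    if data == 0:
        return True, "administrator accounts are not enumerated on elevation"
    return False, "%s=%d: administrator usernames are disclosed in UAC prompts" % (ENUM_ADMINS, data)


def remediation_command():
    """Equivalent local change for a host outside GPO scope (lab box, workgroup machine)."""
    return 'reg add "HKLM\\%s" /v %s /t REG_DWORD /d 0 /f' % (CREDUI_KEY, ENUM_ADMINS)


def read_live_value():
    """Read the value from this machine's registry. Windows only (uses winreg)."""
    if not sys.platform.startswith("win"):
        raise OSError("registry check must run on Windows")
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CREDUI_KEY) as key:
            data, kind = winreg.QueryValueEx(key, ENUM_ADMINS)
    except FileNotFoundError:  # key or value does not exist
        return None
    return data if kind == winreg.REG_DWORD else None


if __name__ == "__main__":
    ok, finding = assess_enumerate_admins(read_live_value())
    print(("PASS" if ok else "FAIL") + ": " + finding)
    if not ok:
        print("local fix: " + remediation_command())
```

Running it on a domain-joined workstation after the GPO has applied should print PASS; a FAIL with the "not set" finding usually means the policy has not reached that OU, which is worth confirming with `gpresult /r` before touching the registry by hand.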