Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
This is the first blog post in a series exploring the use of Living Off the Land techniques.
Each blog post will be designed around a different stage of the Cyber Kill Chain framework developed by Lockheed-Martin. This blog post will focus on how widely available tools can be used to facilitate the reconnaissance stage of the Kill Chain.
Living off the Land is an expression which refers to actions taken in pursuit of an objective using minimal custom developed tools or resources. By making use of tools already available in the target network, adversaries can evade conventional detection methods and obscure their activity. Additionally, this technique reduces an adversary’s unique footprint on the target network, meaning less opportunity for defenders to attribute activity to an individual or group. While these techniques pose unique challenges to defenders, they offer an opportunity to gain meaningful insight into adversary activity. This post will cover several common reconnaissance techniques using tools such as PowerShell and WMI, and offer several existing methods for addressing them.
PowerShell is a scripting language designed for task automation and configuration management. In the fourth quarter of 2017, MacAfee identified a 267% increase in malware that made use of PowerShell and a 432% year over year growth. Using PowerShell, attackers can query specific information such as system information, open ports, network configurations, password lockout thresholds and more.
Windows Management Instrumentation (WMI) is a tool used to query management information and remotely manage computer systems in an enterprise environment. Similar to PowerShell, WMI usage is expected in organizations to some degree, making identification of malicious activity difficult.
In 2017, eSentire identified an incident where an unknown adversary gained unauthorized access to a customer’s network by leveraging stolen VPN credentials. Once a foothold inside the network was obtained, the adversary located and, using Remote Desktop Protocol, accessed a critical system where endpoint monitoring was present. Here, the adversary was observed using command line tools to discover accounts and remote systems. Systeminfo was used to gather detailed information on the current system. The commands query user,net user [username] and net user/domain were employed to determine:
Within a short period of time, the adversary was able to identify and access the intended target with limited exposure. Visibility into reconnaissance activity allowed responders to make determinations about possible intentions and next target, ultimately reducing the overall time it took to scope and contain the threat.
The following section demonstrates a variety of PowerShell, WMI and Command line utilities leveraged by adversaries when performing reconnaissance activities.
Figure 1: Gwmi Win32_Group
Administrative Perspective:
Similar to other PowerShell commands, “Gwmi Win32_Group” shows associated groups.
Adversary Use:
This command is used by adversaries to identify users associated with administrative groups. Administrative users will then be targeted for future attacks, as their high permissions make them a valuable target.
Figure 2: Get-wmiobject
Administrative Perspective:
The “get-wmiobject” services command is used to show all services installed on the machine.
Adversary Use:
An adversary may use this information to determine what security software could potentially be installed, allowing the attack to be tailored against the known security infrastructure. This command will also reveal software that can potentially be targeted and if vulnerable, be exploited.
Figure 3: systeminfo
Administrative Perspective:
Legitimate users may employ the “systeminfo” command to display operating system information including host name, operating system, version, product ID, install date and hardware information for troubleshooting purposes.
The “systeminfo” command is available in both Command Prompt and PowerShell.
Adversary Use:
Malicious actors use this command to identify the operating system on the exploited system and attempt to elevate privileges.
Figure 4: net view and net use
Administrative Perspective:
The “net” command line utility allows users to view available network shares. This information is important for administrators as it allows them to easily record and audit network shares available to users.
Adversary Use:
Attackers use the “net” command to expose available shares accessible to the compromised accounts. They can use this information to insert malware on to shared drives or encrypt the contents.
Figure 5: net user
Administrative Perspective:
Administrators employ the “net user” command to manage user accounts; this includes adding, removing and renaming accounts.
Adversary Use:
This command can be used by attackers to look for accounts installed across multiple machines. After discerning accounts that are active on various machines, the attacker may then target these machines to perform lateral movement without needing additional compromised credentials. The “net user” command can also be used by adversaries to add users or elevate privileges.
Figure 6: net accounts
Administrative Perspective:
Administrators use the “net accounts” command to view user account login settings, including password length requirements, password expiry time and previous password exclusion.
Adversary Use:
Attackers utilize this information, specifically the lockout threshold, to avoid locking additional accounts out while moving laterally throughout the network.
PowerSploit is an online repository of PowerShell scripts that are organized for specific attack scenarios [1]. The repository was originally assembled for penetration testing purposes but has been widely misused by malicious actors. Threat actors have been seen to remotely download or manually type out the scripts to avoid suspicion.
Figure 7a: Invoke-PortScan
Figure 7a: Invoke-PortScan
Adversary Use:
Attackers use the “Invoke-PortScan” command to perform network scans and reveal open ports. In other situations the attacker would have to download a network mapping tool such as Nmap, which is more likely to be discovered.
For additional PowerSploit commands used for reconnaissance, such as get-NetUser, get-NetComputer, get-userproperty and Invoke-ReverseDnsLookup, see the PowerSploit repository on GitHub [1].
While it might be nearly impossible to completely prevent your tools from being used against you, there are ways to reduce an adversary’s ability to conduct reconnaissance on your network:
Every incident, no matter how minor, presents an opportunity to gain a foothold and move laterally throughout the network. Defenders should be aware of potential blind spots in monitoring to ensure they aren’t neglecting dual-purpose tools such as PowerShell or WMI. PowerShell logging is a popular choice but requires tuning to ensure you’re not getting alerted every time a system administrator is working through a ticket. One method for addressing this problem is to separate your users into role-based monitoring groups, with higher thresholds for groups who regularly use the tool (such as systems administrators). Also consider that adversaries have adapted to these controls, and obfuscation techniques are becoming more common. Consider how you might identify obfuscated PowerShell commands by entropy, length or behavior. For example, any PowerShell activity which results in a network connection, or creation of a child process may be of interest.
Living off the Land techniques for reconnaissance are a popular choice for adversaries, simply because they are so difficult to detect and block. Defenders have several options available to reduce opportunities but should be mindful of resistance among their users.
Sources
[1] https://github.com/PowerShellMafia/PowerSploit
[3] https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege