Detection of Internal Reconnaissance in Domain Environments Using EDR

While threat actors can make a profit by installing CoinMiners or ransomware after initial access, they usually first install a backdoor or RAT to seize control of the infected system. Infostealers are primarily used to steal user information from the system, but the stolen data is sometimes used to gain control over the target system so that CoinMiners or ransomware can ultimately be installed.

This may not matter much if the target is a single system, but if the system belongs to a corporation or organization, the threat actor may attempt to attack the entire infrastructure it is part of. If that infrastructure uses Active Directory and the infected system is joined to the domain, the threat actor can use malware and many other tools to compromise the entire domain.

This article covers the general process by which a threat actor, having taken control of a system within an Active Directory environment, conducts reconnaissance on the internal network to collect data. If this succeeds, the threat actor can steal account credentials which in turn can be used to take over the domain through lateral movement. Ultimately, the threat actor would distribute ransomware to all systems connected to the network or exfiltrate the corporation's internal data and profit from it.

In the internal reconnaissance stage, legitimate system management tools are often used. Accordingly, existing products such as anti-malware programs can only partially detect these behaviors; an EDR solution that monitors and responds to suspicious behaviors is better suited to the task.

AhnLab EDR (Endpoint Detection and Response) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on Korea’s only self-behavior-based engine. AhnLab EDR collects information on suspicious behaviors by type around the clock, allowing users to precisely perceive threats from a detection, analysis, and response perspective. Comprehensive analysis using the collected data allows administrators to identify the cause, make appropriate responses, and establish processes to prevent threat recurrence.

Figure 1. AhnLab EDR


1. Overview

Directory services integrate, store, and manage information on users and resources within a computer network. The directory service implemented in Windows is called Active Directory (AD). Domains are the basic unit of AD, and the server that handles management tasks such as authentication and permission grants is called the Domain Controller (DC). Because the Domain Controller has practical control over the whole domain, when a threat actor obtains control over the DC, the whole domain is compromised.

Like local systems, domain environments have administrator groups. Accounts in the Domain Admins group have control over the domain. The threat actor's goal is to steal the credentials of an account in the Domain Admins group, because such an account can remotely access the Domain Controller and ultimately perform any operation in the domain. Other groups, such as Enterprise Admins, may hold similar permissions, but this depends on the administrator's configuration.

To steal a domain administrator account, a threat actor must first identify the structure of the domain. While net and PowerShell commands (provided in Windows by default) can be used for this purpose, most threat actors rely on penetration testing tools. Generally, threat actors use port scanners for network inspection or tools such as AdFind, PowerView, and BloodHound, which extract various pieces of information from AD environments.


2. Port Scanning

Port scanning is the most common method of obtaining information from a given network, here the target domain. Through port scanning, the threat actor learns which systems are currently active and which ports, and therefore which services, are open on them. This reveals the network structure, including subnet and host information. Cobalt Strike offers a port scanning feature by default (the Beacon portscan command), and the following commands can be used for a port scanning attack.

Figure 2. Cobalt Strike’s port scanning command (Source – Cobalt Strike User Guide) [1]

Cobalt Strike is a commercial tool intended for assessing the security of corporate networks and systems. As such, in addition to internal reconnaissance features such as port scanning, it provides features for each stage of a penetration test, including privilege escalation, lateral movement, and command and control. Threat actors who do not use Cobalt Strike use other port scanner tools to inspect the network containing the infected system.

Advanced Port Scanner is a tool favored by operators of ransomware such as GlobeImposter, MedusaLocker, [2] Crysis, and Venus, which target externally exposed remote desktop services. Although it is used in many attacks, it is also a tool that administrators legitimately use to inspect the organization's network, so anti-malware products cannot block it outright.

AhnLab EDR detects the scanning of an organization's network with port scanner tools such as Advanced Port Scanner as a threat, as shown below, helping administrators recognize these behaviors.

Figure 3. Log detecting a port scanning tool – EDR
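To make the behavioral idea behind this kind of detection concrete, here is an added Python example (not from the original post and not AhnLab EDR's logic) that flags a scan from outbound connection records of the kind Sysmon Event ID 3 produces. The event field names, the 60-second window, and the threshold of 20 distinct ip:port targets are assumptions chosen for the example, and the events themselves are constructed. It also tells a horizontal sweep (many hosts, few ports) from a vertical scan of one host.

```python
"""Port-sweep detection over network connection events (added example).

Input shape is an assumption: one dict per outbound connection with the fields
an EDR or Sysmon Event ID 3 (network connection) record would normalize to.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back window per process
MIN_DISTINCT = 20                # distinct ip:port pairs that count as a scan


def build_sample_events():
    """Constructed sample, not captured data."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Scanner on WS-017 probes 25 neighbouring hosts on RDP and SMB within 25 seconds.
    scanner = r"C:\Users\bob\Downloads\Advanced_Port_Scanner.exe"
    for i in range(25):
        for port in (3389, 445):
            events.append({"ts": base + timedelta(seconds=i), "host": "WS-017",
                           "image": scanner, "dst_ip": f"10.0.0.{10 + i}", "dst_port": port})
    # Benign noise: a browser on WS-042 talking to three web hosts over a minute.
    browser = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    for i in range(30):
        events.append({"ts": base + timedelta(seconds=2 * i), "host": "WS-042",
                       "image": browser, "dst_ip": f"93.184.216.{34 + i % 3}", "dst_port": 443})
    return events


def detect_scans(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return one alert per (host, image) whose connections within any single
    window cover at least min_distinct distinct ip:port targets."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["image"])].append(e)

    alerts = []
    for (host, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                targets.add((e["dst_ip"], e["dst_port"]))
            if len(targets) >= min_distinct:
                ips = {ip for ip, _ in targets}
                ports = {p for _, p in targets}
                alerts.append({
                    "host": host, "image": image, "start": first["ts"],
                    "distinct_targets": len(targets),
                    "distinct_hosts": len(ips), "distinct_ports": len(ports),
                    # many hosts / few ports is a horizontal sweep for a service;
                    # one host / many ports is a vertical scan of a single box
                    "pattern": "sweep" if len(ips) > len(ports) else "vertical",
                })
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(build_sample_events()):
        print(alert)
```

The threshold is deliberately generous; a scanner touches dozens of targets per second, so the window can be shortened considerably once a baseline for the environment's chattiest legitimate processes (backup agents, monitoring, browsers) is known.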


3. Net & PowerShell Commands

Net commands are built into Windows and are mainly used for network resource management. Although they are default commands, they are useful for looking up the computer's users and network configuration, and in Active Directory environments they also return information on the systems and users in the domain.

Accordingly, after seizing control over the infected system, threat actors tend to use net commands to collect basic information on the surrounding network. The following are the main net commands observed in actual attacks against Active Directory environments.

> net time
> net user
> net group /domain
> net group /domain "Domain Admins"
> net group /domain "Enterprise Admins"
> net group /domain "Domain Computers"
> net group /domain "Domain Controllers"
> net localgroup Administrators
Figure 4. Looking up domain information using net commands

AhnLab EDR detects suspicious net commands as key behaviors, allowing administrators to recognize them, identify the cause, and respond appropriately.

Figure 5. Logs detecting suspicious net commands – EDR

In addition to the default net commands, the threat actor may use PowerShell. For example, the following cmdlets from the ActiveDirectory PowerShell module were used in actual attacks for the same purpose as the net commands above. [3] [4] These cmdlets are only available where the module is installed (for example, as part of RSAT), so their execution on an ordinary workstation is itself noteworthy.

> Get-ADDomain
> Get-ADComputer -Filter {enabled -eq $true} -Properties * | select DNSHostName, IPv4Address, OperatingSystem, LastLogonDate
> Get-ADDomainController
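Any one of these commands is routine; what stands out is several distinct lookups from the same account in a short span. The following Python is an added example (not part of the original post and not AhnLab EDR's detection logic) that classifies process-creation command lines, covering both the net commands and the ActiveDirectory cmdlets listed above, and raises an alert only when one account runs three or more different kinds of lookup within ten minutes. The event field names, window, and threshold are assumptions, and the sample events are constructed.

```python
"""Detect bursts of reconnaissance-style net commands (added example).

Input shape is an assumption: process-creation records (Sysmon Event ID 1 /
Security 4688 style) normalized to host, user, timestamp and command line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# net.exe hands most work to net1.exe, so both names are matched; matching on the
# command line rather than the image also survives copies under another name.
NET = r"\bnet1?(?:\.exe)?\s+"
RECON_PATTERNS = {
    "time_dc":            re.compile(NET + r"time\b", re.I),
    "users":              re.compile(NET + r"user\b", re.I),
    "domain_groups":      re.compile(NET + r"group\b.*\s/domain\b", re.I),
    "priv_group_members": re.compile(NET + r'group\b.*"?(?:domain|enterprise) admins"?', re.I),
    "domain_controllers": re.compile(NET + r'group\b.*"?domain controllers"?', re.I),
    "local_admins":       re.compile(NET + r"localgroup\s+administrators\b", re.I),
    # ActiveDirectory-module cmdlets used for the same purpose
    "ad_cmdlet": re.compile(r"\bGet-AD(?:Domain|DomainController|Computer|User|Group|GroupMember)\b", re.I),
}
WINDOW = timedelta(minutes=10)
MIN_CATEGORIES = 3   # one 'net user' is normal; several distinct lookups in a row are not


def classify(cmdline):
    """Return the set of reconnaissance categories a command line matches."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)}


def detect_recon_bursts(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """One alert per (host, user) that runs min_categories distinct kinds of
    reconnaissance lookup inside a single window."""
    by_actor = defaultdict(list)
    for e in events:
        cats = classify(e["cmdline"])
        if cats:
            by_actor[(e["host"], e["user"])].append((e["ts"], cats, e["cmdline"]))

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            seen, cmds = set(), []
            for ts, cats, cmd in hits[i:]:
                if ts - t0 > window:
                    break
                seen |= cats
                cmds.append(cmd)
            if len(seen) >= min_categories:
                alerts.append({"host": host, "user": user, "start": t0,
                               "categories": sorted(seen), "commands": cmds})
                break
    return alerts


def build_sample_events():
    """Constructed sample, not captured data."""
    base = datetime(2024, 1, 1, 14, 0, 0)
    recon = [
        "net time",
        "net user",
        "net group /domain",
        'net group /domain "Domain Admins"',
        'net group /domain "Domain Controllers"',
        "net localgroup Administrators",
        'powershell.exe -c "Get-ADComputer -Filter {enabled -eq $true} -Properties * | select DNSHostName"',
    ]
    events = [{"ts": base + timedelta(seconds=20 * i), "host": "WS-017",
               "user": r"CORP\bob", "cmdline": c} for i, c in enumerate(recon)]
    # Help desk activity: a single account lookup and a drive mapping, which
    # should stay below the threshold.
    events += [
        {"ts": base, "host": "WS-042", "user": r"CORP\helpdesk",
         "cmdline": "net user alice /domain"},
        {"ts": base + timedelta(minutes=2), "host": "WS-042", "user": r"CORP\helpdesk",
         "cmdline": r"net use Z: \\fs01\public"},
    ]
    return events


if __name__ == "__main__":
    for alert in detect_recon_bursts(build_sample_events()):
        print(alert)
```

Counting distinct categories rather than raw command count is what keeps a help-desk operator who runs `net user` five times from tripping the rule, while a single actor walking through time, users, privileged groups, and local administrators does.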


4. PowerView

PowerView is a PowerShell tool included in the PowerSploit project that collects and displays various information about Windows domain environments, including network shares and Active Directory objects such as users, groups, and computers. Through this information, the threat actor can learn the structure of the domain and identify the targets that must be attacked for privilege escalation.

Because it offers a far greater range of features than the net commands or basic PowerShell cmdlets covered above, many of them specific to Windows domain information, it is frequently used in attacks against Active Directory environments.

Figure 6. PowerSploit’s PowerView script

For example, Get-Domain (or its older alias Get-NetDomain) shows basic information on the current domain, Get-DomainUser (Get-NetUser) returns the users in the current domain and their attributes, and Get-DomainGroup (Get-NetGroup) returns information on the groups in the current domain. Get-DomainComputer (Get-NetComputer) returns the computer objects joined to the current domain.

The threat actor that distributed the IcedID banking trojan in the past installed Cobalt Strike on the infected system and then ran the following PowerView commands to obtain domain information. [5] Note that Get-PSDrive is a built-in PowerShell cmdlet rather than a PowerView function; here it lists the drives, including mapped network shares, visible from the compromised host.

> Get-Domain
> Get-DomainUser
> Get-DomainComputer -OperatingSystem server -Properties dnshostname
> Get-DomainComputer -Properties dnshostname -Ping
> Get-DomainController
> Get-PSDrive
Figure 7. Logs detecting PowerView commands – EDR
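PowerView is often loaded directly into memory rather than written to disk, so PowerShell Script Block Logging (Event ID 4104) is the natural place to look for it. The Python below is an added example, not AhnLab's or the PowerSploit project's code, that triages a script block's text: it distinguishes a block that defines PowerView functions (the module being loaded) from one that merely invokes them, maps the older Get-Net* aliases to their current names, and sets aside built-in cmdlets such as Get-PSDrive. The sample blocks are constructed, the function list is a subset, and an obfuscated or renamed copy will not match by name.

```python
"""Triage PowerShell script block log text for PowerView usage (added example).

The input is the ScriptBlockText of a PowerShell 4104 (Script Block Logging)
event; the sample blocks below are constructed, not captured.
"""
import re

# Current PowerView function names (subset) and the older Get-Net* aliases they replaced.
POWERVIEW_FUNCTIONS = {
    "Get-Domain", "Get-DomainUser", "Get-DomainGroup", "Get-DomainGroupMember",
    "Get-DomainComputer", "Get-DomainController", "Get-DomainTrust",
    "Get-DomainGPO", "Get-DomainOU", "Get-NetShare", "Find-LocalAdminAccess",
}
POWERVIEW_ALIASES = {
    "Get-NetDomain": "Get-Domain", "Get-NetUser": "Get-DomainUser",
    "Get-NetGroup": "Get-DomainGroup", "Get-NetGroupMember": "Get-DomainGroupMember",
    "Get-NetComputer": "Get-DomainComputer", "Get-NetDomainController": "Get-DomainController",
}

COMMAND_RE = re.compile(r"\b([A-Z][A-Za-z]+-[A-Z][A-Za-z]+)\b")   # Verb-Noun tokens
DEFINITION_RE = re.compile(r"^\s*function\s+([A-Z][A-Za-z]+-[A-Z][A-Za-z]+)", re.M | re.I)


def canonical(name):
    """Map a legacy alias to the current PowerView name; other names pass through."""
    return POWERVIEW_ALIASES.get(name, name)


def analyze_script_block(text):
    """Classify one script block: does it define PowerView functions (the module
    being loaded into memory) or invoke them, and which other commands appear."""
    defined = {canonical(m) for m in DEFINITION_RE.findall(text)} & POWERVIEW_FUNCTIONS
    invoked, other = set(), set()
    for name in COMMAND_RE.findall(text):
        if canonical(name) in defined:
            continue  # the name is being defined or aliased here, not called
        if canonical(name) in POWERVIEW_FUNCTIONS:
            invoked.add(canonical(name))
        else:
            other.add(name)
    if defined:
        verdict = "powerview_loaded"
    elif invoked:
        verdict = "powerview_invoked"
    else:
        verdict = "none"
    return {"verdict": verdict, "defined": sorted(defined),
            "invoked": sorted(invoked), "other_commands": sorted(other)}


# Constructed script blocks for the example.
SAMPLE_BLOCKS = {
    "icedid_style": (
        "Get-Domain\n"
        "Get-DomainUser\n"
        "Get-DomainComputer -OperatingSystem server -Properties dnshostname\n"
        "Get-DomainComputer -Properties dnshostname -Ping\n"
        "Get-DomainController\n"
        "Get-PSDrive\n"
    ),
    "legacy_aliases": "Get-NetDomain; Get-NetUser -AdminCount; Get-NetGroup 'Domain Admins'\n",
    "loader_fragment": (
        "function Get-DomainUser {\n"
        "    [CmdletBinding()]\n"
        "    Param([String[]] $Identity)\n"
        "    # ... body omitted in this constructed sample ...\n"
        "}\n"
        "Set-Alias Get-NetUser Get-DomainUser\n"
    ),
    "benign_admin": (
        "Get-Date\n"
        "Get-PSDrive -PSProvider FileSystem\n"
        "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }\n"
    ),
}


if __name__ == "__main__":
    for label, block in SAMPLE_BLOCKS.items():
        print(label, analyze_script_block(block))
```

A "powerview_loaded" verdict on a workstation is the stronger signal, since it means the whole module was pulled into a PowerShell session; "powerview_invoked" on its own can be a false positive if an internal module happens to reuse one of these names.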


5. AdFind

AdFind is a command-line tool that collects Active Directory information from the current network. Like PowerView, it is used to collect information on the Domain Controllers, the list of subnets, and the computers, users, and groups in the domain the current system belongs to. The threat actor can use AdFind's output to learn the structure of the domain and identify targets for lateral movement.

In the past, the Ryuk ransomware operator used the batch file "adf.bat" to execute the following AdFind commands. While the IcedID case above used PowerView, the Ryuk operator used AdFind, a tool that administrators also use to inspect the organization's domain, and was thus able to collect domain information more covertly. [6]

> AdFind.exe -gcb -sc trustdmp
> AdFind.exe -sc trustdmp
> AdFind.exe -f "objectcategory=computer"
> AdFind.exe -f "(objectcategory=person)"
> AdFind.exe -f "(objectcategory=group)"
> AdFind.exe -f "(objectcategory=organizationalUnit)"
> AdFind.exe -subnets -f (objectCategory=subnet)
> AdFind.exe -f objectcategory=computer -csv name cn dNSHostName
Figure 8. The lookup result of information on computers in the domain using AdFind

Because AdFind can also be used for legitimate purposes, anti-malware products can only partially detect it. AhnLab EDR detects the use of AdFind to collect an organization's Active Directory information as a threat, as shown below, helping administrators perceive it.

Figure 9. Log detecting AdFind commands – EDR
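Because AdFind is legitimate, the useful signal is what a given run asks the directory for. The Python below is an added example, not from the post and not from AdFind's author, that parses the adf.bat command lines above into the object classes they enumerate and, because it keys on the arguments rather than the file name, also catches a copy that has been renamed (the svc.exe case is constructed). Switch handling covers -f, -sc, -gcb, -subnets and -csv; other switches are ignored.

```python
"""Parse AdFind command lines into what they enumerate (added example).

The switch semantics used here (-f LDAP filter, -sc shortcut, -gcb global
catalog base, -subnets, -csv attribute list) are AdFind's documented ones; the
command lines are those quoted from adf.bat above plus one constructed
renamed-binary case.
"""
import re
from pathlib import PureWindowsPath

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
OBJECT_RE = re.compile(r"objectcategory=([A-Za-z]+)", re.I)
# Meaning of the -sc shortcuts that matter for reconnaissance triage
SHORTCUTS = {"trustdmp": "domain trusts", "dclist": "domain controllers"}

ADF_BAT = [
    "AdFind.exe -gcb -sc trustdmp",
    "AdFind.exe -sc trustdmp",
    'AdFind.exe -f "objectcategory=computer"',
    'AdFind.exe -f "(objectcategory=person)"',
    'AdFind.exe -f "(objectcategory=group)"',
    'AdFind.exe -f "(objectcategory=organizationalUnit)"',
    "AdFind.exe -subnets -f (objectCategory=subnet)",
    "AdFind.exe -f objectcategory=computer -csv name cn dNSHostName",
]


def parse_adfind(cmdline):
    """Split an AdFind command line into the image name and the switches that
    decide which directory objects it pulls."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    image, args = tokens[0], tokens[1:]
    parsed = {"image": PureWindowsPath(image).name.lower(), "filters": [], "objects": [],
              "shortcuts": [], "gcb": False, "subnets": False, "csv_attrs": None}
    i = 0
    while i < len(args):
        sw = args[i].lower()
        if sw == "-f" and i + 1 < len(args):          # LDAP filter
            parsed["filters"].append(args[i + 1])
            parsed["objects"] += [m.lower() for m in OBJECT_RE.findall(args[i + 1])]
            i += 2
        elif sw == "-sc" and i + 1 < len(args):       # predefined shortcut query
            parsed["shortcuts"].append(args[i + 1].lower())
            i += 2
        elif sw == "-gcb":                            # global catalog base: forest-wide, not one domain
            parsed["gcb"] = True
            i += 1
        elif sw == "-subnets":                        # search the Subnets container (site topology)
            parsed["subnets"] = True
            i += 1
        elif sw == "-csv":                            # output attributes follow until the next switch
            attrs = []
            i += 1
            while i < len(args) and not args[i].startswith("-"):
                attrs.append(args[i])
                i += 1
            parsed["csv_attrs"] = attrs
        else:
            i += 1
    return parsed


def looks_like_adfind(parsed):
    """True when the arguments alone are AdFind-shaped, whatever the image is called."""
    return bool(parsed["filters"] or parsed["shortcuts"] or parsed["gcb"] or parsed["subnets"])


def summarize(cmdlines):
    """Collapse a batch of command lines into the object classes enumerated and
    any image that is not adfind.exe yet takes AdFind arguments."""
    enumerated, renamed = set(), []
    for c in cmdlines:
        p = parse_adfind(c)
        enumerated.update(p["objects"])
        if p["subnets"]:
            enumerated.add("subnet")
        enumerated.update(SHORTCUTS.get(s, s) for s in p["shortcuts"])
        if looks_like_adfind(p) and p["image"] != "adfind.exe":
            renamed.append(p["image"])
    return {"enumerated": sorted(enumerated), "renamed_images": renamed}


if __name__ == "__main__":
    print(summarize(ADF_BAT + [r'C:\Windows\Temp\svc.exe -f "(objectcategory=person)"']))
```

Seen together, the adf.bat batch enumerates trusts, computers, persons, groups, OUs and subnets in under a minute, which is a very different profile from an administrator running one targeted query; the summary view is what a triage analyst wants, not eight separate alerts.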


6. BloodHound

BloodHound collects Active Directory information to find attack paths for privilege escalation. It presents the results in a GUI as a graph, visualizing the shortest path by which the threat actor can obtain domain administrator privileges.

SharpHound is BloodHound's collector for gathering information from domain environments. The threat actor runs SharpHound on a domain-joined system to collect the data. It comes in two forms: the executable "SharpHound.exe" and the PowerShell script "SharpHound.ps1". It collects trust relationships, group policy settings, Active Directory objects, and the group memberships, logon sessions, and local administrator rights that link those objects together.

Figure 10. Upon executing SharpHound

The collected information is written to a compressed file (.zip). The threat actor then imports this file into a system running BloodHound, which analyzes it and displays the relationships visually, as shown below.

Figure 11. Result of parsing the collected information through BloodHound (Source – BloodHound[7])
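What BloodHound computes over the imported data is a shortest-path query on a graph of AD relationships. The Python below is an added example, not BloodHound's code, on a hand-made graph of users, groups and computers joined by MemberOf, AdminTo and HasSession edges: it finds the shortest path from a given user to Domain Admins, ranks every user by path length, and counts the intermediate nodes shared by the most paths, which is where a defender would cut. All node and edge data is constructed.

```python
"""Shortest attack path to Domain Admins over BloodHound-style edges (added example).

The graph is constructed by hand for illustration; node names and edge kinds
follow BloodHound's conventions (MemberOf, AdminTo, HasSession) but nothing
here is real collected data.
"""
from collections import Counter, defaultdict, deque

TARGET = "DOMAIN ADMINS@CORP.LOCAL"

NODES = {  # name -> type
    "BOB@CORP.LOCAL": "User", "ALICE@CORP.LOCAL": "User",
    "DA-SVC@CORP.LOCAL": "User", "CAROL@CORP.LOCAL": "User",
    "HELPDESK@CORP.LOCAL": "Group", "SERVER-OPS@CORP.LOCAL": "Group",
    "SALES@CORP.LOCAL": "Group", TARGET: "Group",
    "WS-017.CORP.LOCAL": "Computer", "FS01.CORP.LOCAL": "Computer",
    "WS-099.CORP.LOCAL": "Computer",
}

# (source, edge, destination). AdminTo: the principal is local admin on the computer.
# HasSession: that user has a logon session (credentials in memory) on the computer.
EDGES = [
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS-017.CORP.LOCAL"),
    ("WS-017.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "SERVER-OPS@CORP.LOCAL"),
    ("SERVER-OPS@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "DA-SVC@CORP.LOCAL"),
    ("DA-SVC@CORP.LOCAL", "MemberOf", TARGET),
    ("CAROL@CORP.LOCAL", "MemberOf", "SALES@CORP.LOCAL"),
    ("SALES@CORP.LOCAL", "AdminTo", "WS-099.CORP.LOCAL"),
]


def build_adjacency(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def shortest_path(adj, start, target):
    """Breadth-first search; returns the path as a list of (src, edge, dst)
    or None when the target is unreachable."""
    if start == target:
        return []
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, ()):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt == target:
                path, cur = [], nxt
                while prev[cur] is not None:
                    src, r = prev[cur]
                    path.append((src, r, cur))
                    cur = src
                return path[::-1]
            queue.append(nxt)
    return None


def rank_users(nodes, edges, target=TARGET):
    """Users that can reach the target, shortest first: the view BloodHound's
    'Shortest Paths to Domain Admins' query gives the operator."""
    adj = build_adjacency(edges)
    ranked = []
    for name, kind in nodes.items():
        if kind != "User":
            continue
        path = shortest_path(adj, name, target)
        if path is not None:
            ranked.append((name, len(path)))
    return sorted(ranked, key=lambda t: (t[1], t[0]))


def choke_points(nodes, edges, target=TARGET):
    """Intermediate nodes shared by the most user paths; severing an edge at
    one of these removes several paths at once."""
    adj = build_adjacency(edges)
    counts = Counter()
    for name, kind in nodes.items():
        if kind != "User":
            continue
        path = shortest_path(adj, name, target)
        if path:
            counts.update(dst for _, _, dst in path[:-1])
    return counts


if __name__ == "__main__":
    for src, rel, dst in shortest_path(build_adjacency(EDGES), "BOB@CORP.LOCAL", TARGET):
        print(f"{src} -[{rel}]-> {dst}")
    print(rank_users(NODES, EDGES))
    print(choke_points(NODES, EDGES).most_common(3))
```

In the constructed graph the whole problem is the DA-SVC session on FS01: a domain admin logging on to a file server that a broad operations group administers turns every member of that group, and anyone who can reach one of their workstations, into a path to Domain Admins. A HasSession edge is only as current as the last collection run, which is why attackers re-run SharpHound and why defenders should treat these paths as changing daily.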

AhnLab EDR detects the use of BloodHound's SharpHound.exe executable and SharpHound.ps1 PowerShell script to collect Active Directory information from the organization as threats, as shown below, helping administrators perceive the threat.

Figure 12. Log detecting SharpHound executable file and PowerShell scripts – EDR


7. Conclusion

Threat actors that infiltrate the domain environment of an organization using Active Directory can use various tools to obtain Active Directory information. They can use tools such as PowerView and AdFind to collect basic domain information and port scanners to identify attack targets before proceeding to the lateral movement stage. The ultimate goal of lateral movement is to obtain domain administrator permissions and compromise the entire domain; BloodHound is used to find the shortest path to them.

At the internal reconnaissance stage, built-in net commands, AdFind, port scanners, and other management tools are used alongside tools such as PowerView and BloodHound. As such, the data-collecting behaviors of threat actors in this stage cannot be fully detected or blocked by security software such as anti-malware products. AhnLab EDR detects not only malware but also tools that can be used for ordinary management purposes, helping administrators identify the cause, respond adequately, and establish processes to prevent recurrence.

Behavior Detection
– Execution/EDR.Behavior.M10741
– Suspicious/DETECT.T1018.M2919
– LateralMovement/EDR.PowerView.M4055
– LateralMovement/EDR.ADFind.M10710
– Execution/DETECT.Scripting.M4091
– Execution/EDR.SharpHound.M11547

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Detection of Internal Reconnaissance in Domain Environments Using EDR appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/60106/