Attack vectors are the entry point; but how are they leveraged by threat actors for gaining access to networks?
Threat actors have a large bag of tricks with the various methods and common tools they have access to when they are attempting to gain the initial access into systems and networks.
We’re going to cover these methods and what can be done in order to protect systems and networks from becoming compromised.
Gathering Information
First, reconnaissance and how threat actors gather their initial information needs to be covered.
Threat actors are looking for vulnerabilities and potential access points for their attacks. They will concentrate efforts on the most vulnerable entry points first before escalating to more sophisticated types of attacks. Think of, what’s easiest and the lowest hanging fruit.
To start, threat actors will collect open-source information about your organization. This might include them looking for files that were not intended to be exposed. Google is commonly used too to accomplish this and has a vast amount of information and provides a single platform for threat actors to use for initial reconnaissance. Using Google Dorks, threat actors can perform complex search queries for items of interest.
Threat actors will also attempt to mention any domain or sub-domains in use by the victim, one by one.
By finding additional sites operated by the victim, the threat actor might be able to find a certain attack or vulnerability to exploit. They can also conduct research on domain names to find devices and IP ranges belonging to organizations.
Several tools used for additional research include:
These tools allow the threat actor to either actively or passively scan the domains and IP addresses of the victim’s network. They will produce reports containing information on the operating system, versioning, along with known vulnerabilities that could be exploited.
Gathering Information Complete. Next – Weaponization
Once the threat actor has completed the reconnaissance portion of the attack, they will then move to weaponize an initial exploit. This exploit will focus on leveraging one or more of the previous vulnerabilities found. Many times, there is proof of concepts already out in the wild for threat actors to leverage against known vulnerabilities. This is a quick win and allows quicker successful attacks.
Phishing, Drive-Bys and Getting People to Click on Malware
Next, they must determine the best method of getting the exploit into the network successfully. The most common delivery method is via email. This is called Phishing. Phishing can either contain a malicious document, link, or zip file. Once it is sent, it is simply a waiting game for the end-user to open and execute the malware. Threat actors can also use previously breached websites to post malware in an attempt to infect users. This is known as drive-by attacks or downloads.
Attacks can also begin by the threat actor exploiting one of the vulnerabilities found during the scanning of either a hardware or software component. They can attempt to brute force the system or use a published proof of concept attack to take leverage a way into the network.
Executing the Weaponized Exploit
Once the weaponized exploit is executed, the threat actor has an established foothold in the network. Now is the time they will look for methods of maintaining access to the system infected. Often, threat actors will utilize the Windows registry to achieve persistence by modifying or storing malicious code in the following keys.
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
There might also be malicious files placed in a startup directory that would allow threat actors to maintain persistence.
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShell Folders
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerUser Shell Folders
Next are running services. Many Windows services are required to run at boot. Malicious files can be loaded if a service fails to start or in place of a legitimate service.
Some background services allow remote access to systems.
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservices
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
Note: These do not represent all the potential options for malware persistence but are some of the more common locations.
Escalation
Once persistence is gained, the threat actor will look to escalate privileges and move laterally through the network. Normally native tools are used to move through the network such as remote desktop or Windows administrative shares. Other techniques include passing the hash, internal spearphishing, or SSH hijacking.
In recent attacks, specifically ransomware, threat actors will exfiltrate data to attempt to push the victim into paying the ransom. During reconnaissance and lateral movement, the threat actor will look for sensitive data that would be of great value to the victim. Once located, they will package the data and remove it from the network.
Common tools and methods include exfiltration to cloud storage solutions, such as:
They may also use email or traditional SFTP tools to transfer the data.
What Can Be Done?
What can be done by IT security to help identify malware, persistence, lateral movement, and any potential data exfiltration?
You must be able to monitor what is going on in the network. Traditional anti-virus can help, but most of the time does not give you a centralized platform to monitor what is going on. Plus, your organization might not have the ability or personnel to adequately monitor alerts.
This typically has become an additional duty for the IT team without proper training or the team does not have the experience needed to recognize and identify real threats. Organizations should invest in advanced cyber security solutions such as endpoint detection and response or have a managed service provider monitoring system.
The most critical vulnerability for organizations: People!
Either clicking on a link, downloading a file, not updating or patching, or taking shortcuts to allow remote access, all of these are vulnerabilities that allow threat actors into the network. Training is key for people to become aware of the threats and how to identify something suspicious is going on. Organizations should also include scheduled vulnerability scans of systems and dedicated patch management processes.