We’ve all seen the movies and television shows where ‘hackers’ use elaborate tools to break into networks and, once in, use even more elaborate tools to move around undetected doing whatever they set out to do. It’s true, there are some pretty cool tools out there (a few noted below) but, as this article at Threatpost does an excellent job of pointing out, much of the functionality an attacker needs once they have access to a network, such as discovering secrets (passwords, account numbers, etc.) or stealing large amounts of data, is already there in most cases. As an attacker, the smaller my footprint and the less I have to put on disk, the greater my chances of getting in, doing my thing and getting out without getting caught and / or stopped. The article points to a number of off-the-shelf tools like Angry IP Scanner, Nmap, VNC, etc. which are popular, but they touch disk and often trip antivirus or other basic defenses (granted, many admins have gotten used to simply ignoring portscans). The article glosses over more fundamental things, though, like the net commands (net view, net use, net user, etc.), WMI (query for installed software, running processes, event logs [were you noisy on the way in?], etc.) and my personal favorite, PowerShell (invoke-expression).
At one time, preventing a / the breach was all the rage; that was the goal. As the perimeter has faded (mobile phones that are also connected to your company WiFi completely bypass the firewall) and the reality that the perimeter is gone has been (begrudgingly) accepted, I’ve heard more and more people using the term ‘assume breach’. Rather than simply focusing on keeping separation between trusted and untrusted, the ‘assume breach’ approach takes additional steps like IDS (do we have weird traffic on the inside?), application whitelisting (no, elfbowling.exe is not on the list), egress filtering (that outbound connection on TCP port 4444 just ain’t going to work, get creative [443 likely will]) and ultimately, hunting.
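As an added example (my own, not from the Threatpost article), here is a small Python triage script in the ‘assume breach’ spirit: it runs simple rules for the net commands, WMI queries and PowerShell invoke-expression use mentioned above, plus the outbound-port-4444 case from the egress filtering point, over constructed Sysmon-style events and escalates only hosts that show several of these behaviours together. The event shape, rule names and sample command lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape; these are not real logs.
# Fields: (event type, host, image path, command line or "dst_ip:port")
SAMPLE_EVENTS = [
    ("process", "ws01", r"C:\Windows\System32\net.exe", "net view /domain"),
    ("process", "ws01", r"C:\Windows\System32\net.exe", "net user helpdesk2 /add"),
    ("process", "ws01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic process list brief"),
    ("process", "ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -c IEX $s"),
    ("network", "ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "203.0.113.5:4444"),
    ("process", "ws02", r"C:\Windows\System32\net.exe", "net use Z: \\\\fs01\\share"),
    ("network", "ws02", r"C:\Program Files\Browser\browser.exe", "203.0.113.5:443"),
]

# Each rule names the built-in-tool behaviour it looks for in a command line.
PROCESS_RULES = [
    ("net-enumeration-or-account-change",
     re.compile(r"\bnet1?\s+(view|use|user|group|localgroup)\b", re.I)),
    ("wmi-enumeration",
     re.compile(r"\bwmic(\.exe)?\s+(process|product|service|ntevent)\b", re.I)),
    ("powershell-invoke-expression", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("powershell-hidden-window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
]
EGRESS_DENY_PORTS = {4444}  # ports the egress filter should never see leaving


def match_event(event):
    """Return the list of rule names a single event triggers."""
    kind, _host, _image, detail = event
    hits = []
    if kind == "process":
        hits = [name for name, rx in PROCESS_RULES if rx.search(detail)]
    elif kind == "network":
        port = int(detail.rsplit(":", 1)[1])
        if port in EGRESS_DENY_PORTS:
            hits.append("egress-to-denied-port")
    return hits


def hunt(events, threshold=2):
    """Collect distinct rule hits per host and escalate hosts at or above
    the threshold: one 'net view' is routine, but recon plus WMI plus
    invoke-expression plus a port 4444 connection together is not."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev[1]].update(match_event(ev))
    return {host: sorted(hits) for host, hits in per_host.items()
            if len(hits) >= threshold}
```

Running hunt(SAMPLE_EVENTS) escalates only ws01; ws02 has a single net use and a normal 443 connection, so it stays below the threshold.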
Misc / Errata
- Threatpost Article – https://threatpost.com/most-post-intrusion-cyber-attacks-involve-everyday-admin-tools/119046/
- Bank Info Security – http://www.bankinfosecurity.com/how-to-spot-attacks-that-dont-rely-on-malware-a-9235
- Metasploit – https://www.metasploit.com/
- Powershell Empire – http://www.powershellempire.com/
- Burp – https://portswigger.net/burp/