Process Discovery

From enterprise
Jump to: navigation, search
Process Discovery
Technique
ID T1057
Tactic Discovery
Platform Linux, macOS, Windows
System Requirements Administrator, SYSTEM may provide better process ownership details
Permissions Required User, Administrator, SYSTEM
Data Sources Process command-line parameters, Process monitoring
CAPEC ID CAPEC-573

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.

Windows

An example command that would obtain details on processes is "tasklist" using the Tasklist utility.

Mac and Linux

In Mac and Linux, this is accomplished with the ps command.

Examples

  • APT28 has used built-in tools like ps aux on macOS to determine which processes are running.1 An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.2
  • APT3 has a tool that can list out currently running processes. 3 4
  • Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.5
  • Ke3chang performs process discovery using tasklist commands.6
  • Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server.78
  • Magic Hound malware can list running processes.9
  • Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.10
  • OilRig has run tasklist on a victim.11
  • After compromising a victim, Poseidon Group lists all running processes.12
  • Stealth Falcon malware gathers a list of running processes.13
  • Turla surveys a system upon check-in to discover running processes using the tasklist /v command.14
  • Winnti Group looked for a specific process running on infected servers.15
  • 4H RAT has the capability to obtain a listing of running processes (including loaded modules).16
  • ADVSTORESHELL can list running processes.17
  • BACKSPACE may collect information about running processes.18
  • BBSRAT can list running processes.19
  • BLACKCOFFEE has the capability to discover processes.20
  • Backdoor.Oldrea collects information about running processes.21
  • BlackEnergy has gathered a process list by using Tasklist.exe.2223
  • ChChes collects its process identifier (PID) on the victim.24
  • ChChes collects the victim's running process IDs.25
  • Cobalt Strike's "beacon" payload can collect information on process details.26
  • Crimson contains a command to list processes.27
  • Derusbi collects current and parent process IDs.2829
  • The discovery modules used with Duqu can collect information on process details.30
  • DustySky collects information about running processes from victims.10
  • ELMER is capable of performing process listings.31
  • GeminiDuke collects information on running processes and environment variables from the victim.32
  • HALFBAKED can obtain information about running processes on the victim.33
  • Helminth has used Tasklist to get information on processes.34
  • Hydraq creates a backdoor through which remote attackers can monitor processes.3536
  • JHUHUGIT obtains a list of running processes on the victim.3738
  • JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.39
  • JPIN can list running processes.39
  • Kasidet has the ability to search for a given process name in processes currently running in the system.40
  • The OsInfo function in Komplex collects a running process list.41
  • creates a backdoor through which remote attackers can retrieve a list of running processes.42
  • MobileOrder has a command to upload information about all running processes to its C2 server.43
  • MoonWind has a command to return a list of running processes.44
  • NETEAGLE can send process listings over the C2 channel.18
  • Orz can gather a process list from the victim.45
  • POORAIM can enumerate processes.46
  • POWRUNER may collect process information by running tasklist on a victim.47
  • Pasam creates a backdoor through which remote attackers can retrieve lists of running processes.48
  • PowerDuke has a command to list the victim's processes.49
  • PowerSploit's Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.5051
  • Pupy can list the running processes and get the process ID and parent process’s ID.52
  • RTM can obtain information about process integrity levels.53
  • Remsec can obtain a process list from the victim.54
  • SHOTPUT has a command to obtain a process listing.55
  • ... further results

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting56 tools, like AppLocker,5758 or Software Restriction Policies59 where appropriate.60

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. ^  Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  2. ^  Unit 42. (2018, February 28). Unit 42 Playbook Viewer - Sofacy. Retrieved March 15, 2018.
  3. ^  Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  4. ^  Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  5. ^  Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  6. ^  Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  7. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  8. ^  Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  9. ^  Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  10. a b  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  11. ^  Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  12. ^  Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  13. ^  Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  14. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  15. ^  Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  16. ^  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  17. ^  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  18. a b  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  19. ^  Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  20. ^  FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  21. ^  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  22. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  23. ^  Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  24. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  25. ^  FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  26. ^  Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  27. ^  Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  28. ^  Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  29. ^  FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  30. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  1. ^  Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  2. ^  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  3. ^  Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  4. ^  Unit 42. (2017, December 15). Unit 42 Playbook Viewer - OilRig. Retrieved December 20, 2017.
  5. ^  Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  6. ^  Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  7. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  8. ^  Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  9. a b  Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  10. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  11. ^  Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  12. ^  Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  13. ^  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  14. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  15. ^  Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  16. ^  FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  17. ^  Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  18. ^  Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  19. ^  Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  20. ^  PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  21. ^  PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  22. ^  Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  23. ^  Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  24. ^  Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  25. ^  Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  26. ^  Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  27. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  28. ^  NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  29. ^  Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  30. ^  Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.