Process Discovery

From ATT&CK
Jump to: navigation, search
Process Discovery
Technique
ID T1057
Tactic Discovery
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux
System Requirements Administrator, SYSTEM may provide better process ownership details
Permissions Required User, Administrator, SYSTEM
Data Sources Process command-line parameters, Process monitoring
CAPEC ID CAPEC-573

Adversaries may attempt to get information about running processes on a system. An example command that would obtain details on processes is "tasklist" using the Tasklist utility.

Information obtained could be used to gain an understanding of common software running on systems within the network.

Examples

  • Ke3chang performs process discovery using tasklist commands.1
  • Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.2
  • Turla surveys a system upon check-in to discover running processes using the tasklist /v command.3
  • Molerats actors obtained a list of active processes on the victim and sent them to C2 servers.4
  • Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server.5
  • After compromising a victim, Poseidon Group lists all running processes.6
  • Stealth Falcon malware gathers a list of running processes.7
  • Winnti Group looked for a specific process running on infected servers.8
  • Sykipot may gather a list of running processes by running tasklist /v.9
  • Derusbi collects current and parent process IDs.10
  • BACKSPACE may collect information about running processes.11
  • gh0st RAT is able to list processes.12
  • NETEAGLE can send process listings over the C2 channel.11
  • The discovery modules used with Duqu can collect information on process details.13
  • JHUHUGIT obtains a list of running processes on the victim.14
  • ADVSTORESHELL can list running processes.15
  • GeminiDuke collects information on running processes and environment variables from the victim.16
  • Tasklist can be used to discover processes running on a system.17
  • WinMM sets a WH_CBT Windows hook to collect information on process creation.18
  • DustySky collects information about running processes from victims.4
  • SHOTPUT has a command to obtain a process listing.19
  • ELMER is capable of performing process listings.20
  • 4H RAT has the capability to obtain a listing of running processes (including loaded modules).21
  • BLACKCOFFEE has the capability to discover processes.22
  • MobileOrder has a command to upload information about all running processes to its C2 server.23
  • Kasidet has the ability to search for a given process name in processes currently running in the system.24
  • BlackEnergy has gathered a process list by using Tasklist.exe.2526
  • Backdoor.Oldrea collects information about running processes.27
  • Trojan.Karagany can use tasklist to collect a list of running tasks.27
  • Crimson contains a command to list processes.28
  • Remsec can obtain a process list from the victim.29
  • BBSRAT can list running processes.30
  • PowerDuke has a command to list the victim's processes.31
  • StreamEx has the ability to enumerate processes.32
  • ChChes collects its process identifier (PID) on the victim.33
  • RTM can obtain information about process integrity levels.34
  • MoonWind has a command to return a list of running processes.35

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting36 tools, like AppLocker,3738 or Software Restriction Policies39 where appropriate.40

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. ^  Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  2. ^  Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  3. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  4. a b  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  5. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  6. ^  Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  7. ^  Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  8. ^  Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  9. ^  Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
  10. ^  Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  11. a b  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  12. ^  FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  13. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  14. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  15. ^  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  16. ^  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  17. ^  Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
  18. ^  Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  19. ^  Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  20. ^  Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  1. ^  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  2. ^  FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  3. ^  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  4. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  5. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  6. ^  Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  7. a b  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  8. ^  Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  9. ^  Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  10. ^  Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  11. ^  Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  12. ^  Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  13. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  14. ^  Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  15. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  16. ^  Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  17. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  18. ^  NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  19. ^  Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  20. ^  Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.