
Learn Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 9
- Tutorial
Data collection
Links to all parts:
Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Credential Access
Part 7. Discovery.
Part 8. Lateral Movement.
Part 9. Collection.
Part 10. Exfiltration.
Part 11. Command and Control.
Techniques for collecting data in a compromised environment include methods for identifying, locating and directly collecting targeted information (for example, confidential files) in order to prepare it for further exfiltration. The description of information collection methods also covers the places in systems or networks where information is stored and where adversaries can search for and collect it.
Indicators of most of the data collection techniques presented in ATT&CK are processes that use APIs, WMI, PowerShell, Cmd or Bash to capture target information from input/output devices, or that open files for reading multiple times and then copy the received data to a specific place on the file system or network. During collection, data can be encrypted and combined into archive files.
General recommendations for protecting against data collection include: identifying and blocking potentially dangerous and malicious software with application whitelisting tools such as AppLocker and Software Restriction Policies on Windows; encrypting sensitive information and storing it outside local systems; restricting user access rights to network directories and corporate information storages; and applying a password policy and two-factor authentication in the protected environment.
The author is not responsible for the possible consequences of applying the information set forth in the article, and also apologizes for possible inaccuracies made in some formulations and terms. The published information is a free retelling of the contents of MITRE ATT&CK.
Audio Capture
System: Windows, Linux, macOS
Rights: User
Description: An adversary can use computer peripherals (for example, a microphone or a webcam) or applications (for example, voice and video call services) to capture audio recordings in order to further listen to confidential conversations. Malicious software or scripts can be used to interact with peripheral devices through the API functions provided by the operating system or application. Collected audio files can be recorded to a local disc with subsequent exfiltration.
Protection Recommendations: Directly countering this technique can be difficult, since it requires detailed control over the use of the API. Detecting malicious activity can also be difficult due to the variety of API functions.
Depending on the purpose of the system being attacked, data on the use of the API can be completely useless or, on the contrary, provide context for detecting other malicious activity occurring in the system. An indicator of adversary activity can be an unknown or unusual process accessing the APIs associated with devices or software that interact with a microphone, recording devices or recording programs, or a process that periodically writes files containing audio data to disk.
Automated Collection
System: Windows, Linux, macOS
Rights: User
Description: An attacker can use automated data collection tools, such as scripts, to search for and copy information that meets certain criteria: file type, location, name, time intervals. This functionality can also be integrated into remote access utilities. When automating data collection in order to identify and move files, the techniques File and Directory Discovery and Remote File Copy can additionally be applied.
Protection Recommendations: Encrypting confidential information and storing it outside the system is one way of counteracting the collection of files; however, if the intrusion lasts a long time, the adversary can detect and gain access to data in other ways. For example, a keylogger installed in the system, by intercepting input, is able to collect the passwords used to decrypt protected documents. To prevent offline brute-force attacks on encrypted documents, strong passwords must be used.
Clipboard Data
System: Windows, Linux, macOS
Description: Adversaries can collect data stored in the Windows clipboard while users copy information within or between applications.
Windows
Applications can access the clipboard data using the Windows API.
MacOS
OSX has the built-in pbpaste command to capture clipboard contents.
Protection Recommendations: Do not block software solely on the basis of behavior associated with capturing the contents of the clipboard, because access to the clipboard is a standard feature of many Windows applications. If the organization decides to track this behavior of applications, then the monitoring data should be correlated with other suspicious or non-user actions.
Data Staged
System: Windows, Linux, macOS
Description: Before exfiltration, the collected data is usually placed in a specific directory. Data can be stored in separate files or combined into a single file using compression or encryption. Interactive command shells can be used for this; the functionality of cmd and bash can be used to copy data to an intermediate location.
Data from Information Repositories
System: Windows, Linux, macOS
Rights: User
Description: Adversaries can extract valuable information from information storages: tools that allow information to be stored, usually to optimize collaboration or data exchange between users. Information storages can contain a huge range of data that can help attackers achieve other goals or provide access to targeted information.
The following is a short list of information that can be found in information repositories and of potential value to an attacker:
- Policies, Procedures, and Standards;
- Schemes of physical / logical networks;
- Schemes of system architecture;
- Technical system documentation;
- Credentials for testing / development;
- Work / project plans;
- Snippets of source code;
- Links to network directories and other internal resources.
Common information storages:
Microsoft SharePoint
It is located in many corporate networks and is often used to store and exchange a significant amount of documentation.
Atlassian Confluence
Often found in development environments along with Atlassian JIRA. Confluence is typically used to store development-related documentation.
Protection recommendations: Recommended measures to prevent data collection from information repositories:
- Development and publication of policies defining acceptable information to be recorded in the information store;
- Implementation of access control mechanisms, which include both authentication and corresponding authorization;
- Ensuring the principle of least privilege;
- Periodic review of account privileges;
- Preventing access through compromised Valid Accounts that can be used to reach information repositories.
Since information repositories usually have a fairly large user base, detecting their malicious use can be a non-trivial task. At a minimum, access to information storages by privileged users (for example, Domain, Enterprise or Schema Admins) should be carefully monitored and prevented, since these types of accounts should not be used to access data in storages. If monitoring and alerting are possible, then users who retrieve and view a large number of documents and pages should be tracked. This behavior may indicate the operation of software that retrieves data from the storage.
Microsoft SharePoint can be configured to log user access to specific pages and documents. In Atlassian Confluence, similar logging can be configured through AccessLogFilter. More efficient detection will probably require additional infrastructure for storing and analyzing logs.
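The two detection ideas above (privileged accounts touching the repository, and one account pulling an unusually large number of distinct documents in a short window) can be run over the repository's access log. The script below is an added example, not part of the original article and not SharePoint's or Confluence's own tooling: it works on constructed log lines in a simplified "timestamp user action resource" layout, and the account names, the list of privileged accounts, the window and the threshold are all assumptions that would be replaced with the real audit log format and the organization's own values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list of accounts that should never read repository content
# (the text's Domain/Enterprise/Schema Admin case). Placeholder names.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jsmith", "CORP\\schema-admin"}

# Simplified line layout: "<ISO timestamp> <user> <action> <resource>".
# A real SharePoint audit export or Confluence AccessLogFilter line differs;
# only this regex would need to change.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "action": m["action"],
        "resource": m["resource"],
    }


def find_anomalies(lines, window=timedelta(minutes=10), threshold=20,
                   privileged=PRIVILEGED_ACCOUNTS):
    """Return a list of (user, reason) alerts.

    Rule 1: any access by a privileged account is reported.
    Rule 2: a user who touches `threshold` or more distinct resources within
            any sliding `window` is reported once (bulk retrieval pattern).
    """
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in privileged:
            alerts.append((e["user"], f"privileged account accessed {e['resource']}"))
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            window_start = e["ts"] - window
            distinct = {x["resource"] for x in evs[:i + 1] if x["ts"] >= window_start}
            if len(distinct) >= threshold:
                alerts.append((user, f"{len(distinct)} distinct resources within {window}"))
                break
    return alerts


def build_sample_log():
    """Constructed sample: two normal users, one privileged read, one bulk reader."""
    lines = [
        "2024-03-01T09:00:01Z CORP\\alice ViewDocument /sites/eng/Specs/design-v1.docx",
        "2024-03-01T09:02:11Z CORP\\alice ViewDocument /sites/eng/Specs/design-v2.docx",
        "2024-03-01T09:03:40Z CORP\\bob ViewPage /wiki/Onboarding",
        "2024-03-01T09:10:00Z CORP\\schema-admin ViewDocument /sites/hr/Payroll.xlsx",
    ]
    # One account viewing 25 different documents inside a single minute.
    for i in range(25):
        lines.append(
            f"2024-03-01T09:20:{i:02d}Z CORP\\mallory ViewDocument /sites/eng/Specs/doc-{i}.docx"
        )
    return lines


if __name__ == "__main__":
    for user, reason in find_anomalies(build_sample_log()):
        print(f"ALERT {user}: {reason}")
```

The threshold and window have to be tuned per repository: a documentation crawler or a search indexer legitimately reads thousands of pages, so such service accounts belong on an allow list rather than in the alert stream, while the privileged-account rule should stay unconditional.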
Data from Local System
System: Windows, Linux, macOS
Description: Confidential data can be obtained from local system sources, such as the file system or database, for the purpose of further exfiltration.
Attackers often look for files on the computers they have compromised. They can do this using the command line interface (cmd). Methods of automating the data collection process can also be used.
Data from Network Shared Drive
System: Windows, Linux, macOS
Description: Sensitive data can be collected from remote systems that have public network drives (local network folder or file server) accessible to the adversary.
In order to detect target files, an attacker can search for network resources on computers that have been compromised. To collect information, both interactive command shells and common command line functions can be used.
Data from Removable Media
System: Windows, Linux, macOS
Description: Sensitive data can be collected from any removable media (optical disk, USB drive, etc.) connected to a compromised system.
In order to detect target files, an attacker can search for removable media on compromised computers. To collect information, both interactive command shells and common command line functions, as well as automation tools for data collection, can be used.
Email Collection
System: Windows
Description: In order to collect confidential information, attackers can use user e-mail accounts. Data contained in e-mail can be obtained from Outlook data files (.pst) or cache files (.ost). Having user credentials, an adversary can interact with the Exchange server directly or gain access to an external e-mail web interface, such as Outlook Web Access.
Protection Recommendations: Using encryption provides an additional layer of protection for confidential information transmitted by e-mail. Using asymmetric encryption will require the adversary to obtain the private certificate with its encryption key. The use of two-factor authentication in public web mail systems is the best practice to minimize the possibility of an attacker using someone else's credentials.
There are several ways an attacker can obtain targeted email, each of which has its own detection mechanism. Indicators of malicious activity can be: access to local system email data files for subsequent exfiltration, unusual processes that connect to an email server on the network, as well as atypical access patterns and authentication attempts on public email web servers. Track processes and command line arguments that can be used to collect email data files. Remote access tools can interact directly with the Windows API. Data can also be retrieved using various Windows management tools, such as WMI or PowerShell.
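The indicator named above for e-mail collection, processes and command line arguments that touch Outlook data files, overlaps with the Data Staged technique described earlier: the same command line usually also names the intermediate directory or the archive the data is being packed into. The script below is an added example and not code from the article or from any vendor: it classifies constructed process-creation events in a simplified Sysmon-like shape (image, user, command line), and the file paths, staging directories and archiving keywords are assumptions to be replaced with an organization's own telemetry fields and baselines.

```python
import re

# Outlook data files named in the text.
MAIL_FILE_RE = re.compile(r"\.(pst|ost)\b", re.IGNORECASE)
# Constructed list of directories commonly used as a staging area before exfiltration.
STAGING_DIRS = (r"c:\users\public", r"c:\windows\temp", r"c:\programdata")
# Archiving/compression tools or cmdlets; matched as whole words in the command line.
ARCHIVE_RE = re.compile(r"\b(compress-archive|7z|rar|zip|makecab|tar)\b", re.IGNORECASE)
# Processes that are expected to open .pst/.ost files as part of normal work.
EXPECTED_MAIL_CLIENTS = ("outlook.exe",)

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "user": "CORP\\alice",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "user": "CORP\\alice",
     "cmdline": r'cmd.exe /c copy "C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.local.ost" C:\Users\Public\staging'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": "CORP\\alice",
     "cmdline": r'powershell.exe -nop -c "Get-ChildItem C:\Users -Recurse -Include *.pst | Compress-Archive -DestinationPath C:\Windows\Temp\m.zip"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "user": "CORP\\bob",
     "cmdline": "notepad.exe notes.txt"},
]


def classify_event(ev):
    """Return the list of reasons this process event resembles e-mail collection or staging.

    An empty list means the event looks benign under these rules.
    """
    reasons = []
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].lower()

    # Rule 1: something other than the mail client references a .pst/.ost file.
    if MAIL_FILE_RE.search(cmd) and image_name not in EXPECTED_MAIL_CLIENTS:
        reasons.append(f"{image_name} references an Outlook data file")
    # Rule 2: the command line names a well-known staging directory (Data Staged).
    if any(d in cmd for d in STAGING_DIRS):
        reasons.append("references a common staging directory")
    # Rule 3: the command line invokes an archiving tool (data combined into archives).
    if ARCHIVE_RE.search(cmd):
        reasons.append("archives data")
    return reasons


def scan(events):
    """Return (user, image, reasons) for every event that triggered at least one rule."""
    findings = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            findings.append((ev["user"], ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for user, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{user} {image}: {'; '.join(reasons)}")
```

Rule 1 on its own still fires on backup agents and migration tools, so in practice those images go into EXPECTED_MAIL_CLIENTS (or a per-host baseline), and an event that matches two or three rules at once is the one worth an analyst's time; a single match is better treated as context to correlate with the other indicators listed in the text, such as unusual connections to the mail server.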
Input Capture
System: Windows, Linux, macOS
Rights: Administrator, System
Description: Attackers can use means of capturing user input in order to obtain the credentials of existing accounts. Keylogging is the most common type of user input capture and includes many different methods of intercepting keystrokes, but there are other methods for obtaining target information, such as triggering a UAC prompt or writing a wrapper around the default credential provider (Windows Credential Providers). Keylogging is the most common way to steal credentials when credential dumping techniques are ineffective and the attacker is forced to remain passive for a certain period of time.
In order to collect user credentials, an attacker can also install a software keylogger on external corporate portals, for example, on the VPN login page. This is possible after the portal or service has been compromised through legitimate administrative access, which in turn could have been arranged to provide backup access at the initial access and persistence stages.
Protection recommendations: Ensure the detection and blocking of potentially dangerous and malicious software using tools like AppLocker or software restriction policies. Take measures to reduce the damage if an attacker obtains credentials. Follow Microsoft's best practices for designing and administering a corporate network.
Keyloggers can modify the registry and install drivers. Commonly used API functions are SetWindowsHook, GetKeyState and GetAsyncKeyState. Calls to these API functions alone cannot be indicators of keylogging, but in conjunction with an analysis of registry changes, detection of driver installation and the appearance of new files on disk they can indicate malicious activity. Track the appearance of custom Credential Providers in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
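Tracking that key in practice means keeping a baseline of the registered provider CLSIDs and alerting on anything that appears, disappears or changes. The script below is an added example, not part of the article and not a Microsoft tool: the diff logic runs anywhere on two constructed snapshots (the CLSIDs and provider names in them are placeholders), while the live read uses the standard winreg module and only runs on a Windows host.

```python
import sys

# Registry path from the text, relative to HKEY_LOCAL_MACHINE.
CRED_PROVIDERS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"

# Constructed baseline snapshot {CLSID: default value (provider display name)}.
# These CLSIDs are placeholders, not the real Microsoft provider identifiers.
BASELINE = {
    "{00000000-0000-0000-0000-000000000001}": "PasswordProvider",
    "{00000000-0000-0000-0000-000000000002}": "SmartcardCredentialProvider",
}

# Constructed "current" snapshot: one placeholder provider has been added.
CURRENT = dict(BASELINE)
CURRENT["{ABCDEF01-2345-6789-ABCD-EF0123456789}"] = "Helpdesk Password Sync"


def read_live_snapshot():
    """Read {CLSID: default value} from the Credential Providers key on Windows.

    Returns None on non-Windows hosts; the constructed snapshots above stand in
    for it there. winreg.QueryValue reads a subkey's unnamed (default) value.
    """
    if sys.platform != "win32":
        return None
    import winreg
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CRED_PROVIDERS_KEY) as key:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, index)
            except OSError:  # no more subkeys
                break
            try:
                name = winreg.QueryValue(key, clsid)
            except OSError:
                name = ""
            snapshot[clsid] = name
            index += 1
    return snapshot


def diff_providers(baseline, current):
    """Compare two snapshots; every non-empty bucket is worth an alert."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    changed = {k: (baseline[k], current[k])
               for k in baseline if k in current and baseline[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}


def has_changes(diff):
    """True if any bucket of a diff_providers() result is non-empty."""
    return any(diff.values())


if __name__ == "__main__":
    live = read_live_snapshot()
    current = live if live is not None else CURRENT
    result = diff_providers(BASELINE, current)
    for bucket, entries in result.items():
        for clsid, value in entries.items():
            print(f"{bucket}: {clsid} -> {value}")
```

A new CLSID here is only the first half of the picture: the DLL that implements it is registered under HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32, so the investigation of an alert continues with that path, its signature and its creation time on disk, which is exactly the "new files on disk" correlation the text calls for.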
Man in the Browser (MitB, Browser Pivoting)
System: Windows
Rights: Administrator, System
Description: In the various MitB attack methods, an adversary, exploiting vulnerabilities in the victim's browser, can use a malicious program to modify web content: for example, add input fields to a page, modify user input, or intercept information. A specific example is an attacker injecting software into the browser that allows cookies, HTTP sessions and client SSL certificates to be inherited, and using the browser as a way to authenticate and pivot into the intranet.
The attack requires the SeDebugPrivilege privilege and a high-integrity process (see Understanding Protected Mode). By setting up an HTTP proxy, HTTP and HTTPS traffic is redirected from the attacker's browser through the user's browser. At the same time, the user's own traffic does not change, and the proxy connection is dropped as soon as the browser closes. Among other things, this allows the adversary to browse web pages as the attacked user.
Typically, for each new tab, the browser creates a new process with separate permissions and certificates. Using these permissions, an adversary can go to any resource on the intranet that is accessible through the browser with the existing rights, such as SharePoint or webmail. Browser pivoting also bypasses two-factor authentication protection.
Protection recommendations: It is recommended that the protection effort be aimed at restricting user permissions and preventing privilege escalation and UAC bypass. Close all browser sessions regularly and when they are no longer needed. MitB detection is extremely difficult, as adversary traffic is disguised as normal user traffic, no new processes are created, no additional software is used, and the local drive of the attacked host is not affected. Authentication logs can be used to audit user logins to specific web applications; however, identifying malicious activity among them can be difficult, because the activity will correspond to normal user behavior.
Screen Capture
System: Windows, Linux, macOS
Description: During the collection of information, adversaries may try to take screenshots of the desktop. The corresponding functionality can be included in the remote access tools used after compromise.
Mac
OSX uses the built-in screencapture command to capture screenshots.
Linux
Linux has the xwd command.
Protection recommendations: As a detection method, it is recommended to monitor processes that use the API to take screenshots and then write files to disk. However, depending on the legitimacy of such behavior in a particular system, an additional correlation of the data being collected with other events in the system will most likely be required to detect malicious activity.
Video Capture
System: Windows, macOS
Description: An adversary can use computer peripherals (for example, built-in cameras and webcams) or applications (for example, video calling services) to capture video or image. Video capture, unlike screen capture methods, involves using devices and applications to record video, rather than capturing images from the victim’s screen. Instead of video files, images may be captured at certain intervals.
Malicious software or scripts can be used to interact with devices through the API provided by the operating system or application to capture video or images. Collected files can be written to disk and exfiltrated later.
Several malicious programs for macOS are known, for example Proton and FruitFly, that can record video from a user's webcam.
Protection recommendations: Directly countering this technique can be difficult because it requires detailed API control. Protection efforts should be aimed at preventing unwanted or unknown code from running in the system.
Identify and block potentially dangerous and malicious software that can be used to record sound using AppLocker and Software Restriction Policies.
Detecting malicious activity can also be difficult due to the variety of APIs. Depending on how the system being attacked is used, telemetry data regarding the API may be useless or, on the contrary, provide context for other malicious activity occurring in the system. An indicator of adversary activity can be an unknown or unusual process accessing the APIs associated with devices or software that interact with a microphone, recording devices or recording programs, or a process that periodically writes files containing audio data to disk.