MITRE Discovery — CMD Commands for Endpoint & Domain Reconnaissance — Part 1

Jonathan David
Published in InfoSec Write-ups
8 min read · Jul 12, 2023


Introduction

This is part one of a two-part series on using LOLBAS, or more specifically, natively shipped CMD commands, to conduct endpoint and domain reconnaissance in a Windows environment within an organization.

Both articles in this series contain the section “MITRE Discovery and LOLBAS”, which covers:

  • MITRE Discovery
  • LOLBAS
  • Implications of the Mixture
  • How Organizations Cope with MITRE Discovery

Abstract

Part one of this series will cover the following three CMD executables:

  • Net
  • Tasklist
  • Route

For each of the commands mentioned above, we’ll dive deep and immerse ourselves into their —

Technological Value:

  • Brief introduction to the CMD command
  • Use case example to drive the concept home

Cyber Association:

  • How these commands are LOLBAS when used in cyber mode
  • Concrete examples supplemented with MITRE techniques

Finally, we’re going to cover remediations for these natively shipped LOLBAS tools, from both the technological and the conceptual perspective.

MITRE Discovery and LOLBAS

MITRE Discovery

Discovery is known to be the most difficult MITRE Tactic to mitigate and remediate. This is because in Windows enterprise environments, legitimate LOTL (Living Off The Land) binaries and executables, or LOLBAS, are as ubiquitous as they are stealthy.

LOLBAS

LOLBAS are among the top technological threats in the cyber universe because they are incredibly effective and difficult to detect — read my article on it to get a healthy refresher.

Implications of the Mixture

For MITRE Discovery, this means a whole world of elusiveness. LOTL binaries used for MITRE Discovery are often treated passively from the SOC’s defensive point of view. This is because Security Operation Centers will usually want SIEM alerts or EDR rules for actions that are deliberately disturbing to the cyber fabric, rather than for benign-looking Windows queries that may or may not indicate a MITRE Discovery technique in effect.

How Organizations Cope with MITRE Discovery

Large organizations that run a cloud-hybrid setup with a heavy web presence have many integrations with innumerable defense systems, which adds up to a storm of potential alerts — and believe me, potentially harmless LOLBAS discovery commands wouldn’t make the list of rule triggers in these organizations.

Smaller organizations for the most part have catching up to do on more pressing alerts/rules, since they have a smaller information security budget to work with — and once again MITRE Discovery LOLBAS is far off the radar for alert/trigger urgency.

Let’s get into Part 1!

Technological Value


I like to think of the cyber world as a derivative subject — it takes existing technologies and gives them an entirely new frame of application and meaning. This being the case, what were the original meanings? What are the technological integrals of our cyber derivatives?

Net

About

The net command, just like its name implies, has to do with everything network related in a domain. For system administrators, it’s quite the Swiss Army knife. With the right permissions, it grants your IT wishes over network configurations, user accounts, domain controllers, and more.

Use Case:

Consider Dylan, a system admin running IT for an organization with a large Active Directory. A new division is being created at the firm and he’s tasked with creating user profiles for 35 employees. Using net, he creates the users, adds them to relevant groups for GPO policy inheritance, and sets their properties.

Route

About

The route command is used for managing the network routing table in Windows. It allows users to view, add, modify, and delete routing entries to control how network traffic is directed. This makes it perfect for setting static routes, or troubleshooting connectivity problems.

Use Case:

Imagine John, a network administrator in a rapidly growing organization that needs interconnectivity between the networks of its locations. John configures the network routing to ensure seamless communication between these locations. He modifies routing entries to direct network traffic along the optimal paths.

Tasklist

About

The tasklist command lets you see all running processes on a Windows endpoint. It gives a clean view of process IDs, memory usage and CPU utilization, among other things. This ability enables administrators to troubleshoot annoying processes, or identify resource-heavy tasks.

Use Case:

Consider Eddie, who works in IT. He gets a call about a sluggish computer. He runs tasklist to see which processes are running and which are draining the most resources — he terminates an application consuming too much CPU and the caller’s PC is back to normal.

Cyber Association


CMD executables like net, tasklist and route, as you may have guessed, don’t just give nice toolsets to IT folk — they are the building blocks of LOLBAS executions. We’re going to explore how each of these commands plays its role in building an offensive security map, from the services running on the localhost, to seeing network configurations, all the way up to user enumeration — with just these three CMD commands.

Tasklist

Cyber Mode

Any offensive security expert will want to see the running processes of the host identified as the target. In fact, this is documented in MITRE Discovery as the System Information technique (T1082). By entering tasklist /svc, you can see all services running on the local host.

Cyber Example

If an attacker gained a foothold on a machine in an organization, they’d want to see what defense systems are running in the background to be accurate in their offense — these systems are usually agents running as services. By entering tasklist /svc, imagine an attacker seeing:

Crowdstrike — Endpoint Detection and Response
Avecto Defendpoint — Privilege Management and Application Control

They’d automatically know they’re in an environment with behavioral EDR modules against malware, courtesy of CrowdStrike, and privilege management/application control against privilege escalation attempts via Avecto Defendpoint.

Route

Cyber Mode

Networks within domains need routing tables. Well, you’ve got a full administrative routing tool shipped with Windows in the CMD, in the form of route. If you know how to use it, you can add, change and even delete entries in the routing table, completely influencing the traffic flow within the organization — see where this is going? This ability led to the creation of some mighty MITRE techniques. Namely, Network Route Discovery (T1047) and Network Service Scanning (T1046).

Cyber Example

Say the same attacker who knows which services and defense systems are running on the local host (and probably the rest of the organization), decides to raise the bar with some networking data like network destination, subnet mask, gateway, and interface information to perform MITRE Network Route Discovery (T1047). All that’s needed is route print:

Route Print

Net

Cyber Mode

Network enumeration is key in offensive security and the net command bestows that power. With net, domain enumeration has never been simpler in that you can query the domain controller for domain users, groups, forest trusts and even individual PC’s for network shares — easily fulfilling MITRE Account Discovery (T1087).

Cyber Example

Our same attacker currently has an idea of the running services, defense systems and routing configurations. The last reconnaissance effort needed to move up the cyber kill chain is domain enumeration. Well, using net, our attacker levels up by exporting all users and groups within the domain to a text file saved in the current user session’s TEMP folder, to then exfiltrate outwards via email. All that’s needed is:

net user /domain > %temp%\users.txt

net group /domain > %temp%\groups.txt

And all domain users and groups will be available in two .txt files at your disposal, conveniently located at %TEMP%, or the environment path variable for your current user session’s Temp folder.

Remediations


Ubiquity doesn’t only grant offensive cyber its charms — sometimes the blue team world is no less furnished with opportunities. Sometimes, these opportunities can be checkmates. If technological remediations represent the chess game elaborately played between capable players, then a conceptual remediation would represent the checkmate in four moves, or the “Scholar’s Mate”.

Technological Remediation

Compliance forces organizations to do regular security testing. This is good, because it forces the information security divisions in these organizations to level up in their cyber craft. Penetration testing and cyber security consulting are the fields that bring vulnerabilities to the surface — in fact, I was responsible for pushing forth remediations on these LOLBAS executables in an organization I consult for. Regular security testing, especially from the offensive angle, can enlighten blue teams on potential SIEM rules or EDR IOCs to implement.

Employ behavioral analysis — this usually comes shipped with EDRs like CrowdStrike or Microsoft Defender for Endpoint. Attack vectors are quite anomalous when reflected as command executions and process trees. This anomalous behavior is exactly what the trigger rules in these behavioral EDR modules look for.
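To make the behavioral angle concrete, here is an added example (my own illustration, not the author’s tooling or any EDR product’s rule) that flags the chain of tasklist /svc, route print and net user/group /domain when all three run from the same parent process within a few minutes, while a lone helpdesk tasklist stays silent. The event fields and sample records are constructed and loosely follow Sysmon Event ID 1 / Security 4688 process-creation data.

```python
# Added example (not the author's tooling): flag a chain of LOLBAS discovery
# commands launched from one parent process within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# The article's three commands, keyed by executable, with the argument fragments
# that turn them into discovery commands.
DISCOVERY_PATTERNS = {
    "tasklist": ("/svc",),                     # running services
    "route": ("print",),                       # routing table
    "net": ("user /domain", "group /domain"),  # domain users / groups
}

def classify(cmdline):
    """Return the executable name if cmdline is a discovery command, else None."""
    parts = cmdline.lower().split(None, 1)
    if len(parts) < 2:
        return None
    exe = parts[0].rsplit("\\", 1)[-1].removesuffix(".exe")  # drop path and .exe
    return exe if any(f in parts[1] for f in DISCOVERY_PATTERNS.get(exe, ())) else None

def find_discovery_chains(events, window=timedelta(minutes=5), threshold=3):
    """Alert when >= threshold distinct discovery commands share a host and parent PID within window."""
    chains = defaultdict(list)
    for ev in events:
        category = classify(ev["cmdline"])
        if category:
            chains[(ev["host"], ev["parent_pid"])].append((ev["ts"], category, ev["cmdline"]))
    alerts = []
    for (host, ppid), hits in chains.items():
        hits.sort()  # chronological
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            categories = {h[1] for h in in_window}
            if len(categories) >= threshold:
                alerts.append({"host": host, "parent_pid": ppid, "categories": sorted(categories),
                               "commands": [h[2] for h in in_window]})
                break  # one alert per parent process
    return alerts

# Constructed sample events: one benign helpdesk tasklist, then a discovery chain
# from a single cmd.exe parent (PID 8804) on another host.
SAMPLE_EVENTS = [
    {"host": "WS-042", "parent_pid": 5120, "ts": datetime(2023, 7, 12, 9, 0, 10), "cmdline": "tasklist /svc"},
    {"host": "WS-117", "parent_pid": 8804, "ts": datetime(2023, 7, 12, 13, 2, 0), "cmdline": "tasklist.exe /svc"},
    {"host": "WS-117", "parent_pid": 8804, "ts": datetime(2023, 7, 12, 13, 3, 30), "cmdline": "ROUTE print"},
    {"host": "WS-117", "parent_pid": 8804, "ts": datetime(2023, 7, 12, 13, 4, 15), "cmdline": "net user /domain"},
    {"host": "WS-117", "parent_pid": 8804, "ts": datetime(2023, 7, 12, 13, 4, 40), "cmdline": "net group /domain"},
]
```

Running find_discovery_chains(SAMPLE_EVENTS) yields one alert for WS-117 listing all four commands, and nothing for WS-042; the window, threshold and parent-PID grouping are the knobs to tune against your own helpdesk noise.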

Conceptual Remediation

The conceptual remediation is the simple solution that saves all complexity thereafter — it is to be safe by design. Did you guess it? Only allow users who work in IT roles to use these commands — all other users get blocked from access. Why is this conceptual? Simple. It takes security and implements it in the design. This is why cloud architecture is much safer than traditional on-prem. RBAC (Role-Based Access Control) lets cloud users see only the resources they have access to — so much for domain enumeration. In this case, the same can be said about GPO for on-prem. By limiting access to crucial elements according to the principle of least privilege and zero trust, you automatically create a safe-by-design environment before you even have to deal with the threats. This is best practice — hands down.

Conclusion

The efficiency of LOLBAS executables coupled with the inherent difficulties in mitigating MITRE Discovery provide fantastic solutions for endpoint and domain reconnaissance. This was demonstrated first hand with CMD executables net, tasklist and route.

Stay tuned for part 2!


Cyber Security Consultant at White-Hat. My goal is to educate, inform and entertain as I write about my journeys in the tech and cyber space.