Tales from the Trenches: Host EnumerationBy: Counter Threat Unit Research Team
Once inside a network, threat actors need to find what they are looking for.
The search typically involves enumerating hosts within the network to find available hosts and determine their purpose. Host enumeration can be achieved in many ways, with the threat actors using their tools or possibly using tools that are already on the compromised systems. Regardless of method, there will be visible signs either on the host they are enumerating from (typically their initial vector into the network) or in the network traffic.
Endpoint detection and response technologies like Red Cloak give network defenders the visibility to detect host enumeration activities. SecureWorks® Counter Threat Unit™ (CTU) researchers use Red Cloak to monitor both tool execution on the host and network flow traffic to and from a host.
Example 1 – NetBIOS scanning
Red Cloak captured information about a process named "sharescan.exe" scanning the network (see Figure 1). Inspection of the file information revealed it was a tool to scan for the NetBIOS Name Service running on other computers to enumerate information such as hostname and domain for a host. The placement of this tool in the RECYCLER directory suggests that it was brought into the environment by the adversary, who used the output to decide which host to move to next to get closer to their actions on objective.
Figure 1. Red Cloak output displaying scanning of the NetBIOS Name Service. (Source: SecureWorks)
Example 2 – Ping sweep with further enumeration
In Figure 2, Red Cloak captured a ping sweep occurring on a host.
Figure 2. A ping sweep conducted from the command line. (Source: SecureWorks)
The ping sweep allows the threat actor to check which hosts in the network are available for further probing. In this example, the threat actor did not scan sequentially, so it is likely they used other information to identify potential hosts. Using Red Cloak’s ability to examine the parent process for these ping commands (see Figure 3), CTU™ researchers discovered that the threat actor launched a command prompt and used built-in Windows commands to enumerate hosts on the network. They used the "net view" command to see the shares from other hosts in the network and "arp -a" to view the Address Resolution Protocol (ARP) Cache to determine which other hosts this system previously talked to on the network.
Figure 3. Investigating the pings’ parent process shows more enumeration. (Source: SecureWorks)
The threat actors used the ping command on the hosts from the ARP Cache to verify the availability of certain hosts. Armed with this information, they continued scanning the network and working toward their final objective.
Example 3 – Custom tools for enumeration and host survey
In this final example, a threat actor first used a script to enumerate information about the initially compromised host. Figure 4 shows the tool collecting local information such as web history, Windows version, local users, and patch levels.
Figure 4. The threat actor used a script to survey a compromised host. (Source: SecureWorks)
After analyzing the local host, the threat actor then used a customized tool disguised as svchost.exe to enumerate other hosts in the network. Figure 5 displays the netflows showing the threat actor scanning hosts for a variety of common services (80/HTTP, 22/SSH, 443/HTTPS, 139/NetBIOS, 445/SMB, 3389/RDP).
Figure 5. Scanning activity does not reflect legitimate svchost behavior. (Source: SecureWorks)
Further investigation reveals the specific processes responsible for this network scanning activity (see Figure 6).
Figure 6. Abnormal svchost arguments. (Source: SecureWorks)
By looking at a specific instance of this process, CTU researchers discovered that it was running from the C:\.RECYCLER\ directory and that it was not the legitimate Windows svchost process (see Figure 7).
Figure 7. Detailed information on the svchost.exe process. (Source: SecureWorks)
Red Cloak provides additional details about this specific svchost.exe file, including the basic file metadata, VirusTotal information, the results of CTU researcher analysis, how common the file is, and where else it has been observed within the network. As shown in Figure 8, this file was marked as malicious due to being flagged by custom signatures. This information can be a starting point for steering incident response in the proper direction to find out more about the threat actor.
Figure 8. Detailed file information about the rogue svchost.exe. (Source: SecureWorks)
Threat actors can rarely enter a network via a host of interest; they typically need to enumerate the hosts on the network to find accessible systems. Endpoint security solutions like Red Cloak minimizes impact by detecting activities such as host enumeration to catch threat actors before they can achieve their actions on objective.