012. They Want to Know Everything About Your System!

Hello everyone! Today we'll look at the reconnaissance techniques leveraged by Secret Blizzard (also known as Turla), as described in the report by Microsoft Threat Intelligence.

In this campaign Secret Blizzard used the Amadey bot to download its own backdoors to specifically selected target devices associated with the Ukrainian military.

So, one of the batch scripts leveraged by the adversary invoked lots of reconnaissance commands. Let's look at each of them:

  • ver - to collect information about OS version;
  • systeminfo - to collect compromised system information;
  • ipconfig /all - to collect the full TCP/IP configuration for all adapters;
  • ipconfig /displaydns - to collect the contents of the DNS client resolver cache;
  • route print - to collect the entries in the local IP routing table;
  • arp -a - to collect information on current ARP cache tables for all interfaces;
  • netstat -a -n - to collect information on active network connections;
  • net share - to collect information on available network shares;
  • net user - to collect information about users;
  • whoami /all - to collect information on current user;
  • wmic useraccount get name,sid - to collect information on the user name and SID;
  • net localgroup - to collect information on local groups;
  • net accounts - to collect information on the Account Lockout policy and Password Policy;
  • net config - to collect information on the configuration of the server and workstation services;
  • net time \\127.0.0.1 - to collect information on the system's time;
  • set - to collect information on environment variables;
  • netsh firewall show portopening - to collect information on opened ports;
  • netsh firewall show allowedprogram - to collect information on firewall allowed program configuration;
  • netsh firewall show config - to collect information on firewall configuration;
  • tasklist /v - to collect task information;
  • tasklist /svc - to collect the service information;
  • echo . | powershell get-hotfix - to collect update information;
  • reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /s - to collect information on system policies;
  • reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA - to collect information on UAC configuration;
  • collects information on the contents of various folders:
    • dir /x c:\
    • dir /x c:\users
    • dir %tmp%
    • dir "c:\program files (x86)" /x
    • dir "c:\program files" /x
    • tree "%UserProfile%\Desktop" /A
    • tree "%UserProfile%\Documents" /A
    • tree "%UserProfile%\Downloads" /A
    • dir /x "c:\windows\microsoft.net\framework"
  • collects autorun information:
    • reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    • reg query HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Not bad, right? Do you have detections or hunts for each of them? Share your experience in the comments section!

See you tomorrow!
