# T1210 Exploitation of Remote Services

-----------------------------------------------------------------------

## Technique Description

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)

Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.

## Technique Detection

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of [Discovery](https://attack.mitre.org/tactics/TA0007), or other unusual network traffic that may indicate additional tools transferred to the system.

-----------------------------------------------------------------------

### Tactics:

  *   Lateral-Movement

### Platforms:

  * Linux

  * Windows

  * macOS

### Adversary Required Permissions:

  * User

### System Requirements:

  * Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network.

### Data Sources:

  * **Application Log:** Application Log Content

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used EternalBlue exploits for lateral movement.(Citation: TrendMicro Tonto Team October 2020)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has exploited known vulnerabilities in remote services including RDP.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: ClearSky Pay2Kitten December 2020)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.(Citation: CrowdStrike Carbon Spider August 2021)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472).(Citation: Symantec Cicada November 2020)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.(Citation: CISA AA20-296A Berserk Bear December 2020)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has exploited MS17-010 to move laterally to other systems on the network.(Citation: Unit42 Emissary Panda May 2019)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017)(Citation: MS17-010 March 2017)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1210)

  * [Cis Multiple Smb Vulnerabilities](https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/), CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.

  * [Nvd Cve-2017-0176](https://nvd.nist.gov/vuln/detail/CVE-2017-0176), National Vulnerability Database. (2017, June 22). CVE-2017-0176 Detail. Retrieved April 3, 2018.

  * [Nvd Cve-2016-6662](https://nvd.nist.gov/vuln/detail/CVE-2016-6662), National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.

  * [Nvd Cve-2014-7169](https://nvd.nist.gov/vuln/detail/CVE-2014-7169), National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 28 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Servando Quinones

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- APT28 may exploit remote services to move laterally through a network (SMB, NFS, web servers, DNS, MySQL, RDP, etc.).

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 |  | 1, 2|

## Detection Blindspots

- Use of intel will allow for better hunting of this TTP. Ask for information relating to the mission partner.
- Encryption use over SMB may make detecting this TTP difficult. Correlate with host logs to assist in identifying suspicious network connections.

## Analytical References

  * [Report APT28](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf)
  * [APT28 Target Hospitality Sector](https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html)
  * [MS17-010](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010)
  * [Zeek Bzar](https://github.com/mitre-attack/bzar)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Use SMB logs and Kibana filters to detect initial lateral movement. These filters should have few false positives, and some may not return any results if you weren’t capturing during lateral “infection.” They may also capture legitimate admin traffic, especially if you’ve been pulling files off of a suspected box.


#### Analytic 1

  * **Information:** Files created with the naming scheme “double underscore followed by a Unix epoch timestamp with two decimal places” (__1541695775.37)

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```name.keyword: /__[1][5][0-9]{8}[\.][0-9]{2}/```

#### Analytic 2

  * **Information:** Files created under /Temp directory with naming scheme “8 random letters.tmp” (GnwAtUdx.tmp)

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```name.keyword: /Temp\\[A-Za-z0-9]{8}[\.]tmp/```

#### Analytic 3

  * **Information:** Files being created directly in the c:\Windows\ directory (the expression looks for names 1-12 characters long, with or without a three-letter extension; it will also catch a directory listing)

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```name.keyword: /[Ww][Ii][Nn][Dd][Oo][Ww][Ss]\\?[a-zA-Z0-9]{1,12}?[\.]?[a-zA-Z]{3}?/```

#### Analytic 4

  * **Information:** Connecting to ADMIN$ and C$ share using IP address instead of Hostname.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** Filter for ADMIN$ and C$

  * **Query:** ```path.keyword: /\\\\[0-9]{1,3}[\.][0-9]{1,3}[\.][0-9]{1,3}[\.][0-9]{1,3}\\[Aa][Dd][Mm][Ii][Nn]\$/```
  * **Query:** ```path.keyword: /\\\\[0-9]{1,3}[\.][0-9]{1,3}[\.][0-9]{1,3}[\.][0-9]{1,3}\\[cC]\$/```
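As an added example (not the playbook's own code), the four patterns from Host Analytics 1-4 translated into Python regular expressions and run over constructed Sysmon-style file and share records; the `host`/`target` field names and the sample paths are assumptions, not Sysmon's schema.

```python
import re

# Added example, not the playbook's own code: Host Analytics 1-4 rewritten as
# Python regexes and applied to constructed Sysmon-style file/share records.
# Kibana regex matches the whole field, so each pattern here is anchored at the
# end of the path and at a path separator where the playbook's pattern starts.
HOST_PATTERNS = {
    # Analytic 1: "__" + 10-digit epoch seconds (15xxxxxxxx) with two decimals
    "A1_epoch_name": re.compile(r"\\__15[0-9]{8}\.[0-9]{2}$"),
    # Analytic 2: eight alphanumerics + ".tmp" directly under a Temp directory
    "A2_temp_tmp": re.compile(r"\\Temp\\[A-Za-z0-9]{8}\.tmp$"),
    # Analytic 3: 1-12 character name, optional 3-letter extension, in Windows\
    "A3_windows_root": re.compile(r"\\Windows\\[A-Za-z0-9]{1,12}(\.[A-Za-z]{3})?$", re.I),
    # Analytic 4: ADMIN$ or C$ reached by IP address instead of hostname
    "A4_admin_share_by_ip": re.compile(r"^\\\\(\d{1,3}\.){3}\d{1,3}\\(ADMIN\$|C\$)", re.I),
}


def scan_events(events):
    """Return (host, analytic, target) for every record that matches a pattern."""
    hits = []
    for ev in events:
        for label, pattern in HOST_PATTERNS.items():
            if pattern.search(ev["target"]):
                hits.append((ev["host"], label, ev["target"]))
    return hits


# Constructed sample records (field names are assumed, not Sysmon's schema)
SAMPLE_EVENTS = [
    {"host": "WS01", "target": r"C:\Windows\Temp\__1541695775.37"},
    {"host": "WS01", "target": r"C:\Windows\Temp\GnwAtUdx.tmp"},
    {"host": "WS02", "target": r"C:\Windows\svchost.exe"},
    {"host": "WS02", "target": r"\\10.1.2.3\ADMIN$\x.exe"},
    {"host": "WS03", "target": r"\\FS01\C$\report.docx"},             # hostname, not IP
    {"host": "WS03", "target": r"C:\Users\alice\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for host, label, target in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {label} -> {target}")
```

The WS03 records show the two intended misses: a share reached by hostname and an ordinary user-profile write.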

#### Analytic 5

  * **Information:** RPC operations that appeared only during our lateral movement and nowhere else in our traffic.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:**
    - Seen only in our lateral movement traffic:
      - operation: `SchRpcGetLastRunInfo`
      - operation: `SchRpcRegisterTask`
      - operation: `SchRpcDelete`
    - Unique to DC’s and our Admin’s box:
      - operation: `ComplexPing`
    - RPC for enumeration; completely unique to bad enumeration in our traffic:
      - operation: `SamrRidToSid`

  * **Query:** Query here



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Identify SMB traffic across the network and isolate the systems and network shares being accessed. Pay close attention to the following share locations: `ADMIN$, C$, and IPC$`.
  - Correlate users and permissions with access to these shares, especially all admin accounts.
- Share and usernames may be case sensitive

### Deep Dive

| LSARPC (Local Security Authority Remote Procedure Call) | SAMR (Security Account Manager Remote Protocol) | SRVSVC (Server Service Remote Protocol) | WKSSVC (Workstation Service Remote Protocol) |
| ------ | ---- | ------ | ------ |
| LsarEnumerateAccounts | SamrEnumerateAliasesInDomain | NetrConnectionEnum | NetrWkstaUserEnum |
| LsarEnumerateAccountRights | SamrEnumerateDomainsInSamServer | NetrFileEnum | NetrWkstaTransportEnum |
| LsarEnumerateAccountsWithUserRight | SamrEnumerateGroupsInDomain | NetrRemoteTOD | NetrWkstaGetInfo |
| LsarEnumeratePrivileges | SamrEnumerateUsersInDomain | NetrServerAliasEnum | |
| LsarEnumeratePrivilegesAccount | SamrGetAliasMembership | NetrServerGetInfo | |
| LsarEnumerateTrustedDomainsEx | SamrGetGroupsForUser | NetrServerTransportEnum | |
| LsarGetSystemAccessAccount | SamrGetMembersInAlias | NetrSessionEnum | |
| LsarGetUserName | SamrGetMembersInGroup | NetrShareEnum | |
| LsarLookupNames | SamrGetUserDomainPasswordInformation | NetrShareGetInfo | |
| LsarLookupNames2 | SamrLookupDomainInSamServer | | |
| LsarLookupNames3 | SamrLookupIdsInDomain | | |
| LsarLookupNames4 | SamrLookupNamesInDomain | | |
| LsarLookupPrivilegeDisplayName | SamrQueryDisplayInformation | | |
| LsarLookupPrivilegeName | SamrQueryDisplayInformation2 | | |
| LsarQueryDomainInformationPolicy | SamrQueryDisplayInformation3 | | |
| LsarQueryInfoTrustedDomain | SamrQueryInformationAlias | | |
| LsarQueryInformationPolicy | SamrQueryInformationDomain | | |
| LsarQueryInformationPolicy2 | SamrQueryInformationDomain2 | | |
| LsarQueryTrustedDomainInfoByName | SamrQueryInformationGroup | | |
| LsarQueryTrustedDomainInfo | SamrQueryInformationUser | | |
| LsarLookupPrivilegeValue | SamrQueryInformationUser2 | | |
| LsarLookupSids | | | |
| LsarLookupSids2 | | | |
| LsarLookupSids3 | | | |

#### Analytic 1

  * **Information:** Identify network shares that are available across the network with possible connections originating from outside the network or internal host connecting to external shares.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** Identify the SMB shares `Admin$, C$, IPC$` accessed in connection with administrator accounts. The operator should also invert this query to identify non-administrator users accessing these shares. `IPC$` is not actually a share but exists to allow subsequent named pipe connections to the server. Review the [Zeek Bzar](https://github.com/mitre-attack/bzar) reference for analyzing DCE-RPC commands: it combines two or more simple indicators in SMB and DCE-RPC traffic to detect ATT&CK-like activity with a greater degree of confidence. See specifically section 3.1, SumStats Analytics for ATT&CK Lateral Movement and Execution.

  * **Query Arkime:** 
    * ```smb.share == EXISTS! || smb.share == [Admin$, C$, IPC$]```
    * ```protocols == smb && ip.src != [10/8, 172.16/12, 192.168/16]```
    * ```protocols == smb && ip.dst != [10/8, 172.16/12, 192.168/16]```
    * ```smb.user == [Admin*, admin*]```
    * ```smb.user != [Admin*, admin*] && smb.share == [Admin$, C$, IPC$]```
    * ```protocols == dcerpc && dcerpc.cmd == EXISTS!```
  * **Query Kibana:** 
    * ```smb.share: * OR smb.share: (Admin$ or C$ or IPC$)```
    * ```protocol: smb AND NOT srcIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)```
    * ```protocol: smb AND NOT dstIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ```
    * ```smb.user: (Admin* or admin*)```
    * ```protocol: dcerpc AND dcerpc.cmd: *```

#### Analytic 2

  * **Information:** Identify RDP connections that involve, internal host to internal host, internal host to external host, and external host to internal host.

  * **Source:** Network Traffic, PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** RDP connections initiated from outside the mission partner (MP) network should be investigated and deconflicted with the mission partner as to whether these connections are authorized.

  * **Query Arkime:** 
    * ```protocols == rdp && ip.src != [10/8, 172.16/12, 192.168/16]```
    * ```protocols == rdp && ip.src == [10/8, 172.16/12, 192.168/16] && ip.dst == [10/8, 172.16/12, 192.168/16]```
    * ```protocols == rdp && ip.src == [10/8, 172.16/12, 192.168/16] && ip.dst != [10/8, 172.16/12, 192.168/16]```
  * **Query Kibana:** 
    * ```protocol: rdp AND NOT srcIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)```
    * ```protocol: rdp AND srcIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) AND dstIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)```
    * ```protocol: rdp AND srcIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) AND NOT dstIp: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)```
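As an added example (not the playbook's, Arkime's or Zeek's code), the Network Analytics checks above (admin-share access by non-admin users, SMB and RDP crossing the RFC 1918 boundary) together with a subset of the Deep Dive and Analytic 5 enumeration operations, applied to constructed Zeek-style records; the record field names, the sample addresses and the `SamrConnect` miss case are assumptions.

```python
import ipaddress

# Added example, not the playbook's own code. Field names (proto, src, dst,
# user, share, endpoint, operation) are assumed; records are constructed.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Subset of the Deep Dive table plus SamrRidToSid from Host Analytic 5
ENUM_OPS = {
    "lsarpc": {"LsarEnumerateAccounts", "LsarLookupSids", "LsarLookupNames", "LsarQueryInformationPolicy"},
    "samr": {"SamrEnumerateUsersInDomain", "SamrGetMembersInAlias", "SamrLookupNamesInDomain", "SamrRidToSid"},
    "srvsvc": {"NetrShareEnum", "NetrSessionEnum", "NetrServerGetInfo"},
    "wkssvc": {"NetrWkstaUserEnum", "NetrWkstaGetInfo"},
}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(rec):
    """Return the analytic labels a single record triggers (empty list if none)."""
    labels = []
    proto = rec["proto"]
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    if proto in ("smb", "rdp") and not src_in:
        labels.append(f"{proto}_from_external")
    if proto in ("smb", "rdp") and src_in and not dst_in:
        labels.append(f"{proto}_to_external")
    if proto == "smb":
        # share and user names may differ in case on the wire; normalise first
        share = rec.get("share", "").rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES and not rec.get("user", "").lower().startswith("admin"):
            labels.append("admin_share_non_admin_user")
    if proto == "dcerpc" and rec.get("operation") in ENUM_OPS.get(rec.get("endpoint"), set()):
        labels.append(f"rpc_enum_{rec['endpoint']}")
    return labels


def scan(records):
    """Return (index, labels) for every record that triggers at least one analytic."""
    return [(i, classify(r)) for i, r in enumerate(records) if classify(r)]


SAMPLE = [  # constructed records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    {"proto": "smb", "src": "10.1.1.5", "dst": "10.1.1.20", "user": "jdoe", "share": r"\\10.1.1.20\C$"},
    {"proto": "smb", "src": "203.0.113.7", "dst": "10.1.1.20", "user": "Administrator", "share": r"\\10.1.1.20\IPC$"},
    {"proto": "rdp", "src": "10.1.1.5", "dst": "198.51.100.9"},
    {"proto": "rdp", "src": "10.1.1.5", "dst": "10.1.1.30"},
    {"proto": "dcerpc", "src": "10.1.1.5", "dst": "10.1.1.10", "endpoint": "samr", "operation": "SamrEnumerateUsersInDomain"},
    {"proto": "dcerpc", "src": "10.1.1.5", "dst": "10.1.1.10", "endpoint": "samr", "operation": "SamrConnect"},
]
```

Record 3 (internal-to-internal RDP) and record 5 (a SAMR bind that is not an enumeration call) are the intended misses.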

