Continuing in our series on the adversarial mindset, we focus on weaponization for computer network operations. Following the reconnaissance phase and identifying a target, an actor needs to gain a foothold in a network before determining how to monetize the access or remain “low and slow” to conduct additional collection, typically for espionage purposes.
An advanced adversary will ensure to have segmentation in their infrastructure and code throughout the process. With sophisticated adversaries, the weaponization phase is often a skillset left onto itself and a division of labor is often seen.
For example, actors that build the exploits and craft the delivery payloads are often different from the personnel conducting lateral movement, privilege escalation, and exfiltration once a foothold is gained.
Considerations for Weaponization:
“Patch Tuesday is Exploit Wednesday”
The reconnaissance phase likely turned up operating systems and software versions of applications that are vulnerable to current exploits or perhaps the actor wants to develop their own exploit that is unknown (zero-day vulnerabilities).
An exploit is a piece of code or a program that takes advantage of a vulnerability in an application or operating system. The exploit is typically categorized into the resulting behavior after the vulnerability is exploited, such as arbitrary code execution, local or remote privilege escalation, or data exposure.
While an exploit on its own is not malicious, bad actors tend to use them as a component within their malicious code to gain access to the system illegally. Exploit development is certainly a niche skill set and often one that is outsourced even among the most advanced adversaries.
To gain remote code execution against the latest version of a certain operating system or exploit a vulnerability in a software application takes significant research and development cycles and is certainly not trivial.
Weaponization is typically the process of taking a proof of concept or exploit code and working it into an attack method. An exploit developer identifies a vulnerability in a target application, writes an exploit that leverages that vulnerability, and then that exploit is "weaponized" to work against a certain version of the application, often under certain conditions or circumstances, and is packaged up into some delivery mechanism.
For example, many open source exploitation frameworks take exploit code and package them into modules that can then be thrown or delivered from within the framework, usually via a meterpreter session on a target host. The framework has then "weaponized" that exploit, but others may use the exploit in a different manner and would also be weaponizing the exploit, but just in their own attack framework or tool set.
Sophisticated adversaries generally use two forms of exploits: first stage lander (aka beachhead) and second stage implant beachheads.
The purpose of a first-stage beachhead is to allow either an upload and execute a binary to get a secondary beacon to call back to malicious command and control infrastructure and then be interactive on the exploited host.
If an actor drops a more sophisticated binary as the second-stage beachhead, they can potentially throw follow-on exploits right from the first-stage beachhead without a multi-stage process.
For example, at times, adversaries may attempt to exploit vulnerabilities via collections or kits hidden on hosted advertisement networks or invisible landing pages.
If a victim lands on one of these sites, the exploit kit will automatically scan the victim’s computer to find out the operating system the computer is using, which programs are running, and if there are any vulnerabilities associated with those software packages. Once it identifies a vulnerability, the exploit kit will use the appropriate exploit code and attempt to install and execute malware.
However, the dual stage approach of dropping a first stage loader or beachhead on a target and then uploading and executing or injecting a more capable second stage implant or beacon is more common.
Adversaries typically will not risk burning more sophisticated tools during the initial phase of an attack due to the high risk of end point detection controls like EDR/AV detecting, blocking and alerting the initial exploit and payload.
Malware is literally "malicious software" (a file, program, or strong of code for malicious activity) so the term is often interchangeable with an exploit being a form of "malware" alongside implants, covert exfiltration tools, etc.
For example, a malicious DLL file that is injected into a running process by some attack vector or "exploit" would be categorized as "malware" as it was not part of the operating system or any installed applications but instead was deployed by a third-party with the sole intent for that party to gain malicious access to the target system.
Malware is more the overall descriptor in today’s terminology and is classified by the payload or malicious action it performs. The classifications of malware include worms, trojans, botnets, spyware and viruses. Although each malware strain behaves uniquely, automated spreading behavior is most commonly associated with worms.
Open Ports and Services with Leaked Credentials
During the reconnaissance phase, scanning against a particular target likely picked up open services and ports like RDP exposed to the internet. If multi-factor authentication is not enabled and a corporate user recycled their credentials using a non-corporate service account, an actor can easily find credentials on the internet to gain unauthorized access.
A foothold is typically delivered through one of three mechanisms:
2) Web application vulnerabilities
3) Physical access.
We will dig into this for the next adversary mindset blog.