Unauthorized User Scan (T1012) v2

If you’re going through hell, keep going.
— Winston Churchill

Unauthorized User Scan involves unauthorized users conducting scans to gather information or identify vulnerabilities in a target system or network. It is a reconnaissance technique often used by adversaries to map out a network and identify potential exploitation points, resource weaknesses, or open ports.


These are basic remediation steps for Windows, macOS, Linux, AWS, GCP, and Azure. As tools change, remediation advice changes with them. This entry maps to the MITRE technique code referenced in its title. Please check back regularly for updates to this library entry.


Notable Attacks and Timelines

Metasploit Project (2003 - Present)

The Metasploit Project, initiated in 2003, has become a cornerstone in the world of penetration testing. This popular framework contains modules for unauthorized scans, enabling the identification of network hosts, open ports, and vulnerabilities. Its versatility has made it a tool of choice for both ethical hackers and malicious actors, who leverage its efficient scanning capabilities as a prelude to exploitation attempts.

Stuxnet (2010)

Discovered in 2010, Stuxnet marked a watershed moment in cyber warfare. This sophisticated worm, widely attributed to the U.S. and Israeli governments, targeted industrial control systems (ICS) with unprecedented precision. Stuxnet employed network scanning techniques to identify connected centrifuges in Iranian nuclear facilities, subsequently exploiting identified vulnerabilities to deliver its payload. This attack demonstrated the potential for cyber operations to cause physical damage to critical infrastructure.

APT29 (Cozy Bear) Scans (2015-2020)

APT29, also known as Cozy Bear, has been a persistent threat in the cybersecurity landscape since at least 2015. Associated with the Russian Intelligence Agency (FSB), this group is renowned for its sophisticated cyber espionage campaigns. APT29 routinely employs unauthorized scans to map networks and identify vulnerabilities, as evidenced by their high-profile intrusion into the Democratic National Committee (DNC) networks in 2015. Their ongoing activities highlight the enduring nature of state-sponsored cyber threats.

Mirai Botnet (2016)

The Mirai botnet, discovered in 2016, exemplified the growing threat to Internet of Things (IoT) devices. This malware conducted massive scans to identify and infect IoT devices with weak security settings, subsequently using the compromised devices to launch devastating Distributed Denial of Service (DDoS) attacks. The individuals behind Mirai—Paras Jha, Josiah White, and Dalton Norman—were eventually identified and faced legal consequences, underlining the potential for attribution in cybercrime cases.

SolarWinds Attack (2020)

Unearthed in December 2020, the SolarWinds attack represented a sophisticated supply chain compromise. Attributed to the Russian Intelligence Agency (SVR/COPE), this attack involved unauthorized scans within already compromised environments to identify additional targets. This incident emphasized the potential for initial compromises to spiral into wide-ranging, persistent threats across multiple organizations.


Techniques and Tools Used for Unauthorized User Scans

  • Nmap: An open-source network mapper widely used for network discovery and security auditing, particularly for scanning ports and services.

  • Masscan: Capable of scanning the entire internet in under six minutes, this tool is often employed for large-scale unauthorized scans.

  • Hping: Specializes in crafting TCP/IP packets, useful for scanning open ports and conducting network reconnaissance.

  • Zmap: Similar to Masscan, this tool is designed for efficient, large-scale internet scanning operations.

Detection and Mitigation

Detection Strategies

  1. Network Traffic Analysis: Implement continuous monitoring for unusual scanning activity, such as high volumes of SYN packets sent to multiple hosts or ports.

  2. Intrusion Detection Systems (IDS): Deploy IDS with custom rules designed to trigger alerts on patterns indicative of unauthorized scanning.

  3. Logs Analysis: Conduct regular reviews of access logs to identify unusual activities that may signify scanning attempts.
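As an added example (not part of the original entry), the following Python turns the SYN-volume heuristic from item 1 into working detection logic over constructed netfilter LOG lines: it counts distinct host/port targets per source inside a sliding window, so a fast scanner is flagged while a slow one spread across minutes is not. The log format, thresholds and addresses are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed rsyslog lines from a netfilter LOG rule on new inbound TCP: 203.0.113.7 probes
# six host/port pairs in 3 s, 203.0.113.77 probes five pairs 2 min apart, 198.51.100.9 is a client.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Mar  3 10:15:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Mar  3 10:15:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=80 SYN URGP=0
Mar  3 10:15:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=443 SYN URGP=0
Mar  3 10:15:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51238 DPT=445 SYN URGP=0
Mar  3 10:15:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51239 DPT=3389 SYN URGP=0
Mar  3 10:15:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
Mar  3 10:15:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 ACK URGP=0
Mar  3 10:20:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar  3 10:30:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=21 SYN URGP=0
Mar  3 10:32:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=25 SYN URGP=0
Mar  3 10:34:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=110 SYN URGP=0
Mar  3 10:36:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60004 DPT=143 SYN URGP=0
Mar  3 10:38:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60005 DPT=8080 SYN URGP=0
"""
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_probe(line):
    """Return (time, src, dst, dport) for a SYN-only TCP packet, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in line[m.end():].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            flags.add(key)                # bare tokens such as SYN, ACK, DF
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None                       # only first-contact SYNs count as probes
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, fields["SRC"], fields["DST"], int(fields["DPT"])

def detect_scanners(log_text, threshold=5, window_s=60):
    """Sources hitting >= threshold distinct (host, port) targets within window_s seconds -> peak count."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        if rec := parse_probe(line):
            ts, src, dst, dport = rec
            probes[src].append((ts, (dst, dport)))
    alerts = {}
    for src, events in probes.items():
        events.sort()
        window = deque()
        for ts, target in events:
            window.append((ts, target))
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()          # forget probes older than the window
            distinct = len({t for _, t in window})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts
```

With the default 60-second window only 203.0.113.7 is reported; widening the window to ten minutes also catches the slow scanner, which is the usual trade-off between sensitivity and false positives for this kind of rule.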

Mitigation Strategies

  1. Network Segmentation: Implement robust network segregation and enforce strict Access Control Lists (ACLs) to protect sensitive segments.

  2. Firewall Rules: Employ stringent firewall rules to block traffic from unauthorized IP addresses.

  3. Rate Limiting: Apply rate-limiting measures to reduce the risk and effectiveness of scanning attempts.

  4. Regular Patch Management: Maintain a rigorous patching regime to ensure all systems and applications are up-to-date, thereby reducing the overall attack surface.

Publicly Available Resources

  • NIST's Cybersecurity Framework: A comprehensive guide for improving critical infrastructure cybersecurity.

  • CIS Controls: With specific attention to Control 9, which focuses on limitation and control of network ports, protocols, and services.


Remediation: On-Prem


Windows

Detecting and Mitigating Unauthorized User Scans on Windows

Identify Unauthorized Scanning Tools

Begin your investigation by examining running processes on your system. Open Task Manager by pressing Ctrl + Shift + Esc, and scrutinize the list for any unusual or unfamiliar processes. These could be indicators of unauthorized scanning tools operating on your system.

As an additional layer of defense, leverage Windows Defender or your preferred antivirus software to conduct a comprehensive scan of your system. Many of these security solutions are equipped with signature-based detection capabilities for known scanning tools.

Review Event Logs

Windows Event Logs can provide crucial insights into system activities. Access the Event Viewer by typing eventvwr in the Run dialog. Navigate to Windows Logs -> Security and pay particular attention to specific Event IDs, such as 4624, which signifies successful login attempts. Unusual patterns or high frequencies of these events could indicate scanning activities.

Block Unauthorized IPs

If you've identified suspicious IP addresses, take immediate action to block them using the Windows Firewall with Advanced Security. Create a new inbound rule to prevent any traffic from these IPs reaching your system. This proactive measure can significantly reduce your exposure to potential threats.

Remove Unauthorized Users

Conduct a thorough audit of user accounts on your system. Navigate to Control Panel -> User Accounts -> Manage another account to review all existing accounts. If you discover any unauthorized or suspicious accounts, promptly remove or disable them to prevent potential misuse.

Patch System Vulnerabilities

Maintaining an up-to-date system is crucial in defending against unauthorized scans and potential exploits. Ensure that Windows Update is enabled on your system. Regularly check for and install the latest security patches by going to Settings -> Update & Security -> Windows Update.

By systematically implementing these steps, you can significantly enhance your system's resilience against unauthorized user scans and potential security breaches. Remember, cybersecurity is an ongoing process that requires constant vigilance and proactive


macOS

Detecting and Mitigating Unauthorized User Scans on macOS

Identify Suspicious Applications

Begin your security audit by examining the applications running on your macOS system. Open Activity Monitor, which can be found in the Applications/Utilities folder or by using Spotlight search. Carefully review the list of active processes, paying particular attention to any unfamiliar or suspicious applications.

macOS comes equipped with built-in security features such as XProtect and Gatekeeper. These tools work silently in the background to protect your system from malware and unauthorized applications. Ensure these features are enabled in your Security & Privacy settings for an additional layer of protection.

Check System Logs

macOS maintains detailed logs of system activities, which can be invaluable for detecting unauthorized scans. Launch the Console application, typically found in the Utilities folder. Focus your attention on the system and authd logs, which can provide crucial information about system access and authentication attempts.

Block Unauthorized IP Addresses

If you've identified suspicious IP addresses, you can block them using macOS's built-in Packet Filter (PF) firewall. To configure PF:

  1. Open Terminal and edit the PF configuration file with the command:

    sudo nano /etc/pf.conf

  2. Add rules to block the unauthorized IPs.

  3. Save your changes and reload the configuration with:

    sudo pfctl -f /etc/pf.conf

This proactive measure can significantly reduce your exposure to potential threats from known malicious IP addresses.

Manage User Accounts

Regularly audit user accounts on your system to ensure only authorized users have access. Navigate to System Preferences -> Users & Groups to review all existing accounts. If you discover any unauthorized or suspicious accounts, promptly remove or disable them to prevent potential misuse.

Enable Security Updates

Keeping your system up-to-date is crucial in maintaining a strong defense against unauthorized scans and potential exploits. Enable automatic updates by going to System Preferences -> Software Update. Ensure that "Automatically keep my Mac up to date" is checked to receive the latest security patches and system updates.


Linux

Detecting and Mitigating Unauthorized User Scans on Linux

Identify Unauthorized Scanning Tools

Begin your security audit by examining the processes running on your Linux system. Open a terminal and use the following command to identify potential scanning processes:

ps aux | grep -i '[s]can'

This command lists every process whose command line contains "scan" (the bracket in the pattern keeps the grep process itself out of the results). Review the output carefully for any unfamiliar or suspicious entries; a scanner renamed to something innocuous will not match, so treat this as a quick first check rather than proof of absence.

Additionally, check the crontab for any unusual scheduled scripts that could be performing unauthorized scans:

crontab -l

Review System Logs

Linux systems maintain detailed logs that can provide crucial information about system activities. Focus your attention on two key log files:

  1. /var/log/auth.log: Contains authentication-related events.

  2. /var/log/syslog: Provides general system activity logs.

Use the grep command to search these logs for suspicious activity. For example:

grep "Failed password" /var/log/auth.log

This command will show all failed login attempts, which could indicate scanning or brute-force attacks.
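Added example, not from the original entry: a Python summary of the failed-password lines the grep above surfaces, separating a source that guesses several accounts from a legitimate user who mistypes a password once. The auth.log excerpt is constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed /var/log/auth.log excerpt: 203.0.113.7 tries several accounts in a few
# seconds; 198.51.100.9 is a legitimate user who mistypes a password once and then succeeds.
SAMPLE_AUTH_LOG = """\
Mar  3 11:02:13 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51544 ssh2
Mar  3 11:02:15 web1 sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51546 ssh2
Mar  3 11:02:16 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51548 ssh2
Mar  3 11:02:18 web1 sshd[2216]: Failed password for root from 203.0.113.7 port 51550 ssh2
Mar  3 11:02:19 web1 sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 51552 ssh2
Mar  3 11:02:20 web1 sshd[2219]: Accepted publickey for deploy from 198.51.100.9 port 50022 ssh2: ED25519 SHA256:constructed
Mar  3 11:05:40 web1 sshd[2230]: Failed password for alice from 198.51.100.9 port 50100 ssh2
Mar  3 11:05:47 web1 sshd[2230]: Accepted password for alice from 198.51.100.9 port 50100 ssh2
"""

# sshd writes "invalid user" only when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarize_failed_logins(log_text):
    """Per source IP: total failures, distinct usernames tried, attempts on non-existent accounts."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                      # "Accepted ..." and unrelated lines are ignored
        entry = summary[m.group("src")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        if m.group("invalid"):
            entry["invalid"] += 1
    return dict(summary)

def credential_guessing_sources(log_text, min_attempts=5, min_users=3, min_invalid=2):
    """Sources whose failures look like guessing rather than a typo: many attempts, several
    different usernames, or repeated attempts against accounts that do not exist here."""
    flagged = []
    for src, e in summarize_failed_logins(log_text).items():
        if (e["attempts"] >= min_attempts or len(e["users"]) >= min_users
                or e["invalid"] >= min_invalid):
            flagged.append(src)
    return sorted(flagged)
```

The flagged addresses are the candidates for the iptables block described in the next section; the per-source summary is worth keeping alongside them so the decision can be reviewed later.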

Block Malicious IPs

If you've identified suspicious IP addresses, you can block them using iptables, the Linux firewall utility. To block an IP address:

sudo iptables -A INPUT -s [IP_ADDRESS] -j DROP

Replace [IP_ADDRESS] with the actual IP you want to block. To ensure these rules persist after a system reboot, save them. The redirection has to run as root as well, which a plain "sudo iptables-save > file" does not do (the shell opens the file as your own user), so run the whole command in a root shell; the /etc/iptables directory is the one used by the iptables-persistent package on Debian-based systems:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Manage User Accounts

Regularly audit user accounts on your system to ensure only authorized users have access. List all user accounts with:

sudo cat /etc/passwd

If you discover any unauthorized or suspicious accounts, you can disable them. Locking the password alone (-L) does not stop SSH logins that use an authorized key, so also set an expiry date in the past, which disables the account for every login method:

sudo usermod -L -e 1970-01-02 [USERNAME]

Or remove them entirely:

sudo userdel [USERNAME]

Replace [USERNAME] with the actual username you want to disable or remove.

Apply Updates

Keeping your system up-to-date is crucial in maintaining a strong defense against unauthorized scans and potential exploits. Regularly update your system using your distribution's package manager. For Debian-based systems (like Ubuntu):

sudo apt update && sudo apt upgrade

For Red Hat-based systems:

sudo yum update

By systematically implementing these steps, you can significantly enhance your Linux system's resilience against unauthorized user scans and potential security breaches. Remember, cybersecurity is an ongoing process that requires constant vigilance and proactive measures.


Remediation: Cloud


Amazon AWS

Detecting and Mitigating Unauthorized User Scans in AWS

Check for Unauthorized Instances

Begin your security audit by examining the EC2 Dashboard in your AWS Console. Carefully review all running instances, paying close attention to any unfamiliar or unexpected instances. These could be indicators of unauthorized access or resource misuse.

If you identify any unauthorized instances:

  1. Select the instance in question

  2. Click 'Instance State'

  3. Choose 'Terminate' to immediately stop and remove the instance

Review Security Groups and Access Logs

Navigate to EC2 -> Security Groups in your AWS Console. Examine each security group for recent changes or unfamiliar rules that might allow unauthorized access.
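Added example, not AWS's or the entry's own code: a Python audit that applies the review described above to security-group data in the shape returned by boto3's ec2.describe_security_groups, flagging inbound rules that are open to any source on all traffic, on administrative ports, or across a wide port range. The groups below are constructed (no AWS call is made) and the admin-port list and range threshold are assumptions.

```python
import ipaddress

# Constructed data in the shape of boto3 ec2.describe_security_groups()["SecurityGroups"].
# "web" exposes 443 (expected) and SSH (not expected), "legacy" allows everything from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e9f8a7b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24", "Description": "corp VPN"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c0ffee0", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM (assumed list; extend per environment)
WIDE_RANGE = 100                        # flag any-source rules spanning this many ports or more

def any_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule reachable from the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_security_groups(groups, admin_ports=ADMIN_PORTS):
    """Return (group id, name, reason) for inbound rules a reviewer should question."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(any_source(c) for c in sources):
                continue                  # limited to named ranges: outside this check's scope
            proto = perm["IpProtocol"]
            if proto == "-1":             # AWS encodes "all protocols, all ports" as -1
                reason = "all traffic from any source"
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
                exposed = sorted(p for p in admin_ports if lo <= p <= hi)
                if exposed:
                    reason = f"{proto} admin port(s) {exposed} from any source"
                elif hi - lo + 1 >= WIDE_RANGE:
                    reason = f"{proto} ports {lo}-{hi} from any source"
                else:
                    continue              # e.g. 443 on a public web tier is expected
            findings.append((g["GroupId"], g["GroupName"], reason))
    return findings
```

Rules limited to named ranges (the bastion group here) pass this check and still deserve a manual look against the list of ranges you actually own.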

Leverage AWS CloudTrail to analyze logs for unauthorized activities. CloudTrail provides a comprehensive history of API calls in your account, which can help identify suspicious actions or potential security breaches.

Review IAM Roles and Policies

Access the IAM Dashboard to conduct a thorough audit of users and roles. Look for:

  • Unfamiliar user accounts

  • Unused roles

  • Overly permissive policies

Update or remove any excessive permissions to adhere to the principle of least privilege. This reduces your attack surface and limits potential damage from compromised credentials.

Block IP Addresses

Implement Network Access Control Lists (NACLs) to block unauthorized IPs at the subnet level:

  1. Navigate to VPC Dashboard

  2. Select 'Network ACLs'

  3. Edit inbound rules to deny traffic from suspicious IPs

For more granular control, consider implementing additional firewall rules with AWS WAF (Web Application Firewall). This service allows you to create custom rules to block specific IP addresses or ranges across your AWS resources.

Update Security Packs

Maintain robust security by regularly updating your AWS resources. Utilize AWS Systems Manager Patch Manager to automate the process of applying security updates across your EC2 instances and managed nodes.

To set up Patch Manager:

  1. Open AWS Systems Manager console

  2. Navigate to 'Patch Manager'

  3. Create a patch baseline

  4. Schedule patching operations


Google GCP

Detecting and Mitigating Unauthorized User Scans in Google Cloud Platform (GCP)

Check Unauthorized VM Instances

Begin your security audit by examining the Compute Engine dashboard in your GCP Console. Carefully review all VM instances, paying particular attention to any unfamiliar or unexpected instances. These could be indicators of unauthorized access or resource misuse.

If you identify any unauthorized instances:

  1. Select the instance in question

  2. Click the 'More actions' (three-dot) menu

  3. Choose 'Delete' to immediately remove the instance

Review Firewall Rules

Navigate to VPC Network -> Firewall rules in your GCP Console. Examine each firewall rule for recent changes or unfamiliar configurations that might allow unauthorized access.

To update rules and block unauthorized IPs:

  1. Select the rule you want to modify

  2. Click 'Edit'

  3. Add the unauthorized IP addresses to the 'Denied' list

  4. Click 'Save' to apply the changes

Analyze Logs with Stackdriver

Leverage Google Cloud's Operations Suite (formerly Stackdriver) to analyze logs for unauthorized activities. This powerful tool provides comprehensive logging and monitoring capabilities:

  1. Go to the Operations Suite dashboard

  2. Select 'Logging' from the menu

  3. Use the query interface to search for suspicious activities

  4. Create custom alerts for unusual events to receive real-time notifications

Review IAM Policies

Access the IAM & Admin section to conduct a thorough audit of users and service accounts:

  1. Review the list of users and service accounts

  2. Check the permissions assigned to each

  3. For any suspicious accounts:

    • Click on the account name

    • Review the 'Permissions' tab

    • Use 'Remove access' to revoke unnecessary permissions

Adhere to the principle of least privilege by ensuring each account has only the permissions necessary for its intended function.

Enable Security Command Center

Security Command Center is GCP's comprehensive security management and risk platform. To enable and utilize this feature:

  1. Navigate to Security Command Center in the GCP Console

  2. Click 'Enable' if not already activated

  3. Once enabled, review the 'Findings' page regularly for potential security risks

  4. For each finding:

    • Assess the risk level

    • Review the detailed information provided

    • Take appropriate action based on the nature of the finding


Azure

Detecting and Mitigating Unauthorized User Scans in Microsoft Azure

Check for Unauthorized Resources

Begin your security audit by thoroughly examining the Azure portal dashboard. Review all running resources across your subscriptions, paying close attention to any unfamiliar or unexpected instances.

If you identify unauthorized resources:

  1. Select the resource in question

  2. Click 'Stop' to immediately halt its operations

  3. Once stopped, select 'Delete' to permanently remove the resource

This process helps maintain a clean and secure Azure environment by eliminating potential backdoors or resource misuse.

Audit Network Security Groups (NSGs)

Navigate to Network Security Groups in the Azure portal. Carefully examine both inbound and outbound rules for each NSG:

  1. Select the NSG you want to review

  2. Check 'Inbound security rules' and 'Outbound security rules'

  3. Look for any unfamiliar or overly permissive rules

To block unauthorized IPs:

  1. Click 'Add' to create a new rule

  2. Set 'Source' to the IP addresses you want to block

  3. Set 'Action' to 'Deny'

  4. Assign a high priority to ensure it's evaluated before more permissive rules

Review Activity Logs

Leverage Azure's built-in monitoring capabilities by analyzing the Activity log:

  1. Navigate to Monitor -> Activity log in the Azure portal

  2. Use filters to focus on specific resource types, time ranges, or operations

  3. Look for unusual patterns or unexpected operations that could indicate unauthorized access

Consider setting up alerts for critical activities to receive real-time notifications of potential security events.

Manage IAM Roles and Policies

Conduct a thorough audit of your Azure Active Directory users and groups:

  1. Go to Azure Active Directory -> Users and Groups

  2. Review the list of users and their assigned roles

  3. For any suspicious or unnecessary accounts:

    • Select the account

    • Review its role assignments

    • Use 'Remove' to revoke unnecessary permissions

Adhere to the principle of least privilege, ensuring each account has only the permissions necessary for its intended function.

Apply Security Updates

Utilize Azure Security Center to maintain robust security across your resources:

  1. Navigate to Security Center in the Azure portal

  2. Review the 'Recommendations' tab for suggested security improvements

  3. Apply critical updates to your resources

To enable automatic updates:

  1. Go to the settings for each resource type

  2. Look for an 'Automatic Updates' or similar option

  3. Enable and configure as appropriate for each resource

