
Studying MITRE ATT&CK. Mobile Matrices: Device Access. Part 5

Discovery and Lateral Movement



Links to all parts:



Part 1. Initial access to a mobile device (Initial Access)

Part 2. Persistence and Privilege Escalation

Part 3. Getting Credential Access

Part 4. Defense Evasion



Having gained access to a mobile device, the adversary will most likely use the standard facilities of the operating system to “look around”: to understand what foothold has been gained and whether it helps achieve the goal of the intrusion. This stage of the attack is called Discovery. Discovery techniques are aimed at obtaining information about the characteristics of the compromised mobile device and about other systems reachable over the network.


Having assessed the capabilities of the compromised environment, the adversary will try to gain access to remote systems, and possibly control over them, and will attempt to run malicious tools on those systems. This activity is called Lateral Movement. Lateral movement techniques also include ways of collecting information from remote systems without deploying additional tools such as Remote Access Tools (RATs).



The author is not responsible for the possible consequences of the application of the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free retelling of the content of the ATT&CK Mobile Matrices: Device Access.



Discovery



Application Discovery



Platform: Android, iOS

Description: In order to detect security tools on the compromised device, an adversary may try to identify the applications installed on it, either to find applications that increase the risk of malicious activity being detected or, conversely, to find applications that will be targeted by a further attack.



On Android, applications can use methods of the PackageManager class to enumerate other applications, or, if they have command-line access, run the pm command. On iOS, applications can use private API calls to obtain the list of applications installed on the device; however, an application that uses private API calls is unlikely to be accepted into the App Store.



Security Tips: Application vetting should include tools that identify applications using PackageManager class methods to list other applications, although this approach may not be practical, because many applications call PackageManager methods as part of their normal operation. On iOS, application vetting tools can similarly look for private API calls.



Device Type Discovery



Platform: Android

Description: On Android, information about the device type is available through the android.os.Build class. Device information can be used to select privilege-escalation exploits targeted at that specific device.



Security Tips: Application vetting can detect applications that use the android.os.Build class, but this measure is not very effective, because many applications use this functionality as part of their normal operation.



File and Directory Discovery



Platform: Android

Description: To enumerate the contents of the file system on Android, an application can use command-line tools or the Java file APIs. However, Linux file permissions and SELinux policies usually restrict application access to files very strictly (unless a privilege-escalation exploit is used). External storage is generally accessible to applications, so sensitive data improperly stored there should be a cause for concern. The iOS security architecture usually limits the ability to enumerate files and directories without elevated privileges.



Security Tips: Privilege escalation becomes harder with each new version of Android and iOS. Recent versions of Android have a strengthened sandbox that limits the ability of applications to list the contents of the file system.



Network Service Scanning



Platform: Android, iOS

Description: Using port scanners and vulnerability scanners, an adversary can try to obtain a list of services running on remote devices, including those with remotely exploitable vulnerabilities. A mobile device that connects to the enterprise internal network, locally or over VPN, may be seen by the adversary as a potential advantage.



Process Discovery



Platform: Android

Description: On Android versions prior to 5, applications can obtain information about other running processes through methods of the ActivityManager class. On Android versions prior to 7, applications can obtain this information by running the ps command or by examining the /proc directory. Starting with Android 7, the Linux kernel's hidepid mount option for /proc prevents applications without elevated privileges from obtaining information about other processes.



Security Tips: Use Android 7 or later.
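A posture check for the mitigation above, added here as an example (it is not from the article or from Android): it reads /proc/mounts-style text and reports whether /proc is mounted with hidepid so that unprivileged apps cannot list other processes. The mount lines below are constructed samples.

```python
"""Posture check for the Process Discovery mitigation: confirm that /proc is
mounted with hidepid. Added illustration, not part of the article or Android."""

def proc_hidepid(mounts_text: str):
    """Return the hidepid value from /proc/mounts-style text, or None if unset.
    Each line is: device mountpoint fstype options dump pass."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
            return None  # /proc is mounted, but without hidepid
    return None

def hides_other_processes(mounts_text: str) -> bool:
    """True only for hidepid=2 (or its newer spelling 'invisible'), which hides
    other users' /proc entries entirely; hidepid=1 still reveals that they exist."""
    return proc_hidepid(mounts_text) in ("2", "invisible")

# Constructed /proc/mounts excerpts: one in the Android 7+ style, one without hidepid.
MOUNTS_HARDENED = "proc /proc proc rw,relatime,gid=3009,hidepid=2 0 0\n"
MOUNTS_LEGACY = "proc /proc proc rw,relatime 0 0\n"
```

On a device with a shell, feed it the real contents of /proc/mounts instead of the samples.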



System Information Discovery



Platform: Android, iOS

Description: An adversary may attempt to obtain detailed information about the operating system and hardware, including the version, installed patches, and architecture. On Android, most system information is available through the android.os.Build class. On iOS, there are likewise methods by which applications can access system information.



System Network Configuration Discovery



Platform: Android

Description: On Android, configuration details of the device's network interfaces are available to applications through the java.net.NetworkInterface class. The TelephonyManager class can be used to collect information such as the IMSI, IMEI and phone number.



Security Tips: Application vetting should include checking whether the application requests the ACCESS_NETWORK_STATE permission (required to access NetworkInterface information) or READ_PHONE_STATE (required to access TelephonyManager information). Starting with Android 6.0, applications cannot access the MAC addresses of network interfaces.
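The vetting checks suggested here and in the Application Discovery tips above, as one added example that is not from the article, ATT&CK or Android tooling: it flags the permissions that gate TelephonyManager and NetworkInterface data and the smali-style method references for the discovery APIs named on this page. It assumes the manifest has already been decoded and the code decompiled to smali; the manifest and smali below are constructed samples.

```python
"""Static vetting check for the discovery indicators this page describes.
Added illustration only; findings are review prompts, not verdicts."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that gate the network-configuration APIs named on this page.
PERMISSION_NOTES = {
    "android.permission.READ_PHONE_STATE": "gates TelephonyManager (IMEI/IMSI/phone number)",
    "android.permission.ACCESS_NETWORK_STATE": "gates NetworkInterface data",
}

# Regexes over smali-style method references, mapped to the technique they indicate.
API_INDICATORS = {
    r"Landroid/content/pm/PackageManager;->getInstalled(Applications|Packages)": "Application Discovery",
    r"Landroid/os/Build;->": "Device Type / System Information Discovery",
    r"Ljava/net/NetworkInterface;->": "System Network Configuration Discovery",
    r"Landroid/telephony/TelephonyManager;->get(DeviceId|SubscriberId|Line1Number)": "System Network Configuration Discovery",
    r"Landroid/app/ActivityManager;->getRunningAppProcesses": "Process Discovery",
}

def requested_permissions(manifest_xml: str) -> list:
    """List the android:name value of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]

def vet(manifest_xml: str, smali: str) -> dict:
    """Collect gating permissions and discovery API references. Many benign apps
    call PackageManager and android.os.Build, so an analyst still has to judge."""
    findings = {"permissions": [], "apis": []}
    for perm in requested_permissions(manifest_xml):
        if perm in PERMISSION_NOTES:
            findings["permissions"].append("%s: %s" % (perm, PERMISSION_NOTES[perm]))
    for pattern, technique in API_INDICATORS.items():
        if re.search(pattern, smali) and technique not in findings["apis"]:
            findings["apis"].append(technique)
    return findings

# Constructed sample input standing in for a decoded manifest and decompiled smali.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SAMPLE_SMALI = """
invoke-virtual {v0, v1}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;
invoke-virtual {v3}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
"""
```

Calling vet(SAMPLE_MANIFEST, SAMPLE_SMALI) reports the READ_PHONE_STATE permission and three discovery techniques for the sample; on real input, run it over every smali file of the decompiled APK and concatenate the text.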



System Network Connections Discovery



Platform: Android

Description: Applications can use standard APIs to collect data about outgoing and incoming network connections. For example, the Network Connections application available on Google Play provides this functionality.



Lateral Movement



Attack PC via USB Connection



Platform: Android

Description: To attack a PC connected to the mobile device, an adversary with elevated privileges can modify the OS so that the mobile device impersonates a USB device: a keyboard, mouse, storage device or network adapter. This method has been demonstrated on Android; whether it can be implemented on iOS is not known.



Security Tips: Users are advised to connect mobile devices to PCs only when reasonably necessary (for example, for developing and debugging mobile applications).



Exploit Enterprise Resources



Platform: Android, iOS

Description: An adversary may attempt to exploit corporate servers, workstations or other resources reachable on the network. This technique applies when a mobile device is connected to the corporate network, locally or over VPN.

Source: https://habr.com/ru/post/457092/


