Blog Post

Hunting for Goddi – Uncovering MITRE ATT&CK Discovery Tactics & Techniques

As the MITRE ATT&CK framework recognizes, discovery (reconnaissance) plays a pivotal role in both real attacks and red team engagements. It gives the adversary a detailed understanding of the network neighborhood, shows where the organization's crown jewels might be and helps plot a path to reach them. Often, however, this activity flies under the radar because it relies on stealthy, generic methods that blend in with normal network traffic. From an attacker's perspective, reconnaissance focuses on cataloging information such as operating system versions and patch levels, remote services, user groups, the presence of devices from particular manufacturers and much more. Much of this information gathering has been automated, and a number of widely available tools perform the task. In this post we focus on one popular recon tool, Goddi, and discuss how security operations teams can hunt for its presence within their networks. The threat hunting techniques we present are generic, however, and apply to other tools in this category as well.

Goddi – Collecting Domain Information

Goddi (short for Go Dump Domain Info) is an Active Directory enumeration tool written in the Go programming language by NetSPI. It gathers domain information and is considered an alternative to several other common tools such as BloodHound, ADInfo, PowerSploit and windapsearch.

Goddi performs a range of LDAP queries against a domain controller to pull out information. It also supports negotiating an encrypted connection with the domain controller via StartTLS on TCP/389. After authenticating to the domain, Goddi can retrieve the following types of information:

  • Domain users
  • Users in privileged user groups
  • Users with passwords not set to expire
  • User accounts that have been locked or disabled
  • Machine accounts with passwords older than 45 days
  • Domain computers
  • Domain controllers
  • Sites and subnets
  • Trusted domain relationships
  • SPNs (Service principal name)
  • Domain groups
  • Domain organizational units (OUs)
  • Domain account policy
  • Domain delegation users
  • Domain group policy objects (GPOs)
  • Domain flexible single master operation (FSMO) roles
  • Local administrator password solution (LAPS) passwords

Technical Analysis

By default, Microsoft Windows domain controllers allow basic LDAP read operations to any authenticated domain account, regardless of its privilege level. This access, typically over TCP/389, therefore needs only a valid domain account (no administrative rights) to perform the LDAP queries and launch the enumeration.

Goddi is pretty simple to use. The screenshot below, for instance, shows how easy it is to launch an enumeration attempt:

Figure 1: Enumerating domain information using Goddi

So, what does this look like on the network? By capturing and then reviewing live network traffic we see the actual LDAP queries Goddi uses. Specifically, we observe a series of LDAP searchRequest messages, each a separate protocol data unit (PDU) whose base object, search filter and requested attributes vary with the type of data being enumerated.

For instance, enumerating the list of computers in the domain and pulling some attributes for each would appear on the network as shown in Figure 2.

Figure 2: Awake UI view of parsed LDAP request

Decoding the same traffic in Wireshark (Figure 3), shows the LDAP Filters and Attributes used during the enumeration phase:

Figure 3: Wireshark view of LDAP Message

tshark is also very handy for post-processing and analyzing the network traffic, especially when you want to correlate the results of multiple Goddi requests. tshark can parse live network traffic as well as PCAP files, and it provides a wide range of protocol-specific field expressions to pull out interesting data sets and speed up analysis.

Figure 4: Tshark view of LDAP searchRequest attributes during recon

As Figure 4 illustrates, we can extract the set of LDAP searchRequest attributes used to perform the enumeration against the domain controllers.
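To make that verbose, per-request parsing concrete, here is an added example (written for this edit, not code from the original post, from Awake Security or from NetSPI) that decodes an LDAP searchRequest PDU from raw bytes, the way a sensor watching TCP/389 would, into the base object, scope, filter string and attribute list. The BER encoder in the first half exists only to build a constructed sample message offline; the sample filter and attribute names are assumptions about what a computer enumeration looks like, not Goddi's actual queries.

```python
"""Decode LDAP searchRequest PDUs (RFC 4511) from raw bytes.

Added example, not code from the original post, from Awake or from NetSPI.
Encoder half: builds constructed test PDUs. Decoder half: the sensor side.
Sample filters/attributes are assumptions, not Goddi's actual queries.
"""


# --- BER encoding helpers (only used to build sample PDUs) -------------------
def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def integer(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A), two's complement, minimal length."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(size, "big", signed=True))


# Filter CHOICE tags: and [0], or [1], not [2], equalityMatch [3],
# greaterOrEqual [5], lessOrEqual [6] are constructed; present [7] is primitive.
def f_and(*parts): return tlv(0xA0, b"".join(parts))
def f_or(*parts): return tlv(0xA1, b"".join(parts))
def f_not(part): return tlv(0xA2, part)
def f_eq(attr, value): return tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
def f_ge(attr, value): return tlv(0xA5, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
def f_le(attr, value): return tlv(0xA6, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
def f_present(attr): return tlv(0x87, attr.encode())


def search_request(msg_id: int, base_dn: str, filt: bytes, attrs, scope: int = 2) -> bytes:
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] }; scope 2 = wholeSubtree."""
    body = (tlv(0x04, base_dn.encode())            # baseObject
            + integer(scope, 0x0A)                 # scope
            + integer(0, 0x0A)                     # derefAliases: neverDerefAliases
            + integer(0) + integer(0)              # sizeLimit, timeLimit
            + tlv(0x01, b"\x00")                   # typesOnly FALSE
            + filt
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, integer(msg_id) + tlv(0x63, body))


# --- BER decoding (what a network sensor does with captured bytes) -----------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos). LDAP only uses single-octet tags."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Yield each complete TLV inside a constructed body."""
    pos = 0
    while pos < len(body):
        _, _, nxt = read_tlv(body, pos)
        yield body[pos:nxt]
        pos = nxt


def filter_to_string(encoded: bytes) -> str:
    """Render a BER Filter back into RFC 4515 string form."""
    tag, body, _ = read_tlv(encoded, 0)
    if tag == 0x87:
        return "(%s=*)" % body.decode()
    if tag in (0xA3, 0xA5, 0xA6):
        op = {0xA3: "=", 0xA5: ">=", 0xA6: "<="}[tag]
        _, attr, pos = read_tlv(body, 0)
        _, value, _ = read_tlv(body, pos)
        return "(%s%s%s)" % (attr.decode(), op, value.decode())
    if tag in (0xA0, 0xA1, 0xA2):
        op = {0xA0: "&", 0xA1: "|", 0xA2: "!"}[tag]
        return "(" + op + "".join(filter_to_string(c) for c in _children(body)) + ")"
    raise ValueError("unsupported filter tag 0x%02x" % tag)


SCOPES = {0: "base", 1: "one", 2: "sub"}


def parse_search_request(pdu: bytes) -> dict:
    """Extract the fields a hunter cares about from one LDAPMessage."""
    tag, message, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(message, 0)
    op_tag, op_body, _ = read_tlv(message, pos)
    if op_tag != 0x63:
        raise ValueError("not a searchRequest (protocolOp tag 0x%02x)" % op_tag)
    fields = list(_children(op_body))              # the 8 SearchRequest members
    attrs = [read_tlv(a, 0)[1].decode() for a in _children(read_tlv(fields[7], 0)[1])]
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "base": read_tlv(fields[0], 0)[1].decode(),
            "scope": SCOPES.get(read_tlv(fields[1], 0)[1][0], "?"),
            "filter": filter_to_string(fields[6]),
            "attributes": attrs}


# Constructed sample: a computer enumeration of the kind the post describes.
SAMPLE_PDU = search_request(
    7, "DC=corp,DC=example",
    f_and(f_eq("objectCategory", "computer"), f_present("operatingSystem")),
    ["name", "dNSHostName", "operatingSystem", "operatingSystemVersion"])

if __name__ == "__main__":
    print(parse_search_request(SAMPLE_PDU))
```

The decoder deliberately stops at the handful of filter types needed here; substrings, approxMatch and extensibleMatch raise rather than silently mis-rendering, which is the behavior you want in a sensor so that unparsed queries show up as such instead of vanishing.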

Detection Models

Parsing and understanding each enumeration type in such a verbose way, then allows us to fingerprint these LDAP queries in the Awake Security Platform. Awake understands LDAP queries and provides an abstraction layer to fetch these record types.

This knowledge has allowed us to build adversarial models that identify the usage of Goddi in customer environments. The platform can account for the rarity of the request, whether the enumeration is typical for the device and its peer group, whether other suspect behavior is associated with the device in question, and so on. All of this is possible because Awake's EntityIQ tracks the device as an entity rather than as an ephemeral IP address, which helps keep false positives for these models low.

When the platform identifies such reconnaissance behavior on the network (MITRE ATT&CK IDs T1087 Account Discovery, T1018 Remote System Discovery, T1082 System Information Discovery, T1016 System Network Configuration Discovery and T1033 System Owner/User Discovery), it creates a Situation as shown in Figure 5.

Figure 5: Recon – Domain Computers and OS Info

As Figure 5 illustrates, Awake created a graphical visualization of this Situation, showing that a source Windows device attempted to retrieve the target domain controller's list of workstations and their operating systems.

Recommendation

Detecting and monitoring reconnaissance attempts can be tricky because of the generic nature of the behavior, and analysts can spend a lot of time triaging what is recon activity and what is just normal domain activity. The Awake Security Platform helps by correlating such sequences of LDAP searchRequest message types based on frequency, time frame, the entity making the request and other suspect activity from that entity.
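As an added example of the kind of correlation described here and in the Detection Models section above (this is not Awake's model or NetSPI's code), the following script post-processes tshark field output, classifies each searchRequest by which enumeration type its filter or attribute list resembles, and flags a source that touches several distinct types within a short window unless that source is baselined as normally doing so. The tshark command and field names in the docstring and the classification patterns are assumptions; the traffic rows are constructed, not captured.

```python
"""Hunt for Goddi-style enumeration in LDAP searchRequest traffic.

Added example, not Awake's or NetSPI's code. The rows below are constructed;
in practice they would come from (assumed tshark invocation/field names):

  tshark -r capture.pcap -Y 'ldap.protocolOp == 3' -T fields -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e ldap.baseObject \
      -e ldap.filter -e ldap.AttributeDescription

protocolOp 3 is searchRequest; repeated attribute fields are comma-joined.
The filter patterns per class are assumptions, not Goddi's actual queries.
"""
import re
from collections import defaultdict, deque

# (class, regex over the filter string, regex over the requested attributes).
# One request may hit several classes, e.g. a computer query asking for LAPS.
ENUM_CLASSES = [
    ("gpos",          r"objectClass=groupPolicyContainer", None),
    ("groups",        r"objectClass=group\)", None),
    ("computers",     r"objectCategory=computer|objectClass=computer", None),
    ("users",         r"objectCategory=person|objectClass=user\)", None),
    ("trusts",        r"objectClass=trustedDomain", None),
    ("spns",          r"servicePrincipalName=\*", None),
    ("ous",           r"objectClass=organizationalUnit", None),
    ("sites_subnets", r"objectClass=(site|subnet)\)", None),
    ("laps",          None, r"ms-Mcs-AdmPwd"),
    ("fsmo",          None, r"fSMORoleOwner"),
]
WINDOW_SECONDS = 300   # correlate one source's requests within 5 minutes
MIN_CLASSES = 5        # this many distinct classes in a window looks like recon


def parse_tshark_fields(text: str):
    """Turn tab-separated `tshark -T fields` lines into row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, base, filt, attrs = (line.split("\t") + [""] * 6)[:6]
        rows.append({"ts": float(ts), "src": src, "dst": dst, "base": base,
                     "filter": filt, "attrs": [a for a in attrs.split(",") if a]})
    return rows


def classify(filt: str, attrs) -> set:
    """Map one searchRequest to the enumeration classes it resembles."""
    attr_blob, hits = ",".join(attrs), set()
    for name, filt_re, attr_re in ENUM_CLASSES:
        if filt_re and re.search(filt_re, filt):
            hits.add(name)
        if attr_re and re.search(attr_re, attr_blob, re.IGNORECASE):
            hits.add(name)
    return hits


def hunt(rows, baseline=frozenset(), window=WINDOW_SECONDS, min_classes=MIN_CLASSES):
    """Return {src_ip: sorted classes} for sources touching >= min_classes
    distinct enumeration classes within `window` seconds.

    `baseline` holds sources for which broad enumeration is normal (an AD
    health monitor, say); it stands in for the entity/peer-group context."""
    recent = defaultdict(deque)            # src -> deque of (ts, class)
    alerts = {}
    for row in sorted(rows, key=lambda r: r["ts"]):
        queue = recent[row["src"]]
        for cls in classify(row["filter"], row["attrs"]):
            queue.append((row["ts"], cls))
        while queue and row["ts"] - queue[0][0] > window:
            queue.popleft()                # expire requests outside the window
        seen = {c for _, c in queue}
        if len(seen) >= min_classes and row["src"] not in baseline:
            alerts[row["src"]] = sorted(seen | set(alerts.get(row["src"], [])))
    return alerts


# Constructed sample traffic: 10.0.0.25 walks the domain the way a recon tool
# would, 10.0.0.40 is a help-desk host doing routine lookups, and 10.0.0.7 is
# an AD monitoring server that legitimately runs the same broad set of queries.
DC, BASE = "10.0.0.5", "DC=corp,DC=example"
_RECON = [
    ("(objectCategory=computer)", "name,operatingSystem,operatingSystemVersion"),
    ("(&(objectCategory=person)(objectClass=user))", "sAMAccountName,userAccountControl"),
    ("(objectClass=trustedDomain)", "name,trustDirection"),
    ("(servicePrincipalName=*)", "sAMAccountName,servicePrincipalName"),
    ("(objectClass=groupPolicyContainer)", "displayName,gPCFileSysPath"),
    ("(objectClass=organizationalUnit)", "name,gPLink"),
    ("(objectCategory=computer)", "name,ms-Mcs-AdmPwd"),
]
_rows = []
for _i, (_f, _a) in enumerate(_RECON):
    _rows.append(("%.3f" % (1700000000 + _i * 2), "10.0.0.25", DC, BASE, _f, _a))
    _rows.append(("%.3f" % (1700000000 + _i * 2 + 1), "10.0.0.7", DC, BASE, _f, _a))
_rows.append(("1700000010.000", "10.0.0.40", DC, BASE, "(objectClass=user)", "sAMAccountName"))
_rows.append(("1700000400.000", "10.0.0.40", DC, BASE, "(objectCategory=computer)", "name"))
SAMPLE_TSHARK_OUTPUT = "\n".join("\t".join(r) for r in _rows)

if __name__ == "__main__":
    for src, classes in hunt(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT), baseline={"10.0.0.7"}).items():
        print("recon-like enumeration from %s: %s" % (src, ", ".join(classes)))
```

The window and class threshold are the knobs that trade recall for triage load: a single `(objectCategory=computer)` lookup is everyday traffic, but the same host asking for computers, users, trusts, SPNs, GPOs and LAPS attributes inside a few minutes is the sequence worth a Situation. In a real deployment the baseline would be learned per entity and peer group rather than hard-coded.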

From a defensive perspective, it is highly recommended that access control lists and permissions on domain controllers be tightened. Unfortunately, this is tricky because many legitimate tools and services depend on exactly these LDAP read capabilities. While there are suggestions on ways to tighten permissions and prevent enumeration, none of them are foolproof and many could break existing processes and operations.

Sujit Ghosal

Sr. Threat Researcher