T1016 System Network Configuration Discovery Mappings

Intel Threat Detection Technology (TDT) and CrowdStrike Falcon Accelerated Memory Scanning (CAMS): Defending Against System, Owner, User, and Network Information Discovery Attacks Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Advanced Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of System, Owner, User, and Network Information Discovery attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, while minimizing system performance impact. System, Owner, User, and Network Information Discovery attacks involve adversaries attempting to collect detailed information about the system they’ve infiltrated. Attackers gather data about the operating system, local users, network configurations, system owner, active connections, and network shares. This information is typically used to plan further exploitation, lateral movement, and privilege escalation within the target network. By querying system properties, user accounts, and network settings, attackers gain the intelligence necessary for executing advanced attacks. Intel TDT plays a crucial role by providing real-time telemetry on program execution, memory access, and control flow, enabling quick detection of abnormal activities like unauthorized information gathering from system and network resources. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of suspicious activity without negatively impacting system performance. CAMS is capable of identifying the unauthorized collection of system, user, or network-related data, helping to detect when attackers are gathering intelligence for the purpose of launching further attacks.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.