Full Report
Following on from Evert’s posting about the new BroadView v4, I’d like to showcase a specific aspect of BV that we’ve found useful, namely Attributes. These are small pieces of data collected and maintained for each host scanned by BV. They include somewhat mundane bits of info like IP address and OS, but they also include some really tasty morsels about the remote hosts that are scanned. Attributes are collected on a per-scan-per-host basis and are populated by each test that runs during the scan. Since attribute population depends on the selected tests, the set of Attributes available to you will vary according to your configuration.
Analysis Summary
# Tool/Technique: BroadView v4 Attributes
## Overview
BroadView (BV) v4 Attributes are small pieces of data collected and maintained for each host scanned by the tool. They are populated by tests run during a scan and are used to quickly aggregate and report on specific host configurations, patch levels, software installations, and security posture details (like anonymous FTP access). This functionality is primarily intended for internal Vulnerability Management and Pen Testing use within an organization.
## Technical Details
- Type: Tool (Feature within the BroadView scanning product)
- Platform: Primarily targets systems running Microsoft Windows, given the focus on Windows attributes (Patches, Registry, Active Directory, etc.). Scanning occurs across the network.
- Capabilities: Data aggregation, filtering, rapid reporting based on specific host characteristics gathered from network scans (authenticated or unauthenticated).
- First Seen: The article refers to a "new" v4 in April 2010, suggesting the feature was introduced around that time.
## MITRE ATT&CK Mapping
The core function of BroadView Attributes is **Discovery** and **Information Gathering** during network security assessments or vulnerability management activities.
- **TA0007 - Discovery**
- T1046 - Network Service Scanning
- T1087 - Account Discovery
- T1087.002 - Domain Account
- **TA0003 - Persistence** (a less direct mapping: relevant only if attributes are used to monitor for persistent changes after an incident; the tool itself is not malware, but its function overlaps with understanding system state)
*Note: BroadView is a management/scanning tool, not typical adversary malware. Mappings focus on the type of information it gathers, which mimics adversary reconnaissance.*
## Functionality
### Core Capabilities
- **Host Information Collection:** Collects basic data like IP address and OS.
- **Patch Status Reporting:** Quickly query which Windows hosts are missing specific Microsoft patches (e.g., MS10-018).
- **Configuration Auditing:** Identify systems using outdated configurations (e.g., old WSUS server names).
- **Software Inventory:** List hosts with specific software installed (e.g., uTorrent).
- **Service Configuration Discovery:** Determine configurations of network services (e.g., checking if FTP allows anonymous access).
### Advanced Features
- **Authenticated/Unauthenticated Data Collection:** Some attributes (like basic banners) can be collected without credentials, while others (like Active Directory group membership) require domain credentials.
- **Extensibility:** The system allows for adding custom attributes based on client needs or internal assessments.
- **Rapid Export:** Ability to immediately download query results as a CSV file for external analysis or reporting.
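To make the per-scan-per-host model concrete, here is a small Python sketch, added here and not BroadView's own code or query API, of an attribute store that answers the kinds of queries listed above and exports the result as CSV. The record layout, the function names, and every attribute name other than `Config.Microsoft.Windows.WSUS.Server` are assumptions; the host data is constructed.

```python
import csv
import io

# Constructed sample: one attribute record per (scan, host), holding only the attributes
# the selected tests populated. Config.Microsoft.Windows.WSUS.Server is the attribute
# name the page quotes; the other attribute names are hypothetical illustrations.
SAMPLE_RECORDS = [
    {"scan": "S1", "host": "10.0.0.5", "os": "Windows Server 2003",
     "Config.Microsoft.Windows.WSUS.Server": "http://old-wsus:8530",
     "Patch.Missing": ["MS10-018", "MS10-020"], "FTP.Anonymous": True},
    {"scan": "S1", "host": "10.0.0.6", "os": "Windows XP",
     "Config.Microsoft.Windows.WSUS.Server": "http://wsus.corp:8530",
     "Patch.Missing": ["MS10-018"], "FTP.Anonymous": False},
    # Patch test not run against this host, so it has no Patch.Missing attribute at all.
    {"scan": "S1", "host": "10.0.0.7", "os": "Linux", "FTP.Anonymous": True},
    # Earlier scan of the same host; must not leak into queries against S1.
    {"scan": "S0", "host": "10.0.0.5", "os": "Windows Server 2003", "Patch.Missing": ["MS10-018"]},
]

def select(records, scan, predicate):
    """Hosts from one scan whose attribute record satisfies predicate, sorted by host."""
    return sorted(r["host"] for r in records if r["scan"] == scan and predicate(r))

def missing_patch(records, scan, patch_id):
    # An absent attribute means the test did not run, not that the host is patched,
    # so untested hosts are neither reported here nor counted as compliant.
    return select(records, scan, lambda r: patch_id in r.get("Patch.Missing", []))

def not_patch_tested(records, scan):
    return select(records, scan, lambda r: "Patch.Missing" not in r)

def wsus_server_is(records, scan, server):
    return select(records, scan, lambda r: r.get("Config.Microsoft.Windows.WSUS.Server") == server)

def anonymous_ftp(records, scan):
    return select(records, scan, lambda r: r.get("FTP.Anonymous") is True)

def export_csv(records, scan, hosts, columns):
    """CSV of the chosen attributes for the matched hosts; blank cell when a test did not run."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["host"] + columns)
    for r in records:
        if r["scan"] == scan and r["host"] in hosts:
            w.writerow([r["host"]] + [r.get(c, "") for c in columns])
    return buf.getvalue()
```

The separate `not_patch_tested` query matters in practice: a host that was never tested for a patch should show up as a coverage gap, not silently drop out of the "missing" report.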
## Indicators of Compromise
Since BroadView is a benign vulnerability scanning tool, only the general categories are listed; no actual IoC data for the tool itself is present in the text.
- File Hashes: N/A (Tool Installation Files)
- File Names: N/A (Tool Executables)
- Registry Keys: Attributes monitor keys like configuration settings, e.g., related to `Config.Microsoft.Windows.WSUS.Server`.
- Network Indicators: N/A (The tool communicates with scanned hosts; no adversary C2 is involved.)
- Behavioral Indicators: N/A (Standard network scanning behavior.)
## Associated Threat Actors
None. BroadView is a commercial or internal security assessment tool developed by SensePost.
## Detection Methods
Detection focuses on identifying the *activity* of the BroadView scanner on the network, rather than detecting malware.
- Signature-based detection: Signatures may exist for the BroadView scanner executable or its known User-Agent strings if it uses specific HTTP headers during scans.
- Behavioral detection: Look for network scanning patterns characteristic of vulnerability assessment tools against a wide asset range.
- YARA rules: Not applicable.
## Mitigation Strategies
Mitigation centers on controlling or classifying the scanning traffic generated by the tool.
- Prevention measures: Restrict execution of vulnerability scanners (like BroadView) to authorized security teams or dedicated assessment jump boxes.
- Hardening recommendations: Implement host-based firewalls to limit which services are externally accessible, reducing the information leakage available via unauthenticated scanning tests.
## Related Tools/Techniques
- Other commercial vulnerability scanners (e.g., Nessus, Qualys).
- Internal auditing scripts leveraging native Windows tooling (e.g., PowerShell, WMI) to gather similar host attributes.
- Network reconnaissance frameworks.