Charles Leaver – Threat Indications Can Be Observed From Command Usage

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Repeating a theme in computer security is never a bad thing. As advanced as some cyber attacks can be, you still have to watch for and understand the use of common, readily available tools in your environment. These tools are usually used by your own IT staff, are likely whitelisted, and so can be overlooked by security teams sifting through all the applications that ‘could’ be executed on an endpoint.

Once someone has penetrated your network, which can be done in a range of ways and is a blog post for another day, any sign of these programs and tools running in your environment should be examined to confirm the usage is legitimate.

A few tools/commands and their functions:

Netstat – Information on the current network connections. This can be used to identify other systems within the network.

PowerShell – Built-in Windows command line shell that can carry out a variety of activities, such as gathering critical details about the system, killing processes, adding or deleting files, and so on.

WMI – Another powerful built-in Windows facility. It can move files around and gather essential system details.

Route Print – Command to display the local routing table.

Net – Manages users, domains, accounts, and groups.

RDP (Remote Desktop Protocol) – Protocol and client for accessing systems remotely.

AT – Schedules tasks.

Looking for activity from these tools can be time consuming and sometimes overwhelming, but it is necessary to get a handle on who might be moving around in your network. That means not just what is happening in real time, but also what happened in the past, so you can see the path someone may have taken through the network. It is typically not ‘patient zero’ that is the target; once attackers get a foothold, they may use these tools and commands to begin their reconnaissance and eventually migrate to a high value asset. It is that lateral movement you want to find.

You need the ability to gather the details discussed above, and the means to sort through that data to discover, alert on, and investigate it. You can use Windows Events to monitor various changes on a device and then filter that down.
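One way to do that filtering, as an added example that is not part of the original post or of the Ziften product: review constructed process-creation records for the tools listed above, and flag runs by accounts other than the IT deployment account or runs inside an RDP session. The record shape (host, user, logon type, process, command line, status) and the approved account name are assumptions.

```python
"""Flag built-in admin tools (netstat, powershell, wmic, route, net, at) run by
non-IT accounts or over RDP. Records are constructed samples shaped loosely after
Windows event 4688 joined with the 4624 logon type; field names are assumptions."""
import ntpath
from collections import Counter

# Tools the post lists; wmic.exe and at.exe are the command-line forms of WMI / AT.
WATCHED_TOOLS = {"netstat.exe", "powershell.exe", "wmic.exe", "route.exe", "net.exe", "at.exe"}
APPROVED_ACCOUNTS = {"CORP\\it-deploy"}  # assumption: the IT deployment account
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\it-deploy", "logon_type": 2, "status": "Terminated",
     "process": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup /add"},
    {"host": "ws01", "user": "CORP\\jsmith", "logon_type": 10, "status": "Terminated",
     "process": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup /add"},
    {"host": "ws02", "user": "CORP\\jsmith", "logon_type": 10, "status": "Running",
     "process": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -an"},
    {"host": "ws02", "user": "CORP\\jsmith", "logon_type": 10, "status": "Terminated",
     "process": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "ws03", "user": "CORP\\it-deploy", "logon_type": 3, "status": "Terminated",
     "process": r"C:\Windows\System32\route.exe", "cmdline": "route print"},
]

def tool_name(path):
    return ntpath.basename(path).lower()

def review_event(event):
    """Return the reasons an event is suspicious; empty list if it looks routine."""
    if tool_name(event["process"]) not in WATCHED_TOOLS:
        return []
    reasons = []
    if event["user"] not in APPROVED_ACCOUNTS:
        reasons.append("watched tool run by non-IT account")
    if event["logon_type"] == RDP_LOGON_TYPE:
        reasons.append("run inside an RDP session")
    if reasons and event["status"] == "Running":
        reasons.append("process still running: operator may be on the box now")
    return reasons

def find_suspicious(events):
    return [{"host": e["host"], "user": e["user"], "tool": tool_name(e["process"]),
             "cmdline": e["cmdline"], "reasons": r}
            for e in events if (r := review_event(e))]

def hosts_touched(findings):
    """Flagged events per host; a trail across hosts is the lateral-movement signal."""
    return Counter(f["host"] for f in findings)

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['tool']} {f['cmdline']!r}: {'; '.join(f['reasons'])}")
```

The first sample record is the IT account pushing the same `net user` command that is flagged in the second, which is the kind of side-by-side contrast the console screenshots below illustrate.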

Looking at the screenshots below from our Ziften console, you can see a quick difference between what our IT team used to push out changes across the network and someone running a very similar command themselves. This is similar to what you would find when someone did that from a remote location, say via an RDP session.

An interesting side note in these screenshots is that in every case the Process Status is ‘Terminated’. You would not see this particular detail during a live investigation, or if you were not continuously collecting the data. But since we collect all the information continuously, you have this historical data to look at. If you were to see the Status as ‘Running’, that could indicate that someone is on that system right now.

This only scratches the surface of what you should be collecting and how to evaluate what is right for your network, which naturally will differ from everyone else’s. But it is a start. Malicious actors intent on doing you harm will usually look for the path of least resistance. Why build new and interesting tools when most of what they need is already there and ready to go?
