Chuck Leaver – Watch Out For These Commands As They Could Be A Threat

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Repeating a point about computer security is never a bad thing. As sophisticated as some cyber attacks can be, you really need to look for and understand the use of common, readily available tools in your environment. These tools are routinely used by your IT staff, are most likely whitelisted, and so can be missed by security teams sifting through all the legitimate applications that ‘might’ be executed on an endpoint.

Once someone has penetrated your network (which can happen in a range of ways, and is a blog post for another day), any sign of these programs/tools running in your environment needs to be examined to confirm it is legitimate use.

A few commands/tools and their purpose:

Netstat – Details on the current network connections. This may be used to identify other systems on the network.

PowerShell – Built-in Windows command-line shell that can perform a variety of activities, such as gathering important information about the system, killing processes, adding or deleting files, and so on.

WMI – Another powerful built-in Windows feature. Can move files around and collect important system details.

Route Print – Command to view the local routing table.

Net – Manages accounts, users, groups, and domains.

RDP (Remote Desktop Protocol) – Used to access systems remotely.

AT – Scheduled tasks.

Looking for activity from these tools can be time consuming and at times overwhelming, but it is necessary to get a handle on who might be moving around in your environment. And not just what is happening in real time, but historically too, to see the path someone may have taken through the environment. It’s often not ‘patient zero’ that is the target; once they get a foothold, they can use these tools and commands to begin their reconnaissance and eventually move to a high value asset. It’s that lateral movement that you want to discover.

You must have the capability to collect the information discussed above and the means to sift through it to find, alert on, and investigate this data. You can use Windows Events to monitor various changes on a machine and then filter that down.

Looking at the screenshots below from our Ziften console, you can see a quick difference between what our IT group used to push out changes across the network, versus someone running a very similar command themselves. This could be much like what you would find when someone did that remotely, say via an RDP session.

[Screenshots from the Ziften console: commands-to-watch01 through commands-to-watch04]

An interesting side note in these screenshots is that in every case the Process Status is ‘Terminated’. You wouldn’t see this particular detail during a live investigation, or if you were not continuously collecting the data. But because we collect all of this information continuously, you have the historical data to look at. If you were instead seeing the Status as ‘Running’, that could mean that somebody is on that system right now.
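The filtering described above (watching for the tools listed earlier, separating an IT push from an interactive run of the same command, and noting Terminated versus Running status), as an added Python example that is not part of the original post and is not Ziften code. It works on constructed key=value process-creation records that stand in for Security event 4688 / Sysmon event 1 data; the executable-to-tool mapping, the ‘sanctioned push’ rule (deployment service account plus the management agent as parent process), and every host, account and path name are assumptions made for the example.

```python
import re
from collections import defaultdict

# Process names for the built-in tools the post lists. Which executable
# stands for which tool is an assumption made for this example.
WATCHLIST = {
    "netstat.exe": "Netstat",
    "powershell.exe": "PowerShell",
    "wmic.exe": "WMI",
    "route.exe": "Route Print",
    "net.exe": "Net",
    "net1.exe": "Net",
    "mstsc.exe": "RDP",
    "at.exe": "AT",
}

# Assumed definition of a sanctioned IT push: run by the deployment service
# account with the management agent as parent. Both names are invented.
SANCTIONED_PARENTS = {"agent.exe"}
SANCTIONED_ACCOUNTS = {"corp\\svc_deploy"}

# Constructed process-creation records in a simplified key=value layout
# (not real Windows Event Log output). Fields mirror what Security event
# 4688 / Sysmon event 1 carry, plus the Process Status the post mentions.
SAMPLE_EVENTS = r"""
time=2016-03-01T09:02:11 host=WS-0142 user=CORP\svc_deploy parent="C:\Program Files\MgmtAgent\agent.exe" image=C:\Windows\System32\net.exe status=Terminated cmdline="net user helpdesk /add"
time=2016-03-01T09:02:12 host=WS-0142 user=CORP\svc_deploy parent="C:\Program Files\MgmtAgent\agent.exe" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe status=Terminated cmdline="powershell -File C:\deploy\patch.ps1"
time=2016-03-01T21:47:03 host=WS-0142 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\net.exe status=Terminated cmdline="net user helpdesk2 /add"
time=2016-03-01T21:47:40 host=WS-0142 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\NETSTAT.EXE status=Terminated cmdline="netstat -an"
time=2016-03-01T21:48:05 host=WS-0142 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\ROUTE.EXE status=Terminated cmdline="route print"
time=2016-03-01T21:49:30 host=WS-0142 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\at.exe status=Terminated cmdline="at 23:00 cmd /c hostname"
time=2016-03-01T21:50:00 host=WS-0142 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe status=Running cmdline="powershell"
time=2016-03-01T21:50:30 host=WS-0142 user=CORP\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe status=Terminated cmdline="notepad.exe"
"""

# key=value tokens; a value is either a double-quoted run or non-whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one record into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a finding for a watchlisted tool, or None for anything else."""
    tool = WATCHLIST.get(basename(ev["image"]))
    if tool is None:
        return None
    sanctioned = (basename(ev["parent"]) in SANCTIONED_PARENTS
                  and ev["user"].lower() in SANCTIONED_ACCOUNTS)
    return {
        "time": ev["time"], "host": ev["host"], "user": ev["user"],
        "tool": tool, "cmdline": ev["cmdline"],
        "verdict": "sanctioned push" if sanctioned else "review",
        # A still-running process may mean someone is on the box right now.
        "live": ev.get("status") == "Running",
    }


def scan(text):
    """Run every record through classify() and keep only the findings."""
    findings = []
    for line in text.strip().splitlines():
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


def recon_chains(findings, min_tools=3):
    """Group 'review' findings by (host, user): one account running several
    distinct watchlisted tools on one host looks like reconnaissance, not a
    one-off, and is the historical path the post says to look for."""
    by_actor = defaultdict(list)
    for f in findings:
        if f["verdict"] == "review":
            by_actor[(f["host"], f["user"])].append(f)
    return {actor: fs for actor, fs in by_actor.items()
            if len({f["tool"] for f in fs}) >= min_tools}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        flag = " [RUNNING NOW]" if f["live"] else ""
        print(f'{f["time"]} {f["host"]} {f["user"]:18} {f["tool"]:12} '
              f'{f["verdict"]:15}{flag} {f["cmdline"]}')
    for (host, user), fs in recon_chains(found).items():
        print(f"\nPossible recon chain on {host} by {user}: "
              + " -> ".join(f["tool"] for f in fs))
```

Feeding real data in means replacing SAMPLE_EVENTS with exported 4688 or Sysmon records and tuning the sanctioned-push rule to whatever your own deployment channel actually looks like; the point of the grouping step is that the individual commands are all legitimate on their own, and it is the sequence from one account on one host that stands out.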

This only scratches the surface of what you should be collecting and how to evaluate what is right for your environment, which of course will differ from everyone else’s. But it’s a good place to start. Malicious actors intent on doing you harm will typically look for the path of least resistance. Why build new and interesting tools when much of what they need is already there and ready to go?

~leaverchuck1
