When it comes to computer security, it never hurts to reiterate an ongoing theme over and over and over and…yes, over. As sophisticated as some attacks can be, you really need to watch for and understand the use of common readily available tools in your environment. These tools are typically used by your IT staff and most likely would be whitelisted for use and can be missed by security teams mining through all the relevant applications that ‘could’ be executed on an endpoint.
Once someone has breached your network, which can be done in a variety of ways and another blog for another day, signs of these tools/programs running in your environment should be looked at to ensure proper usage.
A few tools/commands and their functions:
- Netstat – Details to the current connections on the system. This could be used to identify other systems within the network.
- Powershell – Built-in Windows command line utility and can perform a host of activities such as getting critical information about the system, killing processes, adding files/deleting files etc.
- WMI – Another powerful built-in Windows utility. Can move files around and gather important system information.
- Route Print – Command to see the local routing table.
- Net – Adding users/domains/accounts/groups
- RDP (Remote Desktop Protocol) – Program to access systems remotely
- AT – Scheduled tasks
Looking for activity from these tools can be time consuming and sometimes overwhelming, but is necessary to get a handle on who might be moving around in your environment. And not just what is occurring in real-time, but historically as well to see a path someone might have taken through the environment. It’s often not ‘patient zero’ that is the target, but once they get a foothold, they could utilize these tools and commands to start their reconnaissance and finally move to a high value asset. It’s that lateral movement that you would like to find.
You must have the ability to collect the information discussed above and the means to sift through to find, alert, and investigate on this data. You can utilize Windows Events to monitor various changes on a device and then filter that down. A great article to read on that is located here. For more logging fun, you can reference these ‘cheat sheets’ and have a good handle on working the various events you captured.
Looking at some screen shots below from our Ziften console, you can see a quick difference between what our IT group used to push out changes in the environment, versus someone running a very similar command themselves. This could be similar to what you find when someone did that remotely say via and RDP session.
*Command line shows a script ‘admin.bat’ being executed. This is how IT was pushing out changes such as adding users and groups
*Command line is missing the ‘admin.bat’ script. This also shows that the Net command was run (spawned as a child proc of cmd.exe)
*When we look at the command line of the net.exe, we see a user being added to the system.
*Further investigation on this system shows a host of commands being run.
An interesting side note in these screenshots is that in all of the cases, the Process Status is ‘Terminated’. You would not see this detail during a live investigation or if you were not always collecting the data. But since we are collecting all of the information continuously, you have this historical data to look at. If in the event you were seeing the Status as ‘Running’, this could indicate that someone is live on that system right now.
This only touches the surface of what you should be collecting and how to analyze what is right for your environment, which of course will be different than that of others. But it’s a start. Malicious actors with intent to do you harm will usually look for the path of least resistance. Why try and create new and interesting tools, when a lot of what they need is already there and ready to go.