Chuck Leaver – Observe Specific Commands To Identify Threats

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Repeating a concept in computer security is never a bad thing. As advanced as some attacks are, you still need to watch for, and understand the use of, the common tools that are already available in your environment. These tools are used by your IT staff every day, are almost certainly whitelisted, and so can be missed by security teams sifting through all the legitimate applications that 'might' be executed on an endpoint.

Once someone has breached your network (which can happen in many ways, and is a post for another day), evidence of these tools and programs running in your environment should be examined to confirm that the use was legitimate.

A few tools/commands and their functions:

Netstat – Lists the system's active connections and listening ports. An attacker can use it to identify the other systems this host talks to.

PowerShell – Windows' built-in command-line shell and scripting language. It can do almost anything: gather detailed system information, kill processes, create or delete files, and run commands on remote hosts.

WMI – Windows Management Instrumentation, another powerful built-in Windows facility. Through wmic.exe or PowerShell it can query system details, copy files and start processes, including on remote machines.

Route Print – Command that displays the local IP routing table, revealing which networks are reachable from the host.

Net – The net.exe family of commands (net user, net group, net view, net use) for enumerating and modifying accounts, users, groups, domains and shares.

RDP (Remote Desktop Protocol) – Interactive remote access to systems, normally through the mstsc.exe client.

AT – Creates scheduled tasks on the local or a remote machine. It is deprecated, but its replacement, schtasks.exe, deserves the same scrutiny.

Hunting for activity from these tools can be time consuming and sometimes frustrating, but it is necessary if you want to know who might be moving around inside your network. And not just what is happening in real time, but what happened in the past, so you can reconstruct the path someone took through the network. 'Patient zero' is frequently not the real target; once attackers get a foothold, they use these commands and tools to begin reconnaissance and eventually migrate to a high-value asset. It is that lateral movement you want to catch.

You must have the ability to collect the data discussed above, and the means to sift through it to detect, alert on and investigate what you find. Windows Events are one source: with process-creation auditing (Security Event ID 4688) and command-line logging enabled, you can track these changes on a machine and then filter the results down.

The screenshots below, taken from our Ziften console, show the quick distinction between what our IT team used to push changes out across the network and someone running a very similar command themselves. The second case is what you might see when someone did it remotely, say through an RDP session.

[Screenshot: commands-to-watch01]

[Screenshot: commands-to-watch02]

[Screenshot: commands-to-watch03]

[Screenshot: commands-to-watch04]

An interesting side note in these screenshots is that in every case the Process Status is 'Terminated'. You would not see this detail during a live investigation unless you were collecting the data continuously; because we are, the historical record is there to look back at. If instead you saw the status as 'Running', that would indicate someone is on that system right now.
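As an added example (not code from the original post or from the Ziften product), here is a small Python hunt over constructed process-creation records that applies the points above: it matches the watched tools, ignores the same command when it comes from an assumed IT deployment tool running under its service account, flags interactive and RDP-session use (Windows logon type 10), notices a remote target in the command line, and reports whether the process was still 'Running' or already 'Terminated'. The record fields, the deployment parents (ccmexec.exe, gpscript.exe), the svc_sccm account and the sample events are all assumptions made for this example.

```python
"""Constructed example (not from the original post or Ziften's product): hunt through
process-creation records for the built-in tools listed above, separate expected IT
pushes from hands-on-keyboard use, and note whether the process is still running.

The records mimic Windows Security Event ID 4688 fields (process, parent, command
line, account) plus the session's logon type and a process status. They are made up
for this example; the field names are assumptions, not a real event schema."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Executables behind the commands the post says to watch, with what their use suggests.
WATCHED_TOOLS = {
    "netstat.exe": "connection enumeration",
    "powershell.exe": "scripting / remote execution",
    "wmic.exe": "WMI query / remote process creation",
    "route.exe": "routing table enumeration",
    "net.exe": "account, group and share enumeration",
    "net1.exe": "account, group and share enumeration",  # net.exe hands most work to net1.exe
    "mstsc.exe": "RDP client",
    "at.exe": "scheduled task creation",
    "schtasks.exe": "scheduled task creation",
}

# Assumed for this example: the parent processes and service account an IT deployment
# tool uses when it pushes changes. Fill these in from your own tooling.
KNOWN_DEPLOYMENT_PARENTS = {"ccmexec.exe", "gpscript.exe"}
KNOWN_DEPLOYMENT_ACCOUNTS = {"svc_sccm"}

# Windows logon types: 2 = Interactive (console), 3 = Network, 5 = Service, 10 = RemoteInteractive (RDP).
REMOTE_INTERACTIVE = 10
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
# "/node:HOST" (wmic) or a "\\HOST" UNC target (net use, at) means the command reaches another machine.
REMOTE_TARGET = re.compile(r"(/node:|\\\\[\w.-]+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    user: str
    logon_type: int
    parent_image: str
    image: str
    command_line: str
    status: str  # "Running" or "Terminated", as the console showed


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    reason: str
    live: bool  # True when the process was still running when the record was collected


def classify(ev: ProcessEvent) -> Optional[Finding]:
    """Return a Finding for a watched tool that is not an expected IT push, else None."""
    exe = ntpath.basename(ev.image).lower()
    purpose = WATCHED_TOOLS.get(exe)
    if purpose is None:
        return None
    parent = ntpath.basename(ev.parent_image).lower()
    # The same command is routine when the deployment tool runs it under its service account.
    if parent in KNOWN_DEPLOYMENT_PARENTS and ev.user.lower() in KNOWN_DEPLOYMENT_ACCOUNTS:
        return None
    reasons = [purpose]
    if ev.logon_type == REMOTE_INTERACTIVE:
        reasons.append("run from an RDP session")
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"interactive parent {parent}")
    if REMOTE_TARGET.search(ev.command_line):
        reasons.append("targets a remote host")
    return Finding(ev.host, ev.user, exe, "; ".join(reasons), live=(ev.status == "Running"))


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Run classify() over a batch of records, keeping the findings in event order."""
    return [f for f in (classify(ev) for ev in events) if f is not None]


# Constructed records: one IT push, one unrelated process, then three hands-on commands.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "svc_sccm", 5, r"C:\Windows\CCM\CcmExec.exe",
                 r"C:\Windows\System32\net.exe",
                 r"net localgroup Administrators corp\helpdesk /add", "Terminated"),
    ProcessEvent("WS01", "jdoe", 10, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe", "Running"),
    ProcessEvent("WS01", "jdoe", 10, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\net.exe",
                 r"net localgroup Administrators corp\jdoe /add", "Terminated"),
    ProcessEvent("WS01", "jdoe", 10, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic /node:FILESRV01 process call create cmd.exe", "Running"),
    ProcessEvent("WS02", "asmith", 2, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\NETSTAT.EXE", "netstat -ano", "Terminated"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        state = "LIVE" if f.live else "historical"
        print(f"{f.host}\t{f.user}\t{f.tool}\t{state}\t{f.reason}")
```

The IT push and the user's own `net localgroup ... /add` are the same command; only the parent process, account and logon type tell them apart, which is exactly the distinction the screenshots above draw. In practice the records would come from the Security log (4688 with command-line auditing on) or an endpoint agent, and the deployment parents and service accounts must be tuned to what your own IT team actually uses.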

This only scratches the surface of what you should be collecting and how to evaluate what is right for your network, which will naturally differ from everyone else's. But it is a good place to start. Malicious actors intent on doing you harm will generally take the path of least resistance: why build new and interesting tools when most of what they need is already there and ready to go?