Why You Need To Observe Command Activity To Uncover Threats – Charles Leaver

By | March 31, 2017

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Repeating a concept in computer security is never a bad thing. As sophisticated as some attacks may be, you really have to look for and understand the use of common, readily available tools in your environment. These tools are typically used by your IT staff, are more than likely whitelisted for use, and can be missed by security teams mining through all the applications that ‘could’ be executed on an endpoint.

Once someone has penetrated your network, which can be done in a variety of ways and is another post for another day, signs of these programs and tools running in your environment ought to be examined to ensure they are being used legitimately.

A few of these commands and tools and what they do:

Netstat – Details of the current connections on the system. This may be used to identify other systems within the network.

PowerShell – Built-in Windows command-line facility that can perform a range of actions such as obtaining critical information about the system, killing processes, adding or removing files, and so on.

WMI – Another powerful built-in Windows facility. Can move files around and gather key system details.

Route Print – Command to view the local routing table.

Net – Works with accounts, users, groups and domains.

RDP (Remote Desktop Protocol) – Used to access systems remotely.

AT – Scheduled tasks.

Searching for activity from these tools can be time consuming and sometimes frustrating, but it is necessary to get a handle on who might be moving around in your network. And not just what is happening in real time, but in the past as well, to see the path someone may have taken through the network. It’s usually not ‘patient zero’ that is the target, but once they get a foothold, they may use these tools and commands to start their reconnaissance and finally migrate to a high-value asset. It’s that lateral movement that you want to discover.

You need to have the capability to collect the information discussed above and the means to sort through it to find, alert on, and examine this data. You can use Windows Events to track various changes on a device and then filter that down.
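As an added example that is not part of the original post (and not Ziften’s code), the following Python runs that idea over constructed Windows Security log records: it flags the watched commands in process-creation (4688) events and, by matching logon ids against logon (4624) events, marks which of them were issued from an RDP session (LogonType 10), the same distinction the screenshots draw between an IT push and someone running the same command remotely. The user names, logon ids and command lines are made up for the sample.

```python
import ntpath

# Executables behind the commands the post lists (route print -> route.exe,
# WMI from the command line -> wmic.exe, AT -> at.exe); lower-case names.
WATCHED = {"netstat", "powershell", "wmic", "route", "net", "at"}

RDP_LOGON_TYPE = 10  # 4624 LogonType 10 is RemoteInteractive, i.e. RDP

# Constructed sample events in the shape of Security log 4624 (logon) and
# 4688 (process creation) fields: a console logon, an RDP logon, then the
# processes each session started.
EVENTS = [
    {"id": 4624, "LogonType": 2, "TargetLogonId": "0x1c4b0",
     "TargetUserName": "it-admin"},
    {"id": 4624, "LogonType": 10, "TargetLogonId": "0x3e7a1",
     "TargetUserName": "jdoe"},
    {"id": 4688, "SubjectLogonId": "0x1c4b0", "SubjectUserName": "it-admin",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc-backup /add"},
    {"id": 4688, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\netstat.exe",
     "CommandLine": "netstat -an"},
    {"id": 4688, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\route.exe",
     "CommandLine": "route print"},
    {"id": 4688, "SubjectLogonId": "0x3e7a1", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def tool_name(new_process_name):
    """Executable name without path or .exe, lower-case: 'Net.exe' -> 'net'."""
    base = ntpath.basename(new_process_name).lower()
    return base[:-4] if base.endswith(".exe") else base

def find_watched_commands(events):
    """One hit per 4688 whose executable is on the watch list, tagged with
    whether the issuing logon session (matched on logon id) came in over RDP."""
    rdp_sessions = {e["TargetLogonId"] for e in events
                    if e["id"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE}
    hits = []
    for e in events:
        if e["id"] == 4688 and tool_name(e["NewProcessName"]) in WATCHED:
            hits.append({"user": e["SubjectUserName"],
                         "tool": tool_name(e["NewProcessName"]),
                         "cmd": e["CommandLine"],
                         "via_rdp": e["SubjectLogonId"] in rdp_sessions})
    return hits
```

On the sample data the IT admin’s net command is reported as a local session while the netstat and route print runs are reported as RDP-originated; notepad is ignored.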

Looking at the screenshots below from our Ziften console, you can see a quick distinction between what our IT group used to push out changes to the network, versus someone running a very similar command themselves. This could be much like what you would find when someone did that from a remote location, say through an RDP session.

[Ziften console screenshots: commands-to-watch01 through commands-to-watch04]

An interesting side note in these screenshots is that in all cases the Process Status is ‘Terminated’. You would not see this particular information during a live investigation or if you were not always collecting the data. But since we are collecting all of the details continuously, you have this historical data to look at. If you were seeing the Status as ‘Running’, this could indicate that someone is actually on that system right now.

This only scratches the surface of what you should be collecting and how best to analyze what is right for your network, which of course will differ from that of others. But it’s a good place to start. Malicious actors with intent to do you harm will generally look for the path of least resistance. Why try to develop new and interesting tools, when much of what they need is already there and ready to go?
