Charles Leaver – Monitor These Commands For Potential Threats

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO

 

The repeating of a concept when it pertains to computer security is never a negative thing. As sophisticated as some cyber attacks can be, you truly have to watch for and understand using typical readily available tools in your environment. These tools are generally utilized by your IT personnel and probably would be whitelisted for usage and can be missed by security groups mining through all the appropriate applications that ‘might’ be executed on an endpoint.

As soon as somebody has breached your network, which can be performed in a variety of ways and another post for another day, indications of these tools/programs running in your environment needs to be checked to guarantee appropriate usage.

A couple of commands/tools and their features:

Netstat – Details on the existing connections on the system. This may be used to recognize other systems within the network.

Powershell – Integrated Windows command line function and can perform a range of actions for example getting important info about the system, killing processes, including files or removing files and so on

WMI – Another effective integrated Windows function. Can shift files around and gather important system information.

Route Print – Command to see the local routing table.

Net – Including domains/groups/users/accounts.

RDP (Remote Desktop Protocol) – Program to gain access to systems remotely.

AT – Arranged tasks.

Looking for activity from these tools can be time consuming and often be overwhelming, however is essential to manage who might be moving around in your network. And not just what is occurring in real time, but in the past as well to see a course somebody may have taken through the network. It’s often not ‘patient zero’ that is the target, once they get a grip, they could make use of these tools and commands to start their reconnaissance and lastly migrate to a high worth asset. It’s that lateral motion that you wish to discover.

You need to have the capability to gather the info gone over above and the means to sift through to find, alert, and investigate this data. You can utilize Windows Events to track numerous changes on a device then filter that down.

Taking a look at some screen shots shown below from our Ziften console, you can see a quick distinction between exactly what our IT group used to push out changes in the environment, versus someone running an extremely similar command themselves. This may be much like what you discover when somebody did that remotely say by means of an RDP session.

An interesting side note in these screenshots is that in all of the cases, the Process Status is ‘Terminated’. You would not observe this detail during a live examination or if you were not constantly gathering the data. However because we are gathering all the info continuously, you have this historic data to take a look at. If in case you were seeing the Status as ‘Running’, this could show that somebody is live on that system right now.

This only scratches the surface of what you should be gathering and the best ways to evaluate what is right for your network, which obviously will be distinct from that of others. However it’s a start. Harmful actors with intent to do you damage will normally try to find the path of least resistance. Why attempt and produce new and intriguing tools, when a lot of exactly what they need is currently there and all set to go.