Written By Josh Harriman And Presented By Charles Leaver Ziften CEO
Repeating a theme in computer security is never a bad thing. As advanced as some attacks may be, you still have to check for, and understand, the use of common, readily available tools in your environment. These tools are typically used by your IT staff, are more than likely whitelisted, and can be missed by security teams sifting through all the applications that ‘could’ be executed on an endpoint.
Once someone has breached your network (which can be done in a variety of ways, and is a post for another day), signs of these tools and programs running in your environment should be examined to confirm appropriate use.
A few commands/tools and their functions:
Netstat – Information on the current connections on the network. This may be utilized to identify other systems within the network.
Powershell – Built-in Windows command line utility that can carry out a variety of activities, for example gathering crucial details about the system, killing processes, and adding or removing files.
WMI – Another powerful built-in Windows utility. Can move files around and collect essential system information.
Route Print – Command to view the local routing table.
Net – Adding domains/groups/users/accounts.
RDP (Remote Desktop Protocol) – Program to gain access to systems remotely.
AT – Scheduled tasks.
Looking for activity from these tools can consume a lot of time and at times be frustrating, but it is necessary to deal with whoever might be moving around in your environment. And not just what is happening in real time, but historically as well, to see the path someone may have taken through the network. It’s often not ‘patient zero’ that is the target; once attackers get a foothold, they can use these tools and commands to start their reconnaissance and eventually migrate to a high-value asset. It’s that lateral movement that you want to detect.
You need the ability to gather the details discussed above and the means to sift through them to find, alert on, and examine this data. You can use Windows Events to monitor various changes on a device and then filter that down.
Looking at the screenshots below from our Ziften console, you can see a quick distinction between what our IT group used to push out changes in the network, versus someone running a very similar command themselves. This may be much like what you would find when someone did that remotely, say through an RDP session.
An interesting side note in these screenshots is that in all cases the Process Status is ‘Terminated’. You would not see this detail during a live investigation, or if you were not continuously gathering the data. But since we are gathering all of the information continuously, you have this historical data to look at. If you were observing a Status of ‘Running’, this might indicate that someone is live on that system right now.
This only scratches the surface of what you need to be gathering and how to analyze what is right for your network, which of course will differ from that of others. But it’s a good place to start. Malicious actors with intent to do you harm will usually look for the path of least resistance. Why create brand new and interesting tools, when much of what they need is already there and ready to go?
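As an added example (not Ziften's code or console output), the Python below applies the approach of the last three paragraphs to constructed Windows Security event records: process-creation (4688) records are tied to their logon session (4624) so that the same `net` command can be separated into expected IT deployment activity and a very similar command typed by a user inside an RDP session, and sessions in which several of the tools listed above ran together are surfaced as reconnaissance-like. The account `corp\svc-deploy`, the deployment-agent path, the host names and every event are assumptions constructed for this example; the Process Status field from the screenshots is not part of a 4688 record and is not modelled here.

```python
"""Triage constructed Windows 4624/4688 records for the admin tools named above.
Account, agent path and host names are hypothetical; none of this is real telemetry."""

# Executables behind the tools listed above, keyed by lower-case image name.
WATCHED = {"netstat.exe": "Netstat", "powershell.exe": "Powershell", "wmic.exe": "WMI",
           "route.exe": "Route", "net.exe": "Net", "net1.exe": "Net",  # net.exe calls net1.exe
           "mstsc.exe": "RDP", "at.exe": "AT"}

# Assumed local baseline (hypothetical): the account and parent process your IT
# group uses to push changes. Tune these to your own environment.
IT_ACCOUNTS = {"corp\\svc-deploy"}
IT_PARENTS = {"c:\\program files\\deployagent\\agent.exe"}

# 4624 LogonType values that matter here; 10 is an RDP session.
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}

# Constructed events shaped like Security log 4624 (logon) and 4688 (process
# creation) records; LogonId ties a process to the session that launched it.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "ws01", "logon_id": "0x3e7a1", "user": "corp\\svc-deploy", "logon_type": 5},
    {"id": 4688, "host": "ws01", "logon_id": "0x3e7a1", "user": "corp\\svc-deploy",
     "image": "C:\\Windows\\System32\\net.exe", "parent": "C:\\Program Files\\DeployAgent\\agent.exe",
     "cmdline": "net localgroup Administrators corp\\helpdesk /add"},
    {"id": 4624, "host": "ws01", "logon_id": "0x5b210", "user": "corp\\jdoe", "logon_type": 10},
    {"id": 4688, "host": "ws01", "logon_id": "0x5b210", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\net.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "net localgroup Administrators corp\\jdoe /add"},
    {"id": 4688, "host": "ws01", "logon_id": "0x5b210", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\NETSTAT.EXE", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netstat -ano"},
    {"id": 4688, "host": "ws01", "logon_id": "0x5b210", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\route.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "route print"},
    {"id": 4688, "host": "ws02", "logon_id": "0x7c0de", "user": "corp\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "notepad.exe"},
]

def image_name(path):
    """Last path component, lower-cased, so NETSTAT.EXE and netstat.exe match."""
    return path.rsplit("\\", 1)[-1].lower()

def session_index(events):
    """LogonId -> LogonType, built from the 4624 records."""
    return {e["logon_id"]: e["logon_type"] for e in events if e["id"] == 4624}

def classify(event, sessions):
    """(tool, verdict, reason) for one 4688 record, or None if not a watched tool."""
    tool = WATCHED.get(image_name(event["image"]))
    if tool is None:
        return None
    logon_type = sessions.get(event["logon_id"])
    if event["user"].lower() in IT_ACCOUNTS and event["parent"].lower() in IT_PARENTS:
        return tool, "expected", "launched by the IT deployment account via its agent"
    if logon_type == 10:
        return tool, "alert", "run inside a RemoteInteractive (RDP) session"
    name = LOGON_TYPES.get(logon_type, "unknown")
    return tool, "review", f"run by {event['user']} in a {name} logon"

def triage(events):
    """One finding per watched-tool execution, in event order."""
    sessions = session_index(events)
    findings = []
    for e in (e for e in events if e["id"] == 4688):
        result = classify(e, sessions)
        if result:
            tool, verdict, reason = result
            findings.append({"host": e["host"], "logon_id": e["logon_id"], "user": e["user"],
                             "tool": tool, "verdict": verdict, "reason": reason, "cmdline": e["cmdline"]})
    return findings

def recon_sessions(findings, min_tools=3):
    """Sessions (host, logon_id) in which several distinct watched tools ran outside
    the IT baseline: the enumerate-then-move pattern described above."""
    tools_by_session = {}
    for f in findings:
        if f["verdict"] != "expected":
            tools_by_session.setdefault((f["host"], f["logon_id"]), set()).add(f["tool"])
    return sorted(k for k, tools in tools_by_session.items() if len(tools) >= min_tools)

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['verdict']:8}] {f['host']} {f['user']:16} {f['tool']:10} {f['cmdline']}  ({f['reason']})")
    print("reconnaissance-like sessions:", recon_sessions(results))
```

Run as a script it prints one line per watched-tool execution and then the jdoe RDP session, in which Net, Netstat and Route all ran. In a real deployment the event dicts would come from `Get-WinEvent` or your SIEM's export and `IT_ACCOUNTS`/`IT_PARENTS` would be your own baseline; note that 4688 carries the command line only when the "Include command line in process creation events" policy is enabled, without which the `cmdline` field used here is empty.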