Written by Josh Harriman and presented by Charles Leaver, Ziften CEO
Repeating a theme in computer security is never a bad thing. As advanced as some attacks may be, you still need to look for, and understand, the use of common, readily available tools in your environment. These tools are normally used by your IT staff, are more than likely whitelisted, and can be missed by security teams sifting through all the legitimate applications that ‘could’ be executed on an endpoint.
When someone has breached your network (which can happen in a number of ways, and is a blog for another day), signs of these programs/tools running in your environment must be examined to verify they are being used legitimately.
A few of these commands/tools and their functions:
Netstat – Shows the current connections on the network. This can be used to identify other systems within the network.
PowerShell – Built-in Windows command-line shell that can perform a host of actions, for example gathering key information about the system, killing processes, and adding or removing files.
WMI – Another powerful built-in Windows facility. Can move files around and gather key system information.
Route Print – Command to view the local routing table.
Net – Lists and manages users/domains/accounts/groups.
RDP (Remote Desktop Protocol) – Used to access systems from a remote location.
AT – Schedules jobs.
Looking for activity from these tools can take a long time and often be overwhelming, but it is necessary to work out who might be moving around in your environment. And not just what is happening in real time, but historically too, so you can see the path someone may have taken through the environment. It’s often not ‘patient zero’ that is the target; once they get a foothold, they can use these tools and commands to begin their reconnaissance and finally move to a high-value asset. It’s that lateral movement that you want to find.
You need to be able to collect the details discussed above and have a way to sift through them to discover, alert on, and examine this data. You can use Windows Events to monitor various changes on a machine and then filter that down.
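As an added example (not code from the post or the Ziften product), here is the kind of filtering the post describes, run over constructed records shaped like Windows process-creation events: a watch list of the tools above, a placeholder sanctioned deployment account, and a check for several reconnaissance tools run by one user on one host inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools from the post, keyed by their usual image names (assumed names).
WATCHLIST = {"netstat.exe", "powershell.exe", "wmic.exe", "route.exe",
             "net.exe", "mstsc.exe", "at.exe"}
# Account your IT team uses for sanctioned pushes (constructed placeholder).
SANCTIONED_ACCOUNTS = {"CORP\\svc_deploy"}

# Constructed sample records in the shape of Windows 4688 process-creation events.
EVENTS = [
    {"time": "2017-03-01 09:00:05", "host": "WS01", "user": "CORP\\svc_deploy",
     "image": "powershell.exe", "cmd": "powershell.exe -File push_update.ps1",
     "session": "service"},
    {"time": "2017-03-01 22:14:01", "host": "WS07", "user": "CORP\\jsmith",
     "image": "netstat.exe", "cmd": "netstat -an", "session": "rdp"},
    {"time": "2017-03-01 22:14:40", "host": "WS07", "user": "CORP\\jsmith",
     "image": "route.exe", "cmd": "route print", "session": "rdp"},
    {"time": "2017-03-01 22:16:12", "host": "WS07", "user": "CORP\\jsmith",
     "image": "net.exe", "cmd": "net group \"Domain Admins\" /domain", "session": "rdp"},
    {"time": "2017-03-01 22:20:00", "host": "WS07", "user": "CORP\\jsmith",
     "image": "notepad.exe", "cmd": "notepad.exe", "session": "rdp"},
]

def classify(event):
    """None for an unwatched image, 'sanctioned' for an IT push, else 'review'."""
    if event["image"].lower() not in WATCHLIST:
        return None
    if event["user"] in SANCTIONED_ACCOUNTS and event["session"] != "rdp":
        return "sanctioned"
    return "review"

def recon_chains(events, window_minutes=10, min_tools=3):
    """Group 'review' hits per (host, user) and flag runs of at least min_tools
    distinct watch-listed tools inside the window: the reconnaissance pattern."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if classify(ev) == "review":
            hits[(ev["host"], ev["user"])].append(ev)
    alerts, window = [], timedelta(minutes=window_minutes)
    for (host, user), evs in hits.items():
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["time"])
            run = [e for e in evs[i:] if datetime.fromisoformat(e["time"]) - start <= window]
            tools = {e["image"].lower() for e in run}
            if len(tools) >= min_tools:
                alerts.append({"host": host, "user": user, "tools": sorted(tools),
                               "session": first["session"]})
                break
    return alerts
```

Feeding real 4688 (or Sysmon event 1) records through the same two functions gives the historical view the post talks about: the sanctioned push is filtered out, while the RDP session that chains netstat, route print and net on one host surfaces as a single alert.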
Looking at the screenshots below from our Ziften console, you can see a quick distinction between what our IT team used to push out changes across the network, versus someone running a very similar command themselves. This could be much like what you would find when someone did that from a remote location, say via an RDP session.
An interesting side note in these screenshots is that in all of the cases the Process Status is ‘Terminated’. You would not see this detail during a live investigation, or if you were not continuously collecting the data. But since we are gathering all of the information continuously, you have this historical data to look at. If you were instead observing the Status as ‘Running’, this could indicate that someone is on that system right now.
This only scratches the surface of what you should be collecting and how to evaluate what is right for your network, which of course will differ from everyone else’s. But it’s a good place to start. Malicious actors intent on doing you harm will usually look for the path of least resistance. Why try to create brand new and interesting tools when a great deal of what they need is already there and ready to go?