Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO
The repetition of a theme when it pertains to computer system security is never a negative thing. As advanced as some attacks can be, you truly need to check for and understand the use of common readily offered tools in your environment. These tools are normally utilized by your IT staff and more than likely would be whitelisted for usage and can be missed out on by security teams mining through all the appropriate applications that ‘might’ be executed on an endpoint.
When somebody has penetrated your network, which can be performed in a variety of ways and another blog post for another day, signs of these programs/tools running in your environment ought to be looked at to ensure correct usage.
A couple of commands/tools and their purpose:
Netstat – Information on the existing connections on the system. This may be utilized to identify other systems within the network.
Powershell – Built in Windows command line function and can carry out a variety of activities for example getting crucial details about the system, eliminating processes, including files or deleting files and so on
WMI – Another powerful integrated Windows utility. Can move files around and collect essential system information.
Route Print – Command to view the local routing table.
Net – Including domains/groups/users/accounts.
RDP (Remote Desktop Protocol) – Program to access systems remotely.
AT – Set up tasks.
Searching for activity from these tools can take a long time and often be overwhelming, but is essential to manage who might be moving around in your environment. And not just exactly what is happening in real-time, but historically too to see a course someone might have taken through the environment. It’s frequently not ‘patient zero’ that is the target, once they get a grip, they might use these tools and commands to start their reconnaissance and lastly shift to a high value asset. It’s that lateral movement that you wish to discover.
You must have the capability to gather the information talked about above and the means to sift through to discover, alert, and examine this data. You can make use of Windows Events to monitor various changes on a device then filter that down.
Taking a look at some screen shots below from our Ziften console, you can see a quick distinction between exactly what our IT group utilized to push out changes in the environment, versus someone running a really comparable command themselves. This could be much like what you find when somebody did that remotely say by means of an RDP session.
An intriguing side note in these screenshots is that in all cases, the Process Status is ‘Terminated’. You wouldn’t observe this detail during a live investigation or if you were not constantly collecting the data. But since we are collecting all of the details continuously, you have this historical data to take a look at. If in case you were seeing the Status as ‘Running’, this could show that somebody is live on that system right now.
This only touches the surface of exactly what you should be gathering and how to analyze what is correct for your network, which of course will be distinct from that of others. However it’s a start. Destructive actors with the intention to do you harm will usually try to find the path of least resistance. Why attempt and create brand-new and intriguing tools, when a great deal of what they need is currently there and ready to go.