Written by Josh Harriman and presented by Chuck Leaver, Ziften CEO
Repeating a theme in computer security is never a bad thing. As sophisticated as some attacks may be, you really need to watch for and understand the use of common, readily available tools in your environment. These tools are normally used by your IT staff, are most likely whitelisted, and can be missed by security teams sifting through all the applications that 'could' be executed on an endpoint.
Once someone has penetrated your network, which can be done in a number of ways and is a post for another day, signs of these programs/tools running in your environment should be examined to confirm they are being used legitimately.
A few commands/tools and their functions:
Netstat – Information on the current network connections on the system. This can be used to identify other systems on the network.
PowerShell – Built-in Windows command-line shell and scripting language that can perform a range of activities, such as gathering key information about the system, killing processes, and adding or removing files.
WMI – Another powerful built-in Windows utility. Can move files around and gather key system information.
Route Print – Command to view the local routing table.
Net – Enumerates and adds users/domains/accounts/groups.
RDP (Remote Desktop Protocol) – Used to access systems remotely.
AT – Schedules tasks.
Looking for activity from these tools can be time consuming and often overwhelming, but it is necessary if you want to know who may be moving around your network. And not just what is happening in real time, but historically as well, to see the path someone may have taken through the network. It's often not 'patient zero' that is the target: once they get a foothold, they may use these tools and commands to begin reconnaissance and eventually migrate to a high-value asset. It's that lateral movement you want to find.
You need to be able to collect the data described above and have the means to sort through it to discover, alert on, and investigate it. You can use Windows Events to monitor changes on a device and then filter that down; process creation events (Security log event 4688) record each launch of these tools, but only include the command line if command-line auditing has been enabled.
Looking at some screenshots from our Ziften console (shown below), you can see the quick distinction between what our IT group used to push out changes in the environment versus someone running a very similar command themselves. The latter may look much like what you find when someone ran it remotely, say via an RDP session.
An interesting side note in these screenshots is that in all cases the Process Status is 'Terminated'. You wouldn't observe this detail during a live investigation, or if you were not continuously collecting the data; because we collect all of it continuously, you have this historical record to look at. If instead you saw a Status of 'Running', that could indicate someone is live on that system right now.
This only scratches the surface of what you should be collecting and how to evaluate what is normal for your environment, which will of course differ from everyone else's. But it's a good place to start. Malicious actors intent on doing you harm will usually look for the path of least resistance. Why build new and interesting tools when much of what they need is already there and ready to go?
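As an added example (not Ziften's code or the post's own), the following Python script shows the kind of filtering the two preceding passages describe. It takes exported Security-log records, flags launches of the tools listed above, separates runs started by a hypothetical IT deployment agent from runs inside an RDP or console session (by joining the 4688 logon id to the 4624 logon event), marks each hit Terminated or Running depending on whether a matching 4689 process-exit record exists, and orders the remaining hits per user across hosts to expose the movement trail. The event records, hostnames, users, IP addresses and agent path are all constructed for illustration.

```python
"""Hunt Windows process-creation events for the built-in tools discussed above.

Added example for this post, not code from Ziften or the author. Input is a
list of dicts carrying the fields of Security log events 4624 (logon),
4688 (process creation) and 4689 (process exit). The sample records below
and the deployment-agent path are constructed for illustration.
"""
from collections import defaultdict

# Image names behind the commands the post lists (mstsc.exe is the RDP client).
WATCHED = {"netstat.exe", "powershell.exe", "wmic.exe", "route.exe",
           "net.exe", "net1.exe", "mstsc.exe", "at.exe"}
# Hypothetical parent image used when the IT team pushes changes.
TRUSTED_PARENTS = {r"c:\program files\itmgmt\agent.exe"}
# Windows logon types of interest: 2 = console, 10 = RemoteInteractive (RDP).
LOGON_KIND = {2: "local-console", 10: "rdp-session"}


def classify(proc, logon, exited):
    """Build a finding for one 4688 record, or None if the image is not watched."""
    image = proc["NewProcessName"].rsplit("\\", 1)[-1].lower()
    if image not in WATCHED:
        return None
    if proc["ParentProcessName"].lower() in TRUSTED_PARENTS:
        verdict = "it-deployment"
    elif logon is not None and logon["LogonType"] in LOGON_KIND:
        verdict = LOGON_KIND[logon["LogonType"]]
    else:
        verdict = "unattributed"
    return {"time": proc["TimeCreated"], "host": proc["Computer"],
            "user": proc["SubjectUserName"], "tool": image, "cmd": proc["CommandLine"],
            "verdict": verdict, "source_ip": logon.get("IpAddress", "-") if logon else "-",
            # Without a matching 4689 the process may still be live on the host.
            "status": "Terminated" if exited else "Running"}


def hunt(events):
    """Join 4688 to 4624 (by logon id) and 4689 (by host+pid); return findings by time."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    exited = {(e["Computer"], e["ProcessId"]) for e in events if e["EventID"] == 4689}
    findings = []
    for e in events:
        if e["EventID"] == 4688:
            f = classify(e, logons.get(e["SubjectLogonId"]),
                         (e["Computer"], e["NewProcessId"]) in exited)
            if f:
                findings.append(f)
    return sorted(findings, key=lambda f: f["time"])


def suspicious(findings):
    """Everything that cannot be attributed to the deployment agent."""
    return [f for f in findings if f["verdict"] != "it-deployment"]


def movement_trail(findings):
    """Per-user ordered list of hosts touched by suspicious runs: the lateral path."""
    trail = defaultdict(list)
    for f in suspicious(findings):
        if not trail[f["user"]] or trail[f["user"]][-1] != f["host"]:
            trail[f["user"]].append(f["host"])
    return dict(trail)


# Constructed sample: the IT agent and an RDP user run the same net command on
# WS-042; the RDP user then enumerates connections and hops to FS-01 over RDP.
SAMPLE = [
    {"EventID": 4624, "Computer": "WS-042", "TargetLogonId": "0x3e7", "LogonType": 5,
     "TargetUserName": "SYSTEM"},
    {"EventID": 4624, "Computer": "WS-042", "TargetLogonId": "0x8a1f3", "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23"},
    {"EventID": 4688, "TimeCreated": "2017-05-02T09:00:05", "Computer": "WS-042",
     "SubjectLogonId": "0x3e7", "SubjectUserName": "WS-042$", "NewProcessId": "0x1a4",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators svc-deploy /add",
     "ParentProcessName": r"C:\Program Files\ITMgmt\agent.exe"},
    {"EventID": 4689, "Computer": "WS-042", "ProcessId": "0x1a4"},
    {"EventID": 4688, "TimeCreated": "2017-05-02T22:14:31", "Computer": "WS-042",
     "SubjectLogonId": "0x8a1f3", "SubjectUserName": "jdoe", "NewProcessId": "0x9c0",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators jdoe /add",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4689, "Computer": "WS-042", "ProcessId": "0x9c0"},
    {"EventID": 4688, "TimeCreated": "2017-05-02T22:15:02", "Computer": "WS-042",
     "SubjectLogonId": "0x8a1f3", "SubjectUserName": "jdoe", "NewProcessId": "0x9d8",
     "NewProcessName": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -ano",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4689, "Computer": "WS-042", "ProcessId": "0x9d8"},
    {"EventID": 4624, "Computer": "FS-01", "TargetLogonId": "0x2b77c", "LogonType": 10,
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.42"},
    {"EventID": 4688, "TimeCreated": "2017-05-02T22:20:48", "Computer": "FS-01",
     "SubjectLogonId": "0x2b77c", "SubjectUserName": "jdoe", "NewProcessId": "0x4e0",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f"{f['time']} {f['host']:<7} {f['user']:<8} {f['tool']:<12} "
              f"{f['verdict']:<14} {f['status']:<10} {f['cmd']}")
    print("trail:", movement_trail(hunt(SAMPLE)))
```

The agent-launched and user-launched `net localgroup ... /add` commands are byte-for-byte the same kind of event; only the parent process and the logon type behind the logon id tell them apart, which is why the join to 4624 matters. The last hit on FS-01 has no 4689 record and therefore shows as Running, the condition the post calls out as a sign that someone may be on the box right now.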