Wednesday, January 27, 2016
The Need for Instrumentation
The same thing is true of targeted adversaries...they're able to seamlessly blend into your environment. Like special operations forces, they learn how to use tools native to the environment in order to get the information that they're after, whether it's initial reconnaissance of the host or the infrastructure, locating items of interest, moving laterally within the infrastructure, or exfiltrating data.
I caught this post from JPCERT/CC that discusses Windows commands abused by attackers. The author takes a different approach from previous posts and shares some of the command lines used, but also focuses on the frequency of use for each tool. There's also a section in the post that recommends using GPOs to restrict the use of unnecessary commands. An alternative approach might be to track attempts to use the tools, by creating a trigger to write a Windows Event Log record (discussed previously in this post). When incorporated into an overall log management (SEIM, filtering, alerting, etc.) framework, this can be an extremely valuable detection mechanism.
If you're not familiar with some of the tools that you see listed in the JPCERT/CC blog post, try running them, starting by typing the command followed by "/?".
TradeCraft Tuesday - Episode #6 discusses how Powershell can be used and abused. The presenters (one of whom is Kyle Hanslovan) strongly encourage interaction (wow, does that sound familiar at all?) with the presentation via Twitter. During the presentation, the guys talk about Powershell being used to push base64 encoded commands into the Registry for later use (often referred to as "fileless"), and it doesn't stop there. Their discussion of the power of Powershell for post-exploitation activities really highlights the need for a suitable level of instrumentation in order to achieve visibility.
The use of native commands by an adversary or intruder is not new...it's been talked about before. For example, the guys at SecureWorks talked about the same thing in the articles Linking Users to Systems and Living off the Land. Rather than talking about what could be done, these articles show you data that illustrates what was actually done; not might or could, but did.
So, what do you do? Well, I've posted previously about how you can go about monitoring for command line activity, which is usually manifest when access is achieved via RATs.
Not all abuse of native Windows commands and functionality is going to be as obvious as some of what's been discussed already. Take this recent SecureWorks post for example...it illustrates how GPOs have been observed being abused by dedicated actors. An intruder moving about your infrastructure via Terminal Services won't be as easy to detect using command line process creation monitoring, unless and until they resort to some form of non-GUI interaction.