Topmost Signs of Compromise Detected with Windows operating System

0

Microsoft Operating system CLI ( Command Line Interface ) is a great feature to do background jobs , likely to runs scripts ,automation stuffs etc.It helps folks like system analyst ,network engineers and more techies to dig and troubleshooting an operating system to understand the root-cause for the problems. Most importantly an intruder can also leverage this CLI to do bad things to run a malicious commands to take over your system to get full access ,control and exfiltrate data to attackers servers.


Initial Reconnaissance

Identification of this activity will save your organization from security breaches , Monitoring a specific patterns and time intervals will provide you lots of information on your investigation. Lets Take a look of initial commands on this phase.

Windows CommandAttacker Intention
IpconfigUsed to collect network and DNS information
TasklistTasklist can be used to discover & explore software currently running on a system by process name of known products.
SysteminfoProvides Much information about OS version, Owner Name, Processor Type, BIOS Version, System Model, Time Zone, Boot Time, and more.
QueryInformation like processes, sessions, and Remote Desktop sessions are Obtained.
QprocessObtain the process information on Remote Desktop Session.
Net startSTART/STOP a known or Unknown service.
WhoamiSystem user Information
NetstatList of well-established connections to existing IP’s
Net timeTo gather the Time Information
VerMicrosoft Windows Version information
net user /domainPerforms the operation on the domain controller in the computer’s primary domain.
net localgroup administratorsdisplays the local administrator’s group on the computer.
net localgroup administrators /domaindisplays the local administrators’ group on a current domain controller.
net group /domainDisplay groups and performs the operation on the domain controller in the current domain.
net group “Domain Admins” /domainQuery users from domain admins in the current domain.
net group “Domain Computers” /domainQuery all domain computers in the current domain.
net group “Domain Controllers” /domainQuery Domain Controllers Computers.
net group “Domain Policy Creator Owners” /domainQuery Domain Policy Creators.
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumberLocal storage device management.
net sharedisplays information about all of the resources that are shared on the local computer.
wmic shareShared resource management.
net accounts /domainUpdates the user accounts database and modifies password and logon requirements for all accounts. Performs the operation on the primary domain controller of the current domain.
wmic useraccount LIST BRIEFPrint account information.
type C:\Windows\system32\soc_analyst.txtShow the contents of a file.
dir /aDisplays files with specified attributes.
dir /sSearches sub-directories
dir /s “*match-text*”Searches for the word entered in the match-text the section in all sub-dirs of the current directory.
find /I password C:\Windows\System32*.iniSearches for a password string in a file or files.
tree /F C:\Windows\system32Graphically displays the folder structure of a drive or path.
fsutil fsinfo drivesLists the current drives on the system.
wmic volumeLocal storage volume management.
net use \\ip\ipc$ password /user:usernameConnects a computer to or disconnects a computer from a shared resource, or displays information about computer connections.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \DomainController\IPC$ /user:%n %p 1>NUL 2>&1 && @echo [*] %n:%p &&Bruteforce Windows accounts
FOR /F %f in (‘dir /b /s C:’) do find /I “password” %fSearch password in file or files from C:|
wmic startupManagement of commands that run automatically when users log onto the computer system.

Also Read: Lateral Movement Detection with Windows Event Logs

Malware Execution & Spread

Post successful reconnaissance, the Threat actor may use the live system inbuilt functionality to bring the malware and execute on the premise. Later an attacker may move inside your network to infect and exfiltrate the confidential data. Let us Take a look at the initial commands on this phase.

Windows CommandsAttackers Goal
At.exeSchedule periodic tasks
Atbroker.exeAtbroker.exe is a process associated with the Windows Assistive Technology Manager utility, It can also run an unknown file.
bash.exeWindows subsystem for Linux
Bitsadmin.exeUsed in hiding unknown files, move, copy and execute any unknown files.
Cmstp.exeInstalls or removes a Connection Manager service profile. Silently installs a . INF without creating a desktop icon.
Diskshadow.exeuses this utility to execute a malicious file.
Dnscmd.exeTo start a malicious DLL in the DNS server.
Explorer.exeuses this utility to execute a malicious file.
Extexport.exeuses this utility to execute malicious DLL.
Forfiles.exeuses this utility to execute a malicious file.
Ftp.exeuse this utility to execute malicious files.
Gpscript.exeExecutes logon scripts configured in Group Policy.
Ie4uinit.exeExecutes commands from a specially prepared ie4uinit.inf file.
Ieexec.exeDownloads and executes malicious.exe from the remote server.
Infdefaultinstall.exeuses this utility to execute malicious INF.
Installutil.exeuses this utility to execute malicious DLL.
Mavinject.exeuses this utility to execute malicious DLL.
Microsoft.Workflow.Compiler.exeCompile and execute C# or VB.net code in a XOML file referenced in the test.xml file
Mmc.exeLaunch a ‘backgrounded’ MMC process and invoke a COM payload
Msbuild.exeBuild and execute a C# project stored in the target XML file.
Msconfig.exeCode execution using Msconfig.exe
Msdt.exeExecute code bypass Application whitelisting
Extexport.exeExecute DLL files
Update.exeDownload and Execute a file
Tracker.exeProxy execution of an arbitrary DLL into another process
SQLToolsPS.exeExecute a malicious file

Conclusion

Restrict unnecessary commands for normal users using Applocker Rules, Collect the app locker events and correlate with SIEM (Security information and event management ) for earlier detection’s, Also consider detection rules under EDR as high alert with this kind of occurrences, as this malicious use of windows commands may leverage and compromise your organization on next few minutes.


Previous articleRITA – Real Intelligence Threat Analytics for Network Traffic Analysis
Next articleInvestigation of the Malware Persistence on Defragmented Disk
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here