Top Signs of Compromise Detected on the Windows Operating System


The Microsoft Windows CLI (Command Line Interface) is a great feature for running background jobs, scripts, automation and similar tasks. It helps system analysts, network engineers and other technical staff dig into an operating system and troubleshoot it to understand the root cause of a problem. Most importantly, an intruder can leverage the same CLI to run malicious commands, take over your system to gain full access and control, and exfiltrate data to attacker-controlled servers.


Initial Reconnaissance

Identifying this activity early will save your organization from a security breach. Monitoring for specific command patterns, and for the time intervals between them, will give you a lot of information during an investigation. Let's take a look at the initial commands seen in this phase.

Windows Command | Attacker Intention
--- | ---
ipconfig | Collects network and DNS configuration.
tasklist | Discovers and explores software currently running on the system by the process names of known products.
systeminfo | Provides much information about the OS version, owner name, processor type, BIOS version, system model, time zone, boot time and more.
query | Obtains information about processes, sessions and Remote Desktop sessions.
qprocess | Obtains process information for Remote Desktop sessions.
net start | Starts/stops a known or unknown service.
whoami | Shows the current system user's information.
netstat | Lists established connections to existing IPs.
net time | Gathers time information.
ver | Shows the Microsoft Windows version.
net user /domain | Performs the operation on the domain controller in the computer's primary domain.
net localgroup administrators | Displays the local Administrators group on the computer.
net localgroup administrators /domain | Displays the Administrators group on the current domain controller.
net group /domain | Displays groups, performing the operation on the domain controller in the current domain.
net group "Domain Admins" /domain | Queries the members of Domain Admins in the current domain.
net group "Domain Computers" /domain | Queries all domain computers in the current domain.
net group "Domain Controllers" /domain | Queries the domain controller computers.
net group "Domain Policy Creator Owners" /domain | Queries the domain policy creators.
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber | Local storage device management.
net share | Displays information about all resources shared on the local computer.
wmic share | Shared resource management.
net accounts /domain | Updates the user accounts database and modifies password and logon requirements for all accounts; performs the operation on the primary domain controller of the current domain.
wmic useraccount LIST BRIEF | Prints account information.
type C:\Windows\system32\soc_analyst.txt | Shows the contents of a file.
dir /a | Displays files with the specified attributes.
dir /s | Searches sub-directories.
dir /s "*match-text*" | Searches for the word given as match-text in all sub-directories of the current directory.
find /I password C:\Windows\System32*.ini | Searches for a password string in a file or files.
tree /F C:\Windows\system32 | Graphically displays the folder structure of a drive or path.
fsutil fsinfo drives | Lists the current drives on the system.
wmic volume | Local storage volume management.
net use \\ip\ipc$ password /user:username | Connects a computer to or disconnects it from a shared resource, or displays information about computer connections.
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \DomainController\IPC$ /user:%n %p 1>NUL 2>&1 && @echo [*] %n:%p && | Brute-forces Windows accounts.
FOR /F %f in ('dir /b /s C:') do find /I "password" %f | Searches for "password" in files under C:.
wmic startup | Management of commands that run automatically when users log on to the system.

Malware Execution & Spread

After successful reconnaissance, the threat actor may use functionality built into the live system to bring in malware and execute it on the premises. Later, the attacker may move laterally inside your network to infect further hosts and exfiltrate confidential data. Let's take a look at the commands seen in this phase.

Windows Command | Attacker's Goal
--- | ---
At.exe | Schedules periodic tasks.
Atbroker.exe | A process associated with the Windows Assistive Technology Manager utility; it can also run an unknown file.
bash.exe | Windows Subsystem for Linux.
Bitsadmin.exe | Used to hide unknown files and to move, copy and execute any unknown file.
Cmstp.exe | Installs or removes a Connection Manager service profile; silently installs an .INF without creating a desktop icon.
Diskshadow.exe | Used to execute a malicious file.
Dnscmd.exe | Used to start a malicious DLL on a DNS server.
Explorer.exe | Used to execute a malicious file.
Extexport.exe | Used to execute a malicious DLL.
Forfiles.exe | Used to execute a malicious file.
Ftp.exe | Used to execute a malicious file.
Gpscript.exe | Executes logon scripts configured in Group Policy.
Ie4uinit.exe | Executes commands from a specially prepared ie4uinit.inf file.
Ieexec.exe | Downloads and executes malicious.exe from a remote server.
Infdefaultinstall.exe | Used to execute a malicious INF.
Installutil.exe | Used to execute a malicious DLL.
Mavinject.exe | Used to execute a malicious DLL.
Microsoft.Workflow.Compiler.exe | Compiles and executes C# or VB.NET code in a XOML file referenced in the test.xml file.
Mmc.exe | Launches a backgrounded MMC process and invokes a COM payload.
Msbuild.exe | Builds and executes a C# project stored in the target XML file.
Msconfig.exe | Code execution using Msconfig.exe.
Msdt.exe | Executes code, bypassing application whitelisting.
Extexport.exe | Executes DLL files.
Update.exe | Downloads and executes a file.
Tracker.exe | Proxy execution of an arbitrary DLL into another process.
SQLToolsPS.exe | Executes a malicious file.

Conclusion

Restrict unnecessary commands for normal users using AppLocker rules, collect the AppLocker events and correlate them in your SIEM (Security Information and Event Management) for earlier detection. Also treat this kind of occurrence as a high-severity detection rule in your EDR, because malicious use of Windows commands can escalate to a compromise of your organization within the next few minutes.
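The pattern-and-time-interval monitoring described under Initial Reconnaissance and the SIEM correlation recommended above can be expressed as a small detection rule. The following is an added example, not code from the original article: it runs over constructed process-creation records (the shape Event ID 4688 takes after SIEM normalisation; the hosts, users and paths are invented), raises one alert when an actor runs several distinct discovery commands inside a short window, and a separate alert for any execution of a binary from the execution table.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands taken from the reconnaissance table; "net" and "wmic" are keyed
# together with their subcommand so "net group" and "net localgroup" count separately.
RECON_COMMANDS = {"ipconfig", "tasklist", "systeminfo", "query", "qprocess", "whoami",
                  "netstat", "ver", "net", "wmic", "fsutil", "tree", "dir", "find", "type"}
# Signed Windows binaries from the execution table that are abused to run payloads.
LOLBINS = {"at.exe", "atbroker.exe", "bitsadmin.exe", "cmstp.exe", "diskshadow.exe",
           "msbuild.exe", "installutil.exe", "mavinject.exe", "msdt.exe", "tracker.exe"}
RECON_WINDOW = timedelta(minutes=5)   # interval within which recon commands are correlated
RECON_THRESHOLD = 4                    # distinct recon commands needed to raise an alert

# Constructed sample records (not real telemetry): "<UTC timestamp> <host> <user> <command line>".
SAMPLE_EVENTS = [
    "2024-03-01T09:00:02Z host01 CORP\\jdoe whoami",
    "2024-03-01T09:00:15Z host01 CORP\\jdoe ipconfig /all",
    "2024-03-01T09:00:41Z host01 CORP\\jdoe net group \"Domain Admins\" /domain",
    "2024-03-01T09:01:03Z host01 CORP\\jdoe net localgroup administrators /domain",
    "2024-03-01T09:01:30Z host01 CORP\\jdoe systeminfo",
    "2024-03-01T09:05:10Z host01 CORP\\jdoe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe C:\\Temp\\build.xml",
    "2024-03-01T11:22:00Z host02 CORP\\asmith ipconfig /release",   # benign: single command
    "2024-03-01T14:00:00Z host02 CORP\\asmith dir /s",              # benign: hours later
]

def parse_event(line):
    """Split a normalised record into (timestamp, host, user, command_key, image_name)."""
    ts, host, user, cmdline = line.split(" ", 3)
    tokens = cmdline.split()
    image = tokens[0].rsplit("\\", 1)[-1].lower()        # drop any path from the image name
    key = image[:-4] if image.endswith(".exe") else image
    if key in ("net", "wmic") and len(tokens) > 1:
        key = f"{key} {tokens[1].lower()}"
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, key, image

def detect(events):
    """Return alerts: any LOLBin execution, plus one recon-burst alert per host/user."""
    alerts, by_actor = [], defaultdict(list)
    for ts, host, user, key, image in map(parse_event, events):
        if image in LOLBINS:
            alerts.append(("lolbin_execution", host, user, image))
        if key.split()[0] in RECON_COMMANDS:
            by_actor[(host, user)].append((ts, key))
    for (host, user), seen in by_actor.items():
        seen.sort()                                      # sliding window over time
        for i, (start, _) in enumerate(seen):
            distinct = {k for t, k in seen[i:] if t - start <= RECON_WINDOW}
            if len(distinct) >= RECON_THRESHOLD:
                alerts.append(("recon_burst", host, user, len(distinct)))
                break                                    # one alert per actor is enough
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```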


Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.
