The Need for Instrumentation
Almost everyone likes spies, right? Jason Bourne, James Bond, that sort of thing? One of the things you don't see in the movies is the training these super spies go through, but you have to imagine that it's pretty extensive, if they can pop up in a city that they maybe haven't been to and transition seamlessly into the environment.
The same thing is true of targeted adversaries...they're able to seamlessly blend into your environment. Like special operations forces, they learn how to use tools native to the environment in order to get the information that they're after, whether it's initial reconnaissance of the host or the infrastructure, locating items of interest, moving laterally within the infrastructure, or exfiltrating data.
I caught this post from JPCERT/CC that discusses Windows commands abused by attackers. The author takes a different approach from previous posts and shares some of the command lines used, but also focuses on the frequency of use for each tool. There's also a section in the post that recommends using GPOs to restrict the use of unnecessary commands. An alternative approach might be to track attempts to use the tools, by creating a trigger to write a Windows Event Log record (discussed previously in this post). When incorporated into an overall log management (SIEM, filtering, alerting, etc.) framework, this can be an extremely valuable detection mechanism.
If you're not familiar with some of the tools that you see listed in the JPCERT/CC blog post, try running them, starting by typing the command followed by "/?".
TradeCraft Tuesday - Episode #6 discusses how PowerShell can be used and abused. The presenters (one of whom is Kyle Hanslovan) strongly encourage interaction (wow, does that sound familiar at all?) with the presentation via Twitter. During the presentation, the guys talk about PowerShell being used to push base64 encoded commands into the Registry for later use (often referred to as "fileless"), and it doesn't stop there. Their discussion of the power of PowerShell for post-exploitation activities really highlights the need for a suitable level of instrumentation in order to achieve visibility.
The use of native commands by an adversary or intruder is not new...it's been talked about before. For example, the guys at SecureWorks talked about the same thing in the articles Linking Users to Systems and Living off the Land. Rather than talking about what could be done, these articles show you data that illustrates what was actually done; not might or could, but did.
So, what do you do? Well, I've posted previously about how you can go about monitoring for command line activity, which is usually manifest when access is achieved via RATs.
Not all abuse of native Windows commands and functionality is going to be as obvious as some of what's been discussed already. Take this recent SecureWorks post for example...it illustrates how GPOs have been observed being abused by dedicated actors. An intruder moving about your infrastructure via Terminal Services won't be as easy to detect using command line process creation monitoring, unless and until they resort to some form of non-GUI interaction.
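To make the "track attempts to use the tools" idea and the command line monitoring above concrete, here is an added PowerShell example (mine, not code from the original post, from JPCERT/CC, or from SecureWorks). It enables process creation auditing with command lines, pulls Event ID 4688 records from the Security log, and summarizes how often the watched native tools were run and by whom, which is the same frequency-of-use view the JPCERT/CC post takes. The tool list is an illustrative assumption rather than the JPCERT/CC list, and the sample events at the bottom are constructed so the summary function can be exercised without touching a live Security log.

```powershell
# Added example, not from the original post. Assumes Windows 8.1 / 2012 R2 or
# later, where process creation events (ID 4688) can carry the command line.

# One-time setup (run elevated): audit successful process creation and include
# the command line in each 4688 record. These are real auditpol/registry settings.
#   auditpol /set /subcategory:"Process Creation" /success:enable
#   reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
#       /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

# Illustrative watchlist of native tools commonly seen in recon and lateral
# movement (an assumption for this example, not the JPCERT/CC frequency table).
$ReconTools = @(
    'tasklist.exe', 'ipconfig.exe', 'systeminfo.exe', 'net.exe', 'net1.exe',
    'netstat.exe', 'whoami.exe', 'nbtstat.exe', 'quser.exe', 'schtasks.exe',
    'at.exe', 'reg.exe', 'wmic.exe', 'dsquery.exe'
)

# Read 4688 events and flatten the ones fields we care about into simple objects.
function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['SubjectUserName']
                Image       = $d['NewProcessName']
                CommandLine = $d['CommandLine']   # empty until the policy above is on
            }
        }
}

# Count watched tools, who ran them, and keep one sample command line per tool.
# Takes any objects with Image/User/CommandLine so it works on live or sample data.
function Get-ToolUsageSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $Watchlist = $ReconTools
    )
    $Events |
        Where-Object { $Watchlist -contains ([IO.Path]::GetFileName($_.Image).ToLower()) } |
        Group-Object { [IO.Path]::GetFileName($_.Image).ToLower() } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Tool';   e = { $_.Name } },
                      Count,
                      @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' } },
                      @{ n = 'Sample'; e = { $_.Group[0].CommandLine } }
}

# Constructed sample events (not real log data) so the summary runs offline.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2016-02-01 09:12:03'; User = 'jdoe';
                       Image = 'C:\Windows\System32\whoami.exe'; CommandLine = 'whoami /all' }
    [pscustomobject]@{ Time = [datetime]'2016-02-01 09:12:10'; User = 'jdoe';
                       Image = 'C:\Windows\System32\net.exe';    CommandLine = 'net view /domain' }
    [pscustomobject]@{ Time = [datetime]'2016-02-01 09:12:41'; User = 'jdoe';
                       Image = 'C:\Windows\System32\net1.exe';   CommandLine = 'net1 user' }
    [pscustomobject]@{ Time = [datetime]'2016-02-01 09:13:05'; User = 'svc_backup';
                       Image = 'C:\Windows\System32\tasklist.exe'; CommandLine = 'tasklist /v' }
    [pscustomobject]@{ Time = [datetime]'2016-02-01 09:14:30'; User = 'jdoe';
                       Image = 'C:\Windows\System32\whoami.exe'; CommandLine = 'whoami /groups' }
    [pscustomobject]@{ Time = [datetime]'2016-02-01 09:15:00'; User = 'jdoe';
                       Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)

Get-ToolUsageSummary -Events $SampleEvents | Format-Table -AutoSize

# On a host with auditing enabled, the same summary over real records:
#   Get-ToolUsageSummary -Events (Get-ProcessCreationEvents) | Format-Table -AutoSize
```

On the constructed data the table lists whoami.exe twice, then net.exe, net1.exe and tasklist.exe once each, and notepad.exe is filtered out because it is not on the watchlist. Feeding the same summary into a SIEM on a schedule, or alerting when a user account that has never run these tools suddenly does, is the detection mechanism the post describes; nothing here blocks the tools, it only makes their use visible.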