Japan's National CERT released a blog on the breakdown of Windows commands abused by attackers. This is GREAT WORK and one of the best articles to reinforce what I have been saying in my presentations, Windows Logging training and of course the 'Windows Logging Cheat Sheet'. Logging command line execution is critical for a mature Detection and Response program.
JP-CERT broke down the commands into 3 categories:
- Initial investigation: Collect information of the infected machine
- Reconnaissance: Look for information saved in the machine and remote machines within the network
- Spread of infection: Infect the machine with other malware or try to access other machines
This is the first time someone has tried to break up the commands into categories to better understand what the hackers are doing and at what stage. I have a slightly different opinion on this, but I do not have the luxury of compiling data like they do to create this kind of breakdown.
Most of the p0wnage I have been involved with is pure 'spread the infection' with some recon or investigation occurring during the spread. Much of what they do is scripted, so identical behavior, other attacks had indications that there was more than one malwarian involved by the mistakes made (the Newb) and the way the other hacker worked and the commands used.
I have never really thought of breaking these commands into these three categories or more, but it might lead to so ideas to craft some logging alerts or tool tweaks From the behavior based solutions and our own work.
I promote The concept of 'Malware Management', the review of malware reports and analysis to gain artifacts used by the malwarians. These artifacts are used to help tune, tweak and improve your SecOps, Active Defense and Blue Team capabilities. I also promote the 'Windows Logging Cheat Sheet' to encourage enabling Command Line Logging to catch malicious behavior. You can get the Cheat Sheets here:
I have been involved in some hairy advanced attacks by a very persistent hacker group and the commands the malwarians executed can be a fantastic way to separate normal admin or developer behavior from malwarian behavior. I recently saw a Tweet and disagreed on the point that 'a good hacker in indistinguishable from a developer'. I just don't agree and the commands attackers execute as the data from JP-CERT show is something that can be distinguished from normal behavior and the quanties of execution is key as the data shows.
While doing malware analysis in my lab I also get to see what commodity malware of all types do from crapware to RansomeWare to the Dridex Trojan. What commands are built into the delivery, execution and call back and the follow on commands executed are also telling and help to improve Detection and Response, if we listen.
If you look up some of my presentations On SlideShare (MalwareArchaeology) you will see what commands were executed, malware payloads used, and built-in Windows commands abused by the malwarians.
I further the need to log command line execution and the importance by providing a sample query I created in Splunk for my 2015 Splunk .Conf presentation which can be found in the 'Windows Splunk Logging Cheat Sheet' also found on my website at the link above.
Now my list of commands to watch out for is more extensive than the ones in the JP-CERT blog for what I recommend people monitoring for. But all the commands I monitor for have been added in part to practicing Malware Management, analyzing malware to see what commands were executed, actual infected and compromised systems and all the reports folks and companies like us put out. Once you see and experience an actual advanced attack and are able to capture and see the malwarians behavior first hand, a light will go off and you will be able to tweak and adjust your tools to improve your Detection and Response capabilities.
Keep in mind that combining the Windows commands with other process executions, minus your normal program executions will allow you to separate the developers and admins from your adversaries. Consider looking at where the commands are executed, such as user space \AppData\ versus All Users \ProgramData to the program and Windows core directories. The data will begin to speak to you, of course ONLY if you have adequately configured logging like the Cheat Sheets recommend.
JPCERT blog on Windows commands used by hackers