How can we prevent Windows command line tools from being abused by hackers?
Windows ships with a large number of commands by default, but ordinary users actually use only a small part of them. JPCERT/CC has also found that attackers use Windows commands to collect system information and spread malware once they have intruded into a target network.
It is worth noting that the Windows commands used by ordinary users and by attackers differ greatly, so attackers can be detected or restricted by monitoring and controlling Windows command execution.
This article shows how to mitigate the impact of attacks by identifying the Windows commands that attackers run on compromised Windows systems and by limiting command execution that ordinary users do not need.
A Remote Access Tool/Trojan (RAT) usually has a function for executing commands received from its remote operator. Using this function, attackers can execute arbitrary Windows commands on the controlled host from their remote environment.
After such malware has been installed successfully in a network, attackers attempt to take control of other hosts in the same network in the following order, in order to collect confidential information:
(1) Preliminary investigation: collect information about the infected host.
(2) Investigation: search for information stored on the host and on other hosts in the same network.
(3) Expanded infection: infect the host with other malware or attempt to access other hosts.
Windows commands are used in all the above stages. I will introduce the Windows commands used in each stage.
Preliminary investigation
Table 1 lists the commands used by attackers to collect information about infected hosts. The "Times executed" figures are the total number of times each Windows command was executed by three different attack groups through their C&C servers.
Table 1: preliminary investigation (Top 10 commands)
Attackers use commands such as "tasklist", "ver", "ipconfig" and "systeminfo" to collect information about the network, processes and operating system, so as to find out which hosts have been infected successfully; this may also be used to determine whether the host is a sandbox used for malware research.
Investigation
Commands in Table 2 are often used to search for confidential information and other hosts on the same network.
Attackers use "dir" and "type" to search for files. Sometimes they collect a whole series of files from infected hosts by using the parameters of the "dir" command.
The "net" command is used to search network data. In particular, the following commands are often seen:
· net view: displays a list of domains, computers, or resources shared by a specified computer.
· net user: manages local/domain accounts.
· net localgroup: obtains a list of users in a local group.
· net group: obtains a list of users in a specific domain group.
· net use: connects to shared resources.
In addition, the following commands can be used in an environment where Active Directory is enabled (see Table 5 in Appendix A). These commands are installed on Windows Server and do not exist on Windows 7 and Windows 8. However, attackers can install and execute them manually.
· dsquery: searches for accounts in Active Directory.
· csvde: obtains account information from Active Directory.
Expanded Infection
The following commands are frequently used to intrude into remote hosts and infect other hosts in the network:
"At" and "wmic" are often used to execute malicious programs on remote hosts.
Using the "at" command, attackers can connect to a remote host and schedule a program to run on it:
at \\[remote host name or IP address] 12:00 cmd /c "C:\windows\temp\mal.exe"
Similarly, through the "wmic" command, attackers can execute arbitrary commands on the remote host:
wmic /node:[IP address] /user:"[user name]" /password:"[password]" process call create "cmd /c c:\Windows\System32\net.exe user"
Restrict unnecessary Windows Command Execution
Since many of the Windows commands used by attackers are ones that ordinary users never use, it is possible to restrict such attacks with AppLocker (application control policy) or Software Restriction Policies. For example, to restrict use of the "net" command, rules such as the following can be set (for more detailed AppLocker configuration information, refer to the Microsoft website).
Similarly, if AppLocker event logging is enabled, an event is recorded in the log whenever a Windows command is executed or an attempted execution is denied; this helps to investigate whether attackers have executed commands on infected hosts.
AppLocker can also be used purely to monitor Windows commands. In this monitoring (audit) mode AppLocker does not prevent command execution, but the execution history is recorded in the event log. If a Windows command that you need to use is also often used by attackers, setting AppLocker to monitor it is a good choice.
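As an added example (not code from the article or from JPCERT/CC), the following Python script applies the monitoring idea above to AppLocker execution events that have already been exported as records: it maps each logged executable to the attack stage described earlier and flags any host/user that runs commands from two or more stages within ten minutes. The record fields, the sample events and the ten-minute correlation rule are constructed assumptions.

```python
"""Triage exported AppLocker "EXE and DLL" events for attacker-style command use.
Assumptions (not from the article): the record fields below, and event IDs 8002 (allowed),
8003 (audit: would have been blocked) and 8004 (blocked) treated alike, since even a blocked attempt is evidence."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Executables named in the article, grouped by the stage in which attackers use them.
# "dir", "type" and "ver" are cmd.exe built-ins: AppLocker only ever logs cmd.exe for them.
STAGE_BY_COMMAND = {
    "tasklist.exe": "preliminary investigation",
    "ipconfig.exe": "preliminary investigation",
    "systeminfo.exe": "preliminary investigation",
    "net.exe": "investigation",
    "dsquery.exe": "investigation",
    "csvde.exe": "investigation",
    "at.exe": "expanded infection",
    "wmic.exe": "expanded infection",
}

# Constructed sample export: one ordinary user, and one host showing the full attack sequence.
SAMPLE_EVENTS = [
    {"time": "2015-01-20T09:00:00", "id": 8002, "host": "PC-01", "user": "alice", "path": "%SYSTEM32%\\IPCONFIG.EXE"},
    {"time": "2015-01-20T13:02:10", "id": 8002, "host": "PC-07", "user": "bob", "path": "%SYSTEM32%\\TASKLIST.EXE"},
    {"time": "2015-01-20T13:02:31", "id": 8002, "host": "PC-07", "user": "bob", "path": "%SYSTEM32%\\SYSTEMINFO.EXE"},
    {"time": "2015-01-20T13:03:05", "id": 8003, "host": "PC-07", "user": "bob", "path": "%SYSTEM32%\\NET.EXE"},
    {"time": "2015-01-20T13:04:40", "id": 8003, "host": "PC-07", "user": "bob", "path": "%SYSTEM32%\\WBEM\\WMIC.EXE"},
]

def command_stage(path):
    """Map a logged FilePath to the article's attack stage, or None for other binaries."""
    return STAGE_BY_COMMAND.get(PureWindowsPath(path).name.lower())

def triage(events, window=timedelta(minutes=10), min_stages=2):
    """Return {(host, user): sorted stages} for principals running >= min_stages distinct stages within window."""
    seen = defaultdict(list)  # (host, user) -> [(time, stage), ...]
    for ev in events:
        stage = command_stage(ev["path"])
        if stage is not None:
            seen[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), stage))
    flagged = {}
    for key, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window starting at each hit
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[key] = sorted(stages)
                break
    return flagged
```

A single "ipconfig" by an ordinary user produces no alert, while the PC-07 sequence is flagged because it spans all three stages described above.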
Summary
When attacking a target, attackers use not only malware but also, frequently, Windows commands. If such behaviour can be detected, the attack can be intercepted early in its spread. However, restricting Windows commands outright is difficult. Therefore, we recommend that you use AppLocker to collect logs of software execution.
Appendix A
Appendix B
Appendix C