Spot Insider Threats: 10 Commands Commonly Used During the Cyber Attack Cycle


Today, CyberArk announced a new capability that helps organizations automatically detect insider threats and accelerate incident response times. With this integrated release of CyberArk Privileged Threat Analytics and CyberArk Privileged Session Manager, customers can now receive customizable, prioritized alerts on high-risk user activity – during privileged sessions – to help security teams swiftly investigate and disrupt potential insider attacks.

While developing this release, we worked closely with our customers to understand their privileged threat detection needs and to learn how they prefer to receive alerts. Over the course of that process, we heard two pieces of feedback time and again.

First, customers want to customize detection capabilities so that, over time, they can tailor alerts to their specific needs. I’m happy to share that with this release we’ve provided that flexibility.

Second, because of our expertise in the privileged account security space, customers have asked us for ideas on what types of high-risk activity to look for initially. To help answer this question, we consulted with experts from CyberArk Labs and our customers’ security operations teams to develop a list of ten commands that are frequently associated with malicious – or accidentally damaging – behavior.

It’s always worth noting that no two situations are the same, so an action that may be harmless in one situation may create a major security issue in another. However, in the spirit of sharing what we learned, here are ten highly sensitive commands that were frequently cited as being indicative of risk:

  1. exe, Active Directory Users and Computers – This action opens a window in which a Windows user can add new user accounts to the domain. This could indicate that an attacker is creating backdoor access to establish persistence throughout the entire Windows domain.
  2. exe, User Accounts – As suggested by its name, this action opens a window in which a Windows user is able to add new accounts to the system. This could indicate that an attacker is creating backdoor access to the system to establish persistence.
  3. exe, Registry Editor – This action opens a window that provides access to the Windows registry. From the registry, a user can change critical system configurations, alter security settings and access sensitive credential data on the system. CyberArk Labs research demonstrates how malicious users can alter registry settings to steal credentials.
  4. exe, Windows Firewall with Advanced Security – Access to the Windows Firewall enables users to modify security configurations on a system. Access to firewall settings may indicate that an attacker is disabling security controls on the machine to make the next steps of the attack chain easier.
  5. exe, Network Policy Server – The Windows Network Policy Server enables users to modify the network configuration. Access to this window could indicate that an attacker is enabling unauthorized access to or from the machine.
  6. authorized_keys – Commands containing “authorized_keys” can provide access to the authorized keys files on *nix systems. From this file, a user can add unauthorized SSH keys to the machine. Access to this file may indicate that an attacker is creating backdoor access to the system to establish persistence.
  7. sudoers – Commands containing “sudoers” can provide access to the sudoers file on *nix systems. Within this file, a user is able to manipulate user privileges on the system. Such an action could indicate that an attacker is granting unauthorized permissions to an account, which can be used at a later time to cause damage.
  8. :(){ :|: & };: – When entered on *nix systems, this sequence of characters operates a fork bomb to consume all machine resources and make the server unusable. These characters would not be entered accidentally, and thus represent an intentional attempt to harm the organization.
  9. tcpdump – When entered on *nix systems, this action dumps all accessible network packets. The use of this command may indicate that an attacker is attempting to learn about the communication channels of the machine and use that information to plan the next steps in the attack.
  10. rm – When entered on *nix systems, this command enables a user to delete files and directories. Such an action may indicate that a user is trying to harm the machine to potentially disrupt business.

While this list can be used as a starting point, it’s always important to keep in mind that every environment is different. When deciding which commands to detect initially, it’s important to consider what systems you run, what systems store your most sensitive information and what actions occur on a day-to-day basis within your organization. We’re here to help you understand potential risks and share knowledge from both our in-house and customer experts.
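As an added example (not from the CyberArk post, and not the product's own detection logic), the Python script below turns the ten indicators listed above into detection rules, runs them over recorded privileged-session events, and applies the kind of per-environment tuning the previous paragraph recommends: an allowlist for activity that is routine in a given environment, and a severity bump for the hosts that hold the most sensitive data. The pipe-separated event format, the user and host names, the sample log lines, the rule names and the severity numbers are all constructed for this example; a team would replace the tuning tables with its own.

```python
"""Rule-based triage of recorded privileged-session activity.

Constructed example: the event format (timestamp|user|host|kind|text), the
sample session log, the severity scale and the tuning tables are assumptions
made for this illustration, not the format or logic of any real product.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str       # "window": a Windows GUI window title; "cmd": a *nix command line
    pattern: str    # regex applied to the event text
    severity: int   # 1 = review, 2 = investigate, 3 = disrupt the session
    why: str        # what the indicator suggests, per the list above


# One rule per indicator in the list. The *nix command patterns require the
# command to start a token ((?<![^\s;|&]) = preceded only by whitespace or a
# shell separator) so that "rm" does not fire on "perform_cleanup".
RULES = [
    Rule("ad-users-and-computers", "window", r"Active Directory Users and Computers", 3,
         "domain account creation: possible domain-wide backdoor"),
    Rule("local-user-accounts", "window", r"^User Accounts$", 2,
         "local account creation: possible persistence"),
    Rule("registry-editor", "window", r"Registry Editor", 2,
         "registry access: configuration or credential tampering"),
    Rule("windows-firewall", "window", r"Windows Firewall with Advanced Security", 2,
         "firewall access: security controls may be disabled"),
    Rule("network-policy-server", "window", r"Network Policy Server", 2,
         "network policy access: unauthorized network access paths"),
    Rule("authorized_keys", "cmd", r"authorized_keys", 3,
         "SSH authorized keys file: possible backdoor access"),
    Rule("sudoers", "cmd", r"sudoers", 3,
         "sudoers file: possible unauthorized privilege grant"),
    Rule("fork-bomb", "cmd", r":\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:", 3,
         "fork bomb: deliberate denial of service"),
    Rule("tcpdump", "cmd", r"(?<![^\s;|&])tcpdump\b", 2,
         "packet capture: reconnaissance of communication channels"),
    Rule("rm", "cmd", r"(?<![^\s;|&])rm\b", 1,
         "file deletion: possible destructive action"),
]


@dataclass
class Alert:
    ts: str
    user: str
    host: str
    rule: str
    severity: int
    why: str
    evidence: str


# Environment-specific tuning (constructed assumptions): suppress activity that is
# routine for a given account, and raise severity on the most sensitive hosts.
ALLOWLIST = {("svc-build", "rm"): "CI cleanup job deletes its own workspace"}
SENSITIVE_HOSTS = {"dc01", "vault01"}

# Constructed session log; the text field may itself contain '|' (see line 2).
SAMPLE_SESSION_LOG = """\
2016-02-09T10:21:03Z|alice|dc01|window|Active Directory Users and Computers
2016-02-09T10:24:40Z|bob|web03|cmd|grep -c processor /proc/cpuinfo | tee /tmp/cores
2016-02-09T10:25:12Z|bob|web03|cmd|vi /root/.ssh/authorized_keys
2016-02-09T10:31:55Z|svc-build|ci02|cmd|rm -rf /var/lib/jenkins/workspace/nightly
2016-02-09T10:33:08Z|carol|app07|cmd|sudo tcpdump -i eth0 -w /tmp/capture.pcap
2016-02-09T10:40:19Z|dave|db01|cmd|:(){ :|: & };:
2016-02-09T10:41:02Z|erin|app07|window|Windows Firewall with Advanced Security
2016-02-09T10:42:30Z|frank|app07|cmd|ls -la /etc/sudoers.d
2016-02-09T10:45:00Z|grace|app07|cmd|perform_cleanup --dry-run
"""


def parse_event(line):
    """Split one record into its five fields; maxsplit keeps '|' inside the text."""
    ts, user, host, kind, text = line.rstrip("\n").split("|", 4)
    return ts, user, host, kind, text


def match_rules(kind, text):
    """Return every rule of the matching kind whose pattern fires on the text."""
    return [r for r in RULES if r.kind == kind and re.search(r.pattern, text)]


def triage(lines, allowlist=ALLOWLIST, sensitive_hosts=SENSITIVE_HOSTS):
    """Produce alerts sorted by severity (highest first), then by time."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, host, kind, text = parse_event(line)
        for rule in match_rules(kind, text):
            if (user, rule.name) in allowlist:
                continue  # routine for this account in this environment
            sev = min(3, rule.severity + 1) if host in sensitive_hosts else rule.severity
            alerts.append(Alert(ts, user, host, rule.name, sev, rule.why, text))
    alerts.sort(key=lambda a: (-a.severity, a.ts))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_SESSION_LOG.splitlines()):
        print(f"[sev {a.severity}] {a.ts} {a.user}@{a.host} {a.rule}: {a.why} | {a.evidence}")
```

Running the script on the constructed log yields six alerts: the four severity-3 events (domain user management on dc01, the authorized_keys edit, the fork bomb and the sudoers listing) come first, followed by the packet capture and the firewall window; the build account's `rm` is suppressed by the allowlist, and `perform_cleanup` does not trip the `rm` rule because the pattern requires `rm` to start a token.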

To learn more about our new ability to automatically detect potential insider threats, read this article.

About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.