Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion. Today. We're going to be looking at the vector command line interface. Now. The objectives of today's discussion are pretty straightforward.
00:15
We're going to look at How does minor define a command line interface?
00:21
We're going to look at What are some examples of common command line attack tools. We're going to look at some recommended mitigation techniques and then some detection techniques as well. So with that in mind, let's go ahead and jump right in
00:38
so command line interface, a manner that provides a way to interact with a computer system. So that's pretty straightforward. Some examples of command line interfaces include the following. So if you've worked around computer systems for some time, then none of these are foreign to you.
00:55
So we've got the Windows DOS or command prompt bash shell with OS X and Lennox bashes. Well,
01:02
all of these are pertinent to administering systems, managing systems, things of that nature, so that shouldn't be anything new. Now, what's the overall goal of using the command line? Well,
01:15
for an attacker, it's to remotely control the target system, much like when we administer systems or make changes to systems. Whatever the case may be, Attackers have the same goal in mind but for malicious purpose to execute changes to a target system. So if we want to change permissions or try to manipulate functions or features their anti virus,
01:34
we may try to do so through the command line as well
01:38
and then to install other tools. And so they may have the system reached out to a command and control server to download a package of payload. That could be something as well.
01:49
So before we get into the mitigation techniques and things that they trumped, I'd like to bring up the minor site. I'm just gonna pull that over, and I've got some other tabs open as well that we're gonna look at
02:00
prior to looking at mitigation techniques. So
02:04
again,
02:05
minor as faras, the way it's defining everything here is that the command line interface provides a way to interact with computer systems and is common across many platforms. They do talk about the Windows CMD, which again, if you do run CMD or just type CMD and hit, enter most of the times that pulls your command up command prompt up
02:24
performing tasks, including execution of software so
02:29
it can be interacted with locally or remotely be a remote desktop application. Reverse shell, etcetera. So these areas here, I'm sure you're familiar with. If you do any type of penetration, testing or security testing commands are executed with current permission level, which is important. So if I compromise a system
02:47
and I'm just a standard user and I attempt to run the command problem
02:53
commands, if I don't have the appropriate permissions to make changes and modifications, it won't happen. But again, access to a domain administrator account that could be troublesome
03:04
as well as if I do some form of privilege escalation that gets me system access or system level access that could be very damaging as well. So might also provides some examples of different threat groups there, just showing here that they use command, exceed to execute commands and custom backdoors.
03:23
I do some review of who this is, who they are as far as on the system.
03:29
And as you can see, most threat actors execute some form of command Dottie XY or command prompt type commands to help them
03:38
researchers system
03:40
put files in the system make changes to a system execute malware. Whatever the case may be, it's pretty prolific. So this is definitely an area that we would only focus on
03:51
as far as the attack vectors are concerned. Now, miners mitigation is execution prevention, which is to on it and or block and necessary command line interpreters using applications, white listing tools like defender application control, app locker, etcetera.
04:05
So I used a reference down here. There's a number of references here that go to different command line. Resource is
04:13
Microsoft mentions application control and using that which applies the Windows 10 Server 2016 and Server 2019. To essentially prevent the use of the command line interface as well as different file types and blocking those types
04:30
from either being modified, changed, executed, etcetera. So this is one mitigating control that we can look at the other direction you can go. If you're not running something more current, it may take a little more research on your end. If you're using the command prompt to run some things initially, it start up. Whatever the case may be,
04:48
it may differ, but you could always attempt to use a group policy as well, too,
04:56
not allow end users or standard users to utilize the command prompt. So if one of those accounts were, in fact compromised or whatever the case may be,
05:05
you may be able Teoh prevent the threat actor from easily moving forward or getting into other systems. And so that could be beneficial as well. Now let's go ahead and jump back into our slides here and look at the mitigation techniques that we listed so,
05:23
as is mentioned, restrict user accounts to not allow, uh, for elevated command prompt. So that's huge. One of the first things that I would do if I get into Olynyk system or if I get onto a window systems and I attempt to run
05:39
a Z. Either pseudo are run as an administrator or run. The command prompt is a privileged
05:46
command prompt to then see if I can further move through the system or do things of that nature. So threat actors are going to do the same thing.
05:55
So if we can block those types of things from happening, if we could prevent elevated prompts from happening, that would definitely be great for standard user accounts. Now, there may be scenarios where you use the command prompt for some system management. Maybe you've got some scheduled tests that run certain commands and things of that nature.
06:14
And so you would have to look at ways to allow those things to happen without,
06:18
uh, you know, any unnecessary other types of commands from being run.
06:24
And then we can block non essential or unnecessary command line interpreters. And so we looked at a group policy and a high level and just saying that we could use that to block command line interpreters altogether. But that may be specific to the ones on that system.
06:41
And so it may not block third party command line interpreters.
06:45
And so you may need to use again something like the application controls provided by Microsoft or some other software to prevent those things from being run on systems. And so that's definitely some additional research that would need to be done. But
07:00
worse, while as far as this being a common vector for threat actors and using command prompts because there
07:05
they could be minimised or almost invisible
07:09
when their run. And so it takes that much longer for end users to either discovered or even see it. Most of the times when we log into systems, we get the little blip of the command prompt coming up and going away. We don't get a chance to read it, and we just sometimes the same up. That's probably just the administrators
07:25
doing something new or applying some policies or whatever the case may be. And we go about our business so very important here, too.
07:30
Do those things
07:32
now from a detection standpoint, ensure that security solutions or activities are logged or longing process execution with command line arguments. And so there are some
07:46
ways that you can get loans from command line execution and things of that nature or get a copy of commands that were executed
07:54
definitely. Regardless, Whether you use analytics based system Windows based system, it would be beneficial to maintain these logs somewhere
08:01
again. That isn't easily accessible by administrators or in users, because if they can get to those things,
08:11
then a threat actor would be able to get to those things. And again, the goal of preserving this information is not so much for believing that people will do bad things, but if bad things do happen. You have a way to pull that information, trace it back
08:28
and then potentially get an idea of what a threat actor was doing, what commands they entered. And then you could cross reference those commands, you know, with signatures of other threat actors on the Internet, and then potentially see what type of attacks were being conducted and then use that information to potentially
08:46
remove that threat actors capabilities from your systems or prevent them from doing further damage to those systems.
08:52
So with that, let's go ahead and touch on our summary forward today's discussion. So we defined command line interface. And simply put, this is a software
09:05
or um,
09:07
feature of a system that allows you to manage that system either locally or remotely. We discussed some examples of common command line tools, really just talking about O SX having bash or windows using the DOS prompt.
09:22
Those are the common tools we're going to talk about power shell and some other things and the later vectors. But really,
09:31
the things that are natively installed are going to be what we would consider common command line attack tools. Here we discussed recommended mitigation techniques, esos things again, such as application controls and limiting user capability to access command promise is going to be key here.
09:48
And then we discuss recommended detection techniques in this case long in command line activity
09:54
and ensuring that we have a record of events that allow us to trace back to attacker activity and even in user activity cause sometimes and users can do things they shouldn't be doing
10:05
and use that to figure out what is going on. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor