Command Line Interface

00:00

hello and welcome to another application of the minor attack framework discussion. Today. We're going to be looking at the vector command line interface. Now. The objectives of today's discussion are pretty straightforward.

00:15

We're going to look at How does minor define a command line interface?

00:21

We're going to look at What are some examples of common command line attack tools. We're going to look at some recommended mitigation techniques and then some detection techniques as well. So with that in mind, let's go ahead and jump right in

00:38

so command line interface, a manner that provides a way to interact with a computer system. So that's pretty straightforward. Some examples of command line interfaces include the following. So if you've worked around computer systems for some time, then none of these are foreign to you.

00:55

So we've got the Windows DOS or command prompt bash shell with OS X and Lennox bashes. Well,

01:02

all of these are pertinent to administering systems, managing systems, things of that nature, so that shouldn't be anything new. Now, what's the overall goal of using the command line? Well,

01:15

for an attacker, it's to remotely control the target system, much like when we administer systems or make changes to systems. Whatever the case may be, Attackers have the same goal in mind but for malicious purpose to execute changes to a target system. So if we want to change permissions or try to manipulate functions or features their anti virus,

01:34

we may try to do so through the command line as well

01:38

and then to install other tools. And so they may have the system reached out to a command and control server to download a package of payload. That could be something as well.

01:49

So before we get into the mitigation techniques and things that they trumped, I'd like to bring up the minor site. I'm just gonna pull that over, and I've got some other tabs open as well that we're gonna look at

02:00

prior to looking at mitigation techniques. So

02:04

again,

02:05

minor as faras, the way it's defining everything here is that the command line interface provides a way to interact with computer systems and is common across many platforms. They do talk about the Windows CMD, which again, if you do run CMD or just type CMD and hit, enter most of the times that pulls your command up command prompt up

02:24

performing tasks, including execution of software so

02:29

it can be interacted with locally or remotely be a remote desktop application. Reverse shell, etcetera. So these areas here, I'm sure you're familiar with. If you do any type of penetration, testing or security testing commands are executed with current permission level, which is important. So if I compromise a system

02:47

and I'm just a standard user and I attempt to run the command problem

02:53

commands, if I don't have the appropriate permissions to make changes and modifications, it won't happen. But again, access to a domain administrator account that could be troublesome

03:04

as well as if I do some form of privilege escalation that gets me system access or system level access that could be very damaging as well. So might also provides some examples of different threat groups there, just showing here that they use command, exceed to execute commands and custom backdoors.

03:23

I do some review of who this is, who they are as far as on the system.

03:29

And as you can see, most threat actors execute some form of command Dottie XY or command prompt type commands to help them

03:38

researchers system

03:40

put files in the system make changes to a system execute malware. Whatever the case may be, it's pretty prolific. So this is definitely an area that we would only focus on

03:51

as far as the attack vectors are concerned. Now, miners mitigation is execution prevention, which is to on it and or block and necessary command line interpreters using applications, white listing tools like defender application control, app locker, etcetera.

04:05

So I used a reference down here. There's a number of references here that go to different command line. Resource is

04:13

Microsoft mentions application control and using that which applies the Windows 10 Server 2016 and Server 2019. To essentially prevent the use of the command line interface as well as different file types and blocking those types

04:30

from either being modified, changed, executed, etcetera. So this is one mitigating control that we can look at the other direction you can go. If you're not running something more current, it may take a little more research on your end. If you're using the command prompt to run some things initially, it start up. Whatever the case may be,

04:48

it may differ, but you could always attempt to use a group policy as well, too,

04:56

not allow end users or standard users to utilize the command prompt. So if one of those accounts were, in fact compromised or whatever the case may be,

05:05

you may be able Teoh prevent the threat actor from easily moving forward or getting into other systems. And so that could be beneficial as well. Now let's go ahead and jump back into our slides here and look at the mitigation techniques that we listed so,

05:23

as is mentioned, restrict user accounts to not allow, uh, for elevated command prompt. So that's huge. One of the first things that I would do if I get into Olynyk system or if I get onto a window systems and I attempt to run

05:39

a Z. Either pseudo are run as an administrator or run. The command prompt is a privileged

05:46

command prompt to then see if I can further move through the system or do things of that nature. So threat actors are going to do the same thing.

05:55

So if we can block those types of things from happening, if we could prevent elevated prompts from happening, that would definitely be great for standard user accounts. Now, there may be scenarios where you use the command prompt for some system management. Maybe you've got some scheduled tests that run certain commands and things of that nature.

06:14

And so you would have to look at ways to allow those things to happen without,

06:18

uh, you know, any unnecessary other types of commands from being run.

06:24

And then we can block non essential or unnecessary command line interpreters. And so we looked at a group policy and a high level and just saying that we could use that to block command line interpreters altogether. But that may be specific to the ones on that system.

06:41

And so it may not block third party command line interpreters.

06:45

And so you may need to use again something like the application controls provided by Microsoft or some other software to prevent those things from being run on systems. And so that's definitely some additional research that would need to be done. But

07:00

worse, while as far as this being a common vector for threat actors and using command prompts because there

07:05

they could be minimised or almost invisible

07:09

when their run. And so it takes that much longer for end users to either discovered or even see it. Most of the times when we log into systems, we get the little blip of the command prompt coming up and going away. We don't get a chance to read it, and we just sometimes the same up. That's probably just the administrators

07:25

doing something new or applying some policies or whatever the case may be. And we go about our business so very important here, too.

07:30

Do those things

07:32

now from a detection standpoint, ensure that security solutions or activities are logged or longing process execution with command line arguments. And so there are some

07:46

ways that you can get loans from command line execution and things of that nature or get a copy of commands that were executed

07:54

definitely. Regardless, Whether you use analytics based system Windows based system, it would be beneficial to maintain these logs somewhere

08:01

again. That isn't easily accessible by administrators or in users, because if they can get to those things,

08:11

then a threat actor would be able to get to those things. And again, the goal of preserving this information is not so much for believing that people will do bad things, but if bad things do happen. You have a way to pull that information, trace it back

08:28

and then potentially get an idea of what a threat actor was doing, what commands they entered. And then you could cross reference those commands, you know, with signatures of other threat actors on the Internet, and then potentially see what type of attacks were being conducted and then use that information to potentially

08:46

remove that threat actors capabilities from your systems or prevent them from doing further damage to those systems.

08:52

So with that, let's go ahead and touch on our summary forward today's discussion. So we defined command line interface. And simply put, this is a software

09:05

or um,

09:07

feature of a system that allows you to manage that system either locally or remotely. We discussed some examples of common command line tools, really just talking about O SX having bash or windows using the DOS prompt.

09:22

Those are the common tools we're going to talk about power shell and some other things and the later vectors. But really,

09:31

the things that are natively installed are going to be what we would consider common command line attack tools. Here we discussed recommended mitigation techniques, esos things again, such as application controls and limiting user capability to access command promise is going to be key here.

09:48

And then we discuss recommended detection techniques in this case long in command line activity

09:54

and ensuring that we have a record of events that allow us to trace back to attacker activity and even in user activity cause sometimes and users can do things they shouldn't be doing