Combining such detection logic with other analytics adds to the fidelity of any triggered detections.
#Cmd c powershell windows
Network connections associated with Windows Command Shell are often benign, but there’s value in monitoring for connections to suspect top-level domains-or domains commonly associated with malicious activity. Process access monitoringĭetection logic that monitors for the Windows Command Shell or its child processes injecting threads into lsass.exe or other critical processes is generally a high-fidelity analytic. For example, while monitoring for Microsoft Office products spawning a Windows Command Shell may be prone to false positives, the same detection logic combined with suspicious command-line parameters, network connections to external domains, or cross-process events to critical processes (e.g., lsass.exe) may offer much higher fidelity. Monitoring process relationships, especially in combination with process behaviors, is another important capability. While monitoring for suspicious command-line parameters can help you catch malicious or suspicious activity, this shouldn’t be your only source of visibility. Because the Windows Command Shell is so often used to execute more useful or interesting system binaries, detection analytics that monitor for execution of those binaries with suspicious parameters are also useful.
These obfuscation techniques can point defenders to malicious behavior without needing to know the contents of command. Given adversaries’ affinity for obfuscation, some of the most effective detection analytics in our arsenal are those that look for characters and strings commonly used in obfuscation. The following data sources-largely available via commercial EDR products-offer valuable visibility into malicious use of the Windows Command Shell: Command monitoring
As with many of our detection analytics, we rely extensively (but not exclusively) on process and command-line monitoring. Given this, many different telemetry or data sources might offer valuable insight into suspicious command shell activity, depending on the context in your specific environment. The Windows Command Shell often plays a supporting role in the threats we detect. Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components. The shell built-in command mklink can be used to create these special file system features, allowing adversaries access to data they would normally not have rights to access-such as sensitive files stored in volume shadow copies. In recent years we have seen malicious use of obscure file system features such as symlinks and directory junctions. Lastly, adversaries can use the Command Shell to bypass security controls. Combine this with the shell’s built-in capabilities and the ability to put these commands together in batch files, and adversaries have unlocked a powerful tool in the humble Windows Command Shell. Moving beyond the command shell’s built-in commands, cmd.exe can be used to launch virtually any executable on the system, either native binaries that ship with Windows, binaries that adversaries drop on the systems, or interpreters such as PowerShell, CScript, and more. They can add entries to the \hosts file mentioned above, and can also use the built-in echo command to redirect the shell output. In addition to abusing the command shell for information gathering, adversaries can use it to modify system settings too. Combine the use of the built-in type command with shell redirection via the > and > operators, and adversaries have a means of copying files (even binary files) without using the copy command itself.
#Cmd c powershell code
The type command can be used to display the contents of configuration files, including everything from the relatively mundane but interesting %windir%\system32\drivers\etc\hosts to source code files for sensitive applications. Daniel Bohannon has covered obfuscation methods in depth.īeyond obfuscation, adversaries frequently use the shell’s built-in type command for information gathering.
If your detection logic is looking for specific strings (e.g., powershell.exe), you may be blind to adversaries calling something like P^ow””ersh””ell. Indicators of obfuscation include gratuitous use of: However, robust detection logic can effectively uncover obfuscation techniques. How do adversaries use Windows Command Shell?įrom a high level, an adversary can use Windows Command Shell to:Īdversaries commonly employ obfuscation to evade detection and delay or confound analysis.
0 kommentar(er)
