RED FLAGS IN COMMANDLINE PROCESS MONITORING

Jayden Lyons, B.S. 

CYBERSECURITY SUPPORT DESK

Adversaries may manipulate the Windows command shell to carry out a kill chain on Windows computers.  The Windows command line is a powerful tool that can control almost every aspect of a Windows endpoint, and attackers often leverage it to execute commands and payloads in pursuit of their objectives in the network.  Common living-off-the-land (LOL) techniques include executing a single command or covertly using the command line for communications over a command and control (C2) channel.  High visibility into command shell processes, together with continuous monitoring and analysis of the event logs that capture command-line activity, is therefore an essential component of endpoint security.  Below is a list of command-line entries that may be suspicious and should be investigated further for a chain of events suggestive of a cyberattack in progress.  This document is a supplement to the video covering 12 commands to monitor for ransomware detection.

vssadmin delete shadows*

vssadmin create shadow /for=C:*

vssadmin resize shadowstorage

bcdedit /set {default} recoveryenabled no*

copy \\?\\GLOBALROOT\\Device\\*\\windows\\ntds\\ntds.dit

copy \\?\\GLOBALROOT\\Device\\*\\config\\SAM*

copy /Y *\\cmd.exe *sethc.exe     [copy command shell into sticky keys]

copy /Y *\\cmd.exe *.exe     [copy command shell into any other process]

reg SAVE HKLM\\SYSTEM *

* sekurlsa:*         [The module sekurlsa in Mimikatz lets you dump passwords from memory]

net group "Domain Admins"

certutil.exe *-urlcache* http*

certutil.exe *-urlcache* ftp*

cmd.exe /c *  [execute a single command]

netsh advfirewall firewall *\\AppData\\* 

netsh.exe add helper*     [add helper DLLs to trigger execution of arbitrary code, persistence] 

icacls  *\\sethc.exe /grant*    [grant admin permissions on sticky keys]

icacls *\\osk.exe /grant*    [persistence, privilege escalation]

icacls *\\DisplaySwitch /grant*    [persistence, privilege escalation]

wevtutil cl *       [clears a Windows log]

attrib.exe +s    [create a system file]

attrib +S +H +R *\\AppData\\*        [grant all users full access controls]

attrib +h    [create hidden files]

schtasks* /create *\\AppData\\*

schtasks* /sc minute*

schtasks* /interactive *    [create scheduled task for a specific time]

*\\Regasm.exe *\\AppData\\*         

[Regasm.exe is the Assembly Registration Tool, the command-line tool you must run to register or unregister a .NET component; it places the generated type libraries in the current working directory or in the directory specified for the output file]

*\\bitsadmin* /transfer*

*\\bitsadmin* /transfer /download /priority *      [download and execute payload]

*\\certutil.exe * -decode *

*\\certutil.exe * -decodehex *

*\\certutil.exe -ping *

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

certutil -f -encode *

icacls * /grant Everyone:F /T /C /Q

* wmic shadowcopy delete *

wmic useraccount get /ALL *     [list local user accounts information]

wmic process get caption,executablepath,commandline*   [list running processes]

wmic qfe get description,installedOn*   [list installed software hotfixes and patches with install dates]

wmic /node* service where*    [list remote service information]

wmic process call create*    [execute a process on local host]

wmic process where name* delete   [cleanup]

wmic /user* /password* /node* process call create   [execute process on remote host]

wmic /user* /password* /node* process call create delete  [cleanup]

wbadmin.exe delete catalog -quiet*

*\\wscript.exe *.jse    OR   *\\wscript.exe *.js       [modify registry for persistence]

*\\wscript.exe *.vba OR *\\wscript.exe *.vbe

*\\cscript.exe *.jse    OR   *\\cscript.exe *.js     [modify registry for persistence]

*\\cscript.exe *.vba OR *\\cscript.exe *.vbe

cscript.exe $env:APPDATA\Microsoft\Windows*\Startup\vbsstartup.vbs *

cscript.exe "C:\ProgramData\Microsoft\Windows*\StartUp\vbsstartup.vbs"

[vbs file to run in startup folder, persistence]

*\\fodhelper.exe

*waitfor*/s*

*waitfor*/si persist*

*remote*/s*

*remote*/c*

*remote*/q*

assoc *   [change default file association]

*AddInProcess*

Modifications to HKLM*\\CurrentVersion\\Run*     [startup persistence]

*\\AppData\\Roaming\\Oracle*\\java*.exe *         [AdWind Rat]

*cscript.exe *Retrieve*.vbs *

*\\AppData\\Roaming\\Oracle\\bin\\java*.exe

reg add HKLM\system*\Terminal Server *AllowTSConnections*       [allow RDP connections to the endpoint]

reg delete*    [cleanup]

reg.exe import *  [potential DLL injection through the registry]

reg add HKLM\SOFTWARE\*\Image File Execution Options*      [IFEO injection]

reg add HKLM\SOFTWARE\*\SilentProcessExit *

reg add HKCU\Software\*\Outlook\Security  [persistence, code execution using Outlook]

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce  [persistence]

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [add file to startup folder for persistence]

reg add HKCU OR HKLM*\Explorer\User Shell Folders    [persistence]

reg add HKLM\SOFTWARE\* /v ReportingMode

reg add HKLM\SOFTWARE\* /v MonitorProcess

reg add HKCU\Environment*  UserInitMprLogonScript    [adds a registry value to run a batch script]

reg add HKCU\Software\*Special\Perf *    [load to run once, persistence]

Also any shortcut (.lnk) placed in the Startup folder

schtasks /create /tn * "cmd.exe /c calc.exe"


[use Task Scheduler to schedule new task for initial or recurring execution of malicious code]

*If an attacker executes a program by leveraging the Win32 APIs, it will launch calc.exe (Calculator)

schtasks /delete /tn*       [cleanup]

powershell -exec bypass -e *   [create a process with an encoded command]

taskkill /F /IM gup.exe  [software updates service vulnerable to dll-sideloading]

net user* /add /domain  [Creates a new domain admin user]

net group*  /add /domain

net user username* password* /add /domain   [create new user with anonymous logon]

net localgroup administrators /add   [creates a new admin user]

net user* /del /domain     [cleanup]

wmic process call create * /node *
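As an added example (not from the original document or its author), here is a small Python scanner that turns a subset of this page's wildcard patterns into regular expressions, runs them over constructed Sysmon Event ID 1 style process-creation records, decodes the payload of a flagged "powershell -e" line so the analyst can see what actually ran, and reports hosts where several distinct red flags cluster within a short window, which is the "chain of events" the introduction says to look for. The chosen pattern subset and labels, the record field names, the host names, the sample command lines and the ten-minute window are my assumptions; the bcdedit entry is written with bcdedit's real spelling, "recoveryenabled no".

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Subset of the red-flag patterns listed on this page, in the page's own wildcard
# syntax ('*' matches any run of characters; a literal backslash is written '\\').
# The labels are my own short names for what each pattern indicates (assumption).
RED_FLAGS = {
    r"vssadmin delete shadows*": "shadow copy deletion",
    r"* wmic shadowcopy delete *": "shadow copy deletion",
    r"wbadmin.exe delete catalog -quiet*": "backup catalog deletion",
    r"bcdedit /set {default} recoveryenabled no*": "recovery disabled",
    r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures": "boot failures hidden",
    r"wevtutil cl *": "event log cleared",
    r"powershell -exec bypass -e *": "encoded PowerShell",
    r"schtasks* /create *\\AppData\\*": "scheduled task from AppData",
}


def compile_flag(pattern: str) -> "re.Pattern[str]":
    r"""Turn a page-style wildcard pattern into a case-insensitive regex.

    The page writes a literal backslash as '\\', so that is collapsed first; then
    everything is regex-escaped and each '*' becomes '.*'. search() is used below
    so a pattern may match anywhere in the command line.
    """
    literal = pattern.replace("\\\\", "\\")
    return re.compile(re.escape(literal).replace(r"\*", ".*"), re.IGNORECASE)


COMPILED = [(compile_flag(p), label, p) for p, label in RED_FLAGS.items()]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -e/-ec/-enc/-EncodedCommand <base64>, or None.

    PowerShell encodes the script as UTF-16LE before base64, so this step is what
    lets an analyst read a flagged 'powershell -e ...' line.
    """
    m = re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(events):
    """Match each record's CommandLine against every red flag; one hit per match."""
    hits = []
    for ev in events:
        for rx, label, pattern in COMPILED:
            if rx.search(ev["CommandLine"]):
                hits.append({"time": ev["UtcTime"], "host": ev["Computer"],
                             "label": label, "pattern": pattern,
                             "cmd": ev["CommandLine"],
                             "decoded": decode_encoded_command(ev["CommandLine"])})
    return hits


def chains(hits, window=timedelta(minutes=10), min_distinct=3):
    """Report hosts where >= min_distinct different red flags fall inside `window`.

    One 'vssadmin delete shadows' deserves a look; shadow copies, recovery and the
    backup catalog all removed within minutes is an incident. Returns
    {host: sorted labels} for each host that crosses the threshold.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["time"])
        for i, first in enumerate(hs):
            labels = {h["label"] for h in hs[i:] if h["time"] - first["time"] <= window}
            if len(labels) >= min_distinct:
                alerts[host] = sorted(labels)
                break
    return alerts


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Base64 of the UTF-16LE script "Get-Process", built here so the sample is self-contained.
ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 style records (not real telemetry). WS-042 shows a
# ransomware staging sequence; LT-07 has one isolated hit; FS-01 is benign.
SAMPLE_EVENTS = [
    {"UtcTime": _t("2024-05-01 03:12:04"), "Computer": "WS-042",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"UtcTime": _t("2024-05-01 03:12:09"), "Computer": "WS-042",
     "CommandLine": "cmd.exe /c wmic shadowcopy delete /nointeractive"},
    {"UtcTime": _t("2024-05-01 03:12:15"), "Computer": "WS-042",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"UtcTime": _t("2024-05-01 03:12:31"), "Computer": "WS-042",
     "CommandLine": "wbadmin.exe delete catalog -quiet"},
    {"UtcTime": _t("2024-05-01 03:14:50"), "Computer": "WS-042",
     "CommandLine": "powershell -exec bypass -e " + ENCODED},
    {"UtcTime": _t("2024-05-01 03:15:02"), "Computer": "WS-042",
     "CommandLine": "wevtutil cl Security"},
    {"UtcTime": _t("2024-05-01 09:40:11"), "Computer": "LT-07",
     "CommandLine": "wevtutil cl Application"},
    {"UtcTime": _t("2024-05-01 09:41:00"), "Computer": "FS-01",
     "CommandLine": "ping -n 1 fileserver"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h['time']} {h['host']:7} {h['label']:24} {h['cmd']}")
        if h["decoded"]:
            print(f"    decoded: {h['decoded']}")
    print("hosts with a red-flag chain:", chains(scan(SAMPLE_EVENTS)))
```

Patterns are applied exactly as the page writes them, so "vssadmin delete shadows*" will not match a log line that records the full image name "vssadmin.exe delete shadows"; in production, prefix each executable name with "*" or match on both the Image and CommandLine fields. The chain threshold and window are starting points to tune against your own baseline of administrative activity.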
