A common approach to detecting intruders on your network is to focus on the individual components of what is known as the “cyber kill chain.” Lockheed Martin adapted the term from military usage to describe how it identified and stopped advanced, nation-state attacks directed at it. The cyber kill chain identifies the steps an attacker goes through to gain access to sensitive data and includes:
- Reconnaissance – The attacker researches the target, for example harvesting employee names and roles from social networks
- Weaponization – and builds a malicious attachment tailored to that information
- Delivery – which is delivered to a targeted employee through social media or email
- Exploitation – The employee opens the file and the vulnerability it targets is exploited
- Installation – Malware is installed on the victim's computer
- Command and Control – The attacker establishes a channel to the infected system and takes control of it
- Actions on Objectives – and is able to locate and access critical data.
Each link in the kill chain provides an opportunity for the defenders to identify and stop the attack from occurring. This is easier for some links than for others. For this blog post, we will focus our attention on the last two links: command and control and actions on objectives. I refer to these links as the pivot stage of an attack because the attacker will typically need to move from the initially compromised computer to other systems to ultimately gain access to sensitive data.
So, what are the signs or indicators that an attacker is preparing to pivot or has pivoted from their initial compromised computer? Indicators include the following:
- Creation of scheduled tasks on remote systems. Two command line tools native to Windows 7 allow an attacker to create scheduled tasks on remote systems: schtasks.exe and at.exe. The use of at.exe appears to be more popular and is what we will focus on. When at.exe is run on the source host, you would see metadata in the form of an application Prefetch file (in C:\Windows\Prefetch) indicating that at.exe had been executed. On the destination host, indicators include a logon event with identifier (ID) 4624 and Logon Type 3 (a network logon) in the Windows Security event log, normally accompanied by event ID 4672 (special privileges assigned to the new logon), because creating a task on a remote machine requires administrative rights on that machine. If auditing of Other Object Access events is enabled, event ID 4698 (a scheduled task was created) records the task itself, and the job file (At1.job, At2.job and so on) appears in C:\Windows\Tasks.
- Suspicious use of cmd.exe. Very few ordinary users ever use the command line tool built into Windows known as cmd.exe; most use the mouse and the graphical user interface (GUI). Attackers, however, typically use the command line to perform additional reconnaissance before pivoting. When process creation auditing is enabled, the Security event log records an event with ID 4688 for every process created on the host, including the account that started it and the full path of the executable (the command line arguments are included only if command-line auditing is additionally enabled). Look for patterns of cmd.exe being started by non-administrators, or by accounts and at times that do not fit the user's role.
- Behavior analytics. This requires a thorough understanding of your network and of how typical users behave. Using either Windows event logs or firewall logs, review the patterns of how different computers on your network communicate with each other. Logon events deserve particular attention. Then begin asking questions. Why did a user in marketing try to remotely access a computer in human resources? Why is our janitor remotely connecting to our network at 2 a.m.? Each question will likely require further investigation to confirm an attack and will likely raise additional questions. Continue the question and answer process until you can either confirm an attack or identify it as a false positive.
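To show how the three indicators above can be checked mechanically, the following Python script is added here as an example; it is not code from the original post or from any Regis course. It runs over a handful of constructed Security log records, written as Python dictionaries standing in for events parsed out of an EVTX file, and flags a privileged network logon, a scheduled task registered shortly after that logon, cmd.exe started by a non-administrator, and a logon whose source does not match the baseline for the destination host. The host names, account names, IP addresses, the administrator allow-list and the per-host baseline of expected source networks are all assumptions made for the example. In real logs the 4672 event should be tied to its 4624 through the Logon ID field; the toy correlates on host, account and timestamp instead.

```python
"""Toy pivot detector over constructed Windows Security log records.

Added example, not from the original post. Each record is a dict standing in
for a parsed EVTX event; field names follow the Security log (EventID,
LogonType, TargetUserName, IpAddress, NewProcessName, TaskName, ...).
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 10.0.5.21 is assumed to be MKT-PC01.
EVENTS = [
    # Expected: a marketing user logs on interactively (type 2) to her own PC.
    {"time": "2014-03-03T09:01:00", "host": "MKT-PC01", "EventID": 4624,
     "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "-"},
    # Indicator 2: cmd.exe started by a non-admin on the source host at 2 a.m.
    {"time": "2014-03-03T02:05:00", "host": "MKT-PC01", "EventID": 4688,
     "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # Indicators 1 and 3: network logon (type 3) from MKT-PC01 to an HR machine ...
    {"time": "2014-03-03T02:10:00", "host": "HR-PC07", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.5.21"},
    # ... with admin privileges (4672 shares the logon's timestamp) ...
    {"time": "2014-03-03T02:10:00", "host": "HR-PC07", "EventID": 4672,
     "TargetUserName": "jdoe"},
    # ... followed by a scheduled task being registered on HR-PC07 (4698).
    {"time": "2014-03-03T02:10:40", "host": "HR-PC07", "EventID": 4698,
     "SubjectUserName": "jdoe", "TaskName": r"\At1"},
    # Expected: the helpdesk account uses cmd.exe during business hours.
    {"time": "2014-03-03T10:00:00", "host": "IT-PC02", "EventID": 4688,
     "SubjectUserName": "helpdesk", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

# Assumed site knowledge: who is allowed to use cmd.exe, and which source
# networks normally log on to which hosts (the "behavior analytics" baseline).
ADMIN_ACCOUNTS = {"helpdesk", "Administrator"}
BASELINE = {"HR-PC07": ["10.0.9.0/24"]}   # HR hosts are reached only from the HR subnet


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def remote_logons(events):
    """4624 with Logon Type 3: someone reached this host over the network."""
    return [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 3]


def privileged_remote_logons(events, window=timedelta(seconds=5)):
    """Network logon followed within `window` by 4672 for the same account on the
    same host: an administrator-level account was used remotely."""
    hits = []
    for lg in remote_logons(events):
        for e in events:
            if (e["EventID"] == 4672 and e["host"] == lg["host"]
                    and e["TargetUserName"] == lg["TargetUserName"]
                    and timedelta(0) <= _t(e) - _t(lg) <= window):
                hits.append((lg["host"], lg["TargetUserName"], lg["IpAddress"]))
                break
    return hits


def tasks_after_remote_logon(events, window=timedelta(minutes=5)):
    """4698 (scheduled task created) shortly after a network logon to the same
    host: the footprint left by at.exe or schtasks.exe run against a remote box."""
    hits = []
    for task in (e for e in events if e["EventID"] == 4698):
        for lg in remote_logons(events):
            if lg["host"] == task["host"] and timedelta(0) <= _t(task) - _t(lg) <= window:
                hits.append((task["host"], task["TaskName"], lg["IpAddress"], lg["TargetUserName"]))
                break
    return hits


def cmd_by_non_admins(events, admins):
    """4688 process creation where cmd.exe is started by an account not on the admin list."""
    return [(e["host"], e["SubjectUserName"]) for e in events
            if e["EventID"] == 4688
            and e["NewProcessName"].lower().endswith("\\cmd.exe")
            and e["SubjectUserName"] not in admins]


def logons_outside_baseline(events, baseline):
    """Network logons whose source address is not in the networks expected for
    that host. Returns the hour as well, so 2 a.m. activity stands out."""
    hits = []
    for lg in remote_logons(events):
        if lg["IpAddress"] in ("-", "", None):      # no usable source address
            continue
        allowed = [ipaddress.ip_network(n) for n in baseline.get(lg["host"], ())]
        src = ipaddress.ip_address(lg["IpAddress"])
        if not any(src in net for net in allowed):
            hits.append((lg["host"], lg["TargetUserName"], lg["IpAddress"], _t(lg).hour))
    return hits


def detect(events, admins=ADMIN_ACCOUNTS, baseline=BASELINE):
    """Run all three indicators and return the findings keyed by indicator."""
    return {
        "privileged_remote_logons": privileged_remote_logons(events),
        "tasks_after_remote_logon": tasks_after_remote_logon(events),
        "cmd_by_non_admins": cmd_by_non_admins(events, admins),
        "logons_outside_baseline": logons_outside_baseline(events, baseline),
    }


if __name__ == "__main__":
    for indicator, findings in detect(EVENTS).items():
        print(indicator, findings)
```

On the constructed data every indicator fires once and the helpdesk account's cmd.exe use and the interactive logon stay quiet, which is the point: each hit is a question to chase (why did jdoe's workstation reach an HR machine with admin rights at 2 a.m. and register a task?), not a verdict. In practice the records would come from Get-WinEvent or an EVTX parser, and the baseline from several weeks of your own logon data.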
There are many other indicators of attackers pivoting within your network, but the above list is a good start. Join us at Regis in classes such as Network Forensics and learn more about the techniques used by attackers and sharpen your skills to identify and stop them.