2017’s Notably Abused System Administration Tools and Protocols
System administration tools and legitimately used protocols provide administrators, information security professionals, and developers/programmers flexibility and efficiency. When used by attackers, cybercriminals, and other malicious actors, however, they can enable malware to blend in with normal network traffic and evade traditional security mechanisms while leaving fewer footprints. And as this year’s most notable threats showed, leaving them exposed or unsecure, even inadvertently, can have costly consequences. Here are some of this year’s notably abused tools and protocols and some of the best practices enterprises can do against threats that exploit them:
What it is: Windows PowerShell is a management framework comprising a scripting language and command-line shell. It lets system administrators automate tasks and manage processes. Some of these include: launch Command Prompt, terminate processes, locate folders and files, schedule commands and set them in the background, access application program interfaces (APIs), and manage the configurations of systems and servers.
How it's abused: PowerShell is a staple in many kinds of malware, especially fileless threats. Ransomware such as Cerber and PowerWare, information stealers like FAREIT, banking Trojans like VAWTRAK, and backdoors embed malicious PowerShell scripts in their executables or macro malware-toting documents. These scripts are used to retrieve and launch/execute the payload. Given PowerShell’s nature, it is normally whitelisted; attackers abuse it to evade antivirus (AV) detection.
Best practices: Restrict its use, or blacklist possible command interpreters that may be abused — it will improve security, but will affect other system functions. Alternatively, administrators can use PowerShell itself by listing triggers that can detect commands or arguments typically contained in malicious PowerShell scripts. PowerShell also has a logging capability that can be used to analyze suspicious behavior within the system. Microsoft also suggests best practices on how to securely use PowerShell.
What it is: PsExec is a command-line tool that lets users remotely launch processes and execute commands or executables. It runs within the privilege of the user logged in to the system. PsExec is versatile in that it can let administrators redirect the console input and output between systems. PsExec can also be used to roll out patches or hotfixes.
How it's abused: The Petya/NotPetya ransomware abused PsExec by using a modified version of it to access and infect remote machines. The disk-encrypting HDDCryptor used it similarly. The fileless file-encrypting SOREBRECT malware abused PsExec to complement its code injection capabilities. And given PsExec’s flexibility, it was also abused to hijack endpoints, “zombify” them to become part of a botnet, and install a point-of-sale malware. PsExec was reportedly also used in the Target data breach.
Best practices: PsExec’s creator, Mark Russinovich, points out that in an attacker’s hands it can provide ways for lateral movement. Enforce, therefore, the principle of least privilege: Limit user write permissions to deter attacks that propagate across the network. Regularly review the privileges assigned to each user. And more importantly, restrict its use only to those who need it.
What they are: Command-line interfaces (also known as command language interpreters) enable users to interact with the OS or application/program and perform tasks through text-based commands. Examples include PowerShell, Windows Management Instrumentation Command-line (WMIC), Microsoft Register Server (regsvr32), and Command Prompt (cmd). Command-line tools are used by administrators, developers, and programmers to automate tasks and are vital components in operating systems or applications.
How they're abused: WMIC was used by Petya/NotPetya as a fail-safe option for installing the ransomware in case its version of PsExec is unsuccessful. The Cobalt hacking group abused three command-line tools to deliver their payload: PowerShell; odbcconf.exe, which is related to Microsoft Data Access Components; and regsvr32, which is used for registering dynamic-link libraries in the registry. Backdoors usually include a routine where cmd is launched to issue malicious commands, such as executing additional malware.
Best practices: For developers and programmers, apply security by design in applications. Most command-line tools are built in to the system, so administrators should enable them only when needed. Impose authentication and access policies for these tools. They are normally whitelisted, so deploy behavior monitoring mechanisms that can block anomalous modifications to the system or files.
What it is: Remote desktops allow users to remotely connect to other client machines (that is, virtual desktops). In Windows, remote desktops connect via the Remote Desktop Protocol (RDP), a network communications protocol that provides a graphical user interface from which users can remotely interact with other systems. RDP is built in to most Windows OSs.
How it's abused: Remote desktops become attack vectors when they’re not properly configured or secured, and exposed on the internet. Ransomware such as Crysis is known for brute-forcing RDP clients and manually executing the malware in the system. Point-of-sale malware also uses remote desktops to illicitly gain access to endpoints.
Best practices: Disable or restrict the use of remote desktops if not needed. Strengthen their credentials to make them more resistant to brute-force or dictionary attacks. Use encryption to deter hackers from spying on their network traffic. Employ authentication and account lockout policies.
Server Message Block (SMB)
What it is: SMB is a network communication protocol (using TCP port 445) that allows users to share files, printers, serial ports, and other resources across the network. The access given to users via SMB means the user (or the client application) can open, read, write (create or modify), copy, and delete files or folders on the remote server. SMB is available in all Windows OSs.
How it's abused: The notorious WannaCry and the fileless UIWIX ransomware, as well as the cryptocurrency-mining malware Adylkuzz, used EternalBlue, which exploits a vulnerability (CVE-2017-0144) in SMB v1, to spread to other systems. Other exploits from the Shadow Brokers group’s dump also targeted SMB vulnerabilities: EternalRocks, EternalRomance, and EternalChampion, to name a few. The Bad Rabbit ransomware used a custom version of EternalSynergy for propagation. SambaCry, a vulnerability in the implementation of SMB in Linux systems, was used to infect susceptible network-attached storage (NAS) devices with backdoors.
Best practices: Disable SMB v1 and its related protocols and ports; migrate to the latest version if SMB is used in the workplace. Using unneeded and outdated protocols only broadens the system’s attack surface. Proactively monitor the network for red flags. Firewalls as well as intrusion detection and prevention systems help in this regard. Virtual patching provides protection against vulnerabilities in end-of-life/legacy systems or networks.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases