Malware commonly abuses the built-in tools and services of the Windows operating system to achieve the attacker's objectives.
For example, ransomware can use Vssadmin, a Windows system command that manages the Volume Shadow Copy Service (VSS) used for creating system backups, to delete or disable those backups. This prevents the system from being restored from backups once the user's data has been encrypted by the ransomware.
This article focuses on how Cyber Radar can be used to detect when certain Windows operating system services are executed on a machine. We will attempt to detect when the following tools are executed in the Windows command line (cmd): Nltest, BCDedit, Vssadmin, Attrib, and Schtasks. Although running these tools is not typically malicious and does not necessarily indicate an active attack, they should be monitored for the following reasons:
1) To support forensic analysis: a record of these executions helps us understand and accurately reconstruct the events that occurred on the monitored systems.
2) To detect actions by malicious users.
Detection of malicious actions:
Cyber Radar detects actions performed on your machine by the Nltest, BCDedit, Vssadmin, Attrib and Schtasks tools of the Windows operating system.
Nltest is a command-line utility used in Active Directory environments to query domain controllers and analyze the reliability of domains.
BCDEdit is a tool used to edit the boot settings of Windows systems. Microsoft says that running BCDEdit is likely to be an indication of ransomware activity. It can be used to "Disable warnings and automatic repairs after boot failures that can be caused by the encryption process". Rules have been created to detect when BCDEdit does the following:
1. Sets a boot entry option value.
2. Deletes an entry from the boot configuration store.
3. Imports a file to restore the saved state of the system store.
Vssadmin is used to manage volume shadow copy backups. Rules have been created to detect deletion and resizing of shadow copy backups.
Attrib is a Windows operating system tool used to remove or configure file attributes (hidden, read-only, system, and archive). Attackers use this tool to hide malicious files and folders anywhere on the system.
Schtasks is a tool that allows system administrators to manage scheduled tasks. With Schtasks, you can create, delete, run, and terminate scheduled tasks on a local or remote computer. Attackers are known to abuse this tool to schedule malicious tasks. Rules have been created to detect when Schtasks does the following:
1. Creates a new scheduled task.
2. Creates a new scheduled task from an XML file.
3. Deletes a scheduled task.
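The rule set described above, expressed as a small detector over process-creation command lines. This is an added example, not Cyber Radar's code or rule format; the rule names and the log events are constructed for illustration.

```python
import re

# Rule set mirroring the behaviours listed above. Each entry maps a tool name
# to named patterns applied to the command line after the tool's name.
# Constructed for this example; it is not Cyber Radar's own rule format.
RULES = {
    "nltest":   {"nltest_executed": r""},                        # any use
    "bcdedit":  {"bcdedit_set_option": r"\s/set\b",
                 "bcdedit_delete_entry": r"\s/delete(?:value)?\b",
                 "bcdedit_import_store": r"\s/import\b"},
    "vssadmin": {"vssadmin_delete_shadows": r"\sdelete\s+shadows\b",
                 "vssadmin_resize_storage": r"\sresize\s+shadowstorage\b"},
    "attrib":   {"attrib_hide_file": r"\s\+[hs]\b"},
    "schtasks": {"schtasks_create_from_xml": r"\s/create\b.*\s/xml\b",
                 "schtasks_create": r"\s/create\b(?!.*\s/xml\b)",
                 "schtasks_delete": r"\s/delete\b"},
}

# Finds the first monitored tool anywhere in the line, so "cmd.exe /c vssadmin ..."
# and full paths such as C:\Windows\System32\bcdedit.exe are both caught.
TOOL_RE = re.compile(r"\b(" + "|".join(RULES) + r")(?:\.exe)?\b", re.IGNORECASE)

def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on one process command line."""
    m = TOOL_RE.search(cmdline)
    if not m:
        return []
    args = cmdline[m.end():]          # only the arguments after the tool name
    return [name for name, pattern in RULES[m.group(1).lower()].items()
            if re.search(pattern, args, re.IGNORECASE)]

def scan_events(events: list[dict]) -> list[dict]:
    """Run process-creation events through the rules and keep only the hits."""
    hits = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits.append({"time": ev["time"], "host": ev["host"],
                         "rule": rule, "cmdline": ev["cmdline"]})
    return hits

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:12:03Z", "host": "WS01",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"time": "2024-03-01T09:12:04Z", "host": "WS01",
     "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"time": "2024-03-01T09:12:05Z", "host": "WS01",
     "cmdline": r"attrib +h +s C:\Users\Public\update.exe"},
    {"time": "2024-03-01T09:12:06Z", "host": "WS01",
     "cmdline": r"schtasks /create /xml C:\Users\Public\task.xml /tn Updater"},
    {"time": "2024-03-01T09:30:00Z", "host": "WS02",
     "cmdline": "schtasks /query /tn Updater"},      # benign: no rule covers /query
    {"time": "2024-03-01T09:31:00Z", "host": "WS02",
     "cmdline": "nltest /dclist:corp"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["host"]} {hit["rule"]}: {hit["cmdline"]}')
```

Note that a task created from an XML file fires only the XML-specific rule, and that a plain `schtasks /query` produces no alert, which keeps the rule set aligned with the three Schtasks actions listed above.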