It’s unfair. No one ever said it wasn’t. But it’s disheartening nonetheless to constantly know that we as security providers have an uphill and constant battle to protect our company resources and information technology assets from attack. The adage of getting it right every time seems to constantly play under that tired old cadence we know all too well. But what’s worse is when the attacks seem to originate from those technologies we have already “secured” within our internal environment, often without additional forethought from us as to the damage that can be done. After all, we trust these products to provide us with a baseline level of security, so why would they fail us?
Let’s take a brief look at ten native Windows 10 commands that come enabled, and which attackers may be using to circumvent or bypass our security controls, policies or high-priced security appliances, often without fear or detection or signature-tripping.
bcdedit
One of the few Windows 10 commands on this list that requires administrator-level privileges to run. Bcdedit allows a user to view and/or make changes to boot configuration data. This command allows for the storage of boot configuration parameters while controlling how the operating system is booted. Before you ask yourself why would an attacker waste his or her time, ask yourself how easy it was to trace the attack steps back to origin from your last security incident? Then factor this command into the equation. Most persistent and trained attackers will elevate to administrator level privileges at some juncture, and what better way for them to hide or obfuscate their attacks, or put them in “sleeper” mode for future use than with bcdedit? Still not convinced, run the bcdedit command with the /? option at the command line to view the particulars. Take a gander specifically at /bootsequence, /eventsettings, and /export and /import options. Now ask yourself if your IR team is aware of this command and all it does? How about the forensics group?
certutil
This is a favorite attack vector for one of my colleagues. He absolutely loves the idea of using this native Windows 10 command to base64 encode and decode files. It’s an excellent utility for moving data unseen or undetected out of the internal environment, past DLP software/hardware, or through/across trust-boundaries. In addition, it also supports hexadecimal making it even more attractive to attackers in some cases. While it comes with a bevy of options, our favorites as penetration testers are -encode and -decode. Need to upload an executable? Certutil for the win!
cipher
Cipher has been around for several Microsoft Windows iterations, and I’m constantly amazed at just how many administrators, and especially forensics investigators aren’t aware of this native command. Cipher contains a /W option that will systematically and securely erase unused disk space. For attackers, best of all, it’s freely available from the windows command line and doesn’t require administrative rights to run.
getmac
This nifty little utility may seem like a let-down when compared to other tools on this list, but it’s ever so handy for attackers. Best of all in addition to displaying all the network and interfaces/controllers MAC addresses on a system, passing it the /S option will allow it to connect remotely to another system. Might this be helpful when pivoting or performing lateral movement? Yes, we definitely think so.
manage-bde
Configures Bitlocker encryption from the command line. What else needs to be said? Oh yes, it also requires administrator level privileges, just like bcdedit to work. Check out the -status option for a quick eye-opener.
reg | regini
Two commands for the price of one. Both are native Windows 10 commands, and both largely can be used to set or change Windows registry permissions and values from the command line interface. As a value add, they can work remotely as well.
shutdown
This command is a guaranteed yawner for anyone with Linux or Unix experience, and may arguably garner some big deal sentiments. We can’t disagree. This command includes flags such as -fw that will force the machine to reboot to a particular state – in this case, firmware user interface. But forget all that, what’s especially nasty about this command is an attacker can schedule a shutdown ten – yes, 10 – years in advance! APT anyone?
vssadmin
As the name implies, this command also requires administrator level access, and is actually used to start the volume shadow copy service administrative client. So what’s the big deal here? It can put a serious damper in anti-forensics and IR/CERT teams by allowing attackers to list, resize and delete shadows.
wevtutil
This neat command starts the Windows Events command line utility; from here, an attacker can list, modify, clear and export log details. Be sure you’re performing centralized logging or logging elsewhere as well.
winrm
This command is used to start the CLI for Windows remote management. Again, enough said.
Honorable mentions:
• recover
• sfc
The above list contains just a few of the commands that ship natively with Windows 10 that might be being used against you by attackers. Hopefully, there weren’t too many surprises. But if there were, be sure to implement tighter controls and higher levels of scrutiny on your security and system administration teams. If these commands are not needed, consider disabling them whenever possible through GPO or similar means, or at the very least add alerting and monitoring signatures to your security tools and SOC teams so that early detection is likely.