Spot Insider Threats: 10 Commands Commonly Used During the Cyber Attack Cycle

Today, CyberArk announced a new capability that helps organizations automatically detect insider threats and accelerate incident response times. With this integrated release of CyberArk Privileged Threat Analytics and CyberArk Privileged Session Manager, customers can now receive customizable, prioritized alerts on high-risk user activity – during privileged sessions – to help security teams swiftly investigate and disrupt potential insider attacks.

Throughout the course of this release, we worked closely with our customers to understand their privileged threat detection needs and gain insight into how they prefer to receive alerts. Over the course of this process, we heard two pieces of feedback time and again.

First, customers want to customize detection capabilities so that, over time, they can tailor alerts to their specific needs. I’m happy to share that with this release we’ve provided that flexibility.

Second, because of our expertise in the privileged account security space, customers have asked us for ideas on what types of high-risk activity to look for initially. To help answer this question, we consulted with experts from CyberArk Labs and our customers’ security operations teams to develop a list of ten commands that are frequently associated with malicious – or accidentally damaging – behavior.

It’s always worth noting that no two situations are the same, so an action that may be harmless in one situation may create a major security issue in another. However, in the spirit of sharing what we learned, here are ten highly sensitive commands that were frequently cited as being indicative of risk:

  1. mmc.exe, Active Directory Users and Computers – This action opens a window in which a Windows user can add new user accounts to the domain. This could indicate that an attacker is creating backdoor access to establish persistence throughout the entire Windows domain.
  1. explorer.exe, User Accounts – As suggested by its name, this action opens a window in which a Windows user is able add new accounts to the system. This could indicate that an attacker is creating backdoor access to the system to establish persistence.
  1. regedit.exe, Registry Editor – This action opens a window that provides access to the Windows registry. From the registry, a user can change critical system configurations, alter security settings and access sensitive credential data on the system. CyberArk Labs research demonstrates how malicious users can alter registry settings to steal credentials.
  1. mmc.exe, Windows Firewall with Advanced Security – Access to the Windows Firewall enables users to modify security configurations on a system. Access to firewall settings may indicate that an attacker is disabling security controls on the machine to make the next steps of the attack chain easier.
  1. mmc.exe, Network Policy Server – The Windows Network Policy Server enables users to modify the network configuration. Access to this window could indicate that an attacker is enabling unauthorized access to or from the machine.
  1. authorized_keys – Commands containing “authorized_keys” can provide access to the authorized keys files on *nix systems. From this file, a user can add unauthorized SSH keys to the machine. Access to this file may indicate that an attacker is creating backdoor access to the system to establish persistence.
  1. sudoers – Commands containing “sudoers” can provide access to the sudoers file on *nix systems. Within this file, a user is able to manipulate user privileges on the system. Such an action could indicate that an attacker is granting unauthorized permissions to an account, which can be used at a later time to cause damage.
  1. :(){ :|: & };: – When entered on *nix systems, this sequence of characters operates a fork bomb to consume all machine resources and make the server unusable. These characters would not be entered accidentally, and thus represent an intentional attempt to harm the organization.
  1. tcpdump – When entered on *nix systems, this action dumps all accessible network packets. The use of this command may indicate that an attacker is attempting to learn about the communication channels of the machine and use that information to plan the next steps in the attack.
  1. rm – When entered on *nix systems, this command enables a user to delete files and directories. Such an action may indicate that a user is trying to harm the machine to potentially disrupt business.

While this list can be used as a starting point, it’s always important to keep in mind that every environment is different. When deciding which commands to detect initially, it’s important to consider what systems you run, what systems store your most sensitive information and what actions occur on a day-to-day basis within your organization. We’re here to help you understand potential risks and share knowledge from both our in-house and customer experts.

To learn more about our new ability to automatically detect potential insider threats, read this article.



Keep up-to-date on security best practices, events and webinars.

Share This