Excavating Command Line History for Live Response

Security researchers build their understanding of attackers’ actions slowly—over time and with considerable attention to subtle details. It’s not unusual to examine hundreds or thousands of artifacts to find just one that will shine the light on an attacker’s activity.

Recently, illusive networks’ security research team exposed two artifacts that significantly accelerate attack identification. This was first published March 2017 by eForensics Magazine with the article The Archeology of Live Response: Examining the Artifacts, by Tom Sela, Head of Security Research at illusive networks, which describes their findings.

The illusive team was building a “Live Response” tool for collecting real-time forensic information from compromised machines. Successful Live Response has a number of challenges. Because it has to run on a live machine with an active adversary, investigators must be able to remotely access and run code on the compromised machine, remain invisible to the attacker, and not contaminate the crime scene by leaving behind telltale tracks.

The SANS Institute has documented a number of artifacts that Live Response collects, such as running processes, running services, login information, open files, and others. The illusive team discovered two artifacts that didn’t appear on the SANS list but could reveal the entire attack stack in a single place.

“Attackers commonly use consoles to execute commands and malicious code written in scripting languages,” said Sela. “Therefore, if we have the command line history and console output, we could resolve attackers’ strategies much faster.”

After unsuccessfully trying several native solutions to retrieve command line history, the illusive team reverse-engineered the relevant components in the windows operating system. There they found two undocumented kernel32 functions that gave them what they were looking for—a way to retrieve command prompt history and console output from any kind of console.

“These two pieces of critical information enable command prompt history and console output artifacts to be examined in Live Response. They help document an attacker’s tactics much faster, which is vital for the security community. We’re recommending that more analysts collect them as part of forensic investigations. There might be additional artifacts that help Live Response, and we encourage the community to share their findings as well.”

For the full analysis and source code, access the article “The Archaeology of Live Response: Examining the artifacts”.