
Automating RMF Steps Using Lightweight Scripts and Tools

Author: Brett Fry, [email protected]
Advisor: Jonathan Risto

Accepted: September 19, 2022

Abstract

Many Risk Management Framework (RMF) steps and sub-tasks can be accomplished using small, lightweight tools and scripting. Only specific administrative tasks can be automated or inherited in Enterprise Mission Assurance Support Service (eMASS). This constraint results in many government organizations using different tools, creating their own standards, and often buying costly tools to capture all the information needed. This research will explore the many tools and techniques that can be leveraged to accomplish these steps and tasks using a set of scripts that focuses on efficiency and repeatability. Since RMF is not strictly a framework the United States government uses, this research will benefit the community by providing tools and techniques to generate specific information required for implementing the RMF process or data collection activities.
© 2022 The SANS Institute Author retains full rights.


1. Introduction

Many steps of RMF, the primary Risk Management Framework for the United States federal government, can be automated faster and more efficiently through scripting or lightweight open-source tools than through bulkier tools. Moreover, scripting can be used to baseline a system or network more efficiently and with more specific results than bulkier tools that are usually cost-prohibitive or resource hogs.

Using lightweight tools and scripts, an organization can automate many essential tasks in the Prepare step, which eMASS cannot. It can assist in assessing the effectiveness of the tools or security measures implemented in the Assess step and accomplish many of the tasks in the Monitor step.

These scripts and techniques will assist the cybersecurity community by proving the effectiveness of homegrown solutions and the benefits of collecting on multiple endpoints instead of on network devices, which often rely on bloated commercial tools or appliances that consume more resources.

1.1. RMF and eMASS

1.1.1. What is the Risk Management Framework (RMF)

The Risk Management Framework (RMF) provides a methodical and structured process that integrates information security and risk management activities into the system development life cycle.

1.1.2. What is Enterprise Mission Assurance Support Service (eMASS)

The United States government's system of record used to store information for the RMF process is eMASS. eMASS is a government-owned web application with a broad range of services for comprehensive, fully integrated cybersecurity management (Defense Counterintelligence and Security Agency). eMASS was developed by the Department of Defense, in part, as a repository that unites technical/machine data generated from endpoint scans with the human/non-technical data documented by security/IA personnel (SteelCloud, 2022). This process is often accomplished by manually following a checklist for each endpoint.

Author Name, email@address


1.2. The problems with RMF and eMASS

The RMF process can often be daunting and complicated. The federal government does not use a single automated solution or product to collect information or complete required tasks that must be input into eMASS. All information and artifacts must be uploaded into eMASS to gain authorization for use.

eMASS, despite the current built-in automation, is often burdensome since no single script or solution can generate the requested information in the desired format. Using third-party products or applications that require installation or allocation of resources will often require a lengthy review process. Due to these constraints, built-in tools are the perfect solution to this problem. However, the staff tasked with assessing and authorizing the systems or networks often have little experience with programming or scripting. Therefore, they will look to pre-built solutions, even if these generate more information than required. Organizations often have to invest significant money and resources in license fees for software that provides significantly more information than is needed and can greatly impact the application, system, or network performance. Since many applications are highly restricted, obtaining authorization to install or run an application against the application, system, or enclave usually requires detailed planning and a stringent approval process.

The benefit of developing a homegrown solution is that an organization can collect the specific information required to implement RMF. A homegrown solution can leverage the built-in tools available in eMASS to fully or partially automate the authorization process without buying new tools, paying license fees, or training personnel. This research targets particular areas that the current processes do not automate. Moreover, eMASS and RMF leverage the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assist in validating and measuring aspects.
2. Research Method

2.1. Lab Components and Functionality

The testing environment uses a combination of operating systems due to the nature of many businesses. The US Government, specifically the Department of Defense (DoD), relies heavily on Unix and Linux operating systems for backend, penetration testing, and tactical systems. Except for NASA, which uses Linux as its primary OS, most US Government workstations are Windows (Gunter, 2013). The test network shown in Figure 1 is a flat network intended to simulate part of a production network in a small office/home office environment.

Figure 1
Network Diagram

Since the focus is on RMF and automating the steps and tasks listed above, the network will simulate various operating systems. However, it can also be tailored or expanded to other networks. Each system on the network has a fresh install and has not been hardened in advance, in order to demonstrate the effectiveness of automating various aspects. Moreover, anti-virus has been disabled or modified to allow malware to infect each system.

2.2. Tools

Each tool was carefully chosen based on the following criteria:

1. Impact on the system or network resources
2. Efficiency / Ability to accomplish the task
3. Ease of Use
4. Ability to automate

Additionally, the ability to run without elevated privileges was preferred but not a sole determining factor. By using the resources on the system, an organization can reduce training requirements and the overall cost of additional tools, which often require additional training. Implementing a solution like this will typically require someone skilled in programming or an entire development team. It is important to note that the scripts can collect most of the required information, so administrator privileges were unnecessary for many tasks and information collection requirements. However, running the scripts as a privileged user or service is possible and can produce more detailed results and information.

Moreover, an organization can standardize the collection process by using a set of scripts. Furthermore, the organization can modify the scripts if additional requirements arise to collect the additional required information. The scripts use multiple methods to demonstrate the effectiveness of the tools commonly available to most users. Appendix A shows a detailed breakdown of the tools and scripts.

Many of the scripts developed can function on larger, more segmented networks that will allow for pivoting if desired. These are scalable for use in a domain environment, but the use cases will focus on a flat network given the size and mixed environment.

2.3. Research Methods and Testing

2.3.1. Quantitative Research Methods

The methods used to assess the effectiveness of each solution are multi-pronged. The scripts must complete a percentage of the RMF steps or sub-tasks. The scripts designed to assess and monitor must be able to detect abnormal network and system activity. The ability to detect or not detect a piece of malicious software using these tools will determine its overall effectiveness. Moreover, most scripts run multiple tools and compare the output to determine the effectiveness. Indicators of compromise would include unexplainable differences in the tools' output.
Lastly, the NIST Cybersecurity and Privacy Frameworks will be used to do a crosswalk with RMF to determine the percentage of each step that the scripts completed.

2.3.2. Experiments and Testing

Through rigorous and careful testing in a lab environment, this research demonstrated that using lightweight and tailored tools, an organization could accomplish many RMF steps and tasks through automation. Additionally, these processes simultaneously address the various aspects of the Cybersecurity Framework requirements.

After establishing the baseline, a series of tests took place to assess the effectiveness of the scripts. These tests included generating malicious traffic and installing malware on the VMs and IoT devices. After running the tests, the baseline was compared to the current state to determine the percentage of anomalies detected. This enabled the assessment of the implemented controls and remediation action using the assess scripts. Lastly, the systems and network were then periodically scanned to detect changes in the baseline for anomalous behavior which might indicate malicious activity.

The testing and experiments demonstrate the practical benefits of identifying various forms of malware using scripts. Coinminers and Trojan Horses were used based on industry findings that they are the most common types of malware in the wild (Center for Internet Security, 2022; Cybersecurity and Infrastructure Security Agency & Australian Cyber Security Centre, 2022; SonicWall Inc., 2022). However, the scripts also identified Command and Control (C2) communications.

3. Findings and Discussion (Exposition of the Data)

In the information security world, risks must be addressed and assessed. To effectively do this, many tools and resources can be used. However, at the fundamental level, the following actions must be performed: an inventory, baseline, assessment, and monitoring of applications, systems, and networks. In RMF, these actions are found in the Prepare, Assess, and Monitor steps.
3.1. Automation of RMF Steps and Tasks

Since the RMF process is vast, this research will strictly focus on the steps and tasks that are often manually completed or require significant information filtering if gathered by commercial tools. These tasks can be partially or fully automated using built-in applications or free and open-source software. Since RMF is not specifically for the US Federal Government and is a decent framework for information systems and security, this process can significantly assist those wishing to transition to this Risk Management Framework.

The three steps of the RMF Process that could greatly benefit from automation or partial automation are Prepare, Assess, and Monitor.

eMASS is currently unable to automate these steps or tasks. Therefore, an organization can automate information collection for the Prepare step through lightweight tools and scripts. The tools and scripts can also assess the effectiveness of the security measures implemented in the Assess step and accomplish many of the tasks in the Monitor step.

3.2. Automating the Prepare Step

The purpose of the Prepare step is to carry out essential activities at all levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.

This step is often one of the most protracted because all other efforts that follow use the information collected in this step. To accurately perform this step, the network's boundary must be defined, assets identified, and system stakeholders identified. Scanning the network to identify all systems residing within the network boundary can accomplish these tasks. All data generated from this step must be captured and documented.

The main tasks that can be automated are Baselining, Common Control Identification, System Stakeholders, Asset Identification, and Authorization Boundary.

3.2.1. Prepare Task 4 – Baselining

Baselining is an essential component of cybersecurity and often the foundation against which all future states and actions on a system or network are measured. Through scripting, baseline information can be collected for the enclave and later compared to the current configuration. This information can assist in detecting anomalies or changes in the network or systems. Since baseline information is essential in the future, it is crucial to determine what information is collected. More importantly, to speed detection, it is imperative to determine the best method of parsing the information and comparing it to a future state.

Baselining can be accomplished by collecting the system and network information or statistics and then storing the information in a format that can later be easily parsed or filtered to detect differences or deviations. This process cannot always be fully automated, but it can assist in detecting changes that require further review.

The prepare04 scripts collect all information and output it in the raw format first. Next, the scripts normalize the data and output the information to a comma-separated-value (CSV) or text format using UTF-8 encoding. This technique enables retention of the original file, faster change detection, and standardizes the format so that it can be read and parsed by all operating systems. The prepare04 scripts accomplished these tasks using various tools. While the raw output might look slightly different, the essential elements and parsed output are the same. Moreover, the prepare04 scripts include multiple demonstrations of gathering system information and hashing files. This implementation serves a dual purpose: first, to validate the results of the first tool, and next, to demonstrate the multiple ways to collect the information.

System and data integrity are essential elements of any organization's information. Hashing is a mechanism used to assist in ensuring integrity. The tools used for collecting and hashing the information will vary depending on the operating system, but the process is nearly identical. It is essential to use a robust hashing algorithm so that collisions are computationally infeasible.

For Windows systems, the PowerShell cmdlet Get-FileHash enabled the recursive generation of hashes for files to verify file integrity and future state comparison. Additionally, certutil.exe, installed as part of the Certificate Services, also accomplished the same function using the Windows command line.
Linux distributions come with numerous tools for hashing. Two command-line tools, shasum and sha256sum, were used to generate hashes and verify that the hashing information output was correct. As with their Windows counterparts, these programs were integrated into the scripts to hash files or folders.

Cross-platform tools, md5deep and hashdeep, are very robust. These programs are often the tool of choice for the public sector in the United States. Moreover, these tools served as a mechanism to validate that the file hashing output was accurate.

As demonstrated in Figure A1, the baseline_hash scripts gathered the required system file information and hashed it, accomplishing the sub-task of creating a baseline of the file system and folders. While this sub-task is not measurable per se, any person could test and validate the script's accuracy by running it against a folder or folders and then comparing them. Additionally, the baseline_hash scripts use SHA256 hashing, considered a very robust hashing algorithm and common throughout the industry (Schatten, 2021).
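The file-hashing baseline and the later comparison against it, as an added cross-platform example (not the paper's prepare04 or baseline_hash scripts): it walks a tree, hashes each regular file with SHA-256, stores the result as UTF-8 CSV, and diffs a fresh walk against the stored baseline. The folder and files built by demo() are constructed for illustration.

```python
"""Baseline file hashing and change detection, in the spirit of the prepare04 /
baseline_hash scripts.

Added example, not the paper's own script. It walks a directory tree, hashes
every regular file with SHA-256, writes the baseline to a UTF-8 CSV, and later
compares a fresh walk against that CSV to report added, removed and modified
files. The files created by demo() are constructed for illustration.
"""
import csv
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of one file, read in chunks so large files stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only regular files are hashed; links and devices are skipped
            # POSIX separators so the same key is produced on Windows and Linux
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def write_baseline_csv(baseline, csv_path):
    """Persist the baseline as UTF-8 CSV so any operating system can parse it later."""
    with open(csv_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "sha256"])
        for rel in sorted(baseline):
            writer.writerow([rel, baseline[rel]])


def read_baseline_csv(csv_path):
    """Load a baseline written by write_baseline_csv()."""
    with open(csv_path, newline="", encoding="utf-8") as fh:
        return {row["path"]: row["sha256"] for row in csv.DictReader(fh)}


def diff_baselines(old, new):
    """Compare two baselines; sorted lists of added, removed and modified paths."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a folder, let it drift, then diff the two states."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "enclave"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "bin.sh").write_bytes(b"#!/bin/sh\necho ok\n")
        csv_path = Path(tmp) / "baseline.csv"
        write_baseline_csv(build_baseline(root), csv_path)

        # Drift: one file edited, one removed, one new file dropped into a cron directory.
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n10.0.0.5 updates\n")
        (root / "bin.sh").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_bytes(b"0 2 * * * root /opt/job.sh\n")

        return diff_baselines(read_baseline_csv(csv_path), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The same build_baseline()/diff_baselines() pair can be re-run in the Monitor step to surface files that changed after authorization; every reported path is a candidate for review, not yet a finding.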
Next, ports, processes, services, and protocol information are collected and required to be uploaded in a specific format to eMASS.

Figure 2
Prepare04_netstat.bat Output

Note. On both Windows and Linux systems, the prepare04_netstat scripts identified all open or running ports on a system and output them to an easy-to-read file.

Since eMASS only requires the port and protocol information for the entire enclave, a separate file in the prepare04 scripts parses the information and outputs only the information required. A tool exclusive to Linux, ss, was also capable of providing the exact information required for eMASS.
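The port/protocol reduction just described, as an added example that is not the paper's prepare04_netstat script: it parses netstat output from both Windows and Linux, keeps only bound or listening sockets, collapses them into one enclave-wide (protocol, port) list in the two columns eMASS asks for, and flags ports absent from the baseline. Both netstat dumps are constructed, and netstat_command() assumes the `-ano` (Windows) and `-tulpn` (Linux) flag sets.

```python
"""Normalize netstat output from Windows and Linux into the enclave-wide
port/protocol list eMASS expects, and flag ports missing from the baseline.

Added example, not the paper's prepare04_netstat scripts. The dumps below are
constructed to mimic `netstat -ano` (Windows) and `netstat -tulpn` (Linux); the
command selection by sys.platform mirrors the OS-detection logic the paper
describes for its Python script.
"""
import csv
import io
import re
import sys

WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     13.107.4.52:443        ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    1480
"""

LINUX_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           530/dhclient
tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      2201/xmrig
"""


def netstat_command():
    """argv for the local netstat run, chosen by the sys.platform check."""
    if sys.platform.startswith("win"):
        return ["netstat", "-ano"]      # all sockets, numeric, with owning PID
    return ["netstat", "-tulpn"]        # tcp/udp listeners, numeric, with program


_ROW = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+"        # protocol column (tcp, tcp6, udp, udp6)
    r"(?:\d+\s+\d+\s+)?"                    # Linux-only Recv-Q / Send-Q columns
    r"(?P<local>\S+)\s+(?P<foreign>\S+)"    # local and foreign address
    r"\s*(?P<rest>.*)$",                    # state (TCP only) and PID/program
    re.IGNORECASE,
)


def parse_listeners(text):
    """Return [(proto, port, local_addr, owner)] for bound/listening sockets only."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                            # banners, headers, blank lines
        proto = m.group("proto").lower().rstrip("6")   # tcp6 -> tcp, udp6 -> udp
        addr, port = m.group("local").rsplit(":", 1)
        rest = m.group("rest").strip()
        # TCP rows carry a state: keep LISTEN / LISTENING, drop ESTABLISHED etc.
        if proto == "tcp" and not rest.upper().startswith("LISTEN"):
            continue
        owner = rest.split()[-1] if rest else ""   # PID (Windows) or PID/program (Linux)
        rows.append((proto, int(port), addr, owner))
    return rows


def enclave_ports(dumps):
    """Collapse per-host listeners into the sorted, de-duplicated (proto, port) list."""
    pairs = set()
    for dump in dumps:
        pairs.update((proto, port) for proto, port, _addr, _owner in parse_listeners(dump))
    return sorted(pairs)


def ports_csv(pairs):
    """UTF-8 CSV text with the two columns eMASS wants: Port, Protocol."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Port", "Protocol"])
    for proto, port in pairs:
        writer.writerow([port, proto.upper()])
    return buf.getvalue()


def new_ports(baseline_pairs, current_pairs):
    """Ports open now that were absent from the baseline: candidates for review."""
    return sorted(set(current_pairs) - set(baseline_pairs))


if __name__ == "__main__":
    current = enclave_ports([WINDOWS_SAMPLE, LINUX_SAMPLE])
    print(ports_csv(current))
```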

The specific tools in Windows and Linux environments vary slightly for collecting process information. This sub-task quickly identifies malicious applications by narrowing down changes in the system state.

Collecting processes in a Windows environment was accomplished using tasklist, wmic, and the PowerShell cmdlets Get-Process and Get-WmiObject. Microsoft has released a few robust programs as part of the Sysinternals Suite that can be run over the network or can locally investigate processes. PsList is one of the tools integrated into the Windows scripts and used to identify detailed information about running processes. For Linux systems, ps is the best tool for the job. The ps tool is much more robust than tasklist, and it is comparable to wmic, PowerShell, and Sysinternals PsList.

Figure 3
Prepare04_processes.sh Output

Note. The prepare04_processes.sh script uses ps and other built-in Linux tools to format the output. The prepare04_processes scripts collect user, process, parent process, and command line information and output it to an easy-to-read format. This information is later used to identify abnormal processes and "find evil."

However, collecting service information is much easier on a Windows system than on a Linux one. For the Windows systems, the scripts used the PowerShell Get-Service cmdlet and the command-line tools sc query and sc queryex to acquire the service information. However, in a Linux environment, the method for identifying and collecting service information varies depending on the distribution or system setup. One of Linux's most common methods of obtaining service information is the service --status-all command. On machines running systemd, the systemctl list-unit-files --type service --all command works best. Therefore, the scripts written for Linux-based systems enable users to select the method used to collect the information required.

In Windows and Linux environments, nmap, nc, and netstat can be used to identify ports, protocols, and services running. After identifying and uploading the information, anything outside these captured processes, ports, protocols, or services will be deemed abnormal in the future.

Next, eMASS requires that network statistics, system states, and firewall rules are identified and documented during this step. Both Windows and Linux have a built-in solution for identifying firewall rules. In a Windows environment, the netsh advfirewall firewall show rule name=all command will output the current firewall rules. The iptables -L command can identify current configurations in a Linux environment. The prepare04_firewall scripts output the current information as a text file, enabling the upload of the information.

Since many organizations have Python installed on their systems, a cross-platform solution to collect all the above information is using Python. This method is valuable since a single program collected and formatted all the information above using the os, hashlib, csv, numpy, and psutil libraries. There is no need to go into detail since specifics are within the Python scripts themselves and collecting most of the information leverages built-in tools for the operating systems.

Figure 4
Prepare04.py Code Snippet

Note. This code snippet demonstrates the logic used for the detection of the operating system using the platform attribute of the sys module (sys.platform) in Python.

Lastly, while only used for validation and collection of pcaps and statistics during this research, more robust tools like Wireshark, pktmon, and tcpdump can monitor and detect the ports and protocols running on a given system or network. Using these network monitoring tools to capture information over a specific period can significantly assist in identifying the requirements for network statistics.

Most importantly, the tools above and the prepare04 scripts collected and formatted all the required information for eMASS.

3.2.2. Prepare Task 5 – Identify Common Controls to Implement

The task aims to identify, document, and publish organization-wide standard controls available for inheritance by organizational systems. An essential element to note is that eMASS can automatically select controls for a system based on the inputs from the hardware and software asset inventory. Since RMF is not strictly limited to use by the US Government and eMASS is not accessible to private entities, a handful of common controls have been identified, and scripts have been used to validate them.

The example controls come from the Center for Internet Security (CIS) Benchmarks for a specific operating system. The scripts apply three common system hardening standards based on the operating system. The prepare5 scripts identified and applied all configuration changes designed to harden the system. However, Lynis, as shown in Figure A2, which is standard on many Linux systems, was used to identify any standard controls that should be implemented and are not.

The scripts designed for Windows systems extensively used reg query to locate the information and reg add to make modifications. However, the PowerShell scripts used the Get-Item, New-Item, and Remove-Item cmdlets to query, modify, and delete registry values. The scripts designed for Linux extensively used the cat, grep, and find tools. The output of these tools was then used to determine values and, if not hardened, to make the required changes.

3.2.3. Prepare Task 9 – Stakeholder Identification

Scripts enabled the partial automation of this task. The prepare09 scripts were able to determine what user accounts are on a system by default. If users already exist on a machine, the prepare09 scripts can determine which users have logged into a system and, based on this information, determine who the system owner or stakeholders might be. Moreover, the ability to identify newly created user accounts or administrators might be an indicator of compromise to identify malicious activity.

For Windows systems, the PowerShell cmdlets Get-LocalUser and Get-LocalGroup were two effective methods of collecting user and group information used in the prepare09 scripts. Other methods used for the Windows environment are net user and net localgroup. Since the lab environment does not contain an Active Directory setup, this research will not go in-depth about the tools available for this type of environment. Moreover, using the scripts enabled the correlation of users to groups.

For Linux systems, identifying users on the systems was accomplished using a similar process and filtering out any built-in accounts. Moreover, many Linux systems can identify users by searching the /home folder. Since automation is the key, the following commands were useful: cat /etc/passwd, cat /etc/group, getent passwd, and getent group. Other commands used were compgen -u or compgen -g. However, since these commands are not always on every Linux distribution, using the /etc/passwd and /etc/group files is the preferred method if running against multiple systems with different Linux distributions.

Overall, the prepare09 scripts quickly identified 100% of users and group accounts on each system. It is important to note that this task can only be partially automated; it still requires direct interaction and validation by a human. However, it is easy to determine who logged in to a system or who last logged into it through scripting. Moreover, it can determine what should be on the system. One approach is that an organization can filter out the built-in accounts. Then, using personnel data coupled with login information, an organization can detect any irregularities such as stale or rogue accounts.
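The Linux side of this task, as an added example that is not the paper's prepare09 script: it parses /etc/passwd and /etc/group text, filters out built-in accounts, correlates each user to its primary and supplementary groups, and lists the accounts a human should validate (extra UID 0 logins and administrative-group members). Both files are constructed, and the UID 1000 cutoff is an assumption taken from the usual login.defs UID_MIN default.

```python
"""Enumerate Linux accounts from /etc/passwd and /etc/group, separate human
accounts from built-in ones, correlate users to groups, and flag accounts that
need a human look.

Added example, not the paper's prepare09 scripts. Both files below are
constructed. The UID 1000 cutoff for human accounts is an assumption taken from
the common login.defs UID_MIN default and should be adjusted per distribution.
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
svc_backup:x:999:999::/var/backups:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
"""

GROUP_SAMPLE = """\
root:x:0:
sudo:x:27:alice,toor
users:x:100:
alice:x:1000:
bob:x:1001:
docker:x:998:bob
"""

# Shells that mark an account as non-interactive (service or system account).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Each passwd line -> dict(name, uid, gid, gecos, home, shell)."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text):
    """Each group line -> name: {gid, members}; members is the supplementary list."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def human_accounts(users, uid_min=1000):
    """Filter out built-in/system accounts: low UIDs and non-interactive shells."""
    return [u for u in users if u["uid"] >= uid_min and u["shell"] not in NOLOGIN_SHELLS]


def correlate_groups(users, groups):
    """user name -> sorted list of groups (primary group plus supplementary ones)."""
    gid_to_name = {g["gid"]: name for name, g in groups.items()}
    result = {}
    for u in users:
        member_of = {name for name, g in groups.items() if u["name"] in g["members"]}
        if u["gid"] in gid_to_name:
            member_of.add(gid_to_name[u["gid"]])
        result[u["name"]] = sorted(member_of)
    return result


def find_irregularities(users, groups, admin_groups=("sudo", "wheel", "admin")):
    """Accounts to validate by hand: extra UID 0 logins and admin-group members."""
    extra_root = sorted(u["name"] for u in users if u["uid"] == 0 and u["name"] != "root")
    admins = sorted({m for g in admin_groups if g in groups for m in groups[g]["members"]})
    return {"extra_uid0": extra_root, "admin_members": admins}


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    groups = parse_group(GROUP_SAMPLE)
    print([u["name"] for u in human_accounts(users)])
    print(correlate_groups(users, groups))
    print(find_irregularities(users, groups))
```

On a live host, replace the samples with the contents of /etc/passwd and /etc/group (or the output of getent passwd and getent group) and compare the human-account list against personnel data, as the paper suggests.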

3.2.4. Prepare Task 10 – Asset Identification

Asset identification is key to all security programs. Asset identification is so important in information security that it accounts for two of the Critical Security Controls (CSC): Inventory and Control of Enterprise Assets (CSC1) and Inventory and Control of Software Assets (CSC2). Organizations must identify what assets they have to protect their valuable resources and detect any rogue systems on the network. By conducting a thorough inventory of resources, an organization can identify what is inside the network and determine what needs to be protected.

During the Prepare step, eMASS requires each system's asset information: Hostname, IP Address, Virtual Asset, Manufacturer, Model, Serial Number, Operating System, and Memory Size. Next, eMASS requires inputting the following software information for Windows: Software Vendor, Software Name, and Software Version. For Linux systems, eMASS requires only the Software Name and Software Version.

The Windows system scripts used the PowerShell cmdlets Get-NetIPAddress, Get-NetConnectionProfile, Get-ComputerInfo, and Get-WmiObject. In the PowerShell scripts, two functions demonstrate how to accomplish the same task differently. Additionally, the batch scripts used the command-line wmic tools to accomplish these tasks. In Linux, this is not a straightforward process.

First, many methods exist for identifying the hardware information on a Linux system. Since a Raspberry Pi is a System on Chip (SoC) device, the hardware information was not in the traditional locations. Instead, it was located in /proc/device-tree/model rather than /sys/devices/virtual/dmi/id/. Using the same logic as with the Python scripts, an IF ELSE statement was used to detect if a file existed and, if it did not, then it parsed the information from the /proc/device-tree/model file. Next, identifying software will vary depending on the software installation method or Linux distribution. The two methods to locate the information needed were dpkg -l and apt list.

The prepare10 scripts quickly accomplished all requirements of this task. The only portion not automated by these scripts is the software type and software license information. This additional information can easily be input manually via eMASS. These scripts are designed for individual hosts but can be modified to run against multiple systems. As shown in Figure A3 and Figure A4, these scripts collected 100% of the hardware and software information required by eMASS. Even better, the scripts could format the output to match the required inputs by eMASS. Compared to the Cybersecurity Framework, all scripts identified 100% of the requirements to complete this step.
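The Linux hardware lookup with its device-tree fallback, plus the dpkg-based software list, as an added example that is not the paper's prepare10 script: hardware_info() takes a sysroot argument so the demo can point it at constructed /sys and /proc trees (use the default "/" on a real host), and parse_dpkg() reduces a constructed `dpkg -l` listing to the Software Name and Software Version pairs eMASS needs for Linux. The serial-number path under /proc/device-tree and the vendor/model/serial file names under the DMI directory are standard kernel names; reading product_serial normally requires root.

```python
"""Collect the Linux hardware and software facts eMASS asks for in Prepare
Task 10: manufacturer, model, serial and memory size, with the /proc/device-tree
fallback a Raspberry Pi needs, plus name/version pairs from `dpkg -l`.

Added example, not the paper's prepare10 scripts. hardware_info() takes a
sysroot so the demo can use constructed /sys and /proc trees; on a real host
call it with the default "/". The dpkg and meminfo text below is constructed.
"""
import re
import tempfile
from pathlib import Path

DPKG_SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version               Architecture Description
+++-=================-=====================-============-=====================
ii  curl              7.81.0-1ubuntu1.10    amd64        command line tool for transferring data
ii  openssh-server    1:8.9p1-3ubuntu0.1    amd64        secure shell (SSH) server
rc  snapd             2.58+22.04            amd64        Daemon and tooling that enable snap packages
"""

MEMINFO_SAMPLE = "MemTotal:        3885892 kB\nMemFree:          201104 kB\n"


def _read(path):
    """Read a small pseudo-file; device-tree strings are NUL-terminated, so strip that."""
    try:
        return Path(path).read_text(encoding="utf-8", errors="replace").strip("\x00\n ")
    except OSError:
        return ""   # missing file or no permission (product_serial is root-only)


def hardware_info(sysroot="/"):
    """Manufacturer/model/serial from DMI if present, else from the device tree."""
    root = Path(sysroot)
    dmi = root / "sys/devices/virtual/dmi/id"
    if (dmi / "product_name").exists():
        return {"manufacturer": _read(dmi / "sys_vendor"),
                "model": _read(dmi / "product_name"),
                "serial": _read(dmi / "product_serial"),
                "source": "dmi"}
    dt = root / "proc/device-tree"   # SoC boards such as the Raspberry Pi
    return {"manufacturer": "",
            "model": _read(dt / "model"),
            "serial": _read(dt / "serial-number"),
            "source": "device-tree"}


def memory_total_kib(sysroot="/"):
    """MemTotal in KiB from /proc/meminfo (eMASS 'Memory Size'); 0 if unreadable."""
    for line in _read(Path(sysroot) / "proc/meminfo").splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1])
    return 0


# Only 'ii' rows are installed packages; 'rc' rows are removed with config left behind.
_DPKG_ROW = re.compile(r"^ii\s+(?P<name>\S+)\s+(?P<version>\S+)\s+(?P<arch>\S+)\s+(?P<desc>.*)$")


def parse_dpkg(text):
    """[(Software Name, Software Version)] from `dpkg -l` output."""
    rows = []
    for line in text.splitlines():
        m = _DPKG_ROW.match(line)
        if m:
            rows.append((m.group("name").split(":")[0], m.group("version")))  # drop ':arch'
    return rows


def demo_hardware():
    """Constructed x86 (DMI) and Raspberry Pi (device-tree) sysroots."""
    with tempfile.TemporaryDirectory() as tmp:
        x86 = Path(tmp) / "x86"
        dmi = x86 / "sys/devices/virtual/dmi/id"
        dmi.mkdir(parents=True)
        (dmi / "sys_vendor").write_text("Dell Inc.\n")
        (dmi / "product_name").write_text("OptiPlex 7090\n")
        (dmi / "product_serial").write_text("CONSTRUCTED1\n")

        pi = Path(tmp) / "pi"
        dt = pi / "proc/device-tree"
        dt.mkdir(parents=True)
        (dt / "model").write_bytes(b"Raspberry Pi 4 Model B Rev 1.4\x00")
        (dt / "serial-number").write_bytes(b"10000000abcdef01\x00")
        (pi / "proc/meminfo").write_text(MEMINFO_SAMPLE)

        return {"x86": hardware_info(x86), "pi": hardware_info(pi),
                "pi_mem_kib": memory_total_kib(pi)}


if __name__ == "__main__":
    print(demo_hardware())
    print(parse_dpkg(DPKG_SAMPLE))
```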

3.2.5. Prepare Task 11 – Boundary Identification Documented

Through network scanning and boundary identification, a user can determine what devices are connected, their IP information, and where systems are located in relation to others. While the scripts written for this research incorporate the ability to navigate the network and collect information, the research network is flat and, therefore, this functionality is not explored in depth.

Both Windows and Linux environments use many of the same tools to accomplish this task. However, in a Windows environment, the netcat portable executable was used instead of nc. Moreover, since Windows has limited packet capture abilities, the Wireshark portable app was used to assist in baselining the network portion.

In a Windows environment, the command-line tools netsh interface ipv4 show neighbors, ipconfig, route, arp -a, and ping were very useful in collecting this information. The PowerShell Test-Connection and Get-NetNeighbor cmdlets were used to accomplish the bulk of the primary network discovery. Tools like netcat or nmap were used to automate network scans for more detailed network information.

In a Linux environment, as in Windows, a basic scan and information gathering were conducted using ping, ifconfig, ip route, ip addr, ip neigh, and arp -a. Since nc is already standard on many Linux systems, this tool is very efficient at providing detailed information on ports. Since nmap is often pre-installed on many Linux distributions and is easily scriptable, this research included it in the tests. By leveraging the tools above, the prepare11 scripts rapidly identified all systems within the network boundary and connected neighbors.
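The normalisation step that Prepare task 11 calls for, shown as an added example that is not the paper's prepare11 script: it parses the neighbour tables produced by Linux `ip neigh` and Windows `arp -a` into one inventory, drops broadcast and multicast rows that are not devices, and emits CSV. Both sample tables are constructed, and the CSV column layout is an assumption chosen for illustration, not the eMASS import format.

```python
"""Normalise neighbour tables from Linux `ip neigh` and Windows `arp -a` into
one inventory (added example; CSV columns are an assumption, not eMASS's)."""
import csv
import io
import ipaddress
import re

# Constructed sample output, not captured from the research network.
IP_NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.30 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

ARP_A_SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

def normalise_mac(mac):
    """Lower-case, colon-separated MAC so Windows and Linux entries compare equal."""
    return mac.lower().replace("-", ":")

def is_host_address(ip, mac):
    """Drop broadcast/multicast rows: they are not devices inside the boundary."""
    if ipaddress.ip_address(ip).is_multicast:
        return False
    return mac != "ff:ff:ff:ff:ff:ff"

def parse_ip_neigh(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "dev":
            continue
        ip, iface = parts[0], parts[2]
        mac = None
        if "lladdr" in parts:
            mac = normalise_mac(parts[parts.index("lladdr") + 1])
        state = parts[-1]  # NUD state is the last token (REACHABLE, STALE, FAILED, ...)
        if mac and is_host_address(ip, mac):  # FAILED entries carry no MAC and are skipped
            rows.append({"ip": ip, "mac": mac, "iface": iface, "state": state, "source": "ip neigh"})
    return rows

WIN_ROW = re.compile(r"^\s*(\S+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$")

def parse_arp_a(text):
    rows = []
    iface = None
    for line in text.splitlines():
        if line.startswith("Interface:"):
            iface = line.split()[1]  # local address the following table belongs to
            continue
        m = WIN_ROW.match(line)  # header row does not match, data rows do
        if not m:
            continue
        ip, mac, kind = m.group(1), normalise_mac(m.group(2)), m.group(3)
        if is_host_address(ip, mac):
            rows.append({"ip": ip, "mac": mac, "iface": iface, "state": kind, "source": "arp -a"})
    return rows

def sort_key(row):
    addr = ipaddress.ip_address(row["ip"])
    return (addr.version, addr)  # IPv4 and IPv6 addresses are not mutually comparable

def build_inventory(*row_lists):
    """Merge rows from several hosts/tools, keyed by IP; first sighting wins."""
    seen = {}
    for rows in row_lists:
        for r in rows:
            seen.setdefault(r["ip"], r)
    return sorted(seen.values(), key=sort_key)

def to_csv(rows):
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["ip", "mac", "iface", "state", "source"])
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(build_inventory(parse_ip_neigh(IP_NEIGH_SAMPLE), parse_arp_a(ARP_A_SAMPLE))))
```

On a real host the two sample strings would be replaced with the captured output of the commands; the merge step is where results from several collectors (ping sweep, nmap, per-host neighbour tables) are deduplicated before being recorded as the boundary.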


3.3. Automating the Assess Step

Scripting can identify common misconfigurations that might result in compromise. The Assess step aims to determine whether the selected controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization. During the Assess step, information collected during the Prepare step and the baselining process can help identify deficiencies in running configurations or support implementing a standardized hardening script to improve the system's overall security.

Standardizing systems and policies in a Windows environment with Active Directory becomes very simple. However, this infrastructure might be cost-prohibitive or unreasonable in a mixed environment or a small office/home office. During this step and the following step, the vulnerabilities and detection methods will vary depending on the specific operating system.
3.3.1. Assess Task 3 – Control Assessments

Automating this task requires using available benchmarks or secure baseline information. CIS Benchmarks are an excellent place to obtain information on a particular system or application and provide an overview of hardening standards and risks to systems. Tools such as Microsoft Baseline Security Analyzer and Lynis for Linux can also detect known issues that might need to be addressed.

The first thing to reference when assessing controls is any documentation regarding secure configurations of the specific application or system. Next, determine the implementation status of these configurations; if they are not applied, run scripts to apply them and address the vulnerability. The information required to complete this task is collected in the Prepare step. However, if it was not collected, this is the time to collect it or to run a script that identifies vulnerabilities and mitigates them. Using Boolean expressions and built-in tools in both Windows and Linux operating systems, a security professional can create a tool that identifies whether a control is implemented and also runs a test against it.

Lastly, assessing the control requires testing it to ensure it behaves correctly. The assess3 scripts were able to address all the use cases in this research. Later in this paper, this topic will be covered in more depth, but it is essential to point out that these processes occur at this step or later in the Monitor step.
3.3.2. Assess Task 4 – Assessment Reports

As with many commercially available tools, the report information can be partially automated using open-source tools or developed scripts. In this step, it is possible to determine whether the applied controls were successful using the information collected during the previous task. This step can be automated by running a compliance-checking script and determining whether the controls implemented and assessed were able to prevent or detect malicious actions. The Lynis tool, as shown in Figure 5, is a near-perfect product for producing assessment reports; however, custom scripts were developed to accomplish the same task. While Lynis is a near-perfect solution for identification, it does not have the ability to automate correction of the issues identified.

Figure 5
Lynis Output
3.3.3. Assess Task 5 – Remediation Actions

In this task, any configuration errors that might still exist after tasks 3 and 4 can again be programmatically addressed. These actions might entail data collection or the removal of malicious software. After remediation, Assess tasks 3 and 4 must be rerun to ensure that remediation has been successful.
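The assess, report, remediate, and re-assess loop that tasks 3 to 5 describe, as an added example rather than the paper's assess3/assess4/assess5 scripts. Each control is a Boolean check paired with a remediation; the runner records the state before and after, which is the report. The two controls (a `PermitRootLogin no` directive in an sshd_config-style file and a startup directory that must not be world-writable) act on a constructed, deliberately weak configuration under a temporary directory, so nothing on the real system is touched; the file names and the POSIX mode checks are assumptions for the demonstration.

```python
"""Assess -> report -> remediate -> re-assess loop for two sample controls
(added example; not the paper's assess3/assess4/assess5 scripts)."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Callable

@dataclass
class Control:
    cid: str
    description: str
    check: Callable[[], bool]       # True when the control is implemented
    remediate: Callable[[], None]   # applies the secure configuration

def read_directive(path, key):
    """Effective value of a 'key value' directive in an sshd_config-style file.
    sshd uses the first occurrence of a keyword, so this parser does the same."""
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == key.lower():
                return parts[1].strip()
    return None

def set_directive(path, key, value):
    """Rewrite the file so the directive has exactly one active occurrence."""
    with open(path) as fh:
        lines = fh.readlines()
    kept = []
    for line in lines:
        parts = line.split(None, 1)
        if parts and parts[0].lower() == key.lower():
            continue                      # drop every old occurrence
        kept.append(line)
    kept.append(f"{key} {value}\n")
    with open(path, "w") as fh:
        fh.writelines(kept)

def world_perms(path):
    """The 'other' permission bits (POSIX; not meaningful on Windows)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o007

def build_controls(root):
    cfg = os.path.join(root, "sshd_config")
    startup = os.path.join(root, "init.d")
    return [
        Control("CFG-01", "PermitRootLogin is set to no",
                lambda: read_directive(cfg, "PermitRootLogin") == "no",
                lambda: set_directive(cfg, "PermitRootLogin", "no")),
        Control("PERM-01", "startup script directory is not world-writable",
                lambda: (world_perms(startup) & 0o002) == 0,
                lambda: os.chmod(startup, 0o755)),
    ]

def assess(controls):
    """Assess tasks 3/4: evaluate each check and return the report."""
    return {c.cid: c.check() for c in controls}

def remediate_and_revalidate(controls):
    """Assess task 5: fix what failed, then rerun the assessment."""
    before = assess(controls)
    for c in controls:
        if not before[c.cid]:
            c.remediate()
    after = assess(controls)
    return {"before": before, "after": after,
            "remediated": [cid for cid in before if not before[cid] and after[cid]]}

def make_sample_system(root):
    """Constructed, deliberately weak configuration used only for this demo."""
    with open(os.path.join(root, "sshd_config"), "w") as fh:
        fh.write("# sample\nPermitRootLogin yes\nPasswordAuthentication yes\n")
    os.mkdir(os.path.join(root, "init.d"))
    os.chmod(os.path.join(root, "init.d"), 0o777)

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        make_sample_system(root)
        return remediate_and_revalidate(build_controls(root))

if __name__ == "__main__":
    for phase, result in run_demo().items():
        print(phase, result)
```

The "before" and "after" dictionaries are the assessment report; a control that is still False after remediation is the signal to stop automation and investigate by hand.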
3.3.4. Persistence

Using scheduled tasks, registry entries, crontab, initialization services, or scripts, malicious actors can enable persistence on a system. While the implementation and mechanisms for persistence vary by operating system, finding and identifying them is practically the same.

In a Windows environment, a user can quickly and easily create a script to parse through locations commonly used for persistence. The two main PowerShell cmdlets used for accomplishing this task were Get-ItemProperty and Get-ScheduledTask. Additionally, the command-line tools reg query and schtasks /query are just as capable. Using these tools enabled the creation of scripts to find specific indicators of compromise, modify the registry, and implement some persistence.

Within the Linux environment, identifying persistence is somewhat more complicated depending on the running distribution. However, two common methods of finding persistence are running a script that checks for cron jobs with crontab -l or reading the /etc/crontab file. Malware often attempts to maintain persistence on Linux using this method. However, if file or folder permissions are not properly set, an attacker can hide in numerous locations or maintain persistence using startup scripts. Some common locations for these scripts are /etc/inittab, /etc/init.d, /etc/rc.d, /etc/init.conf, /etc/init, /etc/rc, /sbin/rc, and /sbin/init.d.

Organizations can determine whether remediation is required by running the assess03_04 script to query current configurations and automated tasks. The services that need to be disabled will vary from organization to organization, and the scripts are designed to demonstrate one method of assessing controls. One limitation of the assess03_to_05 scripts for Linux is that they search only common startup locations. Due to the nature of Linux, a service can be run from any location. Cron jobs, however, can be viewed using crontab -l or cat /etc/crontab.

As shown in Figures A5, A6, and A7, tasks 3, 4, and 5 can be accomplished using the assess03_to_05 scripts to determine whether the actions are detected. If the changes are not functioning as planned, the assess03_to_05 scripts will run to remove or disable any unneeded tasks or services and validate that the controls are implemented and functional. The scripts identified the state of the control. If a concern was identified, the scripts prompted the user to take remediation action. If remediation action was taken, the scripts validated the new state of the control.
3.4. Automating the Monitor Step

The purpose of the Monitor step is to maintain ongoing situational awareness of the security and privacy posture of the information system and the organization in support of risk management decisions. Windows and Linux both have built-in features to accomplish this step.

3.4.1. Monitor Task 1 – System and Environment Changes

Using hashtables and arrays to compare current data with the baseline data enabled the rapid detection of changes in the system and environment. Comparing the baselines to a specific running state is similar across the different operating systems. However, the normalized data generated in the Prepare step determined how quickly the system and environment changes were detected. On a Windows system, comparing two files using the PowerShell Compare-Object cmdlet was the best solution. However, Windows systems do not possess a very robust tool for comparing files outside of PowerShell. The rudimentary tools fc.exe and comp.exe can be used but often generate more information than is practical or desired.

Linux distributions ship with many robust tools for comparing files or hashes. Since the number of applications commonly found on Linux is so vast, the research focused on the most common and on those that can rapidly detect changes with ease. The diff, colordiff, cmp, sdiff, emacs, and vimdiff tools detected changes rapidly on Linux. Another standard is Meld; while this is a GUI-based tool, it is very robust and capable of detecting changes. Moreover, Python's filecmp module can quickly detect differences in text-based documents.

3.4.2. Hashing and Change Detection

Hash and change detection conducted in the Monitor step is crucial to finding issues with processes, services, files, folders, and system changes in general. Malware often attempts to hide on a system by masquerading as another process or file or by outright replacing it. These changes can be detected by taking the information collected during baselining in the Prepare step and using it in the Assess and Monitor steps.

Figure 6
Monitor01_process.ps1 Output

Note. This output is not abnormal. If an executable path or name changed, that would be a concern, but new or missing processes are not necessarily indicators of compromise. New processes should be examined but could be a standard deviation from the baseline.

Figure 6 demonstrates how to identify new, missing, or changed elements using hashtables to compare the different elements in the arrays of imported data. Using the baseline information, the monitor01 scripts detected all the changes in minutes. While changes are not always specific indicators of malicious action, these scripts were able to detect changes in critical files, processes, and services. This detection method is handy in detecting malware. Most importantly, it can detect actual indicators of compromise and known malicious hashes. Identifying malicious hashes can be done by feeding the hashes of the collected files to a service like VirusTotal.
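The hashtable comparison that Figure 6 illustrates and the hash-based matching described in 3.4.2, as one added example (not the paper's monitor01 scripts). A snapshot is a dictionary keyed by name holding path and SHA-256; comparing two snapshots yields new, missing, and changed entries, with the reason for each change (path moved, content changed, or both), and a second pass matches the current hashes against a local indicator set. The baseline and current states and the indicator hash are all constructed for the demonstration; in production the content bytes would come from disk and the indicator set from a feed or a service like VirusTotal.

```python
"""Baseline-versus-current comparison using dictionary lookups, plus hash IoC
matching (added example, not the paper's monitor01 scripts)."""
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def snapshot(entries):
    """entries: iterable of (name, path, content_bytes) -> {name: {path, sha256}}.
    On a live system the bytes are read from disk; here they are constructed."""
    return {name: {"path": path, "sha256": sha256_hex(content)}
            for name, path, content in entries}

def compare_snapshots(baseline, current):
    """New / missing / changed, where 'changed' records why (path and/or hash)."""
    base_keys, cur_keys = set(baseline), set(current)
    changed = {}
    for name in base_keys & cur_keys:
        b, c = baseline[name], current[name]
        reasons = []
        if b["path"] != c["path"]:
            reasons.append("path")      # same name launched from a different location
        if b["sha256"] != c["sha256"]:
            reasons.append("hash")      # content replaced
        if reasons:
            changed[name] = reasons
    return {"new": sorted(cur_keys - base_keys),
            "missing": sorted(base_keys - cur_keys),
            "changed": changed}

def match_known_bad(current, bad_hashes):
    """Names whose current hash appears in the indicator set."""
    return sorted(name for name, meta in current.items() if meta["sha256"] in bad_hashes)

# Constructed sample states (paths and contents invented for the demo)
BASELINE = snapshot([
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", b"svchost-v1"),
    ("explorer.exe", r"C:\Windows\explorer.exe", b"explorer-v1"),
    ("updater.exe", r"C:\Program Files\Vendor\updater.exe", b"updater-v1"),
])
CURRENT = snapshot([
    ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", b"svchost-v1"),  # same hash, moved
    ("explorer.exe", r"C:\Windows\explorer.exe", b"explorer-v2"),                       # content changed
    ("helper.exe", r"C:\Users\alice\AppData\Roaming\helper.exe", b"dropper"),           # new
])
KNOWN_BAD = {sha256_hex(b"dropper")}   # constructed indicator set, not a real IoC

def run_demo():
    return {"diff": compare_snapshots(BASELINE, CURRENT),
            "known_bad": match_known_bad(CURRENT, KNOWN_BAD)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The "path" reason is the case the Figure 6 note singles out: a familiar process name running from a user-writable directory deserves a look even when its hash is unchanged, while a brand-new entry with a hash that matches an indicator is the strongest signal this comparison produces.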
3.4.3. Evasion Detection

It is crucial to monitor all environments for signs of detection evasion. Often the most common method of hiding information is changing attributes to hidden. Additionally, Alternate Data Streams (ADS) can be used on Windows systems to hide information from view. Since there are legitimate uses for Alternate Data Streams, the scripts only identify the Zone.Identifier streams and not $DATA streams. On the Windows systems, the monitor01_evasion_detection scripts used the PowerShell cmdlet Get-ChildItem and the command-line tools dir /r and streams -s to identify all Alternate Data Streams, as shown in Figure A8. The scripts used the PowerShell cmdlet Get-ChildItem -Force and the command-line tool dir /a:h /s to locate all hidden files and folders.

The monitor01_evasion_detection scripts for Linux used the find, ls -a, and dir -a tools to locate all hidden files and folders. It is important to note that Alternate Data Streams in Linux are just regular files and, therefore, not hidden from view. However, in both environments, the monitor01_evasion_detection scripts identified 100% of the hidden files and folders searched for on each system, as demonstrated by Figure A9 and Figure A10. While hidden files or folders are not always indicative of compromise, ensuring they are identified can be used to detect deviations from the baseline. If an unexpected or unexplainable file is detected, as shown in Figure 7, it should be investigated.

Figure 7
Compare-HiddenFilesList.ps1 Output

Note. This output is not abnormal. It only indicates that a new hidden file was located.
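An added example (not the paper's monitor01_evasion_detection scripts) that enumerates hidden entries on either platform and parses the Zone.Identifier stream that Windows writes to downloaded files. On Linux "hidden" means a leading dot; on Windows the hidden attribute bit is read from `st_file_attributes`, which Python exposes only there, and the stream is opened as `<file>:Zone.Identifier`. The directory tree is built under a temporary directory and the stream text is constructed; the zone-name table follows the documented ZoneId values.

```python
"""Find hidden files cross-platform and parse a Zone.Identifier stream (added
example, not the paper's monitor01_evasion_detection scripts)."""
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows attribute bit; st_file_attributes exists only on Windows

def is_hidden(path):
    """Leading-dot name (Unix convention) or the Windows hidden attribute."""
    if os.path.basename(path).startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # 0 on non-Windows
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def find_hidden(root):
    """Relative paths of hidden files and directories under root, sorted."""
    hidden = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_hidden(full):
                hidden.append(os.path.relpath(full, root))
    return sorted(hidden)

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] section; ZoneId becomes an int plus a name."""
    info = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "ZoneTransfer":
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    if "ZoneId" in info:
        info["ZoneId"] = int(info["ZoneId"])
        info["ZoneName"] = ZONE_NAMES.get(info["ZoneId"], "Unknown")
    return info

def read_zone_identifier(path):
    """On NTFS the stream is addressed as '<file>:Zone.Identifier'; elsewhere it does not exist."""
    try:
        with open(path + ":Zone.Identifier") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

# Constructed stream content of the kind a browser writes for an Internet download.
SAMPLE_ZONE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=https://example.com/\r\nHostUrl=https://example.com/tool.exe\r\n")

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".cache"))
        for name in [".bash_history", "notes.txt", os.path.join(".cache", "x")]:
            open(os.path.join(root, name), "w").close()
        hidden = find_hidden(root)
    return {"hidden": hidden, "zone": parse_zone_identifier(SAMPLE_ZONE)}

if __name__ == "__main__":
    print(run_demo())
```

A ZoneId of 3 (Internet) on an executable in an unusual directory is the combination worth reviewing; the list returned by `find_hidden` is meant to be saved during the Prepare step and diffed later, exactly as Figure 7 shows for hidden files.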
3.5. Remote Admin Tools

3.5.1. PSEXEC.EXE

PsExec is a lightweight tool that allows executing processes on other systems, complete with full interactivity for console applications, without needing to install client software manually.

Using the psexec scripts, it can be determined whether remote administrative tools were used on or against a Windows system. The scripts query the status of registry keys and system logs to detect the use of PSEXEC. If nothing is detected, the psexec scripts were able to remediate this and enable command-line auditing. The scripts detected each instance in which the registry was modified, resulting in a 100% detection rate. This script was successful because PSEXEC requires acceptance of the EULA before use, and this action creates a registry artifact on the system. As shown in Figure A11, this task can be assessed by running PSEXEC on the system. If the script above identifies the use of PSEXEC, it is successful. If PSEXEC is not detected, remediation actions should be taken.

The psexec scripts can be used to harden the system by enabling auditing of processes and the command line. They can also block PSEXEC outright if it is not a standard tool used in that organization. The monitoring task was addressed using a scheduled task that periodically runs the psexec_query scripts on Windows and alerts anyone who logs in if the use of PSEXEC is detected. Since PSEXEC can be a legitimate administrative tool, administrators should review alerts and correlate the time with a specific action. Otherwise, they need to review Assess steps 3 and 4.
3.5.2. SSH

While SSH is a typical remote administration tool, monitoring is still essential. The network_forensic scripts look for information inside log files to accomplish this task. Moreover, the service status can be checked, and the service disabled, by the ssh scripts. Tools like fail2ban can detect and respond to multiple bad authentication attempts without locking the account, instead leveraging iptables to restrict the offending network or IP address.

It is best practice to disable unneeded or unused services. If ssh is not required, it can and should be turned off. The ssh scripts can identify whether the service is running. The ssh scripts can stop and disable the service and create a cron job that periodically queries the log files for specific terms and sends an alert if something is detected. Using the information in Assess task 3, users can check the status of the service. If it is running, it can be stopped, or a task can be created to query the ssh logs. If the service is needed and running, it can be tested by logging in multiple times using incorrect information. If fail2ban is configured, it should block after three tries, and the log queries should create entries for each failed attempt. If this is not successful, it can be remediated by rerunning the ssh scripts and manually checking the status using the service or systemctl commands.

The ssh_monitor script checks whether ssh is enabled. If it is, it then checks whether fail2ban is installed and installs it if not. Next, it creates an iptables rule and a cron job to schedule periodic querying of the ssh logs.
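The log query that the cron job above performs, as an added example (not the paper's ssh or ssh_monitor scripts): it parses sshd lines in syslog format, counts failed logins per source address, flags sources that reach the three-attempt threshold the section mentions, and separately reports a source that succeeded after failing, which deserves a closer look. The log lines are constructed and use documentation address ranges; the message formats match what OpenSSH writes for failed, invalid-user, and accepted logins.

```python
"""Count failed SSH logins per source from auth.log-style lines and flag the
sources over a threshold (added example, not the paper's ssh scripts)."""
import re
from collections import Counter

# Constructed sample log lines (syslog format), not captured from a real host.
SAMPLE_AUTH_LOG = """\
Aug 19 10:01:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Aug 19 10:01:05 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Aug 19 10:01:09 host1 sshd[2105]: Failed password for root from 203.0.113.5 port 51024 ssh2
Aug 19 10:02:11 host1 sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:constructed
Aug 19 10:03:40 host1 sshd[2120]: Failed password for alice from 198.51.100.20 port 40030 ssh2
Aug 19 10:03:41 host1 sshd[2122]: Accepted password for alice from 198.51.100.20 port 40030 ssh2
Aug 19 10:05:00 host1 sshd[2130]: Invalid user oracle from 203.0.113.9 port 33001
"""

FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
INVALID = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

def parse_auth_log(text):
    """One event dict per recognised sshd line; unrecognised lines are ignored."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("failed", FAILED_PW), ("failed", INVALID), ("accepted", ACCEPTED)):
            m = rx.search(line)
            if m:
                events.append({"kind": kind, "user": m.group("user"), "ip": m.group("ip"), "line": line})
                break
    return events

def failures_by_source(events):
    return Counter(e["ip"] for e in events if e["kind"] == "failed")

def flag_sources(events, threshold=3):
    """Sources with at least `threshold` failures (the section configures fail2ban to block after three)."""
    counts = failures_by_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def success_after_failures(events):
    """Accepted logins from a source that had already failed in this log window."""
    seen_fail = set()
    hits = []
    for e in events:
        if e["kind"] == "failed":
            seen_fail.add(e["ip"])
        elif e["ip"] in seen_fail:
            hits.append((e["ip"], e["user"]))
    return hits

if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures:", dict(failures_by_source(ev)))
    print("blocked at 3:", flag_sources(ev))
    print("success after failure:", success_after_failures(ev))
```

When run from cron the text would come from /var/log/auth.log (or `journalctl -u ssh` on journald systems), and any non-empty result from `flag_sources` or `success_after_failures` is what the alert should carry.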
3.6. Credential Dumping

Credential dumping is the process of stealing or collecting passwords from a system. Tools like mimikatz can dump credentials on a system with relative ease.

3.6.1. Windows – Assess Tasks

Automating this requires running the credentialGuard scripts. If Credential Guard is not enabled, it will be selected as a control for this task. The credentialGuard scripts can verify the registry values and determine whether Credential Guard is enabled. If Credential Guard is not enabled, the credentialGuard scripts will enable it. Furthermore, the scripts will prompt the user to ask whether they would like to harden other password protection mechanisms available in Windows.

3.6.2. Windows – Monitor Task

The Sysmon tool by Sysinternals can detect lsass credential dumping. By running this tool, users can automate monitoring the system for this malicious behavior.

3.6.3. Linux – Assess Tasks

Automating this task requires running the assess03 scripts and Lynis. These scripts will detect system settings. If the file and folder permissions are not correctly applied to system files, they can allow access to the /etc/passwd and /etc/shadow files, thus enabling attackers to dump the credentials and later crack them. The assess04 scripts will in turn verify that the appropriate files and folders are hardened to prevent access or copying. Next, Lynis will be run to verify a secure configuration. If a secure configuration is not in place, the assess05 scripts can automate all the required changes.

3.6.4. Linux – Monitor Task 1

Using Tripwire or AIDE to monitor files and folders can alert on and log any changes or attempts at unauthorized access.
3.7. Anomalous Network Behavior and C2 Channels

3.7.1. Host-Based Detection

Netstat and ss are two methods of detecting C2 or anomalous activity on a single system. In a Linux environment, scanning /proc/ and using lsof are terrific methods of finding hidden processes and activities. In a Windows environment, netsh and pktmon can be used to detect malicious traffic. On most Linux systems, iptables can also be used to detect and log unusual traffic. These command-line tools often go overlooked, since GUI tools or network-based firewalls provide simple filtering of the activity with little training. However, these tools can enable a user or administrator to detect malicious activity quickly. Using the network_forensics, prepare04, and monitor01 scripts detected all anomalous C2 traffic in minutes.
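Host-based detection from the connection table, as an added example (not the paper's network_forensics script): it parses `ss -tnp` output from Linux and `netstat -ano` output from Windows into one list, flags connections that leave the documented boundary on an unexpected port or belong to a process not baselined as network-capable, and scores connection timing for beacon-like regularity. The two tables, the internal network, the allowlists, and the timestamp series are all constructed; the regularity score (coefficient of variation of the gaps between connections) is the author's choice of metric, not one from the paper.

```python
"""Parse 'ss -tnp' (Linux) and 'netstat -ano' (Windows) into one connection list,
flag outliers, and score beacon-like timing (added example, not the paper's
network_forensics script)."""
import ipaddress
import re
import statistics

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      192.168.1.10:44312   198.51.100.20:443  users:(("firefox",pid=1234,fd=56))
ESTAB  0      0      192.168.1.10:51877   203.0.113.77:8443  users:(("kworker",pid=4321,fd=3))
ESTAB  0      0      192.168.1.10:22      192.168.1.5:50122  users:(("sshd",pid=999,fd=4))
"""   # constructed

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49720     203.0.113.77:8443      ESTABLISHED     5120
  TCP    192.168.1.10:49721     198.51.100.20:443      ESTABLISHED     1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
"""   # constructed

INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # constructed boundary from Prepare task 11
SS_PROC = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def split_addr(s):
    host, _, port = s.rpartition(":")
    return host.strip("[]"), int(port)

def parse_ss(text):
    conns = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 5 or f[0] != "ESTAB":
            continue
        rip, rport = split_addr(f[4])
        m = SS_PROC.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        conns.append({"remote": rip, "port": rport, "pid": pid, "proc": proc, "src": "ss"})
    return conns

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue                             # skips the header and listening sockets
        rip, rport = split_addr(f[2])
        conns.append({"remote": rip, "port": rport, "pid": int(f[4]), "proc": None, "src": "netstat"})
    return conns

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_connections(conns, allowed_ports=(22, 80, 443), allowed_procs=("firefox", "sshd")):
    """Suspicious: leaves the boundary on an unexpected port, or the owning
    process (when known) is not one baselined as network-capable."""
    flagged = []
    for c in conns:
        bad_port = is_external(c["remote"]) and c["port"] not in allowed_ports
        bad_proc = c["proc"] is not None and c["proc"] not in allowed_procs
        if bad_port or bad_proc:
            flagged.append(c)
    return flagged

def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections: near 0 means
    metronomic check-ins; None when there are too few gaps to judge."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

BEACON_TIMES = [0, 60, 121, 180, 241, 300]      # constructed: ~60 s check-ins, 1 s jitter
BROWSING_TIMES = [0, 4, 90, 93, 400, 402]       # constructed: bursty interactive traffic

def run_demo():
    conns = parse_ss(SS_SAMPLE) + parse_netstat(NETSTAT_SAMPLE)
    return {"conns": conns, "flagged": flag_connections(conns),
            "beacon_cv": beacon_score(BEACON_TIMES), "browse_cv": beacon_score(BROWSING_TIMES)}

if __name__ == "__main__":
    r = run_demo()
    print("flagged:", [(c["pid"], c["remote"], c["port"]) for c in r["flagged"]])
    print("beacon cv %.3f, browsing cv %.3f" % (r["beacon_cv"], r["browse_cv"]))
```

The connection parsers give a point-in-time view; the timing score needs repeated samples of the same remote address, which is what a scheduled run of this parser over several minutes provides.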
3.7.2. Traffic Detection

While netsh, iptables, pktmon, netstat, and ss are all beneficial and capable tools, there are times when tools designed to scan the network or capture traffic are required. Tools like nmap, p0f, tshark, and tcpdump are all capable of performing these tasks and can be automated. Moreover, while slightly outside the scope, a portable executable of Wireshark can be used for graphically viewing and filtering captured pcaps. It can also be used to collect the network information, after which the tools above can filter out the relevant information.

The network_forensics scripts developed could detect anomalous behavior, specifically through the functions that focus on system detection. Since tcpdump, tshark, p0f, and pktmon typically require human interaction to look for specific anomalous activity, the functions in the script focused on this task require user input. Therefore, results will vary based on the skill or experience of the user. However, using pcaps with specific known anomalous activity, the script could identify User-Agent strings, known malicious IP addresses, scanning, and packet crafting.
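The three pcap checks named above (odd User-Agent strings, known malicious addresses, scanning), implemented as an added example that is not the paper's network_forensics script. Rather than parsing packets directly, it consumes a tab-separated field export of the kind `tshark -T fields` produces, which keeps the hunting logic independent of the capture tool. The export text, the User-Agent allowlist, the indicator address, and the sweep threshold are all constructed or assumed for the demonstration.

```python
"""Hunt in a tshark field export for odd User-Agent strings, known-bad peers,
and port sweeps (added example, not the paper's network_forensics script).
Assumed export command (fields in this order, tab separated):
  tshark -r capture.pcap -T fields -E separator=/t \
    -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e http.user_agent"""
from collections import defaultdict

FIELDS = ["time", "src", "dst", "dport", "ua"]

# Constructed export: two normal web requests, two odd clients, one port sweep.
SAMPLE_EXPORT = "\n".join([
    "1660900000.10\t192.168.1.10\t198.51.100.20\t443\t",
    "1660900001.20\t192.168.1.10\t198.51.100.20\t80\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/103.0",
    "1660900002.00\t192.168.1.10\t203.0.113.77\t80\tpython-requests/2.28.1",
    "1660900003.00\t192.168.1.10\t203.0.113.77\t8080\tMozilla/4.0",
] + [f"1660900010.{i:02d}\t203.0.113.9\t192.168.1.10\t{port}\t"
     for i, port in enumerate(range(20, 35))]) + "\n"

def parse_tshark_fields(text, fields=FIELDS):
    """One dict per line; missing trailing fields become empty strings."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(fields) - len(parts))
        row = dict(zip(fields, parts))
        row["time"] = float(row["time"])
        row["dport"] = int(row["dport"]) if row["dport"] else None
        rows.append(row)
    return rows

EXPECTED_UA_PREFIXES = ("Mozilla/5.0",)   # assumed allowlist taken from the environment's baseline

def odd_user_agents(rows, allowed=EXPECTED_UA_PREFIXES):
    """Requests whose User-Agent is present but not one the baseline expects."""
    return [r for r in rows if r["ua"] and not r["ua"].startswith(allowed)]

def known_bad_contacts(rows, bad_ips):
    return [r for r in rows if r["src"] in bad_ips or r["dst"] in bad_ips]

def detect_port_sweeps(rows, min_ports=10, window_s=60.0):
    """One source touching many distinct ports on one target within a short window."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["dport"] is not None:
            by_pair[(r["src"], r["dst"])].append((r["time"], r["dport"]))
    sweeps = []
    for (src, dst), hits in by_pair.items():
        times = [t for t, _ in hits]
        ports = {p for _, p in hits}
        if len(ports) >= min_ports and max(times) - min(times) <= window_s:
            sweeps.append({"src": src, "dst": dst, "ports": len(ports)})
    return sweeps

KNOWN_BAD = {"203.0.113.77"}   # constructed indicator list, not a real IoC

def run_demo():
    rows = parse_tshark_fields(SAMPLE_EXPORT)
    return {"rows": len(rows),
            "odd_ua": [r["ua"] for r in odd_user_agents(rows)],
            "bad": sorted({r["dst"] for r in known_bad_contacts(rows, KNOWN_BAD)}),
            "sweeps": detect_port_sweeps(rows)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Because the checks run over an export rather than the pcap, the same functions serve tshark today and any other tool that can emit the same five columns tomorrow; the allowlist and thresholds are the parts an analyst tunes per environment, which is where the paper notes results depend on the operator.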
3.7.3. Intrusion Detection

Using honeyports, netsh, and iptables, all traffic directed at these systems was detected. While not always the case, honeyports can be used to identify malicious activity and block it quickly. Since it is a cross-platform solution, it can be used to automate the detection of scans and leverage netsh or iptables to alert on and block anomalous activity. These tools, therefore, can serve to automate the monitoring tasks.
3.8. Malicious Code Identification

Using many of the tools outlined earlier in the research, users can combine them to detect infections on an operating system. The scripts used were explicitly created to detect specific pieces of malware and the changes made in the environment. However, it is essential to note that the Compare scripts and the information collected in the baseline process also detected the file changes.

3.8.1. Cryptominer

According to researchers at Trend Micro, one of the most common virus types targeting users is crypto miners (Oliveira & Fiser, 2020). While these might appear harmless, they can consume resources, reduce performance, and open additional backdoors that malicious actors can leverage. For this reason, they must be detected early. The task of locating active crypto miner viruses for Linux was near impossible. Of the fifteen attempts, none were functional. The issue seems to be that domain registrars and ISPs block nearly all C2 communication or shut down the C2 sites. However, the executable worked on Windows, but only on the 64-bit OS. This virus behaved very strangely. It appeared to make a massive number of requests, which did not require a script to identify because it was that obvious. Next, the malicious network traffic was so obvious using netstat that it enabled the quick identification of the malicious processes. Some running processes were hidden, which is another red flag, but these processes can be identified. Multiple registry changes were made, and a handful of files were changed, missing, or created in the filesystem. Most were stored within User\<Username>\App folders. The virus appeared to have issues connecting to some of its IP addresses, but it seems to connect to many at once. Moreover, using the network_forensic scripts, User-Agent strings and known malicious IP addresses were detected.
3.8.2. Windows – Assess Tasks

On a Windows system, the control identified was DisableRunOnce and user access to the registry. Using this information, the coinminer script can validate that RunOnce and user access to the registry are disabled. Next, the coinminer script can make the appropriate changes to the registry, specifically the DisableRunOnce key and user registry access.

3.8.3. Windows – Monitor Task 1

With this specific virus, many indicators of compromise were rapidly detected using the basic scripts based on changes in the environment. The coinminer scripts were created to periodically query the registry, scheduled tasks, processes, services, known file locations, and outbound network connections for the IOCs and generate an alert. These scripts worked but were unnecessary, since the virus was obvious and CPU usage was near 100%.
3.8.4. Trojan – Remote Access Tool (RAT)

SysJoker is a cross-platform remote access trojan (RAT) that targets multiple operating systems and could provide advanced backdoor capabilities to attackers (Mechtinger et al., 2022). While the other malware above only impacts Windows systems, this virus can infect multiple operating systems.

Given that this virus is a Trojan horse, the best prevention method is training users and administrators to continually validate the checksum of any software they wish to install and ensure it is from a known or trustworthy source. However, while prevention is ideal, detection is a must. Therefore, using a combination of the tools created to detect persistence, hashing, and beaconing, the malware could be detected and removed.

The scripts could detect the filesystem changes, persistence mechanism, and newly created processes by comparing the baseline to the current running configuration. Using the hashes enabled them to alert on a possible known virus. The netstat portion of the script also identified the C2 channel being used to connect to the internet.

While the commands used were not detected, this was an expected result of the setup and not a flaw in the script. This result should trigger a review of the controls and monitoring steps in a real-world environment. Had some basic command-line auditing been implemented, the commands could have been identified using a log query for the specific commands.
3.8.5. Windows – Assess Tasks

On a Windows system, a possible control identified is to disable RunOnce in the following registry location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce

Using this information, the sysjoker scripts will verify that it is not in use and then generate a status report. Next, the sysjoker scripts will set DisableRunOnce and re-validate Assess tasks 3 and 4.

3.8.6. Windows – Monitor Task

With this specific virus, many indicators of compromise were rapidly detected using the basic scripts based on changes in the environment. The sysjoker scripts were created to periodically query the registry, scheduled tasks, processes, services, known file locations, and outbound network connections for the IOCs and generate alerts.

3.8.7. Linux – Assess Tasks

The control identified to prevent this is implementing chroot jails to limit the possible impact, but another method used is to lock down vulnerable root files and services. On the Linux systems, the sysjoker scripts search the system for vulnerable files and then report them. Using this information, the sysjoker scripts make the file permissions more restrictive based on any vulnerabilities identified.

3.8.8. Linux – Monitor Task

As with the Windows monitoring steps, the sysjoker scripts were created to check the system for changes periodically. Additionally, they check whether the setuid bit is set.
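The Linux permission checks from 3.6.3, 3.8.7, and 3.8.8 in one added example (not the paper's assess04, assess05, or sysjoker scripts): it compares the modes of sensitive files against a maximum-allowed policy, enumerates setuid/setgid binaries and diffs them against the set recorded in the Prepare step, and tightens any mode that drifted. The file tree is built under a temporary directory so the real /etc is never touched; the policy modes and the baseline list are assumptions for the demonstration.

```python
"""Audit sensitive file modes and setuid binaries against a baseline and tighten
what drifted (added example, not the paper's assess04/assess05 or sysjoker
scripts). Works on a constructed tree under a temp directory, not on /etc."""
import os
import stat
import tempfile

# Maximum permitted mode per file, relative to the root being audited (assumed policy).
SENSITIVE = {"etc/passwd": 0o644, "etc/shadow": 0o640, "etc/sudoers": 0o440}

def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)

def check_sensitive(root, policy=SENSITIVE):
    """(file, actual mode, allowed mode) for every file granting a bit the policy does not allow."""
    findings = []
    for rel, max_mode in policy.items():
        p = os.path.join(root, rel)
        if os.path.exists(p) and mode_of(p) & ~max_mode:
            findings.append((rel, oct(mode_of(p)), oct(max_mode)))
    return findings

def find_setuid(root):
    """Relative paths of regular files with the setuid or setgid bit set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(p, root))
    return sorted(hits)

def diff_setuid(baseline, current):
    """Setuid binaries that appeared since the Prepare step, and ones that vanished."""
    return {"new": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}

def remediate(root, findings):
    """Assess task 5: clamp each drifted file to the policy mode."""
    for rel, _, max_mode in findings:
        os.chmod(os.path.join(root, rel), int(max_mode, 8))

def build_tree(root):
    """Constructed image: shadow is world-readable and a stray setuid binary exists."""
    spec = {"etc/passwd": 0o644, "etc/shadow": 0o644,
            "usr/bin/passwd": 0o4755, "tmp/.s/svc": 0o4755}
    for rel, mode in spec.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
        os.chmod(p, mode)

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        baseline_setuid = ["usr/bin/passwd"]   # constructed: what the Prepare step recorded
        before = check_sensitive(root)
        setuid_diff = diff_setuid(baseline_setuid, find_setuid(root))
        remediate(root, before)
        after = check_sensitive(root)
    return {"before": before, "after": after, "setuid_diff": setuid_diff}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Mode drift is remediated automatically because the policy states the correct answer; a new setuid binary is only reported, since removing the bit from a legitimate program breaks it and the right response is a review, as the Monitor task describes.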
4. Recommendations and Implications

Organizations often do not take the proper time to research solutions that can reduce costs and collect the specific information required to meet their business needs. In today's fast-paced technology industry, the focus is often on the latest and greatest gadget or commercial solution, which is often not in line with business objectives. Most commercial solutions are one-size-fits-all, but often this leads to excessive amounts of unnecessary data for an organization.

4.1. Recommendations for Practice

By adopting a standardized and automated process, organizations can streamline data collection, baselining, assessing, and monitoring with reliable and repeatable methods. Most importantly, by developing the tools in-house, an organization can tailor the output to its business needs or requirements.

Using the RMF, an organization can address many risks using automated processes. The step most often overlooked is the Prepare step. Vast resources and energy must be allocated to collecting and parsing data for later comparison. Collecting and documenting detailed baseline and system information can often rapidly detect even the slightest deviations later. Moreover, ensuring a secure baseline configuration makes completing the Assess and Monitor steps easier. In a production environment, scripts can periodically collect a new system state and compare it to the baseline or a future state. The more information is collected and updated, the more effectively changes will be identified.

One method of implementation would be running a script each time the system boots and then comparing the result to the previous version. If a change is detected, the system should send an alert so that it can be addressed. Direct human interaction or review is a best practice to validate the findings, since not all system changes are malicious.

These techniques can also be used with great success in a larger organization. In a Windows environment, Active Directory tools can usually be automated to gather this information more efficiently and effectively. AD tools can quickly identify users of a system and also identify the location or department of the users if configured correctly. Through group policies, baselines and configurations can easily be pushed to systems, ensuring they all comply with organizational standards. Lastly, tools like Ansible or Puppet can be leveraged to implement these in larger mixed networks.

4.2. Implications for Future Research

In the future, it might be beneficial to investigate how to automate the Prepare, Assess, and Monitor steps of the RMF process for mobile platforms. Another area often overlooked and not well documented is the many GUI applications native to Windows and Linux systems that can often be used to implement a more robust solution. Although they are not easily automated, they are still often effective at accomplishing a specific task.
5. Conclusion

As demonstrated by the research above, lightweight tools and scripts can automate many essential tasks in the Prepare, Assess, and Monitor steps, which eMASS cannot. Given the vast number of tools currently available for free or at no cost, it is negligent not to consider using them before buying costly tools. While the upfront development cost might seem high, commercial software licensing fees, support agreements, and additional network equipment all add up over time.

Moreover, the ability to gather the specific information required is an added benefit. Nearly every script developed or technique discussed can be scaled to a more extensive network. The most important finding was that baselining is paramount to the process. Using hashes and comparing system states is highly effective at detecting deviations even if they are not known or identified as malicious. Using these tools and techniques, administrators can rapidly identify evil in their environment while collecting the information requirements for RMF and eMASS.
Appendix

Network Layout

The test environment consists of the following systems and devices: VMWare Workstation 16, one Netgear GS108E ProSAFE Plus Switch, one GLiNet wireless router, one 32-bit Windows 10 virtual machine, one 64-bit Windows 10 virtual machine, one Debian 11 virtual machine, one Raspberry Pi 3 running RaspiOS, and two Raspberry Pi 2 running RaspiOS.

Tools and Scripts

These scripts and techniques will assist the cyber security community because they will serve as a proof of concept in demonstrating the effectiveness of homegrown solutions and the benefits of collecting on multiple endpoints instead of collecting on network devices, relying on bloated/bulky commercial tools, or appliances that often cost more resources to implement. These scripts can also be modified to save to a network resource and append if the file already exists.


Tools

Windows                              Powershell                 Linux       Python
echo                                 Get-WMIObject              ss          os
ipconfig                             Get-NetIPAddress           netstat     sys
netstat                              Get-NetConnectionProfile   lsof        psutil
net user                             Get-WmiObject              ifconfig    csv
net localgroup                       Out-File                   ip addr     hashlib
net local user                       Write-Host                 shasum      numpy
netsh                                Read-Host                  compgen
ping                                 Get-Process                cat
schtasks                             Get-Service                find
wmic computersystem get name         Get-ACL                    sha256sum
wmic bios get version                Get-ChildItem              dmidecode
wmic computersystem get manufacturer Where-Object               facter
wmic computersystem get model        Get-ScheduledTask          lynis
wmic bios get serialnumber           Get-TCPConnection
wmic os get caption                  Get-LocalGroup
wmic csproduct get vendor            Get-LocalUser
wmic service get                     Get-FileHash
wmic startup                         Get-WinEvent
wmic memorychip
wmic memphysical
wmic product
wmic share
wmic useraccount
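The hash-and-compare baselining that the conclusion identifies as paramount, written here as an added example in Python (using the hashlib and csv modules listed above, plus pathlib) rather than the paper's own Baseline_hash.ps1 or any script from the author's repository; the directory layout, file names and the tampering in demo() are constructed for illustration.

```python
import csv
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):  # stream large files
                digest.update(chunk)
        state[path.relative_to(root).as_posix()] = digest.hexdigest()
    return state

def write_baseline_csv(state, dest):
    # Plain path,sha256 rows so a later run (or another host) can re-read the baseline
    with open(dest, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "sha256"])
        writer.writerows(sorted(state.items()))

def read_baseline_csv(src):
    with open(src, newline="") as fh:
        return {row["path"]: row["sha256"] for row in csv.DictReader(fh)}

def compare_states(old, new):
    """Classify deviations; any added, removed or modified file is flagged, known-malicious or not."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: baseline a tree, tamper with it, re-hash and diff."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp) / "sys"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "svc.exe").write_bytes(b"original service binary")
        (root / "config.ini").write_text("debug=0\n")
        write_baseline_csv(hash_tree(root), Path(tmp) / "baseline.csv")
        # Simulated deviations: modified binary, dropped file, deleted config
        (root / "bin" / "svc.exe").write_bytes(b"patched service binary")
        (root / "bin" / "dropper.dll").write_bytes(b"unexpected new file")
        (root / "config.ini").unlink()
        return compare_states(read_baseline_csv(Path(tmp) / "baseline.csv"), hash_tree(root))
```

Calling demo() returns the added, removed and changed paths; on a real host, run hash_tree() over the directories of interest at baseline time and again later, keeping the CSV between runs.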

Scripts

The scripts used in the research will be available shortly at https://github.com/FryGuy01/ along with more detailed use cases, screenshots, and software use documentation. The repository is private; please send me a request via email for access, thanks. I will make a publicly accessible page shortly.

Scripts/Tool Use Cases and Output

Prepare Step

Figure A1
Baseline_hash.ps1 Output

Figure A2
Lynis Output

Figure A3
Prepare10.bat Hardware Output

Figure A4
Prepare10.bat Software Output

Assess Step

Figure A5
Assess03_to_05.ps1 Script Output

Figure A6
Assess03_to_05.ps1 Script Output

Figure A7
Assess03_to_05.ps1 Script Output

Monitor Step

Figure A8
Hidden.ps1 ADS_Scanner Output

Figure A9
Hidden.ps1 Hidden_Scanner Output

Figure A10
Hidden.sh Hidden_Scanner Output

Multiple Steps

Figure A11
Assess03_to_05.ps1 Script Output

Note. This output is not abnormal. However, to accomplish the Assess 3, 4, and 5 tasks, the script prompts the user if they wish to perform testing or remediation actions for the controls.

Malware IOCs
SysJoker
Coinminer

Other than the file hash and a few strange user-agent strings found using the network_forensic scripts, there were too many IP addresses and files created and changed in the system to list here. The text file output from the programs will be located on GitHub. The raw baseline and post-virus run will also be included. There were also many requests made to known malicious IP addresses.

Windows IOCs

Type         Name
Hash         75ac88c8819efbd6bb63137b2d9bee0bbda1e4f9b80c170cb9e97142eebb3694
User-Agent   Go HTTP Client
User-Agent   Rocke