Certain commands are used frequently by malicious actors and infrequently by normal users. By looking for the execution of several of these commands within a short period of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.

Output Description

The host on which the commands were executed, the time of execution, and what commands were executed

ATT&CK Detection

Technique                              | Tactic                                         | Level of Coverage
Account Discovery                      | Discovery                                      | Moderate
Credential Dumping                     | Credential Access                              | Moderate
Permission Groups Discovery            | Discovery                                      | Moderate
Process Discovery                      | Discovery                                      | Moderate
Windows Admin Shares                   | Lateral Movement                               | Moderate
New Service                            | Persistence, Privilege Escalation              | Moderate
Modify Existing Service                | Persistence, Privilege Escalation              | Moderate
Modify Registry                        | Defense Evasion                                | Moderate
Service Registry Permissions Weakness  | Persistence, Privilege Escalation              | Moderate
Remote System Discovery                | Discovery                                      | Moderate
Service Execution                      | Persistence, Privilege Escalation              | Moderate
Scheduled Task                         | Persistence, Privilege Escalation, Execution   | Moderate
Scheduled Transfer                     | Exfiltration                                   | Moderate
System Owner/User Discovery            | Discovery                                      | Moderate
System Service Discovery               | Discovery                                      | Moderate
System Information Discovery           | Discovery                                      | Moderate
System Network Connections Discovery   | Discovery                                      | Moderate
System Network Configuration Discovery | Discovery                                      | Moderate
Application Window Discovery           | Discovery                                      | Moderate
Security Software Discovery            | Discovery                                      | Moderate
Network Service Scanning               | Discovery                                      | Moderate
Disabling Security Tools               | Defense Evasion                                | Moderate
Account Manipulation                   | Credential Access                              | Moderate
Indicator Blocking                     | Defense Evasion                                | Moderate
Command-Line Interface                 | Execution                                      | Moderate
Query Registry                         | Discovery                                      | Moderate

Pseudocode

processes = search Process:Create
suspicious = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbtstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
suspicious_grouped = group suspicious by hostname, ppid where (max time between two consecutive events is 30 minutes)
output suspicious_grouped
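The pseudocode above, implemented as a runnable example over constructed process-creation records. This is an added illustration, not the analytic's reference implementation: the record shape (hostname, ppid, exe, time, cmdline), the sample events, the `min_commands` threshold and the helper names are assumptions. Image paths are normalised to a lower-cased file name before matching, because Sysmon and 4688 events carry the full path and case can vary.

```python
"""Burst detection for suspicious command execution (added example).

Filters process:create records to the commands of interest, groups them by
host and parent process, and splits each group into runs where consecutive
events are no more than 30 minutes apart, mirroring the pseudocode above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands of interest from the analytic (nbtstat.exe is the real binary name).
SUSPICIOUS_EXES = {
    "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe",
    "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe",
    "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe",
    "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe",
    "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe",
    "wscript.exe", "xcopy.exe",
}

WINDOW = timedelta(minutes=30)

# Constructed records (assumption: not real telemetry). The WS01/4321 run
# reproduces the unit test, with an unrelated notepad.exe in the middle;
# WS01/9999 is a lone ping; WS02/500 runs net.exe twice, an hour apart.
SAMPLE_EVENTS = [
    {"hostname": "WS01", "time": "2024-03-01T10:00:00", "ppid": 4321, "exe": r"C:\Windows\System32\ipconfig.exe",   "cmdline": "ipconfig /all"},
    {"hostname": "WS01", "time": "2024-03-01T10:00:40", "ppid": 4321, "exe": r"C:\Windows\System32\HOSTNAME.EXE",   "cmdline": "hostname"},
    {"hostname": "WS01", "time": "2024-03-01T10:01:30", "ppid": 4321, "exe": r"C:\Windows\System32\notepad.exe",    "cmdline": "notepad"},
    {"hostname": "WS01", "time": "2024-03-01T10:02:10", "ppid": 4321, "exe": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"hostname": "WS01", "time": "2024-03-01T10:04:00", "ppid": 4321, "exe": r"C:\Windows\System32\reg.exe",        "cmdline": "reg.exe Query HKLM\\Software\\Microsoft"},
    {"hostname": "WS01", "time": "2024-03-01T10:05:00", "ppid": 9999, "exe": r"C:\Windows\System32\ping.exe",       "cmdline": "ping 10.0.0.1"},
    {"hostname": "WS02", "time": "2024-03-01T09:00:00", "ppid": 500,  "exe": r"C:\Windows\System32\net.exe",        "cmdline": "net user"},
    {"hostname": "WS02", "time": "2024-03-01T10:00:00", "ppid": 500,  "exe": r"C:\Windows\System32\net.exe",        "cmdline": "net group"},
]


def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_bursts(events, window=WINDOW, min_commands=3):
    """Return runs of suspicious commands that share a host and parent process.

    Consecutive matching events at most `window` apart belong to one run.
    `min_commands` is a tuning threshold added here (assumption), not part of
    the analytic; pass 1 to report every run exactly as the pseudocode does.
    """
    # 1. search + filter: keep only the commands of interest
    matched = [
        dict(e, exe=image_name(e["exe"]), time=datetime.fromisoformat(e["time"]))
        for e in events
        if image_name(e["exe"]) in SUSPICIOUS_EXES
    ]
    # 2. group by hostname and ppid
    groups = defaultdict(list)
    for e in matched:
        groups[(e["hostname"], e["ppid"])].append(e)
    # 3. split each group into time-bounded runs
    bursts = []
    for evs in groups.values():
        evs.sort(key=lambda e: e["time"])
        current = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur["time"] - prev["time"] <= window:
                current.append(cur)
            else:
                bursts.append(current)
                current = [cur]
        bursts.append(current)
    # 4. output: host, parent, time span and the commands executed
    return [
        {
            "hostname": b[0]["hostname"],
            "ppid": b[0]["ppid"],
            "start": b[0]["time"],
            "end": b[-1]["time"],
            "commands": [e["cmdline"] for e in b],
        }
        for b in bursts
        if len(b) >= min_commands
    ]


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_EVENTS):
        print(f"{b['hostname']} ppid={b['ppid']} "
              f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: {b['commands']}")
```

With the default threshold only the WS01/4321 run is reported; with `min_commands=1` the lone ping and both net.exe executions are reported too, which is what the pseudocode does literally and is noisy on real hosts. Grouping on ppid means commands spread across several shells are never joined, so a grouping on user or logon session is a reasonable variant, and a renamed binary defeats the exe match entirely.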

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Description: Within a command window, execute several of the commands in quick succession.
  • Commands:
    ipconfig /all
    hostname
    systeminfo
    reg.exe Query HKLM\Software\Microsoft
    

Additional Notes:

Commands of interest:

  • arp.exe
  • at.exe
  • attrib.exe
  • cscript.exe
  • dsquery.exe
  • hostname.exe
  • ipconfig.exe
  • mimikatz.exe
  • nbtstat.exe
  • net.exe
  • netsh.exe
  • nslookup.exe
  • ping.exe
  • quser.exe
  • qwinsta.exe
  • reg.exe
  • runas.exe
  • sc.exe
  • schtasks.exe
  • ssh.exe
  • systeminfo.exe
  • taskkill.exe
  • telnet.exe
  • tracert.exe
  • wscript.exe
  • xcopy.exe

Data Model References

Object  | Action | Field
process | create | hostname
process | create | ppid
process | create | exe