Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for executions of these commands clustered within a short period of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.

Commands of interest:

  • arp.exe
  • at.exe
  • attrib.exe
  • cscript.exe
  • dsquery.exe
  • hostname.exe
  • ipconfig.exe
  • mimikatz.exe
  • nbstat.exe
  • net.exe
  • netsh.exe
  • nslookup.exe
  • ping.exe
  • quser.exe
  • qwinsta.exe
  • reg.exe
  • runas.exe
  • sc.exe
  • schtasks.exe
  • ssh.exe
  • systeminfo.exe
  • taskkill.exe
  • telnet.exe
  • tracert.exe
  • wscript.exe
  • xcopy.exe

Output Description

The host on which the commands were executed, the time of execution, and which commands were executed.

ATT&CK Detection

Technique                              | Tactic                                        | Level of Coverage
Account Discovery                      | Discovery                                     | Moderate
Credential Dumping                     | Credential Access                             | Moderate
Permission Groups Discovery            | Discovery                                     | Moderate
Process Discovery                      | Discovery                                     | Moderate
Windows Admin Shares                   | Lateral Movement                              | Moderate
New Service                            | Persistence, Privilege Escalation             | Moderate
Modify Existing Service                | Persistence                                   | Moderate
Modify Registry                        | Defense Evasion                               | Moderate
Service Registry Permissions Weakness  | Persistence, Privilege Escalation             | Moderate
Remote System Discovery                | Discovery                                     | Moderate
Service Execution                      | Execution                                     | Moderate
Scheduled Task                         | Persistence, Privilege Escalation, Execution  | Moderate
Scheduled Transfer                     | Exfiltration                                  | Moderate
System Owner/User Discovery            | Discovery                                     | Moderate
System Service Discovery               | Discovery                                     | Moderate
System Information Discovery           | Discovery                                     | Moderate
System Network Connections Discovery   | Discovery                                     | Moderate
System Network Configuration Discovery | Discovery                                     | Moderate
Application Window Discovery           | Discovery                                     | Moderate
Security Software Discovery            | Discovery                                     | Moderate
Network Service Scanning               | Discovery                                     | Moderate
Disabling Security Tools               | Defense Evasion                               | Moderate
Account Manipulation                   | Credential Access                             | Moderate
Indicator Blocking                     | Defense Evasion                               | Moderate
Command-Line Interface                 | Execution                                     | Moderate
Query Registry                         | Discovery                                     | Moderate

Data Model References

Object  | Action | Field
process | create | hostname
process | create | ppid
process | create | exe

Implementations

Pseudocode

processes = search Process:Create
reg_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
reg_grouped = group reg_processes by hostname, ppid where (max time between two events is 30 minutes)
output reg_grouped
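As an added worked example (not part of the analytic's own pseudocode or any of its listed implementations), the filter-then-group rule above in Python: process-create events are reduced to the commands of interest, grouped by hostname and parent PID, and split into clusters wherever two consecutive events are more than 30 minutes apart. The event tuples are constructed sample data, and the field layout (hostname, ppid, exe, time) and the "more than one distinct command" threshold borrowed from the DNIF query are assumptions.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Commands of interest from the analytic (same list as the pseudocode above).
SUSPICIOUS_EXES = {
    "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe",
    "ipconfig.exe", "mimikatz.exe", "nbstat.exe", "net.exe", "netsh.exe", "nslookup.exe",
    "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe", "schtasks.exe",
    "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe",
    "xcopy.exe",
}
WINDOW = timedelta(minutes=30)  # max gap between consecutive events in one cluster
MIN_DISTINCT = 2                # assumed threshold: alert only on more than one unique command

# Constructed sample process-create events (hostname, ppid, exe, time); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", 4100, "explorer.exe", "2019-03-01 09:00:00"),   # not in the list: ignored
    ("ws01", 4100, "ipconfig.exe", "2019-03-01 09:01:00"),
    ("ws01", 4100, "hostname.exe", "2019-03-01 09:01:30"),
    ("ws01", 4100, "systeminfo.exe", "2019-03-01 09:02:10"),
    ("ws01", 4100, "reg.exe", "2019-03-01 09:03:00"),
    ("ws01", 4100, "ping.exe", "2019-03-01 11:00:00"),       # >30 min later: lone event, no alert
    ("ws02", 5200, "ping.exe", "2019-03-01 09:05:00"),       # single ping on another host: no alert
]

def _parse(ev):
    host, ppid, exe, ts = ev
    return host, ppid, exe.lower(), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def _emit(host, ppid, cluster, min_distinct):
    """Turn one time-cluster into an alert tuple, or nothing if too few distinct commands."""
    exes = [e for e, _ in cluster]
    if len(set(exes)) < min_distinct:
        return []
    return [(host, ppid, cluster[0][1].strftime("%Y-%m-%d %H:%M:%S"), exes)]

def cluster_suspicious(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return [(hostname, ppid, first_time, [exes])] for each run of suspicious commands
    under the same parent where consecutive events are no more than `window` apart."""
    hits = sorted((_parse(e) for e in events if e[2].lower() in SUSPICIOUS_EXES),
                  key=lambda r: (r[0], r[1], r[3]))
    alerts = []
    for (host, ppid), run in groupby(hits, key=lambda r: (r[0], r[1])):
        cluster = []
        for _, _, exe, t in run:
            if cluster and t - cluster[-1][1] > window:  # gap too large: close the cluster
                alerts.extend(_emit(host, ppid, cluster, min_distinct))
                cluster = []
            cluster.append((exe, t))
        alerts.extend(_emit(host, ppid, cluster, min_distinct))
    return alerts
```

Run against the constructed sample, only the four-command burst under ws01 ppid 4100 is reported; the isolated ping on each host falls below the threshold.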

Sigma

Sigma version of the above pseudocode, with some modifications.

Dnif, Sysmon native

DNIF version of the above pseudocode.

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz\.exe|nbstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include

Unit Tests

Test Case 1

Configurations: Windows 7

Within a command window, execute several of the commands in quick succession.

ipconfig /all
hostname
systeminfo
reg.exe Query HKLM\Software\Microsoft