Certain commands are used frequently by adversaries and only rarely by ordinary users. Looking for several of these commands executed within a short period of time, from the same parent process on the same host, reveals not only when an attacker was active on the system but also gives an idea of what they were doing (reconnaissance, credential access, persistence, and so on, per the ATT&CK mapping below).

Commands of interest:

  • arp.exe
  • at.exe
  • attrib.exe
  • cscript.exe
  • dsquery.exe
  • hostname.exe
  • ipconfig.exe
  • mimikatz.exe
  • nbtstat.exe
  • net.exe
  • netsh.exe
  • nslookup.exe
  • ping.exe
  • quser.exe
  • qwinsta.exe
  • reg.exe
  • runas.exe
  • sc.exe
  • schtasks.exe
  • ssh.exe
  • systeminfo.exe
  • taskkill.exe
  • telnet.exe
  • tracert.exe
  • wscript.exe
  • xcopy.exe

Output Description

The host on which the commands were executed, the parent process that launched them, the time of each execution, and which commands were executed.

ATT&CK Detection

| Technique                              | Subtechnique(s)                              | Tactic(s)                                     | Level of Coverage |
|----------------------------------------|----------------------------------------------|-----------------------------------------------|-------------------|
| Account Discovery                      | Local Account, Domain Account                | Discovery                                     | Low               |
| OS Credential Dumping                  | Security Account Manager                     | Credential Access                             | Low               |
| Permission Groups Discovery            | Local Groups, Domain Groups                  | Discovery                                     | Low               |
| Process Discovery                      | N/A                                          | Discovery                                     | Low               |
| Remote Services                        | SMB/Windows Admin Shares                     | Lateral Movement                              | Low               |
| Create or Modify System Process        | Windows Service                              | Persistence, Privilege Escalation             | Low               |
| Modify Registry                        | N/A                                          | Defense Evasion                               | Low               |
| Hijack Execution Flow                  | Services Registry Permissions Weakness       | Persistence, Privilege Escalation             | Low               |
| Remote System Discovery                | N/A                                          | Discovery                                     | Low               |
| System Services                        | Service Execution                            | Execution                                     | Low               |
| Scheduled Task/Job                     | At (Windows), Scheduled Task                 | Persistence, Privilege Escalation, Execution  | Low               |
| Scheduled Transfer                     | N/A                                          | Exfiltration                                  | Low               |
| System Owner/User Discovery            | N/A                                          | Discovery                                     | Low               |
| System Service Discovery               | N/A                                          | Discovery                                     | Low               |
| System Information Discovery           | N/A                                          | Discovery                                     | Low               |
| System Network Connections Discovery   | N/A                                          | Discovery                                     | Low               |
| System Network Configuration Discovery | N/A                                          | Discovery                                     | Low               |
| Application Window Discovery           | N/A                                          | Discovery                                     | Low               |
| Software Discovery                     | Security Software Discovery                  | Discovery                                     | Low               |
| Network Service Scanning               | N/A                                          | Discovery                                     | Low               |
| Impair Defenses                        | Disable or Modify Tools, Indicator Blocking  | Defense Evasion                               | Low               |
| Account Manipulation                   | N/A                                          | Credential Access                             | Low               |
| Command and Scripting Interpreter      | Visual Basic                                 | Execution                                     | Moderate          |
| Query Registry                         | N/A                                          | Discovery                                     | Low               |

Data Model References

| Object  | Action | Field    |
|---------|--------|----------|
| process | create | hostname |
| process | create | ppid     |
| process | create | exe      |

Implementations

Pseudocode

processes = search Process:Create
suspicious_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbtstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
suspicious_grouped = group suspicious_processes by hostname, ppid where (max time between two consecutive events is 30 minutes)
output suspicious_grouped
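The pseudocode above as runnable detection logic, added here as an illustration rather than taken from the CAR analytic itself. It takes Sysmon Event ID 1 style records (field names Computer, ParentProcessId, Image and UtcTime, as Sysmon emits them), keeps only the watched executables, groups by host and parent PID, and reports a group whenever two or more watched commands are chained with no more than 30 minutes between consecutive executions. The sample events are constructed for the example; the threshold `min_count` and the output fields are the example's own choices.

```python
"""Run the "quick execution of suspicious commands" analytic over Sysmon-style
process-creation records.  Example code, not part of the CAR analytic."""
from __future__ import annotations

from datetime import datetime, timedelta
from itertools import groupby

# Executables from the "Commands of interest" list above.
WATCHED = {
    "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe",
    "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe",
    "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe",
    "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe",
    "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe",
    "wscript.exe", "xcopy.exe",
}
WINDOW = timedelta(minutes=30)   # max gap between two consecutive events in a group

# Constructed sample records (not real telemetry), deliberately out of time order.
# WS01/4120 is one cmd.exe session running four recon commands in a minute,
# then one more command two and a half hours later.  The other records are
# single commands that should not be reported on their own.
SAMPLE_EVENTS = [
    {"UtcTime": "2013-04-02 10:00:12", "Computer": "WS01", "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\HOSTNAME.EXE"},
    {"UtcTime": "2013-04-02 10:00:05", "Computer": "WS01", "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\ipconfig.exe"},
    {"UtcTime": "2013-04-02 10:00:30", "Computer": "WS01", "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\notepad.exe"},        # not watched, ignored
    {"UtcTime": "2013-04-02 10:00:40", "Computer": "WS01", "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\systeminfo.exe"},
    {"UtcTime": "2013-04-02 10:01:03", "Computer": "WS01", "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\reg.exe"},
    {"UtcTime": "2013-04-02 12:30:00", "Computer": "WS01", "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\net.exe"},            # same shell, >30 min later
    {"UtcTime": "2013-04-02 09:15:00", "Computer": "WS02", "ParentProcessId": 880,
     "Image": r"C:\Windows\System32\PING.EXE"},           # lone command
    {"UtcTime": "2013-04-02 10:00:50", "Computer": "WS02", "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\ipconfig.exe"},       # same PID number, other host
]


def exe_name(image: str) -> str:
    """Reduce a full Image path to a lower-cased file name for matching."""
    return image.rsplit("\\", 1)[-1].lower()


def parse_time(value: str) -> datetime:
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS' (fractional seconds dropped here)."""
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")


def find_bursts(events, window: timedelta = WINDOW, min_count: int = 2) -> list[dict]:
    """Group watched process creations by (host, ppid) and split each group
    wherever two consecutive events are more than `window` apart.  Runs of
    at least `min_count` commands are returned with host, ppid, start/end
    time and the ordered command list."""
    hits = [
        (parse_time(e["UtcTime"]), e["Computer"], int(e["ParentProcessId"]), exe_name(e["Image"]))
        for e in events
        if exe_name(e["Image"]) in WATCHED
    ]
    hits.sort(key=lambda h: (h[1], h[2], h[0]))      # groupby needs sorted input

    results: list[dict] = []

    def emit(host: str, ppid: int, run: list) -> None:
        if len(run) >= min_count:
            results.append({
                "host": host, "ppid": ppid,
                "start": run[0][0], "end": run[-1][0],
                "commands": [exe for _, exe in run],
            })

    for (host, ppid), group in groupby(hits, key=lambda h: (h[1], h[2])):
        run: list = []
        for when, _, _, exe in group:
            if run and when - run[-1][0] > window:   # gap too large: close the run
                emit(host, ppid, run)
                run = []
            run.append((when, exe))
        emit(host, ppid, run)
    return results


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_EVENTS):
        print(f"{burst['host']} ppid={burst['ppid']} {burst['start']}..{burst['end']}: "
              + " ".join(burst["commands"]))
```

Because the window is applied between consecutive events rather than as a fixed 30-minute bucket, a session that issues one command every 20 minutes for two hours is still reported as a single group; the lone `net.exe` two and a half hours after the WS01 burst is not merged with it. Lowering `min_count` to 1 turns the analytic into a plain watched-command listing, which is useful when reviewing a host already known to be compromised.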

Sigma

Sigma version of the above pseudocode, with some modifications.

Dnif, Sysmon native

DNIF version of the above pseudocode.

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz\.exe|nbtstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include

Unit Tests

Test Case 1

Configurations: Windows 7

Within a single command window (so that all commands share the same parent process), execute several of the commands in quick succession, for example:

ipconfig /all
hostname
systeminfo
reg.exe Query HKLM\Software\Microsoft