When an adversary first gains access to a host, they will usually try to discover information about it. Several built-in Windows commands reveal the software configuration, active users, local administrators, and network configuration. Executions of these commands should be monitored to identify when an adversary is learning about the system and its environment, because what they learn shapes the choices they can make when establishing persistence, escalating privileges, or moving laterally.
Because these commands are built in, they are also run frequently by power users and even by ordinary users. An analytic built on them therefore needs well-defined allowlists or denylists, and should consider an anomaly-detection approach so that what is normal for a given environment can be learned dynamically rather than hard-coded.
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Permission Groups Discovery | Discovery | Moderate |
| System Network Configuration Discovery | Discovery | Moderate |
| System Information Discovery | Discovery | Moderate |
| System Owner/User Discovery | Discovery | Moderate |
| System Service Discovery | Discovery | Moderate |
To separate malicious from benign activity, the full command line is essential: `sc query` is discovery, while `sc start` is not, and only the arguments tell them apart. Likewise, knowing the parent process helps both with triage and with tuning the analytic to an environment, since an inventory agent and an interactive `cmd.exe` spawned from an Office document deserve very different treatment.

```
process = search Process:Create
info_command = filter process where (
  exe == "hostname.exe" or
  exe == "ipconfig.exe" or
  exe == "net.exe" or
  exe == "quser.exe" or
  exe == "qwinsta.exe" or
  (exe == "sc.exe" and (command_line match " query" or command_line match " qc")) or
  exe == "systeminfo.exe" or
  exe == "tasklist.exe" or
  exe == "whoami.exe"
)
output info_command
```

Note the grouping around `sc.exe`: the `and` must bind only to the service-controller clause, otherwise every other image name is conditioned on the command line as well.
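The following is an added Python example, not part of the original analytic, that runs the filter above over constructed process-creation records and adds the two refinements the text calls for: an allowlist of parent images (the `BENIGN_PARENTS` set is a hypothetical example and must be tuned per environment) and a simple burst heuristic that flags one parent running several distinct discovery commands. The `ProcessCreate` fields are assumptions standing in for the corresponding Sysmon Event ID 1 or Security 4688 fields; the sample events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    """One Process:Create record with only the fields the analytic needs (assumed schema)."""
    exe: str            # image file name, e.g. "whoami.exe"
    command_line: str   # full command line; needed to tell "sc query" from "sc start"
    parent_exe: str     # image file name of the parent process
    user: str           # account the process runs as


# Discovery binaries from the analytic. sc.exe is handled separately because only
# its "query" and "qc" subcommands are discovery; "sc start" or "sc create" are not.
DISCOVERY_EXES = {
    "hostname.exe", "ipconfig.exe", "net.exe", "quser.exe",
    "qwinsta.exe", "systeminfo.exe", "tasklist.exe", "whoami.exe",
}
SC_DISCOVERY = re.compile(r"\s(query|qc)(\s|$)", re.IGNORECASE)

# Hypothetical allowlist of parent images that legitimately run these commands
# in this environment (for example an inventory agent). Tune per environment.
BENIGN_PARENTS = {"ccmexec.exe"}


def is_discovery_command(ev: ProcessCreate) -> bool:
    """Reproduce the page's filter: match on image name, and on command line for sc.exe."""
    exe = ev.exe.lower()
    if exe == "sc.exe":
        return SC_DISCOVERY.search(ev.command_line) is not None
    return exe in DISCOVERY_EXES


def run_analytic(events, benign_parents=BENIGN_PARENTS):
    """Return discovery-command events that were not spawned by an allowlisted parent."""
    return [
        ev for ev in events
        if is_discovery_command(ev) and ev.parent_exe.lower() not in benign_parents
    ]


def discovery_bursts(hits, min_distinct=3):
    """Group hits by (user, parent) and report groups that ran several distinct
    discovery commands. One admin typing whoami is noise; one parent running
    hostname, whoami, net and sc query in sequence looks like post-access
    situational awareness."""
    seen = defaultdict(set)
    for ev in hits:
        seen[(ev.user, ev.parent_exe.lower())].add(ev.exe.lower())
    return {key: sorted(exes) for key, exes in seen.items() if len(exes) >= min_distinct}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ProcessCreate("hostname.exe", "hostname", "cmd.exe", "CORP\\alice"),
    ProcessCreate("whoami.exe", "whoami /all", "cmd.exe", "CORP\\alice"),
    ProcessCreate("net.exe", "net localgroup administrators", "cmd.exe", "CORP\\alice"),
    ProcessCreate("sc.exe", "sc query", "cmd.exe", "CORP\\alice"),
    ProcessCreate("sc.exe", "sc start Spooler", "cmd.exe", "CORP\\alice"),                 # not discovery
    ProcessCreate("ipconfig.exe", "ipconfig /all", "CcmExec.exe", "NT AUTHORITY\\SYSTEM"),  # allowlisted parent
    ProcessCreate("whoami.exe", "whoami", "powershell.exe", "CORP\\bob"),                   # single command, no burst
    ProcessCreate("notepad.exe", "notepad report.txt", "explorer.exe", "CORP\\bob"),        # unrelated
]

if __name__ == "__main__":
    hits = run_analytic(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev.user:<22} {ev.parent_exe:<16} {ev.command_line}")
    for (user, parent), exes in discovery_bursts(hits).items():
        print(f"BURST {user} via {parent}: {', '.join(exes)}")
```

Running it on the sample records yields five individual hits (the `sc start` and the allowlisted `CcmExec.exe` child are dropped) and a single burst for `CORP\alice` via `cmd.exe`, which is the record an analyst would want escalated rather than the four separate alerts.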
Data Model References
Additional note on the built-in Windows commands: `dsquery` is only present by default on Windows Server, so its appearance on a workstation implies the tool was brought in separately.