When landing on a host for the first time, an adversary may try to discover information about it. Several built-in Windows commands can be used to learn about software configuration, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning about the system and its environment, because the information returned may shape the choices an adversary makes when establishing persistence, escalating privileges, or moving laterally.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.

ATT&CK Detection

Technique                               Tactic      Level of Coverage
Account Discovery                       Discovery   Moderate
Permission Groups Discovery             Discovery   Moderate
System Network Configuration Discovery  Discovery   Moderate
System Information Discovery            Discovery   Moderate
System Owner/User Discovery             Discovery   Moderate
Process Discovery                       Discovery   Moderate
System Service Discovery                Discovery   Moderate

Pseudocode

To tell malicious activity from benign activity, the full command line is essential. Likewise, information about the parent process helps with both the verdict and with tuning the analytic to an environment.

process = search Process:Create
info_command = filter process where (
 exe == "hostname.exe" or
 exe == "ipconfig.exe" or
 exe == "net.exe" or
 exe == "quser.exe" or
 exe == "qwinsta.exe" or
 (exe == "sc.exe" and (command_line match " query" or command_line match " qc")) or
 exe == "systeminfo.exe" or
 exe == "tasklist.exe" or
 exe == "whoami.exe"
)
output info_command
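The following is an added worked example, not part of the CAR analytic itself: a Python implementation of the pseudocode above applied to constructed process-creation events (the `exe`, `command_line`, `parent_exe` and `user` field names mirror the data model and are assumed), together with the parent-process allowlist and per-user counting that the tuning notes suggest. The `allowed_parents` parameter and the sample events are hypothetical.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Image names from the analytic's pseudocode. Comparison is case-insensitive
# because Windows image names are not case-sensitive (NET.EXE == net.exe).
PLAIN_DISCOVERY_EXES = {
    "hostname.exe", "ipconfig.exe", "net.exe", "quser.exe",
    "qwinsta.exe", "systeminfo.exe", "tasklist.exe", "whoami.exe",
}

# sc.exe only counts with its query/qc subcommands. " query" is a prefix of
# " queryex", so queryex is matched as well, as the notes intend.
SC_QUERY_RE = re.compile(r"\s(query|qc)", re.IGNORECASE)


def is_discovery_command(event: Dict[str, str]) -> bool:
    """Return True if one process-creation event matches the analytic."""
    exe = event.get("exe", "").lower()
    if exe in PLAIN_DISCOVERY_EXES:
        return True
    if exe == "sc.exe":
        return SC_QUERY_RE.search(event.get("command_line", "")) is not None
    return False


def find_discovery_commands(events: Iterable[Dict[str, str]],
                            allowed_parents: Tuple[str, ...] = ()) -> List[Dict[str, str]]:
    """Apply the analytic, then drop hits whose parent process is allowlisted.

    allowed_parents is a hypothetical tuning knob for known-benign parents,
    e.g. a monitoring agent that legitimately runs tasklist every minute.
    """
    allowed = {p.lower() for p in allowed_parents}
    return [
        e for e in events
        if is_discovery_command(e)
        and e.get("parent_exe", "").lower() not in allowed
    ]


def hits_per_user(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count matches per user: a starting point for baselining which
    accounts normally run these commands before alerting on outliers."""
    return dict(Counter(e.get("user", "<unknown>") for e in hits))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"exe": "whoami.exe", "command_line": "whoami /all",
     "parent_exe": "cmd.exe", "user": "CORP\\jdoe"},
    {"exe": "sc.exe", "command_line": "sc query",
     "parent_exe": "cmd.exe", "user": "CORP\\jdoe"},
    {"exe": "sc.exe", "command_line": "sc stop Spooler",        # not discovery
     "parent_exe": "cmd.exe", "user": "CORP\\svc_print"},
    {"exe": "sc.exe", "command_line": "sc queryex type=service",  # prefix match
     "parent_exe": "powershell.exe", "user": "CORP\\jdoe"},
    {"exe": "tasklist.exe", "command_line": "tasklist /v",
     "parent_exe": "MonitoringAgent.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"exe": "notepad.exe", "command_line": "notepad.exe notes.txt",
     "parent_exe": "explorer.exe", "user": "CORP\\asmith"},
    {"exe": "NET.EXE", "command_line": "net user",
     "parent_exe": "powershell.exe", "user": "CORP\\asmith"},
]

if __name__ == "__main__":
    for hit in find_discovery_commands(SAMPLE_EVENTS,
                                       allowed_parents=("MonitoringAgent.exe",)):
        print(f"{hit['user']:<22} {hit['parent_exe']:<16} {hit['command_line']}")
    print(hits_per_user(find_discovery_commands(SAMPLE_EVENTS)))
```

Without the allowlist the sample yields five hits (the `sc stop` and `notepad.exe` events are excluded); allowlisting the monitoring agent as parent drops the `tasklist` hit to four. The per-user counts are what an anomaly-detection approach would compare against a learned baseline rather than alerting on every match.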

Data Model References

Object   Action  Field
process  create  command_line
process  create  exe

Additional Notes:

The built-in Windows commands of interest are:

  • hostname
  • ipconfig
  • net
  • quser
  • qwinsta
  • sc with flags query, queryex, qc
  • systeminfo
  • tasklist
  • dsquery
  • whoami

Note that dsquery is only present by default on Windows Server.