Edit

Detecting CommandLine Executions (MITRE ATT&CK: T1059)

Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.

Execution of Actor Tools and Command-line Activities (MITRE ATT&CK: T1059)

Overview:

Command-line interfaces (CLI) are often abused by adversaries to execute malicious tools and commands. Monitoring these activities is crucial for detecting malicious behaviour.

25 Example Queries for Execution of Actor Tools and Command-line Detection:

  1. Detect PowerShell Execution with Encoded Commands Encoded PowerShell commands often indicate obfuscation used in attacks.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "encodedCommand" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Monitor Execution of Scripts via CMD (Batch Files) Batch files may be used to automate malicious commands.

DeviceProcessEvents | where FileName == "cmd.exe" and ProcessCommandLine has ".bat" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Track Execution of Python Scripts for Malicious Activities Python scripts may be used to execute malicious code.

DeviceProcessEvents | where FileName == "python.exe" or ProcessCommandLine has ".py" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Detect Execution of System Binaries Used by Attackers (LOLBins) Attackers often abuse legitimate system binaries (LOLBins) like msiexec, certutil, etc.

DeviceProcessEvents | where FileName in ("msiexec.exe", "certutil.exe", "rundll32.exe") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Monitor Execution of VBS Scripts for Malicious Activity VBS scripts can be used to execute malicious code, download payloads, etc.

DeviceProcessEvents | where FileName == "wscript.exe" and ProcessCommandLine has ".vbs" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Detect Use of PowerShell to Bypass Execution Policies Malicious PowerShell scripts often bypass execution policies.

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "-ExecutionPolicy Bypass" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  1. Monitor Use of CertUtil for Malicious File Downloads CertUtil is often abused to download and decode malicious payloads.

  1. Track Use of MSHTA for Script Execution (Malicious Activity) MSHTA is commonly abused to execute malicious HTML applications.

  1. Detect Use of CMD for Remote Command Execution CMD may be used to execute commands on remote systems using tools like PsExec.

  1. Monitor Use of PowerShell for Downloading and Executing Scripts PowerShell can be used to download and execute malicious scripts.

  1. Track Execution of Python Tools Used by Attackers (e.g., Empire) Python-based post-exploitation tools like Empire are often used by attackers.

  1. Detect Use of PowerShell for Process Injection Techniques PowerShell scripts may be used to inject malicious code into legitimate processes.

  1. Monitor the Use of VSSAdmin for Shadow Copy Deletion VSSAdmin may be used to delete shadow copies, typically seen in ransomware attacks.

  1. Track Use of 7-Zip or WinRAR for Data Compression Before Exfiltration Attackers may compress data before exfiltration to minimize detection.

  1. Detect Use of Bitsadmin for File Downloads Bitsadmin is often abused to download or transfer malicious files.

  1. Monitor the Use of Command-line Tools for User Enumeration Commands like net user and net localgroup may be used to enumerate accounts.

  1. Track Use of Network Scanning Tools (e.g., Nmap) Network scanning tools may be used by attackers to discover systems and services.

  1. Detect Use of WMI for Remote Code Execution WMI is often used to execute commands on remote systems.

  1. Monitor Use of Netstat for Network Discovery Netstat is used to list active network connections, which can be abused for discovery.

  1. Track Execution of SQL Tools for Database Discovery (e.g., SQLCMD) SQL tools may be used by attackers to query databases and extract information.

  1. Detect Use of Regsvr32 for Malicious DLL Execution Regsvr32 can be used to execute DLLs and load malicious code.

  1. Monitor Execution of VBScript Files for Malicious Activity VBScript files may be used to download, execute, or perform malicious actions.

  1. Track Use of Network Monitoring Tools for Reconnaissance (e.g., Wireshark) Network monitoring tools may be used to capture and analyze network traffic for reconnaissance.

  1. Detect Use of Task Scheduler for Remote Command Execution (Schtasks.exe) Schtasks may be used to schedule and execute tasks on remote systems.

  1. Monitor Use of Remote Desktop Services for Command Execution Remote Desktop Services (mstsc.exe) may be used for lateral movement and command execution.

PreviousData Theft (MITRE ATT&CK: T1041, T1071)NextWindows Security Logs (Identity and Logon Activities)

Last updated