RootGuard
Command Execution (TA0002) Techniques

Introduction

Investigating command execution on a network, particularly in Windows workstations and servers, is crucial to understanding the extent and impact of a security incident. This process involves identifying and analysing the commands that an attacker executes after gaining access.

Understanding Common Command Execution Sources

  • Command-Line Interface (CLI): Windows Command Prompt, PowerShell, and Unix/Linux terminals.

  • Scripts: Batch files, PowerShell scripts, VBS scripts, etc.

  • Scheduled Tasks: Tasks that execute commands at specified times.

  • Remote Execution Tools: Tools like PsExec or remote desktop applications.

  • Application Execution: Applications that execute system commands on the user's behalf.

Collecting Data

  • System Logs: Collect and examine Windows Event Logs, primarily focusing on the Security, System, and Application logs.

  • Command History: In Windows, check PowerShell and Command Prompt history. PowerShell logs can be found in Event Viewer under "Windows Logs" > "Application and Services Logs" > "Windows PowerShell".

  • Scheduled Tasks and Startup Programs: Check for any unknown or modified scheduled tasks and startup programs that could execute commands.

Analysing Execution Artifacts

  • Prefetch Files: Analyse Prefetch files in Windows to identify executed programs.

  • Registry Analysis: Examine registry keys associated with command execution, like Run, RunOnce, and PowerShell's Transcription logging.

  • File System Analysis: Check the creation and modification dates of suspicious files.

  • Shellbags: Analyse shellbags for evidence of command execution via Windows Explorer.

Memory Forensics

  • Use tools like Volatility to analyse memory dumps for evidence of recently executed commands or processes.

Network Traffic Analysis

  • Check for Command & Control Traffic: Analyse network traffic logs for any signs of command and control communication, which might indicate remote execution of commands.

  • Data Exfiltration: Look for patterns or large data transfers that might indicate data being collected and sent out.

Analysis of Command Execution

  • Windows Command Line Logs: Windows records process creation in Event ID 4688. These events include the full command line of the new process when command-line auditing is enabled.

  • PowerShell Logging: Review PowerShell script block logging (Event ID 4104), module logging, and transcription logs for executed commands.

  • Bash History (for Unix/Linux): Analyse the .bash_history file for executed commands.

  • Scheduled Tasks Analysis: Investigate the Windows Task Scheduler and cron jobs (for Unix/Linux) for any scheduled tasks running commands.

  • Remote Execution Tools Logs: Examine logs from tools like PsExec or remote desktop software.

User Account and Authentication Logs

  • Review logs related to user authentication and account usage, particularly focusing on any elevation of privileges or use of administrative accounts.

Correlation and Timeline Analysis

  • Correlate the gathered data to build a timeline of events, which will help you understand the sequence and scope of the executed commands.
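One way to build that timeline in Defender Advanced Hunting, as an added example that is not part of the original page: the query unions process creations (the Advanced Hunting counterpart of Event ID 4688), PowerShell command records (comparable to script block logging, Event ID 4104) and successful logons for one host, so that each burst of commands can be read against the session that ran it. The device name is a constructed placeholder.

```kql
// Added example: per-host execution timeline from Defender Advanced Hunting tables.
let lookback = 7d;
let host = "WKSTN-EXAMPLE-01";   // constructed placeholder; replace with the device under investigation
// Process creations (Advanced Hunting counterpart of Event ID 4688)
DeviceProcessEvents
| where Timestamp > ago(lookback) and DeviceName =~ host
| project Timestamp, DeviceName, Source = "ProcessCreate", Account = AccountName,
          Parent = InitiatingProcessFileName, Detail = ProcessCommandLine
| union (
    // PowerShell command records (comparable to script block logging, Event ID 4104)
    DeviceEvents
    | where Timestamp > ago(lookback) and DeviceName =~ host
    | where ActionType == "PowerShellCommand"
    | project Timestamp, DeviceName, Source = "PowerShellCommand", Account = InitiatingProcessAccountName,
              Parent = InitiatingProcessFileName, Detail = tostring(AdditionalFields.Command)
)
| union (
    // Successful logons, so commands can be tied to the session and remote host that ran them
    DeviceLogonEvents
    | where Timestamp > ago(lookback) and DeviceName =~ host
    | where ActionType == "LogonSuccess"
    | project Timestamp, DeviceName, Source = strcat("Logon/", LogonType), Account = AccountName,
              Parent = "", Detail = strcat("from ", RemoteIP, " (", RemoteDeviceName, ")")
)
| order by Timestamp asc
```

Read the result top to bottom: a RemoteInteractive or Network logon followed within seconds by a chain of ProcessCreate rows whose Parent is an interpreter is the pattern the timeline is meant to expose. Widen the lookback only after the host's normal logon rhythm is understood, otherwise the union grows quickly on busy servers.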

Malware and Script Analysis

  • If any scripts or malware are found, analyse them to determine their functionality and the commands they execute.

Interviews and Internal Investigations

  • Talk to relevant personnel who might provide insights into usual and unusual command executions, especially in the case of internal threats.

Reporting and Documentation

  • Document all findings, methodologies, and evidence in a detailed report for future reference and potential legal proceedings.

Investigating command execution requires a thorough analysis of various data sources, including system logs, memory, and network traffic. Each step, from data collection to detailed analysis and reporting, is crucial in understanding the scope and impact of the executed commands. Maintaining an updated knowledge of forensic tools and techniques is essential for effective investigation in the ever-evolving landscape of cybersecurity threats.

Using KQL to Investigate Command Execution Activities in an Environment Using Defender/Sentinel

Note: While there are other methods and tools for investigating these kinds of attacks, the goal is to approach them from a beginner's point of view, without intricate KQL queries that a Level 1 SOC analyst would find difficult to comprehend. Other areas on the site demonstrate the same process using other tools, such as Splunk, Velociraptor, or Eric Zimmerman's tools.

Execution techniques involve adversaries running malicious code on a target system. These techniques are crucial in the attack chain as they enable the adversary to execute their payloads, gain persistence, escalate privileges, and move laterally within the network.

1. T1059 - Command and Scripting Interpreter

Objective: Detect the use of command and scripting interpreters to execute malicious commands or scripts.

  1. Detect PowerShell Script Execution

```kql
DeviceProcessEvents
| where ProcessCommandLine has "powershell"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify instances of PowerShell being used to execute scripts.

  2. Detect CMD.exe Execution

```kql
DeviceProcessEvents
| where FileName =~ "cmd.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for the use of the command prompt to run commands.

  3. Identify the Use of Python Scripts

```kql
DeviceProcessEvents
| where FileName in~ ("python.exe", "pythonw.exe")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect execution of Python scripts on the system.

  4. Monitor for VBScript Execution

```kql
DeviceProcessEvents
| where FileName in~ ("wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the execution of VBScript files.

  5. Detect Bash Script Execution via WSL

```kql
DeviceProcessEvents
| where FileName in~ ("bash.exe", "wsl.exe")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for the use of Bash scripting via the Windows Subsystem for Linux (WSL).

  6. Identify JavaScript Execution via Node.js

```kql
DeviceProcessEvents
| where FileName =~ "node.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the execution of JavaScript files using Node.js.

  7. Detect PowerShell Command with Encoded Parameters

```kql
DeviceProcessEvents
| where ProcessCommandLine has "powershell"
// -EncodedCommand is usually abbreviated, so match the common short forms as well
| where ProcessCommandLine has_any ("EncodedCommand", "-enc", "-ec")
| project Timestamp, DeviceName, ProcessCommandLine
```

Purpose: Identify obfuscated PowerShell commands using encoded parameters.

  8. Monitor for Scripting Engine Execution via Office Macros

```kql
DeviceProcessEvents
// The Office application is the parent; the script engine is the child process
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where ProcessCommandLine has_any (".vbs", ".js", "powershell")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine
```

Purpose: Detect the use of Office applications to execute scripts.

  9. Detect WMI Command Execution

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the use of Windows Management Instrumentation (WMI) to execute commands.

  10. Monitor for JScript Execution via MSHTA

```kql
DeviceProcessEvents
| where FileName =~ "mshta.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the execution of JScript or VBScript using the MSHTA utility.
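Flagging that an encoded command was used is only the first step; the analyst still has to read it. The following query, an added example that is not part of the original page, goes one step beyond the queries above: it extracts the base64 payload, decodes it (PowerShell encodes it as UTF-16LE, so the NUL bytes are stripped afterwards) and marks the decoded text when it contains terms typical of download cradles or in-memory execution. All thresholds and the triage term list are assumptions to tune locally.

```kql
// Added example: decode -EncodedCommand payloads so the real command can be triaged.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
// requiring a base64 run of at least 20 characters avoids matching -ExecutionPolicy values
| extend Encoded = extract(@"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(Encoded)
// The payload is UTF-16LE; for ASCII content every character is followed by a NUL,
// which replace_regex removes (assumption: payload is ASCII, the usual case)
| extend Decoded = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
// Triage terms (assumed list) typical of download cradles and in-memory execution
| extend Suspicious = Decoded has_any ("DownloadString", "DownloadFile", "Invoke-Expression", "IEX",
                                       "FromBase64String", "Net.WebClient", "Invoke-WebRequest")
| project Timestamp, DeviceName, AccountName, Suspicious, Decoded,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| order by Suspicious desc, Timestamp desc
```

The parent columns are kept deliberately: an encoded command launched by an Office application, a scheduled task or WmiPrvSE.exe reads very differently from the same command launched by a management agent, and that context decides the triage outcome more often than the payload itself.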

2. T1047 - Windows Management Instrumentation

Objective: Detect the use of WMI to execute commands or scripts remotely on the target system.

  1. Detect Remote WMI Execution

```kql
DeviceProcessEvents
// /node: is what makes a wmic process call remote rather than local
| where ProcessCommandLine has "wmic" and ProcessCommandLine has "/node:"
| where ProcessCommandLine has "process call create"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the use of WMI to remotely execute processes.

  2. Monitor WMI Commands Creating New Processes

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has "process call create"
| project Timestamp, DeviceName, ProcessCommandLine
```

Purpose: Detect WMI commands that create new processes on the system.

  3. Identify WMI Execution via PowerShell

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("Get-WmiObject", "Invoke-WmiMethod")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for WMI usage through PowerShell.

  4. Detect Suspicious WMI Execution with Credentials

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has "/user:"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify WMI execution using specific credentials, which may indicate lateral movement.

  5. Monitor for WMI Execution from Non-Admin Accounts

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and InitiatingProcessAccountName !~ "Administrator"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect WMI execution by non-administrative accounts.

  6. Identify WMI Execution to Start Services

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has "service"
| where ProcessCommandLine has_any ("startservice", "start")
| project Timestamp, DeviceName, ProcessCommandLine
```

Purpose: Monitor for WMI commands used to start services.

  7. Detect WMI Execution for File Transfer

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has "CIM_DataFile"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify WMI usage for file transfers.

  8. Monitor for WMI Execution of Suspicious Scripts

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has_any (".vbs", ".js", "powershell")
| project Timestamp, DeviceName, ProcessCommandLine
```

Purpose: Detect the execution of scripts through WMI.

  9. Identify WMI Execution to Modify Registry

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has "RegWrite"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for WMI commands that modify the Windows registry.

  10. Detect WMI Execution of DLL Files

```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has ".dll"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the use of WMI to execute DLL files.
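The queries above all look at the source host, where wmic was typed. On the target host the same activity appears as a process whose parent is the WMI provider host, WmiPrvSE.exe, and that side is often the only one visible when the source is an unmanaged machine. The query below, an added example that is not part of the original page, covers both sides in one result set and excludes a placeholder list of approved administrative accounts; the account names and the interpreter list are constructed assumptions to replace with your own.

```kql
// Added example: WMI remote execution seen from the target and the source host.
let lookback = 7d;
let approvedAdmins = dynamic(["svc-deploy", "ops-admin"]);   // constructed placeholder exclusions
// Target side: WmiPrvSE.exe spawning an interpreter or LOLBin on behalf of a remote caller
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                      "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| where AccountName !in~ (approvedAdmins)
| project Timestamp, Side = "target", DeviceName, AccountName, FileName, ProcessCommandLine,
          Target = "", ExplicitCreds = false
| union (
    // Source side: wmic pointed at another host, optionally with explicit credentials
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "wmic.exe" and ProcessCommandLine has "/node:"
    | extend Target = extract(@"(?i)/node:\s*""?([^\s""]+)", 1, ProcessCommandLine)
    | extend ExplicitCreds = ProcessCommandLine has "/user:"
    | where AccountName !in~ (approvedAdmins)
    | project Timestamp, Side = "source", DeviceName, AccountName, FileName, ProcessCommandLine,
              Target, ExplicitCreds
)
| order by Timestamp asc
```

When a "source" row and a "target" row line up on Target, DeviceName and Timestamp, the pair is the complete lateral movement event; a "target" row with no matching "source" row is the case to escalate, because it means the originating host is outside your telemetry.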

3. T1203 - Exploitation for Client Execution

Objective: Detect exploitation attempts targeting client applications to execute malicious code.

  1. Detect Exploitation Attempts in Web Browsers

```kql
DeviceProcessEvents
| where FileName in~ ("iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe", "edge.exe")
| where ProcessCommandLine has_any ("exploit", "shellcode", "heap spray")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify exploitation attempts targeting web browsers.

  2. Monitor for Office Application Exploits

```kql
DeviceProcessEvents
| where FileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where ProcessCommandLine has_any (".hta", ".exe", ".dll")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect exploitation attempts in Microsoft Office applications.

  3. Identify Adobe Reader Exploitation

```kql
DeviceProcessEvents
| where FileName =~ "acrord32.exe"
| where ProcessCommandLine has_any (".exe", ".dll", "powershell")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for exploitation of Adobe Reader.

  4. Detect Exploitation via Email Clients

```kql
DeviceProcessEvents
| where FileName in~ ("outlook.exe", "thunderbird.exe")
| where ProcessCommandLine has_any ("exploit", "shellcode")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify exploitation attempts targeting email clients.

  5. Monitor for PDF Exploitation Attempts

```kql
DeviceProcessEvents
| where FileName =~ "acrord32.exe"
| where ProcessCommandLine has_any (".js", "powershell", ".vbs")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect exploitation attempts involving PDF files.

  6. Detect Exploitation via Media Players

```kql
DeviceProcessEvents
| where FileName in~ ("wmplayer.exe", "vlc.exe")
| where ProcessCommandLine has_any ("exploit", "shellcode", "overflow")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for exploitation attempts targeting media players.

  7. Identify Java Application Exploitation

```kql
DeviceProcessEvents
| where FileName in~ ("java.exe", "javaw.exe")
| where ProcessCommandLine has_any ("exploit", "shellcode")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect exploitation attempts in Java applications.

  8. Monitor for Flash Player Exploitation

```kql
DeviceProcessEvents
| where FileName =~ "flashplayer.exe"
| where ProcessCommandLine has_any (".js", "powershell", ".vbs")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify exploitation attempts in Adobe Flash Player.

  9. Detect Exploitation via Browsing History

```kql
DeviceProcessEvents
| where FileName in~ ("iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe", "edge.exe")
| where ProcessCommandLine has_any ("history", "cookies")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for exploitation attempts using browsing history.

  10. Identify Exploitation Using Document Macros

```kql
DeviceProcessEvents
| where FileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where ProcessCommandLine has "macro"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the use of macros in document exploitation.

4. T1106 - Native API

Objective: Detect the use of native Windows APIs to execute malicious code or commands.

  1. Detect Use of Windows API Calls

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("CreateProcess", "VirtualAlloc", "LoadLibrary")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify processes making direct API calls.

  2. Monitor for Execution via CreateProcess API

```kql
DeviceProcessEvents
| where ProcessCommandLine has "CreateProcess"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect execution of processes using the CreateProcess API.

  3. Identify Use of LoadLibrary API

```kql
DeviceProcessEvents
| where ProcessCommandLine has "LoadLibrary"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for the loading of dynamic link libraries (DLLs) using the LoadLibrary API.

  4. Detect Memory Allocation via VirtualAlloc

```kql
DeviceProcessEvents
| where ProcessCommandLine has "VirtualAlloc"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify memory allocation attempts using the VirtualAlloc API.

  5. Monitor for Remote Thread Injection via CreateRemoteThread

```kql
DeviceProcessEvents
| where ProcessCommandLine has "CreateRemoteThread"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect remote thread injection using the CreateRemoteThread API.

  6. Identify API Calls for Process Injection

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("NtQueueApcThread", "RtlCreateUserThread", "WriteProcessMemory")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the use of APIs commonly associated with process injection.

  7. Detect API Calls for Code Execution

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("WinExec", "ShellExecute", "CreateProcess")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for API calls used to execute code.

  8. Identify Use of API for Privilege Escalation

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("AdjustTokenPrivileges", "SetThreadToken")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect API usage for privilege escalation.

  9. Monitor for API Calls Modifying System Files

```kql
DeviceFileEvents
| where FileName has_any ("kernel32.dll", "ntdll.dll", "user32.dll")
| project Timestamp, DeviceName, FileName, FolderPath
```

Purpose: Identify attempts to modify system files via API calls.

  10. Detect API Calls for Network Communications

```kql
DeviceNetworkEvents
// DeviceNetworkEvents carries the command line of the initiating process, not a ProcessCommandLine column
| where InitiatingProcessCommandLine has_any ("send", "recv", "connect")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for API calls initiating network communications.

5. T1202 - Indirect Command Execution

Objective: Detect the use of indirect methods to execute commands, such as through application features, scripting, or automated tasks.

  1. Detect Execution via Scheduled Tasks

```kql
DeviceProcessEvents
| where ProcessCommandLine has "schtasks /create"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the creation of scheduled tasks for command execution.

  2. Monitor for Execution via Registry Autorun

```kql
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// RegistryKey is recorded with the full hive name; endswith covers both HKCU and HKLM Run keys
| where RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
```

Purpose: Detect the use of registry autorun keys for indirect command execution.

  3. Identify Execution via Office Macros

```kql
DeviceProcessEvents
// The Office application is the parent of the process the macro launches
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where ProcessCommandLine has "macro"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for command execution via Office macros.

  4. Detect Execution via Task Scheduler

```kql
DeviceProcessEvents
| where FileName in~ ("schtasks.exe", "at.exe")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the use of Task Scheduler for indirect command execution.

  5. Monitor for Execution via WMI Event Subscriptions

```kql
DeviceProcessEvents
// Subscriptions are created through these consumer classes and cmdlets rather than through wmic
| where ProcessCommandLine has_any ("CommandLineEventConsumer", "ActiveScriptEventConsumer",
                                    "Register-WmiEvent", "Register-CimIndicationEvent")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the use of WMI event subscriptions for command execution.

  6. Identify Execution via Application Debugging

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("windbg.exe", "cdb.exe", "ntsd.exe")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Monitor for command execution using application debugging tools.

  7. Detect Execution via Service Binary

```kql
DeviceProcessEvents
| where ProcessCommandLine has "sc config" and ProcessCommandLine has "binpath="
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Identify the modification of service binaries for command execution.

  8. Monitor for Execution via COM Object Hijacking

```kql
DeviceProcessEvents
| where ProcessCommandLine has "regsvr32"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
```

Purpose: Detect the use of COM objects for indirect command execution.

  9. Identify Execution via Autorun.inf Files

```kql
DeviceFileEvents
| where FileName =~ "autorun.inf"
| project Timestamp, DeviceName, FileName, FolderPath
```

Purpose: Monitor for the use of autorun.inf files for command execution.

  10. Detect Execution via Remote Desktop Services

```kql
DeviceLogonEvents
| where LogonType == "RemoteInteractive"
// DeviceLogonEvents exposes the account as AccountName and the time as Timestamp
| summarize count() by AccountName, DeviceName, bin(Timestamp, 1h)
```

Purpose: Identify command execution through Remote Desktop Services.
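Scheduled tasks and Run keys are the two indirect execution mechanisms a Level 1 analyst meets most, and both are far more readable once the payload is separated from the mechanism. The query below, an added example that is not part of the original page, parses the task name and the /tr action out of schtasks command lines, pairs them with Run and RunOnce value writes, and keeps only entries whose payload invokes an interpreter or LOLBin. The interpreter list is an assumption to adjust locally.

```kql
// Added example: scheduled-task creation and Run-key writes whose payload is an interpreter.
let lookback = 7d;
let interpreters = dynamic(["powershell", "pwsh", "cmd", "wscript", "cscript",
                            "mshta", "rundll32", "regsvr32"]);   // assumed list
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create"
// /tn is the task name; /tr is the action, captured up to the next switch or end of line
| extend TaskName = extract(@"(?i)/tn\s+""?([^""\s]+)", 1, ProcessCommandLine)
| extend TaskRun  = extract(@"(?i)/tr\s+(.+?)(?:\s+/[a-z]+\b|$)", 1, ProcessCommandLine)
| where TaskRun has_any (interpreters)
| project Timestamp, DeviceName, AccountName, Mechanism = "ScheduledTask",
          Name = TaskName, Payload = TaskRun, InitiatingProcessFileName
| union (
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run"
       or RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\RunOnce"
    | where RegistryValueData has_any (interpreters)
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, Mechanism = "RegistryRun",
              Name = RegistryValueName, Payload = RegistryValueData, InitiatingProcessFileName
)
| order by Timestamp asc
```

The Payload column is what to triage: a task or Run value that launches powershell with a download cradle, or mshta with a remote URL, is the finding, while the same mechanism launching a signed vendor updater is the usual benign noise. InitiatingProcessFileName tells you who planted the entry, which is often more useful than the entry itself.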

6. T1072 - Software Deployment Tools

Objective: Detect the use of software deployment tools to execute malicious code on multiple systems.

  1. Detect Execution via SCCM

DeviceProcessEvents | where ProcessCommandLine has "ccmexec.exe" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the use of System Center Configuration Manager (SCCM) for command execution.

  1. Monitor for Execution via Ansible

DeviceProcessEvents | where ProcessCommandLine has "ansible-playbook" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of Ansible for software deployment and command execution.

  1. Identify Execution via Puppet

DeviceProcessEvents | where ProcessCommandLine has "puppet apply" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of Puppet for executing commands on systems.

  1. Detect Execution via Chef

DeviceProcessEvents | where ProcessCommandLine has "chef-client" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for command execution using Chef.

  1. Monitor for Execution via SaltStack

DeviceProcessEvents | where ProcessCommandLine has "salt-call" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of SaltStack for command execution.

  1. Detect Execution via PowerShell DSC

DeviceProcessEvents | where ProcessCommandLine has "Start-DscConfiguration" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the use of PowerShell Desired State Configuration (DSC) for command execution.

  1. Identify Execution via GPO Scripts

DeviceProcessEvents | where ProcessCommandLine has "gpo.ps1" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of Group Policy Object (GPO) scripts for executing commands.

  8. Monitor for Execution via Remote Software Installation

DeviceProcessEvents | where ProcessCommandLine has "msiexec" and ProcessCommandLine has "/i" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify remote software installations used for command execution.

  9. Detect Execution via Orchestrator Runbooks

DeviceProcessEvents | where ProcessCommandLine has "orchestrator" and ProcessCommandLine has "runbook" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the use of Orchestrator Runbooks to execute commands.

  10. Identify Execution via Custom Deployment Scripts

DeviceProcessEvents | where ProcessCommandLine has_any (".ps1", ".bat", ".sh") and ProcessCommandLine has "deploy" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect custom deployment scripts used for executing commands on multiple systems.
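The string matches above fire on every legitimate deployment run, so the next step in practice is to baseline which account/host pairs normally run each tool and surface only new pairings. The query below is an added example, not part of the original page; the 30-day baseline, 1-day window and the tool list (taken from the queries above) are assumptions to tune for your estate.

```kql
// Added example: account/host/tool combinations seen in the last day that never
// appeared in the preceding 30 days. Tool names come from the queries above.
let tools = dynamic(["ccmexec.exe", "ansible-playbook", "puppet", "chef-client",
                     "salt-call", "Start-DscConfiguration", "msiexec", "runbook"]);
let lookback = 30d;   // assumption: baseline period
let recent = 1d;      // assumption: alerting window
let deployments =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine has_any (tools)
    // Normalise which tool was used so the baseline is keyed per tool.
    | extend Tool = tolower(extract(@"(?i)(ccmexec\.exe|ansible-playbook|puppet|chef-client|salt-call|Start-DscConfiguration|msiexec|runbook)", 1, ProcessCommandLine))
    | project Timestamp, DeviceName, InitiatingProcessAccountName, Tool, ProcessCommandLine;
// Everything observed before the recent window forms the baseline.
let baseline =
    deployments
    | where Timestamp < ago(recent)
    | summarize by DeviceName, InitiatingProcessAccountName, Tool;
deployments
| where Timestamp >= ago(recent)
// leftanti keeps only rows whose account/host/tool key is absent from the baseline.
| join kind=leftanti baseline on DeviceName, InitiatingProcessAccountName, Tool
| summarize FirstSeen = min(Timestamp), Runs = count(),
            SampleCommand = take_any(ProcessCommandLine)
    by DeviceName, InitiatingProcessAccountName, Tool
| order by FirstSeen desc
```

A new pairing is a triage lead rather than a verdict: confirm it against change tickets or the deployment platform's own job history before escalating.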

7. T1117 - Regsvr32

Objective: Detect the use of regsvr32.exe to execute DLLs or scripts, potentially as part of a living-off-the-land attack.

  1. Detect Regsvr32 Execution

DeviceProcessEvents | where FileName == "regsvr32.exe" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify instances where regsvr32.exe is used to execute DLLs or scripts.

  2. Monitor for Regsvr32 with Suspicious Parameters

DeviceProcessEvents | where FileName == "regsvr32.exe" and ProcessCommandLine has_any ("/s", "/u", "/i") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect regsvr32 executions with suspicious command-line parameters.

  3. Identify Regsvr32 Executing Remote Files

DeviceProcessEvents | where FileName == "regsvr32.exe" and ProcessCommandLine has "http://" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for regsvr32 executing remote files.

  4. Detect Regsvr32 Used for Script Execution

DeviceProcessEvents | where FileName == "regsvr32.exe" and ProcessCommandLine has_any (".vbs", ".js") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify regsvr32 executions that involve running scripts.

  5. Monitor for Regsvr32 with Unusual DLLs

DeviceProcessEvents | where FileName == "regsvr32.exe" and ProcessCommandLine has ".dll" | where ProcessCommandLine !has_any ("kernel32.dll", "user32.dll") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect regsvr32 used to execute unusual or suspicious DLLs.

  6. Identify Regsvr32 Executing from Non-Standard Locations

DeviceProcessEvents | where FileName == "regsvr32.exe" and FolderPath !startswith "C:\\Windows\\System32\\" and FolderPath !startswith "C:\\Windows\\SysWOW64\\" | project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for regsvr32 executing from non-standard locations.

  7. Detect Regsvr32 with Network Connectivity

DeviceProcessEvents | where FileName == "regsvr32.exe" and ProcessCommandLine has_any (".dll", ".ocx") and ProcessCommandLine has "http://" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify regsvr32 executions that involve network connectivity.

  8. Monitor for Regsvr32 Execution by Non-Admin Accounts

DeviceProcessEvents | where FileName == "regsvr32.exe" and InitiatingProcessAccountName != "Administrator" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect regsvr32 usage by non-administrative accounts.

  9. Identify Regsvr32 with High Privileges

DeviceProcessEvents | where FileName == "regsvr32.exe" and ProcessTokenElevation == "TokenElevationTypeFull" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for regsvr32 executions with elevated privileges.

  10. Detect Regsvr32 Used in Conjunction with UAC Bypass

DeviceProcessEvents | where FileName == "regsvr32.exe" and ProcessCommandLine has_any ("bypass", "UAC") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify regsvr32 executions associated with UAC bypass techniques.
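The network-related queries above infer connectivity from "http://" in the command line, which misses a DLL that only reaches out once loaded. The correlation below is an added example, not part of the original page: it pairs each regsvr32.exe launch with the public-address connections Defender for Endpoint records for that process. The 7-day range and 5-minute window are assumptions.

```kql
// Added example: regsvr32.exe processes that opened a connection to a public
// address within a few minutes of starting, correlated on DeviceId + ProcessId.
let window = 5m;   // assumption: how long after launch a connection still counts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "regsvr32.exe"
| project DeviceId, DeviceName, ProcessStart = Timestamp, ProcessId,
          ProcessCommandLine, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName =~ "regsvr32.exe"
    | where RemoteIPType == "Public"
    | project DeviceId, NetTime = Timestamp, InitiatingProcessId,
              ActionType, RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// Process IDs are reused, so bound the match to the window after this launch.
| where NetTime between (ProcessStart .. (ProcessStart + window))
| summarize Connections = count(),
            Remotes = make_set(strcat(RemoteIP, ":", RemotePort), 10),
            Urls = make_set(RemoteUrl, 10)
    by DeviceName, ProcessStart, AccountName, ProcessCommandLine,
       InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ProcessStart desc
```

The parent process and command line are kept in the output because a regsvr32 launched from an Office application or a script host is the detail that usually decides the triage.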

8. T1086 - PowerShell

Objective: Detect the use of PowerShell for executing commands and scripts, which is often used in attacks.

  1. Detect PowerShell Script Execution

DeviceProcessEvents | where FileName == "powershell.exe" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify instances where PowerShell is used to execute scripts.

  2. Monitor for Obfuscated PowerShell Commands

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine matches regex @"(?i)(`|\[char\]|-join|\^|'\s*\+\s*')" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect obfuscated PowerShell commands.

  3. Identify PowerShell Commands Downloading Files

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Invoke-WebRequest" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for PowerShell commands that download files from the internet.

  4. Detect PowerShell Commands Executing Encoded Commands

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "EncodedCommand" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify PowerShell executions with encoded commands.

  5. Monitor for PowerShell Execution with Admin Privileges

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessTokenElevation == "TokenElevationTypeFull" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect PowerShell commands executed with administrative privileges.

  6. Identify PowerShell Execution from Office Applications

DeviceProcessEvents | where FileName == "powershell.exe" and InitiatingProcessFileName in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect PowerShell commands executed from Office applications.

  7. Detect PowerShell Commands Modifying the Registry

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Set-ItemProperty" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for PowerShell commands that modify the Windows registry.

  8. Monitor for PowerShell Commands Invoking WMI

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "Get-WmiObject" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify PowerShell commands that invoke WMI.

  9. Detect PowerShell Commands Executing System Commands

DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has_any ("cmd.exe", "sc.exe", "net.exe") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for PowerShell commands that execute system commands.

  10. Identify PowerShell Execution via Script Block Logging

DeviceEvents | where ActionType == "PowerShellCommand" | extend Command = tostring(parse_json(AdditionalFields).Command) | project Timestamp, DeviceName, InitiatingProcessCommandLine, Command

Purpose: Detect PowerShell execution using script block logging.
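The command-line queries above see nothing when a script is run from a file, and an -EncodedCommand payload hides its contents from every "has" match. The query below is an added example, not part of the original page: it pairs each powershell.exe launch with the commands Defender for Endpoint records under the PowerShellCommand action type, decodes any -EncodedCommand argument, and applies the indicators from this section to all three sources. The marker list, 7-day range and the assumption that the recorded command sits in the Command key of AdditionalFields are assumptions to verify in your tenant.

```kql
// Added example: join powershell.exe launches to recorded PowerShell commands,
// decode -EncodedCommand payloads, then look for the section's indicators.
let markers = dynamic(["Invoke-WebRequest", "DownloadString", "IEX", "Invoke-Expression",
                       "Set-ItemProperty", "Get-WmiObject", "FromBase64String"]);
let procs =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    // Base64 argument following -EncodedCommand or any of its prefixes (-e, -ec, -enc).
    | extend EncodedArg = extract(@"(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
    // Shortcut: PowerShell encodes UTF-16LE, so stripping the interleaved NUL
    // bytes recovers ASCII payloads; non-ASCII characters are lost this way.
    | extend Decoded = iff(isnotempty(EncodedArg),
                           replace_regex(base64_decode_tostring(EncodedArg), @"\x00", ""), "")
    | project DeviceId, DeviceName, ProcessStart = Timestamp, ProcessId,
              AccountName, InitiatingProcessFileName, ProcessCommandLine, Decoded;
let commands =
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType == "PowerShellCommand"
    | extend Command = tostring(parse_json(AdditionalFields).Command)
    | project DeviceId, InitiatingProcessId, Command;
procs
// leftouter keeps launches that produced no recorded commands (e.g. -NoProfile -c exit).
| join kind=leftouter commands on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| summarize Commands = make_set(Command, 20)
    by DeviceName, ProcessStart, AccountName, InitiatingProcessFileName,
       ProcessCommandLine, Decoded
// Evaluate the indicators against command line, decoded payload and recorded commands.
| extend Evidence = strcat(ProcessCommandLine, " ", Decoded, " ", tostring(Commands))
| where Evidence has_any (markers)
| project ProcessStart, DeviceName, AccountName, InitiatingProcessFileName,
          ProcessCommandLine, Decoded, Commands
| order by ProcessStart desc
```

Keep the Decoded column in the result: an analyst can read the intent of an encoded command directly instead of re-decoding it by hand for every hit.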
