Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.
Execution of Actor Tools and Command-line Activities (MITRE ATT&CK: T1059)
Overview:
Command-line interfaces (CLI) are often abused by adversaries to execute malicious tools and commands. Monitoring these activities is crucial for detecting malicious behaviour.
25 Example Queries for Execution of Actor Tools and Command-line Detection:
Detect PowerShell Execution with Encoded CommandsEncoded PowerShell commands often indicate obfuscation used in attacks.
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "encodedCommand" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor Execution of Scripts via CMD (Batch Files)Batch files may be used to automate malicious commands.
DeviceProcessEvents | where FileName == "cmd.exe" and ProcessCommandLine has ".bat" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Track Execution of Python Scripts for Malicious ActivitiesPython scripts may be used to execute malicious code.
DeviceProcessEvents | where FileName == "python.exe" or ProcessCommandLine has ".py" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Execution of System Binaries Used by Attackers (LOLBins)Attackers often abuse legitimate system binaries (LOLBins) like msiexec, certutil, etc.
DeviceProcessEvents | where FileName in ("msiexec.exe", "certutil.exe", "rundll32.exe") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor Execution of VBS Scripts for Malicious ActivityVBS scripts can be used to execute malicious code, download payloads, etc.
DeviceProcessEvents | where FileName == "wscript.exe" and ProcessCommandLine has ".vbs" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Use of PowerShell to Bypass Execution PoliciesMalicious PowerShell scripts often bypass execution policies.
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has "-ExecutionPolicy Bypass" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor Use of CertUtil for Malicious File DownloadsCertUtil is often abused to download and decode malicious payloads.
DeviceProcessEvents | where FileName == "certutil.exe" and ProcessCommandLine has "download" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Track Use of MSHTA for Script Execution (Malicious Activity)MSHTA is commonly abused to execute malicious HTML applications.
DeviceProcessEvents | where FileName == "mshta.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Use of CMD for Remote Command ExecutionCMD may be used to execute commands on remote systems using tools like PsExec.
DeviceProcessEvents | where FileName == "cmd.exe" and ProcessCommandLine has_any ("psexec", "wmic", "mstsc") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor Use of PowerShell for Downloading and Executing ScriptsPowerShell can be used to download and execute malicious scripts.
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has_any ("download", "Invoke-WebRequest") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Track Execution of Python Tools Used by Attackers (e.g., Empire)Python-based post-exploitation tools like Empire are often used by attackers.
DeviceProcessEvents | where FileName == "python.exe" and ProcessCommandLine has_any ("empire", "exploit") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Use of PowerShell for Process Injection TechniquesPowerShell scripts may be used to inject malicious code into legitimate processes.
DeviceProcessEvents | where FileName == "powershell.exe" and ProcessCommandLine has_any ("Invoke-ReflectivePEInjection", "Invoke-Mimikatz") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor the Use of VSSAdmin for Shadow Copy DeletionVSSAdmin may be used to delete shadow copies, typically seen in ransomware attacks.
DeviceProcessEvents | where FileName == "vssadmin.exe" and ProcessCommandLine has "delete shadows" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Track Use of 7-Zip or WinRAR for Data Compression Before ExfiltrationAttackers may compress data before exfiltration to minimize detection.
DeviceProcessEvents | where FileName in ("7z.exe", "winrar.exe") and ProcessCommandLine has "compress" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Use of Bitsadmin for File DownloadsBitsadmin is often abused to download or transfer malicious files.
DeviceProcessEvents | where FileName == "bitsadmin.exe" and ProcessCommandLine has "transfer" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor the Use of Command-line Tools for User EnumerationCommands like net user and net localgroup may be used to enumerate accounts.
DeviceProcessEvents | where FileName == "net.exe" and ProcessCommandLine has_any ("user", "localgroup") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Track Use of Network Scanning Tools (e.g., Nmap)Network scanning tools may be used by attackers to discover systems and services.
DeviceProcessEvents | where FileName == "nmap.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Use of WMI for Remote Code ExecutionWMI is often used to execute commands on remote systems.
DeviceProcessEvents | where FileName == "wmic.exe" and ProcessCommandLine has_any ("process call create", "os get") | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor Use of Netstat for Network DiscoveryNetstat is used to list active network connections, which can be abused for discovery.
DeviceProcessEvents | where FileName == "netstat.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Track Execution of SQL Tools for Database Discovery (e.g., SQLCMD)SQL tools may be used by attackers to query databases and extract information.
DeviceProcessEvents | where FileName == "sqlcmd.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Use of Regsvr32 for Malicious DLL ExecutionRegsvr32 can be used to execute DLLs and load malicious code.
DeviceProcessEvents | where FileName == "regsvr32.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor Execution of VBScript Files for Malicious ActivityVBScript files may be used to download, execute, or perform malicious actions.
DeviceProcessEvents | where FileName == "wscript.exe" and ProcessCommandLine has ".vbs" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Track Use of Network Monitoring Tools for Reconnaissance (e.g., Wireshark)Network monitoring tools may be used to capture and analyze network traffic for reconnaissance.
DeviceProcessEvents | where FileName == "wireshark.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Detect Use of Task Scheduler for Remote Command Execution (Schtasks.exe)Schtasks may be used to schedule and execute tasks on remote systems.
DeviceProcessEvents | where FileName == "schtasks.exe" and ProcessCommandLine has "create" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
Monitor Use of Remote Desktop Services for Command ExecutionRemote Desktop Services (mstsc.exe) may be used for lateral movement and command execution.
DeviceProcessEvents | where FileName == "mstsc.exe" | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine