Command

A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task[1][2]

ID: DS0017
Platforms: Android, Containers, Linux, Network, Windows, iOS, macOS
Collection Layers: Container, Host
Contributors: Center for Threat-Informed Defense (CTID); Austin Clark, @c2defense
Version: 1.1
Created: 20 October 2021
Last Modified: 20 April 2023

Data Components

Command: Command Execution

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Command: Command Execution

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

Monitor executed commands and arguments that may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions.

.001 Setuid and Setgid

Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.

.002 Bypass User Account Control

Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on system.

.003 Sudo and Sudo Caching

Monitor executed commands and arguments that may perform sudo caching and/or use the suoders file to elevate privileges, such as the sudo command.

Enterprise T1134 Access Token Manipulation

Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[3]

.001 Token Impersonation/Theft

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[3]

.002 Create Process with Token

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.[3]

.003 Make and Impersonate Token

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.[3]

Enterprise T1087 Account Discovery

Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

.001 Local Account

Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as net user, net account, net localgroup, Get-LocalUser, and dscl.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

.002 Domain Account

Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as net user /domain and net group /domain, dscacheutil -q groupon macOS, and ldapsearch on Linux.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

.003 Email Account

Monitor for execution of commands and arguments associated with enumeration or information gathering of email addresses and accounts such as Get-AddressList, Get-GlobalAddressList, and Get-OfflineAddressBook.

.004 Cloud Account

Monitor logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Enterprise T1098 Account Manipulation

Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the authorized_keys or /etc/ssh/sshd_config).

Monitor executed commands and arguments of suspicious commands (such as Add-MailboxPermission) that may be indicative of modifying the permissions of Exchange and other related service settings.

.004 SSH Authorized Keys

Monitor executed commands and arguments to modify the authorized_keys or /etc/ssh/sshd_config files.

Enterprise T1010 Application Window Discovery

Monitor executed commands and arguments for actions that could be taken to gather system and network information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Note: Commands can also be obtained from Payload event field for PowerShell event id 4103. For PowerShell Module logging event id 4103, enable logging for module Microsoft.PowerShell.Management.

Analytic 1 - Suspicious Commands

suspicious_commands = filter commands where event_id == "4103" AND ((command_line LIKE '%Get-Process%' AND command_line_parameter LIKE '%mainWindowTitle%'))

Enterprise T1560 Archive Collected Data

Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.

.001 Archive via Utility

Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.

Enterprise T1123 Audio Capture

Monitor executed commands and arguments for actions that can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Enterprise T1119 Automated Collection

Monitor executed commands and arguments for actions that could be taken to collect internal data.

ICS T0802 Automated Collection

Monitor executed commands and arguments for actions that could be taken to collect internal data.

Enterprise T1020 Automated Exfiltration

Monitor executed commands and arguments that may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection

Enterprise T1197 BITS Jobs

Monitor executed commands and arguments from the BITSAdmin tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)[4] Admin logs, PowerShell logs, and the Windows Event log for BITS activity.[5] Also consider investigating more detailed information about jobs by parsing the BITS job database.[6]

Enterprise T1547 Boot or Logon Autostart Execution

Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

.001 Registry Run Keys / Startup Folder

Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

.002 Authentication Package

Monitor executed commands and arguments that may abuse authentication packages to execute DLLs when the system boots.

.003 Time Providers

Monitor executed commands and arguments that may abuse time providers to execute DLLs when the system boots.

.004 Winlogon Helper DLL

Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

Analytic 1 - Modification of the Winlogon Registry Key

suspicious_processes = filter processes where (event_id == "1" OR event_id == "4688") AND (ProcessCommandLine LIKE '%Microsoft\Windows NT\CurrentVersion\Winlogon%' AND (ProcessCommandLine LIKE '%Userinit%' OR ProcessCommandLine LIKE '%Shell%' OR ProcessCommandLine LIKE '%Notify%')) AND (ProcessCommandLine LIKE '%reg%' OR ProcessCommandLine LIKE '%add%' OR ProcessCommandLine LIKE '%/d%' OR ProcessCommandLine LIKE '%Set-ItemProperty%' OR ProcessCommandLine LIKE '%New-ItemProperty%' ProcessCommandLine LIKE '%-value%')

.005 Security Support Provider

Monitor executed commands and arguments that may abuse security support providers (SSPs) to execute DLLs when the system boots.

.006 Kernel Modules and Extensions

Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo [7] Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. [8] Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.[9] Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package.

On macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.[10][11][12]

.007 Re-opened Applications

Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.

.013 XDG Autostart Entries

Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.

.014 Active Setup

Monitor executed commands and arguments that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

Enterprise T1037 Boot or Logon Initialization Scripts

Monitor executed commands and arguments that may consist of logon scripts for unusual access by abnormal users or at abnormal times.

.001 Logon Script (Windows)

Monitor executed commands and arguments for logon scripts

.002 Login Hook

Monitor executed commands with arguments to install or modify login hooks.

.003 Network Logon Script

Monitor executed commands and arguments for logon scripts

.004 RC Scripts

Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior

.005 Startup Items

Monitor executed commands and arguments for logon scripts

Enterprise T1176 Browser Extensions

Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration.

Enterprise T1217 Browser Information Discovery

Monitor executed commands and arguments for actions that could be taken to gather browser information, such as local files and databases (e.g., %APPDATA%/Google/Chrome).[13] Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1110 Brute Force

Monitor executed commands and arguments that may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Enterprise T1115 Clipboard Data

Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications.

Enterprise T1651 Cloud Administration Command

Monitor commands and scripts executed on virtual machines. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.[14]

Enterprise T1059 Command and Scripting Interpreter

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

.001 PowerShell

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). [15] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[16] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

.002 AppleScript

Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

.003 Windows Command Shell

Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.004 Unix Shell

Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

.005 Visual Basic

Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.

.006 Python

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.

.007 JavaScript

Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.

.008 Network Device CLI

Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. [17] Consider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.

.009 Cloud API

Consider reviewing command history in either host machines or cloud audit logs to determine if unauthorized or suspicious commands were executed.

Cloud API activity logging is typically enabled by default and may be reviewed in sources like the Microsoft Unified Audit Log, AWS CloudTrail, and GCP Admin Acitivty logs. Review these sources for history of executed API commands. Host logs may also be reviewed to capture CLI commands or PowerShell module usage to invoke Cloud API functions.

Mobile T1623 Command and Scripting Interpreter

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.

.001 Unix Shell

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.

ICS T0807 Command-Line Interface

On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.

On network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.

Enterprise T1609 Container Administration Command

Monitor commands and arguments executed by container services. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster.

Enterprise T1136 Create Account

Monitor executed commands and arguments for actions that are associated with account creation, such as net user or useradd

.001 Local Account

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, dscl -create, and kubectl create serviceaccount.

.002 Domain Account

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add /domain.

Enterprise T1543 Create or Modify System Process

Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques.

.001 Launch Agent

Ensure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy.

.002 Systemd Service

Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.

.003 Windows Service

Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.

.004 Launch Daemon

Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present. [18]

Enterprise T1555 Credentials from Password Stores

Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.

.001 Keychain

Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials.

.002 Securityd Memory

Monitor executed commands and arguments that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.

.003 Credentials from Web Browsers

Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.[19]

.004 Windows Credential Manager

Monitor executed commands and arguments for suspicious activity listing credentials from the Windows Credentials locker (e.g. vaultcmd /listcreds:"Windows Credentials").[20]

.005 Password Managers

Monitor executed commands and arguments that may acquire user credentials from third-party password managers. [21]

Enterprise T1485 Data Destruction

Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.

Mobile T1662 Data Destruction

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes.

ICS T0809 Data Destruction

Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.

Enterprise T1486 Data Encrypted for Impact

Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit

Enterprise T1005 Data from Local System

Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

ICS T0893 Data from Local System

Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1039 Data from Network Shared Drive

Monitor executed commands and arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1025 Data from Removable Media

Monitor executed commands and arguments for actions that could be taken to collect files from a system's connected removable media. For example, data may be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1074 Data Staged

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

.001 Local Data Staging

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

.002 Remote Data Staging

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1622 Debugger Evasion

Monitor executed commands and arguments that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.

Enterprise T1652 Device Driver Discovery

Monitor executed commands (lsmod, driverquery, etc.) with arguments highlighting potentially malicious attempts to enumerate device drivers.

Enterprise T1006 Direct Volume Access

Monitor executed commands and arguments that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.

Enterprise T1561 Disk Wipe

Monitor for direct access read/write attempts using the \\.\ notation.[22] Monitor for unusual kernel driver installation activity.

.001 Disk Content Wipe

Monitor executed commands and arguments that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

.002 Disk Structure Wipe

Monitor executed commands and arguments that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Enterprise T1484 Domain Policy Modification

Monitor executed commands and arguments for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.[23][24]

.001 Group Policy Modification

Monitor executed commands and arguments that may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.

.002 Domain Trust Modification

Monitor executed commands and arguments that updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.[23] Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.[25]

Enterprise T1482 Domain Trust Discovery

Monitor executed commands and arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information.

Enterprise T1114 Email Collection

Monitor executed processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

On Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule PowerShell cmdlets.[26][27]

.001 Local Email Collection

Monitor executed commands and arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

.002 Remote Email Collection

Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.

.003 Email Forwarding Rule

On Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule PowerShell cmdlets.[26][27]

Enterprise T1546 Event Triggered Execution

Monitor executed commands and arguments that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

.001 Change Default File Association

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by a file type association.

.002 Screensaver

Monitor executed commands and arguments of .scr files.

Analytic 1 - Modify the HKCU\Control Panel\Desktop registry key

suspicious_processes = filter processes where (event_id == "1" OR event_id == "4688") AND (ProcessCommandLine LIKE '%reg%' AND ProcessCommandLine LIKE '%add%' AND ProcessCommandLine LIKE '%HKCU\Control Panel\Desktop\%')

.003 Windows Management Instrumentation Event Subscription

Monitor executed commands and arguments that can be used to register WMI persistence, such as the Register-WmiEvent PowerShell cmdlet [28]

.004 Unix Shell Configuration Modification

Monitor executed commands and arguments that may establish persistence through executing malicious commands triggered by a user’s shell.

.005 Trap

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.

.006 LC_LOAD_DYLIB Addition

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by the execution of tainted binaries.

.007 Netsh Helper DLL

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs.

.008 Accessibility Features

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of Accessibility Features.

.009 AppCert DLLs

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

.010 AppInit DLLs

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

.011 Application Shimming

Monitor executed commands and arguments for sdbinst.exe for potential indications of application shim abuse.

.012 Image File Execution Options Injection

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.

.013 PowerShell Profile

Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules.

.014 Emond

Monitor executed commands and arguments that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).

.015 Component Object Model Hijacking

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on changes to COM registry keys, including HKCU\Software\Classes\CLSID*.

.016 Installer Packages

Monitor executed commands and arguments that may be related to abuse of installer packages, including malicious commands triggered by application installations.

Enterprise T1480 Execution Guardrails

Monitor executed commands and arguments that may gather information about the victim's business relationships that can be used during targeting. Detecting the use of guardrails may be difficult depending on the implementation.

.001 Environmental Keying

Monitor executed commands and arguments that may gather the victim's physical location(s) that can be used during targeting. Detecting the use of environmental keying may be difficult depending on the implementation.

Enterprise T1048 Exfiltration Over Alternative Protocol

Monitor executed commands and arguments that may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.

.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

.003 Exfiltration Over Unencrypted Non-C2 Protocol

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Enterprise T1041 Exfiltration Over C2 Channel

Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.

Enterprise T1011 Exfiltration Over Other Network Medium

Monitor executed commands and arguments that may attempt to exfiltrate data over a different network medium than the command and control channel

.001 Exfiltration Over Bluetooth

Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control channel.

Enterprise T1052 Exfiltration Over Physical Medium

Monitor executed commands and arguments that may attempt to exfiltrate data via a physical medium, such as a removable drive.

.001 Exfiltration over USB

Monitor executed commands and arguments that may attempt to exfiltrate data over a USB connected physical device.

Enterprise T1567 Exfiltration Over Web Service

Monitor executed commands and arguments that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

.001 Exfiltration to Code Repository

Monitor executed command and arguments that may exfiltrate data to a code repository rather than over their primary command and control channel.

.002 Exfiltration to Cloud Storage

Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

.004 Exfiltration Over Webhook

Monitor executed commands and arguments that may exfiltrate data to a webhook as a malicious command and control channel. Additionally, monitor commands that may create new webhook configurations in SaaS services - for example, gh webhook forward in Github or mgc subscriptions create in Office 365.[29][30]

Enterprise T1083 File and Directory Discovery

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Enterprise T1222 File and Directory Permissions Modification

Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

.001 Windows File and Directory Permissions Modification

Monitor for executed commands and arguments for PowerShell cmdlets that can be used to retrieve or modify file and directory DACLs.

.002 Linux and Mac File and Directory Permissions Modification

Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.[31]

ICS T0823 Graphical User Interface

Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI.

Enterprise T1615 Group Policy Discovery

Monitor for suspicious use of gpresult. Monitor for the use of PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup and processes spawning with command-line arguments containing GPOLocalGroup.

Enterprise T1564 Hide Artifacts

Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.

.001 Hidden Files and Directories

Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.

.002 Hidden Users

Monitor executed commands and arguments that could be taken to add a new user and subsequently hide it from login screens.

.003 Hidden Window

Monitor executed commands and arguments that may use hidden windows to conceal malicious activity from the plain sight of users. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style.

.004 NTFS File Attributes

The Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. [32] Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. [33] [34]

Analytic 1 - NTFS Alternate Data Stream Execution : System Utilities (Powershell)

ads_processes = filter processes where (event_id = 1 exe = "C:\Windows\\powershell.exe" AND command_line = "Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.\b(\w+(.\w+)?):(\w+(.\w+)?)|-ep bypass\s+-\s+<.\b(\w+(.\w+)?):(\w+(.\w+)?)|-command.Get-Content.-Stream.Set-Content.start-process .(\w+(.\w+)?)"

Analytic 2 - NTFS Alternate Data Stream Execution : System Utilities (WMIC)

ads_processes = filter processes where (event_id = 1 exe = "C:\Windows\\wmic.exe" AND command_line = "process call create.\"(\w+(.\w+)?):(\w+(.\w+)?)"

Analytic 3 - NTFS Alternate Data Stream Execution : System Utilities (rundll32)

ads_processes = filter processes where (event_id = 1 exe = "C:\Windows\\rundll32.exe" AND command_line = "\"?(\w+(.\w+)?):(\w+(.\w+)?)?\"?,\w+\|(advpack.dll\|ieadvpack.dll),RegisterOCX\s+(\w+.\w+):(\w+(.\w+)?)\|(shdocvw.dll\|ieframe.dll),OpenURL.(\w+.\w+):(\w+(.\w+)?)"

Analytic 4 - NTFS Alternate Data Stream Execution : System Utilities (wscript/cscript)

ads_processes = filter processes where (event_id = 1 exe = "C:\Windows\\wscript.exe" OR exe = "C:\Windows\\cscript.exe)" AND command_line = "(?<!\/)\b\w+(.\w+)?:\w+(.\w+)?$"

.006 Run Virtual Instance

Consider monitoring for commands and arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).[35] Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages "all"). Monitor for commands which enable hypervisors such as Hyper-V.

.008 Email Hiding Rules

On Windows and Exchange systems, monitor for creation or modification of suspicious inbox rules through the use of the New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule PowerShell cmdlets.[26][27][36]

.009 Resource Forking

Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.

.011 Ignore Process Interrupts

Monitor executed commands and arguments, such as nohup, that may attempt to hide processes from interrupt signals.

Enterprise T1574 Hijack Execution Flow

Monitor executed commands and arguments that may execute their own malicious payloads by hijacking the way operating systems run programs.

.006 Dynamic Linker Hijacking

Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

.011 Services Registry Permissions Weakness

Monitor for the execution of commands and arguments that can be used for adversaries to modify services' registry keys and values through applications such as Windows Management Instrumentation and PowerShell. Additional logging may need to be configured to gather the appropriate data.

.012 COR_PROFILER

Extra scrutiny should be placed on suspicious modification of Registry keys such as COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH by command line tools like wmic.exe, setx.exe, and Reg. Monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection.

Enterprise T1562 Impair Defenses

Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

.001 Disable or Modify Tools

Monitor for the execution of commands and arguments associated with disabling or modification of security software processes or services such as Set-MpPreference-DisableScriptScanning 1 in Windows,sudo spctl --master-disable in macOS, and setenforce 0 in Linux. Furthermore, on Windows monitor for the execution of taskkill.exe or Net Stop commands which may deactivate antivirus software and other security systems.

.002 Disable Windows Event Logging

Monitor executed commands and arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, sc stop EventLog, reg add, Set- or Stop-Service, Set- or New-ItemProperty, sc config, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.[37][38][39]

.003 Impair Command History Logging

Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. For network devices, monitor for missing or inconsistencies in Network Device CLI logging present in AAA logs as well as in specific RADIUS and TACAS+ logs.

.004 Disable or Modify System Firewall

Monitor executed commands and arguments associated with disabling or the modification of system firewalls such as netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes,ufw disable, and ufw logging off.

.006 Indicator Blocking

Monitor executed commands and arguments that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.

Analytic 1 - Indicator Blocking - Driver Unloaded

fltmc_processes = filter processes where (exe = "fltmc.exe" AND command_line = "unload")

.009 Safe Mode Boot

Monitor executed commands and arguments associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.[40][41][42]

.010 Downgrade Attack

Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2).

.012 Disable or Modify Linux Audit System

Command-line invocation of the auditctl utility may be unusual, depending on how systems are typically used in a particular environment. At runtime, look for commands to modify or create rules using the auditctl utility.

Enterprise T1070 Indicator Removal

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.001 Clear Windows Event Logs

Monitor executed commands and arguments for actions that would delete Windows event logs (via PowerShell) such as Remove-EventLog -LogName Security.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on attempts to Clear Windows Event Logs. In particular, Powershell has a built-in Clear-EventLog cmdlet that allows for a specified log to be cleared.

.002 Clear Linux or Mac System Logs

Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs.

.003 Clear Command History

Monitor executed commands and arguments for actions that could be taken to clear command history, such as Clear-History on Windows or clear logging / clear history via a Network Device CLI in AAA logs, or to disable writing command history, such as history -c in bash/zsh .

Analytic 1 : Clear Powershell Console Command History

suspicious_commands = filter ProcessId, ProcessFilePath, command_line where (event_id == "1" OR event_id == "4688") AND (command_line LIKE '%rm (Get-PSReadlineOption).HistorySavePath%' OR command_line LIKE '%del (Get-PSReadlineOption).HistorySavePath%' OR command_line LIKE '%Set-PSReadlineOption –HistorySaveStyle SaveNothing%’ OR command_line LIKE '%Remove-Item (Get-PSReadlineOption).HistorySavePath%' OR (command_line LIKE '%del%' AND command_line LIKE '%Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt%'))

Analytic 2 : Powershell Commands

suspicious_commands = filter CommandName, CommandType where event_id == "4103" AND (CommandName LIKE '%Clear-History%' OR (CommandName LIKE '%Remove-Item%' AND CommandParameterValue LIKE '%ConsoleHost_history.text%'))

.004 File Deletion

Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.

.005 Network Share Connection Removal

Monitor executed commands and arguments of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares.

.007 Clear Network Connection History and Configurations

Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as Default.rdp or /var/log/.

.008 Clear Mailbox Data

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. In Exchange environments, monitor for PowerShell cmdlets that may create or alter transport rules, such as New-TransportRule and Set-TransportRule.[27]

.009 Clear Persistence

Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.

ICS T0872 Indicator Removal on Host

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Enterprise T1202 Indirect Command Execution

Monitor executed commands and arguments to bypass security restrictions that limit the use of command-line interpreters.

Enterprise T1105 Ingress Tool Transfer

Monitor executed commands and arguments for suspicious activity associated with downloading external content.

Enterprise T1490 Inhibit System Recovery

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit.

Enterprise T1056 .002 Input Capture: GUI Input Capture

Monitor executed commands and arguments, such as requests for credentials and/or strings related to creating password prompts that may be malicious.[43]

Enterprise T1570 Lateral Tool Transfer

Monitor executed commands and arguments for actions for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files

ICS T0867 Lateral Tool Transfer

Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.

Enterprise T1654 Log Enumeration

Monitor for the use of commands and arguments of utilities and other tools used to access and export logs.

Enterprise T1036 Masquerading

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [44]

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential Masquerading.

.003 Rename System Utilities

Monitor executed commands and arguments that may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

.004 Masquerade Task or Service

Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign.

.008 Masquerade File Type

Monitor for abnormal command execution from otherwise non-executable file types (such as .txt and .jpg).

ICS T0849 Masquerading

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.[44]

Enterprise T1556 .005 Modify Authentication Process: Reversible Encryption

Monitor command-line usage for -AllowReversiblePasswordEncryption $true or other actions that could be related to malicious tampering of user settings (i.e. Group Policy Modification).

Enterprise T1112 Modify Registry

Monitor executed commands and arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

ICS T0840 Network Connection Enumeration

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1046 Network Service Discovery

Monitor executed commands and arguments that may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.

Enterprise T1135 Network Share Discovery

Monitor executed commands and arguments that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

Enterprise T1040 Network Sniffing

Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network

ICS T0842 Network Sniffing

Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.

Enterprise T1027 Obfuscated Files or Information

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

.004 Compile After Delivery

Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

.010 Command Obfuscation

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

Enterprise T1137 Office Application Startup

Monitor executed commands and arguments that may leverage Microsoft Office-based applications for persistence between startups. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[45] SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[46]

.001 Office Template Macros

Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system.

.002 Office Test

Monitor executed commands and arguments that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

.003 Outlook Forms

Monitor executed commands and arguments that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[45]

.004 Outlook Home Page

Monitor executed commands and arguments that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[45]

.005 Outlook Rules

Monitor executed commands and arguments that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.[45] This PowerShell script is ineffective in gathering rules with modified PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.[47]

.006 Add-ins

Monitor executed commands and arguments that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Enterprise T1003 OS Credential Dumping

Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

.001 LSASS Memory

Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Note: Event ID 4104 from the "Microsoft-Windows-PowerShell/Operational" log captures Powershell script blocks, whose contents can be further analyzed to determine if they’re performing LSASS dumping.

.002 Security Account Manager

Monitor executed commands and arguments that may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.

.003 NTDS

Monitor executed commands and arguments that may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command-lines that invoke attempts to access or copy the NTDS.dit.

Note: Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of commands and parameters being executed via creation of a new process. Event 800 (PowerShell) provides context of commands and parameters being executed via PowerShell. This detection is based on known Windows utilities commands and parameters that can be used to copy the ntds.dit file. It is recommended to keep the list of commands and parameters up to date.

Analytic 1 - Command line attempt to access or create a copy of ntds.dit file

suspicious_command = filter command_execution where ((event_id = "4688" OR event_id = "1" OR event_id = "800") AND ((command_line = "ntds" AND command_line = "ntdsutil" AND command_line = "create") OR (command_line = "vssadmin" AND command_line = "create" AMD command_line = "shadow") OR (command_line = "copy" AND command_line = "ntds.dit"))

.004 LSA Secrets

Monitor executed commands and arguments that may access to a host may attempt to access Local Security Authority (LSA) secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

.005 Cached Domain Credentials

Monitor executed commands and arguments that may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.[49]. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.Detection of compromised Valid Accounts in-use by adversaries may help as well.

.007 Proc Filesystem

Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or /proc.

.008 /etc/passwd and /etc/shadow

Monitor executed commands and arguments that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.

Enterprise T1201 Password Policy Discovery

Monitor executed commands and arguments for actions that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Enterprise T1120 Peripheral Device Discovery

Monitor executed commands and arguments that may attempt to gather information about attached peripheral devices and components connected to a computer system.

Enterprise T1069 Permission Groups Discovery

Monitor executed commands and arguments acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

.001 Local Groups

Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.

.002 Domain Groups

Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings.

.003 Cloud Groups

Monitor for executed commands and arguments that may attempt to find cloud groups and permission settings.

Enterprise T1647 Plist File Modification

Monitor for commands with arguments (such as opening common command-line editors) used to modify plist files, especially commonly abused files such as those in \~/LaunchAgents, \~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist.

Enterprise T1653 Power Settings

Monitor and inspect commands and arguments associated with manipulating the power settings of a system.

Enterprise T1542 Pre-OS Boot

Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.

.005 TFTP Boot

Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.

Enterprise T1057 Process Discovery

Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.

Enterprise T1012 Query Registry

Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: For PowerShell Module logging event id 4103, enable logging for module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such a registry key (PSProvider "Registry"). The the Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Analytic 1 - Suspicious Commands

suspicious_commands = filter command_line where EventId == "4103" AND (CommandName LIKE '%New-PSDrive%' AND (CommandParameterValue LIKE ‘%Registry%’ OR CommandParameterValue LIKE '%HKEY_CLASSES_ROOT%' OR CommandParameterValue LIKE '%HKCR%'))

Enterprise T1563 Remote Service Session Hijacking

Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment.

.001 SSH Hijacking

Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment.

.002 RDP Hijacking

monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to detect RDP session hijacking. Windows PowerShell log Event ID 4104 (PS script execution) can be used to capture PowerShell script block contents which may contain commands used as a precursor to RDP hijacking. For example, the following command in a PowerShell script block may be used to enumerate the systems on a network which have RDP access: Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName.

Enterprise T1021 Remote Services

Monitor executed commands and arguments that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.

Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include

  • PuTTY
  • port forwarding -R * -pw
  • secure copy (scp) -pw * * @
  • mimikatz sekurlsa::
  • RAR  -hp
  • Archive* a * Additionally, it may be useful to find IP addresses in the command line
  • \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}

Analytic 1 - Suspicious Arguments

port_fwd = filter process where (command_line match "-R . -pw")scp = filter process where (command_line match "-pw . . .@."mimikatz = filter process where (command_line match "sekurlsa")rar = filter process where (command_line match " -hp ")archive = filter process where (command_line match ". a .*")ip_addr = filter process where (command_line match \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})

.002 SMB/Windows Admin Shares

Monitor executed commands and arguments that connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.[50]

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential connections and writing to remote shares.

.006 Windows Remote Management

Monitor executed commands and arguments that may invoke a WinRM script to correlate it with other related events.[51]

ICS T0886 Remote Services

Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using Valid Accounts.

Enterprise T1018 Remote System Discovery

Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Windows PowerShell log Event ID 4104 (PS script execution) can be used to capture PowerShell script block contents which may contain commands used as a precursor to RDP Hijacking. For example, the following command in a PowerShell script block may be used to enumerate the systems on a network which have RDP access: Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName.

Enterprise T1496 Resource Hijacking

Monitor executed commands and arguments that may indicate common cryptomining or proxyware functionality.

Enterprise T1053 Scheduled Task/Job

Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

.002 At

Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

.003 Cron

Monitor executed atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.

.005 Scheduled Task

Monitor executed commands and arguments for actions that could be taken to gather tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

Analytic 1 : New processes whose command line includes commands that create or modify scheduled tasks with a suspicious script, extension or user writable path

suspicious_processes = filter ProcessId, ProcessFilePath, command_line, ProcessParentFilePath,ProcessParentCommandLine where (EventId == "1" OR EventId == "4688") AND command_line LIKE '%SCHTASKS%' AND (command_line LIKE '%/CREATE%' OR command_line LIKE '%/CHANGE%') AND (command_line LIKE '%.cmd%' OR command_line LIKE '%.ps1%' OR command_line LIKE '%.vbs%' OR command_line LIKE '%.py%' OR command_line LIKE '%.js%' OR command_line LIKE '%.exe%' OR command_line LIKE '%.bat%' OR command_line LIKE '%javascript%' OR command_line LIKE '%powershell%' OR command_line LIKE '%rundll32%' OR command_line LIKE '%wmic%' OR command_line LIKE '%cmd%' OR command_line LIKE '%cscript%' OR command_line LIKE '%wscript%' OR command_line LIKE '%regsvr32%' OR command_line LIKE '%mshta%' OR command_line LIKE '%bitsadmin%' OR command_line LIKE '%certutil%' OR command_line LIKE '%msiexec%' OR command_line LIKE '%javaw%' OR command_line LIKE '%[%]APPDATA[%]%' OR command_line LIKE '%\AppData\Roaming%' OR command_line LIKE '%[%]PUBLIC[%]%' OR command_line LIKE '%C:\Users\Public%' OR command_line LIKE '%[%]ProgramData[%]%' OR command_line LIKE '%C:\ProgramData%' OR command_line LIKE '%[%]TEMP[%]%' OR command_line LIKE '%\AppData\Local\Temp%' OR command_line LIKE '%\Windows\PLA\System%' OR command_line LIKE '%\tasks%' OR command_line LIKE '%\Registration\CRMLog%' OR command_line LIKE '%\FxsTmp%' OR command_line LIKE '%\spool\drivers\color%' OR command_line LIKE '%\tracing%' OR)

.006 Systemd Timers

Monitor executed commands and arguments the 'systemd-run' utility as it may be used to create timers

Enterprise T1113 Screen Capture

Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.

ICS T0852 Screen Capture

Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.

ICS T0853 Scripting

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

Enterprise T1505 .004 Server Software Component: IIS Components

Monitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.[52][53][54]

.005 Server Software Component: Terminal Services DLL

Monitor executed commands and arguments for potential adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

Enterprise T1489 Service Stop

Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.

ICS T0881 Service Stop

Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.

Enterprise T1518 Software Discovery

Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

.001 Security Software Discovery

Monitor executed commands and arguments that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential Security Software Discovery.

Enterprise T1649 Steal or Forge Authentication Certificates

Monitor for the execution of commands and other utilities abused to forge and/or steal certificates and related private keys.[55]

Enterprise T1558 Steal or Forge Kerberos Tickets

Monitor executed commands and arguments that may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.

Enterprise T1553 Subvert Trust Controls

Command monitoring may reveal malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.

.001 Gatekeeper Bypass

Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

.004 Install Root Certificate

Monitor for commands, such as security add-trusted-cert (macOS) or certutil -addstore (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. [56] Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. [56] The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. [57]

.006 Code Signing Policy Modification

Monitor for the execution of commands that could modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON[58]

Enterprise T1218 System Binary Proxy Execution

Monitor executed commands and arguments that may forge credential materials that can be used to gain access to web applications or Internet services.

.001 Compiled HTML File

Monitor executed commands and arguments that may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.[59]

.002 Control Panel

When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before Rundll32 is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter Rundll32 command, which may bypass detections and/or execution filters for control.exe.[60]

.003 CMSTP

Monitor executed commands and arguments that may gather information about the victim's hosts that can be used during targeting.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of CMSTP.

.004 InstallUtil

Monitor executed commands and arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

.005 Mshta

Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.

.007 Msiexec

Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.

.008 Odbcconf

Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.

.009 Regsvcs/Regasm

Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

.010 Regsvr32

Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. [61]

.011 Rundll32

Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is "rundll32.exe DllFile,EntryPoint" where DllFile is the name of the DLL file being called and EntryPoint the name of the entry point in the DLL file.

DLLs stored on SMB shares can similarly be called using the syntax of "rundll32.exe \\DllFile,EntryPoint" where is the IPv4 address of the host of the SMB share.

Rundll32 can also be used to execute arbitrary Javascript using the syntax "rundll32.exe javascript:<code_block>"where <code_block> is a string defining the Javascript code to be executed.

.012 Verclsid

Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed.

.013 Mavinject

Adversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.

.014 MMC

Monitor executed commands and arguments that may gather information about the victim's DNS that can be used during targeting.

Enterprise T1082 System Information Discovery

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Enterprise T1614 System Location Discovery

Monitor executed commands and arguments that may gather information in an attempt to calculate the geographical location of a victim host.

.001 System Language Discovery

Monitor executed commands and arguments that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Enterprise T1016 System Network Configuration Discovery

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

.001 Internet Connection Discovery

Monitor executed commands and arguments that may check for Internet connectivity on compromised systems.

.002 Wi-Fi Discovery

Monitor executed commands and arguments that may collect Wi-Fi information on compromised systems.

Enterprise T1049 System Network Connections Discovery

Monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Enterprise T1033 System Owner/User Discovery

Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of CMSTP.

Enterprise T1216 System Script Proxy Execution

Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.

.001 PubPrn

Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.

Enterprise T1007 System Service Discovery

Monitor executed commands and arguments that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Enterprise T1569 System Services

Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc.

.001 Launchctl

Monitor command-line execution of the launchctl command immediately followed by abnormal network connections.

.002 Service Execution

Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads.

Enterprise T1529 System Shutdown/Reboot

Monitor executed commands and arguments of binaries involved in shutting down or rebooting systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Enterprise T1124 System Time Discovery

Monitor executed commands and arguments for actions that may gather the system time and/or time zone from a local or remote system.

Enterprise T1127 Trusted Developer Utilities Proxy Execution

Monitor executed commands and arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

.001 MSBuild

Monitor executed commands and arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

Enterprise T1552 Unsecured Credentials

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

.001 Credentials In Files

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

.002 Credentials in Registry

Monitor executed commands and arguments that may search the Registry on compromised systems for insecurely stored credentials.

.003 Bash History

While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

.004 Private Keys

Monitor executed commands and arguments that may search for private key certificate files on compromised systems for insecurely stored credentials.

.006 Group Policy Preferences

Monitor executed commands and arguments that may search for SYSVOL data and/or GPP XML files, especially on compromised domain controllers.

.007 Container API

Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.

Enterprise T1204 User Execution

Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

.003 Malicious Image

Monitor executed commands and arguments that may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.

ICS T0863 User Execution

Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. For added context on adversary procedures and background see User Execution and applicable sub-techniques.

Enterprise T1125 Video Capture

Monitor executed commands and arguments that can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information.

Enterprise T1497 Virtualization/Sandbox Evasion

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

.001 System Checks

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

.002 User Activity Based Checks

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

.003 Time Based Evasion

Monitor executed commands and arguments that may employ various time-based methods to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Enterprise T1047 Windows Management Instrumentation

Monitor executed commands and arguments for actions that are used to perform remote behavior

References

  1. Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.
  2. Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.
  3. Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
  4. Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.
  5. French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.
  6. Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.
  7. Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018.
  8. Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018.
  9. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  10. Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. Retrieved September 23, 2021.
  11. Richard Purves. (2017, November 9). MDM and the Kextpocalypse . Retrieved September 23, 2021.
  12. Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021.
  13. Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.
  14. Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023.
  15. Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
  16. Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.
  17. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.
  18. Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021.
  19. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  20. Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020.
  21. ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.
  22. Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.
  23. Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.
  24. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  25. Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.
  26. Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.
  27. Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023.
  28. Microsoft. (n.d.). Retrieved January 24, 2020.
  29. Github. (n.d.). Receiving webhooks with the GitHub CLI. Retrieved August 4, 2023.
  30. Microsoft . (n.d.). Create subscription. Retrieved August 4, 2023.
  31. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  1. Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018.
  2. Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.
  3. Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.
  4. Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021.
  5. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
  6. Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.
  7. svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.
  8. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
  9. Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.
  10. Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.
  11. Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.
  12. Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.
  13. Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.
  14. Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.
  15. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.
  16. Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.
  17. PowerSploit. (n.d.). Retrieved December 4, 2014.
  18. Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.
  19. French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.
  20. French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019.
  21. Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.
  22. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  23. Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.
  24. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
  25. Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
  26. Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018.
  27. Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.
  28. Lambert, J. (2020, December 13). Important steps for customers to protect themselves from recent nation-state cyberattacks. Retrieved December 17, 2020.
  29. Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.
  30. Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018.