• QOMPLX Knowledge
  • May 6, 2021

QOMPLX Knowledge: Detecting Use of Built-In Windows Utilities

QOMPLX Knowledge: Detecting Use of Built-In Windows Utilities

This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Cyber adversaries who compromise an IT environment are keen to avoid detection. One way they do that is by “living off the land.” That is: they use existing administrative tools, rather than external programs or malware, to carry out their objectives. Organizations that want to spot and stop sophisticated cyber actors need to pay attention to “dual use” applications. We have talked about malicious activity linked to Microsoft’s PowerShell. But a range of other administrative utilities bundled with Windows are also commonly deployed by malicious actors including tools such as whoami, ipconfig and more. Detecting malicious use of these tools, apart from ordinary use, is a challenge. In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot patterns of behavior that may indicate malicious use of built-in Windows utilities.

Key Points

  • Monitoring for the use of Windows utilities used by attackers to “live off the land” within compromised environments is an important means of spotting efforts by malicious applications or actors to conduct surveillance without being noticed.
  • Use of Windows utilities like whoami, ipconfig, net, net1, systeminfo and others is characteristic of attackers “living off the land” and also legitimate administrative activities.
  • Using “windowed detection” to spot suspicious combinations of actions within a set period of time is critical to sorting out legitimate from malicious use of these tools.
  • Windows Event ID 4688 (a new process has been created) is a critical event for capturing utilities launched via command line.
  • QOMPLX’s Identity Assurance product monitors for more than 40 patterns of behavior around Windows Event ID 4688 that are indicative of malicious or suspicious activities.

How Built-In Windows Utilities are Abused

Most advanced persistent threat (APT) groups and sophisticated attackers make use of bundled Windows utilities to gather information about systems and the network environment they occupy. Among the tasks these utilities help malicious actors accomplish are system owner or user discovery (T1033), System Network Configuration Discovery (T1016) and more.

These efforts at reconnaissance are often some of the first commands to be run upon initial access by an adversary. Often, several are run in short order and in sequence. That activity is a telltale sign of an emerging attack that can provide early warning about a compromise. And, as we have noted, the earlier defenders can detect and respond to the early stage malicious activities the more likely they are to stop the attacker before damage can be done.

QOMPLX Detection

QOMPLX Identity Assurance uses windowed detection to monitor for Windows Event ID 4688  (a new process has been created) that feature a command line prompt containing one of 40 patterns that indicate the use of built-in Windows utilities. Examples of the utilities IA looks for are whoami, ipconfig, net, net1, systeminfo, and so on. To avoid false positive detections for these commonly used utilities, QOMPLX IA uses windowed detection to identify if several of these utilities are executed within a short period of time.

Additional Reading

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688

Detecting Lateral Movement Through Tracking Event Logs

You might also be interested in

Lessons from the Medibank breach

Lessons from the Medibank breach

Ming Fu, a member of the Americas Pre-Sales Engineering Team at QOMPLX, looks at the much publicized Medibank breach in Australia last year, and draws a few much needed lessons based on the published findings of this breach.

Read more
IcedID Malware Gaining Prominence by Adding Identity Attack Chains

IcedID Malware Gaining Prominence by Adding Identity Attack Chains

Brian Freedman, WW Director of Solution Architecture highlights how identity controls are necessary tools, along with EDR, to combat evolving malware threats that have been expanding to include identity compromise as a primary objective in their attack strategies.

Read more
QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.