QOMPLX Knowledge: Detecting Use of Built-In Windows Utilities

This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Cyber adversaries who compromise an IT environment are keen to avoid detection. One way they do that is by “living off the land.” That is: they use existing administrative tools, rather than external programs or malware, to carry out their objectives. Organizations that want to spot and stop sophisticated cyber actors need to pay attention to “dual use” applications. We have talked about malicious activity linked to Microsoft’s PowerShell. But a range of other administrative utilities bundled with Windows are also commonly deployed by malicious actors including tools such as whoami, ipconfig and more. Detecting malicious use of these tools, apart from ordinary use, is a challenge. In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot patterns of behavior that may indicate malicious use of built-in Windows utilities.

Key Points

  • Monitoring for the use of Windows utilities used by attackers to “live off the land” within compromised environments is an important means of spotting efforts by malicious applications or actors to conduct surveillance without being noticed.
  • Use of Windows utilities like whoami, ipconfig, net, net1, systeminfo and others is characteristic of attackers “living off the land” and also legitimate administrative activities.
  • Using “windowed detection” to spot suspicious combinations of actions within a set period of time is critical to sorting out legitimate from malicious use of these tools.
  • Windows Event ID 4688 (a new process has been created) is a critical event for capturing utilities launched via command line.
  • QOMPLX’s Identity Assurance product monitors for more than 40 patterns of behavior around Windows Event ID 4688 that are indicative of malicious or suspicious activities.

How Built-In Windows Utilities are Abused

Most advanced persistent threat (APT) groups and sophisticated attackers make use of bundled Windows utilities to gather information about systems and the network environment they occupy. Among the tasks these utilities help malicious actors accomplish are system owner or user discovery (T1033), System Network Configuration Discovery (T1016) and more.

These efforts at reconnaissance are often some of the first commands to be run upon initial access by an adversary. Often, several are run in short order and in sequence. That activity is a telltale sign of an emerging attack that can provide early warning about a compromise. And, as we have noted, the earlier defenders can detect and respond to the early stage malicious activities the more likely they are to stop the attacker before damage can be done.

QOMPLX Detection

QOMPLX Identity Assurance uses windowed detection to monitor for Windows Event ID 4688  (a new process has been created) that feature a command line prompt containing one of 40 patterns that indicate the use of built-in Windows utilities. Examples of the utilities IA looks for are whoami, ipconfig, net, net1, systeminfo, and so on. To avoid false positive detections for these commonly used utilities, QOMPLX IA uses windowed detection to identify if several of these utilities are executed within a short period of time.

Additional Reading

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688

Detecting Lateral Movement Through Tracking Event Logs