
Quick Start Security for Microsoft Windows cmd/Powershell

Microsoft Windows cmd/Powershell

Out-of-the-Box Security For Microsoft Windows cmd/Powershell Includes:

Alerts - 11

Stay on top of Microsoft Windows cmd/Powershell key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

remote process created via WMI

The WMI command 'process call create' can be used to execute a script or application on a remote computer. This rule may produce false positives because IT teams also use the command for troubleshooting, so it can be fine-tuned for specific machines or user groups.
Impact: Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI lets them interact with local and remote systems and serves as a means of executing various behaviors, such as gathering information for Discovery and remotely executing files as part of Lateral Movement.
Mitigation: Review the executed command and its arguments. Investigate the privileges of the user who ran the command and check whether the initiating process executed additional suspicious commands. Check for any 'discovery' or 'lateral movement' related commands run around the time of the WMI command. The parent and child processes of this command can be reviewed in any available EDR solution to check for suspicious behavior.
MITRE Tactic: TA0002
MITRE Technique: T1047

whoami.exe process was executed

The 'whoami' command displays user, group and privilege information for the user currently logged on to the local system. Used without parameters, 'whoami' displays the current domain and user name.
Impact: Adversaries may run 'whoami' to identify the currently logged-in user and learn which privileges that user holds before carrying out further malicious activity.
Mitigation: Review the privileges of the user who ran this command. Check follow-up activity for suspicious behavior.
MITRE Tactic: TA0007
MITRE Technique: T1033

'net user' command was executed

'net user' is a command-line tool built into Windows. It adds or modifies user accounts, or displays user account information.
Impact: Adversaries can use the 'net user' command to list local users and groups. This information helps them determine which local accounts exist on a system.
Mitigation: Review the privileges of the user who ran this command and check whether the initiating process executed additional discovery commands. Prevent administrator accounts from being enumerated when an application is elevating through UAC, since that can disclose account names.
MITRE Tactic: TA0007
MITRE Technique: T1087

'net share' command was executed

The 'net share' command is used by administrators to create, configure and delete network shares from the command line. This rule may produce false positives because IT teams also use the command for administrative activities.
Impact: Adversaries use the 'net share' command to query shared drives on the local system. Networks often contain shared network drives and folders that enable adversaries to access file directories on various systems across the network.
Mitigation: Investigate the command executed and the privileges of the user who ran it. The parent and child processes of this command can be reviewed in any available EDR solution to check for suspicious behavior. Administrators can be advised to enable the Windows Group Policy security setting 'Do not allow anonymous enumeration of SAM accounts and shares' to limit which users are able to enumerate network shares.
MITRE Tactic: TA0007
MITRE Technique: T1135

'net localgroup' command was executed

'net localgroup' is a command-line tool built into Windows. It adds, displays, or modifies local groups; run on its own, 'net localgroup' displays the name of the server and the names of the local groups on the computer. This rule may produce false positives because IT teams also use the command for administrative activities.
Impact: Attackers may use the 'net localgroup' command to find endpoint groups and permissions or to modify local group memberships.
Mitigation: Review the executed command and any arguments that attempt to find local groups and permissions. Investigate the privileges of the user who ran the command and check whether the initiating process executed additional discovery commands. The parent and child processes of this command can be reviewed in any available EDR solution to check for suspicious behavior.
MITRE Tactic: TA0007
MITRE Technique: T1069

nltest.exe process was executed

'nltest' is a command-line tool that helps system administrators perform network administrative tasks. It can be used to list the domain controllers (DCs) in a domain, check the status of trusts and trust relationships, check the status of a DC, and so on. This rule may produce false positives because IT teams use the tool legitimately, so it can be fine-tuned for specific machines or user groups.
Impact: Adversaries may run this command to gather information on domain trust relationships, which can be used to identify lateral movement opportunities in Windows multi-domain/forest environments.
Mitigation: Review the privileges of the user who ran the command and investigate whether the follow-up activity looks suspicious. Analysts can check for other suspicious network discovery commands run around the same time. The parent and child processes of this command can be reviewed in any available EDR solution to check for suspicious behavior. Administrators can be advised to map the trusts within existing domains/forests and keep trust relationships to a minimum.
MITRE Tactic: TA0007
MITRE Technique: T1482

wevtutil.exe process was executed

The 'wevtutil' command retrieves information about event logs and publishers. It can also install and uninstall event manifests, run queries, and export, archive, and clear logs. This rule may produce false positives because IT teams use the tool legitimately for administrative activities, so it can be fine-tuned for specific machines or user groups.
Impact: Adversaries may use this command to clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
Mitigation: Review the privileges of the user who ran the command. Analysts can check for other suspicious network discovery commands run around the same time. The parent and child processes of this command can be reviewed in any available EDR solution to check for suspicious behavior. Administrators can be advised to forward events automatically to a log server or data repository so that an adversary cannot locate and manipulate the only copy of the data on the local system.
MITRE Tactic: TA0005
MITRE Technique: T1070

systeminfo.exe process was executed

The 'systeminfo' command displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties. This rule may produce false positives because administrators and power users use the command for troubleshooting and administrative activities, so it can be fine-tuned for specific machines or user groups.
Impact: Adversaries may use this command to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Information from System Information Discovery can be used during automated discovery to shape follow-on behavior, including whether the adversary fully infects the target and/or attempts specific actions.
Mitigation: Review the privileges of the user who ran this command. Check for any suspicious commands run around the time 'systeminfo' was run and investigate any that are found. The parent and child processes of the 'systeminfo.exe' process can be reviewed in any available EDR solution.
MITRE Tactic: TA0007
MITRE Technique: T1082

ipconfig.exe process was executed

The 'ipconfig' command displays the IPv4 and IPv6 addresses, subnet mask, and default gateway for all adapters. With the '/all' parameter, it displays the full TCP/IP configuration for all adapters. This rule may produce false positives because administrators and power users use the command for administrative activities, so it can be fine-tuned for specific machines or user groups.
Impact: Adversaries run this command to obtain details of the network configuration and settings, such as the IP and MAC addresses of the systems they access.
Mitigation: Review the privileges of the user who ran the command. Check for any suspicious network discovery commands run around the time 'ipconfig' was run and investigate any that are found. The parent and child processes of the 'ipconfig.exe' process can be reviewed in any available EDR solution.
MITRE Tactic: TA0007
MITRE Technique: T1016

tasklist.exe process was executed

The 'tasklist' command displays a list of the processes currently running on the local computer or on a remote computer. This rule may produce false positives because IT teams use the tool legitimately for administrative activities, so it can be fine-tuned for specific machines or user groups.
Impact: Adversaries can obtain details of running processes with the 'tasklist' command from PowerShell or cmd. That information can be used to understand which applications are running on systems in a network.
Mitigation: Review the privileges of the user who ran the command. Analysts can check for other suspicious network discovery commands run around the same time. The parent and child processes of this command can be reviewed in any available EDR solution to check for suspicious behavior.
MITRE Tactic: TA0007
MITRE Technique: T1007

No logs from Microsoft Windows cmd/Powershell

This rule fires if no logs have been received from Microsoft Windows cmd/Powershell in the customer account in the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005
MITRE Technique: T1562
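To show how the alerts above behave as detection logic, here is an added example that is not Coralogix's rule implementation or any code from this page: a small Python rule engine that evaluates the ten command-execution alerts and the "no logs in 12 hours" alert against constructed Windows process-creation events. The event field names (host, user, image, command_line, timestamp), the regular expressions, the sample events and the per-rule allowlist used for fine-tuning by machine or user are all this example's own assumptions; the rule names and MITRE IDs are the page's.

```python
"""Illustrative rule engine for the cmd/PowerShell alerts (added example, not Coralogix code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rule:
    name: str                  # alert name as listed on the page
    tactic: str                # MITRE ATT&CK tactic ID
    technique: str             # MITRE ATT&CK technique ID
    images: frozenset          # process image basenames (lowercase) that trigger the rule
    cmd: "re.Pattern | None"   # optional command-line pattern that must also match


def _rx(expr):
    return re.compile(expr, re.IGNORECASE)


# Assumed matching logic: 'net' subcommands are matched on the command line of net.exe/net1.exe,
# WMI remote execution on the 'process call create' arguments of wmic.exe, the rest on image name.
RULES = [
    Rule("remote process created via WMI", "TA0002", "T1047",
         frozenset({"wmic.exe"}), _rx(r"\bprocess\s+call\s+create\b")),
    Rule("whoami.exe process was executed", "TA0007", "T1033", frozenset({"whoami.exe"}), None),
    Rule("'net user' command was executed", "TA0007", "T1087",
         frozenset({"net.exe", "net1.exe"}), _rx(r'\bnet1?(?:\.exe)?"?\s+user\b')),
    Rule("'net share' command was executed", "TA0007", "T1135",
         frozenset({"net.exe", "net1.exe"}), _rx(r'\bnet1?(?:\.exe)?"?\s+share\b')),
    Rule("'net localgroup' command was executed", "TA0007", "T1069",
         frozenset({"net.exe", "net1.exe"}), _rx(r'\bnet1?(?:\.exe)?"?\s+localgroup\b')),
    Rule("nltest.exe process was executed", "TA0007", "T1482", frozenset({"nltest.exe"}), None),
    Rule("wevtutil.exe process was executed", "TA0005", "T1070", frozenset({"wevtutil.exe"}), None),
    Rule("systeminfo.exe process was executed", "TA0007", "T1082", frozenset({"systeminfo.exe"}), None),
    Rule("ipconfig.exe process was executed", "TA0007", "T1016", frozenset({"ipconfig.exe"}), None),
    Rule("tasklist.exe process was executed", "TA0007", "T1007", frozenset({"tasklist.exe"}), None),
]


def evaluate(events, allowlist=None):
    """Return one alert dict per (event, rule) match, skipping tuned-out hosts/users.

    allowlist maps a rule name to a set of ("host", name) / ("user", name) pairs that are
    exempt from that rule, which is the page's "fine-tune per machine or user group".
    """
    allowlist = allowlist or {}
    alerts = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        for rule in RULES:
            if image not in rule.images:
                continue
            if rule.cmd is not None and not rule.cmd.search(ev["command_line"]):
                continue
            tuned = allowlist.get(rule.name, set())
            if ("host", ev["host"]) in tuned or ("user", ev["user"]) in tuned:
                continue
            alerts.append({"rule": rule.name, "tactic": rule.tactic, "technique": rule.technique,
                           "host": ev["host"], "user": ev["user"], "command_line": ev["command_line"]})
    return alerts


def no_logs_alert(events, now, window=timedelta(hours=12)):
    """'No logs from Microsoft Windows cmd/Powershell': True when nothing arrived inside the window."""
    cutoff = now - window
    return not any(ev["timestamp"] >= cutoff for ev in events)


# Constructed sample events (hosts, users and timestamps are made up for this example).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"timestamp": NOW - timedelta(minutes=30), "host": "WS-FIN-07", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:"FS01" process call create "cmd.exe /c whoami"'},
    {"timestamp": NOW - timedelta(minutes=29), "host": "WS-FIN-07", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami /priv"},
    {"timestamp": NOW - timedelta(minutes=28), "host": "WS-FIN-07", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net user"},
    {"timestamp": NOW - timedelta(hours=2), "host": "WS-ADMIN01", "user": r"CORP\itops",
     "image": r"C:\Windows\System32\nltest.exe", "command_line": "nltest /dclist:corp"},
    {"timestamp": NOW - timedelta(hours=3), "host": "WS-FIN-07", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe report.txt"},
]

# Tuning: the IT admin jump host is expected to run nltest, so that rule is exempt there.
ALLOWLIST = {"nltest.exe process was executed": {("host", "WS-ADMIN01")}}

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{a['rule']:<45} {a['tactic']}/{a['technique']}  {a['host']}  {a['command_line']}")
    print("no logs in 12h:", no_logs_alert(SAMPLE_EVENTS, NOW))
```

With the allowlist applied, the workstation burst of WMI remote execution, 'whoami' and 'net user' from the same user produces three alerts in sequence, which is exactly the follow-up pattern the Mitigation text asks analysts to look for, while the admin host's nltest run is suppressed rather than dropped from the log. The silence check is evaluated against the wall clock, so an empty event list or a feed that stopped more than 12 hours ago both raise the "no logs" alert.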

Documentation

Learn more about Coralogix's out-of-the-box integration with Microsoft Windows cmd/Powershell in our documentation.
