Windows Command-Line Tool Execution from Non-Shell Process
Detection of command-line tools such as `ipconfig.exe` and `systeminfo.exe` being executed from non-standard parent processes can indicate system discovery activity by threat actors like FIN7 using injected processes.
This analytic identifies instances where command-line tools such as ipconfig.exe, systeminfo.exe, net1.exe, arp.exe, nslookup.exe, route.exe, netstat.exe, hostname.exe, and whoami.exe are executed by a non-standard shell parent process, excluding cmd.exe, powershell.exe, powershell_ise.exe, pwsh.exe, and explorer.exe. This activity is often indicative of adversaries using injected processes to perform system discovery, as seen in FIN7's JSSLoader campaign. The JSSLoader malware, associated with FIN7, utilizes this technique to gather host information after initial compromise. This behavior is significant because it allows attackers to gather critical host information, which can be used for further exploitation or lateral movement within the network. The detection relies on Endpoint Detection and Response (EDR) telemetry to monitor process creation events.
Attack Chain
- Initial Access: The attacker gains initial access through unspecified means. (Observed in FIN7 campaigns but not detailed here.)
- Process Injection: The attacker injects malicious code into a legitimate running process, such as explorer.exe or a third-party application.
- Discovery: The injected process spawns command-line tools like
ipconfig.exe,systeminfo.exe,net1.exe,arp.exe,nslookup.exe,route.exe,netstat.exe,hostname.exe, orwhoami.exe. - System Reconnaissance: These tools are used to gather information about the compromised host, including IP configuration, system details, network statistics, and routing tables.
- Data Collection: The attacker collects the output from these command-line tools.
- Lateral Movement: The collected information is used to identify potential targets for lateral movement within the network.
- Further Exploitation: Using the gathered information, the attacker exploits vulnerabilities or misconfigurations to gain access to additional systems.
- Goal: The attacker aims to steal data, deploy ransomware, or achieve other malicious objectives.
Impact
Successful exploitation can lead to the compromise of critical systems, data theft, and potential ransomware deployment. The observed activity is associated with FIN7, a financially motivated threat actor known for targeting various sectors. The compromise of systems can result in significant financial losses, reputational damage, and operational disruption. Multiple organizations have been affected by similar campaigns.
Recommendation
- Enable Sysmon process creation logging (Event ID 1) or Windows Event Log Security auditing (4688) to capture process GUID, process name, parent process, and command-line executions.
- Deploy the Sigma rule
Detect Cmdline Tool Execution From Non Shell Processto your SIEM to identify suspicious process execution patterns. - Investigate any instances of command-line tools being executed by unexpected parent processes as identified by the Sigma rule.
- Monitor network connections originating from processes identified as anomalous by the Sigma rule, to identify potential C2 traffic.
- Review historical process execution data to identify potential past compromises using this technique.
- Use endpoint detection and response (EDR) systems to collect the process GUID, process name, and parent process information.
Detection coverage 2
Detect Cmdline Tool Execution From Non Shell Process
highDetects command-line tools executed from non-shell parent processes.
Detect Cmdline Tool Execution From Non Shell Process Suspicious Path
highDetects command-line tools executed from non-shell parent processes with a suspicious path.
Detection queries are available on the platform. Get full rules →