
mommy Access Broker
mommy Access Broker is enabling access-as-a-service operations through detailed intrusion guides and compromised credentials, and Intel 471 has released reporting and Hunt Packages to support threat hunting and detection.
When malware or an adversary compromises a system, they often run an excessive number of Windows discovery and execution processes, using binaries native to Windows (LOLBs, Living off the Land Binaries), to scope out the system and network they infiltrated, gain credentials, or establish persistence. This includes gathering information on the host and domain they landed on, or using tools such as schtasks as a means of maintaining access to the system. Adversaries favor native Windows binaries because they appear less conspicuous and more legitimate than custom tools, and because anti-virus and other endpoint protection products do not alert on them.
Tactic: Discovery
Techniques: System Network Configuration Discovery (T1016)
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
Source: MITRE ATT&CK
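One way to hunt for the behavior described above is to flag any host and user that launches several distinct native discovery binaries within a short window. The sketch below is an added example, not Intel 471's Hunt Package logic; the event tuple layout, the 5-minute window, the threshold of 4, the binaries beyond those named on this page, and all host and user names are assumptions or constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# arp, ipconfig, nbtstat, route and schtasks are named on this page; the
# remaining entries are other native Windows utilities added as an assumption.
DISCOVERY_BINARIES = {"arp.exe", "ipconfig.exe", "nbtstat.exe", "route.exe", "schtasks.exe",
                      "whoami.exe", "net.exe", "nltest.exe", "systeminfo.exe"}
WINDOW = timedelta(minutes=5)   # assumed burst window
THRESHOLD = 4                   # assumed minimum of distinct binaries per burst

# Constructed process-creation events: (timestamp, host, user, image path).
SAMPLE_EVENTS = [
    ("2025-01-01T09:15:00", "WS-022", "jdoe", r"C:\Windows\System32\ipconfig.exe"),
    ("2025-01-01T10:02:05", "WS-014", "svc_backup", r"C:\Windows\System32\ipconfig.exe"),
    ("2025-01-01T10:02:11", "WS-014", "svc_backup", r"C:\Windows\System32\ARP.EXE"),
    ("2025-01-01T10:02:19", "WS-014", "svc_backup", r"C:\Windows\System32\nbtstat.exe"),
    ("2025-01-01T10:02:31", "WS-014", "svc_backup", r"C:\Windows\System32\ROUTE.EXE"),
    ("2025-01-01T10:03:02", "WS-014", "svc_backup", r"C:\Windows\System32\schtasks.exe"),
    ("2025-01-01T11:00:00", "WS-031", "helpdesk", r"C:\Windows\System32\ipconfig.exe"),
    ("2025-01-01T12:30:00", "WS-031", "helpdesk", r"C:\Windows\System32\arp.exe"),
    ("2025-01-01T14:45:00", "WS-031", "helpdesk", r"C:\Windows\System32\route.exe"),
    ("2025-01-01T14:46:00", "WS-031", "helpdesk", r"C:\Windows\System32\nbtstat.exe"),
]

def hunt_discovery_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per host/user burst of distinct discovery binaries."""
    by_actor = defaultdict(list)
    for ts, host, user, image in events:
        name = image.rsplit("\\", 1)[-1].lower()   # file name, case-insensitive
        if name in DISCOVERY_BINARIES:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), name))
    findings = []
    for (host, user), hits in sorted(by_actor.items()):
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            burst = [name for t, name in hits[i:] if t - start <= window]
            distinct = sorted(set(burst))
            if len(distinct) >= threshold:
                findings.append({"host": host, "user": user,
                                 "start": start.isoformat(), "binaries": distinct})
                i += len(burst)   # skip past the reported burst
            else:
                i += 1
    return findings

if __name__ == "__main__":
    print(hunt_discovery_bursts(SAMPLE_EVENTS))
```

Only WS-014 is reported: WS-031 runs four of the same binaries, but spread across the day, which is why the window matters for separating routine administration from a discovery burst.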