May 23, 2019
Living off the Land – WST
Many malicious users try to fly under the radar by using built in system commands or living off the land as its often called. Built in system commands typically don’t look out of the norm and allow
s the malicious user to perform tasks such as: domain enumeration, load malicious code using a scheduled task, start remote processes, and more.
Figure 1: user enumeration using system commands
By default, these commands are not logged on windows hosts owever, logging can be enabled. Once enabled you can go a step further and forward these logs into your central logging or SIEM solution for additional parsing and alerting.
Figure 2: Event viewer show command line usage
To enable edit the following GPO or registry settings. For additional information, visit the following Microsoft article: https://devblogs.microsoft.
com/commandline/how-to- determine-what-just-ran-on- windows-console/
Enable the Audit Process Creation audit policy so that 4688 events are generated by editing the following GPO Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking
Enable the Include command line in process creation events by editing the following GPO Computer Configuration\Administrative Templates\System\Audit Process Creation.
Or enable on the local system by, editing the local registry HKLM\Software\Microsoft\
Enabled registry key value to “1”.