DS0017 Command コマンド

Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.

chmod などのユーティリティとそのコマンドライン引数の実行を監視し、setuid または setguid ビットが設定されているかどうかを監視する。

Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on system.

UACの仕組みを回避してシステム上のプロセス権限を昇格させる可能性のある、実行されたコマンドと引数を監視する。

Monitor executed commands and arguments that may perform sudo caching and/or use the suoders file to elevate privileges, such as the sudo command.

sudoコマンドのような、sudoキャッシュを実行したり、権限を昇格させるためにsuodersファイルを使用する可能性のある、実行されたコマンドと引数を監視します。

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.^[3]

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.^[3]

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.^[3]

Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as net user, net account, net localgroup, Get-LocalUser, and dscl.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as net user /domain and net group /domain, dscacheutil -q groupon macOS, and ldapsearch on Linux.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor for execution of commands and arguments associated with enumeration or information gathering of email addresses and accounts such as Get-AddressList, Get-GlobalAddressList, and Get-OfflineAddressBook.

Monitor logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor executed commands and arguments to modify the authorized_keys or /etc/ssh/sshd_config files.

Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.

Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

Monitor executed commands and arguments that may abuse authentication packages to execute DLLs when the system boots.

Monitor executed commands and arguments that may abuse time providers to execute DLLs when the system boots.

Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

Monitor executed commands and arguments that may abuse security support providers (SSPs) to execute DLLs when the system boots.

Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo ^[7] Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. ^[8] Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.^[9] Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package.

On macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.^[10][11][12]

Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.

Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.

Monitor executed commands and arguments that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

Monitor executed commands and arguments for logon scripts

Monitor executed commands with arguments to install or modify login hooks.

Monitor executed commands and arguments for logon scripts

Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior

Monitor executed commands and arguments for logon scripts

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). ^[13] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.^[14] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.

Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.

Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. ^[15] Consider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add , useradd , and dscl -create

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add /domain.

Ensure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy.

Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.

Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.

Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present. ^[16]

Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials.

Monitor executed commands and arguments that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.

Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.^[17]

Monitor executed commands and arguments for suspicious activity listing credentials from the Windows Credentials locker (e.g. vaultcmd /listcreds:"Windows Credentials").^[18]

Monitor executed commands and arguments that may acquire user credentials from third-party password managers. ^[19]

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor executed commands and arguments that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor executed commands and arguments that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor executed commands and arguments that may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.

Monitor executed commands and arguments that updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.^[21] Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.^[23]

Monitor executed commands and arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by a file type association.

Monitor executed commands and arguments of .scr files.

Monitor executed commands and arguments that can be used to register WMI persistence, such as the Register-WmiEvent PowerShell cmdlet ^[24]

Monitor executed commands and arguments that may establish persistence through executing malicious commands triggered by a user’s shell.

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by the execution of tainted binaries.

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Monitor executed commands and arguments for sdbinst.exe for potential indications of application shim abuse.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.

Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules.

Monitor executed commands and arguments that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Monitor executed commands and arguments that may be related to abuse of installer packages, including malicious commands triggered by application installations.

Monitor executed commands and arguments that may gather the victim's physical location(s) that can be used during targeting. Detecting the use of environmental keying may be difficult depending on the implementation.

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control channel.

Monitor executed commands and arguments that may attempt to exfiltrate data over a USB connected physical device.

Monitor executed command and arguments that may exfiltrate data to a code repository rather than over their primary command and control channel.

Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

Monitor for executed commands and arguments for PowerShell cmdlets that can be used to retrieve or modify file and directory DACLs.

Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.^[25]

Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.

Monitor executed commands and arguments that could be taken to add a new user and subsequently hide it from login screens.

Monitor executed commands and arguments that may use hidden windows to conceal malicious activity from the plain sight of users. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style.

The Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. ^[26] Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. ^{[27] [28]}

Consider monitoring for commands and arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).^[29] Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages "all"). Monitor for commands which enable hypervisors such as Hyper-V.

On Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.^[30]

Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.

Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

Monitor for the execution of commands and arguments that can be used for adversaries to modify services' registry keys and values through applications such as Windows Management Instrumentation and PowerShell. Additional logging may need to be configured to gather the appropriate data.

Extra scrutiny should be placed on suspicious modification of Registry keys such as COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH by command line tools like wmic.exe, setx.exe, and Reg. Monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection.

Monitor for the execution of commands and arguments associated with disabling or modification of security software processes or services such as Set-MpPreference-DisableScriptScanning 1 in Windows,sudo spctl --master-disable in macOS, and setenforce 0 in Linux. Furthermore, on Windows monitor for the execution of taskkill.exe or Net Stop commands which may deactivate antivirus software and other security systems.

Monitor executed commands and arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, sc stop EventLog, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs.^[31][32]

Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. For network devices, monitor for missing or inconsistencies in Network Device CLI logging present in AAA logs as well as in specific RADIUS and TACAS+ logs.

Monitor executed commands and arguments associated with disabling or the modification of system firewalls such as netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes,ufw disable, and ufw logging off.

Monitor executed commands and arguments that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.

Monitor executed commands and arguments associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.^[33][34][35]

Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2).

Monitor executed commands and arguments for actions that would delete Windows event logs (via PowerShell)

Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs.

Monitor executed commands and arguments for actions that could be taken to clear command history, such as Clear-History on Windows or clear logging / clear history via a Network Device CLI in AAA logs, or to disable writing command history, such as history -c in bash/zsh, .

Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.

Monitor executed commands and arguments of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares.

Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as Default.rdp or /var/log/.

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails.

Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.

Monitor executed commands and arguments for actions that could be taken to gather...

Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign.

Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system.

Monitor executed commands and arguments that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

Monitor executed commands and arguments that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.^[41]

Monitor executed commands and arguments that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.^[41]

Monitor executed commands and arguments that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.^[41] This PowerShell script is ineffective in gathering rules with modified PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.^[43]

Monitor executed commands and arguments that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,^[44] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Monitor executed commands and arguments that may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.

Monitor executed commands and arguments that may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command-lines that invoke attempts to access or copy the NTDS.dit.

Monitor executed commands and arguments that may access to a host may attempt to access Local Security Authority (LSA) secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,^[44] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Monitor executed commands and arguments that may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.^[45]. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,^[44] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.Detection of compromised Valid Accounts in-use by adversaries may help as well.

Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or /proc.

Monitor executed commands and arguments that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.

Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.

Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings.

Monitor for executed commands and arguments that may attempt to find cloud groups and permission settings.

Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.

Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment.

monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to detect RDP session hijacking.

Monitor executed commands and arguments that connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.^[46]

Monitor executed commands and arguments that may invoke a WinRM script to correlate it with other related events.^[47]

Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

Monitor executed atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.

Monitor executed commands and arguments for actions that could be taken to gather tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

Monitor executed commands and arguments the 'systemd-run' utility as it may be used to create timers

Monitor executed commands and arguments for potential adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

Monitor executed commands and arguments that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Monitor for commands, such as security add-trusted-cert (macOS) or certutil -addstore (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. ^[52] Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. ^[52] The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. ^[53]

Monitor for the execution of commands that could modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON. ^[54]

Monitor executed commands and arguments that may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.^[55]

When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before Rundll32 is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter Rundll32 command, which may bypass detections and/or execution filters for control.exe.^[56]

Monitor executed commands and arguments that may gather information about the victim's hosts that can be used during targeting.

Monitor executed commands and arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.

Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.

Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.

Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. ^[57]

Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.

Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed.

Adversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.

Monitor executed commands and arguments that may gather information about the victim's DNS that can be used during targeting.

Monitor executed commands and arguments that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Monitor executed commands and arguments that may check for Internet connectivity on compromised systems.

Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.

Monitor command-line execution of the launchctl command immediately followed by abnormal network connections.

Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads.

Monitor executed commands and arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.

Monitor executed commands and arguments that may search the Registry on compromised systems for insecurely stored credentials.

While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

Monitor executed commands and arguments that may search for private key certificate files on compromised systems for insecurely stored credentials.

Monitor executed commands and arguments that may search for SYSVOL data and/or GPP XML files, especially on compromised domain controllers.

Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.

Monitor executed commands and arguments that may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Monitor executed commands and arguments that may employ various time-based methods to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.