Detecting When Attackers Use Trusted Windows Components Like cmd, powershell, wmic, mshta, regsvr32 for Malicious Operations

Webinar Registration

Sophisticated attackers are constantly improving their ability to fly under the radar and live off the land. One way they do this is through trusted Microsoft applications which are commonly abused by an attacker to perform malicious behavior, in an attempt to avoid detection. 

In this real training for free session, we will go step-by-step through an attack from a few months ago that leveraged cmd.exe, PowerShell and other trusted Windows apps.

The initial investigation discovered that a batch file was executed on the targeted system. This batch file then invoked PowerShell with a base64 encoded command. Decoding the command revealed a series of PowerShell cmdlets which were utilized to download and decrypt a second stage payload. The first stage of base64 decoded command appears to be a payload created by a popular PowerShell Framework, like PowerShell Empire. The second stage payload also leveraged other legitimate Microsoft applications to complete the series of malicious events. Later stages utilized a WMIC bypass technique.

This is where an understanding of what is normal behavior for these trusted applications becomes paramount in order to quickly detect outlying activity. For instance, there is rarely a legitimate use case for PowerShell to be reading memory from lsass. 

In this real training for free event, I’ll be joined by Marina Liang and Jared Myers who are threat researchers from our sponsor Carbon Black and are familiar with this attack.

We will not only discuss how the attack worked but also identify telltale signs you can look for in logs and other system telemetry. You can’t simply monitor for the execution of wmic, PowerShell and other exes because there’s nothing unusual about them starting. Most of the time there is nothing even unusual about an end user as the account running the process. You have to look deeper – at things like process lineage, command line parameters and if the process initiates network communication.

In addition to the educational content, Marina and Jared will briefly talk about the day-to-day security problems they’re solving and show you the most effective ways to detect, investigate, and mitigate similar living off the land attacks, using Carbon Black’s cloud endpoint protection platform, the CB Predictive Security Cloud.

Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Job Title:  
Zip/Postal Code:  

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources