THREAT DESCRIPTION – Windows Discovery and Execution Processes
When malware or an adversary compromises a system, they often make heavy use of Windows discovery and execution processes, binaries native to Windows (LOLBins, Living off the Land Binaries), to scope out the host and network they have infiltrated, obtain credentials, or establish persistence. This includes gathering information about the host and domain they landed on, or using tools such as schtasks to maintain access to the system. Adversaries favour binaries native to Windows because they appear less conspicuous and more legitimate than custom tooling, and because anti-virus and other endpoint protection typically do not alert on any single one of them. The detection opportunity is therefore the excess: many distinct discovery and execution processes launched by one host or user within a short period, rather than any one execution on its own.
Techniques: System Network Configuration Discovery (T1016)
MITRE ATT&CK Description
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
Source: MITRE ATT&CK
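The following is an added detection example, not code from the original page or from MITRE: it runs over constructed process-creation events (tab-separated fields modelled on Sysmon Event ID 1, not real telemetry) and flags a host/user pair that launches several distinct discovery binaries within a short window, which is the "excessive" pattern described at the top of this page, as well as schtasks invocations that create or change a task. The four T1016 utilities named in the MITRE text are in the watch list; the other binary names, the five-minute window, the threshold of four and the schtasks flags are assumed tuning values a practitioner would adjust.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery LOLBins. arp/ipconfig/nbtstat/route come from the T1016 text above;
# the remaining names are an assumed, illustrative list to be extended per environment.
DISCOVERY_BINARIES = {
    "arp.exe", "ipconfig.exe", "nbtstat.exe", "route.exe",            # T1016
    "net.exe", "net1.exe", "whoami.exe", "systeminfo.exe", "nltest.exe",
    "hostname.exe", "tasklist.exe", "netstat.exe", "qwinsta.exe",
}

WINDOW = timedelta(minutes=5)   # assumed tuning value
THRESHOLD = 4                   # distinct discovery binaries per host/user inside WINDOW (assumed)

# Constructed sample events (not real telemetry). Fields: UtcTime, Computer, User, Image, CommandLine.
SAMPLE_LOG = """\
2024-03-11T09:14:02Z\tWS01\tCORP\\jdoe\tC:\\Windows\\System32\\whoami.exe\twhoami /all
2024-03-11T09:14:10Z\tWS01\tCORP\\jdoe\tC:\\Windows\\System32\\ipconfig.exe\tipconfig /all
2024-03-11T09:14:31Z\tWS01\tCORP\\jdoe\tC:\\Windows\\System32\\ARP.EXE\tarp -a
2024-03-11T09:15:05Z\tWS01\tCORP\\jdoe\tC:\\Windows\\System32\\net.exe\tnet group "Domain Admins" /domain
2024-03-11T09:15:40Z\tWS01\tCORP\\jdoe\tC:\\Windows\\System32\\route.exe\troute print
2024-03-11T09:16:12Z\tWS01\tCORP\\jdoe\tC:\\Windows\\System32\\schtasks.exe\tschtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon
2024-03-11T08:30:00Z\tSRV02\tCORP\\admin\tC:\\Windows\\System32\\ipconfig.exe\tipconfig
2024-03-11T09:10:00Z\tSRV02\tCORP\\admin\tC:\\Windows\\System32\\hostname.exe\thostname
2024-03-11T09:20:00Z\tSRV02\tCORP\\admin\tC:\\Windows\\System32\\schtasks.exe\tschtasks /query /tn Backup
"""


def parse_events(text):
    """Parse tab-separated process-creation lines into dicts; image names are
    reduced to a lower-cased basename so C:\\Windows\\System32\\ARP.EXE matches arp.exe."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, computer, user, image, cmdline = line.split("\t", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "computer": computer,
            "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline,
        })
    return events


def find_discovery_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) whose count of *distinct* discovery
    binaries inside any sliding `window` reaches `threshold`.
    Counting distinct names, not raw executions, keeps a looping script that
    calls ipconfig every minute from tripping the rule on its own."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["image"] in DISCOVERY_BINARIES:
            by_actor[(ev["computer"], ev["user"])].append((ev["time"], ev["image"]))

    alerts = []
    for (computer, user), runs in by_actor.items():
        runs.sort()
        start = 0
        for end in range(len(runs)):
            while runs[end][0] - runs[start][0] > window:   # slide window forward
                start += 1
            seen = {name for _, name in runs[start:end + 1]}
            if len(seen) >= threshold:
                alerts.append({"computer": computer, "user": user,
                               "first": runs[start][0], "last": runs[end][0],
                               "binaries": sorted(seen)})
                break   # one alert per actor is enough for triage
    return alerts


def find_schtasks_persistence(events):
    """Flag schtasks.exe runs that create or modify a task (assumed indicator);
    read-only use such as /query is left alone to limit noise."""
    hits = []
    for ev in events:
        if ev["image"] == "schtasks.exe":
            flags = {tok.lower() for tok in ev["cmdline"].split() if tok.startswith("/")}
            if flags & {"/create", "/change"}:
                hits.append((ev["computer"], ev["user"], ev["cmdline"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_discovery_bursts(evs):
        print(f"[discovery burst] {a['computer']} {a['user']} "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}: {', '.join(a['binaries'])}")
    for computer, user, cmd in find_schtasks_persistence(evs):
        print(f"[schtasks persistence] {computer} {user}: {cmd}")
```

On the constructed input, WS01/CORP\jdoe trips the burst rule at the fourth distinct binary (whoami, ipconfig, arp, net within about a minute) and again on the schtasks /create that follows, while SRV02/CORP\admin, who runs two discovery tools forty minutes apart and only queries a task, produces nothing. The path and case normalisation in parse_events matters in practice: adversaries frequently invoke these binaries with mixed case or from C:\Windows\SysWOW64, and a rule keyed on the raw image string misses them.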