- Netsh.exe is the most abused Windows tool, and it still hides in plain sight
- PowerShell runs on 73% of endpoints, not only in administrators' hands
- WMIC's surprising comeback shows attackers that nobody is watching anymore
A new analysis of 700,000 security events has shown how cyber criminals are exploiting trusted Microsoft tools at scale.
While the tendency of attackers to use native utilities, a strategy known as Living off the Land (LOTL), is not new, the latest data from Bitdefender's GravityZone platform shows that it is already far more widespread than assumed.
84% of high-severity attacks involved the use of valid system binaries already present on the compromised machine. This reduces the effectiveness of traditional defenses, even those marketed as the best antivirus or best malware protection.
Some of the most abused tools will be very familiar to system administrators, including powershell.exe and wscript.exe.
However, one tool unexpectedly emerged at the top: netsh.exe. A command-line utility for managing network configuration, netsh.exe was found in one-third of major attacks. While it is still legitimately used for firewall and interface management, its frequent presence in attack chains suggests that its potential for misuse has been underestimated.
PowerShell remains a major component of both legitimate operations and malicious activity. Although 96% of organizations use PowerShell, it was running on 73% of endpoints, which is beyond what would be expected from administrative use alone.
Bitdefender found that "third-party applications running PowerShell code without a visible interface" were a common reason.
This dual-use nature makes detection difficult, especially for tools that rely on behavior-based engines.
This raises the question of whether the best EPP solutions are adequately tuned for this blurred line between normal and nefarious use.
Another surprising discovery was the continued use of wmic.exe, a tool that Microsoft has deprecated.
Despite its age, the analysis suggests it is still widely present in environments, often invoked by software seeking system information. This makes it particularly attractive to attackers trying to blend in, because of its legitimate appearance.
To address the issue, Bitdefender developed PHASR (Proactive Hardening and Attack Surface Reduction). This tool employs a targeted approach that goes beyond simply disabling binaries.
The company said, "PHASR goes beyond blocking entire tools; it also monitors and prevents the specific actions attackers use within them."
Nevertheless, this approach is not without trade-offs. The fundamental dilemma, "can't live with them, can't live without them", remains unresolved.
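As an added illustration of the action-level approach described above (example code written for this page, not Bitdefender's code and not how PHASR works internally), the following Python triage classifies constructed process-creation events for netsh.exe, powershell.exe and wmic.exe. Ordinary use of each binary is only observed, a hidden PowerShell window is recorded as context rather than used as a verdict (the article notes third-party software routinely runs PowerShell that way), and only specific abuse actions are blocked. The set of flagged actions (firewall tampering, port forwarding, encoded commands, download cradles, remote WMI process creation) is this example's own assumption about what to flag; the article does not list them, and the sample events are constructed.

```python
"""Action-level triage of Windows process-creation events for the three
LOLBins the article singles out: netsh.exe, powershell.exe and wmic.exe.

Added example, not Bitdefender code and not an implementation of PHASR.
SAMPLE_EVENTS is constructed for illustration. The regexes encode well-known
abuse actions; which actions to flag is this example's assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal view of a process-creation record (e.g. Sysmon EID 1 / 4688)."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str


# Action rules per binary: (tag, regex applied to the lower-cased command line).
# Only these actions are flagged; routine use of the same binary passes, which
# is the "restrict actions, don't block the whole tool" idea from the article.
SUSPICIOUS_ACTIONS = {
    "netsh.exe": [
        ("firewall_disabled", r"advfirewall\s+set\s+\S+\s+state\s+off"),
        ("firewall_rule_added", r"advfirewall\s+firewall\s+add\s+rule"),
        ("portproxy_added", r"interface\s+portproxy\s+add"),
        ("wifi_keys_dumped", r"wlan\s+show\s+profiles?\b.*key=clear"),
    ],
    "wmic.exe": [
        ("remote_process_create", r"/node:\S+.*process\s+call\s+create"),
        ("local_process_create", r"^(?!.*/node:).*process\s+call\s+create"),
    ],
    "powershell.exe": [
        ("encoded_command", r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s"),
        ("download_cradle", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    ],
}

# Hidden-window switches are context only: a hidden window alone must not
# trigger a block, because benign third-party software does exactly this.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden")


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> dict:
    """Classify one event: 'block' on a flagged action, 'observe' for any
    other use of a LOLBin, 'allow' for everything else."""
    name = basename(ev.image)
    cmd = ev.command_line.lower()
    actions = [tag for tag, pat in SUSPICIOUS_ACTIONS.get(name, []) if re.search(pat, cmd)]
    is_lolbin = name in SUSPICIOUS_ACTIONS
    return {
        "binary": name,
        "parent": basename(ev.parent_image),
        "actions": actions,
        "hidden_window": bool(HIDDEN_WINDOW.search(cmd)),
        "verdict": "block" if actions else ("observe" if is_lolbin else "allow"),
    }


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              "netsh interface show interface", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              "netsh advfirewall set allprofiles state off", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=4444 "
              "connectaddress=10.0.0.5 connectport=3389", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -WindowStyle Hidden -NoProfile -File "C:\Program Files\Vendor\update.ps1"',
              r"C:\Program Files\Vendor\VendorUpdater.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption,version", r"C:\Program Files\Inventory\agent.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:10.0.0.7 process call create "cmd.exe /c whoami"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]


def triage_all(events=SAMPLE_EVENTS) -> list:
    """Triage a list of events in order; used by the demo and the test."""
    return [triage(ev) for ev in events]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['verdict']:7} {r['binary']:15} parent={r['parent']:18} "
              f"hidden={r['hidden_window']!s:5} actions={r['actions']}")
```

Running the file prints one verdict per sample event: the two benign netsh and WMIC invocations and the vendor updater's hidden PowerShell come out as "observe", while the firewall tampering, portproxy, encoded command and remote WMI execution come out as "block". To use it on real telemetry, build ProcEvent records from Sysmon event 1 or Security 4688 fields; the parent image is carried along so an analyst can see, for instance, that hidden PowerShell under a vendor updater and under wscript.exe are different cases even before the action rules run.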