- Netsh.exe tops the list of abused Windows tools, and still hides in plain sight
- PowerShell runs on 73% of endpoints, not only in the hands of administrators
- WMIC's surprising return shows that attackers favor the tools nobody is watching
A new analysis of 700,000 security incidents has revealed how extensively cybercriminals exploit Microsoft's trusted tools to compromise systems.
While attackers' use of native binaries, a tactic known as living off the land (LOTL), is not new, the latest data from the Bitdefender GravityZone platform suggests it is even more widespread than previously believed.
A striking 84% of high-severity attacks involved legitimate system tools already present on the machines. This undermines the effectiveness of conventional defenses, including those marketed as the best antivirus or the best malware protection.
Some of the most commonly abused tools will be very familiar to system administrators, including powershell.exe and wscript.exe.
However, one tool unexpectedly emerged at the top: netsh.exe. A command-line utility for administering network configuration, netsh.exe was found in a third of the major attacks. Although it is still used legitimately for firewall and interface management, its frequent appearance in attack chains suggests that its potential for misuse is underestimated.
PowerShell remains a key component of both legitimate operations and malicious activity. Although 96% of organizations use PowerShell, it was found to be executing on 73% of endpoints, far beyond what administrative use alone would explain.
Bitdefender found that "third-party applications that execute PowerShell code without a visible interface" were a common cause.
This dual-use nature hinders detection, especially for security products that are not backed by behavioral engines.
It raises questions about whether even the best EPP solutions are properly tuned to account for this blurred line between normal and malicious use.
Another surprising finding was the continued use of WMIC.exe, a tool that Microsoft has deprecated.
Despite its age, the analysis shows it is still widely present in environments, often invoked by software inventory and system-information tooling. It is particularly attractive when attackers try to blend in, because of its legitimate appearance.
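The three tools above (netsh.exe for firewall and interface changes, PowerShell launched without a visible window, and WMIC invoked by inventory tooling) share the problem the article describes: the binary alone tells a defender nothing, so triage has to look at the command line and the parent process. The script below is an added example, not code from Bitdefender or Microsoft. It scores constructed process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage); the sample events, the vendor path on the allowlist (`C:\Program Files\ExampleVendor\agent.exe`) and the scores are assumptions for illustration, and the allowlist shows the kind of tuning the "hidden PowerShell from a third-party app" finding calls for.

```python
"""Context-aware triage of process-creation records for living-off-the-land
(LOTL) abuse of netsh.exe, powershell.exe and wmic.exe.

Added example, not Bitdefender's or Microsoft's code. The records mimic the
Image / CommandLine / ParentImage fields of Sysmon Event ID 1 (or Windows
4688); the events, the vendor paths and the scores are constructed for
illustration and would need tuning against real telemetry.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[re.Pattern, str, int]  # (pattern over the command line, label, score)

# PowerShell switches and cmdlets an administrator rarely types interactively.
PS_RULES: List[Rule] = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window", 1),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command", 2),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass", 1),
    (re.compile(r"-(?:noni|noninteractive)\b", re.I), "non-interactive", 1),
    (re.compile(r"\bdownloadstring\b|\binvoke-webrequest\b|\biwr\b", re.I), "network download", 2),
]
# netsh: port forwarding and firewall changes are the abuse cases; plain
# "netsh interface show" style queries score nothing.
NETSH_RULES: List[Rule] = [
    (re.compile(r"\bportproxy\b.*\badd\b", re.I), "port forwarding via portproxy", 3),
    (re.compile(r"\badvfirewall\b.*\bstate\s+off\b", re.I), "firewall disabled", 3),
    (re.compile(r"\badvfirewall\b.*\badd\s+rule\b.*\baction=allow\b", re.I), "allow rule added", 2),
]
# wmic: read-only inventory queries ("wmic os get ...") score nothing.
WMIC_RULES: List[Rule] = [
    (re.compile(r"\bprocess\b.*\bcall\b.*\bcreate\b", re.I), "process creation via WMI", 3),
    (re.compile(r"/node:", re.I), "remote WMI execution", 2),
    (re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I), "shadow copy deletion", 3),
]
RULES_BY_IMAGE = {"powershell.exe": PS_RULES, "pwsh.exe": PS_RULES,
                  "netsh.exe": NETSH_RULES, "wmic.exe": WMIC_RULES}

# Parents that should not normally launch these tools at all.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Hypothetical tuning allowlist: a third-party agent known (in this constructed
# environment) to run hidden PowerShell as part of normal operation.
KNOWN_HIDDEN_PS_PARENTS = {r"c:\program files\examplevendor\agent.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Score one record. Returns image, severity (none/low/high) and the signals hit."""
    image = _basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").lower()
    signals: List[str] = []
    score = 0
    for rx, label, weight in RULES_BY_IMAGE.get(image, []):
        if rx.search(cmd):
            signals.append(label)
            score += weight
    # Parent context: an Office process spawning any of these binaries is a signal
    # on its own; a known agent launching hidden PowerShell is the benign pattern
    # the analysis describes, so it gets a discount rather than an alert.
    if image in RULES_BY_IMAGE and _basename(parent) in OFFICE_PARENTS:
        signals.append("spawned by " + _basename(parent))
        score += 2
    if image in ("powershell.exe", "pwsh.exe") and parent in KNOWN_HIDDEN_PS_PARENTS:
        signals.append("known third-party parent")
        score -= 1
    severity = "high" if score >= 3 else "low" if score >= 1 else "none"
    return {"image": image, "severity": severity, "signals": signals}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [triage_event(e) for e in events]


# Constructed sample events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=3389 connectaddress=10.0.0.5 connectport=3389",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -WindowStyle Hidden -NoProfile -File "C:\Program Files\ExampleVendor\update.ps1"',
     "ParentImage": r"C:\Program Files\ExampleVendor\agent.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + "A" * 40,  # placeholder payload
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:10.0.0.7 process call create "cmd /c whoami"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get Caption,Version /format:list",
     "ParentImage": r"C:\Program Files\Inventory\collect.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f"{r['severity']:<5} {r['image']:<15} {', '.join(r['signals']) or '-'}")
```

Run stand-alone it prints one line per event: the portproxy, Office-spawned encoded PowerShell and remote WMIC process creation come out `high`, the firewall allow rule `low`, and the vendor agent's hidden PowerShell and the inventory tool's `wmic os get` query `none`. The same hidden-window command line from a parent not on the allowlist scores `low`, which is the point: the binary is identical, only the context differs.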
To address this problem, Bitdefender developed PHASR (Proactive Hardening and Attack Surface Reduction). The tool takes a targeted approach that goes beyond simply disabling tools.
"PHASR goes beyond blocking entire tools; it also monitors and stops the specific actions that attackers use within them," the company said.
Even so, this approach is not without trade-offs. The fundamental dilemma, "can't live with them, can't live without them," remains unresolved.