TTP Analysis: LOLBAS and Windows Reconnaissance

Danger

Executive Summary: “Living Off The Land” (LOL) is a post-compromise operational paradigm where threat actors completely abandon custom, compiled malware in favor of native operating system tools. By weaponizing digitally signed, pre-installed Microsoft binaries (LOLBAS), adversaries can perform extensive host and Active Directory reconnaissance while remaining completely invisible to signature-based legacy Antivirus (AV) solutions. For DFIR analysts, detecting LOLBAS activity requires shifting from binary identity analysis to behavioral process lineage analysis.

1. The LOLBAS Philosophy: Blending into the Noise

The primary objective of an adversary leveraging Living Off The Land Binaries and Scripts (LOLBAS) is to masquerade as a legitimate system administrator.

The network traffic generated by these commands is standard Windows RPC/SMB traffic, and the executables (like cmd.exe, powershell.exe, or certutil.exe) are whitelisted by default across all enterprise environments. The malicious intent cannot be determined by what binary is running, but rather by the context of its execution: who launched it, what arguments were passed, and which parent process spawned it.

2. Host Reconnaissance Phase: Situational Awareness

Immediately upon achieving an initial foothold (e.g., via a successful Phishing payload or an exploited web vulnerability), an attacker is effectively blind. They must execute a series of fundamental questions to gain situational awareness without dropping external discovery tools.

Q: Who am I? (Privilege Check)

Command: whoami /all Forensic Value: Reveals the current username, Security Identifier (SID), and crucially, all group memberships and enabled privileges (e.g., SeDebugPrivilege). This is almost always the very first command executed to determine if local escalation is required. Command: quser or query user Forensic Value: Enumerates other users currently logged into the machine, helping the attacker avoid colliding with an active IT administrator.

Q: What is this machine? (System Check)

Command: hostname Command: systeminfo Forensic Value: systeminfo is a goldmine. It reveals the OS version, architecture, domain membership, and most importantly, the list of installed security patches (Hotfixes). Attackers pipe this output to find missing patches for Local Privilege Escalation (LPE) exploits.

Q: How is the network structured?

Command: ipconfig /all (Reveals DNS and DHCP servers, outlining the domain structure). Command: netstat -anob Forensic Value: Lists all active network connections (-an), the executables that initiated them (-b), and listening ports (-o). Attackers use this to understand outbound egress rules and find local services they can pivot to.

Q: What defenses are active?

Command: tasklist /svc Forensic Value: Maps running processes to their underlying Windows Services. This is used to identify active Endpoint Detection and Response (EDR) agents or Antivirus engines before attempting memory injection or payload drops.

3. Domain Reconnaissance: Active Directory Mapping

Once the attacker understands the local host, they pivot to querying the Active Directory (AD) environment to identify the “Crown Jewels” (Domain Controllers and Domain Admins).

• net user /domain: Enumerates all user accounts within the AD domain.
• net group "Domain Admins" /domain: Retrieves the exact list of highly privileged targets the attacker needs to compromise to achieve total domain dominance.
• net view /domain: Lists active computer accounts across the domain.
• net share \\[target-server]: Enumerates shared folders on a remote server, setting the stage for lateral movement or data exfiltration.

Tip

Advanced Reconnaissance: While net.exe is the traditional method, modern adversaries increasingly rely on the Active Directory module for PowerShell (e.g., Get-ADUser) or LDAP queries via ADSI to bypass simple cmd.exe monitoring. Once this native reconnaissance is complete, attackers typically deploy advanced graphing tools like BloodHound for complex attack path mapping.

4. DFIR Investigation Strategy

Because LOLBAS utilizes trusted binaries, traditional File Integrity Monitoring (FIM) or Hash blacklisting will fail. DFIR analysts must rely entirely on Behavioral Telemetry.

A. The Prerequisite: Command-Line Logging

None of the commands listed above can be reliably detected unless the organization has enabled Event ID 4688 Command-Line Auditing or deployed Sysmon (Event ID 1). Without the specific command-line arguments, a benign execution of net.exe is indistinguishable from a malicious domain enumeration.

B. Process Lineage Analysis

As detailed in our Process Lineage Foundations, the parent-child relationship is the ultimate betrayer of LOLBAS attacks.

• A whoami.exe executed by explorer.exe is unusual but potentially benign.
• A whoami.exe executed by winword.exe, w3wp.exe (IIS), or sqlservr.exe is a definitive, high-fidelity indicator of a remote code execution exploit or malicious macro.

C. The “Reconnaissance Cascade”

Human administrators type commands slowly and read the output. Automated malware, Web Shells, or Cobalt Strike beacons execute initial reconnaissance commands programmatically. Analysts should look for a Reconnaissance Cascade: the execution of whoami, systeminfo, ipconfig, and netstat occurring within milliseconds of each other from the same parent process.

5. Threat Hunting Queries

KQL (Reconnaissance Cascade)

hunt_recon_cascade.kql

// Detects a rapid succession of native discovery commands (Recon Cascade)
// executed by the same parent process within a 1-minute window.
let ReconCommands = dynamic(["whoami.exe", "systeminfo.exe", "ipconfig.exe", "netstat.exe", "tasklist.exe", "quser.exe"]);

DeviceProcessEvents
| where FileName in~ (ReconCommands)
// Group executions by the specific Parent Process and a 1-minute time bin
| summarize ReconCount = dcount(FileName), CommandsExecuted = make_set(ProcessCommandLine)
  by InitiatingProcessIdentifier, InitiatingProcessFileName, DeviceName, bin(TimeGenerated, 1m)
// Alert threshold: At least 3 distinct recon tools used in under a minute
| where ReconCount >= 3
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ReconCount, CommandsExecuted
| sort by TimeGenerated desc

Sigma (Suspicious AD Enumeration)

sigma_suspicious_domain_recon.yaml

title: Suspicious Active Directory Enumeration via Net.exe
id: 9b8c7d6e-5f4a-3b2c-1d0e-9f8a7b6c5d4e
status: stable
description: Detects usage of the net.exe command to enumerate domain groups or users, a common LOLBAS technique during the post-compromise discovery phase.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\net.exe'
        CommandLine|contains|all:
            - 'group'
            - 'domain admins'
            - '/domain'
    selection_user:
        Image|endswith: '\net.exe'
        CommandLine|contains|all:
            - 'user'
            - '/domain'
    condition: selection or selection_user
level: high
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002

---

References & Further Reading

• LOLBAS Project: Living Off The Land Binaries and Scripts
• MITRE ATT&CK: System Information Discovery (T1082)
• Related Artifact: Process Lineage Analysis
• Related Artifact: Event ID 4688 & Command Line Auditing
• Related Action: PsExec and Lateral Movement Traces