- Netsh.exe is the most abused Windows tool, and it is still hiding in plain sight
- PowerShell appears on 73% of endpoints, not just in administrators' hands
- The surprising return of WMIC shows that attackers favor the tools nobody is watching
A new analysis of 700,000 security incidents has revealed just how heavily cybercriminals exploit trusted Microsoft tools to break into unsuspecting systems.
Although the trend of attackers using native utilities, known as living-off-the-land (LOTL) tactics, is not new, the latest data from the Bitdefender GravityZone platform suggests it is even more widespread than previously thought.
Some 84% of high-severity attacks involved the use of legitimate system binaries already present on the machines. This undermines the effectiveness of conventional defenses, even those marketed as the best antivirus or the best malware protection.
Some of the most commonly abused tools will be very familiar to system administrators, including PowerShell.exe and WScript.exe.
However, one tool emerged unexpectedly at the top: Netsh.exe. A command-line utility for managing network configuration, Netsh.exe was found in a third of major attacks, and although it is still used legitimately for firewall and interface management, its frequent appearance in attack chains suggests that its potential for abuse is underestimated.
PowerShell remains a key element in both legitimate operations and malicious activity: although 96% of organizations use PowerShell, it was found running on 73% of endpoints, well beyond what would be expected from administrative use alone.
Bitdefender noted that "third-party applications running PowerShell code without a visible interface" were a common cause.
This dual-use nature makes detection difficult, especially for tools not backed by behavior-aware engines.
It raises the question of whether even the best EPP solutions are correctly configured to handle this blurred line between normal and harmful use.
Another surprising discovery was the continued use of wmic.exe, a tool that Microsoft has deprecated.
Despite its age, the analysis shows it is still widely present in environments, often invoked by inventory software. Its legitimate appearance makes it particularly attractive to attackers trying to blend in.
To address this problem, Bitdefender has developed PHASR (Proactive Hardening and Attack Surface Reduction). The tool takes a targeted approach that goes beyond simply disabling tools.
"PHASR goes beyond blocking whole tools; it also monitors and stops the specific actions that attackers use," the company said.
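The distinction the article draws, flagging what a dual-use binary does rather than merely that it ran, can be illustrated with a small triage routine over process-creation events. This is an added example and not Bitdefender's or PHASR's code; the events are constructed Sysmon-style samples and the rules are generic action patterns, not the vendor's detection logic.

```python
import re

# Constructed Sysmon-style process-creation events (image, parent, command line).
# Made-up samples for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface show interface"},
    {"image": r"C:\Windows\System32\netsh.exe", "parent": r"C:\Users\Public\svc.exe",
     "cmdline": "netsh advfirewall firewall add rule name=svc dir=in action=allow program=svc.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Program Files\Inventory\agent.exe",
     "cmdline": "wmic csproduct get uuid"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic process call create notepad.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QUJDRA=="},
]

# Each rule: (binary name, command-line pattern, reason). Only the action is flagged;
# routine use of the same binary (e.g. "netsh interface show") produces no finding.
ACTION_RULES = [
    ("netsh.exe", r"advfirewall\s+firewall\s+add\s+rule|portproxy", "netsh changes firewall or port forwarding"),
    ("wmic.exe", r"process\s+call\s+create", "WMIC used to launch a process"),
    ("powershell.exe", r"-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", "encoded or hidden PowerShell"),
]

# Parent locations from which routine administrative use is expected (assumed baseline).
TRUSTED_PARENT_DIRS = (r"c:\windows\system32", r"c:\program files")

def findings_for(event):
    """Return the reasons an event deserves analyst attention (empty list = routine use)."""
    binary = event["image"].lower().rsplit("\\", 1)[-1]
    reasons = []
    for rule_binary, pattern, reason in ACTION_RULES:
        if binary == rule_binary and re.search(pattern, event["cmdline"], re.IGNORECASE):
            reasons.append(reason)
    # Context raises severity only once a suspicious action has already been seen.
    if reasons and not event["parent"].lower().startswith(TRUSTED_PARENT_DIRS):
        reasons.append(f"launched from unusual parent {event['parent']}")
    return reasons

def triage(events):
    """Map event index -> reasons, dropping routine dual-use noise from the queue."""
    return {i: r for i, e in enumerate(events) if (r := findings_for(e))}

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", "; ".join(reasons))
```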
However, this approach is not without trade-offs. The fundamental dilemma, "can't live with them, can't live without them", remains unresolved.