Quick Execution of a Series of Suspicious Commands

Detects a burst of suspicious process executions on a single host: more than five process-creation events whose command line references one of the listed binaries, on one MachineName, within five minutes. The rule expresses the threshold with Sigma's count() by aggregation syntax, which the Sigma project no longer supports; that is why its status is unsupported. A backend that does not implement aggregations cannot honour the threshold, so the counting has to be rebuilt as a SIEM-side correlation search over the plain selection.

Sigma rule

title: Quick Execution of a Series of Suspicious Commands
id: 61ab5496-748e-4818-a92f-de78e20fe7f1
status: unsupported
description: Detects multiple suspicious processes in a limited timeframe
references:
    - https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
date: 2019/01/16
modified: 2023/02/24
tags:
    - car.2013-04-002
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - arp.exe
            - at.exe
            - attrib.exe
            - cscript.exe
            - dsquery.exe
            - hostname.exe
            - ipconfig.exe
            - mimikatz.exe
            - nbtstat.exe
            - net.exe
            - netsh.exe
            - nslookup.exe
            - ping.exe
            - quser.exe
            - qwinsta.exe
            - reg.exe
            - runas.exe
            - sc.exe
            - schtasks.exe
            - ssh.exe
            - systeminfo.exe
            - taskkill.exe
            - telnet.exe
            - tracert.exe
            - wscript.exe
            - xcopy.exe
            - pscp.exe
            - copy.exe
            - robocopy.exe
            - certutil.exe
            - vssadmin.exe
            - powershell.exe
            - pwsh.exe
            - wevtutil.exe
            - psexec.exe
            - bcdedit.exe   # the binary is bcdedit.exe; "bcedit.exe" would never match
            - wbadmin.exe
            - icacls.exe
            - diskpart.exe
    timeframe: 5m
    condition: selection | count() by MachineName > 5
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: low
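Because the aggregation cannot be run by current Sigma tooling, the following stand-alone Python evaluator models what the rule asks for: a case-insensitive substring test of each command line against the selection list, then a sliding five-minute window per MachineName that alerts once more than five matches accumulate. This is an added example, not code from the Sigma project or the rule's author; the event tuples are constructed sample telemetry, the field order (timestamp, host, command line) and the alert-once-then-reset behaviour are assumptions, and the list is taken from the rule with its bcedit.exe entry read as the intended bcdedit.exe.

```python
"""Stand-alone evaluator for the 'count() by MachineName > 5' rule above.

Added example, not code from the Sigma project or the rule's author.
SAMPLE_EVENTS is constructed for illustration, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Selection list from the rule (lower-cased; bcedit.exe read as bcdedit.exe).
SUSPICIOUS = [
    "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe",
    "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe", "netsh.exe", "nslookup.exe",
    "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe",
    "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe",
    "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe",
    "vssadmin.exe", "powershell.exe", "pwsh.exe", "wevtutil.exe", "psexec.exe", "bcdedit.exe",
    "wbadmin.exe", "icacls.exe", "diskpart.exe",
]
TIMEFRAME = timedelta(minutes=5)   # timeframe: 5m
THRESHOLD = 5                      # condition: count() > 5


def matches_selection(command_line: str) -> bool:
    """CommandLine|contains: Sigma string matching is case-insensitive and
    'contains' is a bare substring test, so 'dotnet.exe' satisfies 'net.exe'
    and 'format.exe' satisfies 'at.exe'.  That is the main false-positive source."""
    cl = command_line.lower()
    return any(name in cl for name in SUSPICIOUS)


def evaluate(events):
    """events: iterable of (iso_timestamp, machine_name, command_line), time-ordered.

    Returns a list of (machine_name, timestamp_of_sixth_match, count) alerts.
    Design choice (assumption): one alert per burst, then the window is reset."""
    windows = defaultdict(deque)   # MachineName -> timestamps of matches in the window
    alerts = []
    for ts_str, host, cmd in events:
        if not matches_selection(cmd):
            continue
        ts = datetime.fromisoformat(ts_str)
        q = windows[host]
        # Evict matches that fell out of the 5-minute window before counting.
        while q and ts - q[0] > TIMEFRAME:
            q.popleft()
        q.append(ts)
        if len(q) > THRESHOLD:
            alerts.append((host, ts_str, len(q)))
            q.clear()
    return alerts


# Constructed sample events: an interactive recon burst on WS01, the same commands
# spread thinly on WS02, and a build server whose dotnet.exe invocations match
# 'net.exe' by substring.
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:05", "WS01", "whoami"),                  # not in the list
    ("2024-03-04T09:00:12", "WS01", "ipconfig.exe /all"),
    ("2024-03-04T09:00:30", "WS01", "net.exe user"),
    ("2024-03-04T09:01:02", "WS01", 'net.exe group "domain admins" /domain'),
    ("2024-03-04T09:02:10", "WS01", "quser.exe"),
    ("2024-03-04T09:02:50", "WS01", "systeminfo.exe"),
    ("2024-03-04T09:03:40", "WS01", "nbtstat.exe -n"),          # sixth match -> alert
    ("2024-03-04T10:00:00", "WS02", "ipconfig.exe /all"),
    ("2024-03-04T10:10:00", "WS02", "net.exe user"),
    ("2024-03-04T10:20:00", "WS02", "quser.exe"),
    ("2024-03-04T10:30:00", "WS02", "systeminfo.exe"),
    ("2024-03-04T10:40:00", "WS02", "nbtstat.exe -n"),
    ("2024-03-04T10:50:00", "WS02", "sc.exe query"),            # never >5 within 5m
    ("2024-03-04T11:00:00", "BUILD01", r'"C:\Program Files\dotnet\dotnet.exe" restore'),
    ("2024-03-04T11:00:10", "BUILD01", r'"C:\Program Files\dotnet\dotnet.exe" build src\Api'),
    ("2024-03-04T11:00:20", "BUILD01", r'"C:\Program Files\dotnet\dotnet.exe" build src\Web'),
    ("2024-03-04T11:00:30", "BUILD01", r'"C:\Program Files\dotnet\dotnet.exe" test'),
    ("2024-03-04T11:00:40", "BUILD01", r'"C:\Program Files\dotnet\dotnet.exe" publish'),
    ("2024-03-04T11:00:50", "BUILD01", r'"C:\Program Files\dotnet\dotnet.exe" pack'),
]

if __name__ == "__main__":
    for host, when, n in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {host}: {n} suspicious command lines within 5m, last at {when}")
```

Running it alerts on WS01 and on BUILD01 but not on WS02, which shows both halves of the rule's behaviour: the per-host window is what separates a burst from routine, spaced-out administration, and the substring match is what makes a .NET build server look like recon. In production the same logic also misses a lot, because interactive operators usually type "ipconfig /all" or "net user" without the .exe suffix; keying the selection on the Image field (or on the command-line token before the first space) instead of CommandLine|contains removes both the misses and the dotnet.exe-style over-matches.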
