Quick Execution of a Series of Suspicious Commands
Detects multiple suspicious processes in a limited timeframe
Sigma rule (View on GitHub)
```yaml
title: Quick Execution of a Series of Suspicious Commands
id: 61ab5496-748e-4818-a92f-de78e20fe7f1
status: unsupported
description: Detects multiple suspicious process in a limited timeframe
references:
    - https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
date: 2019/01/16
modified: 2023/02/24
tags:
    - car.2013-04-002
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - arp.exe
            - at.exe
            - attrib.exe
            - cscript.exe
            - dsquery.exe
            - hostname.exe
            - ipconfig.exe
            - mimikatz.exe
            - nbtstat.exe
            - net.exe
            - netsh.exe
            - nslookup.exe
            - ping.exe
            - quser.exe
            - qwinsta.exe
            - reg.exe
            - runas.exe
            - sc.exe
            - schtasks.exe
            - ssh.exe
            - systeminfo.exe
            - taskkill.exe
            - telnet.exe
            - tracert.exe
            - wscript.exe
            - xcopy.exe
            - pscp.exe
            - copy.exe
            - robocopy.exe
            - certutil.exe
            - vssadmin.exe
            - powershell.exe
            - pwsh.exe
            - wevtutil.exe
            - psexec.exe
            - bcedit.exe
            - wbadmin.exe
            - icacls.exe
            - diskpart.exe
    timeframe: 5m
    condition: selection | count() by MachineName > 5
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: low
```
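The rule is marked `status: unsupported`, so the `timeframe` / `count() by MachineName` aggregation generally has to be reproduced by whatever consumes the selection rather than by a Sigma converter. The following Python is an added example (not code from the Sigma project or the rule author) that applies the rule's own process list with Sigma's case-insensitive substring `contains` semantics and a sliding 5-minute window per host, over constructed process-creation events; the field names, the `is_selected`/`detect` helpers and the sample hosts are assumptions for illustration.

```python
from collections import deque
from datetime import datetime, timedelta
# Process names copied from the rule's CommandLine|contains list (verbatim, including "bcedit.exe").
SUSPICIOUS = [
    "arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe", "ipconfig.exe",
    "mimikatz.exe", "nbtstat.exe", "net.exe", "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe",
    "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe", "systeminfo.exe",
    "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe",
    "robocopy.exe", "certutil.exe", "vssadmin.exe", "powershell.exe", "pwsh.exe", "wevtutil.exe",
    "psexec.exe", "bcedit.exe", "wbadmin.exe", "icacls.exe", "diskpart.exe",
]
TIMEFRAME = timedelta(minutes=5)  # timeframe: 5m
THRESHOLD = 5                     # condition: selection | count() by MachineName > 5

def is_selected(command_line: str) -> bool:
    """Sigma 'contains' is a case-insensitive substring test, so e.g. 'copy.exe' also hits xcopy.exe."""
    cl = command_line.lower()
    return any(name in cl for name in SUSPICIOUS)

def detect(events):
    """events: (timestamp, MachineName, CommandLine) tuples, ordered by timestamp within each host.
    Returns (MachineName, timestamp) for each event that takes a host past the threshold."""
    windows = {}  # MachineName -> timestamps of selected events inside the sliding 5-minute window
    alerts = []
    for ts, host, cmd in events:
        if not is_selected(cmd):
            continue
        q = windows.setdefault(host, deque())
        q.append(ts)
        while ts - q[0] > TIMEFRAME:  # expire events older than the timeframe
            q.popleft()
        if len(q) > THRESHOLD:
            alerts.append((host, ts))
            q.clear()  # one alert per burst rather than one per further command
    return alerts

# Constructed sample process-creation events (not real telemetry); only the three fields the rule needs.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=5),  "WS01",  r"C:\Windows\System32\ipconfig.exe /all"),
    (T0 + timedelta(seconds=10), "WS01",  r"C:\Windows\System32\net.exe user"),
    (T0 + timedelta(seconds=15), "WS01",  r"C:\Windows\System32\systeminfo.exe"),
    (T0 + timedelta(seconds=20), "WS01",  r"C:\Windows\System32\tasklist.exe"),        # not in list
    (T0 + timedelta(seconds=25), "WS01",  r"C:\Windows\System32\quser.exe"),
    (T0 + timedelta(seconds=30), "WS01",  r"C:\Windows\System32\qwinsta.exe"),
    (T0 + timedelta(seconds=35), "WS01",  r"C:\Windows\System32\nbtstat.exe -n"),       # 6th hit -> alert
    # SRV02 runs six listed commands, but the first has aged out of the window by the sixth: no alert.
    *[(T0 + timedelta(minutes=m), "SRV02", r"C:\Windows\System32\ping.exe 10.0.0.1") for m in (0, 1, 2, 3, 4, 6)],
]
```

Running `detect(SAMPLE_EVENTS)` yields a single alert for `WS01` at the sixth listed command; the `falsepositives` note applies unchanged, since admin scripts that chain several of these tools will trip the same window.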
References
- https://car.mitre.org/wiki/CAR-2013-04-002
Related rules
- Suspicious RASdial Activity
- Sysprep on AppData Folder
- Suspicious Runscripthelper.exe
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Renamed FTP.EXE Execution