Reconnaissance Activity Using BuiltIn Commands

Detects execution of a set of builtin commands often used in recon stages by different attack groups

Sigma rule

title: Reconnaissance Activity Using BuiltIn Commands
id: 2887e914-ce96-435f-8105-593937e90757
status: unsupported
description: Detects execution of a set of builtin commands often used in recon stages by different attack groups
references:
    - https://twitter.com/haroonmeer/status/939099379834658817
    - https://twitter.com/c_APT_ure/status/939475433711722497
    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth (Nextron Systems), Markus Neis
date: 2018/08/22
modified: 2023/02/24
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine:
            - tasklist
            - net time
            - systeminfo
            - whoami
            - nbtstat
            - net start
            - qprocess
            - nslookup
            - hostname.exe
            - 'netstat -an'
        - CommandLine|endswith:
            - '\net1 start'
            - '\net1 user /domain'
            - '\net1 group /domain'
            - '\net1 group "domain admins" /domain'
            - '\net1 group "Exchange Trusted Subsystem" /domain'
            - '\net1 accounts /domain'
            - '\net1 user net localgroup administrators'
    timeframe: 15s
    condition: selection | count() by CommandLine > 4
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
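As an added illustration (not part of the rule or the Sigma project), the following Python evaluates the rule's selection and aggregation over a constructed set of process_creation events. It follows Sigma semantics: plain values are case-insensitive exact matches, `|endswith` values match the end of the field, and `count() by CommandLine > 4` groups matches by identical CommandLine, so five distinct recon commands in 15 s do not fire while five repeats of one command do; the event timestamps and command lines are constructed sample data.

```python
"""Evaluate the rule above against constructed process_creation events."""
from datetime import datetime, timedelta

# Selection values transcribed from the rule; Sigma matching is case-insensitive.
EXACT = {v.lower() for v in ["tasklist", "net time", "systeminfo", "whoami", "nbtstat",
                             "net start", "qprocess", "nslookup", "hostname.exe", "netstat -an"]}
ENDSWITH = [v.lower() for v in ["\\net1 start", "\\net1 user /domain", "\\net1 group /domain",
                                '\\net1 group "domain admins" /domain',
                                '\\net1 group "Exchange Trusted Subsystem" /domain',
                                "\\net1 accounts /domain",
                                "\\net1 user net localgroup administrators"]]
TIMEFRAME = timedelta(seconds=15)   # timeframe: 15s
THRESHOLD = 4                       # condition: ... count() by CommandLine > 4


def matches_selection(cmdline: str) -> bool:
    """True if the CommandLine field satisfies either list of the selection."""
    c = cmdline.lower()
    return c in EXACT or any(c.endswith(v) for v in ENDSWITH)


def evaluate(events):
    """events: iterable of (timestamp, CommandLine).
    Returns [(command_line, window_start)] for every CommandLine group that has
    more than THRESHOLD matching events inside a sliding TIMEFRAME window."""
    per_cmd = {}
    for ts, cmd in sorted(events):
        if matches_selection(cmd):
            per_cmd.setdefault(cmd.lower(), []).append(ts)
    alerts = []
    for cmd, stamps in per_cmd.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > TIMEFRAME:   # slide the window
                start += 1
            if end - start + 1 > THRESHOLD:
                alerts.append((cmd, stamps[start]))
                break   # one alert per command line is enough here
    return alerts


T0 = datetime(2023, 2, 24, 9, 0, 0)  # constructed base time for the sample events
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=2 * i), "whoami") for i in range(5)]            # 5 repeats in 8 s
    + [(T0 + timedelta(seconds=30 + i), c) for i, c in                        # 5 distinct commands
       enumerate(["tasklist", "systeminfo", "net time", "hostname.exe", "nbtstat"])]
    + [(T0 + timedelta(seconds=60 + 20 * i),                                  # 5 repeats, 20 s apart
        r"C:\Windows\System32\net1 user /domain") for i in range(5)]
    + [(T0 + timedelta(seconds=5), "whoami /all")]                            # not an exact match
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Only the repeated `whoami` group fires; the five different commands and the widely spaced `net1` executions never exceed the per-CommandLine count of 4.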
