Reconnaissance Activity Using BuiltIn Commands
Detects execution of a set of built-in Windows commands that attack groups commonly run during the discovery phase of an intrusion. The rule matches process-creation events against a fixed list of command lines, aggregates them in a 15 second window and fires on the condition count() by CommandLine > 4 shown below.
Sigma rule

title: Reconnaissance Activity Using BuiltIn Commands
id: 2887e914-ce96-435f-8105-593937e90757
status: unsupported
description: Detects execution of a set of builtin commands often used in recon stages by different attack groups
references:
    - https://twitter.com/haroonmeer/status/939099379834658817
    - https://twitter.com/c_APT_ure/status/939475433711722497
    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth (Nextron Systems), Markus Neis
date: 2018/08/22
modified: 2023/02/24
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine:
              - tasklist
              - net time
              - systeminfo
              - whoami
              - nbtstat
              - net start
              - qprocess
              - nslookup
              - hostname.exe
              - 'netstat -an'
        - CommandLine|endswith:
              - '\net1 start'
              - '\net1 user /domain'
              - '\net1 group /domain'
              - '\net1 group "domain admins" /domain'
              - '\net1 group "Exchange Trusted Subsystem" /domain'
              - '\net1 accounts /domain'
              - '\net1 user net localgroup administrators'
    timeframe: 15s
    condition: selection | count() by CommandLine > 4
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
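The detection above, emulated in Python over constructed process-creation events. This is an added example, not code from the rule or from the SigmaHQ project. The matching follows the Sigma specification: a plain value is a case-insensitive match of the whole field (so "whoami /all" is not matched by the value "whoami"), the |endswith modifier is a suffix match, and the backslash in the '\net1 ...' values is a literal character, so a bare "net1 user /domain" does not match either. The aggregation is implemented exactly as the condition reads: count() by CommandLine groups matching events by identical command line and fires when one value occurs more than four times in any 15 second window, with no grouping by host. Aggregation conditions of this shape have since been deprecated from the Sigma specification in favour of correlation rules, which is why an emulation is the practical way to see what the condition does. A second function shows a per-host distinct-command variant; that variant is my assumption about the behaviour such a rule is usually meant to catch, not what this rule's condition says. The event list, the field names ts and Computer, and the host names are constructed for the example.

```python
"""Emulation of the 'Reconnaissance Activity Using BuiltIn Commands' Sigma rule.

Added example: not code from the rule or the SigmaHQ project. The event records,
their field names (ts, Computer, CommandLine) and the host names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Values copied from the rule's selection block.
EXACT = ["tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start",
         "qprocess", "nslookup", "hostname.exe", "netstat -an"]
ENDSWITH = [r"\net1 start", r"\net1 user /domain", r"\net1 group /domain",
            r'\net1 group "domain admins" /domain',
            r'\net1 group "Exchange Trusted Subsystem" /domain',
            r"\net1 accounts /domain", r"\net1 user net localgroup administrators"]
TIMEFRAME = timedelta(seconds=15)   # timeframe: 15s
THRESHOLD = 4                       # condition: ... > 4


def matches_selection(cmdline):
    """Sigma string matching: a plain value is a case-insensitive match of the whole
    field, |endswith a case-insensitive suffix match. None of the values use wildcards,
    and the backslash in '\\net1 ...' is a literal character, not an escape."""
    c = cmdline.lower()
    return any(c == v.lower() for v in EXACT) or any(c.endswith(v.lower()) for v in ENDSWITH)


def _max_events_in_window(stamps, timeframe):
    """Largest number of timestamps that fit inside one sliding window of `timeframe`."""
    stamps = sorted(stamps)
    best = start = 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > timeframe:
            start += 1
        best = max(best, end - start + 1)
    return best


def rule_as_written(events, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """'selection | count() by CommandLine > 4': matching events are grouped by the
    exact CommandLine value, and the rule fires for any value that occurs more than
    `threshold` times within `timeframe`. There is no grouping by host, so repeats
    of the same command on different machines are counted together.
    Returns the command lines (lower-cased) that fired."""
    by_cmd = defaultdict(list)
    for ev in events:
        if matches_selection(ev["CommandLine"]):
            by_cmd[ev["CommandLine"].lower()].append(ev["ts"])
    return sorted(cmd for cmd, stamps in by_cmd.items()
                  if _max_events_in_window(stamps, timeframe) > threshold)


def distinct_commands_per_host(events, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """Added variant, my assumption about the behaviour such a rule usually targets and
    NOT the rule's condition: fire when one host runs more than `threshold` different
    recon commands within `timeframe`. Returns the hosts that fired."""
    by_host = defaultdict(list)
    for ev in events:
        if matches_selection(ev["CommandLine"]):
            by_host[ev["Computer"]].append((ev["ts"], ev["CommandLine"].lower()))
    hits = []
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            distinct = {cmd for t, cmd in items[i:] if t - t0 <= timeframe}
            if len(distinct) > threshold:
                hits.append(host)
                break
    return sorted(hits)


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0, 0)


def _ev(sec, host, cmdline):
    return {"ts": T0 + timedelta(seconds=sec), "Computer": host, "CommandLine": cmdline}


SAMPLE_EVENTS = [
    # WS01: an interactive recon burst, five different commands inside 10 s
    _ev(0, "WS01", "whoami"),
    _ev(2, "WS01", "hostname.exe"),
    _ev(5, "WS01", "systeminfo"),
    _ev(8, "WS01", "net time"),
    _ev(10, "WS01", r"C:\Windows\system32\net1 user /domain"),
    _ev(12, "WS01", "whoami /all"),        # full-string value 'whoami' does not match this
    # WS02: a logon script calling whoami five times in 4 s
    *[_ev(20 + i, "WS02", "whoami") for i in range(5)],
    # WS03: five recon commands spread over 80 s, never more than one per 15 s window
    _ev(100, "WS03", "tasklist"),
    _ev(120, "WS03", "net start"),
    _ev(140, "WS03", "nbtstat"),
    _ev(160, "WS03", "qprocess"),
    _ev(180, "WS03", "nslookup"),
]

if __name__ == "__main__":
    print("as written, fired on command lines:", rule_as_written(SAMPLE_EVENTS))
    print("per-host distinct variant, fired on hosts:", distinct_commands_per_host(SAMPLE_EVENTS))
```

On the sample data the condition as written fires only on "whoami", because WS02's logon script repeats that one command five times, while the five different recon commands on WS01 never produce more than one event per command line and so stay silent; the per-host variant reverses that picture and fires on WS01 only. When porting this rule to a SIEM, or rewriting it as a Sigma correlation rule, decide explicitly which of the two behaviours is wanted and which field (host, user, session) the count should be keyed on.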
Related rules
- System Information Discovery - Auditd
- Suspicious Execution of Hostname
- Suspicious Query of MachineGUID
- Hacktool Ruler
- Renamed Whoami Execution