Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
Sigma rule (View on GitHub)
1title: Suspicious Remote Logon with Explicit Credentials
2id: 941e5c45-cda7-4864-8cea-bbb7458d194a
3status: test
4description: Detects suspicious processes logging on with explicit credentials
5references:
6 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
7author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
8date: 2020-10-05
9modified: 2022-08-03
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.initial-access
14 - attack.defense-evasion
15 - attack.t1078
16 - attack.lateral-movement
17logsource:
18 product: windows
19 service: security
20detection:
21 selection:
22 EventID: 4648
23 ProcessName|endswith:
24 - '\cmd.exe'
25 - '\powershell.exe'
26 - '\pwsh.exe'
27 - '\winrs.exe'
28 - '\wmic.exe'
29 - '\net.exe'
30 - '\net1.exe'
31 - '\reg.exe'
32 filter1:
33 TargetServerName: 'localhost'
34 filter2:
35 SubjectUserName|endswith: '$'
36 TargetUserName|endswith: '$'
37 condition: selection and not 1 of filter*
38falsepositives:
39 - Administrators that use the RunAS command or scheduled tasks
40level: medium
References
Related rules
- AWS Suspicious SAML Activity
- OpenCanary - SSH Login Attempt
- OpenCanary - SSH New Connection Attempt
- Password Provided In Command Line Of Net.EXE
- AWS Key Pair Import Activity