Network Reconnaissance Activity

calendar Aug 12, 2024 · attack.discovery attack.t1087 attack.t1082 car.2016-03-001  ·
Share on: linkedin copy

Detects a set of suspicious network related commands often used in recon stages

Sigma rule (View on GitHub)

 1title: Network Reconnaissance Activity
 2id: e6313acd-208c-44fc-a0ff-db85d572e90e
 3status: test
 4description: Detects a set of suspicious network related commands often used in recon stages
 5references:
 6    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 7author: Florian Roth (Nextron Systems)
 8date: 2022-02-07
 9tags:
10    - attack.discovery
11    - attack.t1087
12    - attack.t1082
13    - car.2016-03-001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'nslookup'
21            - '_ldap._tcp.dc._msdcs.'
22    condition: selection
23falsepositives:
24    - False positives depend on scripts and administrative tools used in the monitored environment
25level: high

References

  • Qbot Likes to Move It, Move It

    Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following links: Microsoft & Red Canary I…


    Read More

Related rules

to-top