Network Reconnaissance Activity

Detects nslookup queries for the _ldap._tcp.dc._msdcs. SRV record, a command commonly used to locate domain controllers during the reconnaissance stage of an intrusion

Sigma rule

title: Network Reconnaissance Activity
id: e6313acd-208c-44fc-a0ff-db85d572e90e
status: test
description: Detects a set of suspicious network related commands often used in recon stages
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
author: Florian Roth (Nextron Systems)
date: 2022/02/07
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'nslookup'
            - '_ldap._tcp.dc._msdcs.'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
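The following is an added example, not part of the Sigma rule above or of the SigmaHQ project: a minimal Python evaluator for the rule's CommandLine|contains|all selection, run over constructed process_creation events. It applies Sigma's default case-insensitive substring matching (both listed values must appear anywhere in the command line) and includes cases a practitioner would want to check: an ordinary nslookup lookup that matches only one value, an event with no CommandLine field, and the same SRV record queried through PowerShell's Resolve-DnsName, which this rule does not cover because the string 'nslookup' never appears. The domain corp.example.com, the ProcessGuid values and the file paths are constructed for illustration.

```python
"""
Added example (not part of the Sigma rule or the page): a minimal evaluator for
the rule's selection, run over constructed process_creation events.
Event field names follow the Sigma Windows process_creation taxonomy
(CommandLine, Image, ProcessGuid); sample values are constructed.
"""

# The rule's selection: CommandLine|contains|all
REQUIRED_SUBSTRINGS = ("nslookup", "_ldap._tcp.dc._msdcs.")


def selection_matches(event: dict) -> bool:
    """Return True when every required substring occurs in CommandLine.

    Sigma string matching is case-insensitive unless the |cased modifier is
    used, so both sides are lower-cased before the substring test. An event
    without a CommandLine field cannot match.
    """
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return False
    haystack = cmdline.lower()
    return all(needle.lower() in haystack for needle in REQUIRED_SUBSTRINGS)


def evaluate(events: list[dict]) -> list[str]:
    """Return the ProcessGuid of each event that satisfies the rule's condition."""
    return [e["ProcessGuid"] for e in events if selection_matches(e)]


# Constructed sample events (hypothetical domain corp.example.com).
SAMPLE_EVENTS = [
    {   # Domain-controller discovery via SRV lookup: should alert
        "ProcessGuid": "evt-1",
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com",
    },
    {   # Same query launched through cmd.exe in mixed case: should alert
        "ProcessGuid": "evt-2",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "NSLOOKUP -q=srv _LDAP._TCP.DC._MSDCS.corp.example.com"',
    },
    {   # Ordinary name resolution: only one of the two substrings present
        "ProcessGuid": "evt-3",
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup www.example.com",
    },
    {   # Same SRV record queried with Resolve-DnsName: outside this rule's
        # scope because the string 'nslookup' never appears
        "ProcessGuid": "evt-4",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Resolve-DnsName -Type SRV _ldap._tcp.dc._msdcs.corp.example.com",
    },
    {   # Event with no command line recorded: cannot match
        "ProcessGuid": "evt-5",
        "Image": r"C:\Windows\System32\nslookup.exe",
    },
]

if __name__ == "__main__":
    for guid in evaluate(SAMPLE_EVENTS):
        print("ALERT", guid)
```

Running the block alerts on evt-1 and evt-2 only. evt-4 shows the gap a hunter should keep in mind: the rule keys on the nslookup binary, not on the DNS query itself, so the same discovery step performed with Resolve-DnsName, dig or a scripted DNS client needs separate coverage (for example DNS query logging). The rule's falsepositives note applies to evt-1 and evt-2 as well: administrative scripts that locate domain controllers the same way will trigger it and need environment-specific tuning.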
