Weak or Abused Passwords In CLI

Detects weak or frequently abused passwords (ones seen used by threat actors) passed on the command line. A typical hit is a threat actor creating a new local or domain user with the net command and supplying the password inline (for example `net user <name> <password> /add`). The rule depends on command-line capture in process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 with the "Include command line in process creation events" policy enabled); without it the CommandLine field is empty and the rule cannot fire.

Sigma rule

title: Weak or Abused Passwords In CLI
id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4
status: test
description: Detects weak or frequently abused passwords (seen used by threat actors) passed on the command line. An example would be a threat actor creating a new user via the net command and providing the password inline
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/14
modified: 2022/11/06
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Add more passwords
            - 'Asd123.aaaa'
            - 'password123' # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
            - '123456789'
            - 'P@ssw0rd!'
            - 'Decryptme'
    condition: selection
falsepositives:
    - Legitimate usage of the passwords by users via commandline (should be discouraged)
    - Other currently unknown false positives
level: medium
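The following is an added example, not part of the Sigma rule or the SigmaHQ project, that re-implements the rule's single `CommandLine|contains` selection in Python and runs it over a handful of constructed process_creation events. It exists to make one point concrete: Sigma's `contains` modifier on string values is case-insensitive, which is why the `password123` entry also catches the `PASSWORD123123!` value cited from the DEV-0832 report. The event dicts, user names and command lines below are made up for illustration; only the password list is taken from the rule.

```python
# Added example: evaluate the "Weak or Abused Passwords In CLI" selection
# over constructed process_creation events. Not SigmaHQ code.

# Substrings copied from the rule's CommandLine|contains list.
WEAK_PASSWORDS = [
    "Asd123.aaaa",
    "password123",
    "123456789",
    "P@ssw0rd!",
    "Decryptme",
]


def matches_rule(command_line: str) -> list:
    """Return the list of weak-password indicators present in command_line.

    Sigma's `contains` modifier compares string values case-insensitively,
    so both sides are lower-cased before the substring test. An empty list
    means the selection (and therefore the rule) does not fire.
    """
    cl = command_line.lower()
    return [p for p in WEAK_PASSWORDS if p.lower() in cl]


# Constructed sample events (not real telemetry). Each carries the two
# fields a windows/process_creation log source would expose that matter here.
SAMPLE_EVENTS = [
    # Inline password from the DEV-0832 report's pattern: case differs from the rule entry.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user backup_adm PASSWORD123123! /add"},
    # Classic default-style password supplied to net1 for a domain account.
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user svc_sql P@ssw0rd! /add /domain"},
    # Same action with a strong random password: should NOT fire.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user john Xq7$vL!9pRm2 /add"},
    # The indicator does not have to appear in a net command to match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo Decryptme > C:\\Users\\Public\\note.txt"},
]


def run_rule(events) -> list:
    """Evaluate the rule over an iterable of events.

    Returns (event, hits) pairs for every event whose CommandLine contains
    at least one listed password; events without the field are skipped.
    """
    alerts = []
    for ev in events:
        hits = matches_rule(ev.get("CommandLine", ""))
        if hits:
            alerts.append((ev, hits))
    return alerts


if __name__ == "__main__":
    for ev, hits in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {ev['CommandLine']}")
```

When translating the rule to a SIEM query, confirm that the backend honours Sigma's case-insensitive `contains` semantics; a backend that emits a case-sensitive substring match would miss the upper-case variant in the first sample event. Note also that the `123456789` entry will match any command line carrying that digit run, which is a likely source of the "currently unknown false positives" the rule lists.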
