SigmaHQ/rules/windows/process_creation/win_susp_recon_activity.yml

title: Suspicious Reconnaissance Activity
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: experimental
description: Detects suspicious command line activity on Windows systems
author: Florian Roth
tags:
    - attack.discovery
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - net group "domain admins" /domain
            - net localgroup administrators
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Inventory tool runs
    - Penetration tests
    - Administrative activity
analysis:
    recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
level: medium
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Suspicious Reconnaissance Activity`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`status: experimental`
			`description: Detects suspicious command line activity on Windows systems`
			`author: Florian Roth`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`tags:`
			`- attack.discovery`
			`- attack.t1087`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
			`CommandLine:`
			`- net group "domain admins" /domain`
			`- net localgroup administrators`
			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`fields:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Inventory tool runs`
			`- Penetration tests`
			`- Administrative activity`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`analysis:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: medium`