SigmaHQ/rules/windows/sysmon/sysmon_susp_recon_activity.yml

title: Suspicious Reconnaissance Activity
status: experimental
description: Detects suspicious command line activity on Windows systems
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine:
            - 'net group "domain admins" /domain'
            - 'net localgroup administrators'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Inventory tool runs
    - Penetration tests
    - Administrative activity
analysis:
    recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
level: medium
Rule: Windows recon activity 2017-03-16 17:59:17 +00:00			`title: Suspicious Reconnaissance Activity`
			`status: experimental`
			`description: Detects suspicious command line activity on Windows systems`
			`author: Florian Roth`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 1`
			`CommandLine:`
			`- 'net group "domain admins" /domain'`
			`- 'net localgroup administrators'`
			`condition: selection`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
Rule: Windows recon activity 2017-03-16 17:59:17 +00:00			`falsepositives:`
			`- Inventory tool runs`
			`- Penetration tests`
			`- Administrative activity`
			`analysis:`
			`recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)`
			`level: medium`