SigmaHQ/rules/windows/process_creation/win_multiple_suspicious_cli.yml

title: Quick Execution of a Series of Suspicious Commands
id: 61ab5496-748e-4818-a92f-de78e20fe7f1
description: Detects multiple suspicious process in a limited timeframe
status: experimental
references:
    - https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
date: 2019/01/16
tags:
    - car.2013-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - arp.exe
            - at.exe
            - attrib.exe
            - cscript.exe
            - dsquery.exe
            - hostname.exe
            - ipconfig.exe
            - mimikatz.exe
            - nbtstat.exe
            - net.exe
            - netsh.exe
            - nslookup.exe
            - ping.exe
            - quser.exe
            - qwinsta.exe
            - reg.exe
            - runas.exe
            - sc.exe
            - schtasks.exe
            - ssh.exe
            - systeminfo.exe
            - taskkill.exe
            - telnet.exe
            - tracert.exe
            - wscript.exe
            - xcopy.exe
            - pscp.exe
            - copy.exe
            - robocopy.exe
            - certutil.exe
            - vssadmin.exe
            - powershell.exe
            - wevtutil.exe
            - psexec.exe
            - bcedit.exe
            - wbadmin.exe
            - icacls.exe
            - diskpart.exe
    timeframe: 5m
    condition: selection | count() by MachineName > 5
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: low
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Quick Execution of a Series of Suspicious Commands`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 61ab5496-748e-4818-a92f-de78e20fe7f1`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`description: Detects multiple suspicious process in a limited timeframe`
			`status: experimental`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://car.mitre.org/wiki/CAR-2013-04-002`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: juju4`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2019/01/16`
Added CAR tags 2019-03-15 23:37:09 +00:00			`tags:`
			`- car.2013-04-002`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
			`CommandLine:`
			`- arp.exe`
			`- at.exe`
			`- attrib.exe`
			`- cscript.exe`
			`- dsquery.exe`
			`- hostname.exe`
			`- ipconfig.exe`
			`- mimikatz.exe`
nbstat.exe -> nbtstat.exe 2019-03-11 18:28:29 +00:00			`- nbtstat.exe`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- net.exe`
			`- netsh.exe`
			`- nslookup.exe`
			`- ping.exe`
			`- quser.exe`
			`- qwinsta.exe`
			`- reg.exe`
			`- runas.exe`
			`- sc.exe`
			`- schtasks.exe`
			`- ssh.exe`
			`- systeminfo.exe`
			`- taskkill.exe`
			`- telnet.exe`
			`- tracert.exe`
			`- wscript.exe`
			`- xcopy.exe`
			`- pscp.exe`
			`- copy.exe`
			`- robocopy.exe`
			`- certutil.exe`
			`- vssadmin.exe`
			`- powershell.exe`
			`- wevtutil.exe`
			`- psexec.exe`
			`- bcedit.exe`
			`- wbadmin.exe`
			`- icacls.exe`
			`- diskpart.exe`
			`timeframe: 5m`
			`condition: selection \| count() by MachineName > 5`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- False positives depend on scripts and administrative tools used in the monitored environment`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: low`