Merge pull request #23 from MHaggis/master

wmic and net

rules/windows/sysmon/sysmon_susp_net_execution.yml

@@ -0,0 +1,25 @@
+title: Net.exe execution
+status: experimental
+description: Detects execution of Net.exe, whether suspicious or benign.
+reference: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
+author: Michael Haag
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:
+            - '*\net.exe'
+        CommandLine:
+            - 'net group*'
+            - 'net localgroup*'
+            - 'net user*'
+            - 'net view*'
+            - 'net share'
+            - 'net accounts*'
+            - 'net use*'
+    condition: selection
+falsepositives:
+    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
+level: medium

rules/windows/sysmon/sysmon_susp_wmi_execution.yml

@@ -0,0 +1,20 @@
+title: WMI execution
+status: experimental
+description: Detects WMI executing suspicious commands.
+reference: https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
+author: Michael Haag
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:
+            - '*\wmic.exe'
+        CommandLine:
+            - '*process call create*'
+            - '*/NODE:*'
+    condition: selection
+falsepositives:
+    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by computer/CommandLine.
+level: medium