New recon activity rule

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -0,0 +1,42 @@
+---
+action: global
+title: Detects Reconnaissance Activity with Net Command
+status: experimental
+description: 'Detects a set of commands often used in recon stages by different attack groups' 
+reference: 
+    - https://twitter.com/haroonmeer/status/939099379834658817
+    - https://twitter.com/c_APT_ure/status/939475433711722497
+author: Florian Roth
+date: 2017/12/12
+detection:
+    selection:
+        CommandLine: 
+            - 'tasklist'
+            - 'net time'
+            - 'systeminfo'
+            - 'whoami'
+            - 'nbtstat'
+            - 'net start'
+            - '*\net1 start'
+            - 'qprocess'
+            - 'nslookup'
+    timeframe: 1m 
+    condition: selection | count() > 2
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688