From 379b2dd207fee54a290852c5ef015c29321c22e1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 11 Dec 2017 09:31:41 +0100
Subject: [PATCH] New recon activity rule
---
 .../win_susp_commands_recon_activity.yml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 rules/windows/builtin/win_susp_commands_recon_activity.yml
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
new file mode 100644
index 00000000..b8a9224d
--- /dev/null
+++ b/rules/windows/builtin/win_susp_commands_recon_activity.yml
@@ -0,0 +1,42 @@
+---
+action: global
+title: Detects Reconnaissance Activity with Net Command
+status: experimental
+description: 'Detects a set of commands often used in recon stages by different attack groups'
+reference:
+ - https://twitter.com/haroonmeer/status/939099379834658817
+ - https://twitter.com/c_APT_ure/status/939475433711722497
+author: Florian Roth
+date: 2017/12/12
+detection:
+ selection:
+ CommandLine:
+ - 'tasklist'
+ - 'net time'
+ - 'systeminfo'
+ - 'whoami'
+ - 'nbtstat'
+ - 'net start'
+ - '*\net1 start'
+ - 'qprocess'
+ - 'nslookup'
+ timeframe: 1m
+ condition: selection | count() > 2
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+---
+logsource:
+ product: windows
+ service: security
+ description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+ selection:
+ EventID: 4688
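Review bot: The aggregation in `condition: selection | count() > 2` has no grouping key, so the threshold is applied to all matching process-creation events across the whole log source within the one-minute timeframe rather than per host; on a large estate three unrelated administrators each running one of the listed commands in the same minute would satisfy it. Grouping the count by host, `condition: selection | count() by ComputerName > 2`, makes the threshold mean what the title implies and keeps the false-positive note accurate. Separately, a plain Sigma string value matches the whole field, so entries such as `'tasklist'` or `'whoami'` will not match an invocation with arguments or a full path; the `'*\net1 start'` entry shows the wildcard form that the other entries likely need as well. The hunk adds the file in full, so nothing of the rule lies outside it.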