zinint 2019-10-27 23:49:07 +03:00 committed by GitHub
parent 55eaae1cea
commit 87c8326133
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,30 @@
title: System Owner/User Discovery
status: experimental
description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
author: Timur Zinniatullin, oscd.community
references:
- https://attack.mitre.org/techniques/T1033/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*cmd.exe*/c*whoami*'
- '*wmic*useraccount*get*'
- '*quser*'
- '*qwinsta*'
condition: selection
fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
level: low
tags:
- attack.discovery
- attack.t1033
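Review bot: the `CommandLine` patterns in the `selection` block are inconsistent in scope: `'*cmd.exe*/c*whoami*'` only fires when whoami is launched through `cmd.exe /c`, so a bare `whoami /all` spawned directly from PowerShell, a scheduled task or a C2 stager never matches this rule, while `'*quser*'` and `'*qwinsta*'` match any command line that merely contains those substrings (including paths or unrelated arguments). Consider either dropping the `cmd.exe*/c` prefix so the pattern is `'*whoami*'`, or adding a second selection keyed on `Image|endswith` for `\whoami.exe`, `\quser.exe` and `\qwinsta.exe`, and tighten the quser/qwinsta patterns accordingly. Separately, the file has no `id`, `date` or `falsepositives` field; at `level: low` a `falsepositives` entry noting routine administrator use of quser/qwinsta for session management would be expected, and the Sigma repository tests require a UUID `id`.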