mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
37 lines
1.1 KiB
YAML
37 lines
1.1 KiB
YAML
title: Suspicious Reconnaissance Activity
|
|
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
|
|
status: experimental
|
|
description: Detects suspicious command line activity on Windows systems
|
|
author: Florian Roth, omkar72
|
|
date: 2019/01/16
|
|
modified: 2021/08/09
|
|
references:
|
|
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
|
|
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1087.001
|
|
- attack.t1087.002
|
|
- attack.t1087 # an old one
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
CommandLine:
|
|
- net group "domain admins" /dom
|
|
- net localgroup administrators
|
|
- net group "enterprise admins" /dom
|
|
- net accounts /dom
|
|
condition: selection
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- Inventory tool runs
|
|
- Penetration tests
|
|
- Administrative activity
|
|
analysis:
|
|
recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
|
|
level: medium
|