mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
72 lines
1.8 KiB
YAML
72 lines
1.8 KiB
YAML
action: global
|
|
title: Quick Execution of a Series of Suspicious Commands
|
|
description: Detects multiple suspicious process in a limited timeframe
|
|
status: experimental
|
|
references:
|
|
- https://car.mitre.org/wiki/CAR-2013-04-002
|
|
author: juju4
|
|
detection:
|
|
selection:
|
|
CommandLine:
|
|
- arp.exe
|
|
- at.exe
|
|
- attrib.exe
|
|
- cscript.exe
|
|
- dsquery.exe
|
|
- hostname.exe
|
|
- ipconfig.exe
|
|
- mimikatz.exe
|
|
- nbstat.exe
|
|
- net.exe
|
|
- netsh.exe
|
|
- nslookup.exe
|
|
- ping.exe
|
|
- quser.exe
|
|
- qwinsta.exe
|
|
- reg.exe
|
|
- runas.exe
|
|
- sc.exe
|
|
- schtasks.exe
|
|
- ssh.exe
|
|
- systeminfo.exe
|
|
- taskkill.exe
|
|
- telnet.exe
|
|
- tracert.exe
|
|
- wscript.exe
|
|
- xcopy.exe
|
|
# others
|
|
- pscp.exe
|
|
- copy.exe
|
|
- robocopy.exe
|
|
- certutil.exe
|
|
- vssadmin.exe
|
|
- powershell.exe
|
|
- wevtutil.exe
|
|
- psexec.exe
|
|
- bcedit.exe
|
|
- wbadmin.exe
|
|
- icacls.exe
|
|
- diskpart.exe
|
|
timeframe: 5min
|
|
condition: selection | count() > 5
|
|
falsepositives:
|
|
- False positives depend on scripts and administrative tools used in the monitored environment
|
|
level: low
|
|
---
|
|
# Windows Audit Log
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
|
detection:
|
|
selection:
|
|
EventID: 4688
|
|
---
|
|
# Sysmon
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID: 1
|