SigmaHQ/rules/windows/sysmon/sysmon_susp_recon_activity.yml

title: Suspicious Reconnaissance Activity
status: experimental
description: Detects suspicious command line activity on Windows systems
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine:
            - 'net group "domain admins" /domain'
            - 'net localgroup administrators'
    condition: selection
falsepositives:
    - Inventory tool runs
    - Penetration tests
    - Administrative activity
analysis:
    recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
level: medium