SigmaHQ/rules/windows/builtin/win_susp_commands_recon_activity.yml

---
action: global
title: Reconnaissance Activity with Net Command
status: experimental
description: 'Detects a set of commands often used in recon stages by different attack groups' 
references:
    - https://twitter.com/haroonmeer/status/939099379834658817
    - https://twitter.com/c_APT_ure/status/939475433711722497
author: Florian Roth
date: 2017/12/12
detection:
    selection:
        CommandLine: 
            - 'tasklist'
            - 'net time'
            - 'systeminfo'
            - 'whoami'
            - 'nbtstat'
            - 'net start'
            - '*\net1 start'
            - 'qprocess'
            - 'nslookup'
    timeframe: 1m 
    condition: selection | count() > 2
falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
---
logsource:
    product: windows
    service: security
    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688