SigmaHQ/rules/windows/process_creation/win_remote_time_discovery.yml
2019-10-28 11:59:49 +01:00



title: Remote System Time Discovery
description: Identifies use of various commands to query a remote system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame)
date: 2019/10/24
tags:
    - attack.discovery
    - attack.t1124
detection:
    selection1:
        Image:
            - '*net.exe'
        CommandLine:
            - '* time *'
    selection2:
        CommandLine:
            # Sigma escaping: '\\\\' is two literal backslashes, so this matches a
            # UNC path such as \\server; '*\\\*' would match a literal '\*' instead
            - '*\\\\*'
    condition: selection1 and selection2
falsepositives:
    - legit admin usage
level: high
logsource:
    category: process_creation
    product: windows
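To see what this rule actually matches, here is an added example (not part of the SigmaHQ repository and not the sigmac converter) that implements the Sigma wildcard escaping rules from the specification, evaluates `selection1 and selection2` against a few constructed process-creation events, and shows why the number of backslashes in the `selection2` pattern matters: `'*\\\\*'` matches a UNC path such as `\\DC01`, while `'*\\\*'` only matches a literal `\*`. The event dictionaries and the `sigma_to_regex`/`rule_matches` helpers are assumptions made for this example.

```python
import re

# Translate a Sigma wildcard pattern into a Python regex using the escaping
# rules of the Sigma specification:
#   '\*'   -> literal '*'          '\\*'  -> literal '\' then wildcard
#   '\\\*' -> literal '\' and '*'  '\\\\' -> two literal backslashes
# A plain backslash not followed by a wildcard may be written as '\' or '\\'.
def sigma_to_regex(pattern: str) -> str:
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            j = i
            while j < n and pattern[j] == "\\":
                j += 1
            run = j - i
            if j < n and pattern[j] in "*?":
                # even run: backslashes followed by a real wildcard; odd run:
                # the last backslash escapes the wildcard into a literal char
                out.append(re.escape("\\" * (run // 2)))
                if run % 2 == 1:
                    out.append(re.escape(pattern[j]))
                else:
                    out.append(".*" if pattern[j] == "*" else ".")
                i = j + 1
            else:
                # '\' and '\\' -> one backslash, '\\\' and '\\\\' -> two
                out.append(re.escape("\\" * ((run + 1) // 2)))
                i = j
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


# Sigma string matching is case-insensitive and the pattern must cover the
# whole field value (hence the leading/trailing '*' in the rule).
def matches(value: str, pattern: str) -> bool:
    return re.fullmatch(sigma_to_regex(pattern), value, re.IGNORECASE | re.DOTALL) is not None


# The detection section of the rule above, kept as plain data.
RULE = {
    "selection1": {"Image": ["*net.exe"], "CommandLine": ["* time *"]},
    "selection2": {"CommandLine": [r"*\\\\*"]},
}


# Within a selection every field must match; a field with a list of values
# matches if any one value matches.
def selection_matches(event: dict, selection: dict) -> bool:
    return all(
        any(matches(str(event.get(field, "")), p) for p in patterns)
        for field, patterns in selection.items()
    )


# condition: selection1 and selection2
def rule_matches(event: dict) -> bool:
    return selection_matches(event, RULE["selection1"]) and selection_matches(
        event, RULE["selection2"]
    )


# Constructed process-creation events for illustration (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net time \\DC01"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net time"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd /c net time \\DC01"},
]


def alerting_command_lines(events: list) -> list:
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(rule_matches(e), e["CommandLine"])
    print("four backslashes ->", sigma_to_regex(r"*\\\\*"))
    print("three backslashes ->", sigma_to_regex(r"*\\\*"))
```

Only the first event fires: the second has no UNC path, and the third runs through `cmd.exe`, so `Image` does not end in `net.exe`. The last two lines show the regexes the two spellings of the pattern produce, which is the quickest way to check a Sigma rule's escaping before deploying it.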