mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-07 01:55:21 +00:00
56 lines
1.7 KiB
YAML
Executable File
56 lines
1.7 KiB
YAML
Executable File
---
|
|
action: global
|
|
title: Reconnaissance Activity with Net Command
|
|
status: experimental
|
|
description: 'Detects a set of commands often used in recon stages by different attack groups'
|
|
references:
|
|
- https://twitter.com/haroonmeer/status/939099379834658817
|
|
- https://twitter.com/c_APT_ure/status/939475433711722497
|
|
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
|
|
author: Florian Roth, Markus Neis
|
|
date: 2018/08/22
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1073
|
|
- attack.t1012
|
|
detection:
|
|
selection:
|
|
CommandLine:
|
|
- 'tasklist'
|
|
- 'net time'
|
|
- 'systeminfo'
|
|
- 'whoami'
|
|
- 'nbtstat'
|
|
- 'net start'
|
|
- '*\net1 start'
|
|
- 'qprocess'
|
|
- 'nslookup'
|
|
- 'hostname.exe'
|
|
- '*\net1 user /domain'
|
|
- '*\net1 group /domain'
|
|
- '*\net1 group "domain admins" /domain'
|
|
- '*\net1 group "Exchange Trusted Subsystem" /domain'
|
|
- '*\net1 accounts /domain'
|
|
- '*\net1 user net localgroup administrators'
|
|
- 'netstat -an'
|
|
timeframe: 15s
|
|
condition: selection | count() by CommandLine > 4
|
|
falsepositives:
|
|
- False positives depend on scripts and administrative tools used in the monitored environment
|
|
level: medium
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID: 1
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
|
detection:
|
|
selection:
|
|
EventID: 4688
|