Techniques
Sample rules
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
- source: sigma
- techniques:
- t1087
- t1087.001
- t1087.002
Description
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM).
Detection logic
condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
filter_group_add:
  CommandLine|contains: ' /add'
selection_accounts_flags:
  CommandLine|contains: ' /do'
selection_accounts_root:
  CommandLine|contains: ' accounts '
selection_group_flags:
  CommandLine|contains:
    - domain admins
    - ' administrator'
    - ' administrateur'
    - enterprise admins
    - Exchange Trusted Subsystem
    - Remote Desktop Users
    - "Utilisateurs du Bureau \xE0 distance"
    - Usuarios de escritorio remoto
    - ' /do'
selection_group_root:
  CommandLine|contains:
    - ' group '
    - ' localgroup '
selection_img:
  - Image|endswith:
      - \net.exe
      - \net1.exe
  - OriginalFileName:
      - net.exe
      - net1.exe
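The condition above is easier to reason about when run over concrete records. The following is an added example, not code from the Sigma project: it reimplements the rule's selections, filter and condition in plain Python and runs them over constructed process-creation events whose field names (Image, OriginalFileName, CommandLine, User) mirror a Sysmon Event ID 1 record. The is_suspicious_user helper is an assumption that turns the description's triage hint (service accounts, LOCAL_SYSTEM) into a heuristic; it is not part of the rule.

```python
"""Plain-Python reimplementation of the rule's detection logic.

Added example, not code from the Sigma project. The event records below are
constructed; their field names mirror a Sysmon Event ID 1 process-creation record.
"""

# Sigma string matching is case-insensitive by default, so every comparison
# lowercases both sides. Backslashes in the rule are literal path separators.
SELECTION_GROUP_FLAGS = [
    "domain admins", " administrator", " administrateur", "enterprise admins",
    "exchange trusted subsystem", "remote desktop users",
    "utilisateurs du bureau \xe0 distance", "usuarios de escritorio remoto", " /do",
]
SELECTION_GROUP_ROOT = [" group ", " localgroup "]
SELECTION_ACCOUNTS_ROOT = [" accounts "]
SELECTION_ACCOUNTS_FLAGS = [" /do"]
FILTER_GROUP_ADD = [" /add"]
IMAGE_ENDSWITH = ["\\net.exe", "\\net1.exe"]
ORIGINAL_FILENAMES = ["net.exe", "net1.exe"]


def contains_any(value, needles):
    """Sigma `|contains` over a list: true if any needle occurs in value."""
    value = (value or "").lower()
    return any(needle.lower() in value for needle in needles)


def selection_img(event):
    """Process is net.exe/net1.exe by path suffix or by PE OriginalFileName;
    the second check still fires when the binary was copied under another name."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return any(image.endswith(s) for s in IMAGE_ENDSWITH) or original in ORIGINAL_FILENAMES


def rule_matches(event):
    """selection_img and ((all of selection_group_* and not filter_group_add)
    or all of selection_accounts_*)"""
    if not selection_img(event):
        return False
    cmd = event.get("CommandLine", "")
    group_recon = (
        contains_any(cmd, SELECTION_GROUP_ROOT)
        and contains_any(cmd, SELECTION_GROUP_FLAGS)
        and not contains_any(cmd, FILTER_GROUP_ADD)
    )
    accounts_recon = (
        contains_any(cmd, SELECTION_ACCOUNTS_ROOT)
        and contains_any(cmd, SELECTION_ACCOUNTS_FLAGS)
    )
    return group_recon or accounts_recon


def is_suspicious_user(user):
    """Triage heuristic derived from the rule description (an assumption, not
    part of the rule): LOCAL_SYSTEM, a machine account ($) or an account whose
    name starts with SVC running net.exe recon is worth a closer look."""
    u = (user or "").upper()
    return u in {"NT AUTHORITY\\SYSTEM", "LOCAL_SYSTEM"} or u.endswith("$") or "\\SVC" in u


def matching_events(events):
    """Return the events the rule fires on, in input order."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'net group "Domain Admins" /domain', "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net1.exe", "OriginalFileName": "net1.exe",
     "CommandLine": "net1 localgroup Administrators", "User": r"NT AUTHORITY\SYSTEM"},
    # Excluded by filter_group_add: a membership change, not reconnaissance.
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net localgroup Administrators placeholder_user /add", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net accounts /domain", "User": r"CORP\WS01$"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"net use \\fileserver\share", "User": r"CORP\jdoe"},
    # Renamed copy: the path suffix misses, OriginalFileName still catches it.
    {"Image": r"C:\Users\Public\n.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'n group "Enterprise Admins" /domain', "User": r"CORP\jdoe"},
    # Parent shell record, not net.exe itself: selection_img does not match it.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd /c net group "Domain Admins" /domain', "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        flag = "  <- suspicious user" if is_suspicious_user(e["User"]) else ""
        print(f"{e['User']:<22} {e['CommandLine']}{flag}")
```

Four of the seven constructed events match: the two group listings, the renamed net.exe copy (caught only through OriginalFileName) and the net accounts query. The /add event is dropped by filter_group_add, and the cmd.exe record shows that the rule keys on the net.exe process itself, so the child process event, not the parent shell, is what it fires on.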