Chain Reaction - Reactor - Detection
Tactic: Discovery
Technique: System Owner/User Discovery
Baseline
process_name:qwinsta.exe
process_name:rwinsta.exe
process_name:quser.exe
Monitor
process_name:qwinsta.exe OR process_name:rwinsta.exe OR process_name:quser.exe
Tactic: Credential Access, Lateral Movement
Technique: Brute Force
Technique: Windows Admin Shares
Baseline
process_name:net.exe
process_name:net.exe cmdline:ipc$
process_name:net.exe AND netconn_count:[1 TO *]
Monitor
process_name:net.exe AND cmdline:ipc$
process_name:net.exe AND netconn_count:[1 TO *]
Tactic: Discovery
Technique: Security Software Discovery
Baseline
process_name:tasklist.exe
parent_name:tasklist.exe process_name:findstr.exe
process_name:powershell.exe cmdline:iex
process_name:powershell.exe AND netconn_count:[1 TO *]
Monitor
process_name:findstr.exe cmdline:cb
process_name:powershell.exe AND (cmdline:iex\(\(New-Object OR cmdline:\"iex\(New-Object OR cmdline:iex OR cmdline:\"iex)
process_name:powershell.exe AND netconn_count:[1 TO *]
Tactic: Execution, Discovery
Technique: PowerShell
Technique: Multiple Discovery
Baseline
process_name:powershell.exe AND netconn_count:[1 TO *]
Monitor
process_name:powershell.exe AND netconn_count:[1 TO *]
Tactic: Collection
Technique: Automated Collection
Baseline
filemod_count:[1 TO 1000] (process_name:cmd.exe OR process_name:powershell.exe)
Tactic: Exfiltration
Technique: Data Compressed
Baseline
process_name:winrar.exe
process_name:rar.exe
process_name:tar
process_name:7z.exe
process_name:unzip
process_name:winzip.exe
process_name:powershell.exe cmdline:compress-archive
Monitor
process_name:powershell.exe cmdline:compress-archive