Merge branch 'CAR-2013-04-002b' of https://github.com/juju4/sigma into juju4-CAR-2013-04-002b

rules/windows/builtin/win_multiple_suspicious_cli.yml

@@ -0,0 +1,59 @@
+title: Detects Quick execution of a series of suspicious commands
+description: Detects multiple suspicious process in a limited timeframe
+status: experimental
+reference: 
+    - https://car.mitre.org/wiki/CAR-2013-04-002
+author: juju4
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine: 
+            - arp.exe
+            - at.exe
+            - attrib.exe
+            - cscript.exe
+            - dsquery.exe
+            - hostname.exe
+            - ipconfig.exe
+            - mimikatz.exe
+            - nbstat.exe
+            - net.exe
+            - netsh.exe
+            - nslookup.exe
+            - ping.exe
+            - quser.exe
+            - qwinsta.exe
+            - reg.exe
+            - runas.exe
+            - sc.exe
+            - schtasks.exe
+            - ssh.exe
+            - systeminfo.exe
+            - taskkill.exe
+            - telnet.exe
+            - tracert.exe
+            - wscript.exe
+            - xcopy.exe
+# others
+            - pscp.exe
+            - copy.exe
+            - robocopy.exe
+            - certutil.exe
+            - vssadmin.exe
+            - powershell.exe
+            - wevtutil.exe
+            - psexec.exe
+            - bcedit.exe
+            - wbadmin.exe
+            - icacls.exe
+            - diskpart.exe
+#    timeframe: 30min
+    timeframe: 5min
+    condition: selection | count() > 5 within timeframe
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium