action: global
title: Quick Execution of a Series of Suspicious Commands
description: Detects multiple suspicious processes in a limited timeframe
status: experimental
references:
    - https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
modified: 2012/12/11
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: low
---
# Windows Audit Log
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        ProcessCommandLine:
            - arp.exe
            - at.exe
            - attrib.exe
            - cscript.exe
            - dsquery.exe
            - hostname.exe
            - ipconfig.exe
            - mimikatz.exe
            - nbstat.exe
            - net.exe
            - netsh.exe
            - nslookup.exe
            - ping.exe
            - quser.exe
            - qwinsta.exe
            - reg.exe
            - runas.exe
            - sc.exe
            - schtasks.exe
            - ssh.exe
            - systeminfo.exe
            - taskkill.exe
            - telnet.exe
            - tracert.exe
            - wscript.exe
            - xcopy.exe
            # others
            - pscp.exe
            - copy.exe
            - robocopy.exe
            - certutil.exe
            - vssadmin.exe
            - powershell.exe
            - wevtutil.exe
            - psexec.exe
            - bcedit.exe
            - wbadmin.exe
            - icacls.exe
            - diskpart.exe
    timeframe: 5m
    condition: selection | count() by MachineName > 5
---
# Sysmon
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine:
            - arp.exe
            - at.exe
            - attrib.exe
            - cscript.exe
            - dsquery.exe
            - hostname.exe
            - ipconfig.exe
            - mimikatz.exe
            - nbstat.exe
            - net.exe
            - netsh.exe
            - nslookup.exe
            - ping.exe
            - quser.exe
            - qwinsta.exe
            - reg.exe
            - runas.exe
            - sc.exe
            - schtasks.exe
            - ssh.exe
            - systeminfo.exe
            - taskkill.exe
            - telnet.exe
            - tracert.exe
            - wscript.exe
            - xcopy.exe
            # others
            - pscp.exe
            - copy.exe
            - robocopy.exe
            - certutil.exe
            - vssadmin.exe
            - powershell.exe
            - wevtutil.exe
            - psexec.exe
            - bcedit.exe
            - wbadmin.exe
            - icacls.exe
            - diskpart.exe
    timeframe: 5m
    condition: selection | count() by MachineName > 5
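The aggregation both `condition` lines express (more than five matching process creations on one MachineName inside a 5-minute window), as an added Python example that is not part of this rule or of the Sigma project. It assumes a time-ordered stream of event dicts carrying `EventID`, `MachineName`, `UtcTime` and the rule's command-line field, and it matches the listed names as whole tokens inside the command line (strict Sigma semantics for a bare value would be an exact match of the whole field, which is rarely what a process-creation rule intends).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Executable names from the rule's selection list (shared by both log sources).
SUSPICIOUS = ["arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe",
              "ipconfig.exe", "mimikatz.exe", "nbstat.exe", "net.exe", "netsh.exe", "nslookup.exe",
              "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe", "schtasks.exe",
              "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe",
              "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe", "vssadmin.exe",
              "powershell.exe", "wevtutil.exe", "psexec.exe", "bcedit.exe", "wbadmin.exe",
              "icacls.exe", "diskpart.exe"]
# Match a listed name as a whole token, so that e.g. dotnet.exe does not count as net.exe.
PATTERN = re.compile(r"(?<![a-z0-9.])(" + "|".join(map(re.escape, SUSPICIOUS)) + r")(?![a-z0-9])", re.I)
TIMEFRAME = timedelta(minutes=5)  # timeframe: 5m
THRESHOLD = 5                     # condition: selection | count() by MachineName > 5
CMDLINE_FIELD = {4688: "ProcessCommandLine", 1: "CommandLine"}  # Security 4688 / Sysmon 1

def matches_selection(event):
    """True if the event is a process-creation record naming a listed executable."""
    field = CMDLINE_FIELD.get(event.get("EventID"))
    return bool(field and PATTERN.search(event.get(field, "")))

def find_alerts(events):
    """Hosts with more than THRESHOLD hits inside any TIMEFRAME window (events sorted by UtcTime)."""
    windows, alerted = defaultdict(deque), []
    for ev in events:
        if not matches_selection(ev):
            continue
        host, ts = ev["MachineName"], datetime.fromisoformat(ev["UtcTime"])
        win = windows[host]
        win.append(ts)
        while ts - win[0] > TIMEFRAME:  # expire hits that fell out of the 5-minute window
            win.popleft()
        if len(win) > THRESHOLD and host not in alerted:
            alerted.append(host)
    return alerted

def sample_events():
    """Constructed data, not real telemetry: HOST-A runs six listed commands in 3 min, HOST-B over 40."""
    cmds = ["whoami.exe", "net.exe user", "net.exe group", "ipconfig.exe /all", "systeminfo.exe",
            "nbstat.exe -A 10.0.0.5", "quser.exe", "dotnet.exe build"]
    events = []
    for i, cmd in enumerate(cmds):
        events.append({"EventID": 1, "MachineName": "HOST-A", "CommandLine": cmd,
                       "UtcTime": f"2024-01-01T10:{i // 2:02d}:{(i % 2) * 30:02d}"})
        events.append({"EventID": 4688, "MachineName": "HOST-B", "ProcessCommandLine": cmd,
                       "UtcTime": f"2024-01-01T10:{i * 7:02d}:00"})
    return sorted(events, key=lambda e: e["UtcTime"])
```

Running `find_alerts(sample_events())` flags only HOST-A; HOST-B runs the same commands but never more than one inside any 5-minute window, which is the false-positive trade-off the `timeframe` is there to make.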