Nasreddine Bencherchali
56 lines
1.9 KiB
YAML
56 lines
1.9 KiB
YAML
title: Suspicious Reconnaissance Activity Using Net
|
|
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
|
|
status: experimental
|
|
description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
|
|
author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali
|
|
date: 2019/01/16
|
|
modified: 2022/08/22
|
|
references:
|
|
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
|
|
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
|
|
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1087.001
|
|
- attack.t1087.002
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
net_img:
|
|
- Image|endswith:
|
|
- '\net.exe'
|
|
- '\net1.exe'
|
|
- OriginalFileName:
|
|
- 'net.exe'
|
|
- 'net1.exe'
|
|
# Covers group and localgroup flags
|
|
selection_group_root:
|
|
CommandLine|contains:
|
|
- ' group '
|
|
- ' localgroup '
|
|
selection_group_flags:
|
|
CommandLine|contains:
|
|
# Add more groups for other languages
|
|
- 'domain admins'
|
|
- ' administrators'
|
|
- ' administrateurs'
|
|
- 'enterprise admins'
|
|
- 'Exchange Trusted Subsystem'
|
|
- ' /do' # short for domain
|
|
# Covers 'accounts' flag
|
|
selection_accounts_root:
|
|
CommandLine|contains: ' accounts '
|
|
selection_accounts_flags:
|
|
CommandLine|contains: ' /do' # short for domain
|
|
condition: net_img and (all of selection_group_* or all of selection_accounts_*)
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- Inventory tool runs
|
|
- Administrative activity
|
|
analysis:
|
|
recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
|
|
level: medium
|