Update windows_process_with_netexec_command_line_parameters.yml
Update detection logic to include "nxc.exe" for process_name or original_file_name as detection points as requested.

Reduce confidence as requested.
nterl0k authored Dec 30, 2024
1 parent a53cfeb commit 2fcd0ec
Showing 1 changed file with 4 additions and 4 deletions.
@@ -9,7 +9,7 @@ description: The following analytic detects the use of NetExec (formally Crackma
data_source:
- Windows Security EID 4688
- Sysmon EID 1
search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* --*") BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* -M *","* --*")) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
|`drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
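Review bot: the new `Processes.original_file_name IN ("nxc.exe")` branch can only fire on Sysmon EID 1 data, since Windows Security EID 4688 (listed above as a data source) carries no OriginalFileName field; on 4688-only hosts a renamed binary is caught solely by the command-line branch, and that should be stated in the description or known_false_positives. Two smaller points on the same line: the description refers to the tool's former name CrackMapExec, yet only `nxc.exe` is matched by name, so confirm whether a legacy-named binary is meant to be covered; and the added `"* -M *"` together with the existing `"* --*"` pattern widens the command-line branch, so a quick check against a baseline of benign `ssh`/`ftp`/`ldap` tooling that takes `-u`/`-p` would confirm the false-positive rate is still acceptable at the reduced confidence.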
@@ -25,7 +25,7 @@ tags:
- Active Directory Kerberos Attacks
- Active Directory Privilege Escalation
asset_type: Endpoint
confidence: 100
confidence: 80
impact: 80
message: NetExec command line parameters were used on $dest$ by $user$
mitre_attack_id:
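Review bot: lowering `confidence` from 100 to 80 leaves `impact: 80`, so the detection's `risk_score` must be brought in line with impact × confidence / 100 = 64; the reason for the reduced confidence (for example, the broader wildcard command-line match) is not recorded anywhere in the visible metadata and belongs in the description or known_false_positives so the next maintainer knows why it was changed.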
@@ -58,11 +58,11 @@ tags:
- Processes.dest
- Processes.process_name
- Processes.parent_process_name
risk_score: 80
risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
sourcetype: XmlWinEventLog
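Review bot: `sourcetype: XmlWinEventLog` appears as both the removed and the added line with identical text, which indicates a whitespace-only change (trailing space or end-of-file newline) that should either be dropped from the commit or mentioned in the message. Separately, the only test listed uses the Sysmon `Microsoft-Windows-Sysmon/Operational` dataset, so neither the EID 4688 data source nor the new `nxc.exe` process_name branch is exercised; a second attack_data entry, or confirmation that the existing log contains an `nxc.exe` process event, would cover the change being introduced here.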
