Commit 6e06a19

Update windows_process_with_netexec_command_line_parameters.yml
1 parent 771f423 commit 6e06a19

File tree: 1 file changed (+1, -1 lines changed)


detections/endpoint/windows_process_with_netexec_command_line_parameters.yml

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ description: The following analytic detects the use of NetExec (formally Crackma
99
data_source:
1010
- Windows Security EID 4688
1111
- Sysmon EID 1
12-
search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* -M *","* --*")) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
12+
search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
1313
|`drop_dm_object_name(Processes)`
1414
| `security_content_ctime(firstTime)`
1515
| `security_content_ctime(lastTime)`
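Review bot: the `"* --*"` alternative in the new `OR Processes.process IN ("* -x *","* -M *","* --*")` branch still matches any command line that contains a protocol keyword plus any double-dash option, so the tightening to `("* -p *" AND "* -u *")` only narrows one of the three paths into the detection; if the intent is to cut false positives from ordinary tooling that also uses words like `ssh`, `ftp` or `ldap` together with long options, consider enumerating the specific NetExec long options the analytic cares about, or at least recording `--*` as a known false-positive source in the detection's known_false_positives field. Separately, the `description:` shown in the `@@` header is not touched by this commit, so it will still read as if any single `-u` or `-p` flag triggers the search; update it to say that both `-u` and `-p` (or an execution/module flag) are now required, and fix the typo `formally` to `formerly` in `NetExec (formally Crackma...` while editing that line.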

0 commit comments
