
Commit c1d7d2c

Update windows_process_with_netexec_command_line_parameters.yml
1 parent 6e06a19 commit c1d7d2c

1 file changed

+4
-4
lines changed


detections/endpoint/windows_process_with_netexec_command_line_parameters.yml

Lines changed: 4 additions & 4 deletions
@@ -7,8 +7,8 @@ status: production
77
type: TTP
88
description: The following analytic detects the use of NetExec (formally CrackmapExec) a toolset used for post-exploitation enumeration and attack within Active Directory environments through command line parameters. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network.
99
data_source:
10-
- Windows Security EID 4688
11-
- Sysmon EID 1
10+
- Windows Security Event ID 4688
11+
- Sysmon Event ID 1
1212
search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
1313
|`drop_dm_object_name(Processes)`
1414
| `security_content_ctime(firstTime)`
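Review bot: the two renamed `data_source` entries at lines 10-11 ("Windows Security Event ID 4688", "Sysmon Event ID 1") are lookup keys, not free text, so they need to match the canonical data-source names used by every other detection in the repository exactly, including casing and spacing; a rename applied to one file only will leave this detection pointing at names nothing else defines. Worth confirming in the same change that no other detection still uses the old "EID" form. Two smaller points in the unchanged context lines: the description at line 8 reads "formally CrackmapExec", which should be "formerly CrackMapExec", and in the `search` at line 12 the `values(Processes.process_current_directory) AS process_current_directory` clause drops the `Processes.` prefix that every other field keeps, so it will not be touched by `drop_dm_object_name(Processes)` and is also missing the separating comma after `as Processes.process`.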
@@ -36,11 +36,11 @@ tags:
3636
- T1558.004
3737
observable:
3838
- name: user
39-
type: user
39+
type: User
4040
role:
4141
- Victim
4242
- name: dest
43-
type: system
43+
type: Hostname
4444
role:
4545
- Victim
4646
- name: parent_process_name
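Review bot: lines 39 and 43 change the observable `type` values from lower-case generic terms ("user", "system") to what look like members of a fixed vocabulary ("User", "Hostname"); since one is a casing change and the other a term change, both should be checked against the schema or enum that validates `observable.type`, otherwise the content-validation step will reject the file for the same reason the old values presumably prompted this edit. The third observable, `parent_process_name` at line 46, starts just past the end of the hunk, so its `type` value is not visible here and should get the same treatment if it still uses the old lower-case form.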
