Rules: First Seen Common Windows Recon Commands From User
Detects the first time a given user runs any command from a set of commands commonly used during the reconnaissance (discovery) stage by a range of attack groups.
| Detail | Value |
|---|---|
| Type | First Seen |
| Category | Discovery |
| Apply Risk to Entities | device_hostname, user_username |
| Signal Name | First Seen Common Windows Recon Commands From User |
| Summary Expression | Detected reconnaissance activity from user: {{user_username}} on host: {{device_hostname}} |
| Retention Window | 7776000000 (milliseconds; 90 days) |
| Baseline Window | 1209600000 (milliseconds; 14 days) |
| Baseline Type | GLOBAL |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0007, _mitreAttackTechnique:T1018 |
- Bitdefender - GravityZone
- Citrix - ADC
- CrowdStrike - FDR
- CrowdStrike - Falcon
- Linux - Linux OS Syslog
- Microsoft - Azure
- Microsoft - Windows
| Origin | Field |
|---|---|
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | listMatches |
| Normalized Schema | lower |
| Normalized Schema | parentBaseImage |
| Normalized Schema | user_username |