Suspicious Scan Loop Network

Sigma Rules

Summary
The rule detects suspicious network scan activity that may indicate lateral movement attempts by adversaries using common command line tools. It focuses on process command lines that contain a loop construct (e.g., 'for' or 'foreach') together with a known networking tool such as 'nslookup' or 'ping'. The rule is assigned a medium level, reflecting that these patterns occur in legitimate administration as well as in host discovery. The detection combines two selections, the loop keywords and the tool names, under a single condition that requires all of them to match the same command line before an alert is raised.
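As an added illustration (not the rule's own Sigma YAML, which this page does not reproduce), the following re-implements the described matching logic and runs it over a few constructed command lines; the keyword sets and the exact-token matching are assumptions drawn from the summary:

```python
import re

# Added example: a simplified re-implementation of the detection described above,
# not the Sigma rule itself. Keyword sets are assumed from the summary.
LOOP_KEYWORDS = ("for", "foreach")
NETWORK_TOOLS = ("nslookup", "ping")


def _tokens(command_line):
    # Split on whitespace and common shell punctuation so a tool name that
    # directly follows a quote or parenthesis is still recognised.
    return [t.lower() for t in re.split(r"[\s()\"';&|{}]+", command_line) if t]


def matches_scan_loop(command_line):
    """Return True only when BOTH selections match ('all of' semantics).

    Exact token matching is an assumption; a real Sigma rule would typically
    use 'contains' substring matching instead.
    """
    toks = set(_tokens(command_line))
    has_loop = any(k in toks for k in LOOP_KEYWORDS)
    has_tool = any(t in toks for t in NETWORK_TOOLS)
    return has_loop and has_tool


def scan_events(events):
    """Evaluate process-creation events and return those that trigger the rule."""
    return [e for e in events if matches_scan_loop(e["CommandLine"])]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "cmd.exe", "CommandLine": "cmd.exe /c for /L %i in (1,1,254) do ping -n 1 10.0.0.%i"},
    {"Image": "powershell.exe", "CommandLine": 'powershell -c "1..254 | foreach { nslookup 10.0.0.$_ }"'},
    {"Image": "cmd.exe", "CommandLine": "cmd.exe /c for %f in (*.log) do type %f"},  # loop, no tool
    {"Image": "cmd.exe", "CommandLine": "ping -n 4 fileserver01"},  # tool, no loop
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["CommandLine"])
```

Only the first two events fire; the third and fourth show why a single selection (a loop alone, or a tool alone) is not enough to trigger the rule.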
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1018
Created: 2022-03-12