Threat: PowerShell spawning and running an encoded command
False Positives: None that I am aware of
Recommended Score: Number (1-100) 100
Query (example): process_name:powershell.exe AND (cmdline:-e OR cmdline:-ec OR cmdline:-en OR cmdline:-enc OR cmdline:-enco OR cmdline:-encod OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedc OR cmdline:-encodedco OR cmdline:-encodedcom OR cmdline:-encodedcomm OR cmdline:-encodedcomma OR cmdline:-encodedcomman OR cmdline:-encodedcommand) (os_type:"windows")
URL Query (example): cb.urlver=process_name%3Apowershell.exe%20AND%20(cmdline%3A-e%20OR%20cmdline%3A-ec%20OR%20cmdline%3A-en%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-enco%20OR%20cmdline%3A-encod%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedc%20OR%20cmdline%3A-encodedco%20OR%20cmdline%3A-encodedcom%20OR%20cmdline%3A-encodedcomm%20OR%20cmdline%3A-encodedcomma%20OR%20cmdline%3A-encodedcomman%20OR%20cmdline%3A-encodedcommand)%20(os_type%3A%22windows%22)&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&sort=&cb.min_last_update=2017-07-03T15%3A52%3A20Z&cb.max_last_update=2017-07-06T15%3A52%3A20Z&cb.query_source=ui&start=0&q=process_name%3Apowershell.exe%20AND%20(cmdline%3A-e%20OR%20cmdline%3A-ec%20OR%20cmdline%3A-en%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-enco%20OR%20cmdline%3A-encod%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedc%20OR%20cmdline%3A-encodedco%20OR%20cmdline%3A-encodedcom%20OR%20cmdline%3A-encodedcomm%20OR%20cmdline%3A-encodedcomma%20OR%20cmdline%3A-encodedcomman%20OR%20cmdline%3A-encodedcommand)%20(os_type%3A%22windows%22
#CbResponse
Supporting Link:
Threat: Query is looking for usage of net.exe or net1.exe command to view domain admins, groups and the like to spread laterally
False Positives: Nil but there could be legit admin usage
Recommended Score: Number (1-100) 99
Query (example): (process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"")
URL Query (example): cb.urlver=1&q=((process_name%3Anet.exe%20OR%20process_name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0
Be sure to set the correct Category below and add Tags that are appropriate
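As an added example, not code from either post nor from Carbon Black's own tooling, the following Python ports both hunting queries above (the encoded PowerShell rule and the net.exe/net1.exe domain-group rule) to plain functions that can be checked offline against sample process events. The event dicts are constructed for this example and only assume the Cb Response document fields already used in the queries (process_name, os_type, cmdline, plus hostname). The flag list mirrors the query's OR list, and it goes one step further than the query by decoding the -EncodedCommand payload (base64 of the UTF-16LE script text, per PowerShell's documented behaviour) so an analyst can see what the encoded command actually runs.

```python
import base64
import binascii

# Every spelling the first query accepts: -e, -ec, and each prefix of -encodedcommand.
ENCODED_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"-ec"}

# Command-line fragments from the second query, lower-cased for case-insensitive matching.
NET_ENUM_PHRASES = (
    'group /domain "domain admins"',
    'group /domain "enterprise admins"',
    'group /domain "enterprise administrators"',
    'group /domain "domain administrators"',
    'view /domain',
    'localgroup /domain "administrators"',
    'localgroup /domain "account operators"',
)


def decode_encoded_command(cmdline):
    """Return (flag, decoded_script) for the first encoded-command flag found, else None.

    decoded_script is None when the flag is present but the payload is missing or
    does not decode; that case is still worth an alert, so the flag is returned anyway.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ENCODED_FLAGS:
            if i + 1 >= len(tokens):
                return tok, None
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return tok, raw.decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return tok, None
    return None


def match_encoded_powershell(event):
    """Rule 1 (score 100): powershell.exe on Windows launched with an encoded command."""
    if event.get("process_name", "").lower() != "powershell.exe":
        return None
    if event.get("os_type", "").lower() != "windows":
        return None
    hit = decode_encoded_command(event.get("cmdline", ""))
    if hit is None:
        return None
    flag, script = hit
    return {"rule": "powershell encoded command", "score": 100,
            "hostname": event.get("hostname"), "flag": flag, "decoded": script}


def match_net_domain_enum(event):
    """Rule 2 (score 99): net.exe / net1.exe enumerating privileged domain groups."""
    if event.get("process_name", "").lower() not in ("net.exe", "net1.exe"):
        return None
    # Collapse repeated whitespace so padded command lines still match the phrases.
    cmdline = " ".join(event.get("cmdline", "").lower().split())
    for phrase in NET_ENUM_PHRASES:
        if phrase in cmdline:
            return {"rule": "net.exe domain group enumeration", "score": 99,
                    "hostname": event.get("hostname"), "matched": phrase}
    return None


def run_rules(events):
    """Apply both rules to every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (match_encoded_powershell, match_net_domain_enum):
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


def _enc(script):
    """Build a realistic -EncodedCommand payload for the constructed sample data."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process events; hostnames and command lines are made up.
SAMPLE_EVENTS = [
    {"hostname": "WS-01", "os_type": "windows", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EnC " + _enc("Get-Process | Out-Null")},
    {"hostname": "WS-02", "os_type": "windows", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"hostname": "WS-03", "os_type": "windows", "process_name": "net.exe",
     "cmdline": 'net  group /domain "Domain Admins"'},
    {"hostname": "WS-04", "os_type": "windows", "process_name": "net1.exe",
     "cmdline": "net1 user alice /domain"},
    {"hostname": "SRV-01", "os_type": "windows", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -e notbase64!!"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

WS-02 and WS-04 produce no alert: -ExecutionPolicy is not one of the encoded-command spellings, and a "net user /domain" lookup is outside the second query's phrase list. SRV-01 still alerts even though its payload is not valid base64, which matches the query's behaviour of keying on the flag alone; the decoded text is extra triage context, not a condition.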