Discovery Correlation Rule 📝
Leveraging our Sigma Correlation engine, several weeks ago we introduced a new rule that we hope will be very helpful for defenders: "Discovery Commands Correlation", with an intermediate effort level. The rule detects, within a one-minute window, a chain of commands: a Windows command prompt or PowerShell process, then nltest, then a net command. Enabling this rule in your community lets you detect the discovery commands a ransomware operator commonly runs, with a very low probability of false positives!
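To make the mechanics concrete, here is an added Python example (written for this page, not SEKOIA.IO's correlation engine or the rule itself) that applies the same idea, an ordered chain on a single host within a 60-second window, to a few constructed process-creation log lines. The tab-separated log format, the grouping by host name, and the strict shell then nltest then net ordering are assumptions made for the illustration.

```python
"""Toy temporal-ordered correlation over process-creation events.

Added illustration, not SEKOIA.IO's Sigma correlation engine. Assumptions:
events carry a host name, a UTC timestamp and the process image path, and the
chain must appear in order (shell -> nltest -> net) on one host within 60 s.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)

# Ordered stages of the chain; a stage is satisfied by any listed image name.
STAGES = (
    ("shell", {"cmd.exe", "powershell.exe", "pwsh.exe"}),
    ("nltest", {"nltest.exe"}),
    ("net", {"net.exe", "net1.exe"}),
)

# Constructed sample log (format assumed): ts<TAB>host<TAB>image<TAB>cmdline
# WS01: full chain in 21 s -> alert.  WS02: net arrives after 105 s -> no alert.
# WS03: an administrator mapping a share with net alone -> no alert.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z\tWS01\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c whoami
2024-03-01T09:00:04Z\tWS01\tC:\\Windows\\System32\\nltest.exe\tnltest /dclist:corp.local
2024-03-01T09:00:21Z\tWS01\tC:\\Windows\\System32\\net.exe\tnet group "Domain Admins" /domain
2024-03-01T09:10:00Z\tWS02\tC:\\Windows\\System32\\cmd.exe\tcmd.exe
2024-03-01T09:10:30Z\tWS02\tC:\\Windows\\System32\\nltest.exe\tnltest /domain_trusts
2024-03-01T09:11:45Z\tWS02\tC:\\Windows\\System32\\net.exe\tnet user
2024-03-01T10:00:00Z\tWS03\tC:\\Windows\\System32\\net.exe\tnet use Z: \\\\fs01\\share
"""


def parse_line(line):
    """Parse one constructed log line into an event dict."""
    ts, host, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "image": image,
        "cmdline": cmdline,
    }


def stage_index(image):
    """Map an image path to its stage index, or None if it is not in the chain."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for idx, (_, names) in enumerate(STAGES):
        if name in names:
            return idx
    return None


def correlate(events, window=WINDOW):
    """Return one alert per completed chain: (host, first_ts, last_ts, cmdlines)."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        consumed_until = None  # suppress overlapping alerts on the same host
        for i, ev in enumerate(evs):
            if stage_index(ev["image"]) != 0:
                continue  # a chain can only start at the shell stage
            if consumed_until is not None and ev["ts"] <= consumed_until:
                continue
            chain, want = [ev], 1
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # window expired before the chain completed
                if stage_index(later["image"]) == want:
                    chain.append(later)
                    want += 1
                    if want == len(STAGES):
                        alerts.append((host, chain[0]["ts"], chain[-1]["ts"],
                                       [c["cmdline"] for c in chain]))
                        consumed_until = chain[-1]["ts"]
                        break
    return alerts


def run(log_text=SAMPLE_LOG, window=WINDOW):
    """Parse the log text and return the correlation alerts."""
    return correlate([parse_line(l) for l in log_text.splitlines() if l], window)


if __name__ == "__main__":
    for host, start, end, cmds in run():
        print(f"{host}: chain completed in {(end - start).seconds}s -> {cmds}")
```

Note how WS03, the everyday administrative `net use`, and WS02, where the chain is too slow, both stay silent: the false-positive reduction comes from requiring the whole ordered chain inside the window, not from any single command being suspicious on its own.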
During the first steps an attacker takes once established on a compromised host, reconnaissance actions are not that simple to detect: the attacker uses simple, built-in commands that IT administrators also run every day, so flagging each command on its own generates many false positives.
In our Detection Rules Catalog, several rules already exist to detect some of the most specific reconnaissance commands. These rules are, of course, at the master effort level, given the false positives they can generate. We are therefore really glad to provide this new correlation rule, which will greatly help defenders detect attacks at their very beginning, with a very low false-positive rate.
You can find our correlation rules using the tag "correlation" in the catalog.