
Weak or Abused Passwords In CLI

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects weak passwords, or passwords that are frequently abused (seen in use by threat actors), passed via the command line. An example would be a threat actor creating a new user via the net command and supplying the password inline.

Event coverage

Provider            Event ID   Title
Sysmon              1          Process creation
Security-Auditing   4688       A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: 123123qwE
CommandLine|contains: 123456789
CommandLine|contains: Asd123.aaaa
CommandLine|contains: Decryptme
CommandLine|contains: 'P@ssw0rd!'
CommandLine|contains: Pass8080
CommandLine|contains: password123
CommandLine|contains: 'test@202'
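The selection above expressed as runnable matching logic, added here as an illustration and not code from the rule or the Sigma project. It applies Sigma's default case-insensitive `contains` semantics to a few constructed process-creation events, restricted to the two log sources in the event coverage table; the sample command lines and the field names `Provider`, `EventID` and `CommandLine` are assumptions for this example.

```python
# Added example (not the rule's or Sigma's own code): apply this rule's
# selection to process-creation events. Sigma's ``contains`` is
# case-insensitive by default, so comparisons are done in lower case.

# Values copied from the rule's selection block.
WEAK_PASSWORDS = [
    "123123qwE", "123456789", "Asd123.aaaa", "Decryptme",
    "P@ssw0rd!", "Pass8080", "password123", "test@202",
]

# Log sources in the rule's event coverage: Sysmon 1 and Security 4688.
COVERED_EVENTS = {("Sysmon", 1), ("Security-Auditing", 4688)}


def matched_values(command_line: str) -> list[str]:
    """Selection values found in command_line, case-insensitively."""
    lowered = command_line.lower()
    return [v for v in WEAK_PASSWORDS if v.lower() in lowered]


def evaluate(event: dict) -> bool:
    """True when the event is in scope and its CommandLine hits the selection."""
    if (event.get("Provider"), event.get("EventID")) not in COVERED_EVENTS:
        return False
    return bool(matched_values(event.get("CommandLine", "")))


# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS = [
    {"Provider": "Sysmon", "EventID": 1,
     "CommandLine": "net user backup P@ssw0rd! /add"},
    {"Provider": "Security-Auditing", "EventID": 4688,
     "CommandLine": "net user svc Test@2023 /add"},  # 'test@202' is a prefix
    {"Provider": "Sysmon", "EventID": 1,
     "CommandLine": "net user alice Xk9$vL2m#qW /add"},  # strong, no hit
    {"Provider": "Sysmon", "EventID": 3,
     "CommandLine": "net user bob Decryptme /add"},  # not process creation
]


def run(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, matched values) for each event that fires the rule."""
    return [(i, matched_values(e["CommandLine"]))
            for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for idx, hits in run(SAMPLE_EVENTS):
        print(f"event {idx}: matched {hits}")
```

Note that `test@202` also fires on `Test@2023`: a substring indicator covers every year-suffixed variant, which is intended, but the same property means any longer string containing one of these values will match.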

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: CommandLine
Kind: match
Values:
  • 123123qwE
  • 123456789
  • Asd123.aaaa
  • Decryptme
  • P@ssw0rd!
  • Pass8080
  • password123
  • test@202