Detectionmediumtest
Suspicious Git Clone
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Jan 03Updated Tue Jan 10aef9d1f1-7396-4e92-a927-4567c7a495c1windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
selection_img:
- Image|endswith:
- '\git.exe'
- '\git-remote-https.exe'
- OriginalFileName: 'git.exe'
selection_cli:
CommandLine|contains:
- ' clone '
- 'git-remote-https '
selection_keyword:
CommandLine|contains:
# Add more suspicious keywords
- 'exploit'
- 'Vulns'
- 'vulnerability'
- 'RemoteCodeExecution'
- 'Invoke-'
- 'CVE-'
- 'poc-'
- 'ProofOfConcept'
# Add more vuln names
- 'proxyshell'
- 'log4shell'
- 'eternalblue'
- 'eternal-blue'
- 'MS17-'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Other
attack.t1593.003
Rule Metadata
Rule ID
aef9d1f1-7396-4e92-a927-4567c7a495c1
Status
test
Level
medium
Type
Detection
Created
Tue Jan 03
Modified
Tue Jan 10
Path
rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
Raw Tags
attack.reconnaissanceattack.t1593.003