attack.lateral_movement

Remote Server Service Abuse for Lateral Movement
level
status experimental

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Remote Server Service Abuse
level
status experimental

Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS

Remote Schedule Task Lateral Movement via SASec
level
status experimental

Detects remote RPC calls to create or execute a scheduled task via SASec

Remote Schedule Task Lateral Movement via ITaskSchedulerService
level
status experimental

Detects remote RPC calls to create or execute a scheduled task

Remote Schedule Task Lateral Movement via ATSvc
level
status experimental

Detects remote RPC calls to create or execute a scheduled task via ATSvc

Remote Registry Lateral Movement
level
status experimental

Detects remote RPC calls that modify the registry and could be used to execute code

Remote Printing Abuse for Lateral Movement
level
status experimental

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

Remote Encrypting File System Abuse
level
status experimental

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Remote DCOM/WMI Lateral Movement
level
status experimental

Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Possible Exploitation of Exchange RCE CVE-2021-42321
level
status experimental

Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321

AWS Suspicious SAML Activity
level
status experimental

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

OMIGOD HTTP No Authentication RCE
level
status stable

Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body, e.g. from a PCAP, to see what was passed to the server; the client body is where the code to be executed is carried. Additionally, check the endpoint logs for suspicious commands or activity within the timeframe of this HTTP request.

AWS STS GetSessionToken Misuse
level
status experimental

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWS STS AssumeRole Misuse
level
status experimental

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Impacket PsExec Execution
level
status test

Detects execution of Impacket’s psexec.py.

PSExec and WMI Process Creations Block
level
status experimental

Detects blocking of process creations originating from PSExec and WMI commands

Denied Access To Remote Desktop
level
status test

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event is generated by attackers searching for available Windows servers in the network.

Remote File Copy
level
status stable

Detects the use of tools that copy files from or to remote systems

MSTSC Shadowing
level
status test

Detects RDP session hijacking by using MSTSC shadowing

Audit CVE Event
level
status experimental

Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)

Copy from Admin Share
level
status test

Detects a suspicious copy command to or from an Admin share

External Disk Drive Or USB Storage Device
level
status experimental

Detects external disk drives or plugged-in USB storage devices (Event ID 6416 on Windows 10 or later)

Cisco Stage Data
level
status test

Various protocols may be used to put data on the device for exfiltration or infiltration

Protected Storage Service Access
level
status test

Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
level
status experimental

The ‘LsaRegisterLogonProcess’ function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. A failure here may indicate Rubeus trying to get a handle to LSA.

Suspicious Outbound Kerberos Connection
level
status test

Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage privilege escalation via delegation.

Suspicious Outbound Kerberos Connection
level
status test

Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage privilege escalation via delegation.

Register new Logon Process by Rubeus
level
status experimental

Detects potential use of Rubeus via the registration of a new trusted logon process

Remote PowerShell Session
level
status test

Detects remote PowerShell sessions

Remote PowerShell Session
level
status test

Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.

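The rule above is described only in prose. The following is an added example, not code from the Sigma project or from this page, that applies the same logic to Sysmon Event ID 3 (network connection) records: outbound connections to 5985 or 5986 are reported unless the connecting account is NT AUTHORITY\NETWORK SERVICE, which hosts the WinRM service itself. The events, hosts, users and addresses are constructed for the example.

```python
# Added example: flag outbound connections to the WinRM listener ports that are
# not made by the Network Service account. Input records are constructed
# Sysmon Event ID 3 events; field names follow Sysmon's schema.

WINRM_PORTS = {5985, 5986}                        # WinRM HTTP / HTTPS
NETWORK_SERVICE = "NT AUTHORITY\\NETWORK SERVICE"

SAMPLE_EVENTS = [
    # svchost hosting the WinRM service itself: excluded by the account filter
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "User": NETWORK_SERVICE, "Initiated": "true",
     "DestinationIp": "10.0.0.20", "DestinationPort": 5985},
    # an interactive user running Enter-PSSession / Invoke-Command
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe", "Initiated": "true",
     "DestinationIp": "10.0.0.20", "DestinationPort": 5985},
    # a non-PowerShell WinRM client (hypothetical Ruby-based tool)
    {"EventID": 3, "Image": r"C:\Users\jdoe\Downloads\ruby.exe",
     "User": r"CORP\jdoe", "Initiated": "true",
     "DestinationIp": "10.0.0.21", "DestinationPort": 5986},
    # ordinary HTTPS traffic: wrong port
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "User": r"CORP\jdoe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # inbound connection to the local listener: not initiated by this host
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"CORP\jdoe", "Initiated": "false",
     "DestinationIp": "10.0.0.5", "DestinationPort": 5985},
]


def is_remote_powershell_connection(ev):
    """True for an outbound Sysmon network connection to a WinRM port that was
    not initiated by the Network Service account."""
    if ev.get("EventID") != 3:
        return False
    if str(ev.get("Initiated", "")).lower() != "true":   # outbound only
        return False
    if int(ev.get("DestinationPort", 0)) not in WINRM_PORTS:
        return False
    return ev.get("User", "").upper() != NETWORK_SERVICE.upper()


def find_remote_powershell(events):
    """Return (Image, User, DestinationIp, DestinationPort) for each hit."""
    return [(e["Image"], e["User"], e["DestinationIp"], e["DestinationPort"])
            for e in events if is_remote_powershell_connection(e)]


if __name__ == "__main__":
    for hit in find_remote_powershell(SAMPLE_EVENTS):
        print("WinRM client connection:", hit)
```

The account filter removes the WinRM service's own traffic but not legitimate administrators; in practice the `Image` field is the next pivot, since a WinRM connection from anything other than powershell.exe (or a known management tool) is the interesting case.
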
Potential RDP Exploit CVE-2019-0708
level
status experimental

Detects a suspicious RDP protocol error, potentially caused by exploitation of CVE-2019-0708

Terminal Service Process Spawn
level
status test

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Mimikatz through Windows Remote Management
level
status stable

Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.

RDP over Reverse SSH Tunnel WFP
level
status experimental

Detects svchost hosting RDP termsvcs communicating with the loopback address

RDP Login from Localhost
level
status experimental

Detects an RDP logon with a localhost source address, which may indicate a tunnelled logon

Suspicious RDP Redirect Using TSCON
level
status test

Detects a suspicious RDP session redirect using tscon.exe

Rubeus Hack Tool
level
status stable

Detects command line parameters used by Rubeus hack tool

Net.exe Execution
level
status experimental

Detects execution of Net.exe, whether suspicious or benign.

smbexec.py Service Installation
level
status test

Detects the use of smbexec.py tool by detecting a specific service installation

Successful Overpass the Hash Attempt
level
status test

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz’s sekurlsa::pth module.

Admin User Remote Logon
level
status experimental

Detects remote logon by an Administrator user (depending on the internal naming pattern).

Microsoft Binary Suspicious Communication Endpoint
level
status test

Detects an executable in the Windows folder accessing suspicious domains

Microsoft Binary Github Communication
level
status test

Detects an executable in the Windows folder accessing github.com

Interactive Logon to Server Systems
level
status test

Detects interactive console logons to Server Systems

Access to ADMIN$ Share
level
status test

Detects access to the ADMIN$ share

Mimikatz Use
level
status experimental

This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions, which are however still used by different threat groups)

Zerologon Exploitation Using Well-known Tools
level
status stable

This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the Mimikatz zerologon module or other exploits run from a machine with the hostname “kali”.

Writing Local Admin Share
level
status experimental

Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

Wmiprvse Wbemcomn DLL Hijack
level
status experimental

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Wmiprvse Wbemcomn DLL Hijack
level
status experimental

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

WMI Script Host Process Image Loaded
level
status test

Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.

WinRM Access with Evil-WinRM
level
status experimental

Adversaries may use Valid Accounts to log into a computer using Windows Remote Management (WinRM), for example with the Evil-WinRM client. The adversary may then perform actions as the logged-on user.

Turla Group Lateral Movement
level
status experimental

Detects automated lateral movement by Turla group

T1047 Wmiprvse Wbemcomn DLL Hijack
level
status test

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
level
status experimental

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.

T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
level
status test

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Suspicious UltraVNC Execution
level
status experimental

Detects a suspicious UltraVNC command line flag combination that indicates automatic reconnection upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)

Suspicious Remote Logon with Explicit Credentials
level
status experimental

Detects suspicious processes logging on with explicit credentials

Suspicious PsExec Execution - Zeek
level
status test

Detects execution of PsExec or PAExec with a renamed service name. This helps filter out the noise when PsExec is used for legitimate purposes, and catches attackers using a PsExec client other than the Sysinternals one.

Suspicious PsExec Execution
level
status test

Detects execution of PsExec or PAExec with a renamed service name. This helps filter out the noise when PsExec is used for legitimate purposes, and catches attackers using a PsExec client other than the Sysinternals one.

Suspicious Plink Remote Forwarding
level
status experimental

Detects suspicious Plink tunnel remote forwarding to a local port

Suspicious Non PowerShell WSMAN COM Provider
level
status experimental

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Suspicious New-PSDrive to Admin Share
level
status experimental

Adversaries may interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Suspicious Add User to Remote Desktop Users Group
level
status experimental

Detects suspicious command line in which a user gets added to the local Remote Desktop Users group

SMB Spoolss Name Piped Usage
level
status experimental

Detects the use of the spoolss named pipe over SMB. This can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.

SMB Create Remote File Admin Share
level
status test

Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$).

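The two share rules above (ADMIN$ access, and non-system writes through C$-style shares) both read Security Event ID 5145. The following is an added example, not code from the Sigma project or from this page, that implements the write check over constructed 5145 records: the hex `AccessMask` is parsed and tested for the 0x2 bit (FILE_WRITE_DATA / FILE_ADD_FILE), the share name is matched against `\\*\ADMIN$` and `\\*\<drive>$`, and computer accounts (names ending in `$`) and built-in service identities are excluded as "system" accounts. The sample events, users and addresses are constructed.

```python
import re

# Added example: flag non-system accounts opening files for write through an
# administrative share, from constructed Security Event ID 5145 records.

FILE_WRITE_DATA = 0x2      # FILE_WRITE_DATA on files / FILE_ADD_FILE on directories
ADMIN_SHARE_RE = re.compile(r"^\\\\\*\\(ADMIN\$|[A-Z]\$)$", re.I)   # \\*\ADMIN$, \\*\C$, ...
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}

SAMPLE_EVENTS = [
    # user dropping a binary into ADMIN$ (Windows directory): write bit set
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "svc.exe", "AccessMask": "0x12019f"},
    # computer account writing to C$: excluded as a system account
    {"EventID": 5145, "SubjectUserName": "WS01$", "IpAddress": "10.0.0.7",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\x.tmp", "AccessMask": "0x2"},
    # read-only access (no 0x2 bit) to C$: not a write
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\jdoe\notes.txt", "AccessMask": "0x100081"},
    # write to an ordinary file share: not an admin share
    {"EventID": 5145, "SubjectUserName": "backup", "IpAddress": "10.0.0.9",
     "ShareName": r"\\*\Backups", "RelativeTargetName": "db.bak", "AccessMask": "0x2"},
    # named pipe access over IPC$: a different rule's concern
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl", "AccessMask": "0x12019f"},
]


def is_system_account(name):
    n = name.upper()
    return n in SYSTEM_ACCOUNTS or n.endswith("$")     # computer accounts end with $


def is_admin_share_write(ev):
    """True when a non-system account opened a file with write access through
    an administrative share."""
    if ev.get("EventID") != 5145 or not ADMIN_SHARE_RE.match(ev.get("ShareName", "")):
        return False
    try:
        mask = int(ev.get("AccessMask", "0"), 16)      # 5145 logs the mask as a hex string
    except ValueError:
        return False
    return bool(mask & FILE_WRITE_DATA) and not is_system_account(ev.get("SubjectUserName", ""))


def find_admin_share_writes(events):
    """Return (user, source IP, share, relative path) for each hit."""
    return [(e["SubjectUserName"], e["IpAddress"], e["ShareName"], e["RelativeTargetName"])
            for e in events if is_admin_share_write(e)]


if __name__ == "__main__":
    for hit in find_admin_share_writes(SAMPLE_EVENTS):
        print("admin share write:", hit)
```

Testing the bit rather than comparing the whole mask matters: a real open for write such as `0x12019f` carries several other rights alongside `0x2`, so an equality check against `0x2` would miss it.
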
Scanner PoC for CVE-2019-0708 RDP RCE Vuln
level
status experimental

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Rundll32 Without Parameters
level
status experimental

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

Remote WMI ActiveScriptEventConsumers
level
status test

Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Remote Task Creation via ATSVC Named Pipe - Zeek
level
status test

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

Remote Task Creation via ATSVC Named Pipe
level
status test

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

Remote Service Activity via SVCCTL Named Pipe
level
status test

Detects remote service activity via remote access to the svcctl named pipe

Remote Desktop Protocol Use Mstsc
level
status experimental

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

PsExec Pipes Artifacts
level
status test

Detects use of PsExec via creation of or access to its named pipes

PortProxy Registry Key
level
status experimental

Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.

Persistence and Execution at Scale via GPO Scheduled Task
level
status test

Detects lateral movement using a GPO scheduled task, usually used to deploy ransomware at scale

Pass the Hash Activity
level
status test

Detects the attack technique pass the hash which is used to move laterally inside the network

NTLM Logon
level
status experimental

Detects logons using NTLM, which could be caused by a legacy source or attackers

Netsh RDP Port Forwarding
level
status test

Detects netsh commands that configure port forwarding of port 3389, the port used for RDP

Netsh Port Forwarding
level
status experimental

Detects netsh commands that configure a port forwarding (PortProxy)

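The three PortProxy rules above (the registry key, the generic netsh port forward and the RDP-specific variant) describe the same mechanism from two telemetry angles. The following is an added example, not code from the Sigma project or from this page, that parses both sources into one finding shape: `netsh interface portproxy add ...` command lines from process creation events (Sysmon Event ID 1 / Security 4688) and value writes under `Services\PortProxy\<v4tov4|...>\tcp` from Sysmon Event ID 13, marking any forward where 3389 is the listen or connect port. Assumptions of the example: the registry value name is `<listenaddress>/<listenport>` with data `<connectaddress>/<connectport>`, only named (`key=value`) netsh parameters are handled, and `connectport` defaults to `listenport` and `listenaddress` to `*` as in netsh's documented defaults. Sample inputs are constructed.

```python
import re
import shlex

# Added example: normalise netsh portproxy command lines and PortProxy registry
# writes into one finding shape and flag RDP forwards. Inputs are constructed.

RDP_PORT = 3389
PORTPROXY_KEY_RE = re.compile(r"\\Services\\PortProxy\\(v[46]tov[46])\\tcp\\([^\\]+)$", re.I)


def parse_netsh_portproxy(cmdline):
    """Return a finding dict for 'netsh interface portproxy add ...', else None."""
    try:
        argv = shlex.split(cmdline, posix=False)     # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("netsh", "netsh.exe"):
        return None
    low = [a.lower().strip('"') for a in argv[1:]]
    # 'interface' may be abbreviated (int, i), so only the verbs that matter are checked
    if "portproxy" not in low or "add" not in low:
        return None
    params = dict(tok.partition("=")[::2] for tok in low if "=" in tok)
    try:
        listen = int(params["listenport"])
        connect = int(params.get("connectport", listen))   # netsh default: same as listenport
    except (KeyError, ValueError):
        return None                                        # positional syntax not handled
    return {
        "source": "commandline",
        "listen": f'{params.get("listenaddress", "*")}/{listen}',   # default: all addresses
        "connect": f'{params.get("connectaddress", "?")}/{connect}',
        "rdp": RDP_PORT in (listen, connect),
    }


def parse_portproxy_registry(target_object, details):
    """Sysmon Event ID 13: TargetObject ends in '<listenaddr>/<listenport>' and
    Details carries '<connectaddr>/<connectport>' (assumed layout). Returns a
    finding dict, or None for unrelated registry writes."""
    m = PORTPROXY_KEY_RE.search(target_object)
    if not m:
        return None
    listen, connect = m.group(2), details.strip()
    try:
        ports = {int(listen.rsplit("/", 1)[1]), int(connect.rsplit("/", 1)[1])}
    except (IndexError, ValueError):
        return None
    return {"source": "registry", "listen": listen, "connect": connect,
            "rdp": RDP_PORT in ports}


if __name__ == "__main__":
    # constructed sample: an RDP forward via the command line and its registry trace
    print(parse_netsh_portproxy("netsh interface portproxy add v4tov4 listenport=8080 "
                                "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"))
    print(parse_portproxy_registry(r"HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8080",
                                   "10.0.0.5/3389"))
```

Seeing the same `listen`/`connect` pair from both sources ties the process creation to the persisted forward, which survives a reboot; a forward that appears only in the registry (no matching command line in the retention window) is the case that the registry rule exists for.
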
Mounted Windows Admin Shares with net.exe
level
status experimental

Detects when an admin share is mounted using net.exe

Metasploit SMB Authentication
level
status experimental

Alerts on authentications on the domain from a Metasploit host.

Logon Scripts (UserInitMprLogonScript) Registry
level
status test

Detects creation or execution of UserInitMprLogonScript persistence method

Lateral Movement Indicator ConDrv
level
status deprecated

This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post-compromise; the account name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.

Impacket Lateralization Detection
level
status stable

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

First Time Seen Remote Named Pipe - Zeek
level
status test

This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes

First Time Seen Remote Named Pipe
level
status test

This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes

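The two "first time seen" rules above are stateful: they need a baseline of known pipes and memory of what has already fired. The following is an added example, not code from the Sigma project or from this page, of that logic over Security Event ID 5145 records on the IPC$ share, where `RelativeTargetName` is the pipe name. The baseline set of well-known RPC pipes is an assumption of the example (a deployment builds it from its own history), and the sample events are constructed; the PsExec pipe names in them follow PsExec's `PSEXESVC` / `PSEXESVC-<host>-<pid>-stdin` convention.

```python
# Added example: stateful first-time-seen detection of remote named pipes from
# constructed Security Event ID 5145 records on the IPC$ share.

# Assumed baseline for the example; a real one comes from the environment's history.
KNOWN_PIPES = {"netlogon", "samr", "lsarpc", "srvsvc", "wkssvc", "atsvc", "browser",
               "spoolss", "ntsvcs", "winreg", "eventlog", "svcctl", "epmapper"}


class FirstSeenPipeDetector:
    """Alerts once per pipe name that is not in the baseline, then remembers it."""

    def __init__(self, baseline=KNOWN_PIPES):
        self.seen = {p.lower() for p in baseline}

    def process(self, ev):
        """Return an alert dict for a newly observed pipe, else None."""
        if ev.get("EventID") != 5145:
            return None
        if not ev.get("ShareName", "").upper().endswith("\\IPC$"):
            return None                              # pipes are opened via IPC$
        pipe = ev.get("RelativeTargetName", "").strip("\\").lower()
        if not pipe or pipe in self.seen:
            return None
        self.seen.add(pipe)                          # later uses are no longer "new"
        return {"pipe": pipe, "from": ev.get("IpAddress"), "user": ev.get("SubjectUserName")}


SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe"},                    # baseline
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC",
     "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe"},                    # new
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC-WS01-4242-stdin",
     "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe"},                    # new (per-session name)
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC",
     "IpAddress": "10.0.0.8", "SubjectUserName": "svc-deploy"},              # already seen
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\x.tmp",
     "IpAddress": "10.0.0.8", "SubjectUserName": "svc-deploy"},              # not IPC$
]


def run(events, detector=None):
    """Feed events through one detector instance and collect the alerts."""
    det = detector or FirstSeenPipeDetector()
    return [a for a in (det.process(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print("new remote pipe:", alert)
```

The per-session PsExec names (`PSEXESVC-<host>-<pid>-stdin/stdout/stderr`) show the weak spot of pure first-seen logic: every new host and PID produces a "new" pipe, so a production version normalises such suffixes before the lookup, or the operator accepts the extra alerts as confirmation of the first one.
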
Execute Invoke-command on Remote Host
level
status experimental

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Enable Windows Remote Management
level
status experimental

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

DCERPC SMB Spoolss Named Pipe
level
status test

Detects the use of the spoolss named pipe over SMB. This can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.

CobaltStrike Service Installations in Registry
level
status experimental

Detects known malicious service installs that appear when a Cobalt Strike beacon elevates privileges or moves laterally. The same activity can also be caught via System log event 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs these events can also be found under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; this rule, however, is based on regular Sysmon events.

CobaltStrike Service Installations
level
status experimental

Detects known malicious service installs that appear when a Cobalt Strike beacon elevates privileges or moves laterally

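Several rules on this page key on System Event ID 7045 (a service was installed): the renamed-service PsExec/PAExec rules, the smbexec.py service installation rule, and the two Cobalt Strike service install rules above. The following is an added example, not code from the Sigma project or from this page, that classifies constructed 7045 records by the tooling that most plausibly created them. The patterns are the tools' well-known defaults and are assumptions of this example rather than statements from the page: PsExec registers `PSEXESVC` for `PSEXESVC.exe`, PAExec uses `PAExec-<pid>-<host>`, Impacket's smbexec.py creates a `BTOBTO` service whose image path is a `%COMSPEC%` one-liner writing `__output` and `execute.bat`, and Cobalt Strike's psexec variants use a 7-character binary under `ADMIN$`, a `%COMSPEC% /b /c start /b /min powershell ... -encodedcommand` launcher, or a `\\.\pipe\` redirection.

```python
import re

# Added example: classify System Event ID 7045 records by the lateral-movement
# tool that most plausibly produced them. Patterns are assumed tool defaults;
# events are constructed.

COBALT_PSH_RE = re.compile(r"%COMSPEC%\s+/b\s+/c\s+start\s+/b\s+/min\s+powershell", re.I)
COBALT_EXE_RE = re.compile(r"ADMIN\$\\[a-z0-9]{7}\.exe$", re.I)      # \\host\ADMIN$\abcdefg.exe
SMBEXEC_RE = re.compile(r"__output|execute\.bat", re.I)


def service_binary(path):
    """Lower-cased basename of the service executable, tolerating quoted paths."""
    if path.startswith('"'):
        exe = path[1:].split('"', 1)[0]
    else:
        exe = path.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def classify_service_install(ev):
    """Return a label for a suspicious 7045 event, or None for anything else."""
    if ev.get("EventID") != 7045:
        return None
    name = ev.get("ServiceName", "")
    path = ev.get("ImagePath", "")
    binary = service_binary(path)
    # binary kept its default name but the service was registered under another one
    if binary == "psexesvc.exe" and name.upper() != "PSEXESVC":
        return "psexec-renamed-service"
    if binary.startswith("paexec") and not name.upper().startswith("PAEXEC-"):
        return "paexec-renamed-service"
    if name == "BTOBTO" or SMBEXEC_RE.search(path):
        return "impacket-smbexec"
    if (COBALT_PSH_RE.search(path) or COBALT_EXE_RE.search(path)
            or "\\\\.\\pipe\\" in path.lower()):
        return "cobalt-strike-service"
    return None


SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "winupdsvc", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat "
                  r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7045, "ServiceName": "a1b2c3d", "ImagePath": r"\\10.0.0.20\ADMIN$\a1b2c3d.exe"},
    {"EventID": 7045, "ServiceName": "1f2e3d4",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgA"},
    {"EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"EventID": 7045, "ServiceName": "PAExec-1234-WS01", "ImagePath": r"C:\Windows\PAExec-1234-WS01.exe"},
]


def classify_all(events):
    """Return (ServiceName, label) for every event that gets a label."""
    return [(e["ServiceName"], lbl) for e in events if (lbl := classify_service_install(e))]


if __name__ == "__main__":
    for name, label in classify_all(SAMPLE_EVENTS):
        print(f"{name}: {label}")
```

The first sample (default `PSEXESVC` name and binary) is deliberately not labelled: that is the noise the renamed-service rule filters out, and it is covered instead by the pipe and network rules listed earlier on the page.
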