Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
Detects remote RPC calls to create or execute a scheduled task via SASec
Detects remote RPC calls to create or execute a scheduled task
Detects remote RPC calls to create or execute a scheduled task via ATSvc
Detects remote RPC calls to modify the registry and possibly execute code
Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs for suspicious commands or activity within the timeframe of this HTTP request.
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
Detects execution of Impacket’s psexec.py.
Detects blocking of process creations originating from PsExec and WMI commands
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event is generated by attackers searching for available Windows servers in the network.
Detects the use of tools that copy files from or to remote systems
Detects RDP session hijacking by using MSTSC shadowing
Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
Detects a suspicious copy command to or from an Admin share
Detects external disk drives or plugged-in USB devices (Event ID 6416 on Windows 10 or later)
Various protocols may be used to put data on the device for exfiltration or infiltration
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
The ‘LsaRegisterLogonProcess’ function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. A possible sign of Rubeus trying to get a handle to LSA.
Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Detects potential use of Rubeus via registered new trusted logon process
Detects remote PowerShell sessions
Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
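The rule above is stated in terms of Sysmon network-connection telemetry (Event ID 3): an initiated TCP connection to 5985 or 5986 whose owning account is not the WinRM service account. The following is an added example (not a rule from this list and not SigmaHQ code) that runs that logic over constructed sample events. The field names follow Sysmon EID 3; the exclusion of loopback destinations, and the choice of "NETWORK SERVICE" as the only excluded account fragment, are assumptions to tune per environment.

```python
"""Flag outbound WinRM (TCP 5985/5986) connections not made by the NETWORK
SERVICE account, over constructed Sysmon Event ID 3 records."""
import ipaddress

WINRM_PORTS = {5985, 5986}
# The WinRM service and WinRM-based management tooling connect as
# NT AUTHORITY\NETWORK SERVICE; an interactive user's process opening
# 5985/5986 is what the rule is after. Assumed allow-list: extend as needed.
EXCLUDED_ACCOUNT_FRAGMENTS = ("NETWORK SERVICE",)

# Constructed sample events (not real telemetry): only the EID 3 fields used here.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "User": "CORP\\jsmith", "Initiated": "true", "Protocol": "tcp",
     "DestinationIp": "10.0.0.25", "DestinationPort": 5985},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "User": "NT AUTHORITY\\NETWORK SERVICE", "Initiated": "true", "Protocol": "tcp",
     "DestinationIp": "10.0.0.7", "DestinationPort": 5985},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "User": "CORP\\jsmith", "Initiated": "false", "Protocol": "tcp",
     "DestinationIp": "10.0.0.25", "DestinationPort": 5985},   # inbound: not ours
    {"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "User": "CORP\\jsmith", "Initiated": "true", "Protocol": "tcp",
     "DestinationIp": "127.0.0.1", "DestinationPort": 5986},   # local WinRM use
]


def is_suspicious_winrm(ev):
    """True for an initiated TCP connection to a WinRM port by a non-service account."""
    if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
        return False
    if ev.get("Protocol", "tcp").lower() != "tcp":
        return False
    if int(ev.get("DestinationPort", 0)) not in WINRM_PORTS:
        return False
    user = ev.get("User", "").upper()
    if any(frag in user for frag in EXCLUDED_ACCOUNT_FRAGMENTS):
        return False
    # A connection to the host's own loopback is local WinRM use, e.g.
    # Enter-PSSession -ComputerName localhost (assumed benign here).
    try:
        if ipaddress.ip_address(ev.get("DestinationIp", "")).is_loopback:
            return False
    except ValueError:
        pass
    return True


def find_suspicious_winrm(events):
    """Return the subset of events that match the rule."""
    return [ev for ev in events if is_suspicious_winrm(ev)]


if __name__ == "__main__":
    for ev in find_suspicious_winrm(SAMPLE_EVENTS):
        print(f'{ev["User"]} {ev["Image"]} -> {ev["DestinationIp"]}:{ev["DestinationPort"]}')
```

In production the interesting pivot is the source Image: PowerShell or a custom client on a workstation reaching 5985 on a server it has no management relationship with is the lateral-movement case; a management host doing the same all day is the noise this rule needs an allow-list for.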
Detects a suspicious RDP protocol error, a potential indicator of CVE-2019-0708
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
Detects svchost hosting RDP termsvcs communicating with the loopback address
RDP login with localhost source address may be a tunnelled login
Detects a suspicious RDP session redirect using tscon.exe
Detects command line parameters used by Rubeus hack tool
Detects execution of Net.exe, whether suspicious or benign.
Detects the use of smbexec.py tool by detecting a specific service installation
Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass-the-Hash behavior of e.g. Mimikatz’s sekurlsa::pth module.
Detects remote login by an Administrator user (depending on the internal naming pattern).
Detects an executable in the Windows folder accessing suspicious domains
Detects an executable in the Windows folder accessing github.com
Detects interactive console logons to Server Systems
Detects access to the ADMIN$ share
This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are, however, still used by different threat groups)
This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the Mimikatz zerologon module or other exploits from a machine with the “kali” hostname.
Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.
Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Detects automated lateral movement by Turla group
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.
Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
Detects a suspicious UltraVNC command line flag combination that indicates an automatic reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)
Detects suspicious processes logging on with explicit credentials
Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes, or if an attacker uses a PsExec client other than the Sysinternals one.
Detects suspicious Plink tunnel remote forwarding to a local port
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Adversaries may interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the Print Spooler service enabled.
Looks for non-system accounts accessing a file over SMB with the write (0x2) access mask via an administrative share (e.g. C$).
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
Detects remote service activity via remote access to the svcctl named pipe
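The spoolss, admin-share write-mask and svcctl entries above all reduce to conditions on Windows Security event 5145 (detailed file share access): which share was opened, which relative target (file path or pipe name), with what access mask, and by whom. The following is an added example, not one of the listed rules and not SigmaHQ code, that evaluates all three conditions over constructed 5145 records with one shared parser. Field names are those of event 5145; the tuple layout of the findings, the exclusion of machine accounts (names ending in `$`) as "system accounts", and the sample IP addresses and user names are assumptions.

```python
"""Three share-access checks over constructed Windows Security event 5145
records: writes through an administrative share by a non-machine account,
and remote opens of the svcctl and spoolss named pipes over IPC$."""
import re

# 5145 reports ShareName as \\*\C$, \\*\ADMIN$, \\*\IPC$ and so on.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:[a-z]\$|admin\$)$", re.I)
IPC_SHARE = re.compile(r"^\\\\[^\\]+\\ipc\$$", re.I)
FILE_WRITE_DATA = 0x2  # access-mask bit set when the caller asked to write
LATERAL_PIPES = {
    "svcctl": "Service Control Manager RPC: remote service create/start",
    "spoolss": "print spooler RPC: can coerce the target into NTLM authentication",
}

# Constructed sample events (not real telemetry).
SAMPLE_5145 = [
    {"EventID": 5145, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.44",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\svc.exe",
     "AccessMask": "0x2"},
    {"EventID": 5145, "SubjectUserName": "FILESRV01$", "IpAddress": "10.0.0.9",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\x.log",
     "AccessMask": "0x2"},          # machine account: excluded
    {"EventID": 5145, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.44",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\Public\\notes.txt",
     "AccessMask": "0x1"},          # read only: no write bit
    {"EventID": 5145, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.44",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl",
     "AccessMask": "0x12019f"},
    {"EventID": 5145, "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.66",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",
     "AccessMask": "0x12019f"},
]


def _mask(ev):
    """AccessMask is logged as a hex string such as 0x12019f."""
    return int(ev["AccessMask"], 16)


def admin_share_write(ev):
    """Non-machine account opening a file for write through C$/ADMIN$ etc."""
    return bool(ev["EventID"] == 5145
                and ADMIN_SHARE.match(ev["ShareName"])
                and _mask(ev) & FILE_WRITE_DATA
                and not ev["SubjectUserName"].endswith("$"))


def lateral_pipe(ev):
    """Return the pipe name if this is a remote open of svcctl/spoolss over IPC$."""
    if ev["EventID"] != 5145 or not IPC_SHARE.match(ev["ShareName"]):
        return None
    pipe = ev["RelativeTargetName"].lower()
    return pipe if pipe in LATERAL_PIPES else None


def triage_share_access(events):
    """(source IP, account, finding, detail) for every matching event."""
    hits = []
    for ev in events:
        if admin_share_write(ev):
            hits.append((ev["IpAddress"], ev["SubjectUserName"], "admin-share write",
                         ev["ShareName"] + "\\" + ev["RelativeTargetName"]))
        pipe = lateral_pipe(ev)
        if pipe:
            hits.append((ev["IpAddress"], ev["SubjectUserName"],
                         "named pipe " + pipe, LATERAL_PIPES[pipe]))
    return hits


if __name__ == "__main__":
    for hit in triage_share_access(SAMPLE_5145):
        print(" | ".join(hit))
```

Event 5145 is only produced when "Audit Detailed File Share" is enabled, and it is high-volume on file servers; scoping the admin-share check to hosts that are not file servers, and the pipe checks to source addresses outside the management network, is what keeps the output usable.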
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Detects use of PsExec via pipe creation or access to its named pipes
Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
Detects lateral movement using a GPO scheduled task, usually used to deploy ransomware at scale
Detects the pass-the-hash attack technique, which is used to move laterally inside the network
Detects Pandemic Windows Implant
Detects logons using NTLM, which could be caused by a legacy source or attackers
Detects netsh commands that configure a port forwarding of port 3389 used for RDP
Detects netsh commands that configure a port forwarding (PortProxy)
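The PortProxy registry-key entry and the two netsh entries above describe the same configuration seen from two sources: the netsh command line (process creation) and the value that netsh writes under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy`. The following is an added example, not one of the listed rules and not SigmaHQ code, that parses both into one structure and flags forwards involving 3389. It assumes netsh's behaviour of accepting any unambiguous prefix of a context, command or parameter name (so `netsh int portp add v4tov4 listenp=...` is parsed like the long form), and assumes the Sysmon Event ID 13 layout in which the value name is `<listenaddress>/<listenport>` and the data is `<connectaddress>/<connectport>`; the sample addresses and ports are constructed.

```python
"""Recover netsh PortProxy configuration from a process command line and from
the registry value netsh writes, then flag RDP (3389) forwards."""
import re

ACTIONS = ("add", "set")
MODES = ("v4tov4", "v4tov6", "v6tov4", "v6tov6")
PARAMS = ("listenport", "listenaddress", "connectport", "connectaddress", "protocol")
# Value name under ...\Services\PortProxy\<mode>\tcp is <listenaddress>/<listenport>.
PORTPROXY_KEY = re.compile(r"\\services\\portproxy\\(v[46]tov[46])\\tcp\\([^\\]+)/(\d+)$", re.I)


def _expand(token, choices):
    """netsh accepts any unambiguous prefix of a name; return the full name or None."""
    token = token.lower()
    hits = [c for c in choices if c.startswith(token)]
    return hits[0] if len(hits) == 1 else None


def parse_portproxy(cmdline):
    """Dict of action/mode/parameters for a netsh portproxy add|set command, else None."""
    toks = cmdline.split()
    if len(toks) < 5:
        return None
    exe = toks[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("netsh", "netsh.exe"):
        return None
    # Permissive on purpose: any prefix of interface/portproxy is accepted,
    # so abbreviated forms seen in the wild are not missed.
    if _expand(toks[1], ["interface"]) is None or _expand(toks[2], ["portproxy"]) is None:
        return None
    action = _expand(toks[3], ACTIONS)
    mode = toks[4].lower() if toks[4].lower() in MODES else None
    if action is None or mode is None:
        return None
    cfg = {"action": action, "mode": mode}
    for tok in toks[5:]:
        key, sep, val = tok.partition("=")
        name = _expand(key, PARAMS) if sep else None
        if name:
            cfg[name] = int(val) if name.endswith("port") and val.isdigit() else val
    return cfg


def portproxy_registry_write(ev):
    """Same structure from a Sysmon EID 13 (registry value set) under the PortProxy key."""
    if ev.get("EventID") != 13:
        return None
    m = PORTPROXY_KEY.search(ev.get("TargetObject", ""))
    if not m:
        return None
    addr, _, port = ev.get("Details", "").rpartition("/")
    return {"action": "registry", "mode": m.group(1).lower(),
            "listenaddress": m.group(2), "listenport": int(m.group(3)),
            "connectaddress": addr, "connectport": int(port) if port.isdigit() else None}


def forwards_rdp(cfg):
    """True when either side of the proxy is the RDP port."""
    return cfg is not None and 3389 in (cfg.get("listenport"), cfg.get("connectport"))


if __name__ == "__main__":
    # Constructed examples of both sources.
    cmd = "netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"
    reg = {"EventID": 13, "Details": "10.0.0.5/3389",
           "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/4444"}
    for cfg in (parse_portproxy(cmd), portproxy_registry_write(reg)):
        print(cfg, "RDP forward" if forwards_rdp(cfg) else "")
```

The registry view is the more robust of the two: an attacker can set the key without netsh (the iphlpsvc service reads it at start), in which case only the Event ID 13 path fires, which is why the two rules exist side by side.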
Detects when an admin share is mounted using net.exe
Alerts on Metasploit host’s authentications on the domain.
Detects creation or execution of UserInitMprLogonScript persistence method
This event was observed on the target host during lateral movement. The process name within the event is the process spawned post-compromise. The Account Name within the event is the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally. We can also catch this via System log event 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs you can also catch these events in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; this rule, however, is based on regular Sysmon events.
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally
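The smbexec service-installation entry, the renamed PsExec/PAExec service entry and the two Cobalt Strike service-install entries above all key on what the PsExec family leaves behind when it creates a service on the target. The following is an added example, not one of the listed rules and not SigmaHQ code, that classifies constructed records of two kinds with one function: System event 7045 (ServiceName/ImagePath) for the smbexec and Cobalt Strike patterns, and Sysmon event 1 (Image/OriginalFileName) for a PsExec or PAExec service binary running under a renamed service, since PsExec `-r name` also names the copied binary `name.exe` while its PE OriginalFileName stays `psexesvc.exe`. The smbexec signature (service name `BTOBTO`, output routed through `\\127.0.0.1\C$\__output` and `%TEMP%\execute.bat`) is Impacket's default; the Cobalt Strike shapes used (a seven-character random `.exe` in `ADMIN$`, and a `%COMSPEC% ... start ... powershell ... -encodedcommand` one-liner) are the commonly reported `jump psexec` / `jump psexec_psh` defaults and are assumptions here, as are the sample host and service names.

```python
"""Service-install triage for the PsExec family over constructed records:
System 7045 records for Impacket smbexec and Cobalt Strike jump patterns,
Sysmon EID 1 records for a renamed PsExec/PAExec service binary."""
import re

# jump psexec: \\HOST\ADMIN$\<7 random alphanumerics>.exe (assumed default shape)
COBALT_PSEXEC = re.compile(r"\\admin\$\\[a-z0-9]{7}\.exe$")
# jump psexec_psh: cmd-wrapped, hidden, encoded PowerShell (assumed default shape)
COBALT_PSH_TOKENS = ("%comspec%", "start", "powershell", "-encodedcommand")

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > "
                  "%TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"},
    {"EventID": 7045, "ServiceName": "a1b2c3d", "ImagePath": "\\\\WS01\\ADMIN$\\a1b2c3d.exe"},
    {"EventID": 7045, "ServiceName": "9f0e1d2",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgA"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\spoolsrv.exe", "OriginalFileName": "psexesvc.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\tmp\\upd.exe", "OriginalFileName": "PAExec.exe"},
]


def classify_service_record(rec):
    """List of finding labels for one 7045 or Sysmon EID 1 record (empty if clean)."""
    findings = []
    if rec["EventID"] == 7045:
        name, path = rec["ServiceName"], rec["ImagePath"].lower()
        # Impacket smbexec: fixed service name and its batch-file output relay.
        if name == "BTOBTO" or ("__output" in path and "execute.bat" in path):
            findings.append("impacket smbexec service")
        if COBALT_PSEXEC.search(path):
            findings.append("cobalt strike psexec-style service")
        if all(tok in path for tok in COBALT_PSH_TOKENS):
            findings.append("cobalt strike psexec_psh-style service")
    elif rec["EventID"] == 1:
        orig = rec.get("OriginalFileName", "").lower()
        base = rec["Image"].rsplit("\\", 1)[-1].lower()
        # The PE keeps its original name even when -r renames the service/file.
        if orig == "psexesvc.exe" and base != "psexesvc.exe":
            findings.append("renamed psexec service")
        # PAExec's default service/file name starts with PAExec- (assumed).
        if orig == "paexec.exe" and not base.startswith("paexec"):
            findings.append("renamed paexec service")
    return findings


def triage_service_records(records):
    """(identifier, finding) pairs; the identifier is the service name or image."""
    out = []
    for rec in records:
        ident = rec.get("ServiceName") or rec.get("Image")
        for finding in classify_service_record(rec):
            out.append((ident, finding))
    return out


if __name__ == "__main__":
    for ident, finding in triage_service_records(SAMPLE_RECORDS):
        print(f"{ident}: {finding}")
```

The default-name PsExec record is deliberately left unflagged: the rule above exists to separate renamed or third-party PsExec clients from sanctioned Sysinternals use, so the default `PSEXESVC` install is the baseline, not the finding.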