attack.t1021.002

Impacket PsExec Execution
level
status test

Detects execution of Impacket’s psexec.py.

Copy from Admin Share
level
status test

Detects a suspicious copy command to or from an Admin share

Protected Storage Service Access
level
status test

Detects network access to the protected_storage named pipe, a potential abuse of DPAPI to extract domain backup keys from domain controllers.

Net.exe Execution
level
status experimental

Detects execution of Net.exe, whether suspicious or benign.

smbexec.py Service Installation
level
status test

Detects the use of the smbexec.py tool via its characteristic service installation.

Access to ADMIN$ Share
level
status test

Detects access to the ADMIN$ share.

Wmiprvse Wbemcomn DLL Hijack
level
status experimental

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Wmiprvse Wbemcomn DLL Hijack
level
status experimental

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Turla Group Lateral Movement
level
status experimental

Detects automated lateral movement by Turla group

T1047 Wmiprvse Wbemcomn DLL Hijack
level
status test

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
level
status experimental

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.

T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
level
status test

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Suspicious PsExec Execution - Zeek
level
status test

Detects execution of PsExec or PAExec with a renamed service name. Legitimate PsExec use keeps the default service name, so this rule filters out that noise and still catches an attacker who renames the service or uses a PsExec client other than the Sysinternals one.

Suspicious PsExec Execution
level
status test

Detects execution of PsExec or PAExec with a renamed service name. Legitimate PsExec use keeps the default service name, so this rule filters out that noise and still catches an attacker who renames the service or uses a PsExec client other than the Sysinternals one.

Suspicious New-PSDrive to Admin Share
level
status experimental

Adversaries may use New-PSDrive to map a remote network share over Server Message Block (SMB) and then perform actions on it as the logged-on user.

SMB Spoolss Name Piped Usage
level
status experimental

Detects the use of the spoolss named pipe over SMB. This pipe can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.

SMB Create Remote File Admin Share
level
status test

Detects non-system accounts accessing a file over SMB with the write (0x2) access mask via an administrative share (e.g. C$).
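The three entries above (Suspicious PsExec Execution, SMB Spoolss Name Piped Usage and SMB Create Remote File Admin Share) all key on Security event ID 5145 fields: ShareName, RelativeTargetName, AccessMask and SubjectUserName. The following is an added example that replays those three checks over constructed 5145 records; it is illustrative code, not the Sigma rules' own logic. The sample events are constructed, the "machine accounts end in $" filter is an assumption about what "non-system account" means, and the PsExec pipe naming pattern `<service>-<host>-<pid>-stdin|stdout|stderr` is assumed; the admin-share check generalises the listed rule's C$ to ADMIN$ and any drive-letter share.

```python
"""Added example: replay three 5145-based rules over constructed records.
Not the Sigma rules' own logic; see the lead-in for what is assumed."""
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Constructed 5145 records (not real telemetry). Only the fields the rules
# use are present; ShareName is logged as '\\*\C$', AccessMask as hex text.
SAMPLE_5145: List[Event] = [
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\C$",   "RelativeTargetName": "Windows\\Temp\\payload.exe", "AccessMask": "0x2"},
    {"SubjectUserName": "FS01$", "ShareName": "\\\\*\\C$",   "RelativeTargetName": "Windows\\Temp\\backup.log",  "AccessMask": "0x2"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\C$",   "RelativeTargetName": "Users\\Public\\readme.txt",  "AccessMask": "0x100081"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC-WS01-4120-stdin",  "AccessMask": "0x12019f"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svchelper-WS01-4120-stdin", "AccessMask": "0x12019f"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",                   "AccessMask": "0x12019f"},
]

FILE_WRITE_DATA = 0x2  # the 'write (0x2)' bit named in the admin-share rule


def share_name(ev: Event) -> str:
    """Strip the '\\\\*\\' prefix: '\\\\*\\C$' -> 'C$' (upper-cased so C$ and c$ compare equal)."""
    return ev["ShareName"].rsplit("\\", 1)[-1].upper()


def is_admin_share(share: str) -> bool:
    """ADMIN$ or a drive-letter share such as C$ (generalises the rule's C$)."""
    return share == "ADMIN$" or (len(share) == 2 and share[0].isalpha() and share[1] == "$")


def is_system_account(user: str) -> bool:
    """Assumption: machine accounts end in '$'; the rule's exact filter may differ."""
    return user.endswith("$") or user.upper() == "ANONYMOUS LOGON"


def rule_admin_share_write(ev: Event) -> bool:
    """Non-system account opening a file through an admin share with write access."""
    mask = int(ev["AccessMask"], 16)
    return (is_admin_share(share_name(ev))
            and bool(mask & FILE_WRITE_DATA)
            and not is_system_account(ev["SubjectUserName"]))


def rule_spoolss_pipe(ev: Event) -> bool:
    """spoolss pipe opened over IPC$ (the authentication-coercion primitive)."""
    return share_name(ev) == "IPC$" and ev["RelativeTargetName"].lower() == "spoolss"


def rule_renamed_psexec(ev: Event) -> bool:
    """PsExec-style I/O pipes whose name does not start with PSEXESVC.
    Assumption: PsExec names them '<service>-<host>-<pid>-stdin|stdout|stderr'."""
    name = ev["RelativeTargetName"]
    if share_name(ev) != "IPC$" or not name.lower().endswith(("-stdin", "-stdout", "-stderr")):
        return False
    return not name.upper().startswith("PSEXESVC")


RULES: Dict[str, Callable[[Event], bool]] = {
    "SMB Create Remote File Admin Share": rule_admin_share_write,
    "Suspicious PsExec Execution": rule_renamed_psexec,
    "SMB Spoolss Named Pipe Usage": rule_spoolss_pipe,
}


def run_rules(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule title, user, target) for every event a rule matches."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        for title, rule in RULES.items():
            if rule(ev):
                hits.append((title, ev["SubjectUserName"], ev["RelativeTargetName"]))
    return hits


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_5145):
        print(*hit, sep=" | ")
```

Run against the sample, the machine-account write (FS01$), the read-only open (0x100081 has no write bit) and the default-named PSEXESVC pipe all stay quiet; the user write to C$, the renamed PsExec pipe and the spoolss access each fire once. In production the AccessMask check should stay a bit test rather than a string compare, since real opens usually request several rights at once.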

Rundll32 Without Parameters
level
status experimental

Detects rundll32 execution without parameters, as observed when running Metasploit's windows/smb/psexec exploit module.

Remote Service Activity via SVCCTL Named Pipe
level
status test

Detects remote service activity via remote access to the svcctl named pipe

PsExec Pipes Artifacts
level
status test

Detects use of PsExec via named pipe creation or access.

Mounted Windows Admin Shares with net.exe
level
status experimental

Detects when an admin share is mounted using net.exe

Metasploit SMB Authentication
level
status experimental

Alerts on a Metasploit host's authentications to the domain.

First Time Seen Remote Named Pipe - Zeek
level
status test

This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes.

First Time Seen Remote Named Pipe
level
status test

This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes.
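The two First Time Seen Remote Named Pipe entries above describe an allowlist-plus-novelty check rather than a fixed signature. The following is an added example of that logic as a stateful detector over constructed Security event ID 5145 records; it is not the Sigma rule's own logic. The baseline set of pipe names is an assumption standing in for the rule's exclusion list, and the sample events (including the `hostsvc-ws02-3310` pipe name) are constructed.

```python
"""Added example: a stateful take on 'First Time Seen Remote Named Pipe'.
Not the Sigma rule's own logic; the baseline list is an assumption."""
from typing import Dict, Iterable, List, Optional, Set

Event = Dict[str, str]

# Assumed baseline of pipes Windows commonly exposes over IPC$ for RPC; the
# rule's own exclusion list may differ. Compared lower-case and without the
# leading backslash that some log sources include.
KNOWN_REMOTE_PIPES: Set[str] = {
    "atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "wkssvc",
    "svcctl", "spoolss", "ntsvcs", "browser", "netdfs", "protected_storage",
    "eventlog",
}


class FirstSeenPipeDetector:
    """Alert once per pipe name outside the baseline, then learn it so the
    next access to the same pipe stays quiet (the 'first time seen' part)."""

    def __init__(self, baseline: Iterable[str]) -> None:
        self.seen: Set[str] = {p.lower() for p in baseline}

    @staticmethod
    def pipe_name(ev: Event) -> Optional[str]:
        """Named pipes are reached through IPC$; anything on another share is a file."""
        if not ev.get("ShareName", "").upper().endswith("IPC$"):
            return None
        return ev["RelativeTargetName"].lstrip("\\").lower()

    def process(self, ev: Event) -> Optional[str]:
        """Return the pipe name if this is its first observation, else None."""
        name = self.pipe_name(ev)
        if name is None or name in self.seen:
            return None
        self.seen.add(name)
        return name


def first_seen_pipes(events: Iterable[Event],
                     baseline: Iterable[str] = KNOWN_REMOTE_PIPES) -> List[str]:
    """Run the detector over a stream and collect the alerts in order."""
    det = FirstSeenPipeDetector(baseline)
    return [n for n in (det.process(ev) for ev in events) if n is not None]


# Constructed 5145 records (not real telemetry); only the fields used are present.
SAMPLE_5145: List[Event] = [
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "\\svcctl"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "psexesvc"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\C$",   "RelativeTargetName": "Windows\\Temp\\tool.exe"},
    {"SubjectUserName": "WS02$", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "hostsvc-ws02-3310"},
    {"SubjectUserName": "jdoe",  "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"},
]

if __name__ == "__main__":
    print(first_seen_pipes(SAMPLE_5145))  # ['psexesvc', 'hostsvc-ws02-3310']
```

Two caveats a practitioner would add: the learned set must persist between runs (and usually per target host) or every restart re-alerts on the whole environment, and pipes that carry a per-session suffix (such as PsExec's `-<host>-<pid>-stdin` pipes) will each count as new unless the name is normalised before the lookup.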

DCERPC SMB Spoolss Named Pipe
level
status test

Detects the use of the spoolss named pipe over SMB. This pipe can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.

CobaltStrike Service Installations in Registry
level
status experimental

Detects known malicious service installations that appear when a Cobalt Strike beacon elevates privileges or moves laterally. The same activity can also be caught via System event ID 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs these events can also be seen under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; this rule, however, is based on regular Sysmon events.

CobaltStrike Service Installations
level
status experimental

Detects known malicious service installations that appear when a Cobalt Strike beacon elevates privileges or moves laterally.
