Detects execution of Impacket’s psexec.py.
Detects a suspicious copy command to or from an Admin share
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
Detects execution of Net.exe, whether suspicious or benign.
Detects the use of the smbexec.py tool by detecting a specific service installation
Detects access to $ADMIN share
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.
Detects automated lateral movement by Turla group
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.
Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
Detects execution of PsExec or PAExec with a renamed service name. This rule helps filter out the noise when PsExec is used for legitimate purposes, or when an attacker uses a PsExec client other than the Sysinternals one.
Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$).
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Detects remote service activity via remote access to the svcctl named pipe
Detects use of PsExec via pipe creation or access to its named pipes
Detects when an admin share is mounted using net.exe
Alerts on Metasploit host’s authentications on the domain.
This detection excludes known named pipes that are accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement. This can also be caught via System log event ID 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs these events can also be found under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; however, this rule is based on regular Sysmon events.
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement