Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alerts
The following rules are used to identify suspicious activity with Windows Network Share File or Folder Access. Any one or more of these will trigger Sensitive Windows Network Share File or Folder Accessed Alert. Details for each rule can be viewed by clicking the More Details link in the description.
|
Title |
Description |
||||||||
|---|---|---|---|---|---|---|---|---|---|
|
Impacket PsExec Execution |
Detects execution of Impacket's psexec.py. More details
Rule IDQuery{'selection1': {'EventID': 5145, 'ShareName': '\\\\*\\IPC$', 'RelativeTargetName|contains': ['RemCom_stdin', 'RemCom_stdout', 'RemCom_stderr']}, 'condition': 'selection1'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,32d56ea1-417f-44ff-822b-882873f5f43b Author: Bhabesh Raj Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Remote Task Creation via ATSVC Named Pipe |
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe More details
Rule IDQuery{'selection': {'EventID': 5145, 'ShareName': '\\\\*\\IPC$', 'RelativeTargetName': 'atsvc', 'Accesses|contains': ['WriteData', '%%4417']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f6de6525-4509-495a-8a82-1f8b0ed73a00 Author: Samir Bousseaden Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Protected Storage Service Access |
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers More details
Rule IDQuery{'selection': {'EventID': 5145, 'ShareName|contains': 'IPC', 'RelativeTargetName': 'protected_storage'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,45545954-4016-43c6-855e-eae8f1c369dc Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Persistence and Execution at Scale via GPO Scheduled Task |
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale More details
Rule IDQuery{'selection': {'EventID': 5145, 'ShareName': '\\\\*\\SYSVOL', 'RelativeTargetName|endswith': 'ScheduledTasks.xml', 'Accesses|contains': ['WriteData', '%%4417']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a8f29a7b-b137-4446-80a0-b804272f3da2 Author: Samir Bousseaden Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
First Time Seen Remote Named Pipe |
This detection excludes known named pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes More details
Rule IDQuery{'selection1': {'EventID': 5145, 'ShareName': '\\\\*\\IPC$'}, 'false_positives': {'RelativeTargetName': ['atsvc', 'samr', 'lsarpc', 'lsass', 'winreg', 'netlogon', 'srvsvc', 'protected_storage', 'wkssvc', 'browser', 'netdfs', 'svcctl', 'spoolss', 'ntsvcs', 'LSM_API_service', 'HydraLsPipe', 'TermSrv_API_service', 'MsFteWds', 'sql\\query', 'eventlog']}, 'condition': 'selection1 and not false_positives'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,52d8b0c6-53d6-439a-9e41-52ad442ad9ad Author: Samir Bousseaden Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
DCERPC SMB Spoolss Named Pipe |
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. More details
Rule IDQuery{'selection': {'EventID': 5145, 'ShareName': '\\\\*\\IPC$', 'RelativeTargetName': 'spoolss'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,214e8f95-100a-4e04-bb31-ef6cba8ce07e Author: OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
T1047 Wmiprvse Wbemcomn DLL Hijack |
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario. More details
Rule IDQuery{'selection': {'EventID': 5145, 'RelativeTargetName|endswith': '\\wbem\\wbemcomn.dll'}, 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f6c68d5f-e101-4b86-8c84-7d96851fd65c Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
CVE-2021-1675 Print Spooler Exploitation IPC Access |
Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 More details
Rule IDQuery{'selection': {'EventID': 5145, 'ShareName': '\\\\*\\IPC$', 'RelativeTargetName': 'spoolss', 'AccessMask': '0x3', 'ObjectType': 'File'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8fe1c584-ee61-444b-be21-e9054b229694 Author: INIT_6 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Possible PetitPotam Coerce Authentication Attempt |
Detect PetitPotam coerced authentication activity. More details
Rule IDQuery{'selection': {'EventID': 5145, 'ShareName|startswith': '\\\\', 'ShareName|endswith': '\\IPC$', 'RelativeTargetName': 'lsarpc', 'SubjectUserName': 'ANONYMOUS LOGON'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1ce8c8a3-2723-48ed-8246-906ac91061a6 Author: Mauricio Velazco, Michael Haag Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Possible Impacket SecretDump Remote Activity |
Detect AD credential dumping using impacket secretdump HKTL More details
Rule IDQuery{'selection': {'EventID': 5145, 'ShareName': '\\\\*\\ADMIN$', 'RelativeTargetName|contains|all': ['SYSTEM32\\', '.tmp']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,252902e3-5830-4cf6-bf21-c22083dfd5cf Author: Samir Bousseaden, wagga Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious PsExec Execution |
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one More details
Rule IDQuery{'selection1': {'EventID': 5145, 'ShareName': '\\\\*\\IPC$', 'RelativeTargetName|endswith': ['-stdin', '-stdout', '-stderr']}, 'filter': {'RelativeTargetName|startswith': 'PSEXESVC'}, 'condition': 'selection1 and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 Author: Samir Bousseaden Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security |
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario. More details
Rule IDQuery{'selection': {'EventID': 5145, 'RelativeTargetName|endswith': '\\Internet Explorer\\iertutil.dll'}, 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c39f0c81-7348-4965-ab27-2fde35a1b641 Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
