Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alerts

The following rules are used to identify suspicious activity involving Windows network share file or folder access. Any one or more of them firing triggers the Sensitive Windows Network Share File or Folder Accessed alert. Details for each rule can be viewed by clicking the More Details link in its description.

| Title | Description |
| --- | --- |
| Impacket PsExec Execution | Detects execution of Impacket's psexec.py. |
| Remote Task Creation via ATSVC Named Pipe | Detects remote task creation via at.exe or an API call interacting with the ATSVC named pipe. |
| Protected Storage Service Access | Detects access to the protected_storage service over the network, which can indicate abuse of DPAPI to extract domain backup keys from Domain Controllers. |
| Persistence and Execution at Scale via GPO Scheduled Task | Detects lateral movement via a GPO-deployed scheduled task, a technique commonly used to deploy ransomware at scale. |
| First Time Seen Remote Named Pipe | Excludes known remotely accessible named pipes and alerts on newly observed ones; helps detect lateral movement and remote execution over named pipes. |
| DCERPC SMB Spoolss Named Pipe | Detects use of the spoolss named pipe over SMB. This can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled. |
| T1047 Wmiprvse Wbemcomn DLL Hijack | Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network, a WMI DLL hijack scenario. |
| CVE-2021-1675 Print Spooler Exploitation IPC Access | Detects remote printer driver loads recorded as Detailed File Share events in the Security log, a sign of successful exploitation of the Print Spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527 (PrintNightmare). |
| Possible PetitPotam Coerce Authentication Attempt | Detects PetitPotam coerced authentication activity (abuse of the MS-EFSRPC interface to force a host to authenticate to an attacker-controlled machine). |
| Possible Impacket SecretDump Remote Activity | Detects Active Directory credential dumping with Impacket's secretsdump.py (hacktool). |
| Suspicious PsExec Execution | Detects execution of PsExec or PAExec with a renamed service name. This filters out noise from legitimate PsExec use and catches attackers using a PsExec client other than the Sysinternals one. |
| DCOM InternetExplorer.Application Iertutil DLL Hijack - Security | Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network, a DCOM InternetExplorer DLL hijack scenario. |
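Most of the rules above key on the same telemetry: Windows Security Event ID 5145 (Detailed File Share), with `ShareName` identifying the share (IPC$ for named pipes, C$ or ADMIN$ for file writes) and `RelativeTargetName` naming the pipe or file. The script below is an added example, not the product's or Sigma's rule logic, that evaluates several of the listed rules against constructed 5145 records. The 5145 field names are real; the indicator values each rule matches on (the RemCom pipe names for Impacket psexec.py, the baseline of known pipes, the DLL paths) are this example's assumptions, and the sample events are constructed.

```python
"""Added example: evaluate several of the share-access rules listed above
against constructed Windows Security Event ID 5145 records.
Field names are the real 5145 fields; indicator values are assumptions."""

IPC_SHARE = "\\\\*\\IPC$"  # how 5145 records the IPC$ share

# Constructed baseline of pipes routinely reached over IPC$ in a domain.
# "First Time Seen Remote Named Pipe" alerts on anything not in this set.
KNOWN_REMOTE_PIPES = {p.lower() for p in (
    "atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "spoolss",
    "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "ntsvcs",
)}

# Assumption: Impacket's psexec.py drives its RemComSvc payload via these pipes.
IMPACKET_PSEXEC_PIPES = {"remcom_stdin", "remcom_stdout", "remcom_stderr"}

# Constructed sample events (a few 5145 fields each, plus one unrelated 5140).
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.21", "ShareName": IPC_SHARE, "RelativeTargetName": "srvsvc"},
    {"EventID": 5145, "Computer": "DC01", "SubjectUserName": "WKS02$",
     "IpAddress": "10.0.0.99", "ShareName": IPC_SHARE, "RelativeTargetName": "spoolss"},
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "admin",
     "IpAddress": "10.0.0.99", "ShareName": IPC_SHARE, "RelativeTargetName": "RemCom_stdout"},
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "admin",
     "IpAddress": "10.0.0.99", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Windows\\System32\\wbem\\wbemcomn.dll"},
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "admin",
     "IpAddress": "10.0.0.99", "ShareName": IPC_SHARE, "RelativeTargetName": "atsvc"},
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "admin",
     "IpAddress": "10.0.0.99", "ShareName": IPC_SHARE, "RelativeTargetName": "myweirdpipe"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.21", "ShareName": IPC_SHARE, "RelativeTargetName": "RemCom_stdout"},
    {"EventID": 5145, "Computer": "DC01", "SubjectUserName": "admin",
     "IpAddress": "10.0.0.99", "ShareName": IPC_SHARE, "RelativeTargetName": "protected_storage"},
]


def _is_ipc(ev):
    """True for a 5145 event against the IPC$ share (named-pipe access)."""
    return ev.get("EventID") == 5145 and ev.get("ShareName", "").upper() == IPC_SHARE.upper()


def _target(ev):
    return ev.get("RelativeTargetName", "").lower()


def rule_impacket_psexec(ev):
    return _is_ipc(ev) and _target(ev) in IMPACKET_PSEXEC_PIPES


def rule_atsvc_remote_task(ev):
    return _is_ipc(ev) and _target(ev) == "atsvc"


def rule_protected_storage(ev):
    return _is_ipc(ev) and _target(ev) == "protected_storage"


def rule_spoolss(ev):
    return _is_ipc(ev) and _target(ev) == "spoolss"


def rule_first_time_seen_pipe(ev, known=KNOWN_REMOTE_PIPES):
    # Exclusion-based: any IPC$ pipe outside the baseline is reported.
    return _is_ipc(ev) and _target(ev) not in known


def rule_wbemcomn_hijack(ev):
    # Remote write of wbemcomn.dll into the WMI directory over any share.
    return ev.get("EventID") == 5145 and _target(ev).endswith(
        "windows\\system32\\wbem\\wbemcomn.dll")


def rule_iertutil_hijack(ev):
    return ev.get("EventID") == 5145 and _target(ev).endswith(
        "program files\\internet explorer\\iertutil.dll")


RULES = {
    "Impacket PsExec Execution": rule_impacket_psexec,
    "Remote Task Creation via ATSVC Named Pipe": rule_atsvc_remote_task,
    "Protected Storage Service Access": rule_protected_storage,
    "First Time Seen Remote Named Pipe": rule_first_time_seen_pipe,
    "DCERPC SMB Spoolss Named Pipe": rule_spoolss,
    "T1047 Wmiprvse Wbemcomn DLL Hijack": rule_wbemcomn_hijack,
    "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security": rule_iertutil_hijack,
}


def evaluate(events):
    """Map each rule title to the indices of events it fires on."""
    return {title: [i for i, ev in enumerate(events) if fn(ev)]
            for title, fn in RULES.items()}


def alert_event_indices(events):
    """Events that raise the composite alert: any contributing rule fired."""
    return sorted({i for hits in evaluate(events).values() for i in hits})


if __name__ == "__main__":
    for title, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{title}: {hits}")
    print("Sensitive Windows Network Share File or Folder Accessed on events:",
          alert_event_indices(SAMPLE_EVENTS))
```

Note how the two design styles interact: the indicator rules (spoolss, atsvc, RemCom) are silent on the unknown `myweirdpipe`, while the exclusion-based "First Time Seen" rule catches it, and both fire on the RemCom pipe; the baseline for the exclusion rule is what needs tuning per environment, since a too-small baseline makes it noisy and a too-large one hides exactly the lateral-movement pipes it exists to surface.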