Process Execution from Admin Share (RedCanary Threat Detection Report)
Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Process Execution from Admin Share (RedCanary Threat Detection Report)
2id: 508ffe6a-8d07-4162-a000-fbf939a23b92
3status: experimental
4description: Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.lateral_movement
11 - attack.t1021.002
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains:
18 - 'ADMIN$'
19 - 'IPC$'
20 - 'C$'
21 condition: selection
22falsepositives:
23 - Depends; may require baselining and exclusions for legitimate use.
24level: low```
References
-
Adversaries abuse Windows Admin Shares and the Server Message Block (SMB) protocol to move laterally and stage payloads for execution.
Read More
Related rules
- Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
- File Writes Within Admin Shares (RedCanary Threat Detection Report)
- Failed Mounting of Hidden Share
- Metasploit Or Impacket Service Installation Via SMB PsExec
- CobaltStrike Service Installations - System