Remote Event Log Recon

 1title: Remote Event Log Recon
 2id: 2053961f-44c7-4a64-b62d-f6e72800af0d
 3status: test
 4description: Detects remote RPC calls to get event log information via EVEN or EVEN6
 5references:
 6    - https://github.com/zeronetworks/rpcfirewall
 7    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 8author: Sagie Dulce, Dekel Paz
 9date: 2022-01-01
10modified: 2022-01-01
11tags:
12    - attack.discovery
13logsource:
14    product: rpc_firewall
15    category: application
16    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
17detection:
18    selection:
19        EventLog: RPCFW
20        EventID: 3
21        InterfaceUuid:
22            - 82273fdc-e32a-18c3-3f78-827929dc23ea
23            - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
24    condition: selection
25falsepositives:
26    - Remote administrative tasks on Windows Events
27level: high

References

• GitHub - zeronetworks/rpcfirewall

  

  Contribute to zeronetworks/rpcfirewall development by creating an account on GitHub.

  
  Read More

• Stopping Lateral Movement via the RPC Firewall - Sagie Dulce

  

  RPC Firewall is a free & open source tool, which detects and protects against RPC based attacks used by ransomware for lateral movement and other attacks

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• AD Groups Or Users Enumeration Using PowerShell - PoshModule
• AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
• AD Privileged Users or Groups Reconnaissance