Remote Event Log Recon

 1title: Remote Event Log Recon
 2id: 2053961f-44c7-4a64-b62d-f6e72800af0d
 3status: test
 4description: Detects remote RPC calls to get event log information via EVEN or EVEN6
 5references:
 6    - https://github.com/zeronetworks/rpcfirewall
 7    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 8author: Sagie Dulce, Dekel Paz
 9date: 2022-01-01
10tags:
11    - attack.discovery
12logsource:
13    product: rpc_firewall
14    category: application
15    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
16detection:
17    selection:
18        EventLog: RPCFW
19        EventID: 3
20        InterfaceUuid:
21            - 82273fdc-e32a-18c3-3f78-827929dc23ea
22            - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
23    condition: selection
24falsepositives:
25    - Remote administrative tasks on Windows Events
26level: high

References

• GitHub - zeronetworks/rpcfirewall

  

  Contribute to zeronetworks/rpcfirewall development by creating an account on GitHub.

  
  Read More

• Stopping Lateral Movement via the RPC Firewall - Sagie Dulce

  

  RPC Firewall is a free & open source tool, which detects and protects against RPC based attacks used by ransomware for lateral movement and other attacks

  
  Read More

Related rules

• HackTool - SharpView Execution
• HackTool - TruffleSnout Execution
• Possible DCSync Attack
• Recon Activity via SASec
• Remote Registry Recon