Recon Activity via SASec

Detects remote RPC calls to read information about scheduled tasks via SASec

Sigma rule (View on GitHub)

 1title: Recon Activity via SASec
 2id: 0a3ff354-93fc-4273-8a03-1078782de5b7
 3status: test
 4description: Detects remote RPC calls to read information about scheduled tasks via SASec
 5references:
 6    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
 7    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
 8    - https://github.com/zeronetworks/rpcfirewall
 9    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
10author: Sagie Dulce, Dekel Paz
11date: 2022/01/01
12modified: 2022/11/17
13tags:
14    - attack.discovery
15logsource:
16    product: rpc_firewall
17    category: application
18    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
19detection:
20    selection:
21        EventLog: RPCFW
22        EventID: 3
23        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
24    filter:
25        OpNum:
26            - 0
27            - 1
28    condition: selection and not filter
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top