MITRE BZAR Indicators for Execution
Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
Sigma rule

```yaml
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053.002
    - attack.t1569.002
logsource:
    product: zeek
    service: dce_rpc
detection:
    # Zeek's dce_rpc.log records the RPC interface in 'endpoint' and the
    # called method in 'operation'; every op below follows that order.
    op1:
        endpoint: 'atsvc'
        operation: 'JobAdd'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium
```
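As an added example (not part of the rule, BZAR or Zeek), the Python below applies the rule's ten endpoint/operation pairs to constructed Zeek dce_rpc.log records in JSON form, matching case-insensitively as Sigma does and emitting one alert summary per hit:

```python
# Added example, not part of the Sigma rule or BZAR: run the rule's
# endpoint/operation pairs over Zeek dce_rpc.log records in JSON form.
import json

# Interface (endpoint) / method (operation) pairs, as listed in the rule.
EXECUTION_OPS = {
    ("atsvc", "JobAdd"),
    ("ITaskSchedulerService", "SchRpcEnableTask"),
    ("ITaskSchedulerService", "SchRpcRegisterTask"),
    ("ITaskSchedulerService", "SchRpcRun"),
    ("IWbemServices", "ExecMethod"),
    ("IWbemServices", "ExecMethodAsync"),
    ("svcctl", "CreateServiceA"),
    ("svcctl", "CreateServiceW"),
    ("svcctl", "StartServiceA"),
    ("svcctl", "StartServiceW"),
}
# Sigma string matching is case-insensitive by default, so compare folded.
_FOLDED = {(e.casefold(), o.casefold()) for e, o in EXECUTION_OPS}

def matches(record: dict) -> bool:
    """True if one dce_rpc record hits any of the rule's pairs (1 of op*)."""
    ep, op = record.get("endpoint"), record.get("operation")
    if not isinstance(ep, str) or not isinstance(op, str):
        return False  # Zeek omits unset fields in JSON output
    return (ep.casefold(), op.casefold()) in _FOLDED

def scan(log_text: str) -> list[dict]:
    """Return one alert summary per matching line of a JSON dce_rpc.log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if matches(rec):
            alerts.append({"ts": rec.get("ts"), "src": rec.get("id.orig_h"),
                           "dst": rec.get("id.resp_h"),
                           "rpc": f'{rec["endpoint"]}::{rec["operation"]}'})
    return alerts

# Constructed sample records (private addresses, invented uids), not real traffic.
SAMPLE_LOG = """\
{"ts":1584604800.10,"uid":"Cx1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","endpoint":"svcctl","operation":"OpenSCManagerW"}
{"ts":1584604800.12,"uid":"Cx1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","endpoint":"svcctl","operation":"CreateServiceW"}
{"ts":1584604801.00,"uid":"Cx2","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.21","endpoint":"IWbemServices","operation":"ExecMethod"}
{"ts":1584604803.00,"uid":"Cx4","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.23","endpoint":"atsvc","operation":"JobAdd"}
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # three alerts: CreateServiceW, ExecMethod, JobAdd
```

The OpenSCManagerW line is deliberately left unmatched: opening the service manager precedes normal administration too, so the rule fires only on the create/start calls that actually launch code.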
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- HackTool - CrackMapExec Execution Patterns
- HackTool - SharpUp PrivEsc Tool Execution