MITRE BZAR Indicators for Execution

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

Sigma rule (View on GitHub)

 1title: MITRE BZAR Indicators for Execution
 2id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
 3status: test
 4description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
 5references:
 6    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
 7author: '@neu5ron, SOC Prime'
 8date: 2020-03-19
 9modified: 2021-11-27
10tags:
11    - attack.execution
12    - attack.t1047
13    - attack.t1053.002
14    - attack.t1569.002
15logsource:
16    product: zeek
17    service: dce_rpc
18detection:
19    op1:
20        endpoint: 'JobAdd'
21        operation: 'atsvc'
22    op2:
23        endpoint: 'ITaskSchedulerService'
24        operation: 'SchRpcEnableTask'
25    op3:
26        endpoint: 'ITaskSchedulerService'
27        operation: 'SchRpcRegisterTask'
28    op4:
29        endpoint: 'ITaskSchedulerService'
30        operation: 'SchRpcRun'
31    op5:
32        endpoint: 'IWbemServices'
33        operation: 'ExecMethod'
34    op6:
35        endpoint: 'IWbemServices'
36        operation: 'ExecMethodAsync'
37    op7:
38        endpoint: 'svcctl'
39        operation: 'CreateServiceA'
40    op8:
41        endpoint: 'svcctl'
42        operation: 'CreateServiceW'
43    op9:
44        endpoint: 'svcctl'
45        operation: 'StartServiceA'
46    op10:
47        endpoint: 'svcctl'
48        operation: 'StartServiceW'
49    condition: 1 of op*
50falsepositives:
51    - Windows administrator tasks or troubleshooting
52    - Windows management scripts or software
53level: medium

References

Related rules

to-top