MITRE BZAR Indicators for Execution

Windows DCE-RPC functions which indicate execution techniques on the remote system (scheduled tasks via atsvc and ITaskSchedulerService, WMI method execution via IWbemServices, and service creation/start via svcctl). All credit for the Zeek mapping of the suspicious endpoint/operation pairs goes to MITRE.

Sigma rule

title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020/03/19
modified: 2021/11/27
tags:
    - attack.execution
    - attack.t1047
    - attack.t1053.002
    - attack.t1569.002
logsource:
    product: zeek
    service: dce_rpc
detection:
    # Zeek's dce_rpc.log records the interface name in 'endpoint' and the
    # method name in 'operation'; atsvc is the interface, JobAdd the method.
    op1:
        endpoint: 'atsvc'
        operation: 'JobAdd'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium
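The rule's logic, applied to Zeek dce_rpc.log records in JSON form, as an added example (this is not code from the Sigma project or from BZAR). The log lines are constructed samples, and the field names follow Zeek's dce_rpc.log schema; the example matches on the (endpoint, operation) pair rather than the operation name alone, which is what the rule's selection does, and then groups hits per originating host so an analyst can see which source triggered more than one indicator.

```python
import json
from collections import defaultdict

# (endpoint, operation) pairs from the Sigma rule above: the BZAR execution
# indicators. Matching the pair avoids flagging same-named operations on
# unrelated interfaces.
EXECUTION_INDICATORS = {
    ("atsvc", "JobAdd"),
    ("ITaskSchedulerService", "SchRpcEnableTask"),
    ("ITaskSchedulerService", "SchRpcRegisterTask"),
    ("ITaskSchedulerService", "SchRpcRun"),
    ("IWbemServices", "ExecMethod"),
    ("IWbemServices", "ExecMethodAsync"),
    ("svcctl", "CreateServiceA"),
    ("svcctl", "CreateServiceW"),
    ("svcctl", "StartServiceA"),
    ("svcctl", "StartServiceW"),
}

# Constructed sample of Zeek dce_rpc.log (JSON output); not real traffic.
SAMPLE_LOG = r"""
{"ts":1584604800.10,"uid":"CAaa01","id.orig_h":"10.0.0.5","id.orig_p":49500,"id.resp_h":"10.0.0.20","id.resp_p":445,"rtt":0.001,"named_pipe":"\\PIPE\\svcctl","endpoint":"svcctl","operation":"OpenSCManagerW"}
{"ts":1584604800.20,"uid":"CAaa01","id.orig_h":"10.0.0.5","id.orig_p":49500,"id.resp_h":"10.0.0.20","id.resp_p":445,"rtt":0.001,"named_pipe":"\\PIPE\\svcctl","endpoint":"svcctl","operation":"CreateServiceW"}
{"ts":1584604800.30,"uid":"CAaa01","id.orig_h":"10.0.0.5","id.orig_p":49500,"id.resp_h":"10.0.0.20","id.resp_p":445,"rtt":0.001,"named_pipe":"\\PIPE\\svcctl","endpoint":"svcctl","operation":"StartServiceW"}
{"ts":1584604801.00,"uid":"CAbb02","id.orig_h":"10.0.0.7","id.orig_p":50120,"id.resp_h":"10.0.0.21","id.resp_p":135,"rtt":0.002,"endpoint":"IWbemServices","operation":"ExecMethod"}
{"ts":1584604802.00,"uid":"CAcc03","id.orig_h":"10.0.0.9","id.orig_p":51000,"id.resp_h":"10.0.0.20","id.resp_p":445,"rtt":0.001,"named_pipe":"\\PIPE\\atsvc","endpoint":"atsvc","operation":"JobEnum"}
{"ts":1584604803.00,"uid":"CAdd04","id.orig_h":"10.0.0.9","id.orig_p":51001,"id.resp_h":"10.0.0.20","id.resp_p":445,"rtt":0.001,"named_pipe":"\\PIPE\\spoolss","endpoint":"spoolss","operation":"RpcOpenPrinterEx"}
"""


def match_record(rec):
    """Return the matching (endpoint, operation) pair, or None if the record
    does not hit any rule selection. Missing fields never match."""
    key = (rec.get("endpoint"), rec.get("operation"))
    return key if key in EXECUTION_INDICATORS else None


def scan(log_text):
    """Evaluate the rule (condition: 1 of op*) over JSON log lines and return
    one hit per matching record, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = match_record(rec)
        if key is None:
            continue
        hits.append({
            "ts": rec["ts"],
            "uid": rec["uid"],
            "orig_h": rec["id.orig_h"],
            "resp_h": rec["id.resp_h"],
            "endpoint": key[0],
            "operation": key[1],
        })
    return hits


def summarize_by_source(log_text):
    """Group hit operations by originating host; a source that chains several
    indicators (e.g. CreateServiceW then StartServiceW) is worth a closer look
    than a single scheduled-task call from a management host."""
    per_host = defaultdict(list)
    for hit in scan(log_text):
        per_host[hit["orig_h"]].append(hit["operation"])
    return {host: sorted(ops) for host, ops in per_host.items()}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["orig_h"]} -> {hit["resp_h"]}: {hit["endpoint"]}::{hit["operation"]} (uid {hit["uid"]})')
    print(summarize_by_source(SAMPLE_LOG))
```

Only three of the six sample records match: the OpenSCManagerW call, the atsvc JobEnum (enumeration, not execution) and the spoolss call fall outside the rule's pairs, which is the behaviour an analyst should expect before tuning the listed false positives (management software and administrator troubleshooting) into an allowlist of known source hosts.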
