MITRE BZAR Indicators for Persistence
Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
Sigma rule
```yaml
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
status: test
description: 'Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.t1547.004
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'spoolss'
        operation: 'RpcAddMonitor'
    op2:
        endpoint: 'spoolss'
        operation: 'RpcAddPrintProcessor'
    op3:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddMonitor'
    op4:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddPrintProcessor'
    op5:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonW'
    op6:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonExW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium
```
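To show what the rule's detection block actually does when evaluated, here is an added Python example (not part of the Sigma rule, the Sigma project, or MITRE's BZAR package) that applies the six endpoint/operation pairs and the `1 of op*` condition to Zeek `dce_rpc.log` records. It assumes Zeek is writing logs as one JSON object per line with the standard `endpoint` and `operation` fields; the log lines below are constructed for the example and do not come from real traffic. Sigma string matching is case-insensitive by default, so the comparison lowercases both fields, and malformed lines are skipped rather than aborting the scan.

```python
import json
from typing import Dict, Iterator, List, Tuple

# The rule's six (endpoint, operation) pairs, lowercased because Sigma
# compares strings case-insensitively unless a modifier says otherwise.
BZAR_PERSISTENCE_OPS: frozenset = frozenset(
    (endpoint.lower(), operation.lower())
    for endpoint, operation in (
        ("spoolss", "RpcAddMonitor"),
        ("spoolss", "RpcAddPrintProcessor"),
        ("IRemoteWinspool", "RpcAsyncAddMonitor"),
        ("IRemoteWinspool", "RpcAsyncAddPrintProcessor"),
        ("ISecLogon", "SeclCreateProcessWithLogonW"),
        ("ISecLogon", "SeclCreateProcessWithLogonExW"),
    )
)

# Constructed sample of Zeek dce_rpc.log in JSON-per-line form (assumption:
# the deployment uses Zeek's JSON log writer). Not real traffic.
SAMPLE_LOG = """\
{"ts":1584604800.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"spoolss","operation":"RpcOpenPrinter"}
{"ts":1584604801.2,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"spoolss","operation":"RpcAddMonitor"}
{"ts":1584604802.3,"uid":"CAbc3","id.orig_h":"10.0.0.7","id.orig_p":49154,"id.resp_h":"10.0.0.10","id.resp_p":49667,"endpoint":"ISecLogon","operation":"SeclCreateProcessWithLogonW"}
{"ts":1584604803.4,"uid":"CAbc4","id.orig_h":"10.0.0.7","id.orig_p":49155,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"srvsvc","operation":"NetrShareEnum"}
this line is deliberately not JSON
"""


def parse_dce_rpc_lines(text: str) -> Iterator[Dict]:
    """Yield one dict per well-formed JSON log line; skip blank or broken lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A corrupt line should not stop the rest of the file from being scanned.
            continue


def matches_rule(record: Dict) -> bool:
    """True if the record satisfies any one of op1..op6 (condition: 1 of op*)."""
    key: Tuple[str, str] = (
        str(record.get("endpoint", "")).lower(),
        str(record.get("operation", "")).lower(),
    )
    return key in BZAR_PERSISTENCE_OPS


def detect_persistence_rpc(text: str) -> List[Dict]:
    """Return a compact alert record for every matching dce_rpc log line."""
    hits = []
    for rec in parse_dce_rpc_lines(text):
        if matches_rule(rec):
            hits.append({
                "uid": rec.get("uid"),
                "orig_h": rec.get("id.orig_h"),
                "resp_h": rec.get("id.resp_h"),
                "endpoint": rec["endpoint"],
                "operation": rec["operation"],
            })
    return hits


if __name__ == "__main__":
    for hit in detect_persistence_rpc(SAMPLE_LOG):
        print(f"[MITRE BZAR persistence] {hit['orig_h']} -> {hit['resp_h']} "
              f"{hit['endpoint']}::{hit['operation']} (uid {hit['uid']})")
```

Run against the constructed sample, the scan flags the `RpcAddMonitor` call on `spoolss` and the `SeclCreateProcessWithLogonW` call on `ISecLogon`, while the ordinary `RpcOpenPrinter` and `NetrShareEnum` calls pass through. In a real pipeline the `hits` list is what you would enrich with the source host and triage against the rule's stated false positives (administrator tasks, management software).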
References
- https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
Related rules
- Winlogon Helper DLL
- Winlogon Notify Key Logon Persistence
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain