MITRE BZAR Indicators for Persistence
Windows DCE-RPC functions which indicate persistence techniques on the remote system, as seen in Zeek's dce_rpc log. All credit for the Zeek mapping of the suspicious endpoint/operation fields goes to MITRE.
Sigma rule

```yaml
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
status: test
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'spoolss'
        operation: 'RpcAddMonitor'
    op2:
        endpoint: 'spoolss'
        operation: 'RpcAddPrintProcessor'
    op3:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddMonitor'
    op4:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddPrintProcessor'
    op5:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonW'
    op6:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonExW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium
```
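The rule above is a plain lookup: a Zeek dce_rpc record fires when its endpoint/operation pair equals any one of the six listed pairs (`condition: 1 of op*`). The following is an added example, not part of the Sigma rule or of the BZAR project, that applies the same logic to newline-delimited JSON records in the shape of Zeek's dce_rpc.log. The log lines are constructed for illustration (hosts, UIDs and timestamps are made up), and the matching is case-insensitive because Sigma compares string values case-insensitively by default.

```python
import json
from typing import Dict, List, Set, Tuple

# The six selections from the Sigma rule, as (endpoint, operation) pairs.
# Stored lower-cased because Sigma string matching is case-insensitive.
BZAR_PERSISTENCE_OPS: Set[Tuple[str, str]] = {
    (e.lower(), o.lower())
    for e, o in [
        ("spoolss", "RpcAddMonitor"),
        ("spoolss", "RpcAddPrintProcessor"),
        ("IRemoteWinspool", "RpcAsyncAddMonitor"),
        ("IRemoteWinspool", "RpcAsyncAddPrintProcessor"),
        ("ISecLogon", "SeclCreateProcessWithLogonW"),
        ("ISecLogon", "SeclCreateProcessWithLogonExW"),
    ]
}

# Constructed sample records in Zeek dce_rpc.log JSON form (not real traffic).
# Field names follow Zeek's dce_rpc schema; every value here is made up.
SAMPLE_DCE_RPC_LOG = r"""
{"ts":1584576000.1,"uid":"CAbc01","id.orig_h":"10.0.0.5","id.orig_p":49712,"id.resp_h":"10.0.0.20","id.resp_p":445,"named_pipe":"\\pipe\\spoolss","endpoint":"spoolss","operation":"RpcAddMonitor"}
{"ts":1584576001.2,"uid":"CAbc02","id.orig_h":"10.0.0.7","id.orig_p":49801,"id.resp_h":"10.0.0.20","id.resp_p":445,"named_pipe":"\\pipe\\spoolss","endpoint":"spoolss","operation":"RpcEnumPrinters"}
{"ts":1584576002.3,"uid":"CAbc03","id.orig_h":"10.0.0.5","id.orig_p":49713,"id.resp_h":"10.0.0.20","id.resp_p":445,"named_pipe":"\\pipe\\spoolss","endpoint":"IRemoteWinspool","operation":"RpcAsyncAddPrintProcessor"}
{"ts":1584576003.4,"uid":"CAbc04","id.orig_h":"10.0.0.9","id.orig_p":50110,"id.resp_h":"10.0.0.21","id.resp_p":49667,"named_pipe":"-","endpoint":"ISecLogon","operation":"SeclCreateProcessWithLogonW"}
{"ts":1584576004.5,"uid":"CAbc05","id.orig_h":"10.0.0.7","id.orig_p":49802,"id.resp_h":"10.0.0.20","id.resp_p":445,"named_pipe":"\\pipe\\samr","endpoint":"samr","operation":"SamrEnumerateDomainsInSamServer"}
"""


def matches_rule(record: Dict) -> bool:
    """Sigma 'condition: 1 of op*': true when the record's (endpoint, operation)
    equals any listed pair, compared case-insensitively."""
    endpoint = str(record.get("endpoint", "")).lower()
    operation = str(record.get("operation", "")).lower()
    return (endpoint, operation) in BZAR_PERSISTENCE_OPS


def scan_log(log_text: str) -> List[Dict]:
    """Parse newline-delimited JSON dce_rpc records and return the ones that
    trigger the rule, in log order. Malformed lines are skipped, not fatal."""
    hits: List[Dict] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole scan
        if matches_rule(record):
            hits.append(record)
    return hits


def summarize_by_source(hits: List[Dict]) -> Dict[str, List[str]]:
    """Group hits by originating host so an analyst sees which client issued
    which persistence-related RPC calls (useful for triaging the rule's known
    false positives, e.g. a print-management host touching every spooler)."""
    summary: Dict[str, List[str]] = {}
    for rec in hits:
        src = rec.get("id.orig_h", "?")
        summary.setdefault(src, []).append(f'{rec["endpoint"]}/{rec["operation"]}')
    return summary


if __name__ == "__main__":
    found = scan_log(SAMPLE_DCE_RPC_LOG)
    for src, ops in summarize_by_source(found).items():
        print(f"{src}: {', '.join(ops)}")
```

Run stand-alone, the script reports three of the five constructed records (the two print-spooler additions from 10.0.0.5 and the ISecLogon call from 10.0.0.9) and ignores the benign `RpcEnumPrinters` and `samr` enumeration lines, which is exactly the separation the rule's selections draw.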
References
- https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
Related rules
- Winlogon Helper DLL
- Winlogon Notify Key Logon Persistence
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain