MITRE BZAR Indicators for Persistence

Oct 25, 2022 · attack.persistence attack.t1547.004 ·

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Sigma rule (View on GitHub)

 1title: MITRE BZAR Indicators for Persistence
 2id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
 3status: test
 4description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
 5references:
 6    - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
 7author: '@neu5ron, SOC Prime'
 8date: 2020/03/19
 9modified: 2021/11/27
10tags:
11    - attack.persistence
12    - attack.t1547.004
13logsource:
14    product: zeek
15    service: dce_rpc
16detection:
17    op1:
18        endpoint: 'spoolss'
19        operation: 'RpcAddMonitor'
20    op2:
21        endpoint: 'spoolss'
22        operation: 'RpcAddPrintProcessor'
23    op3:
24        endpoint: 'IRemoteWinspool'
25        operation: 'RpcAsyncAddMonitor'
26    op4:
27        endpoint: 'IRemoteWinspool'
28        operation: 'RpcAsyncAddPrintProcessor'
29    op5:
30        endpoint: 'ISecLogon'
31        operation: 'SeclCreateProcessWithLogonW'
32    op6:
33        endpoint: 'ISecLogon'
34        operation: 'SeclCreateProcessWithLogonExW'
35    condition: 1 of op*
36falsepositives:
37    - Windows administrator tasks or troubleshooting
38    - Windows management scripts or software
39level: medium

References

GitHub - mitre-attack/bzar: A set of Zeek scripts to detect ATT&CK techniques.

A set of Zeek scripts to detect ATT&CK techniques. - mitre-attack/bzar

Read More

MITRE BZAR Indicators for Persistence

Sigma rule (View on GitHub)

References

GitHub - mitre-attack/bzar: A set of Zeek scripts to detect ATT&CK techniques.

Related rules