Failed Mounting of Hidden Share
Detects repeated failed (outgoing) attempts to mount a hidden share
Sigma rule
title: Failed Mounting of Hidden Share
id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
status: unsupported
description: Detects repeated failed (outgoing) attempts to mount a hidden share
references:
    - https://twitter.com/moti_b/status/1032645458634653697
    - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
author: Fabian Franz
date: 2022/08/30
modified: 2023/02/24
tags:
    - attack.t1021.002
    - attack.lateral_movement
logsource:
    product: windows
    service: smbclient-security
detection:
    selection:
        EventID: 31010
        ShareName|endswith: '$'
    timeframe: 1m
    condition: selection | count() > 10
fields:
    - ShareName
falsepositives:
    - Legitimate administrative activity
    - Faulty scripts
level: medium
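The rule's selection and its `count() > 10` within `timeframe: 1m` condition, evaluated over sample events. This is an added example, not part of the Sigma rule or the SigmaHQ project. The `Computer` and `TimeCreated` field names, the per-host grouping, the sliding window and all sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_ID = 31010                 # selection: EventID
THRESHOLD = 10                   # condition: count() > 10
WINDOW = timedelta(minutes=1)    # timeframe: 1m


def matches(event):
    """Rule selection: EventID 31010 and a ShareName ending in '$'."""
    return (event.get("EventID") == EVENT_ID
            and str(event.get("ShareName", "")).endswith("$"))


def detect(events):
    """Alert once per host when more than THRESHOLD matches fall inside WINDOW.

    Assumptions of this example: events are grouped by 'Computer' (the rule
    has no 'by' clause) and the window slides rather than using fixed buckets.
    """
    recent = defaultdict(deque)  # host -> timestamps of matches still in the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not matches(ev):
            continue
        host, ts = ev["Computer"], ev["TimeCreated"]
        window = recent[host]
        window.append(ts)
        while ts - window[0] >= WINDOW:   # expire matches older than one minute
            window.popleft()
        if len(window) > THRESHOLD and host not in alerts:
            alerts[host] = {"Computer": host, "count": len(window),
                            "first": window[0], "last": ts}
    return list(alerts.values())


def sample_events():
    """Constructed sample events (hypothetical hosts and shares)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    def ev(host, offset, share):
        return {"EventID": 31010, "Computer": host, "ShareName": share,
                "TimeCreated": t0 + timedelta(seconds=offset)}
    burst = [ev("WS01", 4 * i, r"\\srv%02d\ADMIN$" % i) for i in range(12)]
    slow = [ev("WS02", 65 * i, r"\\fs01\C$") for i in range(12)]
    visible = [ev("WS03", 2 * i, r"\\fs01\public") for i in range(12)]
    return burst + slow + visible


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The rule's listed false positives (legitimate administrative activity, faulty scripts) produce the same burst pattern, so the `ShareName` values behind an alert are the first thing to review.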
Related rules
- Metasploit Or Impacket Service Installation Via SMB PsExec
- Remote Service Creation
- Suspicious Exe File Event With System Image
- Potential SMB DLL Lateral Movement
- AnyDesk Network