Writing Local Admin Share
Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Sigma rule (View on GitHub)
1title: Writing Local Admin Share
2id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
3status: test
4description: |
5 Aversaries may use to interact with a remote network share using Server Message Block (SMB).
6 This technique is used by post-exploitation frameworks.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
9author: frack113
10date: 2022-01-01
11modified: 2022-08-13
12tags:
13 - attack.lateral-movement
14 - attack.t1546.002
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection:
20 TargetFilename|contains|all:
21 - '\\\\127.0.0'
22 - '\ADMIN$\'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- APT31 Judgement Panda Activity
- AWS Console GetSigninToken Potential Abuse
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity