Writing Local Admin Share
Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Sigma rule (View on GitHub)
1title: Writing Local Admin Share
2id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
3status: test
4description: |
5 Aversaries may use to interact with a remote network share using Server Message Block (SMB).
6 This technique is used by post-exploitation frameworks.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
9author: frack113
10date: 2022/01/01
11modified: 2022/08/13
12tags:
13 - attack.lateral_movement
14 - attack.t1546.002
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection:
20 TargetFilename|contains|all:
21 - '\\\\127.0.0'
22 - '\ADMIN$\'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
Related rules
- Audit CVE Event
- Metasploit Or Impacket Service Installation Via SMB PsExec
- NTLM Logon
- OpenSSH Server Listening On Socket
- Outgoing Logon with New Credentials