Suspicious Epmap Connection

Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)

Sigma rule

title: Suspicious Epmap Connection
id: 628d7a0b-7b84-4466-8552-e6138bc03b43
status: experimental
description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)
references:
    - https://github.com/RiccardoAncarani/TaskShell/
author: frack113, Tim Shelton (fps)
date: 2022/07/14
modified: 2023/09/01
tags:
    - attack.lateral_movement
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Protocol: tcp
        Initiated: 'true'
        DestinationPort: 135
        #DestinationPortName: epmap
    filter_image:
        Image|startswith:
            - C:\Windows\
            - C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater
    filter_image_null1:
        Image: null
    filter_image_null2:
        Image: ''
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
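As an added example (not part of the Sigma project or of this rule), the Python below applies the rule's `selection and not 1 of filter_*` logic to a few constructed network_connection events, so the effect of each filter can be checked. Field names follow Sysmon Event ID 3; every path in the sample events is a constructed value, not a real indicator.

```python
# Added example (not from the Sigma project): applies this rule's detection
# logic to constructed Windows network_connection events. Field names follow
# Sysmon Event ID 3; every path below is a constructed sample.

# filter_image: Image|startswith (Sigma string matching is case-insensitive)
FILTER_IMAGE_PREFIXES = (
    "C:\\Windows\\",
    "C:\\ProgramData\\Amazon\\SSM\\Update\\amazon-ssm-agent-updater",
)

def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection and not 1 of filter_*`."""
    # selection: outbound TCP to port 135 (the RPC endpoint mapper, "epmap").
    # DestinationPort may be int or str depending on the pipeline, so compare as text.
    selection = (
        str(event.get("Protocol", "")).lower() == "tcp"
        and str(event.get("Initiated", "")).lower() == "true"
        and str(event.get("DestinationPort", "")) == "135"
    )
    if not selection:
        return False
    image = event.get("Image")
    # filter_image_null1 / filter_image_null2: missing or empty Image
    if image is None or image == "":
        return False
    # filter_image: the rule's trusted path prefixes, matched case-insensitively
    lowered = image.lower()
    return not any(lowered.startswith(p.lower()) for p in FILTER_IMAGE_PREFIXES)

def alerting_images(events) -> list:
    """Image of every event that would raise this rule, in input order."""
    return [e.get("Image") for e in events if matches_rule(e)]

# Constructed sample events (fictional paths); only the first should alert.
SAMPLE_EVENTS = [
    {"Protocol": "tcp", "Initiated": "true", "DestinationPort": 135,
     "Image": r"C:\Users\alice\AppData\Local\Temp\rpc-tool.exe"},
    {"Protocol": "tcp", "Initiated": "true", "DestinationPort": "135",
     "Image": r"C:\WINDOWS\System32\svchost.exe"},      # filter_image
    {"Protocol": "tcp", "Initiated": "true", "DestinationPort": 135,
     "Image": None},                                    # filter_image_null1
    {"Protocol": "tcp", "Initiated": "true", "DestinationPort": 135,
     "Image": ""},                                      # filter_image_null2
    {"Protocol": "tcp", "Initiated": "false", "DestinationPort": 135,
     "Image": r"C:\Users\alice\tool.exe"},              # inbound: not selected
    {"Protocol": "tcp", "Initiated": "true", "DestinationPort": 445,
     "Image": r"C:\Users\alice\tool.exe"},              # SMB, not epmap
]
```

Note that the two null filters mean an event whose telemetry lacks the Image field is silently dropped, so a collector that strips that field would blind this rule.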
