Suspicious New-PSDrive to Admin Share

Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Sigma rule (View on GitHub)

 1title: Suspicious New-PSDrive to Admin Share
 2id: 1c563233-030e-4a07-af8c-ee0490a66d3a
 3status: test
 4description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
 7    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
 8author: frack113
 9date: 2022/08/13
10tags:
11    - attack.lateral_movement
12    - attack.t1021.002
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection:
19        ScriptBlockText|contains|all:
20            - 'New-PSDrive'
21            - '-psprovider '
22            - 'filesystem'
23            - '-root '
24            - '\\\\'
25            - '$'
26    condition: selection
27falsepositives:
28    - Unknown
29level: medium

References

Related rules

to-top