Capture Credentials with Rpcping.exe
Detects the use of Rpcping.exe to send an RPC test connection to the target server (-s) in a way that forces the NTLM hash to be sent in the process.
Sigma rule
title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twitter.com/vysecurity/status/873181705024266241
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
author: Julia Fomina, oscd.community
date: 2020/10/09
modified: 2024/03/13
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    use_rpcping:
        Image|endswith: '\rpcping.exe'
    remote_server:
        CommandLine|contains|windash: '-s'
    ntlm_auth:
        - CommandLine|contains|all|windash:
              - '-u'
              - 'NTLM'
        - CommandLine|contains|all|windash:
              - '-t'
              - 'ncacn_np'
    condition: use_rpcping and remote_server and ntlm_auth
falsepositives:
    - Unlikely
level: medium
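The following is an added Python example, not part of the rule or of any Sigma tooling: it applies the rule's three selections (the rpcping.exe image check, the `-s` target flag, and either `-u NTLM` or `-t ncacn_np`) to a few constructed process-creation events, emulating the `windash` modifier so that `/s` and `/t` are caught as well as `-s` and `-t`. It assumes Sigma's case-insensitive string matching and the dash variants listed in the code.

```python
# Added example: a minimal evaluator for this rule's detection logic.
# Assumptions: Sigma string matching is case-insensitive, and the windash
# modifier expands a leading '-' into the dash variants listed below.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def contains_windash(command_line, value):
    """CommandLine|contains|windash: substring match with any dash variant."""
    haystack = command_line.lower()
    if value.startswith("-"):
        candidates = [d + value[1:] for d in WINDASH_VARIANTS]
    else:
        candidates = [value]
    return any(c.lower() in haystack for c in candidates)


def contains_all_windash(command_line, values):
    """CommandLine|contains|all|windash: every listed value must be present."""
    return all(contains_windash(command_line, v) for v in values)


def matches_rpcping_rule(event):
    """condition: use_rpcping and remote_server and ntlm_auth"""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    use_rpcping = image.endswith("\\rpcping.exe")
    remote_server = contains_windash(cmd, "-s")
    ntlm_auth = (contains_all_windash(cmd, ["-u", "NTLM"])
                 or contains_all_windash(cmd, ["-t", "ncacn_np"]))
    return use_rpcping and remote_server and ntlm_auth


# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping -s 10.0.0.5 -e 135 -a privacy -u NTLM"},  # hit
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping /s fileserver01 /t ncacn_np"},            # hit (windash)
    {"Image": r"C:\Windows\System32\rpcping.exe",
     "CommandLine": "rpcping -s fileserver01 -e 135"},                  # no auth flags
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad -s -u NTLM notes.txt"},                    # wrong image
]


def detect(events):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rpcping_rule(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that `contains '-s'` is a substring test, so it also fires on longer flags beginning with `-s`; the rule tolerates that because the image and auth-flag selections narrow the match.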
Related rules
- OpenCanary - MSSQL Login Attempt Via SQLAuth
- OpenCanary - MSSQL Login Attempt Via Windows Authentication
- OpenCanary - MySQL Login Attempt
- OpenCanary - REDIS Action Command Attempt
- HackTool - Rubeus Execution - ScriptBlock