Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Sigma rule (View on GitHub)
1title: Suspicious Redirection to Local Admin Share
2id: ab9e3b40-0c85-4ba1-aede-455d226fd124
3status: test
4description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
5references:
6 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
7 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
8author: Florian Roth (Nextron Systems)
9date: 2022/01/16
10modified: 2023/12/28
11tags:
12 - attack.exfiltration
13 - attack.t1048
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_redirect:
19 CommandLine|contains: '>'
20 selection_share:
21 CommandLine|contains:
22 - '\\\\127.0.0.1\\admin$\\'
23 - '\\\\localhost\\admin$\\'
24 condition: all of selection_*
25falsepositives:
26 - Unknown
27level: high
References
-
Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.
Read More
Related rules
- Copy From Or To Admin Share Or Sysvol Folder
- Powershell DNSExfiltration
- Large domain name request
- Tap Driver Installation
- DNS TOR Proxies