attack.lateral_movement | Detection.FYI

Abuse of the Windows Server Update Services (WSUS) for lateral movement.

Aug 10, 2024 · attack.execution attack.lateral_movement attack.T1210 ·
Share on:

Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS.This rule covers those two main tools used for that purpose.

Read More
Enabling RDP service via reg.exe command execution

Aug 10, 2024 · attack.defense_evasion attack.lateral_movement attack.t1021.001 attack.t1112 ·
Share on:

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More
Execution of ZeroLogon PoC executable

Aug 10, 2024 · attack.execution attack.lateral_movement attack.T1210 ·
Share on:

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More
SMBexec.py Execution

Mar 26, 2024 · attack.s0357 attack.execution attack.t1569 attack.t1569.002 attack.lateral_movement attack.t1021 attack.t1021.003 ·
Share on:

Similar to the wmiexec.py detector logic, this detection analytic is looking for services.exe spawning cmd.exe with a command line that has the following strings: '/Q', '/c', 'echo',' > ', ' 2>&1'. These strings are unique to the execution of smbexec.py, which allows a semi-interactive shell used through SMB. This script functions similar to psexec.py, but does not write a service binary to disk on the target machine. Part of the RedCanary 2024 Threat Detection Report.

Read More
Wmiexec.py Execution

Mar 26, 2024 · attack.s0357 attack.execution attack.t1047 attack.lateral_movement attack.t1021 attack.t1021.003 ·
Share on:

This detection analytic looks for wmiprvse.exe spawn cmd.exe with the following command line, cmd.exe /Q /c ', ' 1 \\', ' 2 &1. These strings are specific to the execution of wmiexe.py, which allows a semi-interactive shell used via WMI. Part of the RedCanary 2024 Threat Detection Report.

Read More
Execution of ZeroLogon PoC executable

Feb 23, 2024 · attack.execution attack.lateral_movement attack.t1210 ·
Share on:

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More
Potential Qbot SMB DLL Lateral Movement

Feb 23, 2024 · attack.lateral_movement attack.t1570 ·
Share on:

Detection of potential us of SMB to transfer DLL's into the C$ folder of hosts unique to Qbot malware for purposes of lateral movement.

Read More
Enabling RDP service via reg.exe command execution

Feb 22, 2024 · attack.defense_evasion attack.lateral_movement attack.t1021.001 attack.t1112 ·
Share on:

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More
Possible Impacket DCOMExec Connection Attempt - Zeek

Sep 1, 2023 · attack.s0357 attack.execution attack.lateral_movement attack.t1021 attack.t1021.003 ·
Share on:

Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.

Read More
Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)

May 10, 2023 · attack.lateral_movement attack.t1021.002 ·
Share on:

Detects registry key creation matching default Impacket default naming convention. Part of the RedCanary 2023 Threat Detection Report.

Read More
File Writes Within Admin Shares (RedCanary Threat Detection Report)

May 10, 2023 · attack.lateral_movement attack.t1021.002 ·
Share on:

Detects files written to an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More
Process Execution from Admin Share (RedCanary Threat Detection Report)

May 10, 2023 · attack.lateral_movement attack.t1021.002 ·
Share on:

Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More
Failed Mounting of Hidden Share

Apr 21, 2023 · attack.t1021.002 attack.lateral_movement ·
Share on:

Detects repeated failed (outgoing) attempts to mount a hidden share

Read More
Metasploit Or Impacket Service Installation Via SMB PsExec

Apr 21, 2023 · attack.lateral_movement attack.t1021.002 attack.t1570 attack.execution attack.t1569.002 ·
Share on:

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More
Remote Service Creation

Apr 21, 2023 · attack.lateral_movement attack.persistence attack.execution attack.t1543.003 ·
Share on:

Detects remote execution via service creation on the destination host

Read More
Suspicious Exe File Event With System Image

Apr 16, 2023 · attack.lateral_movement attack.t1105 ·
Share on:

Detects potential SMB file creation activity associated with Impacket smbclient.py.

Read More
Potential SMB DLL Lateral Movement

Jan 8, 2023 · attack.lateral_movement attack.t1570 ·
Share on:

Detection of potential us of SMB to transfer DLL's into the ProgramData folder of hosts for purposes of lateral movement.

Read More
AnyDesk Network

Jan 8, 2023 · attack.lateral_movement attack.t1133 attack.command_and_control attack.t1219 ·
Share on:

Detects use of AnyDesk

Read More
SplashTop Network

Jan 8, 2023 · attack.lateral_movement attack.t1133 attack.command_and_control attack.t1219 ·
Share on:

Detects use of SplashTop

Read More
SplashTop Process

Jan 8, 2023 · attack.lateral_movement attack.t1133 attack.command_and_control attack.t1219 ·
Share on:

Detects use of SplashTop

Read More
Executable Deployment from Remote Share

Nov 29, 2022 · attack.lateral_movement attack.command_and_control attack.t1105 attack.t1021 ·
Share on:

Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.

Read More