Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

Rundll32 Execution Without Parameters
Mar 16, 2023 · attack.lateral_movement attack.t1021.002 attack.t1570 attack.execution attack.t1569.002
Detects rundll32 execution without parameters, as observed when running the Metasploit windows/smb/psexec exploit module

This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Detects access to the protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

CobaltStrike Service Installations in Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement. The same activity can also be caught via the System log Event ID 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs you can also catch these events under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; however, this rule is based on regular Sysmon registry events.

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes, or if the attacker uses a PsExec client other than the Sysinternals one.

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the Print Spooler service enabled.

Metasploit Or Impacket Service Installation Via SMB PsExec
Oct 25, 2022 · attack.lateral_movement attack.t1021.002 attack.t1570 attack.execution attack.t1569.002
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on their specific service installation
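The three CobaltStrike service-installation entries, the renamed PsExec/PAExec entry and this Metasploit/Impacket entry all key on the same telemetry: a service installation record (System log Event ID 7045, or the matching Sysmon registry write) with a ServiceName and an ImagePath. The Python below is an added example written for this page, not code from SigmaHQ or from any of the tools named; it runs a handful of constructed 7045 records through the kinds of checks those rules make. The service-name lengths and binary-path shapes it attributes to Impacket, Metasploit and Cobalt Strike are assumptions that approximate how those tools' PsExec-style modules stage a service binary, and the function and tag names are mine; check the cited Sigma rules for the patterns they actually use before deploying anything like this.

```python
import re

# Constructed System-log Event ID 7045 (service installation) records.
# Values are made up for this example; only ServiceName and ImagePath matter here.
SAMPLE_7045 = [
    {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"ServiceName": "winmgmt2", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"ServiceName": "PAExec-4812-WS01", "ImagePath": "C:\\Windows\\PAExec-4812-WS01.exe"},
    {"ServiceName": "xKqw", "ImagePath": "%systemroot%\\jBcQwLrm.exe"},
    {"ServiceName": "zbZHMblQqbUlCSir", "ImagePath": "\\\\127.0.0.1\\ADMIN$\\ThbkyNcp.exe"},
    {"ServiceName": "8fa3c12", "ImagePath": "\\\\WS02\\ADMIN$\\8fa3c12.exe"},
    {"ServiceName": "c0d2e4f",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgAIAAo"},
    {"ServiceName": "MyAgent", "ImagePath": "C:\\Windows\\agentsvc.exe"},
    {"ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
]

KNOWN = "known-psexec-paexec-service"

# Sysinternals PsExec installs a service called PSEXESVC; PAExec names its service
# PAExec-<pid>-<hostname>. Any other service name carrying those binaries is "renamed".
PAEXEC_DEFAULT_RE = re.compile(r"^PAExec-\d+-[^\\]+$")

# ASSUMED shapes (not copied from a vendor rule): a short all-letter service name
# backed by a random 8-letter .exe in the Windows root or the ADMIN$ share.
IMPACKET_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
METASPLOIT_NAME_RE = re.compile(r"^[A-Za-z]{16}$")
RANDOM_BIN_RE = re.compile(r"(?i)^(?:%systemroot%|\\\\[^\\]+\\ADMIN\$)\\[A-Za-z]{8}\.exe$")
# ASSUMED Cobalt Strike shapes: a 7-char alphanumeric .exe pushed to ADMIN$, or the
# %COMSPEC% ... powershell -encodedcommand one-liner used by its PsExec variants.
CS_BIN_RE = re.compile(r"(?i)^\\\\[^\\]+\\ADMIN\$\\[A-Za-z0-9]{7}\.exe$")
CS_PS_RE = re.compile(r"(?i)^%COMSPEC% /b /c start /b /min powershell .*-enc")
# Generic fallback: a service binary dropped straight into C:\Windows (what ADMIN$ maps to).
WINROOT_RE = re.compile(r"(?i)^(?:%systemroot%|c:\\windows|\\\\[^\\]+\\ADMIN\$)\\[^\\]+\.exe$")


def classify_service_install(ev):
    """Return a list of tags for one 7045 record (empty list = nothing of interest)."""
    name = ev["ServiceName"]
    path = ev["ImagePath"]
    if name.upper() == "PSEXESVC" or PAEXEC_DEFAULT_RE.match(name):
        return [KNOWN]  # the unrenamed tools; filter these separately if they are sanctioned
    tags = []
    binary = path.rsplit("\\", 1)[-1].strip('"').lower()
    if "psexesvc" in binary or binary.startswith("paexec"):
        # PsExec -r renames both the service and the binary, so this only catches the case
        # where the binary still gives the tool away; WINROOT_RE is the net for the rest.
        tags.append("renamed-psexec-paexec")
    if IMPACKET_NAME_RE.match(name) and RANDOM_BIN_RE.match(path):
        tags.append("impacket-psexec")
    if METASPLOIT_NAME_RE.match(name) and RANDOM_BIN_RE.match(path):
        tags.append("metasploit-psexec")
    if CS_BIN_RE.match(path) or CS_PS_RE.match(path):
        tags.append("cobaltstrike-psexec")
    if not tags and WINROOT_RE.match(path):
        tags.append("service-binary-in-windows-root")
    return tags


def is_suspicious(tags):
    return any(t != KNOWN for t in tags)


def scan(events):
    """Map ServiceName -> tags for every record that produced at least one tag."""
    return {ev["ServiceName"]: t for ev in events if (t := classify_service_install(ev))}


if __name__ == "__main__":
    for svc, tags in scan(SAMPLE_7045).items():
        print(("ALERT " if is_suspicious(tags) else "info  ") + svc, tags)
```

The default PsExec/PAExec names are tagged but not treated as suspicious, which is the noise filter the renamed-service entry describes; everything else that lands a service binary directly in the Windows root gets at least the generic tag, so a tool that renames both service and binary still surfaces, just with less attribution.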

Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$).
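Most of the entries on this page that say "over the network" resolve to the same telemetry: Security Event ID 5145 (detailed file share access), which records the share, the relative path or pipe name, and the access mask of each SMB request. The Python below is an added example for this page, not code from SigmaHQ; it runs constructed 5145 records through the checks described in those entries: writes by non-system accounts through administrative shares, writes to the two hijack targets named here (wbemcomn.dll under System32\wbem and iertutil.dll under Program Files\Internet Explorer), access to the spoolss and protected_storage pipes over IPC$, and pipes not in a baseline of known remotely-accessed pipes. The baseline set, the account-exclusion list and the function names are assumptions of mine.

```python
import re

# Constructed Security Event ID 5145 (detailed file share access) records.
# Field names follow the Windows event; the values are made up for this example.
SAMPLE_5145 = [
    # Domain user writing iertutil.dll into the Internet Explorer folder over C$
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.23",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Program Files\\Internet Explorer\\iertutil.dll",
     "AccessMask": "0x2"},
    # Same user dropping wbemcomn.dll via ADMIN$ (ADMIN$ is C:\Windows, so the path is relative to it)
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.23",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "System32\\wbem\\wbemcomn.dll",
     "AccessMask": "0x2"},
    # Read-only access over C$: no write bit, nothing to report
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.23",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Scripts\\logon.ps1", "AccessMask": "0x1"},
    # Machine account writing a log via ADMIN$ (management agents do this): excluded as a system account
    {"SubjectUserName": "WS01$", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.50",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\ccmsetup.log", "AccessMask": "0x2"},
    # spoolss pipe over IPC$: can be used to coerce NTLM authentication from the spooler
    {"SubjectUserName": "svc_scan", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.40",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss", "AccessMask": "0x12019f"},
    # protected_storage pipe over IPC$: the DPAPI backup-key retrieval path
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "protected_storage", "AccessMask": "0x12019f"},
    # srvsvc is in the baseline of pipes that are normally reached remotely
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f"},
    # A pipe name not in the baseline
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.0.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "msagent_a7", "AccessMask": "0x12019f"},
]

FILE_WRITE_DATA = 0x2  # the "write (0x2)" bit in AccessMask
ADMIN_SHARE_RE = re.compile(r"(?i)^\\\\\*\\(?:[a-z]\$|admin\$)$")
IPC_SHARE_RE = re.compile(r"(?i)^\\\\\*\\ipc\$$")

# Hijack targets named on this page. The prefix is left open because the same file
# shows up as Windows\System32\... via C$ and as System32\... via ADMIN$.
HIJACK_TARGETS = [
    (re.compile(r"(?i)(?:^|\\)system32\\wbem\\wbemcomn\.dll$"), "WMI DLL hijack (wbemcomn.dll)"),
    (re.compile(r"(?i)(?:^|\\)program files\\internet explorer\\iertutil\.dll$"),
     "DCOM InternetExplorer DLL hijack (iertutil.dll)"),
]
SENSITIVE_PIPES = {"spoolss", "protected_storage"}
# ASSUMED baseline of pipes legitimately reached over the network in this environment;
# build the real one from your own 5145 history.
BASELINE_PIPES = {"srvsvc", "wkssvc", "lsarpc", "samr", "netlogon"}
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}


def is_system_account(user):
    # Machine accounts end in "$"; the rest are the usual built-in identities.
    return user.endswith("$") or user.upper() in SYSTEM_ACCOUNTS


def analyze_5145(events, baseline_pipes=BASELINE_PIPES):
    """Return (rule, actor, detail) alerts; the pipe baseline grows as new pipes are seen."""
    alerts = []
    seen_pipes = set(baseline_pipes)
    for ev in events:
        user = ev["SubjectUserName"]
        actor = f"{ev['SubjectDomainName']}\\{user}@{ev['IpAddress']}"
        share, target = ev["ShareName"], ev["RelativeTargetName"]
        mask = int(ev["AccessMask"], 16)
        if ADMIN_SHARE_RE.match(share) and mask & FILE_WRITE_DATA:
            if not is_system_account(user):
                alerts.append(("admin-share-write", actor, target))
            for pattern, label in HIJACK_TARGETS:  # staging a hijack DLL is bad from any account
                if pattern.search(target):
                    alerts.append(("dll-hijack-staging", actor, label))
        elif IPC_SHARE_RE.match(share):
            pipe = target.lower()
            if pipe in SENSITIVE_PIPES:
                alerts.append(("sensitive-pipe", actor, pipe))
            elif pipe not in seen_pipes:
                seen_pipes.add(pipe)
                alerts.append(("new-remote-pipe", actor, pipe))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in analyze_5145(SAMPLE_5145):
        print(f"{rule:20} {actor:28} {detail}")
```

Two design points carry over from the entries above: the hijack-target check is applied regardless of who the writer is, because a machine account staging wbemcomn.dll is no less a hijack, while the plain admin-share write check does exclude system accounts so that management agents do not flood it; and the "new pipe" check is stateful, so in a real deployment the seen set must persist across runs or it will re-alert on every restart.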