Detects the use of smbexec.py tool by detecting a specific service installation

Read More

Detects a suspicious copy command to or from an Admin share or remote

Read More

Detects execution of Net.exe, whether suspicious or benign.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects automated lateral movement by Turla group

Read More

Detects when an admin share is mounted using net.exe

Read More

Detects when an internet hosted webdav share is mounted using the "net.exe" utility

Read More

Detects when a share is mounted using the "net.exe" utility

Read More

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More

Detects rundll32 execution where the DLL is located on a remote location (share)

Read More

Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.

Read More

Detects default CSExec pipe creation

Read More

Detects default RemCom pipe creation

Read More

Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Read More

Detects registry key creation matching default Impacket default naming convention. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects files written to an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects repeated failed (outgoing) attempts to mount a hidden share

Read More

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

Read More

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Read More

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Read More

Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Detects access to $ADMIN share

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Read More

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More

Detects execution of Impacket's psexec.py.

Read More

Detects remote service activity via remote access to the svcctl named pipe

Read More

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Read More

Alerts on Metasploit host's authentications on the domain.

Read More

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More