attack.t1021

OpenCanary - FTP Login Attempt

Feb 3, 2025 · attack.initial-access attack.exfiltration attack.t1190 attack.t1021 ·

Share on:

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

OpenCanary - SMB File Open Request

Feb 3, 2025 · attack.lateral-movement attack.collection attack.t1021 attack.t1005 ·

Share on:

Detects instances where an SMB service on an OpenCanary node has had a file open request.

OpenCanary - SNMP OID Request

Feb 3, 2025 · attack.discovery attack.lateral-movement attack.t1016 attack.t1021 ·

Share on:

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

OpenCanary - SSH Login Attempt

Feb 3, 2025 · attack.initial-access attack.lateral-movement attack.persistence attack.t1133 attack.t1021 attack.t1078 ·

Share on:

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

OpenCanary - SSH New Connection Attempt

Feb 3, 2025 · attack.initial-access attack.lateral-movement attack.persistence attack.t1133 attack.t1021 attack.t1078 ·

Share on:

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

OpenCanary - VNC Connection Attempt

Feb 3, 2025 · attack.lateral-movement attack.t1021 ·

Share on:

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

Potential Remote Desktop Tunneling

Aug 12, 2024 · attack.lateral-movement attack.t1021 ·

Share on:

Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

Privilege Escalation via Named Pipe Impersonation

Aug 12, 2024 · attack.lateral-movement attack.t1021 ·

Share on:

Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.

Psexec Execution

Aug 12, 2024 · attack.execution attack.t1569 attack.t1021 ·

Share on:

Detects user accept agreement execution in psexec commandline

SMBexec.py Execution

Mar 26, 2024 · attack.s0357 attack.execution attack.t1569 attack.t1569.002 attack.lateral_movement attack.t1021 attack.t1021.003 ·

Share on:

Similar to the wmiexec.py detector logic, this detection analytic is looking for services.exe spawning cmd.exe with a command line that has the following strings: '/Q', '/c', 'echo',' > ', ' 2>&1'. These strings are unique to the execution of smbexec.py, which allows a semi-interactive shell used through SMB. This script functions similar to psexec.py, but does not write a service binary to disk on the target machine. Part of the RedCanary 2024 Threat Detection Report.

Wmiexec.py Execution

Mar 26, 2024 · attack.s0357 attack.execution attack.t1047 attack.lateral_movement attack.t1021 attack.t1021.003 ·

Share on:

This detection analytic looks for wmiprvse.exe spawn cmd.exe with the following command line, cmd.exe /Q /c ', ' 1 \\', ' 2 &1. These strings are specific to the execution of wmiexe.py, which allows a semi-interactive shell used via WMI. Part of the RedCanary 2024 Threat Detection Report.

Possible Impacket DCOMExec Connection Attempt - Zeek

Sep 1, 2023 · attack.s0357 attack.execution attack.lateral_movement attack.t1021 attack.t1021.003 ·

Share on:

Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.

Executable Deployment from Remote Share

Nov 29, 2022 · attack.lateral_movement attack.command_and_control attack.t1105 attack.t1021 ·

Share on:

Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.