Detectionhightest

Recon Activity via SASec

Detects remote RPC calls to read information about scheduled tasks via SASec

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sagie Dulce, Dekel PazCreated Sat Jan 010a3ff354-93fc-4273-8a03-1078782de5b7application

Log Source

rpc_firewallapplication

Productrpc_firewall← raw: rpc_firewall

Categoryapplication← raw: application

Definition

Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"

Detection Logic

detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0007 · Discovery

Rule Metadata

Rule ID

0a3ff354-93fc-4273-8a03-1078782de5b7

Status

test

Level

high

Type

Detection

Created

Sat Jan 01

Author

Sagie Dulce, Dekel Paz

Path

rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml

Raw Tags

attack.discovery

View on GitHub