Detectionhightest

Remote Server Service Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sagie Dulce, Dekel PazCreated Sat Jan 0110018e73-06ec-46ec-8107-9172f1e04ff2application

Log Source

rpc_firewallapplication

Productrpc_firewall← raw: rpc_firewall

Categoryapplication← raw: application

Definition

Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003

Detection Logic

detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
    condition: selection

False Positives

Administrative tasks on remote services

References

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement TA0002 · Execution

Sub-techniques

T1569.002 · Service Execution

Rule Metadata

Rule ID

10018e73-06ec-46ec-8107-9172f1e04ff2

Status

test

Level

high

Type

Detection

Created

Sat Jan 01

Author

Sagie Dulce, Dekel Paz

Path

rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml

Raw Tags

attack.lateral-movementattack.executionattack.t1569.002

View on GitHub