Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

SMB over QUIC Via Net.EXE

Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Fri Jul 212238d337-42fb-4971-9a68-63570f2aede4windows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: '/TRANSPORT:QUIC'
    condition: all of selection_*
False Positives

Administrative activity

References
1
Resolving title…
github.com
2
Resolving title…
trustedsec.com
MITRE ATT&CK

Other

detection.threat-hunting
Related Rules
SimilarThreat Huntmedium

SMB over QUIC Via PowerShell Script

Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
2238d337-42fb-4971-9a68-63570f2aede4
Status
test
Level
medium
Type
Threat Hunt
Created
Fri Jul 21
Author
François Hubaut
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml
Raw Tags
attack.lateral-movementattack.t1570detection.threat-hunting
View on GitHub