Writing Local Admin Share
Type: Detection | Level: medium | Status: test
Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic (1 selector)
detection:
    selection:
        TargetFilename|contains|all:
            - '\\\\127.0.0'
            - '\ADMIN$\'
    condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
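To make the selection above concrete, here is an added example (not code from the Sigma project or this rule's author) that evaluates the `TargetFilename|contains|all` selector the way a minimal backend would, and runs it over constructed Sysmon-style file-create records. It assumes Sigma's default case-insensitive string matching and its convention that a doubled backslash in a value denotes one literal backslash, so the rule's `\\\\127.0.0` stands for the UNC prefix `\\127.0.0`; the sample events and the helper names are constructed for illustration.

```python
# Added example: evaluate the rule's selection against file-event records.
# Not the Sigma project's own code; field names follow Sysmon Event ID 11.

# Values exactly as they appear in the rule's YAML (single-quoted, so the
# backslashes are literal). Python needs each backslash doubled in source.
RULE_VALUES = ['\\\\\\\\127.0.0', '\\ADMIN$\\']   # i.e. \\\\127.0.0 and \ADMIN$\


def sigma_unescape(value: str) -> str:
    """Collapse Sigma's doubled backslashes into single literal backslashes.

    Assumption: the rule contains no wildcards, so every '\\\\' pair is a
    plain escaped backslash and no wildcard-escape handling is needed.
    """
    return value.replace("\\\\", "\\")


# Needles the 'contains|all' modifier must find; lower-cased because Sigma
# string matching is case-insensitive unless a rule says otherwise.
NEEDLES = [sigma_unescape(v).lower() for v in RULE_VALUES]


def contains_all(field_value: str, needles) -> bool:
    """Sigma 'contains|all': every listed value must occur in the field."""
    hay = field_value.lower()
    return all(n in hay for n in needles)


def matches_rule(event: dict) -> bool:
    """True when the event's TargetFilename satisfies the rule's selection."""
    target = event.get("TargetFilename")
    return isinstance(target, str) and contains_all(target, NEEDLES)


def find_matches(events) -> list:
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # loopback UNC path into ADMIN$ -> fires
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "\\\\127.0.0.1\\ADMIN$\\__output.tmp"},
    # ordinary local write -> no match
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Windows\\Temp\\report.docx"},
    # ADMIN$ on a remote host, not the loopback address -> no match
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "\\\\fileserver\\ADMIN$\\patch.msi"},
    # loopback address but the C$ share, not ADMIN$ -> no match
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "\\\\127.0.0.1\\C$\\Users\\public\\notes.txt"},
    # same condition with different casing -> fires (case-insensitive)
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "\\\\127.0.0.1\\admin$\\svc.exe"},
]

if __name__ == "__main__":
    for path in find_matches(SAMPLE_EVENTS):
        print("ALERT Writing Local Admin Share:", path)
```

The two negative cases show what the `all` modifier requires: a write to a remote host's ADMIN$ share, or to the loopback host's C$ share, does not satisfy the rule, because both the `\\127.0.0` prefix and the `\ADMIN$\` segment must be present in the same path.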
References
MITRE ATT&CK
Rule Metadata
Rule ID
4aafb0fa-bff5-4b9d-b99e-8093e659c65f
Status
test
Level
medium
Type
Detection
Created
Sat Jan 01
Modified
Sat Aug 13
Author
Path
rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.lateral-movement
attack.t1546.002