
MITRE BZAR Indicators for Persistence

Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Author
@neu5ron, SOC Prime
Log Source
Product
Zeek (Bro) (raw: zeek)
Service
dce_rpc
Detection Logic (6 selectors)
detection:
    op1:
        endpoint: 'spoolss'
        operation: 'RpcAddMonitor'
    op2:
        endpoint: 'spoolss'
        operation: 'RpcAddPrintProcessor'
    op3:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddMonitor'
    op4:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddPrintProcessor'
    op5:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonW'
    op6:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonExW'
    condition: 1 of op*
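The detection block above is six exact (endpoint, operation) pairs joined by `1 of op*`, so a single matching DCE-RPC call fires the rule. The first four operations register a port monitor or print processor DLL in the remote print spooler; the last two are the Secondary Logon service (seclogon) calls behind CreateProcessWithLogonW, i.e. a remote "runas". The following Python is an added example, not code from the rule's author or from Sigma: it mirrors the selectors and runs them over constructed JSON-formatted Zeek dce_rpc.log lines (Zeek's default TSV writer would need a different parser). Sigma string matching is case-insensitive, which the matcher reproduces. The optional host allowlist is an assumption of this example, added as one way to suppress the administrator-host false positives the rule lists.

```python
import json

# Selectors copied from the rule's detection block: any one pair matching
# a record fires the rule ("1 of op*").
BZAR_PERSISTENCE_OPS = {
    ("spoolss", "RpcAddMonitor"),
    ("spoolss", "RpcAddPrintProcessor"),
    ("IRemoteWinspool", "RpcAsyncAddMonitor"),
    ("IRemoteWinspool", "RpcAsyncAddPrintProcessor"),
    ("ISecLogon", "SeclCreateProcessWithLogonW"),
    ("ISecLogon", "SeclCreateProcessWithLogonExW"),
}

# Sigma compares strings case-insensitively, so fold both sides to lower case.
_OPS_FOLDED = {(e.lower(), o.lower()) for e, o in BZAR_PERSISTENCE_OPS}


def matches_rule(record: dict) -> bool:
    """True when one Zeek dce_rpc record satisfies the rule's condition."""
    endpoint = record.get("endpoint")
    operation = record.get("operation")
    if not isinstance(endpoint, str) or not isinstance(operation, str):
        return False  # field missing or unset ("-") in Zeek terms: no match
    return (endpoint.lower(), operation.lower()) in _OPS_FOLDED


def scan_dce_rpc_log(lines, admin_hosts=frozenset()) -> list:
    """Scan JSON-formatted Zeek dce_rpc.log lines.

    Returns (id.orig_h, id.resp_h, endpoint, operation) for every hit.
    Blank, comment and malformed lines are skipped. admin_hosts is an
    assumed allowlist of source IPs (e.g. a print management host) whose
    hits are dropped; it is not part of the Sigma rule itself.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not matches_rule(rec):
            continue
        src = rec.get("id.orig_h")
        if src in admin_hosts:
            continue
        hits.append((src, rec.get("id.resp_h"), rec["endpoint"], rec["operation"]))
    return hits


# Constructed sample records (not real traffic). Zeek's JSON writer emits
# the connection tuple as flat "id.orig_h"-style keys.
SAMPLE_LOG = [
    '{"ts":1700000000.1,"uid":"CAAAAA1","id.orig_h":"10.0.0.5","id.orig_p":49152,'
    '"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"spoolss","operation":"RpcOpenPrinterEx"}',
    '{"ts":1700000001.2,"uid":"CAAAAA2","id.orig_h":"10.0.0.5","id.orig_p":49152,'
    '"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"spoolss","operation":"RpcAddPrintProcessor"}',
    '{"ts":1700000002.3,"uid":"CAAAAA3","id.orig_h":"10.0.0.7","id.orig_p":50000,'
    '"id.resp_h":"10.0.0.10","id.resp_p":49670,"endpoint":"ISecLogon","operation":"SeclCreateProcessWithLogonW"}',
    '{"ts":1700000003.4,"uid":"CAAAAA4","id.orig_h":"10.0.0.8","id.orig_p":50001,'
    '"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"srvsvc","operation":"NetrShareEnum"}',
    'not json at all',
]

if __name__ == "__main__":
    for hit in scan_dce_rpc_log(SAMPLE_LOG):
        print("BZAR persistence indicator:", hit)
```

Only the RpcAddPrintProcessor and SeclCreateProcessWithLogonW records are reported; the RpcOpenPrinterEx and NetrShareEnum calls are routine spooler and server-service traffic the rule deliberately ignores. Because the rule keys on the operation alone, the same call from a print server administrator looks identical on the wire, which is why the allowlist (or an equivalent filter on the source host) is worth pairing with it in production.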
False Positives

Windows administrator tasks or troubleshooting

Windows management scripts or software

Rule Metadata
Rule ID
53389db6-ba46-48e3-a94c-e0f2cefe1583
Status
test
Level
medium
Type
Detection
Created
Thu Mar 19
Modified
Sat Nov 27
Path
rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.t1547.004