Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Remote Encrypting File System Abuse

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Sagie Dulce, Dekel PazCreated Sat Jan 015f92fff9-82e2-48eb-8fc1-8b133556a551application
Log Source
rpc_firewallapplication
Productrpc_firewall← raw: rpc_firewall
Categoryapplication← raw: application

Definition

Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - df1941c5-fe89-4e79-bf10-463657acf44d
            - c681d488-d850-11d0-8c52-00c04fd90f7e
    condition: selection
False Positives

Legitimate usage of remote file encryption

References
1
Resolving title…
msrc.microsoft.com
2
Resolving title…
github.com
3
Resolving title…
github.com
4
Resolving title…
zeronetworks.com
MITRE ATT&CK
Rule Metadata
Rule ID
5f92fff9-82e2-48eb-8fc1-8b133556a551
Status
test
Level
high
Type
Detection
Created
Sat Jan 01
Author
Sagie Dulce, Dekel Paz
Path
rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
Raw Tags
attack.lateral-movement
View on GitHub