Detectionhightest

SharpHound Recon Sessions

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sagie Dulce, Dekel PazCreated Sat Jan 016d580420-ff3f-4e0e-b6b0-41b90c787e28application

Log Source

rpc_firewallapplication

Productrpc_firewall← raw: rpc_firewall

Categoryapplication← raw: application

Definition

Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12

Detection Logic

detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
        OpNum: 12
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0007 · Discovery

Techniques

T1033 · System Owner/User Discovery

Rule Metadata

Rule ID

6d580420-ff3f-4e0e-b6b0-41b90c787e28

Status

test

Level

high

Type

Detection

Created

Sat Jan 01

Author

Sagie Dulce, Dekel Paz

Path

rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml

Raw Tags

attack.discoveryattack.t1033

View on GitHub