Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

SMB over QUIC Via PowerShell Script

Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Fri Jul 216df07c3b-8456-4f8b-87bb-fe31ec964caewindows
Hunting Hypothesis
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic1 selector
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-SmbMapping'
            - '-TransportType QUIC'
    condition: selection
False Positives

Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.

References
1
Resolving title…
github.com
2
Resolving title…
learn.microsoft.com
3
Resolving title…
trustedsec.com
MITRE ATT&CK

Other

detection.threat-hunting
Related Rules
SimilarThreat Huntmedium

SMB over QUIC Via Net.EXE

Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
6df07c3b-8456-4f8b-87bb-fe31ec964cae
Status
test
Level
medium
Type
Threat Hunt
Created
Fri Jul 21
Author
François Hubaut
Path
rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml
Raw Tags
attack.lateral-movementattack.t1570detection.threat-hunting
View on GitHub