Detectionhightest

Suspicious Redirection to Local Admin Share

Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sun Jan 16Updated Thu Dec 28ab9e3b40-0c85-4ba1-aede-455d226fd124windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_redirect:
        CommandLine|contains: '>'
    selection_share:
        CommandLine|contains:
            - '\\\\127.0.0.1\\admin$\\'
            - '\\\\localhost\\admin$\\'
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

microsoft.com

Resolving title…

blog.talosintelligence.com

MITRE ATT&CK

Tactics

TA0010 · Exfiltration

Techniques

T1048 · Exfiltration Over Alternative Protocol

Rule Metadata

Rule ID

ab9e3b40-0c85-4ba1-aede-455d226fd124

Status

test

Level

high

Type

Detection

Created

Sun Jan 16

Modified

Thu Dec 28

Author

Florian Roth (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml

Raw Tags

attack.exfiltrationattack.t1048

View on GitHub