Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

MITRE BZAR Indicators for Execution

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@neu5ron, SOC PrimeCreated Thu Mar 19Updated Sat Nov 27b640c0b8-87f8-4daa-aef8-95a24261dd1dnetwork
Log Source
Zeek (Bro)dce_rpc
ProductZeek (Bro)← raw: zeek
Servicedce_rpc← raw: dce_rpc
Detection Logic
Detection Logic10 selectors
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
False Positives

Windows administrator tasks or troubleshooting

Windows management scripts or software

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
b640c0b8-87f8-4daa-aef8-95a24261dd1d
Status
test
Level
medium
Type
Detection
Created
Thu Mar 19
Modified
Sat Nov 27
Author
@neu5ron, SOC Prime
Path
rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.executionattack.t1047attack.t1053.002attack.t1569.002
View on GitHub