
Remote Server Service Abuse

Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS

Author
Sagie Dulce, Dekel Paz
Created
Sat Jan 01
Log Source
Product
rpc_firewall
Category
application

Definition

Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188"

Detection Logic
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
    condition: selection
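The selection above evaluated the way a Sigma backend would, run over constructed RPC Firewall audit events; this is an added example, not code from the Sigma rule or the RPC Firewall project, and the event field names and sample values (including the all-zero placeholder UUID) are assumptions.

```python
from typing import Any, Dict, Iterable, List

# Selection copied from the rule: every field must match (logical AND).
SELECTION: Dict[str, Any] = {
    "EventLog": "RPCFW",
    "EventID": 3,
    "InterfaceUuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
}


def field_matches(expected: Any, actual: Any) -> bool:
    """Sigma-style equality: strings compare case-insensitively; other
    values (the integer EventID) compare by their string form so that an
    EventID logged as "3" still matches the rule's 3."""
    if actual is None:
        return False
    if isinstance(expected, str):
        return str(actual).casefold() == expected.casefold()
    return str(expected) == str(actual)


def matches_selection(event: Dict[str, Any], selection: Dict[str, Any] = SELECTION) -> bool:
    """True when every key of the selection matches the event (the rule's condition)."""
    return all(field_matches(v, event.get(k)) for k, v in selection.items())


def find_hits(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [e for e in events if matches_selection(e)]


# Constructed sample events (not real RPC Firewall output); keys follow the rule.
SAMPLE_EVENTS = [
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "ClientAddr": "10.0.0.5"},
    # same interface, UUID in upper case: still a hit under Sigma case-insensitive matching
    {"EventLog": "RPCFW", "EventID": "3", "InterfaceUuid": "4B324FC8-1670-01D3-1278-5A47BF6EE188", "ClientAddr": "10.0.0.9"},
    # placeholder UUID standing in for some other RPC interface: must not fire
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": "00000000-0000-0000-0000-000000000000", "ClientAddr": "10.0.0.7"},
    # right interface, different event ID: not the audited-call event
    {"EventLog": "RPCFW", "EventID": 1, "InterfaceUuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188"},
    # interface field missing entirely
    {"EventLog": "RPCFW", "EventID": 3},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT Remote Server Service Abuse:", hit)
```

The rule fires on every audited call to the MS-SRVS interface, so the legitimate share creation listed under False Positives produces the same event as abuse; triage needs the caller and source host from the event, not the interface UUID alone.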
False Positives

Legitimate remote share creation

MITRE ATT&CK
Rule Metadata
Rule ID
b6ea3cc7-542f-43ef-bbe4-980fbed444c7
Status
test
Level
high
Type
Detection
Created
Sat Jan 01
Path
rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
Raw Tags
attack.lateral-movement