Sigma Rules
17 rules found
Remote Schedule Task Lateral Movement via ATSvc
Detects remote RPC calls to create or execute a scheduled task via ATSvc
Remote Schedule Task Recon via AtScv
Detects remote RPC calls to read information about scheduled tasks via AtScv
Possible DCSync Attack
Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
Remote Encrypting File System Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Remote Event Log Recon
Detects remote RPC calls to get event log information via EVEN or EVEN6
Remote Schedule Task Lateral Movement via ITaskSchedulerService
Detects remote RPC calls to create or execute a scheduled task
Remote Schedule Task Recon via ITaskSchedulerService
Detects remote RPC calls to read information about scheduled tasks
Remote Printing Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
Remote DCOM/WMI Lateral Movement
Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
Remote Registry Lateral Movement
Detects remote RPC calls to modify the registry and possible execute code
Remote Registry Recon
Detects remote RPC calls to collect information
Remote Server Service Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
Remote Server Service Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
Recon Activity via SASec
Detects remote RPC calls to read information about scheduled tasks via SASec
SharpHound Recon Account Discovery
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
SharpHound Recon Sessions
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.