Sigma Rules
43 rules found for "attack.T1569.002"
Remote Server Service Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
MITRE BZAR Indicators for Execution
Windows DCE-RPC functions which indicate an execution technique on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
DNS Events Related To Mining Pools
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
Metasploit Or Impacket Service Installation Via SMB PsExec
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
PowerShell Scripts Installed as Services - Security
Detects a PowerShell script installed as a service
Remote Access Tool Services Have Been Installed - Security
Detects service installation of various remote access tool software. Such software is often abused by threat actors to perform
CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
smbexec.py Service Installation
Detects the use of the smbexec.py tool via a specific service installation
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
PowerShell Scripts Installed as Services
Detects a PowerShell script installed as a service
CSExec Service Installation
Detects CSExec service installation and execution events
HackTool Service Registration or Execution
Detects installation or execution of services
PAExec Service Installation
Detects PAExec service installation
ProcessHacker Privilege Elevation
Detects the ProcessHacker tool elevating its privileges to a very high level
RemCom Service Installation
Detects RemCom service installation and execution events
Remote Access Tool Services Have Been Installed - System
Detects service installation of various remote access tool software. Such software is often abused by threat actors to perform
Sliver C2 Default Service Installation
Detects known malicious service installations that appear in cases in which a Sliver implant executes the PsExec command
PsExec Service Installation
Detects PsExec service installation and execution events
PSExec and WMI Process Creations Block
Detects blocking of process creations originating from PSExec and WMI commands
CSExec Service File Creation
Detects default CSExec service filename which indicates CSExec service installation and execution
RemCom Service File Creation
Detects default RemCom service filename which indicates RemCom service installation and execution
PsExec Service File Creation
Detects default PsExec service filename which indicates PsExec service installation and execution
PUA - CSExec Default Named Pipe
Detects default CSExec pipe creation
PUA - PAExec Default Named Pipe
Detects PAExec default named pipe
PUA - RemCom Default Named Pipe
Detects default RemCom pipe creation
PsExec Tool Execution From Suspicious Locations - PipeName
Detects PsExec default pipe creation where the executed image is located in a suspicious location, which could indicate that the tool is being used in an attack
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
Start Windows Service Via Net.EXE
Detects the usage of the "net.exe" command to start a service using the "start" flag
PUA - CsExec Execution
Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative
PUA - NirCmd Execution
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
PUA - NirCmd Execution As LOCAL SYSTEM
Detects the use of NirCmd tool for command execution as SYSTEM user
PUA - NSudo Execution
Detects the use of NSudo tool for command execution
PUA - RunXCmd Execution
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
PowerShell as a Service in Registry
Detects PowerShell code written to the registry as a service.
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
CosmicDuke Service Installation
Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
DNS RCE CVE-2020-1350
Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting suspicious sub-process creation
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub-processes (a long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
PsExec Default Named Pipe
Detects PsExec service default pipe creation