Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

190 rules found for "lateral-movement"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Bitbucket Global SSH Settings Changed

Detects Bitbucket global SSH access configuration changes.

bitbucketaudit
TA0008 · Lateral MovementTA0005 · Defense EvasionT1562.001 · Disable or Modify ToolsT1021.004 · SSH
Muhammad FaisalSun Feb 25application
Detectionmediumtest

Bitbucket User Login Failure Via SSH

Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.

bitbucketaudit
TA0008 · Lateral MovementTA0006 · Credential AccessT1021.004 · SSHT1110 · Brute Force
Muhammad FaisalSun Feb 25application
Detectionhightest

OpenCanary - FTP Login Attempt

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

opencanaryapplication
TA0001 · Initial AccessTA0010 · ExfiltrationTA0008 · Lateral MovementT1190 · Exploit Public-Facing Application+1
Security Onion SolutionsFri Mar 08application
Detectionhighexperimental

OpenCanary - RDP New Connection Attempt

Detects instances where an RDP service on an OpenCanary node has had a connection attempt.

opencanaryapplication
TA0001 · Initial AccessTA0008 · Lateral MovementT1133 · External Remote ServicesT1021.001 · Remote Desktop Protocol
Marco PedrinazziTue Jan 06application
Detectionhightest

OpenCanary - SMB File Open Request

Detects instances where an SMB service on an OpenCanary node has had a file open request.

opencanaryapplication
TA0008 · Lateral MovementTA0009 · CollectionT1021 · Remote ServicesT1005 · Data from Local System
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SNMP OID Request

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

opencanaryapplication
TA0007 · DiscoveryTA0008 · Lateral MovementT1016 · System Network Configuration DiscoveryT1021 · Remote Services
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SSH Login Attempt

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

opencanaryapplication
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0001 · Initial AccessTA0008 · Lateral Movement+4
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - SSH New Connection Attempt

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

opencanaryapplication
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0001 · Initial AccessTA0008 · Lateral Movement+4
Security Onion SolutionsFri Mar 08application
Detectionhightest

OpenCanary - VNC Connection Attempt

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

opencanaryapplication
TA0008 · Lateral MovementT1021 · Remote Services
Security Onion SolutionsFri Mar 08application
Detectionhightest

Remote Schedule Task Lateral Movement via ATSvc

Detects remote RPC calls to create or execute a scheduled task via ATSvc

rpc_firewallapplication
TA0004 · Privilege EscalationTA0008 · Lateral MovementTA0002 · ExecutionTA0003 · Persistence+2
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Schedule Task Recon via AtScv

Detects remote RPC calls to read information about scheduled tasks via AtScv

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

rpc_firewallapplication
T1033 · System Owner/User DiscoveryTA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Encrypting File System Abuse

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

rpc_firewallapplication
TA0008 · Lateral Movement
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Event Log Recon

Detects remote RPC calls to get event log information via EVEN or EVEN6

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task

rpc_firewallapplication
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionTA0008 · Lateral Movement+2
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Schedule Task Recon via ITaskSchedulerService

Detects remote RPC calls to read information about scheduled tasks

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Printing Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

rpc_firewallapplication
TA0008 · Lateral Movement
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote DCOM/WMI Lateral Movement

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

rpc_firewallapplication
TA0008 · Lateral MovementTA0002 · ExecutionT1021.003 · Distributed Component Object ModelT1047 · Windows Management Instrumentation
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Registry Lateral Movement

Detects remote RPC calls to modify the registry and possible execute code

rpc_firewallapplication
TA0005 · Defense EvasionTA0008 · Lateral MovementT1112 · Modify RegistryTA0003 · Persistence
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Registry Recon

Detects remote RPC calls to collect information

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Server Service Abuse

Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS

rpc_firewallapplication
TA0008 · Lateral Movement
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Server Service Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

rpc_firewallapplication
TA0008 · Lateral MovementTA0002 · ExecutionT1569.002 · Service Execution
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Remote Schedule Task Lateral Movement via SASec

Detects remote RPC calls to create or execute a scheduled task via SASec

rpc_firewallapplication
TA0004 · Privilege EscalationTA0008 · Lateral MovementTA0002 · ExecutionTA0003 · Persistence+2
Sagie Dulce+1Sat Jan 01application
Detectionhightest

Recon Activity via SASec

Detects remote RPC calls to read information about scheduled tasks via SASec

rpc_firewallapplication
TA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

SharpHound Recon Account Discovery

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

rpc_firewallapplication
T1087 · Account DiscoveryTA0007 · Discovery
Sagie Dulce+1Sat Jan 01application
Detectionhightest

SharpHound Recon Sessions

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

rpc_firewallapplication
TA0007 · DiscoveryT1033 · System Owner/User Discovery
Sagie Dulce+1Sat Jan 01application
Detectionmediumtest

AWS Console GetSigninToken Potential Abuse

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

AWScloudtrail
TA0008 · Lateral MovementTA0005 · Defense EvasionT1021.007 · Cloud ServicesT1550.001 · Application Access Token
Chester Le BronMon Feb 26cloud
Detectionlowtest

AWS STS AssumeRole Misuse

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

AWScloudtrail
TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0005 · Defense EvasionT1548 · Abuse Elevation Control Mechanism+2
Austin SongerSat Jul 24cloud
Detectionlowtest

AWS STS GetSessionToken Misuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWScloudtrail
TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0005 · Defense EvasionT1548 · Abuse Elevation Control Mechanism+2
Austin SongerSat Jul 24cloud
Detectionmediumtest

AWS Suspicious SAML Activity

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

AWScloudtrail
TA0005 · Defense EvasionTA0001 · Initial AccessTA0008 · Lateral MovementTA0003 · Persistence+5
Austin SongerWed Sep 22cloud
Detectionlowstable

Remote File Copy

Detects the use of tools that copy files from or to remote systems

Linux
TA0011 · Command and ControlTA0008 · Lateral MovementT1105 · Ingress Tool Transfer
Ömer GünalThu Jun 18linux
Detectionlowtest

Cisco Stage Data

Various protocols maybe used to put data on the device for exfil or infil

Ciscoaaa
TA0009 · CollectionTA0008 · Lateral MovementTA0011 · Command and ControlTA0010 · Exfiltration+3
Austin ClarkMon Aug 12network
Detectionmediumtest

SMB Spoolss Name Piped Usage

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Zeek (Bro)smb_files
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
OTR (Open Threat Research)Wed Nov 28network
Detectionhightest

Publicly Accessible RDP Service

Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.

Zeek (Bro)rdp
TA0008 · Lateral MovementT1021.001 · Remote Desktop Protocol
Josh BrowerSat Aug 22network
Detectionmediumtest

Remote Task Creation via ATSVC Named Pipe - Zeek

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Zeek (Bro)smb_files
TA0004 · Privilege EscalationTA0002 · ExecutionTA0008 · Lateral MovementTA0003 · Persistence+3
Samir BousseadenFri Apr 03network
Detectionhightest

First Time Seen Remote Named Pipe - Zeek

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Zeek (Bro)smb_files
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
Samir Bousseaden+1Thu Apr 02network
Detectionhightest

Suspicious PsExec Execution - Zeek

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Zeek (Bro)smb_files
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
Samir Bousseaden+1Thu Apr 02network
Detectionmediumtest

Apache Threading Error

Detects an issue in apache logs that reports threading related errors

apache
TA0001 · Initial AccessTA0008 · Lateral MovementT1190 · Exploit Public-Facing ApplicationT1210 · Exploitation of Remote Services
Florian Roth (Nextron Systems)Tue Jan 22web
Detectioncriticaltest

Audit CVE Event

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Windowsapplication
TA0002 · ExecutionT1203 · Exploitation for Client ExecutionTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation+8
Florian Roth (Nextron Systems)+1Wed Jan 15windows
Detectionhightest

Restricted Software Access By SRP

Detects restricted access to applications by the Software Restriction Policies (SRP) policy

Windowsapplication
TA0008 · Lateral MovementTA0002 · ExecutionTA0005 · Defense EvasionT1072 · Software Deployment Tools
François HubautThu Jan 12windows
Detectionlowtest

NTLM Logon

Detects logons using NTLM, which could be caused by a legacy source or attackers

Windowsntlm
TA0005 · Defense EvasionTA0008 · Lateral MovementT1550.002 · Pass the Hash
Florian Roth (Nextron Systems)Fri Jun 08windows
Detectionmediumtest

OpenSSH Server Listening On Socket

Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.

Windowsopenssh
TA0008 · Lateral MovementT1021.004 · SSH
mdecrevoisierTue Oct 25windows
Detectionlowtest

Admin User Remote Logon

Detect remote login by Administrator user (depending on internal pattern).

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionTA0008 · Lateral Movement+5
juju4Sun Oct 29windows
Detectionhightest

Successful Overpass the Hash Attempt

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Windowssecurity
TA0005 · Defense EvasionTA0008 · Lateral MovementS0002 · MimikatzT1550.002 · Pass the Hash
Roberto Rodriguez (Cyb3rWard0g)+1Mon Feb 12windows
Detectionmediumstable

Pass the Hash Activity 2

Detects the attack technique pass the hash which is used to move laterally inside the network

Windowssecurity
TA0005 · Defense EvasionTA0008 · Lateral MovementT1550.002 · Pass the Hash
Dave Kennedy+1Fri Jun 14windows
Detectionhightest

RDP Login from Localhost

RDP login with localhost source address may be a tunnelled login

Windowssecurity
TA0008 · Lateral Movement2013-07-002 · CAR 2013-07-002T1021.001 · Remote Desktop Protocol
Thomas PatzkeMon Jan 28windows
Detectionlowtest

Outgoing Logon with New Credentials

Detects logon events that specify new credentials

Windowssecurity
TA0005 · Defense EvasionTA0008 · Lateral MovementT1550 · Use Alternate Authentication Material
Max Altgelt (Nextron Systems)Wed Apr 06windows
Detectionlowtest

Access To ADMIN$ Network Share

Detects access to ADMIN$ network share

Windowssecurity
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
Florian Roth (Nextron Systems)Sat Mar 04windows
1234