Techniques
Sample rules
Remote Server Service Abuse for Lateral Movement
- source: sigma
- techniques:
  - t1569
  - t1569.002
Description
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Detection logic
condition: selection
selection:
  EventID: 3
  EventLog: RPCFW
  InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003