Techniques
Sample rules
Remote Encrypting File System Abuse
- source: sigma
- techniques:
Description
Detects remote RPC calls that may abuse the remote encryption service via MS-EFSR.
Detection logic
condition: selection
selection:
  EventID: 3
  EventLog: RPCFW
  InterfaceUuid:
    - df1941c5-fe89-4e79-bf10-463657acf44d
    - c681d488-d850-11d0-8c52-00c04fd90f7e