Techniques
Sample rules
Powershell Enable SMB1Protocol Feature
- source: splunk
- techniques:
- T1027
- T1027.005
Description
The following analytic detects the enabling of the SMB1 protocol via powershell.exe. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the Enable-WindowsOptionalFeature cmdlet with the SMB1Protocol parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_enable_smb1protocol_feature_filter`
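The search above reads as a filter (EventCode 4104 plus two wildcard matches on ScriptBlockText, implicitly ANDed) followed by a `stats` aggregation. The following Python is an added illustration of that logic, not code from the rule or from Splunk: it runs the same filter and grouping over a handful of constructed EventCode 4104/4103 records. The event dictionaries, the `ctime` helper (a stand-in for the `security_content_ctime` macro), and the omission of the `powershell_enable_smb1protocol_feature_filter` tuning macro are all assumptions made for the example.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed sample records (not real logs). Each carries the fields the SPL
# groups on, plus an epoch timestamp standing in for Splunk's _time.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "ws01.corp.local", "UserID": "CORP\\alice",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All"},
    # Same script block re-run ten minutes later: should aggregate into the same row.
    {"_time": 1700000600, "EventCode": 4104, "Computer": "ws01.corp.local", "UserID": "CORP\\alice",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All"},
    # Lower-case variant: Splunk wildcard matches on string fields are case-insensitive.
    {"_time": 1700001200, "EventCode": 4104, "Computer": "ws02.corp.local", "UserID": "CORP\\bob",
     "ScriptBlockText": "enable-windowsoptionalfeature -online -featurename smb1protocol"},
    # Benign query of the feature state: mentions SMB1Protocol but not the Enable- cmdlet.
    {"_time": 1700001800, "EventCode": 4104, "Computer": "ws03.corp.local", "UserID": "CORP\\carol",
     "ScriptBlockText": "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    # Enable- cmdlet for an unrelated feature: one pattern matches, the other does not.
    {"_time": 1700002400, "EventCode": 4104, "Computer": "ws03.corp.local", "UserID": "CORP\\carol",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient"},
    # Right text, wrong event code (4103 module logging): excluded by EventCode=4104.
    {"_time": 1700003000, "EventCode": 4103, "Computer": "ws01.corp.local", "UserID": "CORP\\alice",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
]

# The two wildcard terms from the search; both must match.
PATTERNS = ("*Enable-WindowsOptionalFeature*", "*SMB1Protocol*")


def matches(event):
    """Apply the search's filter stage: EventCode=4104 AND every wildcard
    pattern matches ScriptBlockText (compared case-insensitively)."""
    if event.get("EventCode") != 4104:
        return False
    text = str(event.get("ScriptBlockText", "")).lower()
    return all(fnmatch.fnmatchcase(text, p.lower()) for p in PATTERNS)


def run_detection(events):
    """Equivalent of
    `stats count min(_time) as firstTime max(_time) as lastTime
     by EventCode ScriptBlockText Computer UserID`
    over the events that pass the filter. Returns rows ordered by firstTime."""
    groups = {}
    for e in events:
        if not matches(e):
            continue
        key = (e["EventCode"], e["ScriptBlockText"], e["Computer"], e["UserID"])
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    rows = [
        {"EventCode": code, "ScriptBlockText": text, "Computer": computer, "UserID": user, **g}
        for (code, text, computer, user), g in groups.items()
    ]
    return sorted(rows, key=lambda r: r["firstTime"])


def ctime(epoch):
    """Stand-in for the security_content_ctime macro: render epoch seconds as UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f"{ctime(row['firstTime'])}  {ctime(row['lastTime'])}  count={row['count']}  "
              f"{row['Computer']}  {row['UserID']}  {row['ScriptBlockText']}")
```

Two of the six constructed records survive the filter and they land in separate rows because the grouping key includes the full ScriptBlockText, so the same command typed with different casing or argument order is reported separately. Note what the search does not cover: enabling SMB1 through `dism.exe /online /enable-feature /featurename:SMB1Protocol` or through `Set-SmbServerConfiguration -EnableSMB1Protocol $true` produces no script block containing both search terms, so those paths need their own detections.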