LoFP / Network operator may enable or disable this Windows feature.

Techniques

Sample rules

Powershell Enable SMB1Protocol Feature

Description

This search detects suspicious enabling of the SMB1Protocol feature through powershell.exe. This technique was seen in some ransomware (like reddot), which enables SMB sharing to perform lateral movement and encrypt files on other systems within the compromised network.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_enable_smb1protocol_feature_filter`
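The following is an added, stand-alone re-implementation of the search above in Python; it is not Splunk's or the security content project's own code. It applies the same two case-insensitive wildcard terms to constructed EventCode 4104 (PowerShell Script Block Logging) events, aggregates matches the way the `stats` clause does, and models the trailing filter macro as an allowlist of operator accounts so the false positive named at the top of this page can be tuned out. All event values, host names and account names are constructed for the example.

```python
"""Added example (not Splunk's code): re-implementation of the
Powershell Enable SMB1Protocol Feature detection over constructed events."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample EventCode 4104 records with the fields the search uses.
SAMPLE_EVENTS = [
    {"_time": "2024-01-15T09:12:01Z", "EventCode": 4104,
     "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All"},
    {"_time": "2024-01-15T09:14:30Z", "EventCode": 4104,
     "Computer": "ws01.corp.example", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All"},
    # Disabling the feature does not contain "Enable-WindowsOptionalFeature".
    {"_time": "2024-01-15T10:00:00Z", "EventCode": 4104,
     "Computer": "srv02.corp.example", "UserID": "CORP\\admin",
     "ScriptBlockText": "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    # Enabling an unrelated feature matches the cmdlet but not "SMB1Protocol".
    {"_time": "2024-01-15T10:05:00Z", "EventCode": 4104,
     "Computer": "srv02.corp.example", "UserID": "CORP\\admin",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient"},
    # Module logging (4103) is not script block logging, so the search skips it.
    {"_time": "2024-01-15T10:06:00Z", "EventCode": 4103,
     "Computer": "srv02.corp.example", "UserID": "CORP\\admin",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
]

# The two wildcard terms from the search; Splunk string matching is
# case-insensitive, so both sides are lower-cased.
MATCH_TERMS = ("enable-windowsoptionalfeature", "smb1protocol")


def matches(event):
    """True when the event is a 4104 whose ScriptBlockText contains both terms."""
    if event.get("EventCode") != 4104:
        return False
    text = str(event.get("ScriptBlockText", "")).lower()
    return all(term in text for term in MATCH_TERMS)


def parse_time(stamp):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ctime(dt):
    """Stand-in for `security_content_ctime`: render a readable timestamp."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events):
    """Equivalent of: stats count min(_time) as firstTime max(_time) as lastTime
    by EventCode ScriptBlockText Computer UserID, with ctime applied."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
            groups[key].append(parse_time(ev["_time"]))
    results = []
    for (code, text, computer, user), times in groups.items():
        results.append({
            "EventCode": code, "ScriptBlockText": text, "Computer": computer,
            "UserID": user, "count": len(times),
            "firstTime": ctime(min(times)), "lastTime": ctime(max(times)),
        })
    return results


def apply_filter(results, operator_allowlist=()):
    """Stand-in for the `powershell_enable_smb1protocol_feature_filter` macro:
    drop rows for accounts that are documented as allowed to toggle the feature
    (the network-operator false positive), keep everything else for triage."""
    allowed = {u.lower() for u in operator_allowlist}
    return [r for r in results if r["UserID"].lower() not in allowed]


if __name__ == "__main__":
    for row in apply_filter(run_detection(SAMPLE_EVENTS), operator_allowlist=["CORP\\admin"]):
        print(row)
```

Only the two `jdoe` events on `ws01` survive as a single aggregated row with `count=2`; the disable, the unrelated feature and the 4103 record are excluded exactly as the SPL would exclude them. Tuning the false positive belongs in the filter step, not in the match terms: adding a documented operator account to the allowlist removes that account's rows without weakening the detection for everyone else.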