Powershell Enable SMB1Protocol Feature
- source: splunk
- techniques:
  - T1027
  - T1027.005
Description
This search detects suspicious enabling of the SMB1Protocol Windows feature through powershell.exe. This technique was seen in some ransomware (such as RedDot), which enables SMB shares to perform lateral movement and encrypt files on other hosts within the compromised network.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_enable_smb1protocol_feature_filter`
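The same detection logic as an added Python example (not part of the rule or of Splunk's content): it applies the search's filter to constructed EventCode 4104 ScriptBlock-logging events and aggregates them the way the stats command does. All events, hostnames and user names below are constructed.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample 4104 (ScriptBlock logging) events; _time is epoch seconds.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": 1700000000, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    {"EventCode": 4104, "_time": 1700000120, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    # Same command in different casing: Splunk wildcard matching ignores case.
    {"EventCode": 4104, "_time": 1700000300, "Computer": "ws02.corp.example",
     "UserID": "CORP\\bob",
     "ScriptBlockText": "enable-windowsoptionalfeature -online -featurename smb1protocol -all"},
    # Read-only query: must NOT match (no Enable-WindowsOptionalFeature).
    {"EventCode": 4104, "_time": 1700000400, "Computer": "ws02.corp.example",
     "UserID": "CORP\\bob",
     "ScriptBlockText": "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    # Wrong EventCode (4103 is module logging, not ScriptBlock): must NOT match.
    {"EventCode": 4103, "_time": 1700000500, "Computer": "ws03.corp.example",
     "UserID": "CORP\\carol",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
]

PATTERNS = ("*Enable-WindowsOptionalFeature*", "*SMB1Protocol*")


def matches(event):
    """Mirror the search filter: EventCode 4104 and both wildcard terms in
    ScriptBlockText. Splunk matches field values case-insensitively, so fold case."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "").lower()
    return all(fnmatchcase(text, pattern.lower()) for pattern in PATTERNS)


def detect(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime
    by EventCode ScriptBlockText Computer UserID`: one row per distinct key."""
    groups = defaultdict(list)
    for event in events:
        if matches(event):
            key = (event["EventCode"], event["ScriptBlockText"],
                   event["Computer"], event["UserID"])
            groups[key].append(event["_time"])
    return [{"EventCode": code, "ScriptBlockText": text, "Computer": host,
             "UserID": user, "count": len(times),
             "firstTime": min(times), "lastTime": max(times)}
            for (code, text, host, user), times in groups.items()]
```

Because the stats grouping keys on the exact ScriptBlockText, the two identically cased alice events collapse into one row with count 2, while bob's lower-cased variant lands in its own row.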