Techniques
Sample rules
Remote Registry Lateral Movement
- source: sigma
- techniques:
- t1112
Description
Detects remote RPC calls to modify the registry and possibly execute code
Detection logic
selection:
  EventLog: RPCFW
  EventID: 3
  InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
  OpNum:
    - 6
    - 7
    - 8
    - 13
    - 18
    - 19
    - 21
    - 22
    - 23
    - 35
condition: selection
Remote Registry Recon
- source: sigma
- techniques:
Description
Detects remote RPC calls to collect information
Detection logic
selection:
  EventLog: RPCFW
  EventID: 3
  InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
filter:
  OpNum:
    - 6
    - 7
    - 8
    - 13
    - 18
    - 19
    - 21
    - 22
    - 23
    - 35
condition: selection and not filter
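Both rules share one selection (RPCFW event ID 3 on interface UUID 338cd001-2244-31f1-aaaa-900038001003, which is the MS-RRP remote registry interface) and split it on OpNum: the write-style operations listed above (for example BaseRegCreateKey, opnum 6, and BaseRegSetValue, opnum 22) count as lateral movement, and every other call on that interface counts as recon. The following Python is an added example, not code from the Sigma project or from this page. It encodes the two rules as shown, implements just enough Sigma semantics to evaluate them (a list value means any-of, string fields compare case-insensitively, and the two condition forms `selection` and `selection and not filter`), and runs them over constructed RPCFW-style events. The event records, the `ClientIP` field and the placeholder interface UUID in the third event are constructed for the example; the field names follow the rules above.

```python
"""Evaluate the two RPCFW remote-registry Sigma rules over sample events.

Added example; not code from the Sigma project or the page above. The event
records below are constructed for illustration.
"""

from typing import Any, Dict, List

# MS-RRP (remote registry, "winreg") interface UUID used by both rules.
WINREG_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# OpNums the lateral-movement rule treats as registry modification.
MODIFY_OPNUMS = [6, 7, 8, 13, 18, 19, 21, 22, 23, 35]

# Rules transcribed from the page. A selection is a mapping field -> expected
# value; a list value means "any of these" (Sigma list-OR semantics).
RULES: Dict[str, Dict[str, Any]] = {
    "Remote Registry Lateral Movement": {
        "selection": {
            "EventLog": "RPCFW",
            "EventID": 3,
            "InterfaceUuid": WINREG_UUID,
            "OpNum": MODIFY_OPNUMS,
        },
        "condition": "selection",
    },
    "Remote Registry Recon": {
        "selection": {
            "EventLog": "RPCFW",
            "EventID": 3,
            "InterfaceUuid": WINREG_UUID,
        },
        "filter": {"OpNum": MODIFY_OPNUMS},
        "condition": "selection and not filter",
    },
}


def field_matches(actual: Any, expected: Any) -> bool:
    """One Sigma field test: lists are any-of, strings compare case-insensitively."""
    if isinstance(expected, list):
        return any(field_matches(actual, item) for item in expected)
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """All fields of a selection map must match (AND); a missing field never matches."""
    return all(
        name in event and field_matches(event[name], expected)
        for name, expected in selection.items()
    )


def rule_matches(event: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """Evaluate the two condition forms used by the rules on this page."""
    condition = rule["condition"]
    if condition == "selection":
        return selection_matches(event, rule["selection"])
    if condition == "selection and not filter":
        return selection_matches(event, rule["selection"]) and not selection_matches(
            event, rule["filter"]
        )
    raise ValueError(f"unsupported condition: {condition!r}")


def run_rules(events: List[Dict[str, Any]]) -> List[List[str]]:
    """Return, for each event, the titles of the rules it triggers (in rule order)."""
    return [[title for title, rule in RULES.items() if rule_matches(ev, rule)] for ev in events]


# Constructed RPCFW-style events (ClientIP is illustrative, not a field the rules use).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Remote BaseRegSetValue (opnum 22): modifies the registry -> lateral movement.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": WINREG_UUID, "OpNum": 22, "ClientIP": "10.0.0.25"},
    # Remote BaseRegQueryValue (opnum 17): read only -> recon.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": WINREG_UUID, "OpNum": 17, "ClientIP": "10.0.0.25"},
    # Same opnum on a different (constructed placeholder) interface UUID -> neither rule.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": "deadbeef-0000-4000-8000-000000000001", "OpNum": 22, "ClientIP": "10.0.0.25"},
    # Wrong event ID -> neither rule.
    {"EventLog": "RPCFW", "EventID": 1, "InterfaceUuid": WINREG_UUID, "OpNum": 22, "ClientIP": "10.0.0.25"},
    # Upper-case UUID and opnum 35 -> still lateral movement (case-insensitive match).
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": WINREG_UUID.upper(), "OpNum": 35, "ClientIP": "10.0.0.77"},
    # No OpNum field at all -> recon, because the filter cannot match a missing field.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": WINREG_UUID, "ClientIP": "10.0.0.77"},
]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_rules(SAMPLE_EVENTS)):
        print(f"OpNum={event.get('OpNum', '-'):>3}  client={event['ClientIP']:<10} -> {hits or ['no match']}")
```

Because the recon rule's filter is exactly the lateral-movement opnum list, every audited WinReg call matches exactly one of the two rules: the recon rule fires on every remote registry read (and, as the last sample event shows, on an event that carries no OpNum at all), so in production it needs an additional filter for the hosts that legitimately manage registries remotely.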