Techniques
Sample rules
Remote DCOM/WMI Lateral Movement
- source: sigma
- techniques:
  - t1021
  - t1021.003
  - t1047
Description
Detects remote RPC calls that perform remote DCOM operations. These interfaces could be abused for lateral movement via DCOM or WMI.
Detection logic
condition: selection
selection:
  EventID: 3
  EventLog: RPCFW
  InterfaceUuid:
    - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
    - 99fcfec4-5260-101b-bbcb-00aa0021347a
    - 000001a0-0000-0000-c000-000000000046
    - 00000131-0000-0000-c000-000000000046
    - 00000143-0000-0000-c000-000000000046
    - 00000000-0000-0000-c000-000000000046
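To show how the selection above behaves on real-looking telemetry, here is an added worked example (it is not part of the rule page or of the Sigma project): a small Sigma-style matcher that applies the rule's field map to RPCFW-shaped event records. The field names EventID, EventLog and InterfaceUuid come from the rule; the event records and their ClientIP field are constructed for illustration, and the interface names in the comments are the well-known DCOM interfaces those UUIDs identify.

```python
"""Added example (not part of the rule page): evaluate the rule's `selection`
against RPCFW-style event records and return the events that fire the rule.
"""
from typing import Any, Iterable

# Detection selection copied from the rule above. A list value means
# "any of these"; every key in the map must match (Sigma AND semantics).
SELECTION: dict[str, Any] = {
    "EventID": 3,
    "EventLog": "RPCFW",
    "InterfaceUuid": [
        "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57",  # IActivation (IRemoteActivation)
        "99fcfec4-5260-101b-bbcb-00aa0021347a",  # IObjectExporter (IOXIDResolver)
        "000001a0-0000-0000-c000-000000000046",  # ISystemActivator
        "00000131-0000-0000-c000-000000000046",  # IRemUnknown
        "00000143-0000-0000-c000-000000000046",  # IRemUnknown2
        "00000000-0000-0000-c000-000000000046",  # IUnknown
    ],
}


def _norm(value: Any) -> Any:
    """Sigma string comparison is case-insensitive; normalise strings, keep ints."""
    return value.casefold() if isinstance(value, str) else value


def field_matches(expected: Any, actual: Any) -> bool:
    """A list in the rule is an OR over its options; a scalar must be equal."""
    if actual is None:  # field absent from the event: the selection cannot match
        return False
    if isinstance(expected, list):
        return any(field_matches(option, actual) for option in expected)
    return _norm(expected) == _norm(actual)


def selection_matches(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """All fields of a Sigma selection map are AND-ed together."""
    return all(field_matches(exp, event.get(name)) for name, exp in selection.items())


def run_rule(events: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events that satisfy `condition: selection`."""
    return [ev for ev in events if selection_matches(SELECTION, ev)]


# Constructed sample events (not real telemetry). ClientIP is an assumed
# extra field used only to make the hits readable.
SAMPLE_EVENTS = [
    # Remote activation call (ISystemActivator), UUID logged in upper case: matches.
    {"EventID": 3, "EventLog": "RPCFW",
     "InterfaceUuid": "000001A0-0000-0000-C000-000000000046", "ClientIP": "10.0.0.25"},
    # Same interface but a different RPCFW event id: no match.
    {"EventID": 5, "EventLog": "RPCFW",
     "InterfaceUuid": "000001a0-0000-0000-c000-000000000046", "ClientIP": "10.0.0.25"},
    # Call to an unrelated interface (constructed UUID): no match.
    {"EventID": 3, "EventLog": "RPCFW",
     "InterfaceUuid": "deadbeef-0000-0000-0000-000000000001", "ClientIP": "10.0.0.40"},
    # Right id and UUID, but not from the RPCFW log: no match.
    {"EventID": 3, "EventLog": "Security",
     "InterfaceUuid": "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57", "ClientIP": "10.0.0.41"},
    # OXID resolver call (IObjectExporter): matches.
    {"EventID": 3, "EventLog": "RPCFW",
     "InterfaceUuid": "99fcfec4-5260-101b-bbcb-00aa0021347a", "ClientIP": "10.0.0.99"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT remote DCOM interface call:", hit)
```

Two of the five constructed events fire the rule: the activation request and the OXID resolver call. The case-folding in `_norm` matters in practice because some log sources emit interface UUIDs in upper case while the rule lists them in lower case; a matcher that compared raw strings would silently miss those events.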