Techniques
Sample rules
MITRE BZAR Indicators for Persistence
- source: sigma
- techniques:
- t1547
- t1547.004
Description
Windows DCE-RPC functions which indicate a persistence technique on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation fields goes to MITRE.
Detection logic
op1:
  endpoint: spoolss
  operation: RpcAddMonitor
op2:
  endpoint: spoolss
  operation: RpcAddPrintProcessor
op3:
  endpoint: IRemoteWinspool
  operation: RpcAsyncAddMonitor
op4:
  endpoint: IRemoteWinspool
  operation: RpcAsyncAddPrintProcessor
op5:
  endpoint: ISecLogon
  operation: SeclCreateProcessWithLogonW
op6:
  endpoint: ISecLogon
  operation: SeclCreateProcessWithLogonExW
condition: 1 of op*
MITRE BZAR Indicators for Execution
- source: sigma
- techniques:
- t1047
- t1053
- t1053.002
- t1569
- t1569.002
Description
Windows DCE-RPC functions which indicate an execution technique on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation fields goes to MITRE.
Detection logic
op1:
  endpoint: atsvc
  operation: JobAdd
op2:
  endpoint: ITaskSchedulerService
  operation: SchRpcEnableTask
op3:
  endpoint: ITaskSchedulerService
  operation: SchRpcRegisterTask
op4:
  endpoint: ITaskSchedulerService
  operation: SchRpcRun
op5:
  endpoint: IWbemServices
  operation: ExecMethod
op6:
  endpoint: IWbemServices
  operation: ExecMethodAsync
op7:
  endpoint: svcctl
  operation: CreateServiceA
op8:
  endpoint: svcctl
  operation: CreateServiceW
op9:
  endpoint: svcctl
  operation: StartServiceA
op10:
  endpoint: svcctl
  operation: StartServiceW
condition: 1 of op*
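Both rules above, run over a handful of Zeek dce_rpc.log records, as an added example that is not code from the Sigma project or from MITRE BZAR. It assumes the default Zeek ASCII TSV column layout of dce_rpc.log (a `#fields` header, when present, overrides that assumption), and the log lines it feeds in are constructed for the demonstration, not a real capture. The AT-service indicator is matched as endpoint `atsvc` / operation `JobAdd`, which is how Zeek logs it; a rule that swaps those two fields never fires.

```python
"""Evaluate the two MITRE BZAR Sigma rules over Zeek dce_rpc.log records.

Added example; assumes Zeek's default ASCII TSV dce_rpc.log layout.
"""
from typing import Dict, List, Set, Tuple

Indicator = Tuple[str, str]  # (endpoint, operation) as logged by Zeek

# (endpoint, operation) pairs from "MITRE BZAR Indicators for Persistence".
PERSISTENCE_OPS: Set[Indicator] = {
    ("spoolss", "RpcAddMonitor"),
    ("spoolss", "RpcAddPrintProcessor"),
    ("IRemoteWinspool", "RpcAsyncAddMonitor"),
    ("IRemoteWinspool", "RpcAsyncAddPrintProcessor"),
    ("ISecLogon", "SeclCreateProcessWithLogonW"),
    ("ISecLogon", "SeclCreateProcessWithLogonExW"),
}

# (endpoint, operation) pairs from "MITRE BZAR Indicators for Execution".
# Zeek logs the AT service as endpoint "atsvc" with operation "JobAdd".
EXECUTION_OPS: Set[Indicator] = {
    ("atsvc", "JobAdd"),
    ("ITaskSchedulerService", "SchRpcEnableTask"),
    ("ITaskSchedulerService", "SchRpcRegisterTask"),
    ("ITaskSchedulerService", "SchRpcRun"),
    ("IWbemServices", "ExecMethod"),
    ("IWbemServices", "ExecMethodAsync"),
    ("svcctl", "CreateServiceA"),
    ("svcctl", "CreateServiceW"),
    ("svcctl", "StartServiceA"),
    ("svcctl", "StartServiceW"),
}

RULES: Dict[str, Set[Indicator]] = {
    "MITRE BZAR Indicators for Persistence": PERSISTENCE_OPS,
    "MITRE BZAR Indicators for Execution": EXECUTION_OPS,
}

# Assumed default column order of dce_rpc.log, used when no #fields header
# is present. Check the header of your own log before relying on it.
DEFAULT_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                  "id.resp_p", "rtt", "named_pipe", "endpoint", "operation"]


def parse_dce_rpc_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek ASCII dce_rpc.log text into one dict per record.

    Honors a "#fields" header, skips other "#" metadata lines, and tolerates
    short rows (missing trailing columns stay unset instead of raising).
    """
    fields = DEFAULT_FIELDS
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def evaluate_rules(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every record.

    Each rule's condition is "1 of op*": a record fires as soon as its
    (endpoint, operation) pair equals any one selection, so a record yields
    at most one hit per rule. Unset Zeek fields are "-" and never match.
    """
    hits = []
    for rec in records:
        pair = (rec.get("endpoint", "-"), rec.get("operation", "-"))
        for rule_name, indicators in RULES.items():
            if pair in indicators:
                hits.append({"rule": rule_name,
                             "src": rec.get("id.orig_h", "-"),
                             "dst": rec.get("id.resp_h", "-"),
                             "endpoint": pair[0], "operation": pair[1]})
    return hits


def _row(*cols: str) -> str:
    return "\t".join(cols)


# Constructed sample log (not a real capture): rows 2 and 5 are routine RPC
# housekeeping and must not fire; rows 1, 3, 4 and 6 each match one rule.
SAMPLE_DCE_RPC_LOG = "\n".join([
    _row("#fields", *DEFAULT_FIELDS),
    _row("1700000000.1", "CAbc01", "10.0.0.5", "49700", "10.0.0.20", "445", "0.001", "\\pipe\\atsvc", "atsvc", "JobAdd"),
    _row("1700000000.2", "CAbc02", "10.0.0.5", "49701", "10.0.0.20", "445", "0.001", "\\pipe\\svcctl", "svcctl", "OpenSCManagerW"),
    _row("1700000000.3", "CAbc03", "10.0.0.5", "49701", "10.0.0.20", "445", "0.001", "\\pipe\\svcctl", "svcctl", "CreateServiceW"),
    _row("1700000000.4", "CAbc04", "10.0.0.5", "49702", "10.0.0.21", "135", "0.002", "-", "ISecLogon", "SeclCreateProcessWithLogonW"),
    _row("1700000000.5", "CAbc05", "10.0.0.7", "49800", "10.0.0.22", "445", "0.001", "\\pipe\\spoolss", "spoolss", "RpcOpenPrinter"),
    _row("1700000000.6", "CAbc06", "10.0.0.7", "49801", "10.0.0.22", "135", "0.002", "-", "IWbemServices", "ExecMethod"),
])


def run_example() -> List[Dict[str, str]]:
    """Parse the constructed sample and return the rule hits in log order."""
    return evaluate_rules(parse_dce_rpc_log(SAMPLE_DCE_RPC_LOG))


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['rule']}: {hit['src']} -> {hit['dst']} "
              f"{hit['endpoint']}::{hit['operation']}")
```

The match is a plain equality on the (endpoint, operation) pair, which is exactly what the `1 of op*` condition reduces to for these rules; anything more (case folding, partial matches) would widen the rule beyond what the page states. On a live log the same two rows that stay silent here, `svcctl`/`OpenSCManagerW` and `spoolss`/`RpcOpenPrinter`, are the everyday traffic these indicators are meant to cut through.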