Create proc_creation_win_susp_NtlmRelay.yml
This commit is contained in:
Tobias Michalski
@@ -0,0 +1,30 @@
|
||||
title: Suspicious WebDav Client Execution
|
||||
id: bb76d96b-821c-47cf-944b-7ce377864492
|
||||
status: experimental
|
||||
description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
|
||||
author: Elastic (idea), Tobias Michalski
|
||||
references:
|
||||
- https://twitter.com/med0x2e/status/1520402518685200384
|
||||
- https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
|
||||
date: 2022/05/04
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: '\rundll32.exe'
|
||||
CommandLine|contains|all:
|
||||
- 'C:\windows\system32\davclnt.dll,DavSetCookie'
|
||||
- "http"
|
||||
CommandLine|contains:
|
||||
- "spoolss"
|
||||
- "srvsvc"
|
||||
- "/print/pipe/"
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.ta0004
|
||||
- attack.ta0006
|
||||
- attack.t1212
|
||||
Reference in New Issue
Block a user