Merge pull request #3452 from FabFaeb/master

Add rule: Repeated failed mounting of administrative share

rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml

@@ -0,0 +1,28 @@
+title: Failed Mounting of Hidden Share
+id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
+description: Detects repeated failed (outgoing) attempts to mount a hidden share
+author: Fabian Franz
+status: experimental
+level: medium
+references:
+    - https://twitter.com/moti_b/status/1032645458634653697
+    - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
+date: 2022/08/30
+modified: 2022/08/30
+logsource:
+    product: windows
+    service: smbclient-security
+detection:
+    selection:
+        EventID: 31010
+        ShareName|endswith: '$'
+    timeframe: 1m
+    condition: selection | count() > 10
+fields:
+    - ShareName
+falsepositives:
+    - Legitimate administrative activity
+    - Faulty scripts
+tags:
+    - attack.t1021.002
+    - attack.lateral_movement