From 3a020ce4997d0b1e05fae771ad215632d47071ff Mon Sep 17 00:00:00 2001
From: FabFaeb
Date: Wed, 31 Aug 2022 09:57:09 +0200
Subject: [PATCH 1/7] added "failed admin share mount" rule
---
 .../win_susp_failed_admin_share_mount.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
new file mode 100644
index 000000000..6d6470981
--- /dev/null
+++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
@@ -0,0 +1,28 @@
+title: Repeated failed mounting of administrative share
+id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
+description: Detects failed (outgoing) attempts to mount an administrative share
+author: Fabian Franz
+status: experimental
+level: medium
+references:
+ - https://twitter.com/moti_b/status/1032645458634653697
+ - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
+date: 2022/08/30
+modified: 2022/08/30
+logsource:
+ product: windows
+ service: smbclient-security
+detection:
+ selection:
+ EventID: 31010
+ ShareName|endswith: '$'
+ condition:
+ - selection | count() > 10
+fields:
+ - ShareName
+falsepositives:
+ - Legitimate administrative activity
+ - Faulty scripts
+tags:
+ - attack.t1021.002
+ - attack.lateral_movement
\ No newline at end of file
From df2ef5a2ee7c2a35d4cb93c45efd8f46a4bf8533 Mon Sep 17 00:00:00 2001
From: FabFaeb
Date: Wed, 31 Aug 2022 09:59:29 +0200
Subject: [PATCH 2/7] added missing newline
---
 .../builtin/smbclient/win_susp_failed_admin_share_mount.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
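Review bot: The aggregation `condition: selection | count() > 10` carries no `by` clause, so the threshold is evaluated over all matching events the backend returns rather than per originating host; a handful of stale mapped drives spread across a fleet can then exceed ten failures, while a single source failing against many servers, which is what the description targets, is not distinguished from that noise. Grouping the count by the source system, e.g. `condition: selection | count() by Computer > 10` (assuming the backend maps the Windows host field as `Computer`), keeps the threshold per host and makes the alert actionable. The same ungrouped aggregation is carried unchanged through the condition lines of patches 4, 6 and 7 of this series, so the change should be made once wherever the final version lands.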
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
index 6d6470981..2fbc5497e 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
@@ -25,4 +25,4 @@ falsepositives:
 - Faulty scripts
 tags:
 - attack.t1021.002
- - attack.lateral_movement
\ No newline at end of file
+ - attack.lateral_movement
From ab9e15f4563b899953b6b7ce628714ef00a2cfa4 Mon Sep 17 00:00:00 2001
From: FabFaeb
Date: Thu, 1 Sep 2022 17:05:32 +0200
Subject: [PATCH 3/7] fix title
---
 .../builtin/smbclient/win_susp_failed_admin_share_mount.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
index 2fbc5497e..d18cc79b7 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
@@ -1,6 +1,6 @@
-title: Repeated failed mounting of administrative share
+title: Failed Mounting of Administrative Share
 id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
-description: Detects failed (outgoing) attempts to mount an administrative share
+description: Detects repeated failed (outgoing) attempts to mount an administrative share
 author: Fabian Franz
 status: experimental
 level: medium
From 3d9d90f43efc41692047e3ca0ba527f87c78b1f1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 2 Sep 2022 17:24:28 +0200
Subject: [PATCH 4/7] Update win_susp_failed_admin_share_mount.yml
---
 .../smbclient/win_susp_failed_admin_share_mount.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
index d18cc79b7..9ff0745f6 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
@@ -1,12 +1,14 @@
-title: Failed Mounting of Administrative Share
+title: Multiple Failed Mount Attempts of Admin Share
 id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
 description: Detects repeated failed (outgoing) attempts to mount an administrative share
 author: Fabian Franz
 status: experimental
-level: medium
 references:
 - https://twitter.com/moti_b/status/1032645458634653697
 - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
+tags:
+ - attack.t1021.002
+ - attack.lateral_movement
 date: 2022/08/30
 modified: 2022/08/30
 logsource:
@@ -16,13 +18,10 @@ detection:
 selection:
 EventID: 31010
 ShareName|endswith: '$'
- condition:
- - selection | count() > 10
+ condition: selection | count() > 10
 fields:
 - ShareName
 falsepositives:
 - Legitimate administrative activity
 - Faulty scripts
-tags:
- - attack.t1021.002
- - attack.lateral_movement
+level: medium
From a8eb1ba9723ff94c8cd4bf7545ce393d24bc06af Mon Sep 17 00:00:00 2001
From: FabFaeb
Date: Wed, 7 Sep 2022 16:52:09 +0200
Subject: [PATCH 5/7] rename rule
---
 ...share_mount.yml => win_susp_failed_hidden_share_mount.yml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename rules/windows/builtin/smbclient/{win_susp_failed_admin_share_mount.yml => win_susp_failed_hidden_share_mount.yml} (91%)
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
similarity index 91%
rename from rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
rename to rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
index d18cc79b7..5b3c831e7 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
@@ -1,6 +1,6 @@
-title: Failed Mounting of Administrative Share
+title: Failed Mounting of Hidden Share
 id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
-description: Detects repeated failed (outgoing) attempts to mount an administrative share
+description: Detects repeated failed (outgoing) attempts to mount an hidden share
 author: Fabian Franz
 status: experimental
 level: medium
From 860c45a0380c0814f292831996864b10d36fc6bc Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 9 Sep 2022 17:07:45 +0200
Subject: [PATCH 6/7] added time frame
---
 .../builtin/smbclient/win_susp_failed_hidden_share_mount.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
index 1089f8c9c..ab736de4d 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
@@ -16,8 +16,8 @@ detection:
 selection:
 EventID: 31010
 ShareName|endswith: '$'
- condition:
- - selection | count() > 10
+ timeframe: 10m
+ condition: selection | count() > 10
 fields:
 - ShareName
 falsepositives:
From 92b6ba95e62d2d5514b39be94cdd60e9ef0861fd Mon Sep 17 00:00:00 2001
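Review bot: This rename hunk is cut against pre-image blob d18cc79b7, the post-image of patch 3, rather than 9ff0745f6 produced by patch 4, and its context still shows `level: medium` on line 6 where patch 4 had removed it; applied in series order it therefore drops patch 4's edits (the title, the key reordering and the `condition:` list-to-scalar fix), which appears to be why patch 6 has to re-apply the `condition` change on yet another base (1089f8c9c). The series should be rebased so each patch applies to the previous one's result, or patch 4 dropped explicitly, so reviewers can tell which version is intended. Separately, the new description reads "an hidden share"; it should be `description: Detects repeated failed (outgoing) attempts to mount a hidden share`.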
From: Florian Roth
Date: Fri, 16 Sep 2022 09:12:08 +0200
Subject: [PATCH 7/7] reduce the timeframe to 1min
---
 .../builtin/smbclient/win_susp_failed_hidden_share_mount.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
index ab736de4d..fd5cdf40b 100644
--- a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
+++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml
@@ -16,7 +16,7 @@ detection:
 selection:
 EventID: 31010
 ShareName|endswith: '$'
- timeframe: 10m
+ timeframe: 1m
 condition: selection | count() > 10
 fields:
 - ShareName
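Review bot: The rationale for `timeframe: 1m` together with `count() > 10` is recorded nowhere in the rule; the description only says "repeated", so an analyst tuning it cannot tell whether ten failures per minute was chosen to match a known tool's behaviour or simply to suppress noise. Stating the threshold in the description, e.g. `description: Detects more than 10 failed (outgoing) attempts to mount a hidden share within one minute`, and keeping it in sync with the numbers lets the threshold be reviewed together with the logic. Narrowing the window from 10m to 1m also means slower runs of failures no longer reach the threshold; if that trade-off against false positives is intentional, a short comment above `timeframe` should say so. The enclosing `detection` mapping begins before the hunk.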