security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity
Files
23a9f98eae7ed0c3ceb77485202f65da03321ccb
blue-team-tools/rules-unsupported/windows/win_susp_failed_hidden_share_mount.yml
T
Nasreddine Bencherchali 23a9f98eae chore: move more rules
2023-04-21 15:00:36 +02:00

29 lines
840 B
YAML
Raw Blame History

title: Failed Mounting of Hidden Share
id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
status: unsupported
description: Detects repeated failed (outgoing) attempts to mount a hidden share
references:
- https://twitter.com/moti_b/status/1032645458634653697
- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
author: Fabian Franz
date: 2022/08/30
modified: 2023/02/24
tags:
- attack.t1021.002
- attack.lateral_movement
logsource:
product: windows
service: smbclient-security
detection:
selection:
EventID: 31010
ShareName|endswith: '$'
timeframe: 1m
condition: selection | count() > 10
fields:
- ShareName
falsepositives:
- Legitimate administrative activity
- Faulty scripts
level: medium
Reference in New Issue View Git Blame Copy Permalink