security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
T
phantinuss b23eee6ebf fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00

31 lines
1.1 KiB
YAML
Raw Blame History

title: Remote Schedule Task Lateral Movement via SASec
id: 0a3ff354-93fc-4273-8a03-1078782de5b7
description: Detects remote RPC calls to read information about scheduled tasks via SASec
references:
- https://attack.mitre.org/tactics/TA0007/
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
status: experimental
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2022/01/01
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
filter:
OpNum:
- 0
- 1
condition: selection and not filter
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink