itiB
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
|
|
title: Lateral Movement Indicator ConDrv
|
|
ruletype: Sigma
|
|
author: Janantha Marasinghe
|
|
date: 2021/04/27
|
|
description: This event was observed on the target host during lateral movement. The
|
|
process name within the event contains the process spawned post compromise. Account
|
|
Name within the event contains the compromised user account name. This event should
|
|
to be correlated with 4624 and 4688 for further intrusion context.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 4674
|
|
SELECTION_2:
|
|
ObjectServer: Security
|
|
SELECTION_3:
|
|
ObjectType: File
|
|
SELECTION_4:
|
|
ObjectName: \Device\ConDrv
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
|
|
falsepositives:
|
|
- legal admin action
|
|
- Penetration tests where lateral movement has occurred. This event will be created
|
|
on the target host.
|
|
id: 29d31aee-30f4-4006-85a9-a4a02d65306c
|
|
level: low
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
modified: 2021/12/09
|
|
references:
|
|
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
|
|
- https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
|
|
status: deprecated
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.execution
|
|
- attack.t1021
|
|
- attack.t1059
|