Sigma rules for CVE-2018-7886
3 rules · scoped to cve
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
Detection rules
direct · high
Mimikatz DC Sync
Detects Mimikatz DC sync security events
Sigma YAML:
title: Mimikatz DC Sync
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
status: test
description: Detects Mimikatz DC sync security events
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
date: 2018-06-03
modified: 2022-04-26
tags:
    - attack.credential-access
    - attack.s0002
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - 'Replicating Directory Changes All'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '9923a32a-3607-11d2-b9be-0000f87a36b2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
        AccessMask: '0x100'
    filter1:
        SubjectDomainName: 'Window Manager'
    filter2:
        SubjectUserName|startswith:
            - 'NT AUT'
            - 'MSOL_'
    filter3:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter*
falsepositives:
    - Valid DC Sync that is not covered by the filters; please report
    - Local Domain Admin account used for Azure AD Connect
level: high
direct · medium
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Sigma YAML:
title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: test
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2024-03-12
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\mobsync.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
direct · medium
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Sigma YAML:
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file
falsepositives:
    - Unknown
level: medium
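To make the three conditions above concrete (selection ANDed with negated filters in the first two rules, a positively used "filter" in the third), here is an added example that is not part of this page or of the Sigma project: a minimal, hand-written matcher for the contains, startswith, endswith and cidr modifiers, run over constructed sample events. Event field names mirror the Sigma field names, the logsource string per event is an assumed convention of this example, and all sample values (user names, file paths, the 203.0.113.10 documentation address) are constructed. A real deployment would instead compile the rules with pySigma or the sigma CLI for the target backend.

```python
"""Toy evaluator for the three Sigma rules on this page (added example, not project code)."""
import ipaddress


def match_field(event, field_spec, expected):
    """Apply one Sigma field/modifier pair; string matching is case-insensitive like Sigma."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:                      # missing field never matches
        return False
    wanted = expected if isinstance(expected, list) else [expected]
    v = str(value).lower()
    if modifier == "":
        return any(v == str(w).lower() for w in wanted)
    if modifier == "contains":
        return any(str(w).lower() in v for w in wanted)
    if modifier == "startswith":
        return any(v.startswith(str(w).lower()) for w in wanted)
    if modifier == "endswith":
        return any(v.endswith(str(w).lower()) for w in wanted)
    if modifier == "cidr":
        try:
            ip = ipaddress.ip_address(str(value))
        except ValueError:                 # malformed address: treat as not in range
            return False
        return any(ip in ipaddress.ip_network(w, strict=False) for w in wanted)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_map(event, mapping):
    """All keys inside one selection/filter map are ANDed."""
    return all(match_field(event, k, v) for k, v in mapping.items())


# Rule logic transcribed from the page's YAML; 'logsource' is this example's own shorthand.
RULES = [
    {
        "title": "Mimikatz DC Sync", "logsource": "windows/security",
        "selection": {
            "EventID": 4662,
            "Properties|contains": [
                "Replicating Directory Changes All",
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                "9923a32a-3607-11d2-b9be-0000f87a36b2", "89e95b76-444d-4c62-991a-0facbeda640c",
            ],
            "AccessMask": "0x100",
        },
        "filters": [{"SubjectDomainName": "Window Manager"},
                    {"SubjectUserName|startswith": ["NT AUT", "MSOL_"]},
                    {"SubjectUserName|endswith": "$"}],
        "filters_negated": True,   # condition: selection and not 1 of filter*
    },
    {
        "title": "Microsoft Sync Center Suspicious Network Connections",
        "logsource": "windows/network_connection",
        "selection": {"Image|endswith": "\\mobsync.exe"},
        "filters": [{"DestinationIp|cidr": ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                                            "192.168.0.0/16", "169.254.0.0/16",
                                            "::1/128", "fe80::/10", "fc00::/7"]}],
        "filters_negated": True,   # condition: selection and not 1 of filter_main_*
    },
    {
        "title": "Created Files by Microsoft Sync Center", "logsource": "windows/file_event",
        "selection": {"Image|endswith": "\\mobsync.exe"},
        "filters": [{"TargetFilename|endswith": [".dll", ".exe"]}],
        "filters_negated": False,  # condition: selection_mobsync and filter_created_file
    },
]


def evaluate(rule, event):
    """'1 of filter*' is an OR over filter maps; negate it or require it per the condition."""
    if rule["logsource"] != event.get("logsource") or not match_map(event, rule["selection"]):
        return False
    any_filter = any(match_map(event, f) for f in rule["filters"])
    return (not any_filter) if rule["filters_negated"] else any_filter


def run_rules(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if evaluate(r, ev)]


# Constructed sample events (not real telemetry).
MOBSYNC = "C:\\Windows\\System32\\mobsync.exe"
DCSYNC_BASE = {"logsource": "windows/security", "EventID": 4662, "AccessMask": "0x100",
               "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "SubjectDomainName": "CORP"}
SAMPLE_EVENTS = [
    {**DCSYNC_BASE, "SubjectUserName": "jdoe"},          # 0: ordinary user replicating -> fires
    {**DCSYNC_BASE, "SubjectUserName": "DC02$"},         # 1: DC computer account -> filter3
    {**DCSYNC_BASE, "SubjectUserName": "MSOL_1a2b3c"},   # 2: Azure AD Connect account -> filter2
    {"logsource": "windows/network_connection", "Image": MOBSYNC, "DestinationIp": "203.0.113.10"},  # 3: fires
    {"logsource": "windows/network_connection", "Image": MOBSYNC, "DestinationIp": "10.20.30.40"},   # 4: RFC1918
    {"logsource": "windows/file_event", "Image": MOBSYNC, "TargetFilename": "C:\\Users\\Public\\helper.dll"},  # 5: fires
    {"logsource": "windows/file_event", "Image": MOBSYNC, "TargetFilename": "C:\\Users\\jdoe\\sync.log"},       # 6: no
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The logsource check is what keeps the two mobsync rules from firing on each other's event categories: without it, the network rule's negated filter would evaluate to true on a file event that simply lacks a DestinationIp field, a failure mode worth remembering when translating Sigma rules by hand into a SIEM query language.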