BIOC-PetitPotam-Authentication-Coercer.bioc
57434055d9d9152bba3da822dc54991a
[{"rule_id":388,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1683118061196,"modify_time":1694168591898,"severity":"SEV_040_HIGH","source":"frank.bussink@e-xpertsolutions.com","comment":"SCRT BIOC to detect MS-EFSR RPC calls","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"f6473e3c9013984ff967251d17884890","indicator_text":"dataset = xdr_data \r\n| filter EVENT_TYPE = RPC_CALL\r\n| filter event_rpc_interface_uuid = \"{C681D488-D850-11D0-8C52-00C04FD90F7E}\" \r\n| filter ((action_rpc_func_opnum = 0) or (action_rpc_func_opnum = 4) or (action_rpc_func_opnum = 5) or (action_rpc_func_opnum = 6) or (action_rpc_func_opnum = 7) or (action_rpc_func_opnum = 8) or (action_rpc_func_opnum = 9) or (action_rpc_func_opnum = 12) or (action_rpc_func_opnum = 13) or(action_rpc_func_opnum = 15)) ","name":"BIOC-PetitPotam-Authentication-Coercer","mitre_technique_id_and_name":"T1003 - OS Credential Dumping","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$EVENT_TYPE\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$RPC_CALL\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_rpc_interface_uuid\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"{C681D488-D850-11D0-8C52-00C04FD90F7E}\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 0, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 4, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", 
\"OPERATOR\": \"EQ\", \"RIGHT\": 5, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 6, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 7, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 8, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 9, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 12, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 13, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 15, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1694168591976,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}]