00de32ae2b959e17d36946a2d0c5d687
[{"rule_id":535,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1658397007681,"modify_time":1658410787888,"severity":"SEV_020_LOW","source":"frank.bussink@scrt.ch","comment":"SCRT BIOC to detect MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"2b19fe216d6e1efff594f0453f07dc67","indicator_text":"dataset = xdr_data \r\n| filter EVENT_TYPE = RPC_CALL\r\n| filter event_rpc_interface_uuid = \"{12345678-1234-ABCD-EF00-0123456789AB}\" \r\n| filter ((action_rpc_func_opnum = 65) ) ","name":"SCRT-PetitPotam-Spoolss-Authentication-Coercer","mitre_technique_id_and_name":"","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$EVENT_TYPE\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$RPC_CALL\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_rpc_interface_uuid\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"{12345678-1234-ABCD-EF00-0123456789AB}\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 65, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1658404769097}]