SigmaHQ/rules/windows/builtin/win_admin_share_access.yml

title: Access to ADMIN$ Share
description: Detects access to $ADMIN share
tags:
    - attack.lateral_movement
    - attack.t1077
status: experimental
author: Florian Roth
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5140
        ShareName: Admin$
    filter:
        SubjectUserName: '*$'
    condition: selection and not filter
falsepositives: 
    - Legitimate administrative activity
level: low
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`title: Access to ADMIN$ Share`
Rule: Fixed missing description 2018-06-08 09:38:27 +00:00			`description: Detects access to $ADMIN share`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.lateral_movement`
			`- attack.t1077`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`status: experimental`
			`author: Florian Roth`
			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`detection:`
			`selection:`
Bugfixes and improvements 2017-03-21 09:24:20 +00:00			`EventID: 5140`
			`ShareName: Admin$`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`filter:`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`SubjectUserName: '*$'`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`condition: selection and not filter`
			`falsepositives:`
			`- Legitimate administrative activity`
			`level: low`