← Back to Explore
sigmahighHunting
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Detection Query
selection_redirect:
CommandLine|contains: ">"
selection_share:
CommandLine|contains:
- \\\\127.0.0.1\\admin$\\
- \\\\localhost\\admin$\\
condition: all of selection_*
Author
Florian Roth (Nextron Systems)
Created
2022-01-16
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.exfiltrationattack.t1048
Raw Content
title: Suspicious Redirection to Local Admin Share
id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: test
description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
references:
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-01-16
modified: 2023-12-28
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection_redirect:
CommandLine|contains: '>'
selection_share:
CommandLine|contains:
- '\\\\127.0.0.1\\admin$\\'
- '\\\\localhost\\admin$\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high