
Summary
This detection rule identifies potential SMB relay attacks that use the RemoteKrbRelay exploit module. Specifically, it detects the creation of temporary files named 'sam.tmp', 'sec.tmp', or 'sys.tmp' in the Windows temp directory, which are commonly associated with this type of attack. The rule inspects file events at the operating system level to catch unauthorized or suspicious activity tied to these known file names during the execution of SMB relay attacks. It therefore helps monitor and protect systems against the impersonation and data capture techniques adversaries employ.
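The following is an added example, not part of this rule page or of any vendor's rule content, showing how the file-name logic described above can be applied to file-creation telemetry. It assumes Sysmon-style file-create events (Event ID 11 with a TargetFilename field) and takes "the Windows temp directory" to mean C:\Windows\Temp; both are assumptions, and the sample events are constructed, not real telemetry. Matching is case-insensitive because NTFS paths are, and only files created directly in that directory (not in subdirectories) are flagged, which mirrors the wording of the rule.

```python
import re
from typing import Dict, List

# The three file names the rule looks for (taken from the rule summary).
SUSPECT_NAMES = {"sam.tmp", "sec.tmp", "sys.tmp"}

# Assumption: "the Windows temp directory" is <drive>:\Windows\Temp.
# Matched case-insensitively because NTFS path comparison is case-insensitive.
TEMP_DIR_PATTERN = re.compile(r"[a-z]:\\windows\\temp", re.IGNORECASE)


def is_suspect_temp_file(path: str) -> bool:
    """True if `path` is sam.tmp / sec.tmp / sys.tmp created directly in the Windows temp directory."""
    normalized = path.replace("/", "\\")          # tolerate forward slashes in logs
    directory, _, name = normalized.rpartition("\\")
    # fullmatch (not match) so that subdirectories of Temp do not match.
    return bool(TEMP_DIR_PATTERN.fullmatch(directory)) and name.lower() in SUSPECT_NAMES


def match_events(events: List[Dict]) -> List[Dict]:
    """Return the file-create events (assumed Sysmon EID 11 shape) that the rule would flag."""
    return [
        e for e in events
        if e.get("EventID") == 11 and is_suspect_temp_file(e.get("TargetFilename", ""))
    ]


def describe(event: Dict) -> str:
    """One-line triage summary: which process wrote which file, so an analyst can pivot on the image."""
    return f"{event.get('Image', '<unknown image>')} created {event['TargetFilename']}"


# Constructed sample events; process names and paths are placeholders, not observed data.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Tools\\relay.exe",
     "TargetFilename": "C:\\Windows\\Temp\\sam.tmp"},                    # flagged
    {"EventID": 11, "Image": "C:\\Tools\\relay.exe",
     "TargetFilename": "c:\\windows\\temp\\SEC.TMP"},                    # flagged (case differs)
    {"EventID": 11, "Image": "C:\\Tools\\relay.exe",
     "TargetFilename": "C:/Windows/Temp/sys.tmp"},                       # flagged (forward slashes)
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\update.tmp"},                 # benign name, not flagged
    {"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\sam.tmp"},  # user temp, not the Windows temp dir
    {"EventID": 11, "Image": "C:\\Tools\\relay.exe",
     "TargetFilename": "C:\\Windows\\Temp\\sub\\sam.tmp"},               # subdirectory, not flagged
    {"EventID": 1, "Image": "C:\\Tools\\relay.exe",
     "TargetFilename": "C:\\Windows\\Temp\\sam.tmp"},                    # not a file-create event
]


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("ALERT:", describe(hit))
```

The `fullmatch` on the parent directory is the deliberate design choice here: it keeps the scope to exactly what the rule states, so an operator who wants to widen coverage to per-user temp directories does so explicitly by changing `TEMP_DIR_PATTERN` rather than by accident.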
Categories
- Endpoint
- Windows
Data Sources
- File
Created: 2024-06-27