← Library
splApache-2.0from splunk/security_content

Powershell Enable SMB1Protocol Feature

The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.

Quality
51
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/powershell_enable_smb1protocol_feature.yml
`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_enable_smb1protocol_feature_filter`