Expand File Over Admin Share

Rule Info

Name
Expand File Over Admin Share
Author
MalGamy (Nextron System)
Description
Detects the use of the expand command to extract files located on an administrative share, potentially used for lateral movement or staging files.
Date
2024-11-10 00:00:00
Modified
None
Id
5f6e3b6c-9ab2-4b7e-b5bc-13a9e02753d4
Tags
attack.execution attack.t1071
Type
Nextron Sigma feed only (private)

Rule History