Powershell Enable Smb1Protocol Feature

Description

This search detects suspicious enabling of the SMB1Protocol feature through "powershell.exe". This technique was seen in some ransomware (such as reddot), which enables SMB shares in order to move laterally and encrypt other files within the compromised network.

Powershell Enable Smb1Protocol Feature Help

To successfully implement this search, you need to be ingesting PowerShell logs from your endpoints. Make sure you enable the registry settings needed to monitor this event.
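
One way to express this detection outside the search language, as an added example that is not the page's own search: it scans PowerShell script block logging events for commands that turn SMB1 on. The Event ID 4104 source, the field names and the sample events are assumptions of this example, and the `Set-SmbServerConfiguration` rule goes beyond the optional-feature case the page names.

```python
import re

# Assumption: events are PowerShell script block logging records (Event ID 4104)
# parsed into dicts; the field names used here are chosen for this example.
RULES = [
    # Optional-feature route: covers SMB1Protocol, SMB1Protocol-Client, -Server.
    ("enable_optional_feature", re.compile(
        r"\bEnable-WindowsOptionalFeature\b[^;|\n]*\bSMB1Protocol", re.I)),
    # Server-configuration route; only an explicit $true counts as enabling.
    ("set_smb_server_config", re.compile(
        r"\bSet-SmbServerConfiguration\b[^;|\n]*-EnableSMB1Protocol[\s:]*\$true",
        re.I)),
]

def find_smb1_enable(events):
    """Return (host, rule, matched_command) for each event that turns SMB1 on."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # not a script block logging record
        text = ev.get("ScriptBlockText", "")
        for rule, pattern in RULES:
            match = pattern.search(text)
            if match:
                hits.append((ev.get("Computer", "unknown"), rule, match.group(0)))
    return hits

# Constructed sample events (not taken from any real host).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws-014", "ScriptBlockText":
        "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All -NoRestart"},
    {"EventID": 4104, "Computer": "ws-015", "ScriptBlockText":
        "enable-windowsoptionalfeature -online -featurename smb1protocol-server"},
    {"EventID": 4104, "Computer": "fs-02", "ScriptBlockText":
        "Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force"},
    {"EventID": 4104, "Computer": "ws-020", "ScriptBlockText":
        "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    {"EventID": 4104, "Computer": "ws-021", "ScriptBlockText":
        "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    {"EventID": 4104, "Computer": "fs-03", "ScriptBlockText":
        "Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force"},
]

if __name__ == "__main__":
    for host, rule, command in find_smb1_enable(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {command}")
```

Commands that disable or only query the feature are deliberately left out of the results, so the output can be triaged as enablement events only.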
