```yaml
title: Anonymous Share Staging (Null-Session Payload Pull)
id: edr-win-lat-anon-share-pull
status: experimental
description: >
  Detects the inverted SMB staging pattern documented in Check Point's DFIR report on
  TheGentlemen (April 2026). Rather than push payloads to target admin shares via
  net use /user:, the operator creates a share on the source host, grants anonymous
  access, and lets targets pull the payload through one of the four code-execution
  primitives (WMI, Task Scheduler, SCM, WinRM). The source-side staging sequence
  combines a share creation with Everyone:FULL, an icacls grant to ANONYMOUS LOGON,
  and two registry modifications that enable null-session share access and anonymous
  inclusion. Legitimate enterprise Windows virtually never enables null-session share
  access.
references:
  - https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
  - https://attack.mitre.org/techniques/T1135/
  - https://attack.mitre.org/techniques/T1021/002/
author: ShroudCloud
date: 2026/04/20
tags:
  - attack.lateral_movement
  - attack.defense_evasion
  - attack.t1021.002
  - attack.t1135
logsource:
  category: process_creation
  product: windows
detection:
  selection_anon_icacls:
    Image|endswith: '\icacls.exe'
    CommandLine|contains|all:
      - 'ANONYMOUS LOGON'
      - ':F'
  selection_null_session_reg:
    Image|endswith:
      - '\reg.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'LanmanServer\Parameters'
      - 'NullSessionShares'
  selection_everyone_anon_reg:
    Image|endswith:
      - '\reg.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'Control\Lsa'
      - 'EveryoneIncludesAnonymous'
  selection_net_share_everyone:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
    # net share only accepts READ, CHANGE or FULL after /GRANT:user, so match the
    # literal FULL; a single-character 'F' term would match nearly every command line.
    CommandLine|contains|all:
      - 'share'
      - '/GRANT:Everyone'
      - 'FULL'
  condition: 1 of selection_*
level: high
falsepositives:
  - Legacy SMB1 environments with intentional null-session shares (extremely rare; should be baselined and excluded explicitly if present)
  - Legitimate share creation with Everyone:FULL for a transient file drop (typically limited to known helpdesk/admin workflows — baseline)
```

## Detection Logic Notes

### Severity tiers by co-occurrence

A single-signal match (`1 of selection_*`) is the entry threshold — individually suspicious, worth review. But the real signal is **co-occurrence within a short window**:

| Signals within 120s on same host | Severity | Rationale |
|---|---|---|
| 1 | High (as written) | Could be legitimate-but-unusual admin action |
| 2 | Critical | Pattern match to known ransomware staging |
| 3+ | P0 (ransomware in progress) | Exact TheGentlemen signature — the three-command prep sequence |

The Sigma rule alone cannot express the multi-signal correlation cleanly — implement the 2+ and 3+ tiers as a SIEM correlation rule on top of this rule's output.

### Recommended correlation rule (SIEM-layer)

```
FROM edr-win-lat-anon-share-pull alerts
GROUP BY source_host WITHIN 120s
IF distinct_signal_types >= 2 THEN severity = CRITICAL
IF distinct_signal_types >= 3 THEN severity = P0, AUTO_ESCALATE
```

Where `signal_type` = which of the four `selection_*` sub-rules fired.

### Why this is near-zero false positive

Legitimate enterprise Windows virtually never:

1. Grants `ANONYMOUS LOGON` full access to a share (`icacls ... "ANONYMOUS LOGON":F`)
2. Registers a share in `NullSessionShares` (legacy SMB1 feature effectively dead since ~2015)
3. Sets `EveryoneIncludesAnonymous = 1` in LSA (reverses a post-2003 default hardening)

Any one of these is a material security regression. All three in sequence is operator tradecraft.

### Complementary detection

Pair with a network-side rule that flags inbound null-session SMB connections to internal workstations — if anonymous share staging is succeeding, targets will connect to the source with null credentials to fetch the payload. That's a dead-simple signature on the DC auth side (Logon Type 3 with empty username/domain).
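The severity-tier table and the SIEM-layer correlation pseudocode above describe one procedure: classify each process_creation event against the four `selection_*` sub-rules, then count distinct signal types per host inside a 120-second window. The following Python is an added illustration written for these notes; it is not part of the Sigma rule, of a SIEM product, or of Check Point's report. The event field names (`host`, `ts`, `Image`, `CommandLine`) and the sample events are constructed assumptions; the substring logic mirrors the rule's case-insensitive `contains` / `endswith` modifiers.

```python
"""Added example: host-side correlation of the four selection_* signals.

Illustrative code for this write-up only. Event dicts and the sample log
below are constructed; field names are assumptions, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The four selections from the Sigma rule as
# (name, accepted Image suffixes, CommandLine substrings that must all appear).
SELECTIONS = [
    ("selection_anon_icacls", ("\\icacls.exe",),
     ("ANONYMOUS LOGON", ":F")),
    ("selection_null_session_reg", ("\\reg.exe", "\\powershell.exe", "\\pwsh.exe"),
     ("LanmanServer\\Parameters", "NullSessionShares")),
    ("selection_everyone_anon_reg", ("\\reg.exe", "\\powershell.exe", "\\pwsh.exe"),
     ("Control\\Lsa", "EveryoneIncludesAnonymous")),
    ("selection_net_share_everyone", ("\\net.exe", "\\net1.exe"),
     ("share", "/GRANT:Everyone", "FULL")),
]

WINDOW = timedelta(seconds=120)  # the "WITHIN 120s" of the correlation rule


def signal_type(event):
    """Return the selection name an event matches, or None.

    Sigma string modifiers are case-insensitive, so compare lower-cased.
    """
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    for name, suffixes, needles in SELECTIONS:
        if any(image.endswith(s.lower()) for s in suffixes) and all(
            n.lower() in cmd for n in needles
        ):
            return name
    return None


def severity_for(distinct_signals):
    """Map the distinct-signal count to the tier table in the notes."""
    if distinct_signals >= 3:
        return "P0"
    if distinct_signals == 2:
        return "CRITICAL"
    if distinct_signals == 1:
        return "HIGH"
    return None


def correlate(events):
    """Per host, slide a 120s window over matched events; report the highest tier."""
    per_host = defaultdict(list)
    for ev in events:
        st = signal_type(ev)
        if st:
            per_host[ev["host"]].append((ev["ts"], st))
    results = {}
    for host, hits in per_host.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            kinds = {st for t, st in hits[i:] if t - t0 <= WINDOW}
            best = max(best, len(kinds))
        results[host] = {
            "distinct_signals": best,
            "severity": severity_for(best),
            "auto_escalate": best >= 3,
        }
    return results


def _t(seconds):
    return datetime(2026, 4, 20, 9, 0, 0) + timedelta(seconds=seconds)


# Constructed sample telemetry (not real logs). WS-SRC-01 runs the staging
# sequence inside one minute; WS-ADM-07 runs one suspicious icacls; WS-BENIGN
# creates a share with READ only; WS-SLOW has two signals five minutes apart.
SAMPLE_EVENTS = [
    {"host": "WS-SRC-01", "ts": _t(0), "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net share stage=C:\stage /GRANT:Everyone,FULL"},
    {"host": "WS-SRC-01", "ts": _t(15), "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls C:\stage /grant "ANONYMOUS LOGON":F /T'},
    {"host": "WS-SRC-01", "ts": _t(40), "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v NullSessionShares /t REG_MULTI_SZ /d stage /f"},
    {"host": "WS-SRC-01", "ts": _t(55), "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f"},
    {"host": "WS-ADM-07", "ts": _t(10), "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls D:\drop /grant "ANONYMOUS LOGON":F'},
    {"host": "WS-BENIGN", "ts": _t(20), "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net share docs=C:\docs /GRANT:Everyone,READ"},
    {"host": "WS-SLOW", "ts": _t(0), "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v NullSessionShares /d x /f"},
    {"host": "WS-SLOW", "ts": _t(300), "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls C:\x /grant "ANONYMOUS LOGON":F'},
]

if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Running it yields P0 with auto-escalation for WS-SRC-01, HIGH for WS-ADM-07, nothing for WS-BENIGN (READ-only grant never matches the rule), and only HIGH for WS-SLOW because its two signals fall outside the 120s window. A production implementation would emit one alert per window rather than a per-host summary, but the distinct-signal-count logic is the part that matters.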
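For the complementary network-side signal in the last section (Logon Type 3 with a null credential), here is an added Python sketch of the check over Windows 4624 logon events; it is illustrative code for these notes, not a vendor rule. The event dicts are constructed, and the field names mirror 4624's `LogonType`, `TargetUserName`, `TargetDomainName`, `IpAddress` and the record's `Computer`. It treats an empty `TargetUserName` (as the notes describe) and the literal `ANONYMOUS LOGON` (how Windows commonly records null sessions) as null credentials, and additionally reports fan-out, i.e. how many distinct clients reached the same host anonymously, which is the shape a successful pull-based staging would produce.

```python
"""Added example: flag null-session network logons in 4624 events and
measure fan-out per target host.

Illustrative code for this write-up only; events below are constructed.
"""
from collections import defaultdict

# Assumption: a null credential shows up as an empty/blank TargetUserName or as
# the literal ANONYMOUS LOGON account. Comparison is case-insensitive.
NULL_USERS = {"", "-", "ANONYMOUS LOGON"}
NETWORK_LOGON = 3


def is_null_session_logon(ev):
    """True for a 4624 network logon carrying no real user identity."""
    return (
        ev.get("EventID") == 4624
        and ev.get("LogonType") == NETWORK_LOGON
        and ev.get("TargetUserName", "").strip().upper() in NULL_USERS
    )


def null_session_fanout(events):
    """Map each host that accepted an anonymous network logon to the
    sorted list of distinct client IPs that reached it."""
    fan = defaultdict(set)
    for ev in events:
        if is_null_session_logon(ev):
            fan[ev["Computer"]].add(ev["IpAddress"])
    return {host: sorted(ips) for host, ips in fan.items()}


def hosts_over_threshold(events, min_clients=2):
    """Hosts reached anonymously by at least `min_clients` distinct clients."""
    return sorted(
        host for host, ips in null_session_fanout(events).items()
        if len(ips) >= min_clients
    )


# Constructed sample 4624 records (not real telemetry). Three workstations hit
# WS-SRC-01 anonymously; one normal user logon and one interactive logon are
# included to show they are ignored.
SAMPLE_LOGONS = [
    {"EventID": 4624, "Computer": "WS-SRC-01", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "IpAddress": "10.10.1.21"},
    {"EventID": 4624, "Computer": "WS-SRC-01", "LogonType": 3,
     "TargetUserName": "", "TargetDomainName": "",
     "IpAddress": "10.10.1.22"},
    {"EventID": 4624, "Computer": "WS-SRC-01", "LogonType": 3,
     "TargetUserName": "anonymous logon", "TargetDomainName": "NT AUTHORITY",
     "IpAddress": "10.10.1.23"},
    {"EventID": 4624, "Computer": "WS-SRC-01", "LogonType": 3,
     "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "IpAddress": "10.10.1.24"},
    {"EventID": 4624, "Computer": "FS-01", "LogonType": 2,
     "TargetUserName": "", "TargetDomainName": "",
     "IpAddress": "127.0.0.1"},
]

if __name__ == "__main__":
    print(null_session_fanout(SAMPLE_LOGONS))
    print(hosts_over_threshold(SAMPLE_LOGONS))
```

On the constructed sample, WS-SRC-01 is the only host reported, with three distinct anonymous clients; the `jdoe` logon and the Logon Type 2 record do not count. Joining this output to the process-creation rule on the host name (the share source should be the host receiving the anonymous logons) is the cheapest way to raise confidence before the P0 escalation fires.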