```yaml
title: Anonymous Share Staging (Null-Session Payload Pull)
id: edr-win-lat-anon-share-pull
status: experimental
description: >
    Detects the inverted SMB staging pattern documented in Check Point's DFIR on
    TheGentlemen (April 2026). Rather than push payloads to target admin shares
    via net use /user:, the operator creates a share on the source host, grants
    anonymous access, and lets targets pull the payload through one of the four
    code-execution primitives (WMI, Task Scheduler, SCM, WinRM). The source-side
    staging sequence combines a share creation with Everyone:FULL, an icacls
    grant to ANONYMOUS LOGON, and two registry modifications that enable
    null-session share access and anonymous inclusion. Legitimate enterprise
    Windows virtually never enables null-session share access.
references:
    - https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
    - https://attack.mitre.org/techniques/T1135/
    - https://attack.mitre.org/techniques/T1021/002/
author: ShroudCloud
date: 2026/04/20
tags:
    - attack.lateral_movement
    - attack.defense_evasion
    - attack.t1021.002
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    # icacls grant of Full control to the ANONYMOUS LOGON principal
    selection_anon_icacls:
        Image|endswith: '\icacls.exe'
        CommandLine|contains|all:
            - 'ANONYMOUS LOGON'
            - ':F'
    # Registering a share for null-session access (LanmanServer\Parameters\NullSessionShares)
    selection_null_session_reg:
        Image|endswith:
            - '\reg.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'LanmanServer\Parameters'
            - 'NullSessionShares'
    # Folding anonymous into Everyone (Control\Lsa\EveryoneIncludesAnonymous)
    selection_everyone_anon_reg:
        Image|endswith:
            - '\reg.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Control\Lsa'
            - 'EveryoneIncludesAnonymous'
    # Share creation with Everyone:FULL; net share grants use /GRANT:user,perm
    # where perm is READ, CHANGE or FULL, so match the FULL keyword itself
    selection_net_share_everyone:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains|all:
            - 'share'
            - '/GRANT:Everyone'
            - 'FULL'
    condition: 1 of selection_*
level: high
falsepositives:
    - Legacy SMB1 environments with intentional null-session shares (extremely rare; should be baselined and excluded explicitly if present)
    - Legitimate share creation with Everyone:FULL for a transient file drop (typically limited to known helpdesk/admin workflows; baseline these)
```
## Detection Logic Notes
### Severity tiers by co-occurrence
Single-signal match (`1 of selection_*`) is the entry threshold — individually suspicious, worth review. But the real signal is **co-occurrence within a short window**:
| Signals within 120s on same host | Severity | Rationale |
|---|---|---|
| 1 | High (as written) | Could be legitimate-but-unusual admin action |
| 2 | Critical | Pattern match to known ransomware staging |
| 3+ | P0 (ransomware in progress) | Exact TheGentlemen signature — the three-command prep sequence |
The Sigma rule alone cannot express the multi-signal correlation cleanly — implement the 2+ and 3+ tiers as a SIEM correlation rule on top of this rule's output.
### Recommended correlation rule (SIEM-layer)
```
FROM edr-win-lat-anon-share-pull alerts
GROUP BY source_host
WITHIN 120s
IF distinct_signal_types >= 2 THEN severity = CRITICAL
IF distinct_signal_types >= 3 THEN severity = P0, AUTO_ESCALATE
```
Where `signal_type` = which of the four `selection_*` sub-rules fired.
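The correlation tier logic above, worked through in Python as an added example (not part of the rule or the Check Point report). It assumes the Sigma rule's alerts arrive as `(host, timestamp, signal_type)` tuples; the alert records below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample output of the Sigma rule: (source_host, ISO timestamp, selection that fired).
# ws-finance-07 shows the full three-plus-command prep sequence inside two minutes;
# srv-files-02 shows a single sub-rule firing twice, hours apart (one signal type only).
SAMPLE_ALERTS = [
    ("ws-finance-07", "2026-04-18T03:12:05", "selection_net_share_everyone"),
    ("ws-finance-07", "2026-04-18T03:12:41", "selection_anon_icacls"),
    ("ws-finance-07", "2026-04-18T03:13:30", "selection_null_session_reg"),
    ("ws-finance-07", "2026-04-18T03:13:52", "selection_everyone_anon_reg"),
    ("srv-files-02", "2026-04-18T09:00:00", "selection_net_share_everyone"),
    ("srv-files-02", "2026-04-18T11:45:00", "selection_net_share_everyone"),
]

WINDOW_SECONDS = 120  # the page's correlation window


def severity_for(distinct_signals: int) -> str:
    """Map distinct selection_* sub-rules seen in one window to the page's tier table."""
    if distinct_signals >= 3:
        return "P0"        # page: P0 + AUTO_ESCALATE
    if distinct_signals >= 2:
        return "CRITICAL"
    return "HIGH"          # single signal: the rule's own level


def correlate(alerts, window=WINDOW_SECONDS):
    """Return {host: (severity, sorted distinct signal types)} using the best
    sliding window of at most `window` seconds over each host's alerts."""
    by_host = defaultdict(list)
    for host, ts, signal in alerts:
        by_host[host].append((datetime.fromisoformat(ts), signal))
    result = {}
    for host, events in by_host.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Advance the left edge until events[start:end+1] spans <= window seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            current = {sig for _, sig in events[start:end + 1]}
            if len(current) > len(best):
                best = current
        result[host] = (severity_for(len(best)), sorted(best))
    return result


if __name__ == "__main__":
    for host, (sev, sigs) in correlate(SAMPLE_ALERTS).items():
        print(f"{host}: {sev} ({len(sigs)} distinct signals: {', '.join(sigs)})")
```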
### Why this is near-zero false positive
Legitimate enterprise Windows virtually never:
1. Grants `ANONYMOUS LOGON` full access to a share (`icacls ... "ANONYMOUS LOGON":F`)
2. Registers a share in `NullSessionShares` (legacy SMB1 feature effectively dead since ~2015)
3. Sets `EveryoneIncludesAnonymous = 1` in LSA (reverses a post-2003 default hardening)
Any one of these is a material security regression. All three in sequence is operator tradecraft.
### Complementary detection
Pair with a network-side rule that flags inbound null-session SMB connections to internal workstations — if anonymous share staging is succeeding, targets will connect to the source with null credentials to fetch the payload. That's a dead-simple signature on the DC auth side (Logon Type 3 with empty username/domain).