[Emerging-Sigs] SIG: ET NETBIOS DCERPC WMI Remote Process Execution

Kevin Ross kevross33 at googlemail.com
Tue Apr 9 04:08:05 HDT 2019

Here you go: https://car.mitre.org/analytics/CAR-2014-12-001.html.
"False" positives can occur around software management solutions and Dell
OpenManage, in that they can do this activity and not just bad guys.

alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:135518; rev:1;)

Kind Regards,
Kevin Ross
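
The following is an added example, not part of the original post: one way to triage alerts from this rule given the false-positive note above, by separating expected management sources from everything else and listing how many hosts each remaining source touched. It assumes Suricata EVE JSON alert output; the allowlisted management addresses and the sample log lines are constructed.

```python
import ipaddress
import json
from collections import defaultdict

SID = 135518  # sid of the rule posted above
# Assumption: hosts expected to use remote WMI (constructed addresses).
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.5.10/32", "10.0.5.11/32")]

# Constructed EVE lines, not real traffic; the last one is deliberately truncated.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.5.10","dest_ip":"10.0.1.20","alert":{"signature_id":135518}}
{"event_type":"alert","src_ip":"10.0.3.44","dest_ip":"10.0.1.20","alert":{"signature_id":135518}}
{"event_type":"alert","src_ip":"10.0.3.44","dest_ip":"10.0.1.21","alert":{"signature_id":135518}}
{"event_type":"alert","src_ip":"10.0.3.44","dest_ip":"10.0.1.22","alert":{"signature_id":2000001}}
{"event_type":"flow","src_ip":"10.0.3.44","dest_ip":"10.0.1.23"}
{"event_type":"alert","src_ip":"10.0.3.44"
"""

def is_mgmt(ip):
    """True if the address belongs to an allowlisted management host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def triage(eve_text, sid=SID):
    """Return (expected, review): source IP -> sorted destinations alerted on."""
    expected, review = defaultdict(set), defaultdict(set)
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        alert = ev.get("alert") or {}
        if ev.get("event_type") != "alert" or alert.get("signature_id") != sid:
            continue
        src, dst = ev.get("src_ip"), ev.get("dest_ip")
        if not src or not dst:
            continue
        bucket = expected if is_mgmt(src) else review
        bucket[src].add(dst)
    return ({s: sorted(d) for s, d in expected.items()},
            {s: sorted(d) for s, d in review.items()})

if __name__ == "__main__":
    expected, review = triage(SAMPLE_EVE)
    # Sources touching the most hosts first: wide fan-out deserves a look.
    for src, dsts in sorted(review.items(), key=lambda kv: -len(kv[1])):
        print(f"review: {src} -> {len(dsts)} host(s): {', '.join(dsts)}")
    print(f"expected (management): {sorted(expected)}")
```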