[Emerging-Sigs] SIG: ET NETBIOS DCERPC WMI Remote Process Execution
Kevin Ross
kevross33 at googlemail.com
Tue Apr 9 04:08:05 HDT 2019
Here you go: https://car.mitre.org/analytics/CAR-2014-12-001.html,
https://countercept.com/blog/endpoint-detection-of-remote-service-creation-and-psexec/

Some "false" positives can occur around software management solutions and Dell
OpenManage, in that they can do this activity and not just bad guys.
alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:135518; rev:1;)
Kind Regards,
Kevin Ross
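As an added illustration (not part of Kevin's post or the ET ruleset), a small Python parser of a DCERPC BIND PDU that pulls out the requested interface UUIDs and checks them against the UUID in the rule, which is what the dce_iface keyword matches on. The sample BIND is constructed inline; the transfer-syntax UUID and version numbers are assumed values for the example only.

```python
"""Toy DCERPC BIND parser mirroring what Suricata's dce_iface keyword checks:
the abstract-syntax (interface) UUID a client requests when binding."""
import struct
import uuid

# Interface UUID from the rule above (IRemUnknown2, used by DCOM/WMI activation)
WMI_IFACE = "00000143-0000-0000-c000-000000000046"
# Assumed transfer syntax for the constructed sample (NDR 2.0)
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"

def _uuid_from_dce(raw: bytes) -> str:
    # With a little-endian DREP the first three UUID fields are LE on the wire;
    # uuid.UUID(bytes_le=...) performs exactly that conversion.
    return str(uuid.UUID(bytes_le=raw))

def bind_interfaces(pdu: bytes) -> list:
    """Return the interface UUIDs listed in a DCERPC v5 BIND (ptype 11)."""
    if len(pdu) < 16 or pdu[0] != 5 or pdu[2] != 11:
        return []                          # not an RPC v5 bind request
    # 16-byte common header: ver, minor, ptype, flags, drep[4], frag_len, auth_len, call_id
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    body = pdu[16:frag_len]
    if len(body) < 12:
        return []
    n_ctx = body[8]                        # after max_xmit(2) max_recv(2) assoc_group(4)
    off, ifaces = 12, []
    for _ in range(n_ctx):
        if off + 24 > len(body):           # truncated context item: stop, no match
            break
        n_ts = body[off + 2]               # number of transfer syntaxes in this item
        ifaces.append(_uuid_from_dce(body[off + 4:off + 20]))
        off += 24 + 20 * n_ts              # ctx_id(2)+n_ts(1)+pad(1)+uuid(16)+ver(4) + n_ts*20
    return ifaces

def matches_rule(pdu: bytes) -> bool:
    """Emulates dce_iface:<uuid>: true if any bind context requests WMI_IFACE."""
    return WMI_IFACE in bind_interfaces(pdu)

def build_bind(iface: str) -> bytes:
    """Constructed sample: minimal BIND with one context item and one transfer syntax."""
    ctx = struct.pack("<HBB", 0, 1, 0) + uuid.UUID(iface).bytes_le + struct.pack("<I", 0)
    ctx += uuid.UUID(NDR_SYNTAX).bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 3, b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return hdr + body

if __name__ == "__main__":
    print(matches_rule(build_bind(WMI_IFACE)))    # True: would fire the rule
    print(matches_rule(build_bind(NDR_SYNTAX)))   # False: some other interface
```

The check only looks at the BIND, so a benign management tool binding to the same interface (the false positives mentioned above) looks identical at this layer; correlation with the endpoint-side analytics linked above is what separates them.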