[Emerging-Sigs] SIG: ET NETBIOS DCERPC WMI Remote Process Execution
Travis Green
tgreen at emergingthreats.net
Tue Apr 9 08:06:40 HDT 2019
Thanks Kevin! I'll get these in for today's release.
-Travis
On Tue, Apr 9, 2019 at 7:08 AM Kevin Ross via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
>
> Here you go https://car.mitre.org/analytics/CAR-2014-12-001.html, https://countercept.com/blog/endpoint-detection-of-remote-service-creation-and-psexec/, Some "false" positives can occur around software management solutions and Dell Open Manage in terms that they can do this activity and not just bad guys.
>
> alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:135518; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
--
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc
More information about the Emerging-sigs
mailing list