[Emerging-Sigs] SIG: ET NETBIOS DCERPC WMI Remote Process Execution

Travis Green tgreen at emergingthreats.net
Tue Apr 9 08:06:40 HDT 2019

Thanks Kevin! I'll get these in for today's release.


On Tue, Apr 9, 2019 at 7:08 AM Kevin Ross via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
> Here you go https://car.mitre.org/analytics/CAR-2014-12-001.html, https://countercept.com/blog/endpoint-detection-of-remote-service-creation-and-psexec/, Some "false" positives can occur around software management solutions and Dell Open Manage in terms that they can do this activity and not just bad guys.
> alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:135518; rev:1;)
> Kind Regards,
> Kevin Ross
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net

travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc

More information about the Emerging-sigs mailing list