[Emerging-Sigs] SIG: ET NETBIOS DCERPC WMI Remote Process Execution

Tiago Faria tiago.faria.backups at gmail.com
Tue Apr 9 08:13:48 HDT 2019

Thanks for putting these out Kevin. When MITRE published CAR I thought it
would be really nice to have these in ET. Glad to see you're working on it.

A big thank you for your contributions!

On Tue, Apr 9, 2019 at 2:08 PM Kevin Ross via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> Here you go https://car.mitre.org/analytics/CAR-2014-12-001.html,
> https://countercept.com/blog/endpoint-detection-of-remote-service-creation-and-psexec/.
> Some "false" positives can occur around software management solutions and Dell
> Open Manage in terms that they can do this activity and not just bad guys.
>
> alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:135518; rev:1;)
>
> Kind Regards,
> Kevin Ross
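An added illustration, not part of the original thread or the ET ruleset: the interface UUID named in the rule's dce_iface option travels in the abstract-syntax field of a DCE/RPC bind PDU. This Python code parses that field and compares it with the rule's UUID; the function names, `OTHER_IFACE` and the packets from `build_bind` are constructed for the example.

```python
import struct
import uuid

# Interface UUID from the rule's dce_iface option.
RULE_IFACE = uuid.UUID("00000143-0000-0000-c000-000000000046")
# Constructed UUID for a non-matching sample packet (assumption, not from the thread).
OTHER_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")
# NDR transfer syntax UUID, offered alongside the interface in the sample bind.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
BIND, ALTER_CONTEXT = 11, 14  # PDU types that carry a presentation context list


def bind_interfaces(pdu: bytes) -> list:
    """Return the interface (abstract syntax) UUIDs offered in a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] not in (BIND, ALTER_CONTEXT):
        return []
    little = (pdu[4] & 0xF0) == 0x10  # packed_drep: integer byte order
    (frag_len,) = struct.unpack_from("<H" if little else ">H", pdu, 8)
    limit = min(frag_len, len(pdu))  # never read past the fragment
    offset, found = 28, []
    for _ in range(pdu[24]):  # n_context_elem
        if offset + 24 > limit:
            break  # truncated context element
        n_transfer = pdu[offset + 2]
        raw = pdu[offset + 4:offset + 20]
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        offset += 24 + 20 * n_transfer  # skip if_version and transfer syntaxes
    return found


def matches_rule(pdu: bytes) -> bool:
    """True when the bind offers the interface named in the rule."""
    return RULE_IFACE in bind_interfaces(pdu)


def build_bind(iface: uuid.UUID) -> bytes:
    """Constructed sample: little-endian bind offering a single interface."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", 0)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, 1)
    return header + body


if __name__ == "__main__":
    for name, iface in (("rule interface", RULE_IFACE), ("other", OTHER_IFACE)):
        print(name, matches_rule(build_bind(iface)))
```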