[Emerging-Sigs] SIG: ET NETBIOS DCERPC WMI Remote Process Execution
tiago.faria.backups at gmail.com
Tue Apr 9 08:13:48 HDT 2019
Thanks for putting these out Kevin. When MITRE published CAR I thought it
would be really nice to have these in ET. Glad to see you're working on it.
A big thank you for your contributions!
On Tue, Apr 9, 2019 at 2:08 PM Kevin Ross via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:
> Here you go https://car.mitre.org/analytics/CAR-2014-12-001.html,
> https://countercept.com/blog/endpoint-detection-of-remote-service-creation-and-psexec/. Some
> "false" positives can occur around software management solutions and Dell
> Open Manage, in terms that they can do this activity and not just bad guys.
> alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote
> Process Execution"; flow:to_server,established;
> dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown;
> sid:135518; rev:1;)
> Kind Regards,
> Kevin Ross
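The dce_iface test the rule relies on, as an added Python example that is not from the thread or the ET ruleset: it builds a constructed DCERPC v5 bind request, pulls the abstract-syntax UUIDs out of the context list, and matches them against the interface UUID quoted in the rule, treating a truncated fragment as a non-match. The NDR transfer-syntax UUID, fragment sizes and the non-matching UUID in the test are assumed sample values.

```python
import struct
import uuid

# Interface UUID taken from the rule's dce_iface option above
RULE_IFACE = "00000143-0000-0000-c000-000000000046"
# Standard NDR transfer syntax used as the bind's transfer syntax (assumed value)
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"


def build_bind_pdu(iface: str, call_id: int = 1) -> bytes:
    """Constructed DCERPC v5 bind PDU (little-endian DREP) with one presentation context."""
    ctx = struct.pack("<HBB", 0, 1, 0)                            # p_cont_id, n_transfer_syn, pad
    ctx += uuid.UUID(iface).bytes_le + struct.pack("<HH", 0, 0)   # abstract syntax UUID + version
    ctx += uuid.UUID(NDR_SYNTAX).bytes_le + struct.pack("<I", 2)  # transfer syntax UUID + version
    body = struct.pack("<HHI", 5840, 5840, 0)                     # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0) + ctx                    # n_context_elem + reserved
    frag_len = 16 + len(body)
    # rpc_vers, vers_minor, ptype=11 (bind), pfc_flags, drep, frag_length, auth_length, call_id
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return hdr + body


def bind_interfaces(pdu: bytes) -> list[str]:
    """Return abstract-syntax UUIDs from a bind (ptype 11) or alter_context (ptype 14) PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] not in (11, 14):
        return []
    le = bool(pdu[4] & 0x10)                      # DREP byte 0 bit 4: little-endian integers
    frag_len = struct.unpack(("<" if le else ">") + "H", pdu[8:10])[0]
    if frag_len > len(pdu):                       # truncated fragment: refuse to decide
        return []
    ifaces, off = [], 28                          # context elements start after the 12-byte bind body
    for _ in range(pdu[24]):                      # n_context_elem
        if off + 24 > frag_len:
            break
        n_ts = pdu[off + 2]                       # transfer syntaxes following this element
        raw = pdu[off + 4:off + 20]               # abstract syntax UUID (field order depends on DREP)
        ifaces.append(str(uuid.UUID(bytes_le=raw) if le else uuid.UUID(bytes=raw)))
        off += 24 + 20 * n_ts
    return ifaces


def rule_matches(pdu: bytes, rule_iface: str = RULE_IFACE) -> bool:
    """Emulate the rule's dce_iface check: any bound context naming the interface fires it."""
    return rule_iface in bind_interfaces(pdu)


if __name__ == "__main__":
    print(rule_matches(build_bind_pdu(RULE_IFACE)))
```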