[Emerging-Sigs] SIGS: Command Shell Activity Over SMB
Kevin Ross
kevross33 at googlemail.com
Wed Apr 10 02:55:19 HDT 2019
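# sid:120001 - ASCII "cmd.exe" inside an SMB PDU sent to a local host on 445.
# content:"SMB"; depth:8 anchors on the SMB magic within the first 8 bytes of the
# TCP payload (presumably NetBIOS session header + "SMB" marker); distance:0 then
# searches the remainder of the PDU for the command string, case-insensitively.
# POLICY class: plain file copies whose contents include the string and legitimate
# remote-admin tooling will also trip this, so correlate with host telemetry
# (process creation on the target) before acting. Matches raw payload only, so
# SMB3-encrypted sessions are not inspected.
# Rule is one line; the original post was hard-wrapped by the mailer.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd.exe"; nocase; distance:0; classtype:bad-unknown; sid:120001; rev:1;)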
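# sid:120002 - UTF-16LE "cmd.exe" inside an SMB PDU sent to a local host on 445
# (wide-string twin of the ASCII rule; SMB2 and Windows APIs commonly carry paths
# as UTF-16LE).
# The pattern starts with |00|, so the byte before "c" must be 0x00 - i.e. "cmd.exe"
# preceded by another ASCII wide character. A string that begins at "c" directly
# after a non-zero length or flag byte would not match; confirm that is intended.
# msg corrected: the posted text read "ActivityOver" (space lost in wrapping).
# POLICY class - expect hits from file transfers and admin tooling; triage with
# host-side process telemetry. Encrypted SMB3 sessions are not inspected.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:120002; rev:1;)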
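# sid:120003 - ASCII "cmd " (trailing space) inside an SMB PDU sent to a local
# host on 445; catches "cmd /c ..." style invocations that omit the ".exe".
# The four-byte pattern is short and common in ordinary text, so this rule has the
# highest false-positive exposure of the set - treat it as a lead to pivot on, not
# an indicator on its own. Raw-payload match; encrypted SMB3 is not inspected.
# Rule is one line; the original post was hard-wrapped by the mailer.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd "; nocase; distance:0; classtype:bad-unknown; sid:120003; rev:1;)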
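# sid:120004 - UTF-16LE "cmd " (trailing space, |20 00|) inside an SMB PDU sent
# to a local host on 445; wide-string twin of the ASCII "cmd " rule.
# Leading |00| requires the byte before "c" to be 0x00 (a preceding ASCII wide
# character); a string starting at "c" right after a non-zero byte will not match.
# msg corrected: the posted text read "ActivityOver" (space lost in wrapping).
# Short, generic pattern - expect false positives; correlate with process-creation
# telemetry on the destination host. Encrypted SMB3 sessions are not inspected.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00 20 00|"; nocase; distance:0; classtype:bad-unknown; sid:120004; rev:1;)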
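# sid:120005 - ASCII "%comspec" inside an SMB PDU sent to a local host on 445.
# Referencing the COMSPEC environment variable rather than a literal cmd path is
# rare in normal file content, hence the stronger "Very Likely" wording in msg
# compared with the cmd.exe rules.
# Pattern deliberately omits the closing "%" so it also covers "%comspec%" and
# similar spellings; still case-insensitive via nocase.
# Raw-payload match after the SMB anchor (depth:8 / distance:0); SMB3-encrypted
# sessions are not inspected. Rule is one line; the post was mailer-wrapped.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"%comspec"; nocase; distance:0; classtype:bad-unknown; sid:120005; rev:1;)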
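# sid:120006 - UTF-16LE "%comspec" inside an SMB PDU sent to a local host on 445;
# wide-string twin of the ASCII %comspec rule.
# Leading |00| requires the byte before "%" to be 0x00 (a preceding ASCII wide
# character); a string starting at "%" right after a non-zero byte will not match -
# confirm that is acceptable for the command strings this is meant to catch.
# Higher-confidence than the cmd.exe rules (msg says "Very Likely"), but still
# POLICY class: verify with host telemetry on the destination before acting.
# Raw-payload match; SMB3-encrypted sessions are not inspected.
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|%|00|c|00|o|00|m|00|s|00|p|00|e|00|c|00|"; nocase; distance:0; classtype:bad-unknown; sid:120006; rev:1;)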
Kind Regards,
Kevin Ross