[Emerging-Sigs] SIG Update
Kevin Ross
kevross33 at googlemail.com
Wed Apr 10 05:08:08 HDT 2019
Updated to negate a false positive I have seen (probably rare) and added in additional sigs to cover
# Changed (why fast pattern? I don't remember putting this on but shouldn't
it already be automatic?)
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00 20 00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025726; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)
# New
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:123451; rev:1;)
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic.exe"; nocase; distance:0; classtype:trojan-activity; sid:123452; rev:1;)
alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic "; nocase; distance:0; classtype:trojan-activity; sid:123453; rev:1;)
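The content chains in the four rules above, re-implemented as an added example (this is my code for illustration, not the poster's or Emerging Threats' own tooling) and run over constructed sample payloads, so it is visible which sid each payload would trip and why the UTF-16LE and ASCII variants need separate rules. It models only content, depth, nocase and distance; flow state, the smb app-layer parser and fast_pattern are not modeled. The header bytes, paths and command lines in SAMPLES are made up for the example.

```python
# Added example (not from the original post): a minimal re-implementation of the
# content / depth / nocase / distance semantics the four wmic rules rely on, run
# over constructed payloads. fast_pattern is an MPM prefilter hint, not a match
# condition, so it does not change the result set and is ignored here.

NBSS = b"\x00\x00\x00\x40"                      # NetBIOS session header (length not validated)
SMB2_HDR = NBSS + b"\xfeSMB" + b"\x00" * 56     # SMB2 protocol id plus a zeroed header body


def u16(s: str) -> bytes:
    """UTF-16LE, the encoding SMB2 uses for paths and for the strings wmic passes around."""
    return s.encode("utf-16-le")


# (sid, description, content bytes exactly as written in the rule, nocase)
RULES = [
    (2025726, "UTF-16LE 'wmic ' (|00|w|00|m|00|i|00|c|00 20 00|)",
     b"\x00w\x00m\x00i\x00c\x00\x20\x00", True),
    (123451, "UTF-16LE 'wmic.exe'",
     b"\x00w\x00m\x00i\x00c\x00.\x00e\x00x\x00e\x00", True),
    (123452, "ASCII 'wmic.exe'", b"wmic.exe", True),
    (123453, "ASCII 'wmic '", b"wmic ", True),
]


def find_content(payload: bytes, pattern: bytes, nocase: bool, start: int = 0) -> int:
    """Suricata-style content search. nocase folds ASCII letters only, so the |00|
    bytes and punctuation inside a UTF-16LE pattern still have to match exactly."""
    if nocase:
        return payload.lower().find(pattern.lower(), start)
    return payload.find(pattern, start)


def rule_matches(payload: bytes, pattern: bytes, nocase: bool) -> bool:
    # content:"SMB"; depth:8 -> the whole "SMB" must lie within the first 8 bytes.
    # With the 4-byte NetBIOS header in front, the SMB1/SMB2 protocol id puts it at 5..7.
    idx = payload[:8].find(b"SMB")
    if idx < 0:
        return False
    cursor = idx + len(b"SMB")  # distance:0 is measured from the end of the previous match
    return find_content(payload, pattern, nocase, cursor) >= 0


def fired_sids(payload: bytes) -> list:
    """Return the sids from RULES whose content chain matches this payload."""
    return [sid for sid, _, pat, nocase in RULES if rule_matches(payload, pat, nocase)]


# Constructed sample payloads; none of these are real captures.
SAMPLES = {
    # wmic inside a UTF-16LE command line: only the |00|..|20 00| pattern fits
    "wmic_cmdline_utf16": SMB2_HDR + u16(r"cmd.exe /c wmic process call create calc.exe"),
    # wmic.exe as a UTF-16LE path: "." and "exe" follow the "c", so sid 2025726 does not fire
    "wmic_exe_utf16": SMB2_HDR + u16(r"\\host\ADMIN$\wmic.exe"),
    # the same strings in plain ASCII, which only the two ASCII rules cover
    "wmic_exe_ascii": SMB2_HDR + rb"\\host\ADMIN$\wmic.exe /node:host process list",
    "wmic_upper_ascii": SMB2_HDR + b"WMIC /node:host os get caption",
    # benign SMB traffic, and non-SMB traffic that merely contains the word "wmic"
    "benign_share_path": SMB2_HDR + u16(r"\\host\share\report.docx"),
    "http_not_smb": b"GET /docs/wmic HTTP/1.1\r\nHost: wiki\r\n\r\n",
    # "SMB" is present but only after the first 8 bytes, so depth:8 rejects it
    "smb_past_depth": b"\x00" * 9 + b"\xfeSMB" + b"wmic /node:host",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20s} -> {fired_sids(payload)}")
```

Two things the run makes concrete. The leading `|00|` in the UTF-16LE patterns is the high byte of whatever character precedes "wmic", so those rules only fire when wmic sits after another ASCII-range UTF-16 code unit (a space, a backslash); a plain ASCII "wmic " has no interleaved nulls at all and needs its own rule, which is what sids 123452 and 123453 supply. And because `fast_pattern` only picks which content feeds the multi-pattern prefilter, adding or removing it changes performance, not which packets match.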