[Emerging-Sigs] SIG Update
Jason Williams
jwilliams at emergingthreats.net
Wed Apr 10 08:57:49 HDT 2019
Thanks Kevin!
Sometimes fast_pattern gets added by whoever puts the rules in. Generally
speaking, some of us are just in a habit of always adding it.
Will get these in for today.
On Wed, Apr 10, 2019 at 8:08 AM Kevin Ross via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:
> Updated to negate a false positive I have seen (probably rare) and added in
> additional sigs to cover
>
> # Changed (why fast pattern? I don't remember putting this on but
> shouldn't it already be automatic?)
> alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over
> SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB";
> depth:8; content:"|00|w|00|m|00|i|00|c|00 20 00|"; nocase; distance:0;
> fast_pattern; metadata: former_category POLICY; classtype:trojan-activity;
> sid:2025726; rev:2; metadata:attack_target SMB_Client, deployment
> Perimeter, deployment Internal, signature_severity Major, created_at
> 2018_07_17, performance_impact Low, updated_at 2018_07_18;)
>
> # New
> alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over
> SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB";
> depth:8; content:"|00|w|00|m|00|i|00|c|00|.|00|e|00|x|00|e|00|"; nocase;
> distance:0; classtype:trojan-activity; sid:123451; rev:1;)
>
> alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over
> SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB";
> depth:8; content:"wmic.exe"; nocase; distance:0;
> classtype:trojan-activity; sid:123452; rev:1;)
>
> alert smb any any -> $HOME_NET 445 (msg:"ET POLICY WMIC WMI Request Over
> SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB";
> depth:8; content:"wmic "; nocase; distance:0; classtype:trojan-activity;
> sid:123453; rev:1;)
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
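The four quoted rules differ only in the second content keyword, and the first one's `|00|w|00|m|00|i|00|c|00 20 00|` is easy to misread: it is the trailing NUL of the previous UTF-16LE character followed by "wmic " in UTF-16LE, so it only fires on wide-string command lines, while the two ASCII patterns only fire on narrow ones. The script below is an added example, not code from the thread, from Emerging Threats or from Suricata; it reimplements just the content/depth/distance:0/nocase chain of those rules and runs it over constructed SMB-like payloads (the headers, hostnames and command lines are made up). It does not model Suricata's SMB parser, the `smb` protocol keyword, or the multi-pattern matcher that `fast_pattern` steers.

```python
"""Toy evaluation of the content chain in the four quoted WMIC-over-SMB rules.

Added example, not code from the thread, from Emerging Threats or from
Suricata.  It reproduces only the content/depth/distance:0/nocase semantics
of those rules; payloads and command lines below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def utf16le(s: str) -> bytes:
    """Windows command lines travel over SMB/DCERPC as UTF-16LE."""
    return s.encode("utf-16-le")


@dataclass
class Rule:
    sid: int
    rev: int
    # (pattern, depth, nocase) per content keyword, in rule order.  Every
    # content after the first carries distance:0, i.e. the search starts
    # where the previous match ended.
    contents: List[Tuple[bytes, Optional[int], bool]]


# The quoted rules, content keywords transcribed byte for byte.
# |00|w|00|m|00|i|00|c|00 20 00| == NUL high byte of the preceding UTF-16LE
# character, then "wmic " encoded as UTF-16LE.
RULES = [
    Rule(2025726, 2, [(b"SMB", 8, False), (b"\x00" + utf16le("wmic "), None, True)]),
    Rule(123451, 1, [(b"SMB", 8, False), (b"\x00" + utf16le("wmic.exe"), None, True)]),
    Rule(123452, 1, [(b"SMB", 8, False), (b"wmic.exe", None, True)]),
    Rule(123453, 1, [(b"SMB", 8, False), (b"wmic ", None, True)]),
]


def match_content(buf: bytes, pat: bytes, start: int,
                  depth: Optional[int], nocase: bool) -> Optional[int]:
    """Return the offset just past the match, or None if absent."""
    hay = buf[start:]
    if depth is not None:           # depth caps how far into the buffer we look
        hay = hay[:depth]
    if nocase:                      # bytes.lower() folds ASCII A-Z only, like nocase
        hay, pat = hay.lower(), pat.lower()
    idx = hay.find(pat)
    return None if idx < 0 else start + idx + len(pat)


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Walk the content chain; each match anchors the next (distance:0)."""
    pos = 0
    for pat, depth, nocase in rule.contents:
        pos = match_content(payload, pat, pos, depth, nocase)
        if pos is None:
            return False
    return True


def matching_sids(payload: bytes) -> List[int]:
    return [r.sid for r in RULES if rule_matches(r, payload)]


# Constructed payloads: an SMB2 header (0xFE "SMB", 64 bytes) or SMB1 header
# (0xFF "SMB", 32 bytes) followed by a made-up command string.
SMB2_HDR = b"\xfeSMB" + b"\x00" * 60
SMB1_HDR = b"\xffSMB" + b"\x00" * 28
PAYLOADS = {
    "utf16_wmic_space": SMB2_HDR + utf16le("cmd.exe /c wmic process call create calc.exe"),
    "utf16_WMIC_exe":   SMB2_HDR + utf16le(r"\\srv\C$\Windows\System32\wbem\WMIC.exe /node:ws1 os get name"),
    "ascii_wmic_exe":   SMB1_HDR + b"wmic.exe process call create notepad.exe",
    "ascii_WMIC_space": SMB1_HDR + b"WMIC /node:ws1 process list brief",
    "smb_past_depth":   b"\x00" * 8 + SMB2_HDR + utf16le("wmic process list"),
    "not_smb":          b"GET / HTTP/1.1\r\n" + b"wmic process list",
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:18s} -> {matching_sids(payload)}")
```

Running it shows each constructed payload hitting exactly one of the four sids, and the two negative cases (SMB magic outside the first 8 bytes, and a non-SMB buffer) hitting none, which is why Kevin's three new sigs and the rev:2 rule are complementary rather than redundant. On the `fast_pattern` question: when no content is flagged, Suricata selects one for the multi-pattern matcher itself (by default preferring the longest content), so the explicit keyword in rev:2 changes which content seeds the prefilter but not what the rule matches.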