[Emerging-Sigs] SIGS: PS1 and MOF file Use Over SMB
Kevin Ross
kevross33 at googlemail.com
Fri Apr 12 04:04:08 HDT 2019
# .PS1 Possible FP cases - IT admin scripts
alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:145511; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:145512; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; classtype:bad-unknown; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; sid:145513; rev:1;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|m|00|o|00|f|00|"; nocase; distance:0; classtype:bad-unknown; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; sid:145514; rev:1;)
Kind Regards,
Kevin Ross
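The four signatures above are pure byte-pattern matches. As an added example (not part of Kevin's post or of the ET ruleset), the Python below emulates their content / depth:8 / distance:0 / nocase semantics on constructed SMB-like payloads. It shows why each extension needs both an ASCII and a |00|-interleaved variant: SMB2 carries filenames as UTF-16LE, so the plain ".ps1" content never matches there, and it shows that the rules cannot tell a legitimate admin logon script from anything else, which is the "Possible FP cases" caveat in the comment. The payload builders, the zeroed NetBIOS header and the fixed-size padding are simplifying assumptions, not a real SMB encoder; an IDS would parse actual traffic.

```python
# Added example: emulate the match logic of ET sids 145511-145514 on constructed
# payloads. Not an IDS engine; all sample payloads below are constructed.
import re
from typing import List

# A TCP/445 payload starts with a 4-byte NetBIOS session header, then the
# protocol id (0xFF "SMB" for SMB1, 0xFE "SMB" for SMB2). "SMB" therefore
# sits at bytes 5-7, which is what content:"SMB"; depth:8; relies on.
NETBIOS_HDR = b"\x00\x00\x00\x00"   # constructed: length field left at zero
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

# (sid, msg, second content) copied from the rules. The UTF-16LE variants keep
# the leading |00| (high byte of the preceding ASCII character) and the
# trailing |00| exactly as the signatures have them.
RULES = [
    (145511, "Possible Powershell .ps1 Script Use Over SMB", b".ps1"),
    (145512, "Possible Powershell .ps1 Script Use Over SMB", b"\x00.\x00p\x00s\x001\x00"),
    (145513, "Possible WMI .mof Managed Object File Use Over SMB", b".mof"),
    (145514, "Possible WMI .mof Managed Object File Use Over SMB", b"\x00.\x00m\x00o\x00f\x00"),
]


def rule_matches(payload: bytes, pattern: bytes) -> bool:
    """Emulate: content:"SMB"; depth:8; content:<pattern>; nocase; distance:0;"""
    # depth:8 -> "SMB" must lie entirely within the first 8 payload bytes.
    smb_at = payload[:8].find(b"SMB")
    if smb_at == -1:
        return False
    # distance:0 -> the second content is searched from right after the first match.
    after = payload[smb_at + len(b"SMB"):]
    # nocase -> ASCII case-insensitive comparison of the literal bytes.
    return re.search(re.escape(pattern), after, re.IGNORECASE) is not None


def matching_sids(payload: bytes) -> List[int]:
    """Return the sids of all four rules that would fire on this payload."""
    return [sid for sid, _msg, pat in RULES if rule_matches(payload, pat)]


def smb1_create(path: str) -> bytes:
    """Constructed SMB1-style request with a non-Unicode (ASCII) filename."""
    return NETBIOS_HDR + SMB1_MAGIC + b"\x00" * 28 + path.encode("ascii") + b"\x00"


def smb2_create(path: str) -> bytes:
    """Constructed SMB2-style request; SMB2 filenames are UTF-16LE."""
    return NETBIOS_HDR + SMB2_MAGIC + b"\x00" * 60 + path.encode("utf-16-le")


if __name__ == "__main__":
    samples = {
        "SMB1 ascii .PS1 (nocase)":        smb1_create("\\scripts\\Deploy.PS1"),
        "SMB2 utf16 .PS1 (nocase)":        smb2_create("\\scripts\\Deploy.PS1"),
        "SMB1 ascii .MOF":                 smb1_create("\\wmi\\Install.MOF"),
        "SMB2 utf16 .mof":                 smb2_create("\\wmi\\Install.mof"),
        "SMB2 unrelated file":             smb2_create("\\share\\readme.txt"),
        "not SMB at all (no depth match)": b"GET /Deploy.ps1 HTTP/1.1\r\n",
        # Benign GPO logon script: fires exactly like anything else, hence the
        # "Possible FP cases - IT admin scripts" note on the rules.
        "SMB2 admin logon script":         smb2_create("\\SYSVOL\\Policies\\Logon.ps1"),
    }
    for label, payload in samples.items():
        print(f"{label:34s} -> {matching_sids(payload)}")
```

Running it shows the ASCII rule and the UTF-16LE rule for the same extension never fire together on one payload, and that the HTTP sample is rejected by the depth:8 check alone; triage of a hit therefore still has to come from the share path and the requesting host, which the signature does not carry.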