[Emerging-Sigs] SIGS: PS1 and MOF file Use Over SMB
Travis Green
tgreen at emergingthreats.net
Tue Apr 16 10:02:28 HDT 2019
Thanks Kevin, I'll get those into QA for today's release.
On Fri, Apr 12, 2019 at 7:04 AM Kevin Ross via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
>
> # .PS1 Possible FP cases - IT admin scripts
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:145511; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:145512; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; classtype:bad-unknown; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; sid:145513; rev:1;)
>
> alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|m|00|o|00|f|00|"; nocase; distance:0; classtype:bad-unknown; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; sid:145514; rev:1;)
>
> Kind Regards,
> Kevin Ross
--
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc
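Added example, not part of Kevin's submission or the ET ruleset: a small Python emulation of the content/depth/distance/nocase matching that the four rules rely on, run over constructed SMB payloads to show why each extension needs both an ASCII and a UTF-16LE (|00|-interleaved) variant. The packet-building helper is a constructed stand-in for an SMB2 CREATE request, not a real SMB2 encoder.

```python
"""Emulate the content matching of the .ps1 / .mof SMB rules over constructed data."""


def encode_rule_content(pattern: str) -> bytes:
    """Turn a rule content string such as '|00|.|00|p|00|s|00|1|00|' into raw
    bytes: text between pipes is hex, everything outside is a literal."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def find_nocase(hay: bytes, needle: bytes, start: int = 0) -> int:
    """nocase only folds ASCII letters; |00| and '.' still must match exactly."""
    return hay.lower().find(needle.lower(), start)


def rule_matches(payload: bytes, suffix_pattern: str) -> bool:
    """content:"SMB"; depth:8; content:<suffix>; nocase; distance:0;"""
    anchor = payload[:8].find(b"SMB")          # depth:8 -> within first 8 bytes
    if anchor < 0:
        return False
    # distance:0 -> the second content is searched from the end of the first match
    needle = encode_rule_content(suffix_pattern)
    return find_nocase(payload, needle, anchor + 3) >= 0


def smb2_payload(filename: str) -> bytes:
    """Constructed stand-in for an SMB2 CREATE request: 4-byte NetBIOS session
    header, SMB2 magic, dummy fixed fields, then the UTF-16LE file name."""
    body = b"\xfeSMB" + b"\x00" * 60 + filename.encode("utf-16-le")
    return b"\x00" + len(body).to_bytes(3, "big") + body


# The four patterns from the thread, keyed by the sid Kevin assigned.
RULES = {
    145511: ".ps1",
    145512: "|00|.|00|p|00|s|00|1|00|",
    145513: ".mof",
    145514: "|00|.|00|m|00|o|00|f|00|",
}


def classify(payload: bytes) -> list[int]:
    """Return the sids whose match logic fires on the payload."""
    return [sid for sid, pat in RULES.items() if rule_matches(payload, pat)]
```

Running `classify` on a UTF-16LE name hits only the `|00|`-interleaved sid, which is why the ASCII-only pattern alone would miss SMB2 file names.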