ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement - Suricata Rule 2025723 (et/open)

ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement

SID: 2025723Rev: 26 viewsHistory

Sourceet/open

CreatedJuly 17, 2018

UpdatedJuly 26, 2019

Classificationtrojan-activity

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|x|00|e|00|c|00|"; nocase; distance:0; content:"|00|b|00|y|00|p|00|a|00|s|00|s|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025723; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1570, mitre_technique_name Lateral_Tool_Transfer;)

Metadata

attack targetSMB_Client

created at2018_07_17

deploymentInternal

performance impactLow

confidenceHigh

signature severityMajor

updated at2019_07_26

mitre tactic idTA0008

mitre tactic nameLateral_Movement

mitre technique idT1570

mitre technique nameLateral_Tool_Transfer

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!