🐾 - 🔔 Remote WMI Win32_Process create - Possible Lateral Movement 🥷 - T1021.006
Source: pawpatrules
Created: December 8, 2021
Updated: November 3, 2022
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET any (msg:"🐾 - 🔔 Remote WMI Win32_Process create - Possible Lateral Movement 🥷 - T1021.006"; flow:stateless,to_server; content:"|05 00 00|"; depth:3; content:"W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00 00 00|"; fast_pattern; content:"c|00|r|00|e|00|a|00|t|00|e|00|"; distance:16; within:12; nocase; flowbits:set, WMI.Win32_Process.Create; reference:url,https://attack.mitre.org/techniques/T1021/006/; reference:url,https://github.com/ptresearch/AttackDetection/; metadata:created_at 2021_12_08, updated_at 2022_11_03; sid:3300308; rev:5; classtype:attempted-recon;)
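As an added illustration (not code from the pawpatrules project), the Python below re-implements this rule's payload matchers (content with depth, the fast_pattern class name, and the distance:16/within:12 window with nocase) so the window logic can be checked against constructed request bytes. The 13-byte filler and the overall byte layout in `build_request` are assumptions for the demonstration, not a faithful DCOM/IWbemServices encoding.

```python
# Added example: a minimal re-implementation of sid 3300308's content matchers.
# Not Suricata code; it only mirrors the rule's offset/window arithmetic.

HEADER = b"\x05\x00\x00"                                   # DCE/RPC v5.0, PDU type 0 = request
CLASS = "Win32_Process".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE class name + null terminator
METHOD = "create".encode("utf-16-le")                      # matched case-insensitively (nocase)
DISTANCE, WITHIN = 16, 12                                   # from the rule: distance:16; within:12


def find_nocase(buf: bytes, needle: bytes, start: int, end: int) -> int:
    """Offset of needle fully inside buf[start:end], ignoring ASCII case, or -1."""
    idx = buf[start:end].lower().find(needle.lower())
    return -1 if idx < 0 else start + idx


def match_rule(payload: bytes) -> bool:
    """True when the payload satisfies every content matcher of the rule."""
    # content:"|05 00 00|"; depth:3 -> a 3-byte pattern ending within the first
    # 3 bytes means the payload must begin with it.
    if payload[:3] != HEADER:
        return False
    # fast_pattern content has no relative modifiers: search the whole payload,
    # retrying later occurrences if the relative match after one of them fails.
    cls = payload.find(CLASS)
    while cls >= 0:
        prev_end = cls + len(CLASS)
        # distance:16; within:12 -> the next content must lie entirely inside
        # [prev_end + 16, prev_end + 16 + 12). "create" in UTF-16LE is exactly
        # 12 bytes, so it has to start precisely 16 bytes after the terminator.
        win_start, win_end = prev_end + DISTANCE, prev_end + DISTANCE + WITHIN
        if find_nocase(payload, METHOD, win_start, win_end) >= 0:
            return True
        cls = payload.find(CLASS, cls + 1)
    return False


def build_request(gap: int, method: str = "Create") -> bytes:
    """Constructed sample payload (assumed layout): header, 13 filler bytes,
    the class name, `gap` zero bytes, then the UTF-16LE method name."""
    return HEADER + b"\x00" * 13 + CLASS + b"\x00" * gap + method.encode("utf-16-le")


if __name__ == "__main__":
    for gap, method in [(16, "Create"), (16, "CREATE"), (20, "Create"), (16, "Terminate")]:
        print(f"gap={gap:2d} method={method:9s} -> {match_rule(build_request(gap, method))}")
```

Changing the gap or the method name shows why a different string length or field layout between the class name and the method name makes the rule miss, which is the kind of check worth running before tuning the distance/within values.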
References
- https://attack.mitre.org/techniques/T1021/006/
- https://github.com/ptresearch/AttackDetection/
Metadata
created_at: 2021_12_08
updated_at: 2022_11_03