🐾 - 🔔 Antivirus WMI Reply 🪟 - Possible Lateral Movement 🥷 - T1021.006

SID: 3300325
Rev: 6
Views: 5
Source: pawpatrules
Created: July 14, 2023
Updated: July 17, 2023
Classification: attempted-recon
alert tcp $HOME_NET any -> any any (msg:"🐾 - 🔔 Antivirus WMI Reply 🪟 - Possible Lateral Movement 🥷 - T1021.006"; flow:to_client, stateless; content:"|05 00 02 03|"; content:"|41 6e 74 69 56 69 72 75 73 50 72 6f 64 75 63 74 00 00 64 69 73 70 6c 61 79 4e 61 6d 65|"; fast_pattern; reference:url,https://wikipedia.org/wiki/Windows_Management_Instrumentation; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; classtype:attempted-recon; sid:3300325; rev:6; metadata:created_at 2023_07_14, updated_at 2023_07_17;)

Metadata

created at: 2023_07_14
updated at: 2023_07_17
