🐾 - 🔔 System infos WMI Reply 🪟 - Possible Lateral Movement 🥷 - T1021.006

SID: 3300326Rev: 34 views
Sourcepawpatrules
CreatedJuly 15, 2023
UpdatedJuly 17, 2023
Classificationattempted-recon
alert tcp $HOME_NET any -> any any (msg:"🐾 - 🔔 System infos WMI Reply 🪟 - Possible Lateral Movement 🥷 - T1021.006"; flow:to_client, stateless; content:"|05 00 02 00|"; content:"|5f 5f 50 41 52 41 4d 45 54 45 52 53 00 00 61 62 73 74 72 61 63 74 00 13|"; content:"|44 65 66 4b 65 79 00 00 75 69 6e 74 33 32|"; content:"|61 63 36 64 31 33 35 30 36 30 30 30 30 35 51 00 00 52 4f 4f 54 5c 44 65 66 61 75 6c 74|"; fast_pattern; reference:url,https://wikipedia.org/wiki/Windows_Management_Instrumentation; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; reference:url,https://www.microsoft.com/en-us/download/details.aspx?id=46899; classtype:attempted-recon; sid:3300326; rev:3; metadata:created_at 2023_07_15, updated_at 2023_07_17;)

References

urlhttps://wikipedia.org/wiki/Windows_Management_Instrumentation
urlhttps://github.com/GhostPack/Seatbelt#remote-enumeration
urlhttps://attack.mitre.org/techniques/T1021/006/
urlhttps://www.microsoft.com/en-us/download/details.aspx?id=46899

Metadata

created at2023_07_15
updated at2023_07_17

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!