🐾 - 🔔 Installed Products WMI Request 🪟 - Possible Lateral Movement 🥷 - T1021.006

SID: 3300327
Rev: 1
Source: pawpatrules
Created: July 17, 2023
Updated: July 17, 2023
Classification: attempted-recon
alert tcp any any -> $HOME_NET any (msg:"🐾 - 🔔 Installed Products WMI Request 🪟 - Possible Lateral Movement 🥷 - T1021.006"; flow:to_server, stateless; content:"|05 00 00 83|"; content:"|50 41 52 41 4d 45 54 45 52 53 00 00 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 55 6e 69 6e 73 74 61 6c 6c 5c|"; fast_pattern; reference:url,https://wikipedia.org/wiki/Windows_Management_Instrumentation; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; classtype:attempted-recon; sid:3300327; rev:1; metadata:created_at 2023_07_17, updated_at 2023_07_17;)

Metadata

created at: 2023_07_17
updated at: 2023_07_17
