🐾 - 🔔 DCERPC - Bind request to 🪟 WKSSVC interface - Possible System Information Discovery 🥷 - T1082
Source: pawpatrules
Created: July 26, 2023
Updated: July 27, 2023
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 445 (msg:"🐾 - 🔔 DCERPC - Bind request to 🪟 WKSSVC interface - Possible System Information Discovery 🥷 - T1082"; flow:to_server, stateless; content:"|fe 53 4d 42|"; content:"|05 00 0b 03|"; content:"|98 d0 ff 6b 12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/5b1384ee-dad3-4c5f-942a-e35fc89442a2; reference:url,https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-2/; reference:url,https://www.pingcastle.com/; metadata:created_at 2023_07_26, updated_at 2023_07_27; sid:3300328; rev:2; classtype:attempted-recon;)
References
Metadata
created at: 2023_07_26
updated at: 2023_07_27