🐾 - 🔔 DCERPC - Bind_ack reply from 🪟 WKSSVC interface - Possible System Information Discovery 🥷 - T1082
Source: pawpatrules
Created: July 26, 2023
Updated: March 4, 2024
Classification: attempted-recon
alert tcp-pkt $HOME_NET 445 -> any any (msg:"🐾 - 🔔 DCERPC - Bind_ack reply from 🪟 WKSSVC interface - Possible System Information Discovery 🥷 - T1082"; flow:to_client, stateless; content:"|fe 53 4d 42|"; content:"|05 00 0c 03|"; content:"|5c 50 49 50 45 5c 77 6b 73 73 76 63 00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/5b1384ee-dad3-4c5f-942a-e35fc89442a2; reference:url,https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-2/; reference:url,https://www.pingcastle.com/; metadata:created_at 2023_07_26, updated_at 2024_03_04; sid:3300329; rev:3; classtype:attempted-recon;)
References
Metadata
created at: 2023_07_26
updated at: 2024_03_04