🐾 - 🔔 DCERPC - ORPCTHIS Request 🪟 - Possible WMI over DCOM abuse with NTLM authentication 🥷 - T1047
Source: pawpatrules
Created: November 23, 2023
Updated: November 23, 2023
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 135 (msg:"🐾 - 🔔 DCERPC - ORPCTHIS Request 🪟 - Possible WMI over DCOM abuse with NTLM authentication 🥷 - T1047"; flow:to_server, stateless; content:"|05 00 00|"; content:"|05 00 07 00 01 00 00 00 00 00 00 00|"; fast_pattern; content:"|0a 05 0c 00 00 00 00 00 01 00 00 00|"; reference:url,https://attack.mitre.org/techniques/T1047/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/d57e9fd9-8e8b-45b8-99ea-9b0266009676; metadata:created_at 2023_11_23, updated_at 2023_11_23; sid:3301093; rev:3; classtype:attempted-recon;)
References
Metadata
created at: 2023_11_23
updated at: 2023_11_23