🐾 - 🔔 Application Identity service WMI Reply 🪟 - Possible remote AppLocker state check for Lateral Movement 🥷 - T1021.006

SID: 3301098
Rev: 1
Source: pawpatrules
Created: December 23, 2023
Updated: December 23, 2023
Classification: attempted-recon
alert tcp $HOME_NET any -> any any (msg:"🐾 - 🔔 Application Identity service WMI Reply 🪟 - Possible remote AppLocker state check for Lateral Movement 🥷 - T1021.006"; flow:to_client, stateless; content:"|05 00 02 03|"; content:"|57 69 6e 33 32 5f 53 65 72 76 69 63 65|"; fast_pattern; content:"|41 70 70 49 44 53 76 63|"; reference:url,https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; classtype:attempted-recon; sid:3301098; rev:1; metadata:created_at 2023_12_23, updated_at 2023_12_23;)

Metadata

created_at: 2023_12_23
updated_at: 2023_12_23
