🐾 - 🌐 DCERPC - Service Control Manager Remote Protocol - Map Response from 🪟 SVCTL interface - Possible Remote Service Stop 🥷 - T1489
Source: pawpatrules
Created: March 4, 2024
Updated: March 4, 2024
Classification: attempted-recon
alert tcp-pkt $HOME_NET 135 -> any any (msg:"🐾 - 🌐 DCERPC - Service Control Manager Remote Protocol - Map Response from 🪟 SVCTL interface - Possible Remote Service Stop 🥷 - T1489"; flow:to_client, stateless; content:"|05 00 02|"; content:"|81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; fast_pattern; content:"|04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60|"; reference:url,https://attack.mitre.org/techniques/T1489/; reference:url,https://learn.microsoft.com/fr-fr/openspecs/windows_protocols/ms-scmr/15fcdce1-424a-4c99-9965-629f2cd53126; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/MS-SCMR/705b624a-13de-43cc-b8a2-99573da3635f; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/e7a38186-cde2-40ad-90c7-650822bd6333; target:src_ip; metadata:created_at 2024_03_04, updated_at 2024_03_04, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1489, mitre_technique_name Service_Stop; sid:3301155; rev:3; classtype:attempted-recon;)