""ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement""
SID: 2025723
Revision: 1
Class Type: trojan-activity
Metadata: attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, performance_impact Low, signature_severity Major, updated_at 2018_07_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1570, mitre_technique_name Lateral_Tool_Transfer
Reference:
Protocol: tcp
Source Network: any
Source Port: any
Destination Network: $HOME_NET
Destination Port: 445
Flow: established,to_server
Contents:
-
Value: "SMB" Depth: 8
-
Value: "|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"
-
Value: "|00|e|00|x|00|e|00|c|00|"
-
Value: "|00|b|00|y|00|p|00|a|00|s|00|s|00|"
Within:
PCRE:
Special Options:
-
nocase
-
fast_pattern
-
nocase
-
nocase