""ET EXPLOIT Suspicious SVCCTL CreateService Command via SMB - Observed Zerologon Post Compromise Activity""
SID: 2035287
Revision: 2
Class Type: attempted-admin
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_25, deployment Internal, signature_severity Major, updated_at 2022_02_25
Reference:
-
md5
-
59e7f22d2c290336826700f05531bd30
Protocol: tcp
Source Network: any
Source Port: any
Destination Network: $HOME_NET
Destination Port: 445
Flow: established,to_server
Contents:
-
Value: "SMB" Depth: 8
-
Value: "|09 00|"
-
Value: "|05 00 00|"
-
Value: "|0c 00|"
-
Value: "|15 00 00 00 00 00 00 00 15 00 00 00|"
-
Value: "|15 00 00 00 00 00 00 00 15 00 00 00|"
-
Value: "|03 00 00 00|"
Within: 4
PCRE: "/^(?:[A-Z]\x00){20}\x00\x00/R"
Special Options:
- fast_pattern