""ET INFO Suspected Impacket WMIExec Activity""
SID: 2043996
Revision: 1
Class Type: bad-unknown
Metadata: attack_target Client_Endpoint, created_at 2023_01_26, deployment Internal, confidence Low, signature_severity Informational, updated_at 2023_01_26
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_server
Contents:
- Value: "|3e 00 20 00 5c 00 5c 00 31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 5c 00 41 00 44 00 4d 00 49 00 4e 00 24 00 5c 00 5f 00 5f 00|"
Within:
PCRE:
Special Options:
- fast_pattern