Rule Category

INDICATOR-COMPROMISE -- Snort detected a system behavior that suggests the system has been affected by malware. That behavior is known as an Indicator of Compromise (IOC). The symptoms can be a wide range of behaviors, from a suspicious file name to an unusual use of a utility. Symptoms do not guarantee an infection; a system may not be affected by malware and may still show indicators as a result of normal operation. In the case of a genuine compromise, attackers may be attempting to gain privileges and access other systems, spread their influence, and issue calls and commands with elevated access. The context of the traffic is important in determining whether an intrusion has occurred; traffic from an administration utility performing commands on a user's computer is likely not a compromise, but a user laptop accessing a web server in this way may indicate intrusion.

Alert Message

INDICATOR-COMPROMISE directory listing

Rule Explanation

This may be post-compromise behavior indicating the use of Windows directory listing tools.

Impact: Varies. An attacker might have gained the ability to execute commands remotely.

Details: This rule is aimed at catching the output of the standard Windows commands for listing directories. The string "Volume Serial Number" is typically shown in front of the directory listing on Windows NT/2000/XP. Seeing such a response in HTTP traffic indicates that somebody has managed to "convince" the web server to spawn a shell bound to a web port and has successfully executed at least one command to list the directory. Note that the source address of this signature is actually the victim and not the attacker, unlike the exploit signatures.

Ease of Attack: Simple. This post-attack behavior can accompany different attacks.

What To Look For

This may be post-compromise behavior indicating the use of Windows directory listing tools.

Known Usage

No public information

False Positives

Known false positives, with the described conditions

The rule will generate an event if the string "Volume Serial Number" appears in the content distributed by the web server, in which case the rule should be tuned.
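The detection logic described in the Rule Explanation and the tuning concern above, as an added example that is not part of the Snort documentation or the rule itself: a small Python inspector that flags HTTP responses carrying the "Volume Serial Number" string, records the server-side source as the suspected victim, and (a hypothetical tightening, not part of the rule) raises confidence only when a "Directory of" line typical of real dir output is also present, so that a web page that merely mentions the phrase is reported as low confidence. The sample responses are constructed.

```python
import re
from typing import Optional

INDICATOR = b"Volume Serial Number"
# Hypothetical tightening (assumption, not part of the Snort rule): genuine
# Windows `dir` output also contains a "Directory of <drive>:\" line.
DIR_OF = re.compile(rb"^\s*Directory of [A-Za-z]:\\", re.MULTILINE)


def is_http_response(payload: bytes) -> bool:
    """Only server-to-client HTTP responses are in scope for this indicator."""
    return payload.startswith(b"HTTP/1.")


def inspect(src: str, sport: int, dst: str, dport: int,
            payload: bytes) -> Optional[dict]:
    """Return an alert record when the response looks like a directory listing."""
    if not is_http_response(payload) or INDICATOR not in payload:
        return None
    alert = {
        "msg": "INDICATOR-COMPROMISE directory listing",
        # The flow source is the web server that produced the listing, i.e. the
        # suspected victim; the client is the party that requested it.
        "suspected_victim": f"{src}:{sport}",
        "client": f"{dst}:{dport}",
        "confidence": "low",
    }
    if DIR_OF.search(payload):
        alert["confidence"] = "high"
    return alert


# Constructed sample responses: a real listing, a page that merely mentions the
# phrase (the false-positive case the documentation warns about), and a benign one.
LISTING = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
           b" Volume in drive C has no label.\r\n"
           b" Volume Serial Number is 1A2B-3C4D\r\n\r\n"
           b" Directory of C:\\inetpub\\wwwroot\r\n\r\n"
           b"01/02/2020  10:00 AM    <DIR>          .\r\n")
KB_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html><p>How to read the Volume Serial Number of a disk</p></html>")
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"

if __name__ == "__main__":
    for name, body in (("listing", LISTING), ("kb_page", KB_PAGE), ("benign", BENIGN)):
        print(name, inspect("10.0.0.5", 80, "10.0.0.9", 51000, body))
```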

Contributors

Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Cisco Talos
Brian Caswell
Nigel Houghton

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Reconnaissance

Technique: Gather Victim Host Information

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org