SID 1:45515

Report a false positive

Rule Category

NETBIOS -- Snort has flagged on traffic on the netbios protocol, which is used to share files across a local network.

Alert Message

NETBIOS SMB SESSION_SETUP subcommand detected

Rule Explanation

This event is generated when the SMB SESSION_SETUP subcommand is detected. Impact: Generic Protocol Command Decode Details: Ease of Attack:

What To Look For

This rule alerts when the SMB SESSION_SETUP subcommand is detected. This is sometimes a precursor to SMB vulnerability exploitation.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Lateral Movement

Technique: Exploitation of Remote Services

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org