File: 2941.txt

Package: snort 2.3.3-11
Rule:

--
Sid:
2941

--
Summary:
This event is generated when an attempt is made to bind to the Windows
registry service via SMB. 

--
Impact:
Serious. Remote administration of the Windows registry may be possible.

--
Detailed Information:
This event indicates that an attempt was made to bind to the Windows
registry service via SMB across the network.

It may be possible for an attacker to manipulate the Windows registry
from a remote location. This could give the attacker administrative
privileges on the target host as well as the opportunity to execute code
of their choosing.
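
The bind this rule looks for is a DCE/RPC bind PDU carried over an SMB named pipe whose presentation context names the winreg interface. The following is an added example, not the Snort rule's own logic: it assumes the DCE/RPC PDU has already been carved out of the SMB write that carries it and that the data representation is little-endian (the only form Windows clients send); the winreg and NDR transfer-syntax UUIDs are the published ones, and the sample PDUs are constructed by make_bind for testing.

```python
"""Flag a DCE/RPC bind that requests the Windows remote registry (winreg)."""
import struct
import uuid

# winreg interface UUID, version 1.0 (published WINREG IDL); NDR32 transfer syntax.
WINREG_UUID = uuid.UUID("338cd001-2244-31f8-83f8-2a8d96b9c4f6")
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11


def bind_interfaces(pdu: bytes) -> list:
    """Return the abstract-syntax UUID of every presentation context in a
    connection-oriented bind PDU, or [] if the bytes are not a usable bind."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []                        # not DCE/RPC v5, or not a bind
    if (pdu[4] & 0xF0) != 0x10:
        return []                        # only little-endian drep handled here
    n_ctx = pdu[24]                      # p_context_elem.n_context_elem
    off = 28                             # first context element
    found = []
    for _ in range(n_ctx):
        if len(pdu) < off + 24:
            break                        # truncated context: stop, keep what we have
        n_xfer = pdu[off + 2]            # number of transfer syntaxes that follow
        found.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_xfer          # skip abstract syntax + transfer-syntax list
    return found


def is_winreg_bind(pdu: bytes) -> bool:
    """True if ANY context asks for winreg; checking only the first context
    would miss a bind that lists another interface ahead of it."""
    return WINREG_UUID in bind_interfaces(pdu)


def make_bind(interfaces) -> bytes:
    """Build a constructed bind PDU (test data) for the given interface UUIDs."""
    ctxs = b""
    for i, iface in enumerate(interfaces):
        ctxs += struct.pack("<HBB", i, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
        ctxs += NDR32_UUID.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(interfaces), 0, 0) + ctxs
    hdr = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 3, 0x10, 16 + len(body), 0, 1)
    return hdr + body


if __name__ == "__main__":
    print(is_winreg_bind(make_bind([WINREG_UUID])))   # True
```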

--
Affected Systems:
	Microsoft Windows systems.

--
Attack Scenarios:
If the Windows registry is accessible via SMB the attacker can
manipulate the operating system registry settings.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Check the host for signs of system compromise.

Turn off file and print sharing on the target host.

Use a packet filtering firewall to disallow SMB access to the host from
sources external to the protected network.

Disallow remote registry manipulation.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--