Skip to content

Instantly share code, notes, and snippets.

@Samirbous

Samirbous/EntAppSvc Incoming Netcon dcom

Created October 13, 2022 19:12
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Samirbous/fe1cbf2e776b64544452bfc7994afae4 to your computer and use it in GitHub Desktop.
Save Samirbous/fe1cbf2e776b64544452bfc7994afae4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
EntAppSvc Incoming Netcon dcom
sequence by host.id, process.entity_id with maxspan=3s
[process where event.type == "start" and process.name : "svchost.exe" and process.args : "appmodel"]
[network where event.action == "connection_accepted" and
process.name : "svchost.exe" and
source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1"]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment