NF – SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration

This alert is triggered when a NetBIOS status communication sent from an internal asset to an external destination is detected.

Categories:

ID Number

5024712

Signature

alert udp $HOME_NET 137 -> any any (msg:"NF - SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; reference:url,networkforensic.dk; metadata:22122017; classtype:network-scan; sid:5024712; rev:1;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to disable this alert, since it is probably a false positive caused by Windows Network Enumeration.
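Added triage example (not part of the original rule or of networkforensic.dk): it rebuilds the signature's content bytes from the NetBIOS wildcard name `*` and mirrors the `depth:55` match. Because the rule's destination is `any any`, it also checks whether the destination is really external. The `HOME_NET` ranges, function names and sample datagrams are assumptions constructed for illustration.

```python
import ipaddress

DEPTH = 55  # from the rule: depth:55
HOME_NET = [ipaddress.ip_network(n)  # assumed RFC 1918 ranges, adjust to your site
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_nb_name(name16: bytes) -> bytes:
    """NetBIOS first-level encoding: each nibble becomes 'A' + nibble."""
    return bytes(0x41 + n for b in name16 for n in (b >> 4, b & 0x0F))


# 0x20 length byte, encoded wildcard name "*" padded with NULs, 0x00 terminator,
# then record type 0x0021 (NBSTAT): the byte pattern of the rule's content keyword.
CONTENT = b"\x20" + encode_nb_name(b"*" + b"\x00" * 15) + b"\x00\x00\x21"


def content_matches(payload: bytes) -> bool:
    """Mirror content + depth:55, so the match must lie in the first 55 bytes."""
    return CONTENT in payload[:DEPTH]


def triage(src_port: int, dst_ip: str, payload: bytes) -> str:
    """Classify one UDP datagram sent by an internal host."""
    if src_port != 137 or not content_matches(payload):
        return "no-match"
    # The rule's destination is `any any`, so test the address ourselves.
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in HOME_NET):
        return "match-internal-destination"
    is_response = bool(payload[2] & 0x80)  # response bit in the header flags
    return "match-external-response" if is_response else "match-external-query"


def sample_payload(response: bool) -> bytes:
    """Constructed datagram: 12-byte header, then name, type and class."""
    flags = b"\x84\x00" if response else b"\x00\x00"
    counts = b"\x00\x00\x00\x01" if response else b"\x00\x01\x00\x00"
    return b"\x12\x34" + flags + counts + b"\x00" * 4 + CONTENT + b"\x00\x01"


if __name__ == "__main__":
    for dst in ("192.168.1.20", "203.0.113.7"):  # constructed destinations
        print(dst, triage(137, dst, sample_payload(response=True)))
```

Only `match-external-response` corresponds to what the alert title describes; the other results indicate a hit that the content match alone cannot distinguish.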