Audit: Unimplemented Trans2 Subcommand

Severity: Low

This attack poses a minor threat. Corrective action may not be possible or is not required.

Description

This signature detects the use of a reserved, unimplemented Trans2 subcommand, possibly used for DoublePulsar backdoor covert communication.

Additional Information

DoublePulsar uses SMB Trans2 Request/Response with the unimplemented subcommand 'Session Setup' for its covert communication. Microsoft documents this subcommand as reserved/unimplemented.
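The check described above can be sketched as follows. This is an added example, not Symantec's signature logic: it parses an SMB1 message, confirms it is a Trans2 request, and reports whether Setup[0] is the reserved TRANS2_SESSION_SETUP code. The function names and the sample builder are hypothetical, the sample bytes are constructed, and only the request direction is inspected.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E   # reserved, not implemented (MS-CIFS)
SMB_FLAGS_REPLY = 0x80          # set in the header Flags byte of responses
HEADER_LEN = 32
SETUP_OFFSET = HEADER_LEN + 1 + 28   # WordCount byte + 14 fixed words


def trans2_subcommand(msg: bytes):
    """Return Setup[0] of an SMB1 Trans2 request, or None if msg is not one."""
    # Drop the 4-byte NetBIOS session header if the capture still has it.
    if len(msg) >= 8 and msg[0] == 0 and msg[4:8] == SMB1_MAGIC:
        msg = msg[4:]
    if len(msg) < HEADER_LEN + 1 or msg[:4] != SMB1_MAGIC:
        return None
    command, flags = msg[4], msg[9]
    if command != SMB_COM_TRANSACTION2 or flags & SMB_FLAGS_REPLY:
        return None
    word_count = msg[HEADER_LEN]
    # Truncated or malformed requests are ignored rather than guessed at.
    if word_count < 15 or len(msg) < SETUP_OFFSET + 2:
        return None
    setup_count = msg[SETUP_OFFSET - 2]
    if setup_count < 1:
        return None
    return struct.unpack_from("<H", msg, SETUP_OFFSET)[0]


def is_reserved_session_setup(msg: bytes) -> bool:
    """True when the request carries the reserved Session Setup subcommand."""
    return trans2_subcommand(msg) == TRANS2_SESSION_SETUP


def build_sample(subcommand: int, reply: bool = False) -> bytes:
    """Constructed minimal Trans2 message (other fields zeroed), for testing."""
    flags = SMB_FLAGS_REPLY if reply else 0
    header = (SMB1_MAGIC + bytes([SMB_COM_TRANSACTION2]) + bytes(4)
              + bytes([flags]) + bytes(22))
    # 13 zeroed words, then SetupCount=1, Reserved3=0, then Setup[0].
    words = bytes(26) + bytes([1, 0]) + struct.pack("<H", subcommand)
    return header + bytes([15]) + words + struct.pack("<H", 0)  # ByteCount=0
```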

Affected

  • Various Windows Platforms.

Response

Unless otherwise known, any unintended SMB Trans2 Request/Response in this network traffic should be treated as malicious. Actions should be taken to suspend and audit the communication and potentially block this network activity from further communication.

If you want to block this traffic, refer to the following link:
https://support.symantec.com/en_US/article.HOWTO80883.html