Microsoft Windows System32 write file to the directory has been detected (SMB_System32_FileWritten)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, BlackICE Agent for Server, BlackICE Server Protection, BlackICE PC Protection, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network IPS, Virtual Server Protection for Vmware:

This signature detects attempts to write files to the Windows\System32\ directory. This may indicate an attempt to modify or install software in a protected directory.


False positives

RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Server IPS for Linux technology, Proventia Network IPS, Virtual Server Protection for Vmware: This signature may trigger on legitimate directory write operations, such as updates to existing Windows\System32\ binaries.

Default risk level

Medium

Sensors that have this signature

RealSecure Network: XPU 24.3, RealSecure Server Sensor: XPU 24.3, BlackICE Agent for Server: 3.6eof, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, Proventia Network MFS: XPU 1.42, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Desktop: 8.0.614.1, Proventia Network IDS: XPU 24.3, Proventia-G 1.1 and earlier: XPU 24.3, RealSecure Desktop Protector 3.6: eob, Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: XPU 1.42, RealSecure Desktop: eob, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows

Type

Suspicious Activity

Vulnerability description

An attempt to write a file to the Windows System32 directory has been detected. Files held in the Windows System directories are of a critical nature and should be owned by the system administrator; ordinary users should only have read access to them. These files should never be deleted, and the files stored in this directory should not be manually changed. Creation of files in the Windows System32 directory may indicate the presence of a worm, virus, or Trojan on the system.

How to remove this vulnerability

Examine the source address to determine if this is malicious activity.
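The following is an added illustration, not ISS code or the sensor's actual matching logic, of the detection described above and of the source-address triage the remediation step calls for. It takes already-parsed SMB write requests (the event dictionaries, field names and IP addresses are constructed assumptions), canonicalises the share-relative path so that case, slash direction, the ADMIN$ share (assumed to map to C:\Windows) and `..` traversal cannot hide or falsely suggest a System32 target, and emits an alert carrying the source address. An optional allow-list of known update sources shows one way to suppress the false positive the record mentions (legitimate updates to existing System32 binaries).

```python
"""Added example (not part of the X-Force record): flag SMB write requests
whose target resolves to the Windows System32 directory."""
import posixpath

# Constructed sample events: source IP, SMB share, share-relative path, operation.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "share": "C$", "path": "Windows\\System32\\drivers\\new.sys", "op": "WRITE"},
    {"src": "10.0.0.5", "share": "ADMIN$", "path": "system32/kernel32.dll", "op": "WRITE"},
    {"src": "10.0.0.9", "share": "C$", "path": "Windows\\System32\\..\\Temp\\a.txt", "op": "WRITE"},
    {"src": "10.0.0.9", "share": "C$", "path": "Windows\\SysWOW64\\x.dll", "op": "WRITE"},
    {"src": "10.0.0.7", "share": "C$", "path": "Windows\\System32\\ntdll.dll", "op": "READ"},
    {"src": "10.0.0.7", "share": "Users", "path": "bob\\System32\\notes.txt", "op": "WRITE"},
]

SIGNATURE = "SMB_System32_FileWritten"
SYSTEM32 = "windows/system32"  # canonical form used for comparison


def canonical_path(share: str, path: str) -> str:
    """Map a share-relative SMB path to a lowercase, forward-slash path rooted
    at the system drive.  ADMIN$ is assumed to be C:\\Windows (default install),
    so its paths are prefixed with 'windows/'.  '..' and '.' segments are
    collapsed so a traversal out of System32 is not mis-flagged and a
    traversal into it is not missed.  Shares other than C$ and ADMIN$ are
    assumed not to expose the system directory and are kept distinct."""
    p = path.replace("\\", "/").strip("/").lower()
    share = share.lower()
    if share == "admin$":
        p = "windows/" + p
    elif share != "c$":
        p = "other/" + p
    return posixpath.normpath(p)


def is_system32_write(event: dict) -> bool:
    """True when the event is a write whose target lies in System32."""
    if event["op"].upper() != "WRITE":
        return False
    canon = canonical_path(event["share"], event["path"])
    return canon == SYSTEM32 or canon.startswith(SYSTEM32 + "/")


def detect(events, allowed_sources=frozenset()):
    """Return one alert per matching event.  The alert carries the source
    address so an analyst can examine it, as the record's guidance says;
    writes from addresses in allowed_sources (e.g. a patch-management host)
    are suppressed to reduce the documented false positive."""
    alerts = []
    for ev in events:
        if not is_system32_write(ev):
            continue
        if ev["src"] in allowed_sources:
            continue
        alerts.append({
            "signature": SIGNATURE,
            "src": ev["src"],
            "target": canonical_path(ev["share"], ev["path"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first two sample events produce alerts: the traversal to `Windows\Temp`, the SysWOW64 write, the read of `ntdll.dll` and the `System32` folder inside a user share are all excluded. Real deployments would derive the share-to-directory mapping from the host's configuration rather than assume a default install.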

References

ISS X-Force
Microsoft Windows System32 write file to the directory has been detected
http://www.iss.net/security_center/static/16627.php