Rule: -- Sid: 2476 -- Summary: This event is generated when an attempt is made to create an AndX entry via SMB. -- Impact: Unknown. -- Detailed Information: This event is generated when an attempt is made to create an AndX entry via SMB. -- Affected Systems: Windows systems -- Attack Scenarios: An attacker may attempt to bind to the service to manipulate host settings then create an entry in the winreg service. -- Ease of Attack: Simple. -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources using a packet filtering firewall. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: Microsoft Technet http://support.microsoft.com/support/kb/articles/q153/1/83.asp CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 Winreg http://www.rutherfurd.net/python/winreg/ --