Versions (3)
Version DetailsCurrent
Rev: 1 • Apr 28, 2021, 12:00 PMET EXPLOIT Possible Local Active Directory Federation Services (AD FS) Replication Attempt
alert http $HOME_NET any -> $HOME_NET 80 (msg:"ET EXPLOIT Possible Local Active Directory Federation Services (AD FS) Replication Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adfs/services/policystoretransfer"; startswith; fast_pattern; threshold:type limit,track by_src,count 1,seconds 600; reference:url,fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html; classtype:web-application-attack; sid:2032884; rev:1; metadata:attack_target Server, created_at 2021_04_28, deployment Internal, confidence Medium, signature_severity Major, updated_at 2021_04_28;)
Apr 28, 2021, 12:00 PM
Apr 28, 2021, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 21, 2024, 3:00 AM
rules/emerging-exploit.rules