Versions (4)
Version Details (Current)
Rev: 1 • Jan 24, 2024, 12:00 PM
ET HUNTING External SMB ANDX Request for Outlook Calendar Invite File (.ics) - Possible NTLM Hash Leak Attempt
alert smb $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING External SMB ANDX Request for Outlook Calendar Invite File (.ics) - Possible NTLM Hash Leak Attempt"; flow:established,to_server; content:"|ff|SMB"; depth:8; content:"|00 2E 00|i|00|c|00|s|00 00 00|"; nocase; fast_pattern; endswith; reference:url,www.varonis.com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes; reference:cve,2023-35636; classtype:credential-theft; sid:2050432; rev:1; metadata:affected_product Windows_11, attack_target Client_Endpoint, created_at 2024_01_24, cve CVE_2023_35636, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, updated_at 2024_01_24; target:src_ip;)
Jan 24, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
rules/emerging-hunting.rules