Rev: 18 • Mar 17, 2024, 12:00 PM • 🐾 - 🔔 LDAP - SASL GSS-API Privacy accepted DNS record from Windows DNS Server 🪟 Possible DNS Server Compromised 🥷 - T1584.002 - Check if legitimate client request
alert tcp $HOME_NET 389 -> any any (msg:"🐾 - 🔔 LDAP - SASL GSS-API Privacy accepted DNS record from Windows DNS Server 🪟 Possible DNS Server Compromised 🥷 - T1584.002 - Check if legitimate client request"; flow:to_client, stateless; dsize:<200; threshold:type limit, track by_src,count 1, seconds 10; content:"|00 00 00 52 05 04 07 ff 00 00 00 1c|"; reference:url,https://attack.mitre.org/techniques/T1584.002/; reference:url,https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/; reference:url,https://github.com/Kevin-Robertson/Powermad; metadata:created_at 2024_03_17, updated_at 2024_03_17, signature_severity Informational, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1584.002, mitre_technique_name Compromise_Infrastructure_DNS_Server; sid:3301159; rev:18; classtype:misc-attack;)
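The content bytes the rule matches on are not LDAP at all: once the SASL GSS-API security layer has negotiated privacy, every LDAP PDU from the server is wrapped in an RFC 4121 Kerberos Wrap token and framed with the 4-byte big-endian length prefix of RFC 4752. The rule's 12 bytes decode as SASL length 0x52 (82 bytes), TOK_ID 05 04 (Wrap), flags 07 (SentByAcceptor | Sealed | AcceptorSubkey), filler ff, EC 0 and RRC 0x1c (28). Because the body is sealed, the rule cannot see the addRequest/addResponse itself; it keys off a sealed server response of exactly that length, which is why the msg asks you to check for a legitimate client request before acting. The Python below is an added example, not part of the rule file or the repository: it parses the prefix and token header, reproduces the rule's dsize/content conditions, and runs them over constructed sample payloads (the sealed body is deterministic filler, not real ciphertext; the field names and helper functions are this example's own).

```python
"""Decode the bytes the rule matches on: a SASL GSS-API (RFC 4752) length
prefix followed by an RFC 4121 Kerberos Wrap token header, as sent by an LDAP
server whose SASL security layer has negotiated privacy (sealing).

Added example, not part of the rule or the repository. Sample payloads below
are constructed by hand; the sealed body is filler, not real ciphertext.
"""
import struct

# Bytes from the rule's content: keyword (SASL length 0x52 + Wrap token header).
RULE_CONTENT = bytes.fromhex("00000052050407ff0000001c")
RULE_DSIZE_MAX = 200  # dsize:<200

TOK_ID_WRAP = 0x0504          # RFC 4121 section 4.2.6.2, Wrap token
FLAG_SENT_BY_ACCEPTOR = 0x01  # set when the server (acceptor) sends the token
FLAG_SEALED = 0x02            # privacy layer: payload is encrypted
FLAG_ACCEPTOR_SUBKEY = 0x04   # acceptor-asserted subkey used for the wrap


def parse_sasl_gss_wrap(payload: bytes) -> dict:
    """Parse the 4-byte SASL length prefix and the 16-byte Wrap token header.

    Returns the decoded fields, or raises ValueError if the payload does not
    start with a complete Wrap token header.
    """
    if len(payload) < 4 + 16:
        raise ValueError("too short for SASL prefix + Wrap token header")
    (sasl_len,) = struct.unpack(">I", payload[:4])
    tok_id, flags, filler, ec, rrc, snd_seq = struct.unpack(">HBBHHQ", payload[4:20])
    if tok_id != TOK_ID_WRAP or filler != 0xFF:
        raise ValueError("not an RFC 4121 Wrap token")
    return {
        "sasl_len": sasl_len,
        "sasl_len_consistent": sasl_len == len(payload) - 4,
        "sent_by_acceptor": bool(flags & FLAG_SENT_BY_ACCEPTOR),
        "sealed": bool(flags & FLAG_SEALED),
        "acceptor_subkey": bool(flags & FLAG_ACCEPTOR_SUBKEY),
        "ec": ec,        # extra count (padding) bytes
        "rrc": rrc,      # right rotation count applied to the sealed body
        "snd_seq": snd_seq,
    }


def matches_rule(payload: bytes) -> bool:
    """Reproduce the rule's payload conditions: dsize:<200 and the content bytes."""
    return len(payload) < RULE_DSIZE_MAX and RULE_CONTENT in payload


def build_sealed_response(body_len: int, flags: int = 0x07, rrc: int = 0x1C,
                          snd_seq: int = 1) -> bytes:
    """Construct a SASL-framed Wrap token with a filler body of body_len bytes.

    body_len counts everything after the 16-byte header. The rule's payload has
    sasl_len 0x52 = 82, i.e. a 66-byte sealed body.
    """
    header = struct.pack(">HBBHHQ", TOK_ID_WRAP, flags, 0xFF, 0, rrc, snd_seq)
    body = bytes((i * 37 + 11) & 0xFF for i in range(body_len))  # deterministic filler
    token = header + body
    return struct.pack(">I", len(token)) + token


# Constructed samples, not captures:
SAMPLE_MATCH = build_sealed_response(66)                 # 82-byte sealed token: hits the rule
SAMPLE_UNSEALED = build_sealed_response(66, flags=0x05)  # integrity only, no privacy layer
SAMPLE_LARGE = build_sealed_response(300)                # sealed, but a larger server response

if __name__ == "__main__":
    for name, pkt in [("match", SAMPLE_MATCH), ("unsealed", SAMPLE_UNSEALED), ("large", SAMPLE_LARGE)]:
        print(name, matches_rule(pkt), parse_sasl_gss_wrap(pkt))
```

When triaging a hit, pull the full flow and confirm that the client side carried a sealed request of a size consistent with an LDAP add of a dnsNode object shortly before, and that the client is not one of the hosts you expect to register records; the token header alone tells you only that the server sent an 82-byte sealed reply.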
rules/PAW-PATRULES_LATERAL_MOVEMENT.rules