Versions (5)
Version DetailsCurrent
Rev: 7 • Feb 21, 2025, 12:00 PM🐾 - 🔔 Suspicious Kerberos TGS-Request to Active Directory 🪟 for CIFS service - Possible TGS requested from Impacket 🥷 - T1558
alert tcp any any -> $HOME_NET 88 (msg:"🐾 - 🔔 Suspicious Kerberos TGS-Request to Active Directory 🪟 for CIFS service - Possible TGS requested from Impacket 🥷 - T1558"; flow:to_server, stateless; flowbits:set,pptrls.suspkrbtgsrep; flowbits:isnotset,pptrls.suspkrbtgsrep; content:"|30 82|"; content:"|03 02 01 05|"; distance:2; content:"|03 02 01 0c|"; distance:1; target:dest_ip; content:"|6b 72 62 74 67 74|"; content:"|a0 07 03 05 00 40 81 00 10|"; fast_pattern; content:"|63 69 66 73|"; content:!"|ff 79|"; reference:url,https://attack.mitre.org/techniques/T1558/; reference:url,https://github.com/fortra/impacket/; metadata:created_at 2025_02_21, updated_at 2025_03_30, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets; sid:3321414; rev:7; classtype:credential-theft;)
Feb 21, 2025, 12:00 PM
Mar 30, 2025, 12:00 PM
Feb 25, 2025, 5:10 AM
May 29, 2025, 11:12 PM
rules/PAW-PATRULES_LATERAL_MOVEMENT.rules