Rule History

SID: 10004153 • Source: ptrules/open

Versions (6)

Version Details (Current)

Rev: 5 • Jun 24, 2025, 4:00 PM

ATTACK AD [PTsecurity] Possible MS-RPRN abuse (PrinterBug). Hash or Ticket theft

alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] Possible MS-RPRN abuse (PrinterBug). Hash or Ticket theft"; flow:to_server, established, no_stream; content:"SMB"; offset:5; depth:3; content:"|05 00 00|"; distance:0; byte_test:1, &, 0x80, 0, relative; content:"|41 00|"; distance:19; within:2; content:"|00 01 00 00|"; distance:36; within:4; content:"|5C 00 5C 00|"; fast_pattern; distance:0; flowbits:isset, DCERPC.BIND.SPOOLSS; xbits:set, CoercedAuth, track ip_dst, expire 10; reference:url, posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10004153; rev:5;)

Jun 24, 2025, 4:00 PM

Oct 16, 2025, 10:34 AM

rules/ptopen-windows.rules