Rule History

SID: 10014548 • Source: ptrules/open

Versions (2)

Version DetailsCurrent

Rev: 1 • Nov 11, 2025, 11:57 AM

Message:

TOOLS [PTsecurity] Possible AD Attacking Tool JA3 fingerprint

Rule:

alert tls any any -> any 636 (msg: "TOOLS [PTsecurity] Possible AD Attacking Tool JA3 fingerprint"; flow: established, to_server; ja3.hash; content: "a417a71ed5c13f099bb930ea68f6104e"; threshold: type limit, track by_src, seconds 300, count 1; reference: url, github.com/layer8secure/SilentHound; reference: url, github.com/Pennyw0rth/NetExec; reference: url, github.com/dirkjanm/ldapdomaindump; reference: url, github.com/SpecterOps/BloodHound; reference: url, github.com/franc-pentest/ldeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10014548; rev: 1;)

Created:

Nov 11, 2025, 11:57 AM

Updated:

Feb 10, 2026, 7:45 AM

DB Created:

Dec 4, 2025, 9:34 PM

DB Updated:

Mar 2, 2026, 1:34 PM

Filename:

rules/ptopen-tools.rules