Rule History

SID: 10014548 • Source: ptrules/open

Versions (2)

Rev: 1

Mar 2, 2026, 1:34 PM

Version DetailsCurrent

Rev: 1 • Nov 11, 2025, 11:57 AM

Message:

TOOLS [PTsecurity] Possible AD Attacking Tool JA3 fingerprint

Rule:

alert tls any any -> any 636 (msg:"TOOLS [PTsecurity] Possible AD Attacking Tool JA3 fingerprint"; flow:established, to_server; ja3.hash; content:"a417a71ed5c13f099bb930ea68f6104e"; threshold:type limit, track by_src, seconds 300, count 1; reference:url, github.com/layer8secure/SilentHound; reference:url, github.com/Pennyw0rth/NetExec; reference:url, github.com/dirkjanm/ldapdomaindump; reference:url, github.com/SpecterOps/BloodHound; reference:url, github.com/franc-pentest/ldeep; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10014548; rev:1;)

Created:

Nov 11, 2025, 11:57 AM

Updated:

Feb 10, 2026, 7:45 AM

DB Created:

Dec 4, 2025, 9:34 PM

DB Updated:

Mar 2, 2026, 1:34 PM

Filename:

rules/ptopen-tools.rules