ET EXPLOIT CreateService via SMB to Reset-ComputerMachinePassword - Observed Post Zerologon Activity
Source: et/open
Created: February 24, 2022
Updated: February 25, 2022
Classification: attempted-admin
alert smb any any -> $HOME_NET 445 (msg:"ET EXPLOIT CreateService via SMB to Reset-ComputerMachinePassword - Observed Post Zerologon Activity"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|00|R|00|e|00|s|00|e|00|t|00|-|00|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00|M|00|a|00|c|00|h|00|i|00|n|00|e|00|P|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; distance:0; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_24, deployment Internet, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_02_25;)
Metadata
affected product: Windows_XP_Vista_7_8_10_Server_32_64_Bit
attack target: Server
created at: 2022_02_24
deployment: Internet
performance impact: Low
confidence: High
signature severity: Major
updated at: 2022_02_25