ET HUNTING External SMB ANDX Request for Outlook Calendar Invite File (.ics) - Possible NTLM Hash Leak Attempt
Source: et/open
Created: January 24, 2024
Updated: January 24, 2024
Classification: credential-theft
alert smb $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING External SMB ANDX Request for Outlook Calendar Invite File (.ics) - Possible NTLM Hash Leak Attempt"; flow:established,to_server; content:"|ff|SMB"; depth:8; content:"|00 2E 00|i|00|c|00|s|00 00 00|"; nocase; fast_pattern; endswith; reference:url,www.varonis.com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes; reference:cve,2023-35636; classtype:credential-theft; sid:2050432; rev:1; metadata:affected_product Windows_11, attack_target Client_Endpoint, created_at 2024_01_24, cve CVE_2023_35636, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, updated_at 2024_01_24; target:src_ip;)
Metadata
affected product: Windows_11
attack target: Client_Endpoint
created at: 2024_01_24
deployment: SSLDecrypt
performance impact: Low
confidence: Low
signature severity: Major
updated at: 2024_01_24