🐾 - 🔔 DRSUAPI DsGetDomainControllerInfo - Possible Impacket secretsdump DCSync attack 🥷 - T1003.006 - Check if source is a legit 🪟 Domain Controller

SID: 3300320
Rev: 14

History
Source: pawpatrules
Created: November 3, 2022
Updated: August 21, 2025
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET any (msg:"🐾 - 🔔 DRSUAPI DsGetDomainControllerInfo - Possible Impacket secretsdump DCSync attack 🥷 - T1003.006 - Check if source is a legit 🪟 Domain Controller"; flow:to_server, stateless; content:"|05 00 00|"; depth:3; content:"|03 00 00 00 44 00 00 00 00 00 10 00|"; fast_pattern; content:"|0a 06 00 00|"; reference:url,https://attack.mitre.org/techniques/T1003/006/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2022_11_03, updated_at 2025_08_21, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1003_006, mitre_technique_name OS_Credential_Dumping_DCSync; sid:3300320; rev:14; classtype:attempted-recon;)
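To make the rule's matching logic inspectable and to do the triage its title asks for, here is an added Python example; it is not part of the rule and not code from pawpatrules or Impacket. It reproduces the three content tests exactly as the rule applies them (the first anchored by depth:3, the other two allowed anywhere in the payload), decodes the connection-oriented DCE/RPC request header, and labels a hit according to whether the source address is one of the known domain controllers. The DC allow-list, the sample PDU and its stub bytes are constructed for the example. Reading the 12-byte fast pattern as header fields at offset 12 of the PDU (call_id 3, alloc_hint 0x44, context id 0, opnum 16, which is IDL_DRSDomainControllerInfo in the DRSUAPI interface) is my interpretation; the rule itself specifies no offset for that content.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Byte patterns copied from the Suricata rule above.
PAT_RPC_HDR = bytes.fromhex("050000")                  # rpc_vers 5, minor 0, PTYPE 0 = request
PAT_FAST = bytes.fromhex("030000004400000000001000")   # the rule's fast_pattern content
PAT_STUB = bytes.fromhex("0a060000")                   # the rule's trailing content

DRSUAPI_OPNUM_DC_INFO = 16   # IDL_DRSDomainControllerInfo (DsGetDomainControllerInfo)

# Constructed allow-list of the domain's real DCs (assumption; replace with your inventory).
KNOWN_DCS = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}


@dataclass
class RpcRequest:
    call_id: int
    frag_len: int
    alloc_hint: int
    context_id: int
    opnum: int
    stub: bytes


def parse_dcerpc_request(payload: bytes) -> Optional[RpcRequest]:
    """Decode a connection-oriented DCE/RPC request PDU: the 16-byte common
    header followed by alloc_hint(4), context id(2) and opnum(2).
    Returns None for anything that is not a version-5 request."""
    if len(payload) < 24:
        return None
    rpc_vers, _minor, ptype, _flags = payload[0:4]
    drep = payload[4:8]
    endian = "<" if (drep[0] & 0xF0) == 0x10 else ">"   # packed_drep[0] high nibble 1 = little-endian
    frag_len, _auth_len, call_id = struct.unpack(endian + "HHI", payload[8:16])
    alloc_hint, ctx_id, opnum = struct.unpack(endian + "IHH", payload[16:24])
    if rpc_vers != 5 or ptype != 0:
        return None
    return RpcRequest(call_id, frag_len, alloc_hint, ctx_id, opnum, payload[24:frag_len])


def rule_matches(payload: bytes) -> bool:
    """The rule's content tests: depth:3 anchors the first content to the start of
    the payload; the other two carry no offset/distance, so anywhere is fine."""
    return payload.startswith(PAT_RPC_HDR) and PAT_FAST in payload and PAT_STUB in payload


def triage(src_ip: str, payload: bytes) -> str:
    """What the rule title asks the analyst to do: a hit from a real DC is ordinary
    replication traffic, a hit from any other host deserves a DCSync investigation."""
    if not rule_matches(payload):
        return "no-match"
    if ip_address(src_ip) in KNOWN_DCS:
        return "expected-dc-replication"
    return "possible-dcsync"


def build_request(call_id: int, opnum: int, stub: bytes, ctx_id: int = 0) -> bytes:
    """Construct a little-endian DCE/RPC request PDU for test traffic."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub   # alloc_hint = stub length
    frag_len = 16 + len(body)
    # rpc_vers, minor, PTYPE request, flags FIRST|LAST, drep (LE ints), frag_len, auth_len, call_id
    header = struct.pack("<BBBB4sHHI", 5, 0, 0, 0x03, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return header + body


# Constructed sample stub: 68 (0x44) bytes carrying the 0a 06 00 00 sequence the rule looks for.
# The real DsGetDomainControllerInfo NDR stub is not reproduced here.
SAMPLE_STUB = PAT_STUB + bytes(64)
SAMPLE_DCSYNC_REQUEST = build_request(call_id=3, opnum=DRSUAPI_OPNUM_DC_INFO, stub=SAMPLE_STUB)

if __name__ == "__main__":
    req = parse_dcerpc_request(SAMPLE_DCSYNC_REQUEST)
    print(f"opnum={req.opnum} call_id={req.call_id} alloc_hint={req.alloc_hint:#x}")
    for src in ("10.0.0.10", "10.0.0.55"):
        print(src, "->", triage(src, SAMPLE_DCSYNC_REQUEST))
    # Same opnum issued as the fourth call on the connection: the fast pattern no longer matches.
    print("call_id=4 ->", triage("10.0.0.55", build_request(4, DRSUAPI_OPNUM_DC_INFO, SAMPLE_STUB)))
```

One consequence of that reading is worth knowing before tuning: the pattern pins call_id to 3 and alloc_hint to 0x44, so it is tied to the exact call sequence and argument length secretsdump produces, and the same opnum issued as a fourth call on the connection does not match, as the last line of the example shows. Conversely, the rule's own title acknowledges that legitimate DCs issue this call, which is why a hit should be checked against the DC inventory before it is treated as DCSync.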

Metadata

created at: 2022_11_03
updated at: 2025_08_21
signature severity: Major
attack target: Server_Endpoint
affected product: Windows_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
mitre technique id: T1003_006
mitre technique name: OS_Credential_Dumping_DCSync
