🐾 - 🔔 LSARPC LsarOpenPolicy2 Response from 🪟 DC - Possible infos request (net user / PingCastle / Mimikatz DCSync) 🥷 - T1003 - Check if destination is legitimate

SID: 3300321
Rev: 6
Source: pawpatrules
Created: November 12, 2022
Updated: March 17, 2023
Classification: attempted-recon
alert tcp $HOME_NET 445 -> any any (msg:"🐾 - 🔔 LSARPC LsarOpenPolicy2 Response from 🪟 DC - Possible infos request (net user / PingCastle / Mimikatz DCSync) 🥷 - T1003 - Check if destination is legitimate"; flow:to_client, stateless; content:"|05 00 02 03|"; content:"|02 00 00 00 18 00 00 00|"; fast_pattern; content:"|00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1003/006/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2c6f3cf9-d792-4e8b-9af5-5470f636c20a; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b; reference:url,https://github.com/gentilkiwi/mimikatz; reference:url,https://www.pingcastle.com/; metadata:created_at 2022_11_12, updated_at 2023_03_17; sid:3300321; rev:6; classtype:attempted-recon;)

Metadata

created_at: 2022_11_12
updated_at: 2023_03_17
