🐾 - 🔔 DCERPC - SAMR EnumDomainUsers response from 🪟 DC - Possible Domain Account Discovery 🥷 - T1087.002
Source: pawpatrules
Created: August 9, 2023
Updated: August 23, 2023
Classification: attempted-recon
alert tcp-pkt $HOME_NET 445 -> any any (msg:"🐾 - 🔔 DCERPC - SAMR EnumDomainUsers response from 🪟 DC - Possible Domain Account Discovery 🥷 - T1087.002"; flow:to_client, stateless; content:"|fe 53 4d 42|"; content:"|05 00 02|"; content:"|00 00 00 00|"; content:"|00 00 02 00|"; fast_pattern; distance:4; content:"|f4 01 00 00|"; content:"|f6 01 00 00|"; reference:url,https://attack.mitre.org/techniques/T1087/002/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6bdc92c0-c692-4ffb-9de7-65858b68da75; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/672e23b6-16eb-45f7-a0eb-f7969d56c209; metadata:created_at 2023_08_09, updated_at 2023_08_23; sid:3300334; rev:5; classtype:attempted-recon;)
Metadata
created at: 2023_08_09
updated at: 2023_08_23