🐾 - 🔔 DCERPC - SAMR DispEntryFullGroup response from 🪟 DC - Possible Domain Groups Discovery 🥷 - T1069.002
Source: pawpatrules
Created: August 10, 2023
Updated: August 23, 2023
Classification: attempted-recon
alert tcp-pkt $HOME_NET 445 -> any any (msg:"🐾 - 🔔 DCERPC - SAMR DispEntryFullGroup response from 🪟 DC - Possible Domain Groups Discovery 🥷 - T1069.002"; flow:to_client, stateless; content:"|fe 53 4d 42|"; content:"|00 00 00 00|"; content:"|03 00 00 00|"; fast_pattern; distance:4; content:"|00 00 02 00 00 00 00 00|"; distance:8; content:"|0e 02 00 00|"; content:"|0f 02 00 00|"; content:"|00 02 00 00|"; reference:url,https://attack.mitre.org/techniques/T1069/002/; reference:url,https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021; metadata:created_at 2023_08_10, updated_at 2023_08_23; sid:3300335; rev:3; classtype:attempted-recon;)
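References
https://attack.mitre.org/techniques/T1069/002/
https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021
Metadata
created at: 2023_08_10
updated at: 2023_08_23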