🐾 - 🔔 KeePass 🔐 config file searching over SMB 🪟 - Possible Lateral Movement 🥷 - T1021.002
Source: pawpatrules
Created: December 23, 2023
Updated: December 23, 2023
Classification: attempted-recon
alert tcp any any -> any 445 (msg:"🐾 - 🔔 KeePass 🔐 config file searching over SMB 🪟 - Possible Lateral Movement 🥷 - T1021.002"; flow:to_server, stateless; content:"|fe 53 4d 42|"; content:"|55 00 73 00 65 00 72 00 73 00 5c|"; content:"|41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69 00 6e 00 67 00 5c 00 4b 00 65 00 65 00 50 00 61 00 73 00 73 00 5c 00 4b 00 65 00 65 00 50 00 61 00 73 00 73 00 2e 00 63 00 6f 00 6e 00 66 00 69 00 67 00 2e 00 78 00 6d 00 6c|"; fast_pattern; reference:url,https://keepass.info/; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/002/; classtype:attempted-recon; sid:3301099; rev:1; metadata:created_at 2023_12_23, updated_at 2023_12_23;)
References
Metadata
created at: 2023_12_23
updated at: 2023_12_23