🐾 - 🔔 SAMR - Suspicious Map Request 🪟 to an IP Address - Possible Impacket addcomputer script targeting Active Directory 🥷 - S0357 - T1136.002

SID: 3301105
Rev: 4
Source: pawpatrules
Created: December 29, 2023
Updated: January 3, 2024
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 135 (msg:"🐾 - 🔔 SAMR - Suspicious Map Request 🪟 to an IP Address - Possible Impacket addcomputer script targeting Active Directory 🥷 - S0357 - T1136.002"; flow:to_server, stateless; content:"|05 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ac|"; fast_pattern; content:"|01 00 11 0d 00|"; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,https://attack.mitre.org/software/S0357/; reference:url,https://attack.mitre.org/techniques/T1136/002/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/084da2e7-0ba0-44fc-8f17-e8a200c69eb5; reference:url,https://0xffsec.com/handbook/services/msrpc/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; reference:url,https://github.com/fortra/impacket/blob/master/examples/addcomputer.py; metadata:created_at 2023_12_29, updated_at 2024_01_03; sid:3301105; rev:4; classtype:attempted-recon;)

Metadata

created at: 2023_12_29
updated at: 2024_01_03
