🐾 - 🔔 SAMR - Suspicious ChangePasswordUser request to Active Directory 🪟 Possible Impacket smbpasswd script targeting password must be changed 🥷 - T1098

SID: 3301109
Rev: 1
21 views
Source: pawpatrules
Created: January 3, 2024
Updated: January 3, 2024
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 445 (msg:"🐾 - 🔔 SAMR - Suspicious ChangePasswordUser request to Active Directory 🪟 Possible Impacket smbpasswd script targeting password must be changed 🥷 - T1098"; flow:to_server, stateless; content:"|fe 53 4d 42 40 00 01 00 00 00 00 00 09 00 7f 00 08 00 00 00 00 00 00 00 17 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|05 00 00 03|"; content:"|00 00 37 00|"; content:"|00 bf bf bf 00 00 00 00 00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1098/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/41d7ca60-909f-4d0d-b85a-c9a35b5f2aaa; reference:url,https://snovvcrash.rocks/2020/10/31/pretending-to-be-smbpasswd-with-impacket.html; reference:url,https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; reference:url,https://github.com/fortra/impacket/blob/master/examples/smbpasswd.py; metadata:created_at 2024_01_03, updated_at 2024_01_03; sid:3301109; rev:1; classtype:attempted-recon;)
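The four content matches above decode as: a 36-byte SMB2 header prefix (ProtocolId "\xfeSMB", Command 0x0009 = WRITE, CreditRequest 0x7f, Flags 0x08 = signed, MessageId 0x17), a DCERPC request header (version 5.0, ptype 0 = request, pfc_flags 0x03 = first and last fragment), a context id of 0 followed by SAMR opnum 0x37 = 55 (SamrUnicodeChangePasswordUser2 in MS-SAMR), and a fixed 12-byte tail that must close the TCP payload. The added Python below, which is not part of pawpatrules or the rule above, builds a constructed SMB2 WRITE carrying such a request, mirrors the rule's matching semantics (each pattern anywhere in the payload, the last anchored by `endswith`), and decodes the fields the rule pins down so an analyst can see why a packet hit; because MessageId and the credit request are part of the fast pattern, the rule fingerprints one exact client exchange and is brittle to any change in the client's request sequence.

```python
import struct

# Byte patterns copied from the rule's content: keywords.
SMB2_HDR = bytes.fromhex("fe534d4240000100000000000900" "7f0008000000000000001700000000000000" "00000000")
DCERPC_REQ = bytes.fromhex("05000003")   # rpc_vers 5, minor 0, ptype 0 (request), flags FIRST|LAST
SAMR_OPNUM = bytes.fromhex("00003700")   # p_cont_id 0, opnum 0x37 = SamrUnicodeChangePasswordUser2
TAIL = bytes.fromhex("00bfbfbf" + "00" * 8)


def build_sample(opnum: int = 0x37, message_id: int = 0x17) -> bytes:
    """Constructed TCP payload (NetBIOS + SMB2 WRITE + DCERPC request); not a real capture."""
    stub = b"\x00" * 16 + TAIL                       # constructed stub that ends like the rule's tail
    dcerpc = struct.pack("<BBBB4sHHIIHH", 5, 0, 0, 3, b"\x10\x00\x00\x00",
                         24 + len(stub), 0, 1, len(stub), 0, opnum) + stub
    # SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command(WRITE=9),
    # CreditRequest, Flags(SIGNED=8), NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 1, 0, 9, 0x7F, 8, 0,
                      message_id, 0, 0, 0, b"\x00" * 16)
    # SMB2 WRITE request (48 fixed bytes, DataOffset 0x70 from the SMB2 header) + RPC data
    write = struct.pack("<HHIQ16sIIHHI", 49, 0x70, len(dcerpc), 0, b"\xff" * 16,
                        0, 0, 0, 0, 0) + dcerpc
    netbios = struct.pack(">I", len(hdr) + len(write))   # type 0x00 + 3-byte length
    return netbios + hdr + write


def matches_rule(payload: bytes) -> bool:
    """Mirror the rule: every content anywhere in the payload, TAIL anchored at the end."""
    return (SMB2_HDR in payload and DCERPC_REQ in payload
            and SAMR_OPNUM in payload and payload.endswith(TAIL))


def describe(payload: bytes) -> dict:
    """Decode the fields the rule pins down, to explain a hit (or a near miss) to an analyst."""
    i = payload.find(b"\xfeSMB")
    if i < 0 or len(payload) < i + 64:
        return {"smb2": False, "matches_rule": matches_rule(payload)}
    cmd, credits, flags = struct.unpack_from("<HHI", payload, i + 12)
    info = {"smb2": True, "command": cmd, "credit_request": credits,
            "signed": bool(flags & 0x8), "message_id": struct.unpack_from("<Q", payload, i + 24)[0]}
    d = payload.find(DCERPC_REQ)
    if d >= 0 and len(payload) >= d + 24:
        info["dcerpc_ptype"] = payload[d + 2]
        info["opnum"] = struct.unpack_from("<H", payload, d + 22)[0]   # header offset 22
    info["matches_rule"] = matches_rule(payload)
    return info


if __name__ == "__main__":
    print(describe(build_sample()))                   # hit: opnum 55, message id 23
    print(describe(build_sample(message_id=0x18)))    # same request, one message id later: no hit
```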

Metadata

created at: 2024_01_03
updated at: 2024_01_03
