🐾 - 🔔 SMB - Suspicious session setup request + NTLMSSP_AUTH 🪟 Possible Impacket or Metasploit smb connection (no DFS support + null hostname) 🥷 - T1021.002
Source: pawpatrules
Created: January 6, 2024
Updated: April 23, 2024
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 445 (msg:"🐾 - 🔔 SMB - Suspicious session setup request + NTLMSSP_AUTH 🪟 Possible Impacket or Metasploit smb connection (no DFS support + null hostname) 🥷 - T1021.002"; flow:to_server, stateless; content:"|fe 53 4d 42 40 00 01 00 00 00 00 00 01 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 01 00 00 00 00 00 00 00 00 58 00|"; fast_pattern; content:"|4e 54 4c 4d 53 53 50 00 03 00 00 00|"; content:"|00 00 00|"; content:"|00 00 00|"; distance:1; content:"|00 00 00 00 00 00 00 00|"; reference:url,https://attack.mitre.org/techniques/T1021/002/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2024_01_06, updated_at 2024_04_23, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1021_002, mitre_technique_name Remote_Services_SMB_Windows_Admin_Shares; sid:3301111; rev:5; classtype:attempted-recon;)
References
- https://attack.mitre.org/techniques/T1021/002/
- https://www.secureauth.com/labs/open-source-tools/impacket/
Metadata
created at: 2024_01_06
updated at: 2024_04_23
signature severity: Major
attack target: Client_Endpoint
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic id: TA0008
mitre tactic name: Lateral_Movement
mitre technique id: T1021_002
mitre technique name: Remote_Services_SMB_Windows_Admin_Shares