🐾 - 🔔 LDAP - Suspicious NTLMSSP_NEGOCIATE 🪟 Possible Impacket ldap connection (negociates flags + null value for calling worstation name & domain) 🥷 - T1018

SID: 3301125
Rev: 1
Source: pawpatrules
Created: January 26, 2024
Updated: January 26, 2024
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 389 (msg:"🐾 - 🔔 LDAP - Suspicious NTLMSSP_NEGOCIATE 🪟 Possible Impacket ldap connection (negociates flags + null value for calling worstation name & domain) 🥷 - T1018"; flow:to_server, stateless; content:"|4e 54 4c 4d 53 53 50 00 01 00 00 00|"; content:"|05 02 88 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; endswith; reference:url,https://attack.mitre.org/techniques/T1018/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2024_01_26, updated_at 2024_01_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1018, mitre_technique_name Remote_System_Discovery; sid:3301125; rev:1; classtype:attempted-recon;)

Metadata

created at: 2024_01_26
updated at: 2024_01_26
signature severity: Major
attack target: Client_Endpoint
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic id: TA0007
mitre tactic name: Discovery
mitre technique id: T1018
mitre technique name: Remote_System_Discovery
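
For triage of an alert from this rule, the following added example (not part of the pawpatrules rule or page) decodes the NTLMSSP NEGOTIATE_MESSAGE fields that the two `content` patterns cover, using the MS-NLMP field layout. The sample payloads and the `FRAMING` bytes are constructed, and `matches_rule` is stricter than the rule in that it requires the two patterns to be contiguous.

```python
import struct

SIG = b"NTLMSSP\x00"
RULE_FLAGS = 0xA0880205  # the rule's bytes 05 02 88 a0, read little-endian
# NegotiateFlags bit names as defined in MS-NLMP (only the bits set in RULE_FLAGS)
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

def parse_negotiate(payload: bytes):
    """Decode the first NTLMSSP NEGOTIATE_MESSAGE (type 1) in payload, or return None."""
    start = payload.find(SIG)
    if start < 0 or len(payload) - start < 32:
        return None  # no signature, or fixed part truncated
    msg_type, flags = struct.unpack_from("<II", payload, start + 8)
    if msg_type != 1:
        return None
    # DomainNameFields and WorkstationFields: Len, MaxLen, BufferOffset
    domain = struct.unpack_from("<HHI", payload, start + 16)
    workstation = struct.unpack_from("<HHI", payload, start + 24)
    names = [n for bit, n in FLAG_NAMES.items() if flags & bit]
    return {"flags": flags, "flag_names": names, "domain": domain,
            "workstation": workstation, "end": start + 32}

def matches_rule(payload: bytes) -> bool:
    """True when flags equal RULE_FLAGS, both field triples are zero, and the payload ends there."""
    m = parse_negotiate(payload)
    return (m is not None and m["flags"] == RULE_FLAGS
            and m["domain"] == (0, 0, 0) and m["workstation"] == (0, 0, 0)
            and m["end"] == len(payload))

# Constructed samples: FRAMING stands in for the LDAP bind bytes that precede the token.
FRAMING = b"\x00" * 6
HEADER = SIG + struct.pack("<II", 1, RULE_FLAGS)
SAMPLE_MATCH = FRAMING + HEADER + b"\x00" * 16
SAMPLE_NAMED = FRAMING + HEADER + struct.pack("<HHIHHI", 0, 0, 0, 4, 4, 32) + b"WS01"

if __name__ == "__main__":
    for label, data in (("match", SAMPLE_MATCH), ("named", SAMPLE_NAMED)):
        print(label, matches_rule(data), parse_negotiate(data))
```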
