🐾 - 🔔 DCERPC - NTLM Settings request to 🪟 - Possible System Information Discovery 🥷 - T1082

SID: 3301127
Rev: 1
19 views
Source: pawpatrules
Created: February 13, 2024
Updated: February 13, 2024
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET any (msg:"🐾 - 🔔 DCERPC - NTLM Settings request to 🪟 - Possible System Information Discovery 🥷 - T1082"; flow:to_server, stateless; content:"|05 00 00 83|"; content:"|5f 5f 50 41 52 41 4d 45 54 45 52 53 00 00 53 79 73 74 65 6d 5c 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 43 6f 6e 74 72 6f 6c 5c 4c 73 61 5c 4d 53 56 31 5f 30|"; fast_pattern; content:"|4e 54 4c 4d|"; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; metadata:created_at 2024_02_13, updated_at 2024_02_13, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; sid:3301127; rev:1; classtype:attempted-recon;)

Metadata

created at: 2024_02_13
updated at: 2024_02_13
signature severity: Major
attack target: Client_Endpoint
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic id: TA0007
mitre tactic name: Discovery
mitre technique id: T1082
mitre technique name: System_Information_Discovery
