🐾 - 🔔 DCERPC - Domain Name Service (DNS) Server Management Protocol - Map Response from 🪟 DNSSERVER interface - Possible Remote Privilege Escalation 🥷 - T1068
Source: pawpatrules
Created: March 4, 2024
Updated: March 4, 2024
Classification: attempted-recon
alert tcp-pkt $HOME_NET 135 -> any any (msg:"🐾 - 🔔 DCERPC - Domain Name Service (DNS) Server Management Protocol - Map Response from 🪟 DNSSERVER interface - Possible Remote Privilege Escalation 🥷 - T1068"; flow:to_client, stateless; content:"|05 00 02|"; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; fast_pattern; content:"|04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60|"; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/5093503c-687e-4376-9127-50504908fb91; reference:url,https://phackt.com/dnsadmins-group-exploitation-write-permissions; target:src_ip; metadata:created_at 2024_03_04, updated_at 2024_03_04, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_technique_id T1068, mitre_technique_name Privilege_Escalation; sid:3301157; rev:1; classtype:attempted-recon;)
References
Metadata
created at: 2024_03_04
updated at: 2024_03_04
signature severity: Major
attack target: Client_and_Server
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre technique id: T1068
mitre technique name: Privilege_Escalation