🐾 - 🔔 LDAP - SASL GSS-API Privacy accepted DNS record from Windows DNS Server 🪟 Possible DNS Server Compromised 🥷 - T1584.002 - Check if legitimate client request

SID: 3301159
Rev: 18
Views: 32

History
Source: pawpatrules
Created: March 17, 2024
Updated: March 17, 2024
Classification: misc-attack
alert tcp $HOME_NET 389 -> any any (msg:"🐾 - 🔔 LDAP - SASL GSS-API Privacy accepted DNS record from Windows DNS Server 🪟 Possible DNS Server Compromised 🥷 - T1584.002 - Check if legitimate client request"; flow:to_client, stateless; dsize:<200; threshold:type limit, track by_src,count 1, seconds 10; content:"|00 00 00 52 05 04 07 ff 00 00 00 1c|"; reference:url,https://attack.mitre.org/techniques/T1584.002/; reference:url,https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/; reference:url,https://github.com/Kevin-Robertson/Powermad; metadata:created_at 2024_03_17, updated_at 2024_03_17, signature_severity Informational, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1584.002, mitre_technique_name Compromise_Infrastructure_DNS_Server; sid:3301159; rev:18; classtype:misc-attack;)

Metadata

created_at: 2024_03_17
updated_at: 2024_03_17
signature_severity: Informational
attack_target: Server_Endpoint
affected_product: Windows_Server_32_64_Bit
mitre_tactic_id: TA0042
mitre_tactic_name: Resource_Development
mitre_technique_id: T1584.002
mitre_technique_name: Compromise_Infrastructure_DNS_Server
