🐾 - 🔔 SMB - Suspicious session setup request via Kerberos Auth 🪟 Possible Impacket connection (no DFS support + no signing required) 🥷 - T1021.002 - Suricata Rule 3321440 (pawpatrules)

🐾 - 🔔 SMB - Suspicious session setup request via Kerberos Auth 🪟 Possible Impacket connection (no DFS support + no signing required) 🥷 - T1021.002

SID: 3321440Rev: 2101 views

Sourcepawpatrules

CreatedMarch 31, 2025

UpdatedApril 1, 2025

Classificationattempted-recon

alert tcp-pkt any any -> $HOME_NET 445 (msg:"🐾 - 🔔 SMB - Suspicious session setup request via Kerberos Auth 🪟 Possible Impacket connection (no DFS support + no signing required) 🥷 - T1021.002"; flow:to_server, stateless; content:"|fe 53 4d 42 40 00 01 00 00 00 00 00 01 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 01 00 00 00 00 00 00 00 00 58 00|"; fast_pattern; content:"|63 69 66 73|"; content:"|00 00 00 00 00 00 00 00|"; target:dest_ip; reference:url,https://attack.mitre.org/techniques/T1021/002/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2025_04_01, updated_at 2025_04_01, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1021_002, mitre_technique_name Remote_Services_SMB_Windows_Admin_Shares; sid:3321440; rev:2; classtype:attempted-recon;)

References

url	https://attack.mitre.org/techniques/T1021/002/
url	https://www.secureauth.com/labs/open-source-tools/impacket/

Metadata

created at2025_04_01

updated at2025_04_01

signature severityMajor

attack targetClient_Endpoint

affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit

mitre tactic idTA0008

mitre tactic nameLateral_Movement

mitre technique idT1021_002

mitre technique nameRemote_Services_SMB_Windows_Admin_Shares

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!