ATTACK [PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5
Source: ptresearch/attackdetection
Created: March 30, 2022
Updated: March 30, 2022
Classification: attempted-user
alert tcp $HOME_NET any -> $DC_SERVERS 88 (msg:"ATTACK [PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5"; flow:no_stream, established, to_server; content:"|A1 03 02 01 05 A2 03 02 01 0A|"; offset:12; depth:10; content:"|A1 03 02 01 02|"; distance:5; within:6; content:"|A0 03 02 01 17|"; distance:6; within:6; content:"krbtgt"; distance:0; xbits:set, Krb5.AsReq, track ip_src, expire: 10; classtype:attempted-user; reference:url, github.com/ptresearch/AttackDetection; sid:10002228; rev:1;)