ATTACK AD [PTsecurity] DCShadow Replication Attempt

SID: 10002557
Rev: 2
Source: ptresearch/attackdetection
Created: December 13, 2021
Updated: December 13, 2021
Classification: attempted-admin
alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg:"ATTACK AD [PTsecurity] DCShadow Replication Attempt"; flow:established, to_server; content:"|05 00 0B|"; depth:3; content:"|35 42 51 E3 06 4B D1 11 AB 04 00 C0 4F C2 DC D2|"; distance:0; flowbits:set, RPC.Bind.DRSUAPI; flowbits:noalert; reference:url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10002557; rev:2;)
