ATTACK AD [PTsecurity] Possible MS-RPRN abuse. Hash or Ticket theft
Source: ptresearch/attackdetection
Created: December 13, 2021
Updated: December 13, 2021
Classification: attempted-recon
alert smb any any -> $DC_SERVERS 445 (msg:"ATTACK AD [PTsecurity] Possible MS-RPRN abuse. Hash or Ticket theft"; flow:to_server, established, no_stream; content:"SMB"; offset:5; depth:3; content:"|05 00 00|"; distance:0; content:"|41 00|"; distance:19; within:2; content:"|00 01 00 00|"; distance:36; within:4; content:"|5C 00 5C 00|"; fast_pattern; distance:0; flowbits:isset, DCERPC.BIND.SPOOLSS; reference:url, posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d; reference:url, github.com/ptresearch/AttackDetection; classtype:attempted-recon; sid:10004153; rev:1;)