ATTACK [PTsecurity] PetitPotam (Machine account NTLM Hash leak) attempt

SID: 10006664
Rev: 3
Source: ptresearch/attackdetection
Created: July 23, 2021
Updated: November 19, 2021
Classification: attempted-admin
alert dcerpc any any -> any any (msg:"ATTACK [PTsecurity] PetitPotam (Machine account NTLM Hash leak) attempt"; flow:established, to_server; content:"|05 00 00|"; depth:70; content:"|00 00|"; distance:19; within:2; flowbits:isset, DCERPC.EFSR.Bind; xbits:set, PetitPotam.Attempt, track ip_dst, expire 10; reference:url, github.com/ptresearch/AttackDetection; reference:url, github.com/topotam/PetitPotam; metadata:Open Ptsecurity.com ruleset; metadata:created_at 2021_07_23, updated_at 2021_11_19; classtype:attempted-admin; sid:10006664; rev:3;)

Metadata

Open Ptsecurity.com ruleset
