ATTACK AD [PTsecurity] DCShadow Replication Attempt

SID: 10002557Rev: 319 views
History
Sourceptrules/open
CreatedJune 24, 2025
UpdatedJune 24, 2025
Classificationattempted-admin
alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg:"ATTACK AD [PTsecurity] DCShadow Replication Attempt"; flow:established, to_server; content:"|05 00 0B|"; depth:3; content:"|35 42 51 E3 06 4B D1 11 AB 04 00 C0 4F C2 DC D2|"; distance:0; flowbits:set, RPC.Bind.DRSUAPI; flowbits:noalert; reference:url, dcshadow.com; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10002557; rev:3;)

References

urldcshadow.com
urlrules.ptsecurity.com

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!