ATTACK AD [PTsecurity] DCShadow: Fake DC Creation

SID: 10002559
Rev: 3
Views: 20
Source: ptrules/open
Created: June 24, 2025
Updated: June 24, 2025
Classification: attempted-admin
alert tcp !$DC_SERVERS any -> any any (msg:"ATTACK AD [PTsecurity] DCShadow: Fake DC Creation"; flow:established, to_server; content:"|68 84 00|"; content:"CN="; distance:5; within:3; content:"CN=Servers,CN="; distance:0; content:",CN=Sites,CN=Configuration,DC="; distance:0; content:"objectClass"; distance:0; content:"server"; distance:0; reference:url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10002559; rev:3;)
