ATTACK AD [PTsecurity] Possible MS-RPRN abuse (PrinterBug). Hash or Ticket theft

SID: 10004153Rev: 525 views
History
Sourceptrules/open
CreatedJune 24, 2025
UpdatedJune 24, 2025
Classificationattempted-admin
alert smb any any -> any any (msg:"ATTACK AD [PTsecurity] Possible MS-RPRN abuse (PrinterBug). Hash or Ticket theft"; flow:to_server, established, no_stream; content:"SMB"; offset:5; depth:3; content:"|05 00 00|"; distance:0; byte_test:1, &, 0x80, 0, relative; content:"|41 00|"; distance:19; within:2; content:"|00 01 00 00|"; distance:36; within:4; content:"|5C 00 5C 00|"; fast_pattern; distance:0; flowbits:isset, DCERPC.BIND.SPOOLSS; xbits:set, CoercedAuth, track ip_dst, expire 10; reference:url, posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10004153; rev:5;)

References

urlposts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
urlrules.ptsecurity.com

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!