
List:       emerging-sigs
Subject:    [Emerging-Sigs] Pass The Hash (man...)
From:       richrumble () gmail ! com (Rich Rumble)
Date:       2009-02-10 12:26:11
Message-ID: fe96dc1e0902100426g25c039ecta3fd493f510320 () mail ! gmail ! com

I'll look into it; I need to start improving my submissions in that
fashion (depth, distance, etc.).

On Tue, Feb 10, 2009 at 12:00 AM, Frank Knobbe <frank at knobbe.us> wrote:

> On Mon, 2009-02-09 at 21:14 -0500, Rich Rumble wrote:
> > #PsExec rule for lan
> > alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY PsExec service
> > created"; flow:to_server,established; content:"|5c 00 50 00 53 00 45
> > 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|";
> > classtype:suspicious-filename-detect; sid:999990; rev:1;)
> > 
> > #RctrlX rule
> > alert tcp any any -> $HOME_NET 139:445 (msg:"POLICY RemoteControlX,
> > rctrlx service created"; flow:to_server,established; content:"|5c 00
> > 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78
> > 00 65|"; classtype:suspicious-filename-detect; sid:999991; rev:1;)
> > 
> > #GsecDump rule
> > alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT GsecDump,
> > GsecDump executed"; flow:to_server,established; content:"|67 00 73 00
> > 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|";
> > classtype:suspicious-filename-detect; sid:999992; rev:1;)
> 
> 
> Yeah, Pass-the-hash rocks, used it on several pentests. It's a sweet
> tool.
> 
> I'm curious if the above sigs can be improved such that the byte
> sequences can be fixed to a certain offset, or at least a depth of the
> packet. Are those sequences always at the same offset from the packet
> start? That would help reduce FPs and make the rules faster.
> 
> Cheers,
> Frank
> 
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
> 
> 
> 
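Frank's question in the thread (do the byte sequences sit at a fixed offset, and would `offset`/`depth` be safe) is something a rule writer can answer from captures before changing the signatures. The Python below is an added example written for this archive page; it is not code from the thread or from Emerging Threats. It decodes the three `content` hex strings (all three stop one byte short of the final UTF-16LE code unit, which the decoder pads), emulates Snort's offset/depth window, and derives the tightest window that still matches every known-good payload. The sample payloads are constructed filler with arbitrary prefix lengths, not real SMB captures; in practice the same functions would be run over true-positive pcap payloads.

```python
from typing import Dict, List, Optional, Tuple

# The three content strings, copied verbatim from the rules in the thread.
RULE_CONTENT: Dict[str, str] = {
    "psexec":   "|5c 00 50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|",
    "rctrlx":   "|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|",
    "gsecdump": "|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|",
}


def snort_hex_to_bytes(content: str) -> bytes:
    """Turn a Snort |xx xx ...| content string into the raw bytes it matches."""
    inner = content.strip()
    if len(inner) < 2 or inner[0] != "|" or inner[-1] != "|":
        raise ValueError("expected a |..| hex content string")
    return bytes.fromhex(inner[1:-1])


def content_as_text(content: str) -> str:
    """Decode the matched bytes as UTF-16LE, the encoding SMB uses for names.

    The strings in the thread end on the low byte of the last character
    without its 0x00 high byte, so an odd-length pattern is padded first.
    """
    raw = snort_hex_to_bytes(content)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def utf16le_content(name: str) -> str:
    """Build the complete |..| content string for a name (e.g. a new service)."""
    return "|" + " ".join(f"{b:02x}" for b in name.encode("utf-16-le")) + "|"


def match_offset(payload: bytes, pattern: bytes) -> Optional[int]:
    """Byte offset of the first occurrence of pattern in payload, or None."""
    idx = payload.find(pattern)
    return None if idx < 0 else idx


def matches_within(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Emulate a content match constrained by Snort's offset/depth modifiers:
    the whole pattern must lie inside the depth-byte window starting at
    offset (depth taken relative to offset, as when both are set)."""
    return payload[offset:offset + depth].find(pattern) >= 0


def suggest_window(samples: List[bytes], pattern: bytes) -> Optional[Tuple[int, int]]:
    """Tightest (offset, depth) that still matches every known-good sample.

    offset is the earliest position observed; depth is the number of bytes
    from that offset needed to cover the latest occurrence. Returns None if
    any sample lacks the pattern, since then no window can be declared safe.
    """
    offsets = [match_offset(s, pattern) for s in samples]
    if any(o is None for o in offsets):
        return None
    lo, hi = min(offsets), max(offsets)
    return lo, (hi + len(pattern)) - lo


def constructed_samples(name: str) -> List[bytes]:
    """Constructed stand-ins for captured SMB payloads (not real traffic):
    the same UTF-16LE name behind filler of three assumed lengths, which is
    the shape a real capture set takes when header or path lengths vary."""
    body = name.encode("utf-16-le")
    return [b"\x00" * n + body + b"\x00\x00" for n in (40, 52, 64)]


if __name__ == "__main__":
    for key, content in RULE_CONTENT.items():
        pattern = snort_hex_to_bytes(content)
        samples = constructed_samples(content_as_text(content))
        print(key, repr(content_as_text(content)),
              "offsets:", [match_offset(s, pattern) for s in samples],
              "window (offset, depth):", suggest_window(samples, pattern))
```

If the offsets printed for real captures are all identical, a fixed `offset` plus a `depth` equal to the pattern length is safe; if they drift, as the constructed samples do, only the wider window returned by `suggest_window` (or `depth` alone, with a margin) avoids trading false negatives for the speed-up.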