List: emerging-sigs
Subject: [Emerging-Sigs] DCSync rule
From: James Lay <jlay () slave-tothe-box ! net>
Date: 2020-03-02 18:58:21
Message-ID: c49280e61ea267a80d789cb4823c370a () slave-tothe-box ! net
FWIW... tested during a pentest engagement:
in conf file:
ipvar DC_SERVERS [dc1,dc2,dc3]
in rules file:
alert tcp [!$DC_SERVERS] any -> [!$DC_SERVERS] [49152:65535] \
(msg:"Possible DCSync Detected"; flow:to_server,established; flags:PA; \
content:"|00 03 10 00 00 00|"; depth:8; content:"|03 00|"; distance:14; \
classtype:attempted-admin; sid:9999003;)
James
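Added example (not part of the original post or the Emerging Threats ruleset): a small Python check of what the rule's two content options actually match on a DCERPC request PDU, so the offsets can be sanity-checked offline. It builds constructed sample PDUs (not captures), evaluates the `content`/`depth`/`distance` logic the way Snort does, and decodes the opnum from the header for comparison; the function names and sample payloads are this example's own.

```python
import struct

# DCERPC connection-oriented request header (MS-RPCE, 24 bytes):
# ver minor ptype pfc_flags drep(4) frag_len(2) auth_len(2) call_id(4)
# alloc_hint(4) ctx_id(2) opnum(2)   -> opnum sits at offset 22
HDR_FMT = "<BBBB4sHHIIHH"
HDR_LEN = struct.calcsize(HDR_FMT)            # 24
PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_FIRST_LAST = 0x03
DREP_LE = b"\x10\x00\x00\x00"                 # little-endian, ASCII, IEEE float
DRS_GET_NC_CHANGES = 3                        # DRSUAPI opnum used by DCSync

def build_request(opnum, ptype=PTYPE_REQUEST, stub=b"\x00" * 16):
    """Constructed sample PDU (not a capture): minimal DCERPC request."""
    hdr = struct.pack(HDR_FMT, 5, 0, ptype, PFC_FIRST_LAST, DREP_LE,
                      HDR_LEN + len(stub), 0, 1, len(stub), 0, opnum)
    return hdr + stub

def rule_matches(payload):
    """Evaluate the rule's content options the way Snort does:
    content:"|00 03 10 00 00 00|"; depth:8  -> whole pattern within the first
      8 bytes (ptype=0 request, pfc=03, drep=10 00 00 00 at offset 2)
    content:"|03 00|"; distance:14  -> searched from 14 bytes past the end
      of the first match (offset 22, the opnum field) to end of payload.
    """
    first = b"\x00\x03\x10\x00\x00\x00"
    idx = payload[:8].find(first)
    if idx < 0:
        return False
    return payload.find(b"\x03\x00", idx + len(first) + 14) >= 0

def parse_opnum(payload):
    """Decode the opnum from the header; None if not a request PDU."""
    if len(payload) < HDR_LEN:
        return None
    fields = struct.unpack(HDR_FMT, payload[:HDR_LEN])
    if fields[2] != PTYPE_REQUEST:
        return None
    return fields[10]

if __name__ == "__main__":
    samples = {
        "DRSGetNCChanges request": build_request(DRS_GET_NC_CHANGES),
        "other DRSUAPI opnum": build_request(0),
        "bind PDU": build_request(0, ptype=PTYPE_BIND),
        # |03 00| later in the stub: rule fires although opnum is 0, because
        # distance without a within searches to the end of the payload
        "opnum 0, 03 00 in stub": build_request(0, stub=b"\x00\x00\x03\x00" * 4),
    }
    for name, pdu in samples.items():
        print(f"{name:26} rule={rule_matches(pdu)!s:5} opnum={parse_opnum(pdu)}")
```

The last sample shows why a `within:2` after the second `content` would tie the match to the opnum field itself rather than to any later `03 00` in the stub.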
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net