# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# π Charles BLANC-ROLIN β ΅ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# π₯· Lateral Movement
# --- Remote command execution over DCOM / WMI ------------------------------------------------
# sid 3300307: UTF-16LE "ExecuteShellCommand" in traffic towards $HOME_NET. flow is stateless,
# so the match is evaluated regardless of session state. The negated content drops packets that
# also carry UTF-16LE "SQLCmdParserExecuter" — presumably a known benign caller; confirm with the
# author before widening or removing that exclusion.
alert tcp any any -> $HOME_NET any (msg:"πΎ - π Remote DCOM Execute Shell Command - Possible Lateral Movement π₯· - T1021.003"; flow:stateless,to_server; content:!"S|00|Q|00|L|00|C|00|m|00|d|00|P|00|a|00|r|00|s|00|e|00|r|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|r"; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1021/003/; metadata:created_at 2021_12_08, updated_at 2022_11_03; sid:3300307; rev:5; classtype:attempted-recon;)
# sid 3300308: per-packet match on a DCERPC PDU (05 00 00 in the first 3 bytes) carrying
# UTF-16LE "Win32_Process" followed by "create" (nocase) starting 16–22 bytes after it. It also
# sets the flowbit WMI.Win32_Process.Create; nothing in this file reads that bit, so a consumer
# probably lives in another rule file — keep the set in place.
alert tcp-pkt any any -> $HOME_NET any (msg:"πΎ - π Remote WMI Win32_Process create - Possible Lateral Movement π₯· - T1021.006"; flow:stateless,to_server; content:"|05 00 00|"; depth: 3; content:"W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00 00 00|"; fast_pattern; content:"c|00|r|00|e|00|a|00|t|00|e|00|"; distance: 16; within: 12; nocase; flowbits: set, WMI.Win32_Process.Create; reference:url,https://attack.mitre.org/techniques/T1021/006/; reference:url,https://github.com/ptresearch/AttackDetection/; metadata:created_at 2021_12_08, updated_at 2022_11_03; sid:3300308; rev:5; classtype:attempted-recon;)
# --- SYN-rate thresholds from the local network -----------------------------------------------
# sids 3300309–3300316 share one shape: SYN packets (flags:S,12 ignores the two reserved bits)
# from $HOME_NET to a well-known service port, thresholded per source address. They count
# connection attempts, not authentication failures, so vulnerability scanners, monitoring and
# backup hosts inside $HOME_NET will trip them; whitelist those sources with a pass rule or a
# suppress entry rather than raising the counts. Per-port count/window:
#   SSH 10/20s, SMB 60/60s, TELNET 10/20s, FTP 40/60s, FTPS 40/60s, RDP 60/60s, LDAP 80/60s, LDAPS 60/60s.
alert tcp $HOME_NET any -> any 22 (msg:"πΎ - π Potential SSH Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 10, seconds 20; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300309; rev:4; metadata:created_at 2022_05_19, updated_at 2022_05_23;)
alert tcp $HOME_NET any -> any 445 (msg:"πΎ - π Potential SMB Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 60, seconds 60; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300310; rev:4; metadata:created_at 2022_05_19, updated_at 2022_05_23;)
alert tcp $HOME_NET any -> any 23 (msg:"πΎ - π Potential TELNET Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 10, seconds 20; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300311; rev:4; metadata:created_at 2022_05_19, updated_at 2022_05_23;)
alert tcp $HOME_NET any -> any 21 (msg:"πΎ - π Potential FTP Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 40, seconds 60; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300312; rev:4; metadata:created_at 2022_05_19, updated_at 2022_05_23;)
alert tcp $HOME_NET any -> any 990 (msg:"πΎ - π Potential FTPS Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 40, seconds 60; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300313; rev:4; metadata:created_at 2022_05_19, updated_at 2022_05_23;)
alert tcp $HOME_NET any -> any 3389 (msg:"πΎ - π Potential RDP Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 60, seconds 60; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300314; rev:4; metadata:created_at 2022_05_19, updated_at 2022_05_23;)
alert tcp $HOME_NET any -> any 389 (msg:"πΎ - π Potential LDAP Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 80, seconds 60; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300315; rev:5; metadata:created_at 2022_05_19, updated_at 2023_11_17;)
alert tcp $HOME_NET any -> any 636 (msg:"πΎ - π Potential LDAPS Brute Force Attack or Scan on default port from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 60, seconds 60; reference:url,https://en.wikipedia.org/wiki/Brute-force_attack; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300316; rev:4; metadata:created_at 2022_05_19, updated_at 2022_05_23;)
# sid 3300317: same shape for any destination port, 150 SYNs per second per source, with
# "stateless" added to flow (the eight rules above omit it — confirm the difference is intended).
# NOTE(review): tagged T1110 (brute force) while a port sweep is closer to T1046, which this file
# already uses for Network Service Discovery (sid 3300330); consider retagging.
alert tcp $HOME_NET any -> any any (msg:"πΎ - π Potential Massive Port Scan from local network - Possible Lateral Movement π₯· - T1110"; flow:to_server, stateless; flags:S,12; threshold: type threshold, track by_src, count 150, seconds 1; reference:url,https://capec.mitre.org/data/definitions/287.html; reference:url,https://attack.mitre.org/techniques/T1110/; classtype:attempted-recon; sid:3300317; rev:2; metadata:created_at 2022_06_18, updated_at 2022_06_18;)
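# --- TLS scanner activity ---------------------------------------------------------------------
# sid 3300318: a 7-byte TLS Alert record (content type 0x15) whose bytes after the 2-byte record
# version are 00 02 02 28 — length 2, level fatal (2), description handshake_failure (40) — seen
# 15 times in 20 s from one source. A server answering a stream of incompatible Client Hellos
# (cipher/version probing) produces exactly this.
alert tls any any -> any any (msg:"πΎ - π Many TLS Handshake Failure - Potential SSL Scan activity π₯· - T1595.002"; flow:to_client, stateless; dsize:7; content:"|15|"; content:"|00 02 02 28|"; distance:2; within:4; fast_pattern; threshold: type threshold, track by_src, count 15, seconds 20; reference:url,https://github.com/rbsec/sslscan; reference:url,https://attack.mitre.org/techniques/T1595/002/; classtype:attempted-recon; sid:3300318; rev:1; metadata:created_at 2023_08_02, updated_at 2023_08_02;)
# sid 3300319: TLS record 16 03, handshake type 01 (Client Hello) 3 bytes later, then a version
# byte 03, 70 times in 50 s per source, where the SNI looks like a dotted IPv4 literal.
# Fixed: the dots in the pcre were unescaped and matched any character, so any SNI with four
# digit runs separated by single characters (constructed example: "a1b2c3d4.example.com") also
# matched; escaped to agree with the pattern used by sid 3301105. Anchoring with ^…$ would make
# it stricter still if the buffer proves to be the bare host name. rev bumped 8 -> 9;
# set updated_at to the commit date when releasing.
alert tls any any -> any any (msg:"πΎ - π Many TLS Client Hello to IP address - Potential SSL Scan activity π₯· - T1595.002"; flow:to_server, stateless; content:"|16 03|"; fast_pattern; content:"|01|"; distance:3; content:"|03|"; distance:3; threshold: type threshold, track by_src, count 70, seconds 50; tls_sni; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,https://github.com/rbsec/sslscan; reference:url,https://attack.mitre.org/techniques/T1595/002/; classtype:attempted-recon; sid:3300319; rev:9; metadata:created_at 2023_08_02, updated_at 2023_08_04;)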
# --- Directory replication / LSA policy reads, VMware SLP --------------------------------------
# sid 3300320: DRSUAPI request towards $HOME_NET (DCERPC header 05 00 00, then the fixed 12-byte
# sequence 03 00 00 00 44 00 00 00 00 00 10 00). Legitimate DCs replicate with the same call, so
# as the msg says validate the source: suppress or pass for known DC addresses only.
alert tcp-pkt any any -> $HOME_NET any (msg:"πΎ - π DRSUAPI DsGetDomainControllerInfo - Possible Impacket secrectsdump DCSync attack π₯· - T1003.006 - Check if source is a legit πͺ Domain Controler"; flow:to_server, stateless; content:"|05 00 00|"; depth:3; content:"|03 00 00 00 44 00 00 00 00 00 10 00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1003/006/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2022_11_03, updated_at 2024_05_30, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1003_006, mitre_technique_name OS_Credential_Dumping_DCSync; sid:3300320; rev:13; classtype:attempted-recon;)
# sid 3300321: DCERPC response (05 00 02 03) from a $HOME_NET host on 445 carrying the fixed
# 8 bytes 02 00 00 00 18 00 00 00 and ending in a zero dword — the LsarOpenPolicy2 reply named
# in the msg. It matches the answering side, so the alert's destination is the host to look at.
alert tcp $HOME_NET 445 -> any any (msg:"πΎ - π LSARPC LsarOpenPolicy2 Response from πͺ DC - Possible infos request (net user / PingCastle / Mimikatz DCSync) π₯· - T1003 - Check if destination is legitimate"; flow: to_client, stateless; content:"|05 00 02 03|"; content:"|02 00 00 00 18 00 00 00|"; fast_pattern; content:"|00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1003/006/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2c6f3cf9-d792-4e8b-9af5-5470f636c20a; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/9456a963-7c21-4710-af77-d0a2f5a72d6b; reference:url,https://github.com/gentilkiwi/mimikatz; reference:url,https://www.pingcastle.com/; metadata:created_at 2022_11_12, updated_at 2023_03_17; sid:3300321; rev:6; classtype:attempted-recon;)
# sid 3300322 / 3300323: SLP v2 on UDP 427. The hex content is ASCII "service:VMwareInfrastructure://"
# (reply, PDU 02 02) and "service:VMwareInfrastructure" + "DEFAULT" (request, PDU 02 01). Both
# directions fire independently. The referenced VMSA advisories and CERTFR-2023-ALE-015 are the
# background for why this service is worth watching on ESXi hosts; per the msg, confirm the peer.
alert udp any 427 -> any any (msg:"πΎ - π VMWare SLP VMwareInfrastructure service Reply - Possible OpenSLP vulnerability exploit π₯· - Seen in ESXi Ransomware π attacks - Make sure the destination is legitimate"; flow: to_client, stateless; content:"|02 02|"; content:"|73 65 72 76 69 63 65 3a 56 4d 77 61 72 65 49 6e 66 72 61 73 74 72 75 63 74 75 72 65 3a 2f 2f|"; fast_pattern; reference:url,https://www.vmware.com/security/advisories/VMSA-2019-0022.html; reference:url,https://www.vmware.com/security/advisories/VMSA-2020-0023.html; reference:url,https://www.vmware.com/security/advisories/VMSA-2021-0002.html; reference:url,https://blogs.vmware.com/security/2023/02/83330.html; reference:url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/; metadata:created_at 2023_02_05, updated_at 2023_02_07; sid:3300322; rev:5; classtype:attempted-recon;)
alert udp any any -> any 427 (msg:"πΎ - π VMWare SLP VMwareInfrastructure service Request - Possible OpenSLP vulnerability exploit π₯· - Seen in ESXi Ransomware π attacks - Make sure the source is legitimate"; flow: to_server, stateless; content:"|02 01|"; content:"|73 65 72 76 69 63 65 3a 56 4d 77 61 72 65 49 6e 66 72 61 73 74 72 75 63 74 75 72 65|"; fast_pattern; content:"|44 45 46 41 55 4c 54|"; distance:2; reference:url,https://www.vmware.com/security/advisories/VMSA-2019-0022.html; reference:url,https://www.vmware.com/security/advisories/VMSA-2020-0023.html; reference:url,https://www.vmware.com/security/advisories/VMSA-2021-0002.html; reference:url,https://blogs.vmware.com/security/2023/02/83330.html; reference:url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/; metadata:created_at 2023_02_08, updated_at 2023_02_08; sid:3300323; rev:1; classtype:attempted-recon;)
# --- WMI query results leaving $HOME_NET (remote enumeration, Seatbelt-style) -----------------
# Four replies match the DCERPC response header 05 00 02 03 (sid 3300326: 05 00 02 00) and one
# request (sid 3300327) the request header 05 00 00 83, each followed by ASCII class-name or
# registry-path fragments:
#   3300324  "MSFT_DNSClientCache"                 — DNS client cache contents
#   3300325  "AntiVirusProduct" .. "displayName"   — installed AV product name
#   3300326  "__PARAMETERS" .. "abstract", "DefKey" .. "uint32", .. "ROOT\Default" — registry read via WMI
#   3300327  "PARAMETERS" .. "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" (request towards $HOME_NET)
#   3301098  "Win32_Service" .. "AppIDSvc"         — Application Identity (AppLocker) service state
# Replies are matched to_client from $HOME_NET, so the alert's destination is the querying host.
# Inventory and EDR/management consoles issue these same queries — baseline those sources first.
alert tcp $HOME_NET any -> any any (msg:"πΎ - π DNSCache WMI Reply πͺ - Possible Lateral Movement π₯· - T1021.006"; flow:to_client, stateless; content:"|05 00 02 03|"; content:"|4d 53 46 54 5f 44 4e 53 43 6c 69 65 6e 74 43 61 63 68 65|"; fast_pattern; reference:url,https://wikipedia.org/wiki/Windows_Management_Instrumentation; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; classtype:attempted-recon; sid:3300324; rev:6; metadata:created_at 2023_07_14, updated_at 2023_07_17;)
alert tcp $HOME_NET any -> any any (msg:"πΎ - π Antivirus WMI Reply πͺ - Possible Lateral Movement π₯· - T1021.006"; flow:to_client, stateless; content:"|05 00 02 03|"; content:"|41 6e 74 69 56 69 72 75 73 50 72 6f 64 75 63 74 00 00 64 69 73 70 6c 61 79 4e 61 6d 65|"; fast_pattern; reference:url,https://wikipedia.org/wiki/Windows_Management_Instrumentation; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; classtype:attempted-recon; sid:3300325; rev:6; metadata:created_at 2023_07_14, updated_at 2023_07_17;)
alert tcp $HOME_NET any -> any any (msg:"πΎ - π System infos WMI Reply πͺ - Possible Lateral Movement π₯· - T1021.006"; flow:to_client, stateless; content:"|05 00 02 00|"; content:"|5f 5f 50 41 52 41 4d 45 54 45 52 53 00 00 61 62 73 74 72 61 63 74 00 13|"; content:"|44 65 66 4b 65 79 00 00 75 69 6e 74 33 32|"; content:"|61 63 36 64 31 33 35 30 36 30 30 30 30 35 51 00 00 52 4f 4f 54 5c 44 65 66 61 75 6c 74|"; fast_pattern; reference:url,https://wikipedia.org/wiki/Windows_Management_Instrumentation; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; reference:url,https://www.microsoft.com/en-us/download/details.aspx?id=46899; classtype:attempted-recon; sid:3300326; rev:3; metadata:created_at 2023_07_15, updated_at 2023_07_17;)
alert tcp any any -> $HOME_NET any (msg:"πΎ - π Installed Products WMI Request πͺ - Possible Lateral Movement π₯· - T1021.006"; flow:to_server, stateless; content:"|05 00 00 83|"; content:"|50 41 52 41 4d 45 54 45 52 53 00 00 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 55 6e 69 6e 73 74 61 6c 6c 5c|"; fast_pattern; reference:url,https://wikipedia.org/wiki/Windows_Management_Instrumentation; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; classtype:attempted-recon; sid:3300327; rev:1; metadata:created_at 2023_07_17, updated_at 2023_07_17;)
alert tcp $HOME_NET any -> any any (msg:"πΎ - π Application Identity service WMI Reply πͺ - Possible remote AppLocker state check for Lateral Movement π₯· - T1021.006"; flow:to_client, stateless; content:"|05 00 02 03|"; content:"|57 69 6e 33 32 5f 53 65 72 76 69 63 65|"; fast_pattern; content:"|41 70 70 49 44 53 76 63|"; reference:url,https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/006/; classtype:attempted-recon; sid:3301098; rev:1; metadata:created_at 2023_12_23, updated_at 2023_12_23;)
# --- DCERPC over SMB: interface binds and registry reads used for host discovery ---------------
# sid 3300328: SMB2 (fe 53 4d 42) carrying a DCERPC bind (05 00 0b 03) to the interface whose
# on-wire UUID bytes are 98 d0 ff 6b 12 a1 10 36 98 33 46 c3 f8 7e 34 5a (WKSSVC, per the msg and
# the MS-WKST reference) — the client side of a workstation-information query.
alert tcp-pkt any any -> $HOME_NET 445 (msg:"πΎ - π DCERPC - Bind request to πͺ WKSSVC interface - Possible System Information Discovery π₯· - T1082"; flow: to_server, stateless; content:"|fe 53 4d 42|"; content:"|05 00 0b 03|"; content:"|98 d0 ff 6b 12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/5b1384ee-dad3-4c5f-942a-e35fc89442a2; reference:url,https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-2/; reference:url,https://www.pingcastle.com/; metadata:created_at 2023_07_26, updated_at 2023_07_27; sid:3300328; rev:2; classtype:attempted-recon;)
# sid 3300329: the matching bind_ack (05 00 0c 03) from $HOME_NET:445 naming "\PIPE\wkssvc".
alert tcp-pkt $HOME_NET 445 -> any any (msg:"πΎ - π DCERPC - Bind_ack reply from πͺ WKSSVC interface - Possible System Information Discovery π₯· - T1082"; flow: to_client, stateless; content:"|fe 53 4d 42|"; content:"|05 00 0c 03|"; content:"|5c 50 49 50 45 5c 77 6b 73 73 76 63 00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/5b1384ee-dad3-4c5f-942a-e35fc89442a2; reference:url,https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-2/; reference:url,https://www.pingcastle.com/; metadata:created_at 2023_07_26, updated_at 2024_03_04; sid:3300329; rev:3; classtype:attempted-recon;)
# sid 3300330: a single content — UTF-16LE "NT Service\" towards 445 — with no DCERPC header
# check, so expect it to be the noisiest rule of this group; tune per source before trusting
# its alert volume.
alert tcp-pkt any any -> $HOME_NET 445 (msg:"πΎ - π DCERPC - Windows πͺ - Network Service Discovery π₯· - T1046"; flow: to_server, stateless; content:"|4e 00 54 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 5c|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1046/; reference:url,https://www.pingcastle.com/; metadata:created_at 2023_07_26, updated_at 2023_07_26; sid:3300330; rev:1; classtype:attempted-recon;)
# sid 3300331: bind_ack (05 00 0c 03) naming "\pipe\spoolss" — a $HOME_NET host has accepted a
# bind to the Print Spooler interface; tagged T1082 and T1547.012.
alert tcp-pkt $HOME_NET 445 -> any any (msg:"πΎ - π DCERPC - Bind_ack reply to πͺ SPOOLSS interface - Possible π¨ Print Spooler State Discovery π₯· - T1082 - T1547.012"; flow: to_client, stateless; content:"|fe 53 4d 42|"; content:"|05 00 0c 03|"; content:"|5c 70 69 70 65 5c 73 70 6f 6f 6c 73 73 00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://attack.mitre.org/techniques/T1547/012/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1; reference:url,https://www.pingcastle.com/; metadata:created_at 2023_07_28, updated_at 2023_07_28; sid:3300331; rev:1; classtype:attempted-recon;)
# sid 3300332 / 3300333: DCERPC requests (05 00 00 83) whose ASCII payload is "__PARAMETERS"
# plus a registry path: "SYSTEM\ControlSet001\Control\Windows" + "ShutdownTime" (last shutdown
# time) and "Software\Microsoft\Windows NT\CurrentVersion" (OS version) respectively.
alert tcp-pkt any any -> $HOME_NET any (msg:"πΎ - π DCERPC - Last Shutdown request to πͺ - Possible System Information Discovery π₯· - T1082"; flow: to_server, stateless; content:"|05 00 00 83|"; content:"|5f 5f 50 41 52 41 4d 45 54 45 52 53 00 00 53 59 53 54 45 4d 5c 43 6f 6e 74 72 6f 6c 53 65 74 30 30 31 5c 43 6f 6e 74 72 6f 6c 5c 57 69 6e 64 6f 77 73 00 00 53 68 75 74 64 6f 77 6e 54 69 6d 65|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; metadata:created_at 2023_07_30, updated_at 2023_07_30; sid:3300332; rev:1; classtype:attempted-recon;)
alert tcp-pkt any any -> $HOME_NET any (msg:"πΎ - π DCERPC - Operating System request to πͺ - Possible System Information Discovery π₯· - T1082"; flow: to_server, stateless; content:"|05 00 00 83|"; content:"|5f 5f 50 41 52 41 4d 45 54 45 52 53 00 00 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 00 00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; metadata:created_at 2023_07_30, updated_at 2023_07_30; sid:3300333; rev:2; classtype:attempted-recon;)
# --- SAMR enumeration responses and DCOM activation requests ----------------------------------
# sid 3300334: SMB2 DCERPC response (05 00 02) from a $HOME_NET host on 445 containing the
# little-endian dwords 0x1F4 (500) and 0x1F6 (502) — the well-known RIDs of the built-in
# Administrator and krbtgt accounts, which show up together in a full EnumDomainUsers listing.
alert tcp-pkt $HOME_NET 445 -> any any (msg:"πΎ - π DCERPC - SAMR EnumDomainUsers response from πͺ DC - Possible Domain Account Discovery π₯· - T1087.002"; flow: to_client, stateless; content:"|fe 53 4d 42|"; content:"|05 00 02|"; content:"|00 00 00 00|"; content:"|00 00 02 00|"; fast_pattern; distance:4; content:"|f4 01 00 00|"; content:"|f6 01 00 00|"; reference:url,https://attack.mitre.org/techniques/T1087/002/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6bdc92c0-c692-4ffb-9de7-65858b68da75; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/672e23b6-16eb-45f7-a0eb-f7969d56c209; metadata:created_at 2023_08_09, updated_at 2023_08_23; sid:3300334; rev:5; classtype:attempted-recon;)
# sid 3300335: same direction, RIDs 0x20E (526), 0x20F (527) and 0x200 (512) — Key Admins,
# Enterprise Key Admins and Domain Admins — i.e. a complete domain group listing.
alert tcp-pkt $HOME_NET 445 -> any any (msg:"πΎ - π DCERPC - SAMR DispEntryFullGroup response from πͺ DC - Possible Domain Groups Discovery π₯· - T1069.002"; flow: to_client, stateless; content:"|fe 53 4d 42|"; content:"|00 00 00 00|"; content:"|03 00 00 00|"; fast_pattern; distance:4; content:"|00 00 02 00 00 00 00 00|"; distance:8; content:"|0e 02 00 00|"; content:"|0f 02 00 00|"; content:"|00 02 00 00|"; reference:url,https://attack.mitre.org/techniques/T1069/002/; reference:url,https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021; metadata:created_at 2023_08_10, updated_at 2023_08_23; sid:3300335; rev:3; classtype:attempted-recon;)
# sid 3301093 / 3301094: ORPCTHIS request to $HOME_NET:135 (05 00 07 00 01 00 00 00 ...) whose
# DCERPC auth trailer is type 0x0a (NTLM) or type 0x09 (SPNEGO), both at auth level 0x05.
# Splitting the two lets analysts spot NTLM where Kerberos is the expected authentication.
alert tcp-pkt any any -> $HOME_NET 135 (msg:"πΎ - π DCERPC - ORPCTHIS Request πͺ - Possible WMI over DCOM abuse with NTLM authentication π₯· - T1047"; flow: to_server, stateless; content:"|05 00 00|"; content:"|05 00 07 00 01 00 00 00 00 00 00 00|"; fast_pattern; content:"|0a 05 0c 00 00 00 00 00 01 00 00 00|"; reference:url,https://attack.mitre.org/techniques/T1047/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/d57e9fd9-8e8b-45b8-99ea-9b0266009676; metadata:created_at 2023_11_23, updated_at 2023_11_23; sid:3301093; rev:3; classtype:attempted-recon;)
alert tcp-pkt any any -> $HOME_NET 135 (msg:"πΎ - π DCERPC - ORPCTHIS Request πͺ - Possible WMI over DCOM abuse with SPNEGO authentication π₯· - T1047"; flow: to_server, stateless; content:"|05 00 00|"; content:"|05 00 07 00 01 00 00 00 00 00 00 00|"; fast_pattern; content:"|09 05|"; content:"|04 04 04 ff ff ff ff ff|"; distance:6; reference:url,https://attack.mitre.org/techniques/T1047/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/d57e9fd9-8e8b-45b8-99ea-9b0266009676; metadata:created_at 2023_11_23, updated_at 2023_11_23; sid:3301094; rev:1; classtype:attempted-recon;)
# --- Credential-store hunting, directory object creation, password changes --------------------
# sid 3301099: SMB2 path in UTF-16LE — "Users\" ... "AppData\Roaming\KeePass\KeePass.config.xml".
# Source and destination are both "any", so SMB between two internal hosts is covered as well.
alert tcp any any -> any 445 (msg:"πΎ - π KeePass π config file searching over SMB πͺ - Possible Lateral Movement π₯· - T1021.002"; flow:to_server, stateless; content:"|fe 53 4d 42|"; content:"|55 00 73 00 65 00 72 00 73 00 5c|"; content:"|41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69 00 6e 00 67 00 5c 00 4b 00 65 00 65 00 50 00 61 00 73 00 73 00 5c 00 4b 00 65 00 65 00 50 00 61 00 73 00 73 00 2e 00 63 00 6f 00 6e 00 66 00 69 00 67 00 2e 00 78 00 6d 00 6c|"; fast_pattern; reference:url,https://keepass.info/; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; reference:url,https://attack.mitre.org/techniques/T1021/002/; classtype:attempted-recon; sid:3301099; rev:1; metadata:created_at 2023_12_23, updated_at 2023_12_23;)
# sid 3301103 / 3301104: plaintext LDAP to $HOME_NET:389 — BER INTEGER (02 01) message id, tag
# 0x68 (AddRequest) one byte later, "CN=", the 11-byte OCTET STRING "objectClass" with value
# "computer" or "user" (the user rule excludes "computer"), and "sAMAccountName" (nocase).
# LDAPS on 636 and signed/sealed LDAP are invisible to these rules; domain joins legitimately
# add computer objects, so tune on the requesting host rather than on volume.
alert tcp any any -> $HOME_NET 389 (msg:"πΎ - π LDAP computer type object creation request on πͺ Active Directory - π₯· - T1136.002"; flow: to_server, stateless; content:"|02 01|"; content:"|68|"; distance:1; content:"|43 4e 3d|"; content:"|04 0b 6f 62 6a 65 63 74 43 6c 61 73 73|"; content:"|63 6f 6d 70 75 74 65 72|"; content:"sAMAccountName"; nocase; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1136/002/; reference:url,https://ldap3.readthedocs.io/en/latest/add.html; metadata:created_at 2023_11_27, updated_at 2023_11_28; sid:3301103; rev:7; classtype:attempted-recon;)
alert tcp any any -> $HOME_NET 389 (msg:"πΎ - π LDAP user type object creation request on πͺ Active Directory - π₯· - T1136.002"; flow: to_server, stateless; content:"|02 01|"; content:"|68|"; distance:1; content:"|43 4e 3d|"; content:"|04 0b 6f 62 6a 65 63 74 43 6c 61 73 73|"; content:"|75 73 65 72|"; content:!"|63 6f 6d 70 75 74 65 72|"; content:"sAMAccountName"; nocase; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1136/002/; reference:url,https://ldap3.readthedocs.io/en/latest/add.html; metadata:created_at 2023_11_27, updated_at 2023_11_28; sid:3301104; rev:4; classtype:attempted-recon;)
# sid 3301105 / 3301106: endpoint-mapper request on 135 for the interface whose wire bytes are
# 78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ac (SAMR, per the msg). 3301105 additionally
# requires a dotted-IPv4 string in the packet; every packet that fires 3301105 also fires
# 3301106, so the two alerts arrive together — treat the first as the higher-fidelity one.
alert tcp-pkt any any -> $HOME_NET 135 (msg:"πΎ - π SAMR - Suspicious Map Request πͺ to an IP Address - Possible Impacket addcomputer script targeting Active Directory π₯· - S0357 - T1136.002"; flow: to_server, stateless; content:"|05 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ac|"; fast_pattern; content:"|01 00 11 0d 00|"; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,https://attack.mitre.org/software/S0357/; reference:url,https://attack.mitre.org/techniques/T1136/002/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/084da2e7-0ba0-44fc-8f17-e8a200c69eb5; reference:url,https://0xffsec.com/handbook/services/msrpc/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; reference:url,https://github.com/fortra/impacket/blob/master/examples/addcomputer.py; metadata:created_at 2023_12_29, updated_at 2024_01_03; sid:3301105; rev:4; classtype:attempted-recon;)
alert tcp-pkt any any -> $HOME_NET 135 (msg:"πΎ - π SAMR - Map Request πͺ - Possible Impacket addcomputer script targeting Active Directory π₯· - S0357 - T1136.002"; flow: to_server, stateless; content:"|05 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ac|"; fast_pattern; content:"|01 00 11 0d 00|"; reference:url,https://attack.mitre.org/software/S0357/; reference:url,https://attack.mitre.org/techniques/T1136/002/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/084da2e7-0ba0-44fc-8f17-e8a200c69eb5; reference:url,https://0xffsec.com/handbook/services/msrpc/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; reference:url,https://github.com/fortra/impacket/blob/master/examples/addcomputer.py; metadata:created_at 2023_12_29, updated_at 2024_01_03; sid:3301106; rev:3; classtype:attempted-recon;)
# sid 3301109: pins a full 36-byte SMB2 header (message id and credit fields included) before
# the DCERPC request (05 00 00 03), the value 00 00 37 00 (0x37 = 55 — presumably the opnum; see
# the MS-SAMR reference) and a payload ending in 00 bf bf bf + 8 zero bytes. The fixed header
# fields make it precise for the tool named in the msg but brittle for variants — treat a miss
# as no evidence.
alert tcp-pkt any any -> $HOME_NET 445 (msg:"πΎ - π SAMR - Suspicious ChangePasswordUser request to Active Directory πͺ Possible Impacket smbpasswd script targeting password must be changed π₯· - T1098"; flow: to_server, stateless; content:"|fe 53 4d 42 40 00 01 00 00 00 00 00 09 00 7f 00 08 00 00 00 00 00 00 00 17 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|05 00 00 03|"; content:"|00 00 37 00|"; content:"|00 bf bf bf 00 00 00 00 00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1098/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/41d7ca60-909f-4d0d-b85a-c9a35b5f2aaa; reference:url,https://snovvcrash.rocks/2020/10/31/pretending-to-be-smbpasswd-with-impacket.html; reference:url,https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; reference:url,https://github.com/fortra/impacket/blob/master/examples/smbpasswd.py; metadata:created_at 2024_01_03, updated_at 2024_01_03; sid:3301109; rev:1; classtype:attempted-recon;)
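# --- DNS dynamic update over TCP to a $HOME_NET DNS server ------------------------------------
# sid 3301110: DNS header bytes 28 00 00 01 00 00 00 01 00 01 — opcode 5 (UPDATE), one zone
# record, zero prerequisites, one update, one additional — with zone type SOA / class IN
# (00 06 00 01), a GSS-TSIG additional record (\x08gss-tsig\x00) and a zero dword at the end.
# Windows clients register their own records this way, which is why the msg asks to confirm the
# requesting client is legitimate before treating it as infrastructure compromise.
# Fixed: metadata mitre_technique_id was written "T1584.002" while every other rule in this file
# uses the underscore form (e.g. T1003_006, T1021_002); normalised to T1584_002 so metadata
# consumers key on a single form. rev bumped 3 -> 4; set updated_at to the commit date when releasing.
alert tcp-pkt any any -> $HOME_NET 53 (msg:"πΎ - π DNS - Suspicious Dynamic update - remote record creation to Windows DNS Server πͺ - Possible DNS Server Compromised π₯· - T1584.002- Check if legitimate client request "; flow: to_server, stateless; content:"|28 00 00 01 00 00 00 01 00 01|"; fast_pattern; content:"|00 06 00 01|"; content:"|08 67 73 73 2d 74 73 69 67 00|"; content:"|00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1584/002/; reference:url,https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/; reference:url,https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/; reference:url,https://github.com/Kevin-Robertson/Powermad; metadata:created_at 2024_01_04, updated_at 2024_03_17, signature_severity Informational, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1584_002, mitre_technique_name Compromise_Infrastructure_DNS_Server; sid:3301110; rev:4; classtype:misc-attack;)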
alert tcp-pkt any any -> $HOME_NET 445 (msg:"πΎ - π SMB - Suspicious session setup request + NTLMSSP_AUTH πͺ Possible Impacket or Metasploit smb connection (no DFS support + null hostname) π₯· - T1021.002"; flow: to_server, stateless; content:"|fe 53 4d 42 40 00 01 00 00 00 00 00 01 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 01 00 00 00 00 00 00 00 00 58 00|"; fast_pattern; content:"|4e 54 4c 4d 53 53 50 00 03 00 00 00|"; content:"|00 00 00|"; content:"|00 00 00|"; distance:1; content:"|00 00 00 00 00 00 00 00|"; reference:url,https://attack.mitre.org/techniques/T1021/002/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2024_01_06, updated_at 2024_04_23, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1021_002, mitre_technique_name Remote_Services_SMB_Windows_Admin_Shares; sid:3301111; rev:5; classtype:attempted-recon;)
alert tcp any 445 -> any any (msg:"πΎ - π SMB - Suspicious session setup response for NTLMSSP_CHALLENGE πͺ Possible Responder NTLMv2 response for π© Active Directory credentials capturing π₯· - T1040"; flow: to_client, stateless; content:"|fe 53 4d 42 40 00|"; content:"|16 00 00 c0 01 00|"; content:"|01 00 00 00 00 00 00 00|"; content:"|ff fe 00 00 00 00 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|09 00 00 00 48 00|"; content:"|4e 54 4c 4d 53 53 50 00 02 00 00 00|"; content:"|08 00 08 00 38 00 00 00|"; content:"|a6 00 a6 00 40 00 00 00|"; content:"|02 00 08 00|"; content:"|01 00 1e 00 57 00 49 00 4e 00 2d 00|"; content:"|05 00 14 00|"; content:"|06 03 80 25 00 00 00 0f|"; content:"|00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2024_01_06, updated_at 2024_02_18, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3301112; rev:10; classtype:credential-theft;)
alert tcp any 80 -> any any (msg:"πΎ - π HTTP - Suspicious accepted WebDAV response for NTLMSSP_CHALLENGE πͺ Possible Responder NTLMv2 response for π© Active Directory credentials capturing π₯· - T1040"; flow: to_client, stateless; http.protocol; content:"HTTP/1.1"; http.server; content:"Microsoft-IIS/7.5"; http.content_type; content:"text/html"; http.response_line; content:"HTTP/1.1 200 OK"; http.header.raw; content:"WWW-Authenticate: NTLM"; http.response_body; content:"|2f 70 69 63 74 75 72 65 73 2f 6c 6f 67 6f 2e 6a 70 67 27 20 61 6c 74 3d 27 4c 6f 61 64 69 6e 67 27 20 68 65 69 67 68 74 3d 27 31 27 20 77 69 64 74 68 3d 27 31 27 3e|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1040/; reference:url,https://attack.mitre.org/software/S0174; reference:url,https://github.com/SpiderLabs/Responder; metadata:created_at 2024_01_25, updated_at 2024_02_18, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1040, mitre_technique_name Network_Sniffing; sid:3301124; rev:18; classtype:credential-theft;)
alert tcp-pkt any any -> $HOME_NET 389 (msg:"πΎ - π LDAP - Suspicious NTLMSSP_NEGOCIATE πͺ Possible Impacket ldap connection (negociates flags + null value for calling worstation name & domain) π₯· - T1018"; flow: to_server, stateless; content:"|4e 54 4c 4d 53 53 50 00 01 00 00 00|"; content:"|05 02 88 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; endswith; reference:url,https://attack.mitre.org/techniques/T1018/; reference:url,https://www.secureauth.com/labs/open-source-tools/impacket/; metadata:created_at 2024_01_26, updated_at 2024_01_26, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1018, mitre_technique_name Remote_System_Discovery; sid:3301125; rev:1; classtype:attempted-recon;)
# DCERPC request (ptype 0, pfc flags 0x83) carrying a "__PARAMETERS" object and the registry path of the NTLM (MSV1_0) settings key.
# NOTE(review): "__PARAMETERS" looks like a WMI in-parameter object (StdRegProv over DCOM), hence the unrestricted destination port - confirm against a capture.
alert tcp-pkt any any -> $HOME_NET any (msg:"πΎ - π DCERPC - NTLM Settings request to πͺ - Possible System Information Discovery π₯· - T1082"; flow:to_server,stateless; content:"|05 00 00 83|"; content:"__PARAMETERS|00 00|System|5c|CurrentControlSet|5c|Control|5c|Lsa|5c|MSV1_0"; fast_pattern; content:"NTLM"; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://github.com/GhostPack/Seatbelt#remote-enumeration; metadata:created_at 2024_02_13, updated_at 2024_02_13, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; sid:3301127; rev:1; classtype:attempted-recon;)
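# A-ASSOCIATE-RJ is a fixed 10-byte PDU: type 03, reserved, length 4, reserved, result 01 (rejected-permanent), source 01 (UL service-user), reason 07 (called AE title not recognized).
# The three fields were previously matched as separate contents with distance:0, which also accepted non-adjacent bytes; they are contiguous on the wire, so match the whole PDU.
# 5 rejects in 10 s from one server = an AET brute force (nmap dicom-brute); sid:3301145 is the single-event companion.
alert tcp any any -> any any (msg:"πΎ - π¨ DICOM β Many A-ASSOCIATE reject AET answers from DICOM Server on SCU requests - DICOM AET Brute Force activity - Possible System Information Discovery π₯· - T1082"; flow:to_client,stateless; threshold:type threshold,track by_src,count 5,seconds 10; content:"|03 00 00 00 00 04 00 01 01 07|"; fast_pattern; endswith; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://nmap.org/nsedoc/scripts/dicom-brute.html; metadata:created_at 2024_02_25, updated_at 2024_02_25, signature_severity Major, attack_target Server_Endpoint, affected_product DICOM_Modality, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; sid:3301146; rev:6; classtype:attempted-recon;)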
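# Single A-ASSOCIATE-RJ (reason 07: called AE title not recognized), rate-limited to one alert per server per 10 minutes; the burst variant is sid:3301146.
# The 10-byte PDU is matched contiguously (type, reserved, length 4, reserved, result 01, source 01, reason 07) instead of three loosely chained contents.
alert tcp any any -> any any (msg:"πΎ - π¨ DICOM β A-ASSOCIATE reject AET answer from DICOM Server on SCU request - Possible System Information Discovery π₯· - T1082"; flow:to_client,stateless; threshold:type limit,track by_src,count 1,seconds 600; content:"|03 00 00 00 00 04 00 01 01 07|"; fast_pattern; endswith; reference:url,https://attack.mitre.org/techniques/T1082/; metadata:created_at 2024_02_25, updated_at 2024_02_25, signature_severity Info, attack_target Server_Endpoint, affected_product DICOM_Modality, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; sid:3301145; rev:6; classtype:attempted-recon;)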
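# A-ASSOCIATE-AC to nmap's "ECHOSCU" calling AET where the called AET is NOT the "ANY-SCP" default, i.e. a guessed AET was accepted (nmap dicom-brute).
# A Suricata rule must stay on one line (or end each continued line with a backslash); this rule had been broken across two lines inside msg.
# mitre_technique_id uses the file's underscore form (T1110_002) so the metadata key parses like the other rules.
alert tcp any any -> any any (msg:"πΎ - π¨ DICOM β A-ASSOCIATE accept answer from DICOM Server to ECHOSCU AET - Possible AET β credentials found with NMAP π₯· - T1110.002"; flow:to_client,stateless; content:"|02 00 00 00 00 b8|"; content:"|00 01 00 00|"; content:!"|41 4e 59 2d 53 43 50 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|00 01 00 00|"; content:"|45 43 48 4f 53 43 55 20 20 20 20 20 20 20 20 20|"; distance:16; content:"|10 00 00 15 31 2e 32 2e 38 34 30 2e 31 30 30 30 38 2e 33 2e 31 2e 31 2e 31|"; fast_pattern; distance:32; reference:url,https://attack.mitre.org/techniques/T1110/002/; reference:url,https://nmap.org/nsedoc/scripts/dicom-brute.html; metadata:created_at 2024_02_25, updated_at 2024_02_25, signature_severity Major, attack_target Server_Endpoint, affected_product DICOM_Modality, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1110_002, mitre_technique_name Brute_Force_Password_Cracking; sid:3301147; rev:8; classtype:credential-theft;)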
# A-ASSOCIATE-AC (PDU type 02, length 0xb8) to the nmap defaults: called AET "ANY-SCP", calling AET "ECHOSCU" (both space-padded to 16) and the
# Verification SOP class 1.2.840.10008.3.1.1.1 - the server accepted an association without a configured AET.
alert tcp any any -> any any (msg:"πΎ - π¨ DICOM β Server accept any AET - Possible unsecure service found with NMAP π₯· - T1201"; flow:to_client,stateless; content:"|02 00 00 00 00 b8|"; content:"|00 01 00 00|"; content:"ANY-SCP|20 20 20 20 20 20 20 20 20|"; distance:0; content:"ECHOSCU|20 20 20 20 20 20 20 20 20|"; distance:0; content:"|10 00 00 15|1.2.840.10008.3.1.1.1"; fast_pattern; distance:32; reference:url,https://attack.mitre.org/techniques/T1201/; reference:url,https://nmap.org/nsedoc/scripts/dicom-ping.html; reference:url,https://nmap.org/nsedoc/scripts/dicom-brute.html; metadata:created_at 2024_02_25, updated_at 2024_02_25, signature_severity Major, attack_target Server_Endpoint, affected_product DICOM_Modality, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1201, mitre_technique_name Password_Policy_Discovery; sid:3301148; rev:1; classtype:credential-theft;)
# A-ASSOCIATE-RQ (PDU type 01, length 0xcd) with nmap's hard-coded AET pair: called "ANY-SCP", calling "ECHOSCU" (each 16 bytes, space padded).
alert tcp any any -> any any (msg:"πΎ - π¨ DICOM β A-ASSOCIATE request from NMAP - System Information Discovery π₯· - T1082"; flow:to_server,stateless; content:"|01 00 00 00 00 cd|"; content:"|00 01 00 00|ANY-SCP|20 20 20 20 20 20 20 20 20|ECHOSCU|20 20 20 20 20 20 20 20 20|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://nmap.org/nsedoc/scripts/dicom-ping.html; reference:url,https://nmap.org/nsedoc/scripts/dicom-brute.html; metadata:created_at 2024_02_25, updated_at 2024_02_25, signature_severity Major, attack_target Server_Endpoint, affected_product DICOM_Modality, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; sid:3301149; rev:2; classtype:attempted-recon;)
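# Endpoint-mapper request (DCERPC v5, ptype 0 = request, anchored at the start of the payload like sid:3321275) carrying the
# SVCCTL interface UUID 367abb81-9844-35f1-ad32-98f038001003 (little-endian) and the NDR transfer syntax.
# The interface name in msg was "SVCTL"; the MS-SCMR interface is SVCCTL. Expect this from any legitimate remote sc.exe / services.msc use as well.
alert tcp-pkt any any -> $HOME_NET 135 (msg:"πΎ - π DCERPC - Service Control Manager Remote Protocol - Map Request to πͺ SVCCTL interface - Possible Remote Service Stop π₯· - T1489"; flow:to_server,stateless; content:"|05 00 00|"; depth:3; content:"|81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; fast_pattern; content:"|04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60|"; reference:url,https://attack.mitre.org/techniques/T1489/; reference:url,https://learn.microsoft.com/fr-fr/openspecs/windows_protocols/ms-scmr/15fcdce1-424a-4c99-9965-629f2cd53126; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/MS-SCMR/705b624a-13de-43cc-b8a2-99573da3635f; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/e7a38186-cde2-40ad-90c7-650822bd6333; target:dest_ip; metadata:created_at 2024_03_04, updated_at 2024_03_04, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1489, mitre_technique_name Service_Stop; sid:3301154; rev:3; classtype:attempted-recon;)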
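# Endpoint-mapper response (DCERPC v5, ptype 2 = response, anchored at payload start like sid:3321275) echoing the SVCCTL interface UUID and NDR syntax;
# companion of sid:3301154. Interface name corrected from "SVCTL" to SVCCTL (MS-SCMR).
alert tcp-pkt $HOME_NET 135 -> any any (msg:"πΎ - π DCERPC - Service Control Manager Remote Protocol - Map Response from πͺ SVCCTL interface - Possible Remote Service Stop π₯· - T1489"; flow:to_client,stateless; content:"|05 00 02|"; depth:3; content:"|81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; fast_pattern; content:"|04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60|"; reference:url,https://attack.mitre.org/techniques/T1489/; reference:url,https://learn.microsoft.com/fr-fr/openspecs/windows_protocols/ms-scmr/15fcdce1-424a-4c99-9965-629f2cd53126; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/MS-SCMR/705b624a-13de-43cc-b8a2-99573da3635f; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/e7a38186-cde2-40ad-90c7-650822bd6333; target:src_ip; metadata:created_at 2024_03_04, updated_at 2024_03_04, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1489, mitre_technique_name Service_Stop; sid:3301155; rev:4; classtype:attempted-recon;)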
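# Endpoint-mapper request (DCERPC v5 request, anchored at payload start) for the MS-DNSP interface 50abc2a4-574d-40b3-9d66-ee4fd5fba076 (little-endian)
# - the interface abused for the DnsAdmins ServerLevelPluginDll escalation. Also hit by the DNS MMC / dnscmd from admin workstations.
# Metadata now carries the tactic (TA0004) like the other rules and the actual T1068 technique name.
alert tcp-pkt any any -> $HOME_NET 135 (msg:"πΎ - π DCERPC - Domain Name Service (DNS) Server Management Protocol - Map Request to πͺ DNSSERVER interface - Possible Remote Privilege Escalation π₯· - T1068"; flow:to_server,stateless; content:"|05 00 00|"; depth:3; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; fast_pattern; content:"|04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60|"; reference:url,https://attack.mitre.org/techniques/T1068/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/5093503c-687e-4376-9127-50504908fb91; reference:url,https://phackt.com/dnsadmins-group-exploitation-write-permissions; target:dest_ip; metadata:created_at 2024_03_04, updated_at 2024_03_04, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0004, mitre_tactic_name Privilege_Escalation, mitre_technique_id T1068, mitre_technique_name Exploitation_for_Privilege_Escalation; sid:3301156; rev:2; classtype:attempted-recon;)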
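# Endpoint-mapper response (DCERPC v5 response, anchored at payload start) for the MS-DNSP interface; companion of sid:3301156.
# Adds the ATT&CK T1068 reference and tactic metadata that the request rule already had.
alert tcp-pkt $HOME_NET 135 -> any any (msg:"πΎ - π DCERPC - Domain Name Service (DNS) Server Management Protocol - Map Response from πͺ DNSSERVER interface - Possible Remote Privilege Escalation π₯· - T1068"; flow:to_client,stateless; content:"|05 00 02|"; depth:3; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; fast_pattern; content:"|04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60|"; reference:url,https://attack.mitre.org/techniques/T1068/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/5093503c-687e-4376-9127-50504908fb91; reference:url,https://phackt.com/dnsadmins-group-exploitation-write-permissions; target:src_ip; metadata:created_at 2024_03_04, updated_at 2024_03_04, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0004, mitre_tactic_name Privilege_Escalation, mitre_technique_id T1068, mitre_technique_name Exploitation_for_Privilege_Escalation; sid:3301157; rev:2; classtype:attempted-recon;)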
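# SMB2 request from an internal host that names a UTF-16LE ".dll" path after a fixed header pattern.
# NOTE(review): the meaning of the two header byte runs is not documented here - confirm against the capture they were taken from.
# Fix: metadata said mitre_technique_id T1040 (Network Sniffing) while msg/reference say T1574.002; aligned to T1574_002.
alert tcp $HOME_NET any -> any 445 (msg:"πΎ - π SMB - Remote DLL πͺ Execution - Possible Hijack Execution Flow - DLL Side-Loading π₯· - T1574.002"; flow:to_server,stateless; content:"|fe 53 4d 42 40 00|"; content:"|00 00 00 00 00 00 00 00 a1 00 10 00|"; content:"|05 00 00 00 01 00 00 00 60 00 00 00|"; fast_pattern; distance:4; content:"|2e 00 64 00 6c 00 6c 00|"; reference:url,https://attack.mitre.org/techniques/T1574/002/; target:src_ip; metadata:created_at 2024_01_06, updated_at 2024_02_18, signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_tactic_id TA0004, mitre_tactic_name Privilege_Escalation, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1574_002, mitre_technique_name Hijack_Execution_Flow_DLL_Side_Loading; sid:3301158; rev:2; classtype:targeted-activity;)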
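# Small (<200 byte) GSS-API-wrapped LDAP reply from the server, limited to one alert per server per 10 s; the msg asks the analyst to
# verify the client really did an ADIDNS write (Powermad / ADIDNS abuse). Informational on purpose - normal DNS-record maintenance also produces this.
# Fix: the ATT&CK URL used "T1584.002", the site's path form is "T1584/002" as in every other reference in this file.
alert tcp $HOME_NET 389 -> any any (msg:"πΎ - π LDAP - SASL GSS-API Privacy accepted DNS record from Windows DNS Server πͺ Possible DNS Server Compromised π₯· - T1584.002 - Check if legitimate client request"; flow:to_client,stateless; dsize:<200; threshold:type limit,track by_src,count 1,seconds 10; content:"|00 00 00 52 05 04 07 ff 00 00 00 1c|"; reference:url,https://attack.mitre.org/techniques/T1584/002/; reference:url,https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/; reference:url,https://github.com/Kevin-Robertson/Powermad; metadata:created_at 2024_03_17, updated_at 2024_03_17, signature_severity Informational, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1584_002, mitre_technique_name Compromise_Infrastructure_DNS_Server; sid:3301159; rev:19; classtype:misc-attack;)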
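# SMB2 SESSION_SETUP response (command 0x0001, server-to-redir flag) with NTSTATUS 0xC000006D STATUS_LOGON_FAILURE.
# Threshold tracks by_dst: in this to_client rule the source is the SMB server, so by_src pooled every client's failed logons under one
# counter per server (a busy file server trips 5/5s on its own); by_dst counts failures per client, i.e. per guessing host.
alert tcp-pkt $HOME_NET 445 -> any any (msg:"πΎ - π SMB - Brute Force attack - Password Cracking π₯· - T1110.002"; flow:to_client,stateless; threshold:type threshold,track by_dst,count 5,seconds 5; content:"|fe 53 4d 42 40 00 01 00 6d 00 00 c0 01 00 01 00 01 00 00 00|"; reference:url,https://attack.mitre.org/techniques/T1110/002/; reference:url,https://0xma.github.io/hacking/brute_force_windows_server_metasploit.html; metadata:created_at 2024_04_23, updated_at 2024_04_23, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1110_002, mitre_technique_name Brute_Force_Password_Cracking; sid:3301160; rev:2; classtype:attempted-recon;)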
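# KRB-ERROR (pvno 5, msg-type 30) for krbtgt whose error-code [6] is 24 = KDC_ERR_PREAUTH_FAILED (wrong password).
# Two fixes: (1) the original counted every KRB-ERROR, including the KDC_ERR_PREAUTH_REQUIRED (25) a Windows client receives on every normal
# logon; (2) it tracked by_src, which here is the KDC itself, so all clients' errors shared one counter. Now 5 PREAUTH_FAILED in 5 s to one
# client host (by_dst). Lockout (18) and unknown-principal (6) errors are deliberately not counted; add sibling rules if user-enumeration coverage is wanted.
# Only Kerberos over UDP is covered - TODO confirm whether a tcp/88 companion is needed for the tooling in use (Windows clients default to TCP).
alert udp $HOME_NET 88 -> any any (msg:"πΎ - π Kerberos - Brute Force attack to Active Directory πͺ - Password Cracking π₯· - T1110.002"; flow:to_client,stateless; threshold:type threshold,track by_dst,count 5,seconds 5; content:"|a0 03 02 01 05 a1 03 02 01 1e a4 11 18 0f|"; fast_pattern; content:"|a6 03 02 01 18|"; content:"krbtgt"; reference:url,https://attack.mitre.org/techniques/T1110/002/; reference:url,https://github.com/ropnop/kerbrute; metadata:created_at 2024_04_23, updated_at 2024_04_23, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1110_002, mitre_technique_name Brute_Force_Password_Cracking; sid:3301161; rev:5; classtype:attempted-recon;)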
# Generic AS-REQ for krbtgt: kdc-options bit string (a0 07 03 05 00 ...) with the first option byte having 0x80 set, not a TGS-REQ
# (no msg-type 12), and not one of the two common Windows option patterns (40 81 00 / 50 81 00); the Impacket and Rubeus
# fingerprints are carried by sid:3321255 / sid:3321256.
alert tcp any any -> $HOME_NET 88 (msg:"πΎ - π Suspicious Kerberos AS-Request to Active Directory πͺ - Possible AS-REP Roasting Attack π₯· - T1558.004"; flow:to_server,stateless; content:"|a0 07 03 05 00|"; content:"|80|"; distance:1; content:"|a1|"; distance:2; content:"krbtgt"; fast_pattern; content:!"|a2 03 02 01 0c|"; content:!"|40 81 00|"; content:!"|50 81 00|"; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/GhostPack/Rubeus#asreproast; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py; reference:url,https://medium.com/r3d-buck3t/kerberos-attacks-as-rep-roasting-2549fd757b5; metadata:created_at 2024_05_03, updated_at 2024_05_03, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321254; rev:7; classtype:attempted-recon;)
# AS-REQ for krbtgt with the kdc-options value Impacket GetNPUsers sends (50 80 00 00) and no TGS-REQ msg-type.
alert tcp any any -> $HOME_NET 88 (msg:"πΎ - π Suspicious Kerberos AS-Request to Active Directory πͺ - Possible AS-REP Roasting Attack via Impacket π₯· - T1558.004"; flow:to_server,stateless; content:"|a0 07 03 05 00 50 80 00 00 a1|"; content:"krbtgt"; fast_pattern; content:!"|a2 03 02 01 0c|"; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py; reference:url,https://medium.com/r3d-buck3t/kerberos-attacks-as-rep-roasting-2549fd757b5; metadata:created_at 2024_05_03, updated_at 2024_05_03, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321255; rev:1; classtype:attempted-recon;)
# AS-REQ for krbtgt with the kdc-options value Rubeus asreproast sends (40 80 00 10) and no TGS-REQ msg-type.
alert tcp any any -> $HOME_NET 88 (msg:"πΎ - π Suspicious Kerberos AS-Request to Active Directory πͺ - Possible AS-REP Roasting Attack via Rubeus π₯· - T1558.004"; flow:to_server,stateless; content:"|a0 07 03 05 00 40 80 00 10 a1|"; content:"krbtgt"; fast_pattern; content:!"|a2 03 02 01 0c|"; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/GhostPack/Rubeus#asreproast; reference:url,https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat; metadata:created_at 2024_05_03, updated_at 2024_05_03, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321256; rev:1; classtype:attempted-recon;)
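# LDAP searchRequest whose base is a bare "DC=..." naming context (no "CN=" anywhere), scope wholeSubtree, no size/time limit,
# filter (objectClass=*) with an attribute list of just "*" - a full-directory dump (ldap2json and friends). One alert per source per minute.
# Fix: mitre_tactic_id was "TA00067"; Discovery is TA0007 as used by the other rules in this file.
alert tcp any any -> $HOME_NET 389 (msg:"πΎ - π LDAP search request on whole subtree and all type of objects - Possible Domain Account Discovery π₯· - T1087.002"; flow:to_server,stateless; threshold:type limit,track by_src,count 1,seconds 60; content:"DC="; content:!"CN="; content:"|0a 01 02 0a 01 03 02 01 00 02 01 00 01 01 00|"; content:"objectClass|30 03 04 01 2a|"; fast_pattern; distance:2; reference:url,https://attack.mitre.org/techniques/T1087/002/; reference:url,https://github.com/p0dalirius/ldap2json; metadata:created_at 2024_05_04, updated_at 2024_05_04, signature_severity Major, attack_target Server_Endpoint, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1087_002, mitre_technique_name Account_Discovery_Domain_Account; sid:3321257; rev:2; classtype:attempted-recon;)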
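# Same full-subtree (objectClass=*) / "*" dump as sid:3321257 but rooted in the AD schema partition (CN=Schema,CN=Configuration,DC=...).
# Fix: mitre_tactic_id was "TA00067"; Discovery is TA0007 as used by the other rules in this file.
alert tcp any any -> $HOME_NET 389 (msg:"πΎ - π LDAP search request on whole subtree and all type of objects to Active Directory πͺ - Possible Domain Account Discovery π₯· - T1087.002"; flow:to_server,stateless; threshold:type limit,track by_src,count 1,seconds 60; content:"CN=Schema,CN=Configuration"; fast_pattern; content:"DC="; content:"|0a 01 02 0a 01 03 02 01 00 02 01 00 01 01 00|"; content:"objectClass|30 03 04 01 2a|"; distance:2; reference:url,https://attack.mitre.org/techniques/T1087/002/; reference:url,https://github.com/p0dalirius/ldap2json; metadata:created_at 2024_05_04, updated_at 2024_05_04, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1087_002, mitre_technique_name Account_Discovery_Domain_Account; sid:3321258; rev:2; classtype:attempted-recon;)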
# LDAP search for user objects (samAccountType=805306368) whose userAccountControl has bit 4194304 (DONT_REQ_PREAUTH) - the
# AS-REP-roastable account query Rubeus runs before roasting.
alert tcp-pkt any any -> $HOME_NET 389 (msg:"πΎ - π LDAP search request AS-REP Roastable users on Active Directory πͺ - Possible AS-REP Roasting Attack via Rubeus π₯· - T1558.004"; flow:to_server,stateless; content:"samAccountType"; content:"805306368"; content:"userAccountControl"; fast_pattern; content:"4194304"; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/GhostPack/Rubeus#asreproast; reference:url,https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat; metadata:created_at 2024_05_04, updated_at 2024_05_04, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321259; rev:3; classtype:attempted-recon;)
# Bare SYNs counted per source host across all destinations/ports; 1000 in 30 s is mass-scanner behaviour and "type threshold"
# re-alerts on every further 1000. Expect hits from vulnerability scanners and busy proxies - tune with a suppress if needed.
alert tcp any any -> any any (msg:"πΎ - π Many TCP/SYN - Possible Masscan Network Service Discovery π₯· - T1046"; flags:S,2; flow:to_server; threshold:type threshold,track by_src,count 1000,seconds 30; reference:url,https://attack.mitre.org/techniques/T1046/; reference:url,https://github.com/robertdavidgraham/masscan; metadata:created_at 2024_05_19, updated_at 2024_05_19, signature_severity Major, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1046, mitre_technique_name Network_Service_Discovery; sid:3321263; rev:3; classtype:attempted-recon;)
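# LDAP searchRequest (tag 0x63) with Impacket GetUserSPNs' default AND filter (a0 81 9a ...) starting with (servicePrincipalName=*)
# and its attribute list (servicePrincipalName, sAMAccountName, MemberOf ...).
# Fix: the original pinned the searchRequest length to exactly 0x0122; that length covers the base DN, so it only matched domains whose DN
# happens to be that long. Only the "two-byte length" form (63 82) is kept as a cheap pre-filter; the filter bytes do the real work.
alert tcp-pkt any any -> $HOME_NET 389 (msg:"πΎ - π LDAP search request Kerberoastable users on Active Directory πͺ - Possible 1st step of Kerberoasting Attack via Impacket π₯· - T1558.003"; flow:to_server,stateless; content:"|63 82|"; content:"|a0 81 9a 87 14|servicePrincipalName"; fast_pattern; content:"|04 14|servicePrincipalName"; content:"sAMAccountName"; content:"MemberOf"; reference:url,https://attack.mitre.org/techniques/T1558/003/; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py; reference:url,https://medium.com/r3d-buck3t/attacking-service-accounts-with-kerberoasting-with-spns-de9894ca243f; metadata:created_at 2024_05_19, updated_at 2024_05_19, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_003, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_Kerberoasting; sid:3321264; rev:2; classtype:attempted-recon;)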
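# TGS-REQ (pvno 5, msg-type 12) whose PA-TGS-REQ AP-REQ (msg-type 14, ap-options all zero) uses an RC4 (etype 23) encrypted part,
# requests kdc-options 40 81 00 10 and carries the fixed [0] INTEGER -128 structure seen in Impacket GetUserSPNs -request traffic.
# Fix: the original matched the outer SEQUENCE lengths (30 82 05 a2, 30 82 04 ff, 30 73). Those lengths include the TGT, PAC and
# principal names, so the rule only fired for one exact request size; the length octets are dropped and the tag/value bytes kept.
# NOTE(review): "30 29 a0 04 02 02 ff 80" is kept as-is; its position in the request was not identified here - confirm against a capture.
alert tcp any any -> $HOME_NET 88 (msg:"πΎ - π Suspicious Kerberos TGS-Request to Active Directory πͺ - Possible Kerberoasting Attack π₯· - T1558.003"; flow:to_server,stateless; content:"|a1 03 02 01 05 a2 03 02 01 0c|"; content:"|a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 00 00 00 00|"; fast_pattern; content:"krbtgt"; content:"|a0 03 02 01 17|"; content:"|40 81 00 10|"; content:"|30 29 a0 04 02 02 ff 80|"; reference:url,https://attack.mitre.org/techniques/T1558/003/; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py; reference:url,https://medium.com/r3d-buck3t/attacking-service-accounts-with-kerberoasting-with-spns-de9894ca243f; metadata:created_at 2024_05_19, updated_at 2024_05_19, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_003, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_Kerberoasting; sid:3321265; rev:2; classtype:attempted-recon;)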
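# DCERPC request (v5, ptype 0 at payload start) whose header fields at offset 12-23 read call_id 3, alloc_hint 0x50, context id 0,
# opnum 16 (0x10) - IDL_DRSDomainControllerInfo as issued by mimikatz lsadump::dcsync.
# Fix: the 12 header bytes were searched anywhere in the payload; they are anchored to their fixed header position (distance:9 / within:12
# from the 3-byte version/type match) so arbitrary payload bytes cannot satisfy the rule.
# Caveats: a request PDU does not carry the interface UUID, so any interface bound on context 0 with opnum 16 and this call_id/alloc_hint
# also matches - hence "check if source is a legit Domain Controller" in msg; context id 0 and call_id 3 are tool-specific.
alert tcp-pkt any any -> $HOME_NET any (msg:"πΎ - π DRSUAPI DsGetDomainControllerInfo - Possible Mimikatz DCSync attack π₯· - T1003.006 - Check if source is a legit πͺ Domain Controler"; flow:to_server,stateless; content:"|05 00 00|"; depth:3; content:"|03 00 00 00 50 00 00 00 00 00 10 00|"; distance:9; within:12; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1003/006/; reference:url,https://github.com/gentilkiwi/mimikatz; reference:url,https://adsecurity.org/?p=1729; metadata:created_at 2024_05_30, updated_at 2024_05_30, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1003_006, mitre_technique_name OS_Credential_Dumping_DCSync; sid:3321275; rev:2; classtype:attempted-recon;)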