[Emerging-Sigs] DCSync rule

James Lay jlay at slave-tothe-box.net
Mon Mar 2 08:58:21 HST 2020


FWIW... tested during a pentest engagement:

in conf file:
ipvar DC_SERVERS [dc1,dc2,dc3]

in rules file:
# DCSync is a replication request sent by a host that is not a DC to a DC,
# so the source is outside $DC_SERVERS and the destination is a DC.
# Bytes 2-7 of a DCE/RPC v5 request: pkt_type 0 (request), flags 0x03
# (first+last fragment) and the little-endian data representation 10 00 00 00.
# Offset 22 is the opnum; opnum 3 on the drsuapi interface is DRSGetNCChanges.
# within:2 pins the second match to the opnum field instead of anywhere in the
# stub data. The rule does not check the bound interface UUID, so opnum 3
# requests to other RPC interfaces on the dynamic port range also match.
alert tcp [!$DC_SERVERS] any -> $DC_SERVERS [49152:65535] \
(msg:"Possible DCSync Detected"; flow:to_server,established; flags:PA; \
content:"|00 03 10 00 00 00|"; depth:8; content:"|03 00|"; distance:14; within:2; \
classtype:attempted-admin; sid:9999003;)

James
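The rule's byte matching emulated in Python, as an added example that is not part of James's post: it builds constructed DCE/RPC request PDUs, applies the same depth/distance logic Snort uses, and shows why anchoring the opnum check with within:2 matters.

```python
"""Emulate the content/depth/distance checks of the DCSync rule against
constructed DCE/RPC request PDUs (sample data is constructed, not captured)."""
import struct

# Connection-oriented DCE/RPC v5 request header, little-endian:
#  off 0 version   1 minor   2 pkt_type  3 flags   4 data_rep(4)
#  off 8 frag_len  10 auth_len  12 call_id(4)  16 alloc_hint(4)
#  off 20 context_id  22 opnum
PKT_REQUEST = 0x00
FLAGS_FIRST_LAST = 0x03          # PFC_FIRST_FRAG | PFC_LAST_FRAG
DATA_REP_LE = b"\x10\x00\x00\x00"
OPNUM_DRSGETNCCHANGES = 3        # IDL_DRSGetNCChanges in MS-DRSR


def build_request(opnum, flags=FLAGS_FIRST_LAST, stub=b""):
    """Build a minimal 24-byte DCE/RPC request header plus stub data."""
    hdr = struct.pack("<BBBB4sHHIIHH", 5, 0, PKT_REQUEST, flags, DATA_REP_LE,
                      24 + len(stub), 0, 1, len(stub), 0, opnum)
    return hdr + stub


def request_opnum(payload):
    """Read the opnum field the server dispatches on (offset 22, LE)."""
    return struct.unpack_from("<H", payload, 22)[0]


def rule_matches(payload, within=None):
    """content:"|00 03 10 00 00 00|"; depth:8 -> match must end in the first 8 bytes.
    content:"|03 00|"; distance:14 -> search starts 14 bytes after the previous
    match and, without a within modifier, runs to the end of the payload."""
    first = b"\x00\x03\x10\x00\x00\x00"
    idx = payload[:8].find(first)
    if idx == -1:
        return False
    start = idx + len(first) + 14            # == 22 for a well-formed header
    end = None if within is None else start + within
    return payload.find(b"\x03\x00", start, end) != -1


# Constructed samples: a DRSGetNCChanges request, a benign opnum-0 request whose
# stub happens to contain 03 00, and a first-fragment-only DRSGetNCChanges request.
DCSYNC_PDU = build_request(OPNUM_DRSGETNCCHANGES, stub=b"\x00" * 8)
BENIGN_PDU = build_request(0, stub=b"\x01\x00\x03\x00")
FRAGMENTED_PDU = build_request(OPNUM_DRSGETNCCHANGES, flags=0x01)

if __name__ == "__main__":
    for name, pdu in [("dcsync", DCSYNC_PDU), ("benign", BENIGN_PDU),
                      ("fragmented", FRAGMENTED_PDU)]:
        print(name, "opnum", request_opnum(pdu), "rule:", rule_matches(pdu),
              "rule+within:2:", rule_matches(pdu, within=2))
```

The benign PDU shows the false positive the bare distance:14 allows: 03 00 inside the stub data satisfies the second content, while within:2 restricts it to the opnum field.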

